rack-cas_client 0.3.0

data/.autotest

@@ -0,0 +1,26 @@
+# -*- ruby -*-
+
+require 'autotest/restart'
+require 'autotest/isolate'
+
+# Autotest.add_hook :initialize do |at|
+#   at.extra_files << "../some/external/dependency.rb"
+#
+#   at.libs << ":../some/external"
+#
+#   at.add_exception 'vendor'
+#
+#   at.add_mapping(/dependency.rb/) do |f, _|
+#     at.files_matching(/test_.*rb$/)
+#   end
+#
+#   %w(TestA TestB).each do |klass|
+#     at.extra_class_map[klass] = "test/test_misc.rb"
+#   end
+# end
+
+# Autotest.add_hook :run_command do |at|
+#   system "rake build"
+# end
+
+# vim: syntax=ruby

data/.gitignore

@@ -0,0 +1,2 @@
+*.sw[op]
+tmp/*

data/History.txt

@@ -0,0 +1,15 @@
+=== 0.3.0 / 2012-07-24
+
+* 3 unknowns:
+
+  * Adds hoe plugins. Updates readme.
+  * Uses attr_reader.
+  * remove's cruft code.
+
+
+=== 1.0.0 / 2012-03-15
+
+* 1 major enhancement
+
+  * Birthday!
+

data/Manifest.txt

@@ -0,0 +1,10 @@
+.autotest
+.gitignore
+History.txt
+Manifest.txt
+README.rdoc
+Rakefile
+bin/rack_cas_client
+lib/rack/cas_client.rb
+test/helper.rb
+test/test_rack_cas_client.rb

data/README.rdoc

@@ -0,0 +1,93 @@
+= rack-cas_client
+
+* https://github.com/bhenderson/rack-cas_client
+
+== DESCRIPTION:
+
+A Rack Middleware component to authenticate against a CAS server.
+
+I (shamefully) forgot to attribute this to
+https://github.com/garnieretienne/rubycas-client-sinatra. I had reached out to
+garnieretienne and he was no longer interested in his project. There is also
+rack-cas-client gem but that was too rails focused for me.
+
+== FEATURES/PROBLEMS:
+
+* Tries to be a simple authentication mechanism and leaves it up to the app chain to determine endpoints that should be auth'd.
+* Does not depend on Sinatra or Rails.
+* Does use 'rack.session' so anything that uses that will work.
+* Passes options hash to CASClient::Client (see docs for exceptions)
+
+== SYNOPSIS:
+
+  # config.ru
+
+  require 'rack/cas_client'
+
+  use Rack::Session::Cookie
+
+  map '/login' do
+    run Rack::CASClient.new nil, :cas_base_url => 'https://example/cas'
+  end
+
+  class MyApp < Struct.new(:app)
+    def call(env)
+      request = Rack::Request.new env
+      response = Rack::Response.new
+
+      user = request.session[:cas_user]
+      unless user and not user.empty?
+        query = URI.encode_www_form url: request.url
+        response.redirect "/login?#{query}"
+        return response.finish
+      end
+
+      response.write "hi #{user.inspect}"
+      response.finish
+    end
+  end
+
+  run MyApp.new
+
+== REQUIREMENTS:
+
+* rack
+* rubycas-client
+
+== INSTALL:
+
+* gem install rack-cas_client
+
+== DEVELOPERS:
+
+After checking out the source, run:
+
+  $ rake newb
+
+This task will install any missing dependencies, run the tests/specs,
+and generate the RDoc.
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2012 bhenderson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,23 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require 'hoe'
+
+Hoe.plugin :isolate
+Hoe.plugin :minitest
+
+Hoe.plugin :version, :git
+
+Hoe.spec 'rack-cas_client' do
+  developer 'Brian Henderson', 'henderson.bj@gmail.com'
+
+  self.readme_file      = "README.rdoc"
+
+  self.testlib          = :minitest
+
+  extra_deps << ['rack']
+  extra_deps << ['rubycas-client']
+  extra_dev_deps << ['rack-test']
+end
+
+# vim: syntax=ruby

data/bin/rack_cas_client

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+abort "you need to write me"

data/lib/rack/cas_client.rb

@@ -0,0 +1,156 @@
+require 'rack/request'
+require 'rubycas-client'
+
+module Rack
+  ##
+  # Middleware component to authenticate with a CAS server.
+  class CASClient
+    VERSION = '0.3.0'
+
+    # Public: CASCLient depends on these things but does not explicitely require them.
+    # Call this method (before any forking) if you care. (You may not if you
+    # implement your own #blank? for example.)
+    def self.require_casclient_deps
+      # YUCK! These are required for casclient
+      require 'active_support/core_ext/object/blank'
+      # I believe one or the other of these is required (not both) but since
+      # they're stdlib I'm leaving them in.
+      require 'json'
+      require 'yaml'
+    end
+
+    attr_reader :cas_client, :request
+
+    # options - Hash
+    #           :logger - Logger, must respond to :<<
+    #           Everything else is used by CASClient::Client#configure. Notable params are:
+    #           :cas_base_url - String, your CAS Server base url. raises if not there.
+    #           :force_ssl_verification - Bool, force ssl verification? Defaults to true.
+    def initialize app = nil, opts = {}
+      @app = app
+
+      # quiet cas_client
+      @logger = opts.delete :logger
+      raise ArgumentError, "invalid logger #{@logger}" if
+        @logger and not @logger.respond_to? :<<
+
+      opts[:force_ssl_verification] = opts.fetch(:force_ssl_verification, true)
+      @cas_client = ::CASClient::Client.new opts
+    end
+
+    # Private: Accessor method for app.
+    #
+    # If app is nil, redirects back to the referrer, otherwise, just displays a
+    # simple page saying that login was successful.
+    def app
+      @app || lambda{|env|
+        req = Rack::Request.new env
+        if url = req.params['url']
+          self.redirect url
+        else
+          [200, {'Content-Type'=>'text/plain'},['logged in!']]
+        end
+      }
+    end
+
+    # Public: Rack interface.
+    #
+    # Calls +app+ if already authenticated.
+    #
+    # If not authenticated, redirects user to login server.
+    # Login server should redirect back with a ticket param.
+    # If ticket is valid, redirect back to original request.
+    #
+    # It's up to the session manager to manage timeouts etc.
+    def call env
+      dup.call! env
+    end
+
+    # Private: Rack call method.
+    def call! env
+      @request = Rack::Request.new env
+
+      return app.call(env) if authenticated?
+
+      service_url = request_url_without_ticket
+      cas_login_url = cas_client.add_service_to_login_url(service_url)
+
+      if st = service_ticket(service_url)
+
+        cas_client.validate_service_ticket(st) unless st.has_been_validated?
+
+        if st.is_valid?
+          log 'ticket is valid'
+          # use string because extra_attributes will always have strings as keys
+          user['username'] = st.user
+          user.merge!        st.extra_attributes || {}
+          log "user logged in as #{user.inspect}"
+          redirect service_url
+        else
+          log 'ticket is not valid'
+          user.clear # why?
+          redirect cas_login_url
+        end
+      else
+        log 'No ticket, redirecting to login server'
+        redirect cas_login_url
+      end
+    end
+
+    # Private: Returns a ticket configured with +service_url+
+    #
+    # service_url - String, the request url that needs to be validated.
+    def service_ticket service_url
+      ticket = request.params['ticket']
+      return unless ticket
+      ticket_class = ticket =~ /^PT-/ ?
+                       ::CASClient::ProxyTicket :
+                       ::CASClient::ServiceTicket
+
+      st = ticket_class.new(ticket, service_url, false)
+      log "User has a #{ticket_class}! #{st.inspect}"
+      st
+    end
+
+    def authenticated?
+      !user.empty? && log("#{user.inspect} is already authenticated")
+    end
+
+    def log msg
+      return true unless @logger
+
+      @logger << msg
+      @logger << "\n" unless msg["\n"]
+      true
+    end
+
+    def redirect loc
+      [302,
+        { 'Content-Type' => 'text/plain',
+          'Content-Length' => '0',
+          'Location' => loc},
+        ['']]
+    end
+
+    # return the request.url minus params['ticket']
+    def request_url_without_ticket
+      # I feel like this should be in Rack::Request
+      # request['ticket'] = nil
+      # request.url
+      url = request.base_url + request.path
+      query = request.params.dup
+      query.delete 'ticket'
+      query.empty? ? url : "#{url}?#{Rack::Utils.build_nested_query query}"
+    end
+
+    def session
+      request.session
+    end
+
+    def user
+      # session[:cas_user]
+      session[cas_client.username_session_key] ||= {}
+    end
+
+  end
+end

data/test/helper.rb

@@ -0,0 +1,46 @@
+require 'minitest/autorun'
+require 'rack/cas_client'
+require 'rack/test'
+require 'json'
+
+class TestRack < MiniTest::Unit::TestCase
+end
+class TestRack::TestCASClient < MiniTest::Unit::TestCase
+  include Rack::Test::Methods
+
+  def setup
+    app = lambda{|env|
+      request = Rack::Request.new(env)
+      [200,
+        {'Content-Type' => 'text/plain'},
+        [request.session[:cas_user].to_json]]
+    }
+    @session = {}
+    @env = {'rack.session' => @session}
+    @client = Rack::CASClient.new app, cas_base_url: 'http://example/cas'
+    @mock_request = MiniTest::Mock.new
+    @client.instance_variable_set :@request, @mock_request
+  end
+
+  def teardown
+    @mock_request.verify
+  end
+
+  def app
+    @app ||= Rack::Lint.new @client
+  end
+
+  def assert_request_url_without_ticket expected, url
+    expected[/^/] = 'http://example'
+    url[/^/]      = 'http://example'
+
+    browser = Rack::Test::Session.new(lambda{|e| [200, {},['']]})
+    browser.get url
+    @client.instance_variable_set :@request, browser.last_request
+
+    actual = @client.request_url_without_ticket
+
+    assert_equal expected, actual
+    assert_equal url, @client.request.url, "expected url to be unmodified"
+  end
+end

data/test/test_rack_cas_client.rb

@@ -0,0 +1,100 @@
+require 'helper'
+
+class TestRack::TestCASClient
+
+  def test_all_ready_authd
+    @session[:cas_user] = {'username' => 'me'}
+    get '/', nil, @env
+    assert_equal @session[:cas_user].to_json, last_response.body
+  end
+
+  def test_all_ready_authd_with_no_app
+    @app = Rack::CASClient.new nil, cas_base_url: 'http://example/cas'
+
+    @session[:cas_user] = {'username' => 'me'}
+    get '/', nil, @env
+    assert last_response.ok?
+    assert_equal 'logged in!', last_response.body
+  end
+
+  def test_all_ready_authd_with_no_app_redirects_if_given_url
+    @app = Rack::CASClient.new nil, cas_base_url: 'http://example/cas'
+
+    @session[:cas_user] = {'username' => 'me'}
+    get '/?url=http%3A%2F%2Fexample%2Ffoo', nil, @env
+    assert last_response.redirect?
+    assert_equal 'http://example/foo', last_response['Location']
+  end
+
+  def test_redirects_to_cas_server
+    get '/'
+    assert last_response.redirect?
+
+    expected = 'http://example/cas/login?service=http%3A%2F%2Fexample.org%2F'
+    assert_equal expected, last_response['Location']
+
+    get '/foo?q=bar'
+    assert last_response.redirect?
+
+    expected = 'http://example/cas/login?service=http%3A%2F%2Fexample.org%2Ffoo%3Fq%3Dbar'
+    assert_equal expected, last_response['Location']
+  end
+
+  def test_request_url
+    assert_request_url_without_ticket '/', '/?ticket=123'
+    assert_request_url_without_ticket '/?foo=bar', '/?foo=bar&ticket=123'
+    assert_request_url_without_ticket '/?bar=foo', '/?ticket=123&bar=foo'
+    assert_request_url_without_ticket '/?foo=bar&bar=foo', '/?foo=bar&ticket=123&bar=foo'
+    assert_request_url_without_ticket '/?foo=bar&bar=foo', '/?foo=bar&bar=foo'
+    assert_request_url_without_ticket '/foo', '/foo?ticket=123'
+    assert_request_url_without_ticket '/foo/', '/foo/?ticket=123'
+  end
+
+  def test_service_ticket
+    @mock_request.expect :params, {}
+    t = @client.service_ticket ''
+    refute t
+  end
+
+  def test_service_ticket_returns_proxy_ticket
+    @mock_request.expect :params, 'ticket' => 'PT-123'
+    t = @client.service_ticket ''
+    assert_kind_of CASClient::ProxyTicket, t
+  end
+
+  def test_service_ticket_returns_service_ticket
+    @mock_request.expect :params, 'ticket' => 'ST-123'
+    t = @client.service_ticket ''
+    assert_kind_of CASClient::ServiceTicket, t
+  end
+
+  def test_ticket_validation
+    expected = 'http://example.org/foo'
+
+    cli = @client.cas_client
+    def cli.validate_service_ticket(t)
+      t.success = true
+      t.user = 'me'
+    end
+
+    get '/foo?ticket=ST-123', nil, @env
+    assert last_response.redirect?
+    assert_equal expected, last_response['Location']
+
+    expected = {'username' => 'me'}
+    assert_equal expected, @session[:cas_user]
+  end
+
+  def test_ticket_invalid
+    expected = 'http://example/cas/login?service=http%3A%2F%2Fexample.org%2Ffoo'
+
+    cli = @client.cas_client
+    def cli.validate_service_ticket(t)
+      t.success = false
+    end
+
+    get '/foo?ticket=ST-123'
+    assert last_response.redirect?
+    assert_equal expected, last_response['Location']
+  end
+end

metadata

@@ -0,0 +1,168 @@
+--- !ruby/object:Gem::Specification
+name: rack-cas_client
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+  prerelease: 
+platform: ruby
+authors:
+- Brian Henderson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubycas-client
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: ! 'A Rack Middleware component to authenticate against a CAS server.
+
+
+  I (shamefully) forgot to attribute this to
+
+  https://github.com/garnieretienne/rubycas-client-sinatra. I had reached out to
+
+  garnieretienne and he was no longer interested in his project. There is also
+
+  rack-cas-client gem but that was too rails focused for me.'
+email:
+- henderson.bj@gmail.com
+executables:
+- rack_cas_client
+extensions: []
+extra_rdoc_files:
+- History.txt
+- Manifest.txt
+- README.rdoc
+files:
+- .autotest
+- .gitignore
+- History.txt
+- Manifest.txt
+- README.rdoc
+- Rakefile
+- bin/rack_cas_client
+- lib/rack/cas_client.rb
+- test/helper.rb
+- test/test_rack_cas_client.rb
+- .gemtest
+homepage: https://github.com/bhenderson/rack-cas_client
+licenses: []
+post_install_message: 
+rdoc_options:
+- --main
+- README.rdoc
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: rack-cas_client
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: A Rack Middleware component to authenticate against a CAS server
+test_files:
+- test/test_rack_cas_client.rb