rubycas-client 0.9.1 → 0.10.0

data/LICENSE

@@ -1,3 +1,36 @@
+Copyright (c) 2006 Karolinska Institutet
+(Karolinska Institutet, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+ 3. Neither the name of Karolinska Institutet nor the names of its contributors
+    may be used to endorse or promote products derived from this software
+    without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY KAROLINSKA INSTITUTET AND CONTRIBUTORS ``AS IS''
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED.  IN NO EVENT SHALL KAROLINSKA INSTITUTET OR CONTRIBUTORS BE 
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+===============================================================================
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
 		       Version 2.1, February 1999
 

data/README

@@ -1,7 +1,7 @@
 = RubyCAS-Client
 
-Author::    Matt Walker, with modification and docs by Matt Zukowski
-Copyright:: Copyright (c) retained by the authors
+Author::    Ola Bini <ola.bini AT ki DOT se>, Matt Zukowski <matt AT roughest DOT net>
+Copyright:: (c) 2006 Karolinska Institutet, portions (c) 2006 Urbacon Ltd.
 License::   GNU Lesser General Public License v2.1 (LGPL 2.1)
 Website::   http://rubyforge.org/projects/rubycas-client
 
@@ -19,10 +19,14 @@ about the CAS protocol here: http://www.ja-sig.org/products/cas
 
 This CAS client library is designed to work easily with Rails, but can of course be used elsewhere.
 
-=== Installing
+== Installing
 
-You can always download the latest version of RubyCAS-Client from the project's rubyforge page at http://rubyforge.org/projects/rubycas-client.
-The library is also available as a gem, which can be installed by:
+You can always download the latest version of RubyCAS-Client from the project's rubyforge page at http://rubyforge.org/projects/rubycas-client,
+however probably the easiest way to install CAS support into your Rails app is via the plugins facility:
+
+  ./script/plugin install http://rubycas-client.rubyforge.org/plugin/current
+
+Alternatively, the library is also available as a gem, which can be installed by:
 
   gem install rubycas-client
   
@@ -30,72 +34,116 @@ The latest development version is availabe via subversion:
 
   svn checkout svn://rubyforge.org/var/svn/rubycas-client/trunk/ruby
   
+Or you can install the latest development version into your Rails app as a plugin:
+
+  ./script/plugin install -x svn://rubyforge.org/var/svn/rubycas-client/trunk/ruby
+  
 Please contact the developers via the {rubyforge.org page}[svn checkout svn://rubyforge.org/var/svn/rubycas-client] if you have bug fixes
 or enhancements you would like to contribute back.
 
-=== Here is an example of how to use the library in your Rails application:
+== Examples
 
-Somewhere in your +config/environment.rb+ file add this:
+==== Here is an example of how to use the library in your Rails application:
 
-  require_gem 'rubycas-client'
+Somewhere in your +config/environment.rb+ file add this (assuming that you have RubyCAS-Client installed as a plugin, otherwise
+you'll need to +require 'cas_auth'+ and +require 'cas_proxy_callback_controller'+):
 
-  CAS.cas_server_host = 'login.mycompany.com'
-  CAS.cas_server_port = '443'
+  CAS::Filter.cas_base_url = "https://login.example.com/cas"
 
 Then, in your +app/controllers/application.rb+ (or in whatever controller you want to add the CAS filter for):
 
-  before_filter CAS::CASFilter
+  before_filter CAS::Filter
   
 That's it. You should now find that you are redirected to your CAS login page when you try to access any action
 in your protected controller. You can of course qualify the +before_filter+ as you would with any other ActionController
-filter. For example: +before_filter CAS::CASFilter, :except => [ :unprotected_action, :another_unprotected_action ]
+filter. For example: +before_filter CAS::Filter, :except => [ :unprotected_action, :another_unprotected_action ]
 
-<b>Once the user has been authenticated, their authenticated username is available under +session[:user]+</b>
+<b>Once the user has been authenticated, their authenticated username is available under +request.username+ 
+(and also under +session[:casfilteruser]+).</b> If you want to do something with this username (for example load a 
+user record from the database), you can append another filter method that checks for this value and does whatever you need
+it to do.
 
-=== A more complicated example:
+==== A more complicated example:
 
-The CAS client library provides callback methods that can be overridden to inject your user management business logic.
-For example, ordinarily after authentication the user's username is placed in +session[:user]+. Rather than storing
-the username you may want to store a User object (e.g. a User ActiveRecord model). Here is an example of how to do this:
+Here is a more complicated configuration showing most of the configuration options (this does not show proxy options however,
+which are covered in the next section):
 
-In your +config/environment.rb+ file add this:
+  CAS::Filter.login_url = "https://login.example.com/cas/login"  # the URI of the CAS login page
+  CAS::Filter.validate_url = "https://login.example.com/cas/serviceValidate"  # the URI where CAS ticket validation requests are sent
+  CAS::Filter.server_name = "yourapplication.example.com:3000"  # the server name of your CAS-protected application
+  CAS::Filter.renew = false                      # force re-authentication? see http://www.ja-sig.org/products/cas/overview/protocol
+  CAS::Filter.wrap_request = true                # make the username available under request.username?
+  CAS::Filter.gateway = false                    # act as cas gateway? see http://www.ja-sig.org/products/cas/overview/protocol
+  CAS::Filter.session_username = :casfilteruser  # this is the hash in the session where the authenticated username will be stored
 
-  require_gem 'rubycas-client'
 
-  CAS.cas_server_host = 'login.mycompany.com'
-  CAS.cas_server_port = '443'
+==== How to act as a CAS proxy:
 
-  module CAS
-    def self.load_user_data(username, cas_payload)
-      user = User.find_by_username(username)
-      user = User.new(:username => username) if user.nil?
-  
-      user.last_login = Time.now
-      
-      return user
-    end
+CAS 2.0 has a built-in mechanism that allows a CAS-authenticated application to pass on its authentication to other applications.
+An example where this is useful might be a portal site, where the user logs in to a central website and then gets forwarded to
+various other sites that run independently of the portal system (but are always accessed via the portal). The exact mechanism
+behind this is rather complicated so I won't go over it here. If you wish to learn more about CAS proxying, a great walkthrough
+is available at http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough.
+
+RubyCAS-Client fully supports proxying, so a CAS-protected Rails application can act as a CAS proxy.
+
+Additionally, RubyCAS-Client comes with a controller that can act as a CAS proxy callback receiver. This is necessary because
+when your application requests to act as a CAS proxy, the CAS server must contact your application to deposit the proxy-granting-ticket
+(PGT). Note that in this case the CAS server CONTACTS YOU, rather than you contacting the CAS server (as in all other CAS operations).
+
+Confused? Don't worry, you don't really have to understand this to use it. To enable your Rails app to act as a CAS proxy, 
+all you need to do is this:
+
+In your +config/environment.rb+:
+
+  CAS::Filter.cas_base_url = "https://login.example.com/cas"
+  CAS::Filter.proxy_callback_url = "https://yourrailsapp.com/cas_proxy_callback/receive_pgt"
+  CAS::Filter.proxy_retrieval_url = "https://yourrailsapp.com/cas_proxy_callback/retrieve_pgt"
   
-    def self.save_user_data(user)
-      user.save
-    end
-  end
+In +config/routes.rb+ make sure that you have a route that will allow requests to /cas_proxy_callback/:action to be routed to the
+CasProxyCallbackController. This should work as-is with the standard Rails routes setup, but if you have disabled the default
+route, you should add the following:
+
+  map.cas_proxy_callback 'cas_proxy_callback/:action', :controller => 'cas_proxy_callback'
+
+Once your user logs in to CAS via your application, you can do the following to obtain a service ticket that can then be used
+to authenticate another application:
+
+  service_uri = "http://some.other.application"
+  proxy_granting_ticket = session[:casfilterpgt]
+  ticket = CAS::Filter.request_proxy_ticket(service_uri, proxy_granting_ticket)
+
++ticket+ should now contain a valid service ticket. You can use it to authenticate your other by sending it and the service URI
+as query parameters to your target application:
+
+  http://some.other.application?service=#{ticket.target_service}&ticket=#{ticket.proxy_ticket}
   
-In the above example, +load_user_data+ is overridden to load the user data based on the authenticated username.
-+save_user_data+ is also overidden to save any changes made to the user model by the login process (in this case,
-the last_login column is updated). See the CAS module documentation for more information on callbacks.
+This is of course assuming that some.other.application is also protected by the CAS filter.
 
-Another feature available in the CAS library is the ability to refresh the authentication ticket with the server
-at some specified interval. Normally when the user logs in, their authentication info is stored in the local
-web session and no futher queries are made to the CAS server. This may result in a situation where the remote CAS
-authentication ticket has expired, but the local session authentication has not. To prevent this from happening
-you can specify a +refresh_ticket_interval+ (in minutes) as follows:
+For extra security -- and you will likely want to do this on production machines in the wild -- in the proxied app's configuration
+(some.other.appliction in this example) you can specify the list of authorized proxies. For example, on your proxied app the CAS
+configuration might look something like this:
 
-  CAS.refresh_ticket_interval = 15
+  CAS::Filter.cas_base_url = "https://login.example.com/cas"
+  CAS::Filter.server_name = "some.other.application"
+  CAS::Filter.authorized_proxies = ["https://yourrailsapp.com/cas/proxy_callback/receive_pgt"]
   
-The CAS client will now check at every request if the local authentication info is older than 15 minutes. If it is,
-it will transparently re-authenticate with the server. Note that because of the way the re-authentication process works,
-after re-authenticating the user will have a +ticket+ query variable attached to the end of their current URL for that request
-(i.e. http://mycompany.com/somepage/index?ticket=123456789).
+If no authorized proxies are given, the filter will accept receipts from any proxy.
+
+===== Additional notes and caveats:
+
+Note that when the CAS filter runs, the PGT is stored in session[:casfilterpgt]. This value must be passed to CAS::Filter#request_proxy_ticket.
+Also, note that CAS::Filter#request_proxy_ticket will URI-encode the service_uri before passing it to the CAS server, and the service
+value must henceforth always be passed as URI-encoded (this can be problematic when your proxied application uses some CAS client other than
+RubyCAS-Client).
+
+<b>The proxy url must be an https address.</b> Otherwise CAS will refuse to communicate with it. This means that if you are using
+the bundled cas_proxy_callback controller, you will have to host your application on an https-enabled server. This can be a bit
+tricky with Rails. WEBrick's SSL support is difficult to configure, and Mongrel doesn't support SSL at all. One workaround is to
+use a reverse proxy like Pound[http://www.apsis.ch/pound/], which will accept https connections and locally re-route them
+to your Rails application. Also, note that <i>self-signed SSL certificates likely won't work</i>. You will probably need to use
+a real certificate purchased from a trusted CA authority (there are ways around this, but good luck :)
+
 
 == License
 

data/Rakefile

@@ -0,0 +1,22 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the cas_auth plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the cas_auth plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'CasAuth'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/init.rb

@@ -0,0 +1,11 @@
+require 'cas_auth'
+
+#CAS::Filter.logger = RAILS_DEFAULT_LOGGER if !RAILS_DEFAULT_LOGGER.nil?
+#CAS::Filter.logger = config.logger if !config.logger.nil?
+
+CAS::Filter.logger = Logger.new "#{RAILS_ROOT}/log/cas_filter.log"
+CAS::Filter.logger.level = Logger::DEBUG
+
+#class ActionController::Base
+#  append_before_filter CAS::Filter
+#end

data/install.rb

@@ -0,0 +1 @@
+# Install hook code here

data/lib/cas.rb

@@ -0,0 +1,188 @@
+require 'net/https'
+require 'rexml/document'
+
+module CAS
+  class CASException < Exception
+  end
+  class AuthenticationException < CASException
+  end
+  class ValidationException < CASException
+  end
+
+  class Receipt
+    attr_accessor :validate_url, :pgt_iou, :primary_authentication, :proxy_callback_url, :proxy_list, :user_name
+
+    def primary_authentication?
+      primary_authentication
+    end
+
+    def initialize(ptv)
+      if !ptv.successful_authentication?
+        begin
+          ptv.validate
+        rescue ValidationException=>vald
+          raise AuthenticationException, "Unable to validate ProxyTicketValidator [#{ptv}] [#{vald}]"
+        end
+        raise AuthenticationException, "Unable to validate ProxyTicketValidator because of no success with validation[#{ptv}]" unless ptv.successful_authentication?
+      end
+      self.validate_url = ptv.validate_url
+      self.pgt_iou = ptv.pgt_iou
+      self.user_name = ptv.user
+      self.proxy_callback_url = ptv.proxy_callback_url
+      self.proxy_list = ptv.proxy_list
+      self.primary_authentication = ptv.renewed?
+      raise AuthenticationException, "Validation of [#{ptv}] did not result in an internally consistent Receipt" unless validate
+    end
+
+    def proxied?
+      !proxy_list.empty?
+    end
+
+    def proxying_service
+      proxy_list.first
+    end
+
+    def to_s
+      "[#{super} - userName=[#{user_name}] validateUrl=[#{validate_url}] proxyCallbackUrl=[#{proxy_callback_url}] pgtIou=[#{pgt_iou}] proxyList=[#{proxy_list}]"
+    end
+
+    def validate
+      user_name &&
+        validate_url &&
+        proxy_list &&
+        !(primary_authentication? && !proxy_list.empty?) # May not be both primary authenitication and proxied.
+    end
+  end
+
+  class AbstractCASResponse
+  
+    def self.retrieve(uri_str)
+      prs = URI.parse(uri_str)
+#      puts prs.inspect
+      https = Net::HTTP.new(prs.host,prs.port)
+#      puts https.inspect
+      https.use_ssl=true
+      https.start { |conn|
+        # TODO: make sure that HTTP status code in the response is 200... maybe throw exception if is 500?
+        conn.get("#{prs.path}?#{prs.query}").body.strip
+      }
+    end
+    
+    protected
+    def parse_unsuccessful(elm)
+#      puts "unsuccessful"
+      @error_message = elm.text.strip
+      @error_code = elm.attributes["code"].strip
+      @successful_authentication = false
+    end
+
+    def parse(str)
+#      puts "parsing... #{str}"
+      doc = REXML::Document.new str
+      resp = doc.elements["cas:serviceResponse"].elements[1]
+#      puts "resp... #{resp.name}"
+      if successful_response? resp
+        parse_successful(resp)
+      else
+        parse_unsuccessful(resp)
+      end
+    end
+  end
+  
+  class ServiceTicketValidator < AbstractCASResponse
+    attr_accessor :validate_url, :proxy_callback_url, :renew, :service_ticket, :service
+    attr_reader   :pgt_iou, :user, :error_code, :error_message, :entire_response, :successful_authentication
+
+    def renewed?
+      renew
+    end
+
+    def successful_authentication?
+      successful_authentication
+    end
+
+    def validate
+      raise ValidationException, "must set validation URL and ticket" if validate_url.nil? || service_ticket.nil?
+      clear!
+      @attempted_authentication = true
+      url_building = "#{validate_url}#{(url_building =~ /\?/)?'&':'?'}service=#{service}&ticket=#{service_ticket}"
+      url_building += "&pgtUrl=#{proxy_callback_url}" if proxy_callback_url
+      url_building += "&renew=true" if renew
+      @@entire_response = ServiceTicketValidator.retrieve url_building
+      parse @@entire_response
+    end
+
+    def clear!
+      @user = @pgt_iou = @error_message = nil
+      @successful_authentication = @attempted_authentication = false
+    end
+
+    def to_s
+      "[#{super} - validateUrl=[#{validate_url}] proxyCallbackUrl=[#{proxy_callback_url}] ticket=[#{service_ticket}] service=[#{service} pgtIou=[#{pgt_iou}] user=[#{user}] errorCode=[#{error_message}] errorMessage=[#{error_message}] renew=[#{renew}] entireResponse=[#{entire_response}]]"
+    end
+    
+    protected
+    def parse_successful(elm)
+#      puts "successful"
+      @user = elm.elements["cas:user"] && elm.elements["cas:user"].text.strip
+#      puts "user: #{@user}"
+      @pgt_iou = elm.elements["cas:proxyGrantingTicket"] && elm.elements["cas:proxyGrantingTicket"].text.strip
+#      puts "pgt_iou: #{@pgt_iou}"
+      @successful_authentication = true
+    end
+    
+    def successful_response?(resp)
+      resp.name == "authenticationSuccess"
+    end
+  end
+
+  class ProxyTicketValidator < ServiceTicketValidator
+    attr_reader :proxy_list
+    @@response_prefix = "proxy"
+
+    def initialize
+      super
+      @proxy_list = []
+    end
+
+    def clear!
+      super
+      @proxy_list = []
+    end
+
+    protected
+    def parse_successful(elm)
+      super(elm)
+#      puts "proxy_successful"
+      proxies = elm.elements["cas:proxies"]
+      if proxies
+        proxies.elements.each("cas:proxy") { |prox|
+          @proxy_list ||= []
+          @proxy_list << prox.text.strip
+        }
+      end
+    end
+  end
+
+  class ProxyTicketRequest < AbstractCASResponse
+    attr_accessor :proxy_url, :target_service, :pgt
+    attr_reader :proxy_ticket
+  
+    def request
+      url_building = "#{proxy_url}#{(url_building =~ /\?/)?'&':'?'}targetService=#{target_service}&pgt=#{pgt}"
+#      puts "REQUESTING:"+url_building
+      @@entire_response = ServiceTicketValidator.retrieve url_building
+#      puts @@entire_response.to_s
+      parse @@entire_response
+    end
+    
+    protected
+    def parse_successful(elm)
+      @proxy_ticket = elm.elements["cas:proxyTicket"] && elm.elements["cas:proxyTicket"].text.strip
+    end
+    
+    def successful_response?(resp)
+      resp.name == "proxySuccess"
+    end
+  end
+end

data/lib/cas_auth.rb

@@ -0,0 +1,311 @@
+# RubyCAS-Client is a client and Rails filter for the CAS protocol.
+# Copyright (c) 2006 Karolinska Institutet
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+require 'uri'
+require 'logger'
+
+
+require File.dirname(File.expand_path(__FILE__))+'/cas'
+
+module CAS
+  # The DummyLogger is a class which might pass through to a real Logger
+  # if one is assigned. However, it can gracefully swallow any logging calls
+  # if there is now Logger assigned.
+  class LoggerWrapper
+    def initialize(logger=nil)
+      set_logger(logger)
+    end
+    # Assign the 'real' Logger instance that this dummy instance wraps around.
+    def set_logger(logger)
+      @logger = logger
+    end
+    # log using the appropriate method if we have a logger
+    # if we dont' have a logger, ignore completely.
+    def method_missing(name, *args)
+      if @logger && @logger.respond_to?(name)
+        @logger.send(name, *args)
+      end
+    end
+  end
+
+  LOGGER = CAS::LoggerWrapper.new
+  
+  # Allows authentication through a CAS server.
+  # The precondition for this filter to work is that you have an
+  # authentication infrastructure. As such, this is for the enterprise
+  # rather than small shops.
+  #
+  # To use CAS::Filter for authentication, add something like this to
+  # your environment:
+  # 
+  #   CAS::Filter.server_name = "yourapplication.server.name"
+  #   CAS::Filter.cas_base_url = "https://cas.company.com
+  #   
+  # The filter will try to use the standard CAS page locations based on this URL.
+  # Or you can explicitly specify the individual URLs:
+  #
+  #   CAS::Filter.server_name = "yourapplication.server.name"
+  #   CAS::Filter.login_url = "https://cas.company.com/login"
+  #   CAS::Filter.validate_url = "https://cas.company.com/proxyValidate"
+  #
+  # It is of course possible to use different configurations in development, test
+  # and production by placing the configuration in the appropriate environments file.
+  #
+  # To add CAS protection to a controller:
+  # 
+  #   before_filter CAS::Filter
+  #   
+  # All of the standard Rails filter qualifiers can also be used. For example:
+  # 
+  #   before_filter CAS::Filter, :only => [:admin, :private]
+  #
+  # By default CAS::Filter saves the logged in user in session[:casfilteruser] but
+  # that name can be changed by setting CAS::Filter.session_username
+  # The username is also available from the request by
+  # 
+  #   request.username
+  #   
+  # This wrapping of the request can be disabled by
+  # 
+  #   CAS::Filter.wrap_request = false
+  # 
+  # Proxying is also possible. Please see the README for examples.
+  #
+  class Filter
+    @@login_url = "https://localhost/login"
+    @@logout_url = nil
+    @@validate_url = "https://localhost/proxyValidate"
+    @@server_name = "localhost"
+    @@renew = false
+    @@session_username = :casfilteruser
+    @@query_string = {}
+    @@fake = nil
+    @@pgt = nil
+    cattr_accessor :query_string
+    cattr_accessor :login_url, :validate_url, :service_url, :server_name, :renew, :wrap_request, :gateway, :session_username
+    cattr_accessor :proxy_url, :proxy_callback_url, :proxy_retrieval_url
+    @@authorized_proxies = []
+    cattr_accessor :authorized_proxies
+
+
+    class << self
+      # Retrieves the current Logger instance
+      def logger
+        CAS::LOGGER
+      end
+      def logger=(val)
+        CAS::LOGGER.set_logger(val)
+      end
+
+      alias :log :logger
+      alias :log= :logger=
+
+      def create_logout_url
+        if !@@logout_url && @@login_url =~ %r{^(.+?)/[^/]*$}
+          @@logout_url = "#{$1}/logout"
+        end
+        logger.info "Created logout-url: #{@@logout_url}"
+      end
+      
+      def logout_url(controller)
+        create_logout_url unless @@logout_url
+        url = redirect_url(controller,@@logout_url)
+        logger.info "Using logout-url #{url}"
+        url
+      end
+      
+      def logout_url=(val)
+        @@logout_url = val
+      end
+      
+      def cas_base_url=(url)
+        CAS::Filter.login_url = "#{url}/login"
+        CAS::Filter.validate_url = "#{url}/proxyValidate"
+        CAS::Filter.proxy_url = "#{url}/proxy"
+      end
+        
+      def fake
+        @@fake
+      end
+      
+      def fake=(val)
+        if val.nil?
+          alias :filter :filter_r
+        else
+          alias :filter :filter_f
+        end
+        @@fake = val
+      end
+
+      def filter_f(controller)
+        logger.debug("entering fake cas filter")
+        username = @@fake
+        if :failure == @@fake
+          return false
+        elsif :param == @@fake
+          username = controller.params['username']
+        elsif Proc === @@fake
+          username = @@fake.call(controller)
+        end
+        logger.debug("our username is: #{username}")
+        controller.session[@@session_username] = username
+        return true
+      end
+      
+      def filter_r(controller)
+        logger.debug("filter of controller: #{controller}")
+        receipt = controller.session[:casfilterreceipt]
+        logger.info("receipt: #{receipt}")
+        valid = false
+        if receipt
+          valid = validate_receipt(receipt)
+          logger.info("valid receipt?: #{valid}")
+        else
+          reqticket = controller.params["ticket"]
+          logger.info("ticket: #{reqticket}")
+          if reqticket
+            # We temporarily allow ActionController requests to be handled concurrently.
+            # Otherwise proxy granting ticket callbacks from CAS wouldn't work, since
+            # the Rails server would be deadlocked while it waits for the CAS server to validate
+            # the ticket, and the CAS server waits for the Rails server to receive the PGT callback.
+            # Note that since the allow_concurrency option is undocumented and considered
+            # experimental, what we're doing here may cause unforseen problems. Beware!
+            ActionController::Base.allow_concurrency = true
+            receipt = authenticated_user(reqticket,controller)
+            ActionController::Base.allow_concurrency = false
+            
+            logger.info("new receipt: #{receipt}")
+            logger.info("validate_receipt: " + validate_receipt(receipt).to_s)
+            if receipt && validate_receipt(receipt)
+              controller.session[:casfilterreceipt] = receipt
+              controller.session[@@session_username] = receipt.user_name
+              
+              if receipt.pgt_iou
+                ActionController::Base.allow_concurrency = true
+                retrieve_url = "#{@@proxy_retrieval_url}?pgtIou=#{receipt.pgt_iou}"
+                logger.info("retrieving pgt from: #{retrieve_url}")
+                controller.session[:casfilterpgt] = CAS::ServiceTicketValidator.retrieve(retrieve_url)
+                ActionController::Base.allow_concurrency = false
+              end
+              
+              valid = true
+            end
+          else
+            did_gateway = controller.session[:casfiltergateway]
+            raise CASException, "Can't redirect without login url" if !@@login_url
+            if did_gateway
+              if controller.session[@@session_username]
+                valid = true
+              else
+                controller.session[:casfiltergateway] = true
+              end
+            else
+              controller.session[:casfiltergateway] = true
+            end
+          end
+        end
+        logger.info("will send redirect #{redirect_url(controller)}") if !valid
+        controller.send :redirect_to,redirect_url(controller) if !valid
+        return valid
+      end
+      alias :filter :filter_r
+      
+      
+      def request_proxy_ticket(target_service, pgt)
+        r = ProxyTicketRequest.new
+        r.proxy_url = @@proxy_url
+        r.target_service = escape_service_uri(target_service)
+        r.pgt = pgt
+
+        raise "Cannot request a proxy ticket for service #{r.target_service} because no proxy granting ticket (PGT) has been set." unless r.pgt
+        
+        logger.info("requesting proxy ticket for service #{r.target_service} with pgt #{pgt}")
+        r.request
+        
+        if r.proxy_ticket
+          logger.info("got proxy ticket #{r.proxy_ticket} for service #{r.target_service}")
+        else
+          logger.warn("did not receive a proxy ticket for service #{r.target_service}!")
+        end
+        
+        return r
+      end
+    end
+    
+    private
+    def self.validate_receipt(receipt)       
+        if receipt
+          logger.debug "authorized proxies: #{@@authorized_proxies.inspect}"
+          logger.debug "proxying service: #{receipt.proxying_service.inspect}"
+        end
+        
+        valid = receipt && !(@@renew && !receipt.primary_authentication?)
+        
+        if @@authorized_proxies and !@@authorized_proxies.empty?
+          valid = valid && !(receipt.proxied? && !@@authorized_proxies.include?(receipt.proxying_service)) 
+        end
+        
+        return valid
+    end
+
+    def self.authenticated_user(tick, controller)
+      pv = ProxyTicketValidator.new
+      pv.validate_url = @@validate_url
+      pv.service_ticket = tick
+      pv.service = service_url(controller)
+      pv.renew = @@renew
+      pv.proxy_callback_url = @@proxy_callback_url
+      receipt = nil
+      logger.debug("pv: #{pv.inspect}")
+      begin
+        receipt = Receipt.new(pv)
+      rescue AuthenticationException=>auth
+        logger.warn("filter: had an authentication-exception #{auth}")
+      end
+      receipt
+    end
+    def self.service_url(controller)
+      before = @@service_url || guess_service(controller)
+      logger.debug("before: #{before}")
+      after = escape_service_uri(before)
+      logger.debug("after: #{after}")
+      after
+    end
+    def self.redirect_url(controller,url=@@login_url)
+      "#{url}?service=#{service_url(controller)}" + ((@@renew)? "&renew=true":"") + ((@@gateway)? "&gateway=true":"") + ((@@query_string.nil?)? "" : "&"+(@@query_string.collect { |k,v| "#{k}=#{v}"}.join("&")))
+    end
+    def self.guess_service(controller)
+      # we're assuming that controller.params[:service] is url-encoded!
+      return controller.params[:service] if controller.params.include? :service
+      
+      req = controller.request
+      parms = controller.params.dup
+      parms.delete("ticket")
+      query = (parms.collect {|key, val| "#{key}=#{val}"}).join("&")
+      query = "?" + query unless query.empty?
+      "#{req.protocol}#{@@server_name}#{req.request_uri.split(/\?/)[0]}#{query}"
+    end
+    def self.escape_service_uri(uri)
+      URI.encode(uri, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]", false, 'U').freeze)
+    end
+  end
+end
+
+class ActionController::AbstractRequest
+  def username
+    session[CAS::Filter.session_username]
+  end
+end

data/lib/cas_proxy_callback_controller.rb

@@ -0,0 +1,72 @@
+require 'pstore'
+
+# Controller that responds to proxy generating ticket callbacks from the CAS server and allows
+# for retrieval of those PGTs.
+class CasProxyCallbackController < ActionController::Base
+
+  # Receives a proxy granting ticket from the CAS server and stores it in the database.
+  # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole.
+  # In fact, the JA-SIG implementation of the CAS server will refuse to send PGTs to non-https URLs.
+  def receive_pgt
+    render_error "PGTs can be received only via HTTPS or local connections." and return unless
+      request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+
+    pgtIou = params['pgtIou']
+    pgtId = params['pgtId']
+    
+    # We need to render a response with HTTP status code 200 when no pgtIou/pgtId is specified because CAS seems first
+    # call the action without any parameters (maybe to check if the server responds correctly) and only then again,
+    # this time with the required params.
+    render :text => "Okay, the server is up, but please specify a pgtIou and pgtId." and return unless pgtIou and pgtId
+    
+    # TODO: pstore contents should probably be encrypted...
+    pstore = open_pstore
+    
+    pstore.transaction do
+      pstore[pgtIou] = pgtId
+    end
+    
+    render :text => "PGT received. Thank you!" and return
+  end
+  
+  # Retreives a proxy granting ticket, sends it to output, and deletes the pgt from session storage.
+  # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole --
+  # in fact, the action will not work if the request is not made via SSL or is not local (we allow for local
+  # non-SSL requests since this allows for the use of reverse HTTPS proxies like Pound).
+  def retrieve_pgt
+    render_error "You can only retrieve PGTs via HTTPS or local connections." and return unless
+      request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+    
+    pgtIou = params['pgtIou']
+    
+    render_error "No pgtIou specified. Cannot retreive the pgtId." and return unless pgtIou
+  
+    pstore = open_pstore
+  
+    pgt = nil
+    pstore.transaction do
+      pgt = pstore[pgtIou]
+    end
+    
+    if not pgt
+      render_error "Invalid pgtIou specified. Perhaps this pgt has already been retrieved?" and return
+    end
+    
+    render :text => pgt
+    
+    # TODO: need to periodically clean the storage, otherwise it will just keep growing
+    pstore.transaction do
+      pstore.delete pgtIou
+    end
+  end
+  
+  private
+    def render_error(msg)
+      # Note that the error messages are mostly just for debugging, since the CAS server never reads them.
+      render :text => msg, :status => 500
+    end
+    
+    def open_pstore
+      PStore.new("#{RAILS_ROOT}/tmp/cas_pgt.pstore")
+    end
+end

metadata

@@ -3,7 +3,7 @@ rubygems_version: 0.8.11
 specification_version: 1
 name: rubycas-client
 version: !ruby/object:Gem::Version 
-  version: 0.9.1
+  version: 0.10.0
 date: 2006-09-07 00:00:00 -04:00
 summary: Client library for the CAS single-sign-on protocol.
 require_paths: 
@@ -12,7 +12,7 @@ email: matt@roughest.net
 homepage: http://rubycas-client.rubyforge.org
 rubyforge_project: rubycas-client
 description: RubyCAS-Client is a Ruby client library for Yale's Central Authentication Service (CAS) single-sign-on protocol for web-based applications.
-autorequire: cas-client
+autorequire: 
 default_executable: 
 bindir: bin
 has_rdoc: true
@@ -29,8 +29,13 @@ authors:
 - Matt Zukowski
 - Matt Walker
 files: 
-- lib/cas-client.rb
+- install.rb
+- init.rb
+- lib/cas_proxy_callback_controller.rb
+- lib/cas.rb
+- lib/cas_auth.rb
 - LICENSE
+- Rakefile
 - README
 test_files: []
 

data/lib/cas-client.rb

@@ -1,289 +0,0 @@
-#  RubyCAS-Client is a Ruby client library for Yale's Central Authentication Service (CAS) protocol.
-#
-#  Author::    Matt Walker, with modification and docs by Matt Zukowski
-#  Copyright:: Copyright (c) retained by the authors
-#  License::   GNU Lesser General Public License v2.1 (LGPL 2.1)
-#  Website::   http://rubyforge.org/projects/rubycas-client
-#  
-#  This program is free software; you can redistribute it and/or
-#  modify it under the terms of the GNU General Public License
-#  as published by the Free Software Foundation; either version 2
-#  of the License, or (at your option) any later version.
-#  
-#  This program is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#  GNU General Public License for more details.
-#  
-#  You should have received a copy of the GNU General Public License
-#  along with this program; if not, write to the Free Software
-#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
-
-require 'net/https'
-require 'rexml/document'
-
-require 'rubygems'
-require_gem 'actionpack'
-
-# We must override redirect_to in ActionController::Base to allow this class to
-# redirect the user to the CAS server for login, since redirect_to is not public by default.
-class ActionController::Base; public :redirect_to; end
-
-# Module containing the CASFilter and associated constants.  This particular
-# version is designed to be used with Rails, but you can imagine expanding it
-# to work in other settings as well.  If you would like to override the default
-# values of @@cas_server_host or @@cas_server_port, you may do so as follows:
-#
-#   require 'cas'
-#
-#   CAS.cas_server_host = 'netid.tamu.edu'
-#   CAS.cas_server_port = 443
-#
-# By default, the filter will store the authenticated username in session[:user]. You can
-# modify this behaviour to have session[:user] contain something like your User ActiveRecord object by
-# modifying various callbacks like so (see the documentation for each callback method for details):
-# 
-#   module CAS
-#     def self.load_user_data(username, cas_payload)
-#       user = User.find_by_username(username)
-#       user.last_login = Time.now
-#       return user
-#     end
-#  
-#     def self.save_user_data(user)
-#       user.save
-#     end
-#   end
-#
-# Author:: Matt Walker, with modification and docs by Matt Zukowski
-# Acknowledgements:: James Smith provided me with my first Ruby CAS client, on which this code is based.
-module CAS
-    # The hostname of the CAS server to authenticate against.
-    @@cas_server_host = 'login.mycompany.com'
-
-    # The port the CAS server is running on.
-    @@cas_server_port = 443
-    
-    # Normally, CAS authentication is only done once -- during the first filter call. After that the user's
-    # username is stored in the local session and the CAS server is not contacted again until the local (i.e. Rails)
-    # session expires. By setting this to a value other than nil, the user will be re-authenticated with CAS
-    # every @@refresh_ticket_interval minutes. If you set this to 0, the CAS ticket will be re-validated on every
-    # request.
-    @@refresh_ticket_interval = nil
-
-    # The class for performing authentication filtering in Rails.  The most
-    # important method is +filter+, which is static (thus requiring assisting
-    # methods to be static as well).  This version is simplistic, but you can
-    # imagine extending it to allow gatewaying or authentication by proxy.
-    class CASFilter
-        # Filtering method specific to Rails.  In particular, it is meant to be
-        # used with Rails' +before_filter+ method to add CAS authentication to
-        # one or more actions, as in the following example:
-        #
-        #  require 'cas'
-        #
-        #  class AdminController < ApplicationController
-        #    before_filter CAS::CASFilter, :except => :logout
-        #    # ...
-        #  end
-        #
-        # When a user logs in, their user object is stashed in the session.
-        # This indicates to all future requests that the user is authenticated.
-        # If there is no user object in the session, the user must provide a
-        # valid CAS ticket to login.  If they have no ticket, they are
-        # redirected to the CAS server to get one.  If they do have a ticket,
-        # it is validated with the server before creating their user object in
-        # the session (and possibly database).
-        #
-        # Inputs:
-        # [controller] The ActionController performing filtering.  If its session contains a user object, the user must have successfully authenticated against CAS.
-        #
-        # Returns a boolean: did user successfully authenticate?
-        def self.filter(controller)
-            RAILS_DEFAULT_LOGGER.info "Starting CAS filter..."
-            
-            # If we have a user, a successful login was made for this session
-            if (!controller.session[:user].nil?)
-              # If the local session auth info is older than @@refresh_ticket_interval, then re-submit the ticket for validation
-              # to ensure that the ticket hasn't expired on the CAS end
-              cas_ticket_timestamp = controller.session[:cas_ticket_timestamp]
-              
-              if (cas_ticket_timestamp and cas_ticket_timestamp.kind_of? Time)
-                time_elapsed = Time.now - cas_ticket_timestamp
-              
-                if time_elapsed < (CAS.refresh_ticket_interval * 60)
-                  return true # local session info isn't expired so we're okay
-                end
-              end
-              # local session info is expired so we continue with full ticket validation...
-            end
-
-            RAILS_DEFAULT_LOGGER.debug "No user session present, begin CAS authenticatoin process..."
-
-            # Otherwise, we require a ticket to authenticate the user
-            service = controller.url_for()
-            ticket = controller.params[:ticket]
-           
-            if ticket.nil? || ticket == ""
-              self.redirect_to_login(controller, service)
-              return false
-            end
-
-            cas_payload = validate_ticket(service, ticket)
-            
-            #TODO: redirect to login with appropriate error message (i.e. "your session has expried" or "invalid response from cas", etc.)
-            if cas_payload.nil? || cas_payload.length != 1
-              self.redirect_to_login(controller, service)
-              return false
-            end
-            
-            username = cas_payload[:username]
-            
-            user = CAS.load_user_data(username, cas_payload)
-            CAS.save_user_data(user)
-            
-            controller.session[:user] = user
-            controller.session[:cas_ticket_timestamp] = Time.now
-            return true
-        end
-
-        private
-
-        # Validates a CAS ticket with the server.
-        #
-        # Inputs:
-        # [service] The URL of the calling service.
-        # [ticket] The CAS ticket returned by the server in the URL.
-        #
-        # Returns an array: [ NetID, UIN ]
-        def self.validate_ticket(service, ticket)
-            RAILS_DEFAULT_LOGGER.debug "Validating ticket #{ticket}..."
-        
-            http = Net::HTTP.new(CAS.cas_server_host, CAS.cas_server_port)
-            http.use_ssl = true
-            page = http.get("/cas/serviceValidate?service=#{service}&ticket=#{ticket}").body
-
-            RAILS_DEFAULT_LOGGER.debug "Got response:\n"+page
-
-            # Parse XML document returned by CAS server
-            doc = REXML::Document.new(page)
-            return unless REXML::XPath.first(doc, 'cas:serviceResponse/cas:authenticationFailure',
-                'cas:serviceResponse' => 'http://www.yale.edu/tp/cas').nil?
-            return if REXML::XPath.first(doc, 'cas:serviceResponse/cas:authenticationSuccess',
-                'cas:serviceResponse' => 'http://www.yale.edu/tp/cas').nil?
-
-            cas_payload = CAS.process_cas_xml(doc)
-            
-            return cas_payload
-        end
-    
-        def self.redirect_to_login(controller, service)
-          RAILS_DEFAULT_LOGGER.debug "Redirecting to CAS login..."
-          controller.redirect_to "https://#{CAS.cas_server_host}:#{CAS.cas_server_port}/cas/login?service=#{service}"
-        end
-    end
-    
-    # The following callbacks are meant to allow you to inject your business logic into the CAS filter
-    # without the need to modify the original code.
-    
-    # This method is called after we've obtained the authenticated username from CAS.
-    # It takes the username and returns some data based on that username. The data will be stored
-    # under session[:user]. Here you may want to load your User model. i.e., something like this:
-    # 
-    #  module CAS
-    #    def self.load_user_data(username, cas_payload)
-    #      return User.find_by_username(username)
-    #    end
-    #  end
-    #  
-    #  The method also takes the cas_payload object containing data returned from CAS. You can use
-    #  this to set some additional data for your user object. By default, however, cas_payload doesn't
-    #  contain anything interesting -- only an array with the username. You can modify this by changing
-    #  the behaviour or CAS#process_cas_xml
-    #  
-    def self.load_user_data(username, cas_payload)
-      user = User.find_by_username(username)
-      if user.nil?
-        user = User.new(:username => username)
-      else
-        user.update_from_directory
-      end
-
-      user.last_login = Time.now
-      
-      return user
-    end
-    
-    # This method is called after load_user_data has done its business and returned the user object.
-    # Here you will probably want to call user.save (or something similar) to commit any changes
-    # made to the user object during authentication.
-    # 
-    # Example:
-    # 
-    #  module CAS
-    #    def self.load_user_data(user)
-    #      user.save
-    #    end
-    #  end
-    #  
-    def self.save_user_data(user)
-      user.save
-    end
-    
-    # This method is called to parse the REXML doc returned by a CAS ticket validation request.
-    # By default, the method returns a hash with a :username key containing the authenticated 
-    # username. However if your CAS server returns other information in its response, you may want
-    # to modify this to have the cas_payload hash include other data (cas_payload is later fed
-    # into the CAS#load_user_data callback).
-    # Note that whatever you do, you almost definetly should return a hash with a :username key
-    # since load_user_data expects its first parameter to be a username derived from this.
-    # 
-    # Example:
-    # 
-    #  module CAS
-    #    def self.process_cas_xml(doc)
-    #      cas_payload = {}
-    #      cas_payload[:username] = REXML::XPath.first(doc,
-    #            'cas:serviceResponse/cas:authenticationSuccess/cas:user',
-    #            'cas:serviceResponse' => 'http://www.yale.edu/tp/cas').get_text.value
-    #    end
-    #  end
-    #  
-    def self.process_cas_xml(doc)
-      cas_payload = {}
-      cas_payload[:username] = REXML::XPath.first(doc,
-                'cas:serviceResponse/cas:authenticationSuccess/cas:user',
-                'cas:serviceResponse' => 'http://www.yale.edu/tp/cas').get_text.value
-      #cas_payload << REXML::XPath.first(doc,
-      #    'cas:serviceResponse/cas:authenticationSuccess/cas:UIN',
-      #    'cas:serviceResponse' => 'http://www.yale.edu/tp/cas').get_text.value
-      
-      return cas_payload
-    end
-    
-    # Returns the full URI to the CAS logout page.
-    # +service+ can be a full URI where the user should be re-directed after logging out and logging in again.
-    # (However it is up to your CAS server's implementation whether to use this parameter for anything)
-    def self.cas_logout_uri(service = nil)
-      "https://#{CAS.cas_server_host}:#{CAS.cas_server_port}/cas/logout?service=#{service}"
-    end
-    
-    # Setter for @@cas_server_host.
-    def self.cas_server_host; @@cas_server_host; end
-    
-    # Setter for @@cas_server_port.
-    def self.cas_server_port; @@cas_server_port; end
-    
-    # Setter for @@refresh_ticket_interval.
-    def self.refresh_ticket_interval; @@refresh_ticket_interval; end
-    
-    # Getter for @@cas_server_host.
-    def self.cas_server_host=(url); @@cas_server_host = url; end
-    
-    # Getter for @@cas_server_port.
-    def self.cas_server_port=(port); @@cas_server_port = port; end
-    
-    # Getter for @@refresh_ticket_interval.
-    def self.refresh_ticket_interval=(interval); @@refresh_ticket_interval = interval; end
-end