rubycas-client 1.1.0 → 2.0.0

metadata

@@ -1,62 +1,82 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.9.2
-specification_version: 1
 name: rubycas-client
 version: !ruby/object:Gem::Version 
-  version: 1.1.0
-date: 2007-12-21 12:37:15.306028 -05:00
-summary: Client library for the CAS single-sign-on protocol.
-require_paths: 
-- lib
-email: matt@roughest.net
-homepage: http://rubycas-client.rubyforge.org
-rubyforge_project: rubycas-client
-description: RubyCAS-Client is a Ruby client library for Yale's Central Authentication Service (CAS) single-sign-on protocol for web-based applications.
-autorequire: 
-default_executable: 
-bindir: bin
-has_rdoc: true
-required_ruby_version: !ruby/object:Gem::Version::Requirement 
-  requirements: 
-  - - ">"
-    - !ruby/object:Gem::Version 
-      version: 0.0.0
-  version: 
+  version: 2.0.0
 platform: ruby
-signing_key: 
-cert_chain: 
-post_install_message: 
 authors: 
 - Matt Zukowski
-- Ola Bini
 - Matt Walker
-files: 
-- install.rb
-- init.rb
-- lib/cas.rb
-- lib/cas_proxy_callback_controller.rb
-- lib/cas_auth.rb
-- lib/cas_logger.rb
-- CHANGES
-- Rakefile
-- README
-- LICENSE
-test_files: []
+autorequire: 
+bindir: bin
+cert_chain: []
 
-rdoc_options: 
-- --title
-- RubyCAS-Client RDocs
-- --main
-- README
-- --line-numbers
-extra_rdoc_files: 
-- README
-- LICENSE
+date: 2008-02-19 00:00:00 -05:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+description: Client library for the Central Authentication Service (CAS) protocol.
+email: matt at roughest dot net
 executables: []
 
 extensions: []
 
+extra_rdoc_files: 
+- CHANGELOG.txt
+- History.txt
+- LICENSE.txt
+- Manifest.txt
+- README.txt
+files: 
+- CHANGELOG.txt
+- History.txt
+- LICENSE.txt
+- Manifest.txt
+- README.txt
+- Rakefile
+- init.rb
+- lib/casclient.rb
+- lib/casclient/client.rb
+- lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb
+- lib/casclient/frameworks/rails/filter.rb
+- lib/casclient/responses.rb
+- lib/casclient/tickets.rb
+- lib/casclient/version.rb
+- lib/rubycas-client.rb
+- setup.rb
+has_rdoc: true
+homepage: http://rubycas-client.rubyforge.org
+post_install_message: 
+rdoc_options: 
+- --main
+- README.txt
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
 requirements: []
 
-dependencies: []
+rubyforge_project: rubycas-client
+rubygems_version: 1.0.1
+signing_key: 
+specification_version: 2
+summary: Client library for the Central Authentication Service (CAS) protocol.
+test_files: []
 

data/README

@@ -1,223 +0,0 @@
-= RubyCAS-Client
-
-Author::    Matt Zukowski <matt AT roughest DOT net>, Ola Bini <ola.bini AT ki DOT se>, Matt Walker <mwalker AT tamu DOT edu>
-Copyright:: (c) 2006 Karolinska Institutet, portions (c) 2006 Urbacon Ltd.
-License::   GNU Lesser General Public License v2.1 (LGPL 2.1)
-Website::   http://rubyforge.org/projects/rubycas-client and http://code.google.com/p/rubycas-client
-
-=== RubyCAS-Client is a Ruby client library for Yale's Central Authentication Service (CAS) protocol.
-
-CAS provides a solid and secure single sign on solution for web-based applications. When a user logs on to your
-CAS-enabled website, the CAS client checks with the CAS server to see if the user has been centrally authenticated.
-If not, the user is redirected to your CAS server's web-based login page where they enter their credentials, and upon
-successful authentication are redirected back to your client web application. If the user has been previously
-authenticated with the CAS server (with their "ticket" being held as a session cookie), they are transparently
-allowed to go about their business.
-
-This client requires a CAS server to talk to. You can obtain a Java implementation of such a server as well as more info
-about the CAS protocol here: http://www.ja-sig.org/products/cas
-
-This CAS client library is designed to work easily with Rails, but can of course be used elsewhere.
-
-== Installing
-
-You can always download the latest version of RubyCAS-Client from the project's rubyforge page at http://rubyforge.org/projects/rubycas-client.
-However, probably the easiest way to install CAS support into your Rails app is via the plugins facility:
-
-  ./script/plugin install http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
-
-Alternatively, the library is also available as a gem, which can be installed by:
-
-  gem install rubycas-client
-  
-If your Rails application is under Subversion control, you can also install the plugin as an svn:external, which will ensure that
-you always have the latest version of RubyCAS-Client:
-
-  ./script/plugin install -x http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
-  
-Please contact the developers via the {RubyForge page}[http://rubyforge.org/projects/rubycas-client] if you have bug fixes
-or enhancements you would like to contribute back.
-
-== Examples
-
-==== Using RubyCAS-Client in Rails controllers
-
-<i>Note that from this point on we are assuming that you have a working CAS server up and running at an https URI.</i>
-
-Somewhere in your <tt>config/environment.rb</tt> file add this:
-
-  require 'cas_auth'
-  CAS::Filter.cas_base_url = "https://login.example.com/cas"
-  
-You will also need to specify the server name where your CAS-protected app is running (i.e. the hostname of the app you are
-adding CAS protection to, not the CAS server):
-
-  CAS::Filter.server_name = "yourapplication.example.com:3000"
-
-Then, in your <tt>app/controllers/application.rb</tt> (or in whatever controller you want to add the CAS filter for):
-
-  before_filter CAS::Filter
-  
-That's it. You should now find that you are redirected to your CAS login page whenever you try to access any action
-in your protected controller. You can of course qualify the <tt>before_filter</tt> as you would with any other ActionController
-filter. For example: 
-
-  before_filter CAS::Filter, :except => [ :unprotected_action, :another_unprotected_action ]
-
-<b>Once the user has been authenticated, their authenticated username is available under <tt>request.username</tt></b>
-(and also under <tt>session[:casfilteruser]</tt>). If you want to do something with this username (for example load a 
-user record from the database), you can append another filter method that checks for this value and does whatever you need
-it to do.
-
-==== A more complicated example
-
-Here is a more complicated configuration showing most of the configuration options (this does not show proxy options however,
-which are covered in the next section):
-
-  CAS::Filter.login_url = "https://login.example.com/cas/login"  # the URI of the CAS login page
-  CAS::Filter.validate_url = "https://login.example.com/cas/serviceValidate"  # the URI where CAS ticket validation requests are sent
-  CAS::Filter.server_name = "yourapplication.example.com:3000"  # the server name of your CAS-protected application
-  CAS::Filter.renew = false                      # force re-authentication? see http://www.ja-sig.org/products/cas/overview/protocol
-  CAS::Filter.wrap_request = true                # make the username available under request.username?
-  CAS::Filter.gateway = false                    # act as cas gateway? see http://www.ja-sig.org/products/cas/overview/protocol
-  CAS::Filter.session_username = :casfilteruser  # this is the hash in the session where the authenticated username will be stored
-
-Note that in this example we explicitly specified the login and validate URLs instead of letting RubyCAS-Client figure them out
-based on <tt>CAS::Filter.cas_base_url</tt>.
-
-==== Defining a 'logout' action
-
-Your Rails application's controller(s) will probably have some sort of logout function. In it you will likely want reset the 
-user's session for your application, and then redirect to the CAS server's logout URL. Here's an example of how to do this:
-
-  def logout
-  	reset_session
-  	redirect_to CAS::Filter.logout_url(self, request.referer)
-  end
-
-==== Gatewayed authentication
-
-RubyCAS-Client supports gatewaying as of version 1.1.0. Gatewaying allows for optional CAS authentication, so that users who
-already have a pre-existing CAS SSO session will be automatically authenticated for the gatewayed service, while those who
-do not, will be allowed to access the service without authentication. This is useful for example when you want to show
-some additional private content on a homepage to authenticated users, but also want unauthenticated users to be able to
-access the page without first logging in.
-
-For more information on using gatewaying, see CAS::GatewayFilter.
-
-==== How to act as a CAS proxy
-
-CAS 2.0 has a built-in mechanism that allows a CAS-authenticated application to pass on its authentication to other applications.
-An example where this is useful might be a portal site, where the user logs in to a central website and then gets forwarded to
-various other sites that run independently of the portal system (but are always accessed via the portal). The exact mechanism
-behind this is rather complicated so I won't go over it here. If you wish to learn more about CAS proxying, a great walkthrough
-is available at http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough.
-
-RubyCAS-Client fully supports proxying, so a CAS-protected Rails application can act as a CAS proxy.
-
-Additionally, RubyCAS-Client comes with a controller that can act as a CAS proxy callback receiver. This is necessary because
-when your application requests to act as a CAS proxy, the CAS server must contact your application to deposit the proxy-granting-ticket
-(PGT). Note that in this case the CAS server CONTACTS YOU, rather than you contacting the CAS server (as in all other CAS operations).
-
-Confused? Don't worry, you don't really have to understand this to use it. To enable your Rails app to act as a CAS proxy, 
-all you need to do is this:
-
-In your <tt>config/environment.rb</tt>:
-
-  CAS::Filter.cas_base_url = "https://login.example.com/cas"
-  CAS::Filter.proxy_callback_url = "https://yourrailsapp.com/cas_proxy_callback/receive_pgt"
-  CAS::Filter.proxy_retrieval_url = "https://yourrailsapp.com/cas_proxy_callback/retrieve_pgt"
-  
-In <tt>config/routes.rb</tt> make sure that you have a route that will allow requests to /cas_proxy_callback/:action to be routed to the
-CasProxyCallbackController. This should work as-is with the standard Rails routes setup, but if you have disabled the default
-route, you should add the following:
-
-  map.cas_proxy_callback 'cas_proxy_callback/:action', :controller => 'cas_proxy_callback'
-
-Now here's a big giant caveat: <b>your CAS callback application and your CAS proxy application must run on separate Rails servers</b>.
-In other words, if you want a Rails app to act as a CAS ticket-granting proxy, the cas_proxy_callback controller
-must run on a different server. This is because Rails does not properly support handling of concurrent requests. The CAS proxy mechanism
-acts in such a way that if your proxy application and your callback controller were on the same server
-you would end up with a deadlock (the CAS server would be waiting for its callback to be accepted by your Rails server,
-but your Rails server wouldn't respond to the CAS server's callback until the CAS server responded back first).
-
-The simplest workaround is this:
-
-1. Create an empty rails app (i.e. something like <tt>rails cas_proxy_callback</tt>)
-2. Make sure that you have the CAS plugin installed. If you installed it as a gem, you don't have to do anything since
-   it is already installed. If you want to install as a plugin, see the instructions in the "Installing" section above.
-3. Make sure that the server is up and running, and configure your proxy_callback_url and proxy_retrieval_url to point
-   to the new server as described above (or rather, make Pound point to the new server, if that's how you're handling https).
-   
-That's it. The proxy_callback_controller doesn't require any additional configuration. It doesn't access the database
-or anything of that sort.
-
-Once your user logs in to CAS via your application, you can do the following to obtain a service ticket that can then be used
-to authenticate another application:
-
-  service_uri = "http://some.other.application"
-  proxy_granting_ticket = session[:casfilterpgt]
-  ticket = CAS::Filter.request_proxy_ticket(service_uri, proxy_granting_ticket).proxy_ticket
-
-<tt>ticket</tt> should now contain a valid service ticket. You can use it to authenticate by sending it and the service URI
-as query parameters to your target application:
-
-  http://some.other.application?service=#{CGI.encode(ticket.target_service)}&ticket=#{ticket.proxy_ticket}
-  
-This is of course assuming that some.other.application is also protected by the CAS filter. 
-Note that you should always URI-encode your service parameter inside URIs!
-
-Note that CAS::Filter#request_proxy_ticket actually returns a CAS::ProxyTicketRequest object, which is why we need to call
-#proxy_ticket on it to retrieve the actual service ticket.
-
-For extra security -- and you will likely want to do this on production machines in the wild -- in the proxied app's configuration
-(some.other.appliction in this example) you can specify the list of authorized proxies. For example, on your proxied app the CAS
-configuration might look something like this:
-
-  CAS::Filter.cas_base_url = "https://login.example.com/cas"
-  CAS::Filter.server_name = "some.other.application"
-  CAS::Filter.authorized_proxies = ["https://yourrailsapp.com/cas/proxy_callback/receive_pgt"]
-  
-If no authorized proxies are given, the filter will accept receipts from any proxy.
-
-===== Additional notes and caveats:
-
-Note that when the CAS filter runs, the PGT is stored in session[:casfilterpgt]. This value must be passed to CAS::Filter#request_proxy_ticket.
-Also, note that CAS::Filter#request_proxy_ticket will URI-encode the service_uri before passing it to the CAS server, and the service
-value must henceforth always be passed as URI-encoded (this can be problematic when your proxied application uses some CAS client other than
-RubyCAS-Client).
-
-<b>The proxy url must be an https address.</b> Otherwise CAS will refuse to communicate with it. This means that if you are using
-the bundled cas_proxy_callback controller, you will have to host your application on an https-enabled server. This can be a bit
-tricky with Rails. WEBrick's SSL support is difficult to configure, and Mongrel doesn't support SSL at all. One workaround is to
-use a reverse proxy like Pound[http://www.apsis.ch/pound/], which will accept https connections and locally re-route them
-to your Rails application. Also, note that <i>self-signed SSL certificates likely won't work</i>. You will probably need to use
-a real certificate purchased from a trusted CA authority (there are ways around this, but good luck :)
-
-
-== SSL Support
-
-If you are getting an error on net/https -- something like this:
-
-  no such file to load -- net/https
-
-Then make sure the library for open SSL is installed. For example, on an Debian/Ubuntu system issue the following:
-
-  sudo apt-get install libopenssl-ruby
-
-
-== License
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU Lesser General Public License as published by
-the Free Software Foundation; either version 2 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public License
-along with this program (see the file called LICENSE); if not, write to the
-Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA

data/install.rb

@@ -1,5 +0,0 @@
-# Install hook code here
-#parent_dir = File.dirname(File.expand_path(__FILE__))
-#grandparent_dir = File.dirname(parent_dir)
-#
-#File.rename(parent_dir, grandparent_dir+"/rubycas-client")

data/lib/cas.rb

@@ -1,194 +0,0 @@
-require 'net/https'
-require 'rexml/document'
-
-module CAS
-  class CASException < Exception
-  end
-  class AuthenticationException < CASException
-  end
-  class ValidationException < CASException
-  end
-  class MalformedServerResponseException < CASException
-  end
-
-  class Receipt
-    attr_accessor :validate_url, :pgt_iou, :primary_authentication, :proxy_callback_url, :proxy_list, :user_name
-
-    def primary_authentication?
-      primary_authentication
-    end
-
-    def initialize(ptv)
-      if !ptv.successful_authentication?
-        begin
-          ptv.validate
-        rescue ValidationException=>vald
-          raise AuthenticationException, "Unable to validate ProxyTicketValidator [#{ptv}] [#{vald}]"
-        end
-        raise AuthenticationException, "Unable to validate ProxyTicketValidator because of no success with validation[#{ptv}]" unless ptv.successful_authentication?
-      end
-      self.validate_url = ptv.validate_url
-      self.pgt_iou = ptv.pgt_iou
-      self.user_name = ptv.user
-      self.proxy_callback_url = ptv.proxy_callback_url
-      self.proxy_list = ptv.proxy_list
-      self.primary_authentication = ptv.renewed?
-      raise AuthenticationException, "Validation of [#{ptv}] did not result in an internally consistent Receipt" unless validate
-    end
-
-    def proxied?
-      !proxy_list.empty?
-    end
-
-    def proxying_service
-      proxy_list.first
-    end
-
-    def to_s
-      "[#{super} - userName=[#{user_name}] validateUrl=[#{validate_url}] proxyCallbackUrl=[#{proxy_callback_url}] pgtIou=[#{pgt_iou}] proxyList=[#{proxy_list}]"
-    end
-
-    def validate
-      user_name &&
-        validate_url &&
-        proxy_list &&
-        !(primary_authentication? && !proxy_list.empty?) # May not be both primary authenitication and proxied.
-    end
-  end
-
-  class AbstractCASResponse
-    attr_reader :error_code, :error_message, :successful_authentication
-  
-    def self.retrieve(uri_str)
-      prs = URI.parse(uri_str)
-      https = Net::HTTP.new(prs.host,prs.port)
-      https.use_ssl = (prs.scheme == 'https') # patch by rubywmg to allow non-SSL URLs for demo purposes
-      https.start { |conn|
-        # TODO: make sure that HTTP status code in the response is 200... maybe throw exception if is 500?
-        conn.get("#{prs.path}?#{prs.query}").body.strip
-      }
-    end
-    
-    protected
-    def parse_unsuccessful(elm)
-      @error_message = elm.text.strip
-      @error_code = elm.attributes["code"].strip
-      @successful_authentication = false
-    end
-
-    def parse(str)
-      begin
-        doc = REXML::Document.new str
-      rescue REXML::ParseException => e
-        raise MalformedServerResponseException, "BAD RESPONSE FROM CAS SERVER:\n#{str.inspect}\n\nEXCEPTION:\n#{e}"
-      end
-      
-      unless doc.elements && doc.elements["cas:serviceResponse"]
-        raise MalformedServerResponseException, "BAD RESPONSE FROM CAS SERVER:\n#{str.inspect}\n\nXML DOC:\n#{doc.inspect}"
-      end
-      
-      resp = doc.elements["cas:serviceResponse"].elements[1]
-      
-      if successful_response? resp
-        parse_successful(resp)
-      else
-        parse_unsuccessful(resp)
-      end
-    end
-  end
-  
-  class ServiceTicketValidator < AbstractCASResponse
-    attr_accessor :validate_url, :proxy_callback_url, :renew, :service_ticket, :service
-    attr_reader   :pgt_iou, :user, :entire_response
-
-    def renewed?
-      renew
-    end
-
-    def successful_authentication?
-      successful_authentication
-    end
-
-    def validate
-      raise ValidationException, "must set validation URL and ticket" if validate_url.nil? || service_ticket.nil?
-      clear!
-      @attempted_authentication = true
-      url_building = "#{validate_url}#{(url_building =~ /\?/)?'&':'?'}service=#{CGI.escape(service)}&ticket=#{service_ticket}"
-      url_building += "&pgtUrl=#{proxy_callback_url}" if proxy_callback_url
-      url_building += "&renew=true" if renew
-      @@entire_response = ServiceTicketValidator.retrieve url_building
-      parse @@entire_response
-    end
-
-    def clear!
-      @user = @pgt_iou = @error_message = nil
-      @successful_authentication = @attempted_authentication = false
-    end
-
-    def to_s
-      "[#{super} - validateUrl=[#{validate_url}] proxyCallbackUrl=[#{proxy_callback_url}] ticket=[#{service_ticket}] service=[#{service} pgtIou=[#{pgt_iou}] user=[#{user}] errorCode=[#{error_message}] errorMessage=[#{error_message}] renew=[#{renew}] entireResponse=[#{entire_response}]]"
-    end
-    
-    protected
-    def parse_successful(elm)
-#      puts "successful"
-      @user = elm.elements["cas:user"] && elm.elements["cas:user"].text.strip
-#      puts "user: #{@user}"
-      @pgt_iou = elm.elements["cas:proxyGrantingTicket"] && elm.elements["cas:proxyGrantingTicket"].text.strip
-#      puts "pgt_iou: #{@pgt_iou}"
-      @successful_authentication = true
-    end
-    
-    def successful_response?(resp)
-      resp.name == "authenticationSuccess"
-    end
-  end
-
-  class ProxyTicketValidator < ServiceTicketValidator
-    attr_reader :proxy_list
-    @@response_prefix = "proxy"
-
-    def initialize
-      super
-      @proxy_list = []
-    end
-
-    def clear!
-      super
-      @proxy_list = []
-    end
-
-    protected
-    def parse_successful(elm)
-      super(elm)
-      
-      proxies = elm.elements["cas:proxies"]
-      if proxies
-        proxies.elements.each("cas:proxy") { |prox|
-          @proxy_list ||= []
-          @proxy_list << prox.text.strip
-        }
-      end
-    end
-  end
-
-  class ProxyTicketRequest < AbstractCASResponse
-    attr_accessor :proxy_url, :target_service, :pgt
-    attr_reader :proxy_ticket
-  
-    def request
-      url_building = "#{proxy_url}#{(url_building =~ /\?/)?'&':'?'}pgt=#{pgt}&targetService=#{CGI.escape(target_service)}"
-      @@entire_response = ServiceTicketValidator.retrieve url_building
-      parse @@entire_response
-    end
-    
-    protected
-    def parse_successful(elm)
-      @proxy_ticket = elm.elements["cas:proxyTicket"] && elm.elements["cas:proxyTicket"].text.strip
-    end
-    
-    def successful_response?(resp)
-      resp.name == "proxySuccess"
-    end
-  end
-end