rubycas-client 0.11.0 → 0.12.0

data/CHANGES

@@ -1,5 +1,23 @@
 = RubyCAS-Client Changelog
 
+== Version 0.12.0
+
+* Prior to redirecting to the CAS login page, the client now stores the
+  current service URI in a session variable. This value is used to
+  validate the service ticket after the user comes back from the CAS
+  server's login page. This should address issues where redirection
+  from the CAS server resulted in a slightly different URI from the original
+  one used prior to login redirection (for example due to variations in the
+  way routing rules are applied by the server).
+* The client now handles malformed CAS server responses more gracefully.
+  This makes debugging a malfunctioning CAS server somewhat easier.
+* When receiving a proxy-granting ticket, the cas_proxy_callback_controller
+  can now take a parameter called 'pgt' (which is what ought to be used
+  according to the published CAS spec) or 'pgtId' (which is what the JA-SIG
+  CAS server uses).
+* Logging has been somewhat quieted down. Many messages that were previously
+  logged as INFO are now logged as DEBUG.
+
 == Version 0.11.0
 
 * Added this changelog to advise users of major changes to the library.

data/README

@@ -30,29 +30,30 @@ Alternatively, the library is also available as a gem, which can be installed by
 
   gem install rubycas-client
   
-If your Rails application is under subversion control, you can also install the plugin as an external, which will ensure that
-you are always up to date:
+If your Rails application is under Subversion control, you can also install the plugin as an svn:external, which will ensure that
+you always have the latest version of RubyCAS-Client:
 
   ./script/plugin install -x http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
   
-Please contact the developers via the {rubyforge.org page}[http://rubyforge.org/projects/rubycas-client] if you have bug fixes
+Please contact the developers via the {RubyForge page}[http://rubyforge.org/projects/rubycas-client] if you have bug fixes
 or enhancements you would like to contribute back.
 
 == Examples
 
-==== Here is an example of how to use the library in your Rails application:
+==== Using RubyCAS-Client in Rails controllers
 
-Somewhere in your <tt>config/environment.rb</tt> file add this (assuming that you have RubyCAS-Client installed as a plugin, otherwise
-you'll need to <tt>require 'cas_auth'</tt> and <tt>require 'cas_proxy_callback_controller'</tt>):
+<i>Note that from this point on we are assuming that you have a working CAS server up and running at an https URI.</i>
 
+Somewhere in your <tt>config/environment.rb</tt> file add this:
+
+  require 'cas_auth'
   CAS::Filter.cas_base_url = "https://login.example.com/cas"
   
-You will also probably (but not necessarily) need to specify the server name where your CAS-protected app is running:
+You will also need to specify the server name where your CAS-protected app is running (i.e. the hostname of the app you are
+adding CAS protection to, not the CAS server):
 
   CAS::Filter.server_name = "yourapplication.example.com:3000"
 
-The above setting might not be necessary if your application is running on the standard port 80.
-
 Then, in your <tt>app/controllers/application.rb</tt> (or in whatever controller you want to add the CAS filter for):
 
   before_filter CAS::Filter
@@ -68,7 +69,7 @@ filter. For example:
 user record from the database), you can append another filter method that checks for this value and does whatever you need
 it to do.
 
-==== A more complicated example:
+==== A more complicated example
 
 Here is a more complicated configuration showing most of the configuration options (this does not show proxy options however,
 which are covered in the next section):
@@ -81,8 +82,10 @@ which are covered in the next section):
   CAS::Filter.gateway = false                    # act as cas gateway? see http://www.ja-sig.org/products/cas/overview/protocol
   CAS::Filter.session_username = :casfilteruser  # this is the hash in the session where the authenticated username will be stored
 
+Note that in this example we explicitly specified the login and validate URLs instead of letting RubyCAS-Client figure them out
+based on <tt>CAS::Filter.cas_base_url</tt>.
 
-==== How to act as a CAS proxy:
+==== How to act as a CAS proxy
 
 CAS 2.0 has a built-in mechanism that allows a CAS-authenticated application to pass on its authentication to other applications.
 An example where this is useful might be a portal site, where the user logs in to a central website and then gets forwarded to

data/init.rb

@@ -5,13 +5,13 @@ require 'cas_proxy_callback_controller'
 #CAS::Filter.logger = RAILS_DEFAULT_LOGGER if !RAILS_DEFAULT_LOGGER.nil?
 #CAS::Filter.logger = config.logger if !config.logger.nil?
 
-CAS::Filter.logger = CAS::Logger.new("#{RAILS_ROOT}/log/cas_client_#{RAILS_ENV}.log", 1024000)
+CAS::Filter.logger = CAS::Logger.new("#{RAILS_ROOT}/log/cas_client_#{RAILS_ENV}.log")
 CAS::Filter.logger.formatter = CAS::Logger::Formatter.new
 
 #if RAILS_ENV == "production"
 #  CAS::Filter.logger.level = Logger::WARN
 #else
-  CAS::Filter.logger.level = Logger::DEBUG
+#  CAS::Filter.logger.level = Logger::DEBUG
 #end
 
 

data/lib/cas.rb

@@ -8,6 +8,8 @@ module CAS
   end
   class ValidationException < CASException
   end
+  class MalformedServerResponseException < CASException
+  end
 
   class Receipt
     attr_accessor :validate_url, :pgt_iou, :primary_authentication, :proxy_callback_url, :proxy_list, :user_name
@@ -55,14 +57,12 @@ module CAS
   end
 
   class AbstractCASResponse
+    attr_reader :error_code, :error_message, :successful_authentication
   
     def self.retrieve(uri_str)
-#      puts uri_str
       prs = URI.parse(uri_str)
-#      puts prs.inspect
       https = Net::HTTP.new(prs.host,prs.port)
-#      puts https.inspect
-      https.use_ssl=true
+      https.use_ssl = true
       https.start { |conn|
         # TODO: make sure that HTTP status code in the response is 200... maybe throw exception if is 500?
         conn.get("#{prs.path}?#{prs.query}").body.strip
@@ -71,17 +71,24 @@ module CAS
     
     protected
     def parse_unsuccessful(elm)
-#      puts "unsuccessful"
       @error_message = elm.text.strip
       @error_code = elm.attributes["code"].strip
       @successful_authentication = false
     end
 
     def parse(str)
-#      puts "parsing... #{str}"
-      doc = REXML::Document.new str
+      begin
+        doc = REXML::Document.new str
+      rescue REXML::ParseException => e
+        raise MalformedServerResponseException, "BAD RESPONSE FROM CAS SERVER:\n#{str}\n\nEXCEPTION:\n#{e}"
+      end
+      
+      unless doc.elements && doc.elements["cas:serviceResponse"]
+        raise MalformedServerResponseException, "BAD RESPONSE FROM CAS SERVER:\n#{str}\n\nXML DOC:\n#{doc.inspect}"
+      end
+      
       resp = doc.elements["cas:serviceResponse"].elements[1]
-#      puts "resp... #{resp.name}"
+      
       if successful_response? resp
         parse_successful(resp)
       else
@@ -92,7 +99,7 @@ module CAS
   
   class ServiceTicketValidator < AbstractCASResponse
     attr_accessor :validate_url, :proxy_callback_url, :renew, :service_ticket, :service
-    attr_reader   :pgt_iou, :user, :error_code, :error_message, :entire_response, :successful_authentication
+    attr_reader   :pgt_iou, :user, :entire_response
 
     def renewed?
       renew
@@ -154,7 +161,7 @@ module CAS
     protected
     def parse_successful(elm)
       super(elm)
-#      puts "proxy_successful"
+      
       proxies = elm.elements["cas:proxies"]
       if proxies
         proxies.elements.each("cas:proxy") { |prox|
@@ -171,9 +178,7 @@ module CAS
   
     def request
       url_building = "#{proxy_url}#{(url_building =~ /\?/)?'&':'?'}pgt=#{pgt}&targetService=#{CGI.escape(target_service)}"
-#      puts "REQUESTING:"+url_building
       @@entire_response = ServiceTicketValidator.retrieve url_building
-#      puts @@entire_response.to_s
       parse @@entire_response
     end
     

data/lib/cas_auth.rb

@@ -106,26 +106,27 @@ module CAS
         if !@@logout_url && @@login_url =~ %r{^(.+?)/[^/]*$}
           @@logout_url = "#{$1}/logout"
         end
-        logger.info "Created logout url: #{@@logout_url}"
+        logger.debug "Created logout url: #{@@logout_url}"
       end
       
       def logout_url(controller)
         create_logout_url unless @@logout_url
         url = redirect_url(controller,@@logout_url)
-        logger.info "Logout url is: #{url}"
+        logger.debug "Logout url is: #{url}"
         url
       end
       
       def logout_url=(url)
         @@logout_url = url
-        logger.info "Set logout url to: #{url}"
+        logger.debug "Initialized logout url to: #{url}"
       end
       
       def cas_base_url=(url)
+        url.gsub!(/\/$/, '')
         CAS::Filter.login_url = "#{url}/login"
         CAS::Filter.validate_url = "#{url}/proxyValidate"
         CAS::Filter.proxy_url = "#{url}/proxy"
-        logger.info "Set CAS base url to: #{url}"
+        logger.debug "Initialized CAS base url to: #{url}"
       end
         
       def fake
@@ -162,17 +163,18 @@ module CAS
       def filter_r(controller)
         logger.break
         logger.info("Using real CAS filter in controller: #{controller}")
-          session_receipt = controller.session[:casfilterreceipt]
-          session_ticket = controller.session[:caslastticket]
-          ticket = controller.params[:ticket]
+        
+        session_receipt = controller.session[:casfilterreceipt]
+        session_ticket = controller.session[:caslastticket]
+        ticket = controller.params[:ticket]
   
-          is_valid = false
-          
-          if ticket and (!session_ticket or session_ticket != ticket)
-            log.info "A ticket parameter was given in the URI: #{ticket} and "+
-              (!session_ticket ? "there is no previous ticket for this session" : 
-                  "the ticket is different than the previous ticket, which was #{session_ticket}")
-          
+        is_valid = false
+        
+        if ticket and (!session_ticket or session_ticket != ticket)
+          log.info "A ticket parameter was given in the URI: #{ticket} and "+
+            (!session_ticket ? "there is no previous ticket for this session" : 
+                "the ticket is different than the previous ticket, which was #{session_ticket}")
+        
           receipt = get_receipt_for_ticket(ticket, controller)
           
           if receipt && validate_receipt(receipt)
@@ -188,16 +190,16 @@ module CAS
                 log.debug("Got PGT #{pgt} for PGT IOU #{receipt.pgt_iou}. This will be stored in the session.")
                 controller.session[:casfilterpgt] = pgt
               else
-                log.warning("Failed to retrieve a PGT for PGT IOU #{receipt.pgt_iou}!")
+                log.error("Failed to retrieve a PGT for PGT IOU #{receipt.pgt_iou}!")
               end
             end
             
             is_valid = true
           else
             if receipt
-              log.warn "get_receipt_for_ticket() for ticket #{ticket} did not return a receipt!"
-            else
               log.warn "Receipt was invalid for ticket #{ticket}!"
+            else
+              log.warn "get_receipt_for_ticket() for ticket #{ticket} did not return a receipt!"
             end
           end
           
@@ -241,6 +243,7 @@ module CAS
           logger.info "This request is successfully CAS authenticated for user #{controller.session[@@session_username]}!"
           return true
         else
+          controller.session[:service] = service_url(controller)
           logger.info "This request is NOT CAS authenticated, so we will redirect to the login page at: #{redirect_url(controller)}"
             controller.send :redirect_to, redirect_url(controller) and return false
         end
@@ -262,7 +265,7 @@ module CAS
         if r.proxy_ticket
           logger.info("Got proxy ticket #{r.proxy_ticket} for service #{r.target_service}")
         else
-          logger.warn("Did not receive a proxy ticket for service #{r.target_service}!")
+          logger.warn("Did not receive a proxy ticket for service #{r.target_service}! Reason: #{r.error_code}: #{r.error_message}")
         end
         
         return r
@@ -323,7 +326,7 @@ module CAS
         pv = ProxyTicketValidator.new
         pv.validate_url = @@validate_url
         pv.service_ticket = ticket
-        pv.service = service_url(controller)
+        pv.service = controller.session[:service] || service_url(controller)
         pv.renew = @@renew
         pv.proxy_callback_url = @@proxy_callback_url
         receipt = nil
@@ -332,6 +335,9 @@ module CAS
           receipt = Receipt.new(pv)
         rescue AuthenticationException => e
           logger.warn("Getting a receipt for the ProxyTicketValidator threw an exception: #{e}")
+        rescue  MalformedServerResponseException => e
+          logger.error("CAS Server returned malformed response:\n\n#{e}")
+          raise e
         end
         logger.debug "Receipt is: #{receipt.inspect}"
         receipt
@@ -340,13 +346,17 @@ module CAS
       def self.service_url(controller)
         unclean = @@service_url || guess_service(controller)
         clean = remove_ticket_from_service_uri(unclean)
-        logger.debug("Service URI with ticket removed is: #{clean}")
+        logger.debug("Service URI without ticket is: #{clean}")
         clean
       end
       
       # FIXME: this method is really poorly named :(
       def self.redirect_url(controller,url=@@login_url)
-        "#{url}?service=#{CGI.escape(service_url(controller))}" + ((@@renew)? "&renew=true":"") + ((@@gateway)? "&gateway=true":"") + ((@@query_string.blank?)? "" : "&"+(@@query_string.collect { |k,v| "#{k}=#{v}"}.join("&")))
+        "#{url}?service=#{CGI.escape(service_url(controller))}" + 
+          ((@@renew)? "&renew=true":"") + 
+          ((@@gateway)? "&gateway=true":"") + 
+          ((@@query_string.blank?)? "" : "&" +
+          (@@query_string.collect { |k,v| "#{k}=#{v}"}.join("&")))
       end
       
       def self.guess_service(controller)

data/lib/cas_proxy_callback_controller.rb

@@ -14,11 +14,13 @@ class CasProxyCallbackController < ActionController::Base
     #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
 
     pgtIou = params['pgtIou']
-    pgtId = params['pgtId']
+    
+    # CAS Protocol spec says that the argument should be called 'pgt', but the JA-SIG CAS server seems to use pgtId.
+    # To accomodate this, we check for both parameters, although 'pgt' takes precedence over 'pgtId'.
+    pgtId = params['pgt'] || params['pgtId']
     
     # We need to render a response with HTTP status code 200 when no pgtIou/pgtId is specified because CAS seems first
-    # call the action without any parameters (maybe to check if the server responds correctly) and only then again,
-    # this time with the required params.
+    # call the action without any parameters (maybe to check if the server responds correctly)
     render :text => "Okay, the server is up, but please specify a pgtIou and pgtId." and return unless pgtIou and pgtId
     
     # TODO: pstore contents should probably be encrypted...

metadata

@@ -3,8 +3,8 @@ rubygems_version: 0.9.0
 specification_version: 1
 name: rubycas-client
 version: !ruby/object:Gem::Version 
-  version: 0.11.0
-date: 2007-01-18 00:00:00 -05:00
+  version: 0.12.0
+date: 2007-04-04 00:00:00 -04:00
 summary: Client library for the CAS single-sign-on protocol.
 require_paths: 
 - lib