rubycas-server 0.1.0

data/bin/rubycas-server

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require_gem 'rubycas-server'
+
+$RUN = true
+
+load 'casserver.rb'

data/config.example.yml

@@ -0,0 +1,197 @@
+# IMPORTANT NOTE ABOUT YAML CONFIGURATION FILES
+# ---> Be sure to use spaces instead of tabs for indentation. Yaml is white-space sensitive!
+
+##### SERVER ########################################################################
+
+# Under what environment are you running the CAS server? The following methods
+# are currently supported:
+#
+# webrick -- run as a stand-alone webrick server; this is the default method
+# mongrel -- run as a stand-alone mongrel server; fast, but you'll need to install
+#            mongrel and run it behind an https reverse proxy like Pound or Apache 2.2's mod_proxy)
+# cgi     -- slow, but simple to set up if you're already familliar with deploying CGI scripts
+# fastcgi -- see http://www.fastcgi.com (e.g. under Apache you can use this with mod_fastcgi)
+#
+# The cgi and fastcgi methods have not been thoroughly tested! 
+# Please report any problems to the authors.
+# 
+# IMPORTANT: If you use mongrel, you will need to run the server behind a reverse proxy 
+#            (Pound, Apache 2.2 with mod_proxy, etc.) since mongrel does not support SSL/HTTPS.
+#            See the RubyCAS-Server install docs for more info. Also, mongrel requries
+#            Camping 1.5.180 which as of writing is only available via SVN. You can install
+#            this by running `gem install camping --source code.whytheluckystiff.net`
+
+### webrick example
+
+server: webrick
+port: 443
+ssl_cert: /path/to/your/ssl.pem
+# ssl_key: /path/to/your/private_key.pem  <-- if private key is separate from cert
+
+### mongrel example (you will need to run this behind an https reverse proxy,
+### since mongrel doesn't support SSL on its own)
+
+#server: mongrel
+#port: 110011
+
+### cgi example (you'll need to serve this via an SSL-capable server like Apache)
+
+#server: cgi
+
+### fastcgi example (you'll need to serve this via an SSL-capable server like Apache)
+
+#server: fastcgi
+
+
+##### DATABASE #######################################################################
+
+# Set up the database connection. Make sure that this database is secure!
+# 
+# By default, we use sqlite3 since it works without any extra configuration.
+# You can also use MySQL, PostgreSQL, MSSQL, or anything else supported by ActiveRecord.
+#
+# For example, with MySQL, your config wold be something like:
+#
+#database:
+#  adapter: mysql
+#  database: casserver
+#  user: root
+#  password: 
+#  server: localhost
+#
+
+database:
+  adapter: sqlite3
+  dbfile: /var/lib/casserver.db
+  
+
+##### AUTHENTICATION #################################################################
+
+# Configure how username/passwords are validated.
+#
+# !!! YOU MUST CONFIGURE ONE (AND ONLY ONE) OF THESE AUTHENTICATION METHODS !!!
+#
+# Currently there are three built-in methods for authentication:
+# SQL, ActiveDirectory, and LDAP. If none of these work for you, it is relatively
+# easy to write your own custom Authenticator class.
+#
+# ==> SQL Authentication:
+# The simplest method is to validate against a SQL database. This assumes
+# that all of your users are stored in a table that has a 'username' column
+# and a 'password' column. When the user logs in, CAS conects to this database
+# and look for a matching username/password in the users table. If a matching
+# username and password is found, authentication is successful.
+# 
+# Example:
+#
+#authenticator:
+#  class: CASServer::Authenticators::SQL
+#  database:
+#    adapter: mysql
+#    database: some_database_with_users_table
+#    user: root
+#    password: 
+#    server: localhost
+#  user_table: user
+#  username_column: username
+#  password_column: password
+#
+#
+# ==> ActiveDirectory Authentication:
+# This method authenticates against Microsoft's ActiveDirectory using LDAP.
+# You must enter your ActiveDirectory server, and base DN. The port number
+# and LDAP filter are optional. You must also enter a username and password
+# for an "authenticator" user. The authenticator users this account to
+# log in to the ActiveDirectory server and search LDAP. This does not have
+# to be an administrative account; it only has to be able to search for other
+# users.
+#
+# Example:
+#
+#authenticator: 
+#  class: CASServer::Authenticators::ActiveDirectoryLDAP
+#  ldap:
+#    server: ad.example.net
+#    port: 389
+#    base: dc=example,dc=net
+#    filter: (objectClass=person)
+#    auth_user: authenticator
+#    auth_password: itsasecret
+#
+#
+# ==> LDAP Authentication:
+# This is a more general version of the ActiveDirectory authenticator.
+# The configuration is similar, except you don't need an authenticator
+# username or password. Note that this authenticator hasn't been widely
+# tested, so it is not guaranteed to work.
+#
+#authenticator:
+#  class: CASServer::Authenticators::ActiveDirectoryLDAP
+#  ldap:
+#    server: ad.example.net
+#    port: 389
+#    base: dc=example,dc=net
+#    filter: (objectClass=person)
+#
+#
+# ==> Custom Authentication:
+# It should be relatively easy to write your own Authenticator class. Have a look
+# at the built-in authenticators in the casserver/authenticators directory. Your
+# authenticator should extend the CASServer::Authenticators::Base class and must
+# implement a validate() method that takes a single hash argument. When the user submits
+# the login form, the username and password they entered is passed to validate()
+# as a hash under :username and :password keys. In the future, this hash
+# might also contain other data such as the domain that the user is logging in to.
+#
+# To use your custom authenticator, specify it's class name in the authenticator section
+# of the config. You will also probably have to load the class using using a `require`
+# call at the top of casserver.rb. Any other parameters you specify in the authenticator
+# configuration will be passed on to the authenticator and made availabe in the validate()
+# method as an @options hash.
+#
+# Example:
+#
+#authenticator:
+#  class: FooModule::MyCustomAuthenticator
+#  option_a: foo
+#  another_option: yeeha
+
+
+##### LOOK & FEEL ######################################################################
+
+# Set the path to the theme directory that determines how your CAS pages look. 
+#
+# Custom themes are not well supported yet, but will be in the near future. In the
+# meantime, if you want to create a custom theme, you can create a subdirectory
+# under the CASServer's themes dir (for example '/usr/lib/ruby/1.8/gems/casserver-xxx/lib/themes',
+# if you installed CASServer on Linux as a gem). A theme is basically just a theme.css
+# file that overrides the themes/cas.css styles along with a collection of image files
+# like logo.png and bg.png.
+#
+# By default, we use the 'simple' theme which you can find in themes/simple.
+theme: simple
+
+# The name of your company/organization. This will show up on the login page.
+organization: CAS
+
+# A short bit of text that shows up on the login page. You can make this blank if you prefer.
+infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
+
+
+##### LOGGING #########################################################################
+
+# Configure general logging. This log is where you'll want to look in case of problems.
+#
+# You may want to change the file to something like /var/log/casserver.log
+# Set the level to DEBUG if you want more detailed logging.
+
+log:
+  file: /var/log/casserver.log
+  level: INFO
+
+
+# If you want full database logging, uncomment this next section.
+# Every SQL query will be logged here. This is useful for debugging database problems.
+#
+#db_log:
+#  file: /var/log/casserver_db.log

data/lib/casserver.rb

@@ -0,0 +1,152 @@
+#!/usr/bin/env ruby
+
+# change to current directory when invoked on its own
+Dir.chdir(File.dirname(File.expand_path(__FILE__))) if __FILE__ == $0
+
+# add current directory to load path
+$: << File.dirname(File.expand_path(__FILE__))
+
+require 'rubygems'
+require_gem 'camping', '~> 1.5'
+require 'camping'
+
+require 'active_support'
+require 'yaml'
+
+# enable xhtml source code indentation for debugging views
+Markaby::Builder.set(:indent, 2)
+
+# seed the random number generator (ruby does this by default, but it doesn't hurt to do it here just to be sure)
+srand
+
+# Camping.goes must be called after the authenticator class is loaded, otherwise weird things happen
+Camping.goes :CASServer
+
+module CASServer
+end
+
+require 'casserver/utils'
+require 'casserver/models'
+require 'casserver/cas'
+require 'casserver/conf'
+require 'casserver/views'
+require 'casserver/controllers'
+
+# init the logger
+$LOG = CASServer::Utils::Logger.new(CASServer::Conf.log[:file])
+$LOG.level = "CASServer::Utils::Logger::#{CASServer::Conf.log[:level]}".constantize
+
+# do initialization stuff
+def CASServer.create
+  CASServer::Models.create_schema
+  
+  $LOG.info("RubyCAS-Server initialized.")
+  
+  $LOG.debug("Configuration is:\n#{$CONF.to_yaml}")
+  $LOG.debug("Authenticator is: #{$AUTH}")
+  
+  CASServer::Models::ServiceTicket.cleanup_expired(CASServer::Conf.service_ticket_expiry)
+  CASServer::Models::LoginTicket.cleanup_expired(CASServer::Conf.login_ticket_expiry)
+  CASServer::Models::ProxyGrantingTicket.cleanup_expired(CASServer::Conf.proxy_granting_ticket_expiry)
+  CASServer::Models::TicketGrantingTicket.cleanup_expired(CASServer::Conf.ticket_granting_ticket_expiry)
+end
+
+
+# this gets run if we launch directly (i.e. `ruby casserver.rb` rather than `camping casserver`)
+if __FILE__ == $0 || $RUN
+  CASServer::Models::Base.establish_connection(CASServer::Conf.database)
+  if CASServer::Conf.db_log
+    CASServer::Models::Base.logger = Logger.new(CASServer::Conf.db_log[:file] || 'casserver_db.log')
+    CASServer::Models::Base.logger.level = "CASServer::Utils::Logger::#{CASServer::Conf.db_log[:level] || 'DEBUG'}".constantize
+  end
+
+  case CASServer::Conf.server
+  when "webrick", :webrick
+    require 'webrick/httpserver'
+    require 'webrick/https'
+    require 'camping/webrick'
+    
+    # TODO: verify the certificate's validity
+    # example of how to do this is here: http://pablotron.org/download/ruri-20050331.rb
+    
+    cert_path = CASServer::Conf.ssl_cert
+    key_path = CASServer::Conf.ssl_key || CASServer::Conf.ssl_cert
+      # look for the key in the ssl_cert if no ssl_key is specified
+    
+    raise "'#{cert_path}' is not a valid ssl certificate. Your 'ssl_cert' configuration" +
+      " setting must be a path to a valid ssl certificate file." unless
+        File.exists? cert_path
+    
+    raise "'#{key_path}' is not a valid ssl private key. Your 'ssl_key' configuration" +
+      " setting must be a path to a valid ssl private key file." unless
+        File.exists? key_path
+    
+    cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
+    key = OpenSSL::PKey::RSA.new(File.read(key_path))
+    
+    begin
+      s = WEBrick::HTTPServer.new(
+        :BindAddress => "0.0.0.0",
+        :Port => CASServer::Conf.port,
+        :SSLEnable => true,
+        :SSLVerifyClient => ::OpenSSL::SSL::VERIFY_NONE,
+        :SSLCertificate => cert,
+        :SSLPrivateKey => key
+      )
+    rescue Errno::EACCES
+      puts "\nThe server could not launch. Are you running on a privileged port? (e.g. port 443) If so, you must run the server as root."
+      exit 2
+    end
+    
+    CASServer.create
+    s.mount "#{CASServer::Conf.uri_path}", WEBrick::CampingHandler, CASServer
+    
+    puts "\n** CASServer is running at http://localhost:#{CASServer::Conf.port}#{CASServer::Conf.uri_path} and logging to '#{CASServer::Conf.log[:file]}'\n\n"
+  
+    # This lets Ctrl+C shut down your server
+    trap(:INT) do
+      s.shutdown
+    end
+  
+    s.start
+    
+  when "mongrel", :mongrel
+    require 'rubygems'
+    require 'mongrel/camping'
+    
+    # camping has fixes for mongrel currently only availabe in SVN
+    # ... you can install camping from svn (1.5.180) by running: 
+    #     gem install camping --source code.whytheluckystiff.net
+    require_gem 'camping', '~> 1.5.180'
+    
+    CASServer.create
+  
+    begin
+      server = Mongrel::Camping::start("0.0.0.0",CASServer::Conf.port,"#{CASServer::Conf.uri_path}",CASServer)
+    rescue Errno::EACCES
+      puts "\nThe server could not launch. Are you running on a privileged port? (e.g. port 443) If so, you must run the server as root."
+      exit 2
+    end
+    
+    puts "\n** CASServer is running at http://localhost:#{CASServer::Conf.port}#{CASServer::Conf.uri_path} and logging to '#{CASServer::Conf.log[:file]}'"
+    server.run.join
+  
+  when "fastcgi", :fastcgi
+    require 'camping/fastcgi'
+    Dir.chdir('/srv/www/camping/casserver/')
+    
+    CASServer.create
+    Camping::FastCGI.start(CASServer)
+    
+  when "cgi", :cgi
+    CASServer.create
+    puts CASServer.run
+    
+  else
+    if CASServer::Conf.server
+      raise "The server setting '#{CASServer::Conf.server}' in your config.yml file is invalid."
+    else
+      raise "You must have a 'server' setting in your config.yml file. Please see the RubyCAS-Server documentation."
+    end
+  end
+end 

data/lib/casserver/authenticators/active_directory_ldap.rb

@@ -0,0 +1,8 @@
+require 'casserver/authenticators/ldap'
+
+class CASServer::Authenticators::ActiveDirectoryLDAP < CASServer::Authenticators::LDAP
+  protected
+  def default_username_attribute
+    "sAMAccountName"
+  end
+end

data/lib/casserver/authenticators/base.rb

@@ -0,0 +1,22 @@
+module CASServer
+  module Authenticators
+    class Base
+      attr_accessor :options
+    
+      def validate(credentials)
+        raise NotImplementedError, "This method must be implemented by a class extending #{self.class}"
+      end
+      
+      def configure(options)
+        raise ArgumentError, "options must be a HashWithIndifferentAccess" unless options.kind_of? HashWithIndifferentAccess
+        @options = options.dup
+      end
+      
+      protected
+      def read_standard_credentials(credentials)
+        @username = credentials[:username]
+        @password = credentials[:password]
+      end
+    end
+  end
+end

data/lib/casserver/authenticators/ldap.rb

@@ -0,0 +1,40 @@
+require 'casserver/authenticators/base'
+
+begin
+  require 'net/ldap'
+rescue LoadError
+  require 'rubygems'
+  require_gem 'ruby-net-ldap', '~> 0.0.4'
+  require 'net/ldap'
+end
+
+class CASServer::Authenticators::LDAP < CASServer::Authenticators::Base
+  def validate(credentials)
+    read_standard_credentials(credentials)
+    
+    raise "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
+    raise "Invalid authenticator configuration!" unless @options[:ldap]
+    raise "You must specify an ldap server in the configuration!" unless @options[:ldap][:server]
+    
+    ldap = Net::LDAP.new
+    ldap.host = @options[:ldap][:server]
+    ldap.port = @options[:ldap][:port] if   @options[:ldap][:port]
+    
+    if @options[:ldap][:auth_user]
+      raise "A password must be specified in the configuration for the authenticator user!" unless @options[:ldap][:auth_password]
+      ldap.authenticate(@options[:ldap][:auth_user], @options[:ldap][:auth_password])
+    end
+    
+    filter = "(#{@options[:ldap][:username_attribute] || default_username_attribute}=#{@username})"
+    filter += " & (#{@options[:ldap][:filter]})" if @options[:ldap][:filter]
+    
+    result = ldap.bind_as(:base => @options[:ldap][:base], :filter => filter, :password => @password)
+    
+    return result
+  end
+  
+  protected
+  def default_username_attribute
+    "uid"
+  end
+end

data/lib/casserver/authenticators/sql.rb

@@ -0,0 +1,37 @@
+require 'casserver/authenticators/base'
+
+begin
+  require 'active_record'
+rescue LoadError
+  require 'rubygems'
+  require 'active_record'
+end
+
+class CASServer::Authenticators::SQL < CASServer::Authenticators::Base
+
+  def validate(credentials)
+    read_standard_credentials(credentials)
+    
+    raise "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
+    raise "Invalid authenticator configuration!" unless @options[:database]
+    
+    CASUser.establish_connection @options[:database]
+    CASUser.set_table_name @options[:user_table] || "users"
+    
+    username_column = @options[:username_column] || 'username'
+    password_column = @options[:password_column] || 'password'
+    
+    results = CASUser.find(:all, :conditions => ["#{username_column} = ? AND #{password_column} = ?", @username, @password])
+    
+    if results.size > 0
+      $LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
+      return true
+    else
+      return false
+    end
+  end
+  
+  class CASUser < ActiveRecord::Base
+  end
+
+end