rubycas-server 0.1.0

data/lib/casserver/authenticators/test.rb

@@ -0,0 +1,8 @@
+require 'casserver/authenticators/base'
+
+class CASServer::Authenticators::Test < CASServer::Authenticators::Base
+  def validate(credentials)
+    read_standard_credentials(credentials)
+    return @username == "testuser" && @password == "testpassword"
+  end
+end

data/lib/casserver/cas.rb

@@ -0,0 +1,224 @@
+require 'uri'
+require 'net/https'
+
+# Encapsulates CAS functionality. This module is meant to be included in
+# the CASServer::Controllers module.
+module CASServer::CAS
+
+  include CASServer::Models
+
+  def generate_login_ticket
+    # 3.5 (login ticket)
+    lt = LoginTicket.new
+    lt.ticket = "LT-" + CASServer::Utils.random_string
+    lt.client_hostname = env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    lt.save!
+    $LOG.debug("Generated login ticket '#{lt.ticket}' for client" +
+      " at '#{lt.client_hostname}'")
+    lt
+  end
+  
+  def generate_ticket_granting_ticket(username)
+    # 3.6 (ticket granting cookie/ticket)
+    tgt = TicketGrantingTicket.new
+    tgt.ticket = "TGC-" + CASServer::Utils.random_string
+    tgt.username = username
+    tgt.client_hostname = env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    tgt.save!
+    $LOG.debug("Generated ticket granting ticket '#{tgt.ticket}' for user" +
+      " '#{tgt.username}' at '#{tgt.client_hostname}'")
+    tgt
+  end
+  
+  def generate_service_ticket(service, username)
+    # 3.1 (service ticket)
+    st = ServiceTicket.new
+    st.ticket = "ST-" + CASServer::Utils.random_string
+    st.service = service
+    st.username = username
+    st.client_hostname = env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    st.save!
+    $LOG.debug("Generated service ticket '#{st.ticket}' for service '#{st.service}'" +
+      " for user '#{st.username}' at '#{st.client_hostname}'")
+    st
+  end
+  
+  def generate_proxy_ticket(target_service, pgt)
+    # 3.2 (proxy ticket)
+    pt = ProxyTicket.new
+    pt.ticket = "PT-" + CASServer::Utils.random_string
+    pt.service = target_service
+    pt.username = pgt.service_ticket.username
+    pt.proxy_granting_ticket_id = pgt.id
+    pt.client_hostname = env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    pt.save!
+    $LOG.debug("Generated proxy ticket '#{pt.ticket}' for target service '#{pt.service}'" +
+      " for user '#{pt.username}' at '#{pt.client_hostname}' using proxy-granting" +
+      " ticket '#{pgt.ticket}'")
+    pt
+  end
+  
+  def generate_proxy_granting_ticket(pgt_url, st)
+    uri = URI.parse(pgt_url)
+    https = Net::HTTP.new(uri.host,uri.port)
+    https.use_ssl = true
+    
+    # Here's what's going on here:
+    # 
+    #   1. We generate a ProxyGrantingTicket (but don't store it in the database just yet)
+    #   2. Deposit the PGT and it's associated IOU at the proxy callback URL.
+    #   3. If the proxy callback URL responds with HTTP code 200, store the PGT and return it;
+    #      otherwise don't save it and return nothing.
+    #      
+    https.start do |conn|
+      path = uri.path.empty? ? '/' : uri.path
+      
+      pgt = ProxyGrantingTicket.new
+      pgt.ticket = "PGT-" + CASServer::Utils.random_string
+      pgt.iou = "PGTIOU-" + CASServer::Utils.random_string
+      pgt.service_ticket_id = st.id
+      pgt.client_hostname = env['REMOTE_HOST'] || env['REMOTE_ADDR']
+      
+      # FIXME: The CAS protocol spec says to use 'pgt' as the parameter, but in practice
+      #         the JA-SIG and Yale server implementations use pgtId. We'll go with the
+      #         in-practice standard.
+      path += (uri.query.nil? || uri.query.empty? ? '?' : '&') + "pgtId=#{pgt.ticket}&pgtIou=#{pgt.iou}"
+      
+      response = conn.request_get(path)
+      # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
+      
+      if response.code.to_i == 200
+        # 3.4 (proxy-granting ticket IOU)
+        pgt.save!
+        $LOG.debug "PGT generated for pgt_url '#{pgt_url}'. PGT is: '#{pgt.ticket}', PGT-IOU is: '#{pgt.iou}'"
+        pgt
+      else
+        $LOG.warn "PGT callback server responded with a bad result code '#{response.code}'. PGT will not be stored."
+      end
+    end
+  end
+  
+  def validate_login_ticket(ticket)
+    $LOG.debug("Validating login ticket '#{ticket}'")
+  
+    success = false
+    if ticket.nil?
+      error = "Your login request did not include a login ticket."
+      $LOG.warn("Missing login ticket.")
+    elsif lt = LoginTicket.find_by_ticket(ticket)
+      if lt.consumed?
+        error = "The login ticket you provided has already been used up."
+        $LOG.warn("Login ticket '#{ticket}' previously used up")
+      elsif Time.now - lt.created_on < CASServer::Conf.login_ticket_expiry
+        $LOG.info("Login ticket '#{ticket}' successfully validated")
+      else
+        error = "Your login ticket  has expired."
+        $LOG.warn("Expired login ticket '#{ticket}'")
+      end
+    else
+      error = "The login ticket you provided is invalid."
+      $LOG.warn("Invalid login ticket '#{ticket}'")
+    end
+    
+    lt.consume! if lt
+    
+    error
+  end
+  
+  def validate_ticket_granting_ticket(ticket)
+    $LOG.debug("Validating ticket granting ticket '#{ticket}'")
+  
+    if ticket.nil?
+      error = "No ticket granting ticket given."
+      $LOG.debug(error)
+    elsif tgt = TicketGrantingTicket.find_by_ticket(ticket)
+      $LOG.info("Ticket granting ticket '#{ticket}' for user '#{tgt.username}' successfully validated.")
+    else
+      error = "Invalid ticket granting ticket '#{ticket}' (no matching ticket found in the database)."
+      $LOG.warn(error)
+    end
+    
+    [tgt, error]
+  end
+
+  def validate_service_ticket(service, ticket, allow_proxy_tickets = false)
+    $LOG.debug("Validating service/proxy ticket '#{ticket}' for service '#{service}'")
+  
+    if service.nil? or ticket.nil?
+      error = Error.new("INVALID_REQUEST", "Ticket or service parameter was missing in the request.")
+      $LOG.warn("#{error.code} - #{error.message}")
+    elsif st = ServiceTicket.find_by_ticket(ticket)
+      if st.consumed?
+        error = Error.new("INVALID_TICKET", "Ticket '#{ticket}' has already been used up.")
+        $LOG.warn("#{error.code} - #{error.message}")
+      elsif st.kind_of?(CASServer::Models::ProxyTicket) && !allow_proxy_tickets
+        error = Error.new("INVALID_TICKET", "Ticket '#{ticket}' is a proxy ticket, but only service tickets are allowed here.")
+        $LOG.warn("#{error.code} - #{error.message}")
+      elsif Time.now - st.created_on > CASServer::Conf.service_ticket_expiry
+        error = Error.new("INVALID_TICKET", "Ticket '#{ticket}' has expired.")
+        $LOG.warn("Ticket '#{ticket}' has expired.")
+      elsif st.service == service
+        $LOG.info("Ticket '#{ticket}' for service '#{service}' for user '#{st.username}' successfully validated.")
+      else
+        error = Error.new("INVALID_SERVICE", "The ticket '#{ticket}' belonging to user '#{st.username}' is valid,"+
+          " but the requested service '#{service}' does not match the service '#{st.service}' associated with this ticket.")
+        $LOG.warn("#{error.code} - #{error.message}")
+      end
+    else
+      error = Error.new("INVALID_TICKET", "Ticket '#{ticket}' not recognized.")
+      $LOG.warn("#{error.code} - #{error.message}")
+    end
+    
+    if st
+      st.consume!
+    end
+    
+    
+    [st, error]
+  end
+  
+  def validate_proxy_ticket(service, ticket)
+    pt, error = validate_service_ticket(service, ticket, true)
+    
+    if pt.kind_of?(CASServer::Models::ProxyTicket) && !error
+      if not pt.proxy_granting_ticket
+        error = Error.new("INTERNAL_ERROR", "Proxy ticket '#{pt}' belonging to user '#{pt.username}' is not associated with a proxy granting ticket.")
+      elsif not pt.proxy_granting_ticket.service_ticket
+        error = Error.new("INTERNAL_ERROR", "Proxy granting ticket '#{pt.proxy_granting_ticket}'"+
+          " (associated with proxy ticket '#{pt}' and belonging to user '#{pt.username}' is not associated with a service ticket.")
+      end
+    end
+    
+    [pt, error]
+  end
+  
+  def validate_proxy_granting_ticket(ticket)
+    if ticket.nil?
+      error = Error.new("INVALID_REQUEST", "pgt parameter was missing in the request.")
+      $LOG.warn("#{error.code} - #{error.message}")
+    elsif pgt = ProxyGrantingTicket.find_by_ticket(ticket)
+      if pgt.service_ticket
+        $LOG.info("Proxy granting ticket '#{ticket}' belonging to user '#{pgt.service_ticket.username}' successfully validated.")
+      else
+        error = Error.new("INTERNAL_ERROR", "Proxy granting ticket '#{ticket}' is not associated with a service ticket.")
+        $LOG.error("#{error.code} - #{error.message}")
+      end
+    else
+      error = Error.new("BAD_PGT", "Invalid proxy granting ticket '#{ticket}' (no matching ticket found in the database).")
+      $LOG.warn("#{error.code} - #{error.message}")
+    end
+    
+    [pgt, error]
+  end
+  
+  def service_uri_with_ticket(service, st)
+    raise ArgumentError, "Second argument must be a ServiceTicket!" unless st.kind_of? CASServer::Models::ServiceTicket
+    
+    service_uri = URI.parse(service)
+    query_separator = service_uri.query ? "&" : "?"
+    
+    service_with_ticket = service + query_separator + "ticket=" + st.ticket
+    service_with_ticket
+  end
+  
+end

data/lib/casserver/conf.rb

@@ -0,0 +1,78 @@
+# load configuration
+begin  
+  conf_file = etc_conf = "/etc/rubycas-server/config.yml"
+  unless File.exists? conf_file 
+    # can use local config.yml file in case we're running non-gem installation
+    conf_file = File.dirname(File.expand_path(__FILE__))+"/../../config.yml"
+  end
+
+  unless File.exists? conf_file  
+    require 'fileutils'
+    
+    example_conf_file = File.expand_path(File.dirname(File.expand_path(__FILE__))+"/../../config.example.yml")
+    puts "\nCAS SERVER NOT YET CONFIGURED!!!\n"
+    puts "\nAttempting to copy sample configuration from '#{example_conf_file}' to '#{etc_conf}'...\n"
+    
+    begin
+      FileUtils.mkdir("/etc/rubycas-server") unless File.exists? "/etc/rubycas-server"
+      FileUtils.cp(example_conf_file, etc_conf)
+    rescue Errno::EACCES
+      puts "\nIt appears that you do not have permissions to create the '#{etc_conf}' file. Try running this command using sudo (as root).\n"
+      exit 2
+    rescue
+      puts "\nFor some reason the '#{etc_conf}' file could not be created. You'll have to copy the file manually." +
+        " Use '#{example_conf_file}' as a template.\n"  
+      exit 2
+    end
+    
+    puts "\nA sample configuration has been created for you in '#{etc_conf}'. Please edit this file to" +
+      " suit your needs and then run rubycas-server again.\n"
+    exit 1
+  end
+  
+  
+  loaded_conf = HashWithIndifferentAccess.new(YAML.load_file(conf_file))
+  
+  if $CONF
+    $CONF = loaded_conf.merge $CONF
+  else
+    $CONF = loaded_conf
+  end
+  
+  begin
+    # attempt to instantiate the authenticator
+    $AUTH = $CONF[:authenticator][:class].constantize.new
+  rescue NameError
+    # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
+    auth_rb = $CONF[:authenticator][:class].underscore.gsub('cas_server/', '')
+    require 'casserver/'+auth_rb
+    $AUTH = $CONF[:authenticator][:class].constantize.new
+  end
+rescue
+    raise "Your RubyCAS-Server configuration may be invalid."+
+      " Please double-check check your config.yml file."+
+      " Make sure that you are using spaces instead of tabs for your indentation!!" +
+      "\n\nUNDERLYING EXCEPTION:\n#{$!}"
+end
+
+module CASServer
+  module Conf
+    DEFAULTS = {
+      :login_ticket_expiry => 5.minutes,
+      :service_ticket_expiry => 5.minutes, # CAS Protocol Spec, sec. 3.2.1 (recommended expiry time)
+      :proxy_granting_ticket_expiry => 48.hours,
+      :ticket_granting_ticket_expiry => 48.hours,
+      :log => {:file => 'casserver.log', :level => 'DEBUG'},
+      :uri_path => "/"
+    }
+  
+    def [](key)
+      $CONF[key] || DEFAULTS[key]
+    end
+    module_function "[]".intern
+    
+    def self.method_missing(method, *args)
+      self[method]
+    end
+  end
+end

data/lib/casserver/controllers.rb

@@ -0,0 +1,253 @@
+# The #.#.# comments (e.g. "2.1.3") refer to section numbers in the CAS protocol spec
+# under http://www.ja-sig.org/products/cas/overview/protocol/index.html
+
+module CASServer::Controllers
+
+  # 2.1
+  class Login < R '/', '/login'
+    include CASServer::CAS
+    
+    # 2.1.1
+    def get
+      # make sure there's no caching
+      headers['Pragma'] = 'no-cache'
+      headers['Cache-Control'] = 'no-store'
+      headers['Expires'] = (Time.now - 1.year).rfc2822
+      
+      # optional params
+      @service = @input['service']
+      @renew = @input['renew']
+      @gateway = @input['gateway']
+      
+      if @service && !@renew && tgc = @cookies[:tgt]
+        tgt, error = validate_ticket_granting_ticket(tgc)
+        if tgt && !error
+          st = generate_service_ticket(@service, tgt.username)
+          service_with_ticket = service_uri_with_ticket(@service, st)
+          $LOG.info("User '#{tgt.username}' authenticated based on ticket granting cookie. Redirecting to service '#{@service}'.")
+          return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
+        end
+      end
+      
+      lt = generate_login_ticket
+      
+      $LOG.debug("Rendering login form with lt: #{lt}, service: #{@service}, renew: #{@renew}, gateway: #{@gateway}")
+      
+      @lt = lt.ticket
+      
+      render :login
+    end
+    
+    # 2.2
+    def post
+      # 2.2.1 (optional)
+      @service = @input['service']
+      @warn = @input['warn']
+      
+      # 2.2.2 (required)
+      @username = @input['username']
+      @password = @input['password']
+      @lt = @input['lt']
+      
+      if error = validate_login_ticket(@lt)
+        @message = {:type => 'mistake', :message => error}
+        return render(:login)
+      end
+      
+      # generate another login ticket to allow for re-submitting the form after a post
+      @lt = generate_login_ticket.ticket
+      
+      $AUTH.configure(CASServer::Conf.authenticator)
+      
+      $LOG.debug("Logging in with username: #{@username}, lt: #{@lt}, service: #{@service}, auth: #{$AUTH}")
+      
+      if $AUTH.validate(:username => @username, :password => @password)
+        $LOG.info("Credentials for username '#{@username}' successfully validated")
+        
+        # 3.6 (ticket-granting cookie)
+        tgt = generate_ticket_granting_ticket(@username)
+        @cookies[:tgt] = tgt.to_s
+        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt]}' granted to '#{@username}'")
+                
+        if @service.blank?
+          $LOG.info("Successfully authenticated user '#{@username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
+          @message = {:type => 'confirmation', :message => "You have successfully logged in."}
+          render :login
+        else
+          @st = generate_service_ticket(@service, @username)        
+          service_with_ticket = service_uri_with_ticket(@service, @st)
+        
+          $LOG.info("Redirecting authenticated user '#{@username}' at '#{@st.client_hostname}' to service '#{@service}'")
+          return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
+        end
+      else
+        $LOG.warn("Invalid credentials given for user '#{@username}'")
+        @message = {:type => 'mistake', :message => "Incorrect username or password."}
+        render :login
+      end
+    end
+  end
+  
+  # 2.3
+  class Logout < R '/logout'
+    include CASServer::CAS
+    
+    # 2.3.1
+    def get
+      # The behaviour here is somewhat non-standard. Rather than showing just a blank
+      # "logout" page, we take the user back to the login page with a "you have been logged out"
+      # message, allowing for an opportunity to immediately log back in. This makes
+      # switching users a lot smoother.
+      @service = @input['url'] || @input['service']
+      # TODO: display service name in view as per 2.3.2
+      
+      tgt = CASServer::Models::TicketGrantingTicket.find_by_ticket(@cookies[:tgt])
+      
+      @cookies.delete :tgt
+      
+      if tgt
+        pgts = CASServer::Models::ProxyGrantingTicket.find(:all, ["username = ?", tgt.username])
+        pgts.each do |pgt|
+          pgt.destroy
+          $LOG.debug("Deleting Proxy-Granting Ticket '#{pgt}' for user '#{tgt.username}'")
+        end
+        
+        $LOG.debug("Deleting Ticket-Granting Ticket '#{tgt}' for user '#{tgt.username}'")
+        
+        $LOG.info("User '#{tgt.username}' logged out.")
+      else
+        $LOG.warn("User tried to log out without a valid ticket-granting ticket.")
+      end
+      
+      @message = {:type => 'confirmation', :message => "You have successfully logged out."}
+      
+      @lt = generate_login_ticket
+      
+      render :login
+    end
+  end
+
+  # 2.4
+  class Validate < R '/validate'
+    include CASServer::CAS
+  
+    # 2.4.1
+    def get
+      # required
+      @service = @input['service']
+      @ticket = @input['ticket']
+      # optional
+      @renew = @input['renew']
+      
+      st, @error = validate_service_ticket(@service, @ticket)      
+      @success = st && !@error
+      
+      @username = st.username if @success
+      
+      render :validate
+    end
+  end
+  
+  # 2.5
+  class ServiceValidate < R '/serviceValidate'
+    include CASServer::CAS
+  
+    # 2.5.1
+    def get
+      # required
+      @service = @input['service']
+      @ticket = @input['ticket']
+      # optional
+      @pgt_url = @input['pgtUrl']
+      @renew = @input['renew']
+      
+      st, @error = validate_service_ticket(@service, @ticket)      
+      @success = st && !@error
+      
+      if @success
+        @username = st.username  
+        if @pgt_url
+          pgt = generate_proxy_granting_ticket(@pgt_url, st)
+          @pgtiou = pgt.iou if pgt
+        end
+      end
+      
+      render :service_validate
+    end
+  end
+  
+  # 2.6
+  class ProxyValidate < R '/proxyValidate'
+    include CASServer::CAS
+  
+    # 2.6.1
+    def get
+      # required
+      @service = @input['service']
+      @ticket = @input['ticket']
+      # optional
+      @pgt_url = @input['pgtUrl']
+      @renew = @input['renew']
+      
+      @proxies = []
+      
+      t, @error = validate_proxy_ticket(@service, @ticket)      
+      @success = t && !@error
+      
+      if @success
+        
+      end
+      
+      if @success
+        @username = t.username
+        
+        if t.kind_of? CASServer::Models::ProxyTicket
+          @proxies << t.proxy_granting_ticket.service_ticket.service
+        end
+          
+        if @pgt_url
+          pgt = generate_proxy_granting_ticket(@pgt_url, t)
+          @pgtiou = pgt.iou if pgt
+        end
+      end
+
+     render :proxy_validate
+    end
+  end
+  
+  class Proxy < R '/proxy'
+    include CASServer::CAS
+  
+    # 2.7
+    def get
+      # required
+      @ticket = @input['pgt']
+      @target_service = @input['targetService']
+      
+      pgt, @error = validate_proxy_granting_ticket(@ticket)
+      @success = pgt && !@error
+      
+      if @success
+        @pt = generate_proxy_ticket(@target_service, pgt)
+      end
+      
+      render :proxy
+    end
+  end
+  
+  class Themes < R '/themes/(.+)'         
+    MIME_TYPES = {'.css' => 'text/css', '.js' => 'text/javascript', 
+                  '.jpg' => 'image/jpeg'}
+    PATH = CASServer::Conf.themes_dir || File.expand_path(File.dirname(__FILE__))+'/../themes'
+
+    def get(path)
+      @headers['Content-Type'] = MIME_TYPES[path[/\.\w+$/, 0]] || "text/plain"
+      unless path.include? ".." # prevent directory traversal attacks
+        @headers['X-Sendfile'] = "#{PATH}/#{path}"
+      else
+        @status = "403"
+        "403 - Invalid path"
+      end
+    end
+  end
+end