rubycas-server 0.5.1 → 0.6.0

data/lib/casserver.rb

@@ -1,77 +1,105 @@
-#!/usr/bin/env ruby
+$: << File.dirname(File.expand_path(__FILE__))
+require 'casserver/environment'
 
-# change to current directory when invoked on its own
-Dir.chdir(File.dirname(File.expand_path(__FILE__))) if __FILE__ == $0
-
-# add current directory to load path
-$CASSERVER_HOME = File.dirname(File.expand_path(__FILE__))
-$: << $CASSERVER_HOME
-
-require 'rubygems'
-
-# make things backwards-compatible for rubygems < 0.9.0
-unless Object.method_defined? :gem
-  alias gem require_gem
-end
+$APP_PATH ||= File.dirname(File.expand_path(__FILE__))
 
+# change to current directory when invoked on its own
+Dir.chdir($APP_PATH) if __FILE__ == $0
 
-#gem 'camping', '~> 1.5.180'
-$: << $CASSERVER_HOME + "/../vendor/camping-1.5.180/lib"
-require 'camping'
-
-$: << $CASSERVER_HOME + "/../vendor/isaac_0.9.1"
+$: << $APP_PATH + "/../vendor/isaac_0.9.1"
 require 'crypt/ISAAC'
 
 require 'active_support'
 require 'yaml'
 
-# enable xhtml source code indentation for debugging views
-#Markaby::Builder.set(:indent, 2)
-
 
 # Camping.goes must be called after the authenticator class is loaded, otherwise weird things happen
 Camping.goes :CASServer
 
-module CASServer
-  def init_logger
-    $LOG = CASServer::Utils::Logger.new(CASServer::Conf.log[:file])
-    $LOG.level = "CASServer::Utils::Logger::#{CASServer::Conf.log[:level]}".constantize
-  end
-  module_function :init_logger
-
-  def init_db_logger
-    begin
-      if CASServer::Conf.db_log
-        log_file = CASServer::Conf.db_log[:file] || 'casserver_db.log'
-        CASServer::Models::Base.logger = Logger.new(log_file)
-        CASServer::Models::Base.logger.level = "CASServer::Utils::Logger::#{CASServer::Conf.db_log[:level] || 'DEBUG'}".constantize
-      end
-    rescue Errno::EACCES => e
-      $LOG.warn "Can't write to database log file at '#{log_file}': #{e}"
-    end
-  end
-  module_function :init_db_logger
+$CONFIG_FILE ||= '/etc/rubycas-server/config.yml'
 
+# for some reason this makes JRuby happy
+class CASServer::Models::Base
+end
+
+CASServer.picnic!
+
+$CONF[:expire_sessions] ||= false
+$CONF[:login_ticket_expiry] ||= 5.minutes
+$CONF[:service_ticket_expiry] ||= 5.minutes # CAS Protocol Spec, sec. 3.2.1 (recommended expiry time)
+$CONF[:proxy_granting_ticket_expiry] ||= 48.hours
+$CONF[:ticket_granting_ticket_expiry] ||= 48.hours
+$CONF[:log] ||= {:file => 'casserver.log', :level => 'DEBUG'}
+$CONF[:uri_path] ||= "/"
+
+unless $CONF[:authenticator]
+  $stderr.puts
+  $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+  $stderr.puts
+  $stderr.puts "You have not yet defined an authenticator for your CAS server!"
+  $stderr.puts "Please consult your config file at #{$CONFIG_FILE.inspect} for details."
+  $stderr.puts
+  $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+  exit 1
 end
 
 require 'casserver/utils'
 require 'casserver/models'
 require 'casserver/cas'
-require 'casserver/conf'
 require 'casserver/views'
 require 'casserver/controllers'
 
-CASServer.init_logger
+if $CONF[:authenticator].instance_of? Array
+  $CONF[:authenticator].each_index do |auth_index| 
+    $CONF[:authenticator][auth_index] = HashWithIndifferentAccess.new($CONF[:authenticator][auth_index])
+  end
+end
+
+$AUTH = []
+begin
+  # attempt to instantiate the authenticator
+  if $CONF[:authenticator].instance_of? Array
+    $CONF[:authenticator].each { |authenticator| $AUTH << authenticator[:class].constantize.new}
+  else
+    $AUTH << $CONF[:authenticator][:class].constantize.new
+  end
+rescue NameError
+  if $CONF[:authenticator].instance_of? Array
+    $CONF[:authenticator].each do |authenticator|
+      if !authenticator[:source].nil?
+        # config.yml explicitly names source file
+        require authenticator[:source]
+      else
+        # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
+        auth_rb = authenticator[:class].underscore.gsub('cas_server/', '')
+        require 'casserver/'+auth_rb
+      end
+      $AUTH << authenticator[:class].constantize.new
+    end
+  else
+    if !$CONF[:authenticator][:source].nil?
+      # config.yml explicitly names source file
+      require $CONF[:authenticator][:source]
+    else
+      # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
+      auth_rb = $CONF[:authenticator][:class].underscore.gsub('cas_server/', '')
+      require 'casserver/'+auth_rb
+    end
+
+    $AUTH << $CONF[:authenticator][:class].constantize.new
+  end
+end
+
+$CONF[:public_dir] = {
+  :path => "/themes",
+  :dir  => File.expand_path(File.dirname(__FILE__))+"/themes"
+}
 
-# do initialization stuff
 def CASServer.create
+  $LOG.info "Creating RubyCAS-Server..."
+  CASServer::Models::Base.establish_connection(CASServer::Conf.database)
   CASServer::Models.create_schema
   
-  $LOG.info("RubyCAS-Server #{CASServer::VERSION::STRING} initialized.")
-  
-  $LOG.debug("Configuration is:\n#{$CONF.to_yaml}")
-  $LOG.debug("Authenticator is: #{$AUTH}")
-  
   CASServer::Models::ServiceTicket.cleanup_expired(CASServer::Conf.service_ticket_expiry)
   CASServer::Models::LoginTicket.cleanup_expired(CASServer::Conf.login_ticket_expiry)
   CASServer::Models::ProxyGrantingTicket.cleanup_expired(CASServer::Conf.proxy_granting_ticket_expiry)
@@ -79,34 +107,4 @@ def CASServer.create
 end
 
 
-# this gets run if we launch directly (i.e. `ruby casserver.rb` rather than `camping casserver`)
-if __FILE__ == $0 || $RUN
-  CASServer::Models::Base.establish_connection(CASServer::Conf.database)
-  CASServer.init_db_logger unless CASServer::Conf.server.to_s == 'mongrel'
-  
-  require 'casserver/postambles'
-  include CASServer::Postambles
-
-  if $PID_FILE && (CASServer::Conf.server.to_s != 'mongrel' || CASServer::Conf.server.to_s != 'webrick')
-    $LOG.warn("Unable to create a pid file. You must use mongrel or webrick for this feature.")
-  end
-
-  require 'casserver/version'
-  puts
-  puts "*** Starting RubyCAS-Server #{CASServer::VERSION::STRING} using codebase at #{$CASSERVER_HOME}"
-
-
-  begin
-    raise NoMethodError if CASServer::Conf.server.nil?
-    send(CASServer::Conf.server)
-  rescue NoMethodError
-    # FIXME: this rescue can sometime report the incorrect error messages due to other underlying problems
-    #         raising a NoMethodError
-    if CASServer::Conf.server
-      raise "The server setting '#{CASServer::Conf.server}' in your config.yml file is invalid."
-    else
-      raise "You must have a 'server' setting in your config.yml file. Please see the RubyCAS-Server documentation."
-    end
-  end
-
-end 
+CASServer.start_picnic

data/lib/casserver/authenticators/active_directory_ldap.rb

@@ -1,5 +1,8 @@
 require 'casserver/authenticators/ldap'
 
+# Slightly modified version of the LDAP authenticator for Microsoft's ActiveDirectory.
+# The only difference is that the default_username_attribute for AD is 'sAMAccountName'
+# rather than 'uid'.
 class CASServer::Authenticators::ActiveDirectoryLDAP < CASServer::Authenticators::LDAP
   protected
   def default_username_attribute

data/lib/casserver/authenticators/ldap.rb

@@ -4,10 +4,23 @@ begin
   require 'net/ldap'
 rescue LoadError
   require 'rubygems'
-  gem 'ruby-net-ldap', '~> 0.0.4'
+  begin
+    gem 'ruby-net-ldap', '~> 0.0.4'
+  rescue Gem::LoadError
+    $stderr.puts
+    $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+    $stderr.puts
+    $stderr.puts "To use the LDAP/AD authenticator, you must first install the 'ruby-net-ldap' gem."
+    $stderr.puts
+    $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+    exit 1
+  end
   require 'net/ldap'
 end
 
+# Basic LDAP authenticator. Should be compatible with OpenLDAP and other similar LDAP servers,
+# although it hasn't been officially tested. See example config file for details on how
+# to configure it.
 class CASServer::Authenticators::LDAP < CASServer::Authenticators::Base
   def validate(credentials)
     read_standard_credentials(credentials)

data/lib/casserver/authenticators/sql_encrypted.rb

@@ -0,0 +1,75 @@
+require 'casserver/authenticators/base'
+
+require 'digest/sha1'
+require 'digest/sha2'
+
+$: << File.dirname(File.expand_path(__FILE__)) + "/../../../vendor/isaac_0.9.1"
+require 'crypt/ISAAC'
+
+begin
+  require 'active_record'
+rescue LoadError
+  require 'rubygems'
+  require 'active_record'
+end
+
+# This is a more secure version of the SQL authenticator. Passwords are encrypted 
+# rather than being stored in plain text.
+#
+# Based on code contributed by Ben Mabey.
+#
+# Using this authenticator requires some configuration on the client side. Please see
+# http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
+class CASServer::Authenticators::SQLEncrypted < CASServer::Authenticators::Base
+
+  def validate(credentials)
+    read_standard_credentials(credentials)
+    
+    raise CASServer::AuthenticatorError, "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
+    raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless @options[:database]
+    
+    CASUser.establish_connection @options[:database]
+    CASUser.set_table_name @options[:user_table] || "users"
+    
+    username_column = @options[:username_column] || "username"
+    
+    results = CASUser.find(:all, :conditions => ["#{username_column} = ?", @username])
+    
+    if results.size > 0
+      $LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
+      user = results.first
+      return user.encrypted_password == user.encrypt(@password)
+    else
+      return false
+    end
+  end
+  
+  # Include this module into your application's user model. 
+  #
+  # Your model must have an 'encrypted_password' column where the password will be stored,
+  # and an 'encryption_salt' column that will be populated with a random string before
+  # the user record is first created.
+  module EncryptedPassword
+    def self.included(mod)
+      raise "#{self} should be inclued in an ActiveRecord class!" unless mod.respond_to?(:before_save)
+      mod.before_save :generate_encryption_salt
+    end
+    
+    def encrypt(str)
+      Digest::SHA256.hexdigest("#{encryption_salt}::#{str}")
+    end
+    
+    def password=(password)
+      self[:encrypted_password] = encrypt(password)
+    end
+    
+    def generate_encryption_salt
+      self.encryption_salt = Digest::SHA1.hexdigest(Crypt::ISAAC.new.rand(2**31).to_s) unless
+        encryption_salt
+    end
+  end
+  
+  class CASUser < ActiveRecord::Base
+    include EncryptedPassword
+  end
+end

data/lib/casserver/controllers.rb

@@ -55,7 +55,7 @@ module CASServer::Controllers
       
       @lt = lt.ticket
       
-      $LOG.debug(env)
+      #$LOG.debug(env)
       
       # If the 'onlyLoginForm' parameter is specified, we will only return the 
       # login form part of the page. This is useful for when you want to
@@ -95,10 +95,19 @@ module CASServer::Controllers
       @password = @input['password']
       @lt = @input['lt']
       
+      # Remove leading and trailing widespace from username.
+      @username.strip! if @username
+      
+      if @username && $CONF[:downcase_username]
+        $LOG.debug("Converting username #{@username.inspect} to lowercase because 'downcase_username' option is enabled.")
+        @username.downcase!
+      end
+      
       if error = validate_login_ticket(@lt)
         @message = {:type => 'mistake', :message => error}
         # generate another login ticket to allow for re-submitting the form
         @lt = generate_login_ticket.ticket
+        @status = 401
         return render(:login)
       end
       
@@ -162,6 +171,7 @@ module CASServer::Controllers
       else
         $LOG.warn("Invalid credentials given for user '#{@username}'")
         @message = {:type => 'mistake', :message => "Incorrect username or password."}
+        @status = 401
       end
       
       render :login
@@ -180,8 +190,8 @@ module CASServer::Controllers
       # "logout" page, we take the user back to the login page with a "you have been logged out"
       # message, allowing for an opportunity to immediately log back in. This makes it
       # easier for the user to log out and log in as someone else.
-      @service = @input['url'] || @input['service']
-      # TODO: display service name in view as per 2.3.2
+      @service = @input['service'] || @input['destination']
+      @continue_url = @input['url']
       
       @gateway = @input['gateway'] == 'true' || @input['gateway'] == '1'
       
@@ -208,10 +218,15 @@ module CASServer::Controllers
       
       @message = {:type => 'confirmation', :message => "You have successfully logged out."}
       
+      @message[:message] << 
+        " Please click on the following link to continue:" if @continue_url
+      
       @lt = generate_login_ticket
       
       if @gateway && @service
         redirect(@service, :status => 303)
+      elsif @continue_url
+        render :logout
       else
         render :login
       end
@@ -291,10 +306,6 @@ module CASServer::Controllers
       t, @error = validate_proxy_ticket(@service, @ticket)      
       @success = t && !@error
       
-      if @success
-        
-      end
-      
       if @success
         @username = t.username
         
@@ -355,7 +366,7 @@ module CASServer::Controllers
       CASServer::Utils::log_controller_action(self.class, @input)
       lt = generate_login_ticket
       
-      $LOG.debug("Generated login ticket: #{lt}, host: #{env['REMOTE_HOST'] || env['REMOTE_ADDR']}")
+      $LOG.debug("Dispensing login ticket #{lt} to host #{(env['REMOTE_HOST'] || env['REMOTE_ADDR']).inspect}")
       
       @lt = lt.ticket
       

data/lib/casserver/environment.rb

@@ -0,0 +1,23 @@
+$: << File.dirname(File.expand_path(__FILE__))
+
+# Try to load local version of Picnic if possible (for development purposes)
+$: << File.dirname(File.expand_path(__FILE__))+"/../../../picnic/lib"
+$: << File.dirname(File.expand_path(__FILE__))+"/../../vendor/picnic/lib"
+
+begin
+  require 'picnic'
+rescue LoadError => e
+  # make sure that the LoadError was about picnic and not something else
+  raise e unless e.to_s =~ /picnic/
+  
+  require 'rubygems'
+  
+  # make things backwards-compatible for rubygems < 0.9.0
+  unless Object.method_defined? :gem
+    alias gem require_gem
+  end
+  
+  gem 'picnic'
+  
+  require 'picnic'
+end

data/lib/casserver/models.rb

@@ -10,22 +10,19 @@ module CASServer::Models
   end
   
   class Ticket < Base
-    self.abstract_class = true
     def to_s
       ticket
     end
     
     def self.cleanup_expired(expiry_time)
       transaction do
-        expired_tickets = find(:all, 
-          :conditions => ["created_on < ?", Time.now - expiry_time])
+        conditions = ["created_on < ?", Time.now - expiry_time]
+        expired_tickets_count = count(:conditions => conditions)
           
-        $LOG.debug("Destroying #{expired_tickets.size} expired #{self}"+
-          "#{'s' if expired_tickets.size > 1}.") if expired_tickets.size > 0
+        $LOG.debug("Destroying #{expired_tickets_count} expired #{self.name.split('::').last}"+
+          "#{'s' if expired_tickets_count > 1}.") if expired_tickets_count > 0
       
-        expired_tickets.each do |t|
-          t.destroy
-        end
+        destroy_all(conditions)
       end
     end
   end
@@ -40,10 +37,16 @@ module CASServer::Models
     include Consumable
     
     def matches_service?(service)
-      # We ignore the trailing slash in URLs, since 
+      # Remove CAS-related parameters from the service URL, since they really shoudln't
+      # be there (some misbehaving clients include them in the service URL).
+      ['service', 'ticket', 'gateway', 'renew'].each do |p|
+        service.gsub!(Regexp.new("#{p}=[^&]*"), '')
+      end
+      
+      # We ignore the trailing slash and ? in URLs, since 
       # "http://www.google.com/" and "http://www.google.com" are almost
       # certainly the same service.
-      self.service.gsub(/\/$/, '') == service.gsub(/\/$/, '')
+      self.service.gsub(/[\/\?]$/, '') == service.gsub(/[\/\?]$/, '')
     end
   end
   
@@ -76,45 +79,51 @@ module CASServer::Models
 
   class CreateCASServer < V 0.1
     def self.up
-      $LOG.info("Migrating database")
-      
-      create_table :casserver_login_tickets, :force => true do |t|
-        t.column :ticket,     :string,   :null => false
-        t.column :created_on, :timestamp, :null => false
-        t.column :consumed,   :datetime, :null => true
-        t.column :client_hostname, :string, :null => false
-      end
-    
-      create_table :casserver_service_tickets, :force => true do |t|
-        t.column :ticket,     :string,    :null => false
-        t.column :service,    :string,    :null => false
-        t.column :created_on, :timestamp, :null => false
-        t.column :consumed,   :datetime, :null => true
-        t.column :client_hostname, :string, :null => false
-        t.column :username,   :string,  :null => false
-        t.column :type,       :string,   :null => false
-        t.column :proxy_granting_ticket_id, :integer, :null => true
-      end
-      
-      create_table :casserver_ticket_granting_tickets, :force => true do |t|
-        t.column :ticket,     :string,    :null => false
-        t.column :created_on, :timestamp, :null => false
-        t.column :client_hostname, :string, :null => false
-        t.column :username,   :string,    :null => false
-      end
+      if ActiveRecord::Base.connection.table_alias_length > 30
+        $LOG.info("Creating database with long table names...")
+        
+        create_table :casserver_login_tickets, :force => true do |t|
+          t.column :ticket,     :string,   :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :consumed,   :datetime, :null => true
+          t.column :client_hostname, :string, :null => false
+        end
       
-      create_table :casserver_proxy_granting_tickets, :force => true do |t|
-        t.column :ticket,     :string,    :null => false
-        t.column :created_on, :timestamp, :null => false
-        t.column :client_hostname, :string, :null => false
-        t.column :iou,        :string,    :null => false
-        t.column :service_ticket_id, :integer, :null => false
+        create_table :casserver_service_tickets, :force => true do |t|
+          t.column :ticket,     :string,    :null => false
+          t.column :service,    :string,    :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :consumed,   :datetime, :null => true
+          t.column :client_hostname, :string, :null => false
+          t.column :username,   :string,  :null => false
+          t.column :type,       :string,   :null => false
+          t.column :proxy_granting_ticket_id, :integer, :null => true
+        end
+        
+        create_table :casserver_ticket_granting_tickets, :force => true do |t|
+          t.column :ticket,     :string,    :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :client_hostname, :string, :null => false
+          t.column :username,   :string,    :null => false
+        end
+        
+        create_table :casserver_proxy_granting_tickets, :force => true do |t|
+          t.column :ticket,     :string,    :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :client_hostname, :string, :null => false
+          t.column :iou,        :string,    :null => false
+          t.column :service_ticket_id, :integer, :null => false
+        end
       end
     end
     
     def self.down
-      drop_table :casserver_service_tickets
-      drop_table :casserver_login_tickets
+      if ActiveRecord::Base.connection.table_alias_length > 30
+        drop_table :casserver_proxy_granting_tickets
+        drop_table :casserver_ticket_granting_tickets
+        drop_table :casserver_service_tickets
+        drop_table :casserver_login_tickets
+      end
     end
   end
   
@@ -122,18 +131,60 @@ module CASServer::Models
   # See http://code.google.com/p/rubycas-server/issues/detail?id=15
   class ShortenTableNames < V 0.5
     def self.up
-      $LOG.info("Shortening table names")
-      rename_table :casserver_login_tickets, :casserver_lt
-      rename_table :casserver_service_tickets, :casserver_st
-      rename_table :casserver_ticket_granting_tickets, :casserver_tgt
-      rename_table :casserver_proxy_granting_tickets, :casserver_pgt
+      if ActiveRecord::Base.connection.table_alias_length > 30
+        $LOG.info("Shortening table names")
+        rename_table :casserver_login_tickets, :casserver_lt
+        rename_table :casserver_service_tickets, :casserver_st
+        rename_table :casserver_ticket_granting_tickets, :casserver_tgt
+        rename_table :casserver_proxy_granting_tickets, :casserver_pgt
+      else
+        create_table :casserver_lt, :force => true do |t|
+          t.column :ticket,     :string,   :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :consumed,   :datetime, :null => true
+          t.column :client_hostname, :string, :null => false
+        end
+      
+        create_table :casserver_st, :force => true do |t|
+          t.column :ticket,     :string,    :null => false
+          t.column :service,    :string,    :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :consumed,   :datetime, :null => true
+          t.column :client_hostname, :string, :null => false
+          t.column :username,   :string,  :null => false
+          t.column :type,       :string,   :null => false
+          t.column :proxy_granting_ticket_id, :integer, :null => true
+        end
+        
+        create_table :casserver_tgt, :force => true do |t|
+          t.column :ticket,     :string,    :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :client_hostname, :string, :null => false
+          t.column :username,   :string,    :null => false
+        end
+        
+        create_table :casserver_pgt, :force => true do |t|
+          t.column :ticket,     :string,    :null => false
+          t.column :created_on, :timestamp, :null => false
+          t.column :client_hostname, :string, :null => false
+          t.column :iou,        :string,    :null => false
+          t.column :service_ticket_id, :integer, :null => false
+        end
+      end
     end
     
     def self.down
-      rename_table :casserver_lt, :cassserver_login_tickets
-      rename_table :casserver_st, :casserver_service_tickets
-      rename_table :casserver_tgt, :casserver_ticket_granting_tickets
-      rename_table :casserver_pgt, :casserver_proxy_granting_tickets
+      if ActiveRecord::Base.connection.table_alias_length > 30
+        rename_table :casserver_lt, :cassserver_login_tickets
+        rename_table :casserver_st, :casserver_service_tickets
+        rename_table :casserver_tgt, :casserver_ticket_granting_tickets
+        rename_table :casserver_pgt, :casserver_proxy_granting_tickets
+      else
+        drop_table :casserver_pgt
+        drop_table :casserver_tgt
+        drop_table :casserver_st
+        drop_table :casserver_lt
+      end
     end
   end
 end