rubycas-server 0.6.0 → 0.7.0

data/lib/casserver/controllers.rb

@@ -17,7 +17,7 @@ module CASServer::Controllers
       headers['Expires'] = (Time.now - 1.year).rfc2822
       
       # optional params
-      @service = @input['service']
+      @service = clean_service_url(@input['service'])
       @renew = @input['renew']
       @gateway = @input['gateway'] == 'true' || @input['gateway'] == '1'
       
@@ -26,13 +26,19 @@ module CASServer::Controllers
       end
       
       if tgt and !tgt_error
-        @message = {:type => 'notice', :message => %{You are currently logged in as "#{tgt.username}". If this is not you, please log in below.}}
+        @message = {:type => 'notice', 
+          :message => %{You are currently logged in as "#{tgt.username}". If this is not you, please log in below.}}
+      end
+
+      if @input['redirection_loop_intercepted']
+        @message = {:type => 'mistake', 
+          :message => %{The client and server are unable to negotiate authentication. Please try logging in again later.}}
       end
       
       begin
         if @service 
           if !@renew && tgt && !tgt_error
-            st = generate_service_ticket(@service, tgt.username)
+            st = generate_service_ticket(@service, tgt.username, tgt)
             service_with_ticket = service_uri_with_ticket(@service, st)
             $LOG.info("User '#{tgt.username}' authenticated based on ticket granting cookie. Redirecting to service '#{@service}'.")
             return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
@@ -42,11 +48,13 @@ module CASServer::Controllers
           end
         elsif @gateway
             $LOG.error("This is a gateway request but no service parameter was given!")
-            @message = {:type => 'mistake', :message => "The server cannot fulfill this gateway request because no service parameter was given."}
+            @message = {:type => 'mistake', 
+              :message => "The server cannot fulfill this gateway request because no service parameter was given."}
         end
-      rescue # FIXME: shouldn't this only rescue URI::InvalidURIError?
+      rescue URI::InvalidURIError
         $LOG.error("The service '#{@service}' is not a valid URI!")
-        @message = {:type => 'mistake', :message => "The target service your browser supplied appears to be invalid. Please contact your system administrator for help."}
+        @message = {:type => 'mistake', 
+          :message => "The target service your browser supplied appears to be invalid. Please contact your system administrator for help."}
       end
       
       lt = generate_login_ticket
@@ -75,7 +83,7 @@ module CASServer::Controllers
           render :login_form
         else
           @status = 500
-          "Could not guess the CAS login URI. Please supply a submitURI parameter with your request."
+          "Could not guess the CAS login URI. Please supply a submitToURI parameter with your request."
         end
       else
         render :login
@@ -87,8 +95,7 @@ module CASServer::Controllers
       CASServer::Utils::log_controller_action(self.class, @input)
       
       # 2.2.1 (optional)
-      @service = @input['service']
-      @warn = @input['warn']
+      @service = clean_service_url(@input['service'])
       
       # 2.2.2 (required)
       @username = @input['username']
@@ -123,10 +130,21 @@ module CASServer::Controllers
       $LOG.debug("Logging in with username: #{@username}, lt: #{@lt}, service: #{@service}, auth: #{$AUTH}")
       
       credentials_are_valid = false
+      extra_attributes = {}
+      successful_authenticator = nil
       begin
         $AUTH.each do |auth|
-          credentials_are_valid = auth.validate(:username => @username, :password => @password, :service => @service)
-          break if credentials_are_valid
+          credentials_are_valid = auth.validate(
+            :username => @username, 
+            :password => @password, 
+            :service => @service,
+            :request => env
+          )
+          if credentials_are_valid
+            extra_attributes.merge!(auth.extra_attributes) unless auth.extra_attributes.blank?
+            successful_authenticator = auth
+            break 
+          end
         end
       rescue CASServer::AuthenticatorError => e
         $LOG.error(e)
@@ -135,10 +153,11 @@ module CASServer::Controllers
       end
       
       if credentials_are_valid
-        $LOG.info("Credentials for username '#{@username}' successfully validated")
+        $LOG.info("Credentials for username '#{@username}' successfully validated using #{successful_authenticator.class.name}.")
+        $LOG.debug("Authenticator provided additional user attributes: #{extra_attributes.inspect}") unless extra_attributes.blank?
         
         # 3.6 (ticket-granting cookie)
-        tgt = generate_ticket_granting_ticket(@username)
+        tgt = generate_ticket_granting_ticket(@username, extra_attributes)
         
         if CASServer::Conf.expire_sessions
           expires = CASServer::Conf.ticket_granting_ticket_expiry.to_i.from_now
@@ -147,17 +166,22 @@ module CASServer::Controllers
           expiry_info = " It will not expire."
         end
         
-        # TODO: Set expiry time for the cookie when expire_sessions is true. Unfortunately there doesn't
-        #        seem to be an easy way to set cookie expire times in Camping :(
-        @cookies[:tgt] = tgt.to_s
+        if CASServer::Conf.expire_sessions
+          @cookies[:tgt] = {
+            :value => tgt.to_s, 
+            :expires => Time.now + CASServer::Conf.ticket_granting_ticket_expiry
+          }
+        else
+          @cookies[:tgt] = tgt.to_s
+        end
         
-        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt]}' granted to '#{@username}'. #{expiry_info}")
+        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt].inspect}' granted to '#{@username.inspect}'. #{expiry_info}")
                 
         if @service.blank?
           $LOG.info("Successfully authenticated user '#{@username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
           @message = {:type => 'confirmation', :message => "You have successfully logged in."}
         else
-          @st = generate_service_ticket(@service, @username)
+          @st = generate_service_ticket(@service, @username, tgt)
           begin
             service_with_ticket = service_uri_with_ticket(@service, @st)
             
@@ -190,7 +214,7 @@ module CASServer::Controllers
       # "logout" page, we take the user back to the login page with a "you have been logged out"
       # message, allowing for an opportunity to immediately log back in. This makes it
       # easier for the user to log out and log in as someone else.
-      @service = @input['service'] || @input['destination']
+      @service = clean_service_url(@input['service'] || @input['destination'])
       @continue_url = @input['url']
       
       @gateway = @input['gateway'] == 'true' || @input['gateway'] == '1'
@@ -200,16 +224,29 @@ module CASServer::Controllers
       @cookies.delete :tgt
       
       if tgt
-        pgts = CASServer::Models::ProxyGrantingTicket.find(:all, 
-          :conditions => ["username = ?", tgt.username],
-          :include => :service_ticket)
-        pgts.each do |pgt|
-          $LOG.debug("Deleting Proxy-Granting Ticket '#{pgt}' for user '#{pgt.service_ticket.username}'")
-          pgt.destroy
-        end
-        
-        $LOG.debug("Deleting Ticket-Granting Ticket '#{tgt}' for user '#{tgt.username}'")
-        tgt.destroy
+        CASServer::Models::TicketGrantingTicket.transaction do
+          pgts = CASServer::Models::ProxyGrantingTicket.find(:all, 
+            :conditions => [CASServer::Models::Base.connection.quote_table_name(CASServer::Models::ServiceTicket.table_name)+".username = ?", tgt.username],
+            :include => :service_ticket) 
+          pgts.each do |pgt|
+            $LOG.debug("Deleting Proxy-Granting Ticket '#{pgt}' for user '#{pgt.service_ticket.username}'")
+            pgt.destroy
+          end
+          
+          if CASServer::Conf.enable_single_sign_out
+            $LOG.debug("Deleting Service/Proxy Tickets for '#{tgt}' for user '#{tgt.username}'")
+            tgt.service_tickets.each do |st|
+              send_logout_notification_for_service_ticket(st)
+              # TODO: Maybe we should do some special handling if send_logout_notification_for_service_ticket fails? 
+              #       (the above method returns false if the POST results in a non-200 HTTP response).
+              $LOG.debug "Deleting #{st.class.name.demodulize} #{st.ticket.inspect}."
+              st.destroy
+            end
+          end
+          
+          $LOG.debug("Deleting #{tgt.class.name.demodulize} '#{tgt}' for user '#{tgt.username}'")
+          tgt.destroy
+        end  
         
         $LOG.info("User '#{tgt.username}' logged out.")
       else
@@ -242,7 +279,7 @@ module CASServer::Controllers
       CASServer::Utils::log_controller_action(self.class, @input)
       
       # required
-      @service = @input['service']
+      @service = clean_service_url(@input['service'])
       @ticket = @input['ticket']
       # optional
       @renew = @input['renew']
@@ -252,6 +289,8 @@ module CASServer::Controllers
       
       @username = st.username if @success
       
+      @status = response_status_from_error(@error) if @error
+      
       render :validate
     end
   end
@@ -265,7 +304,7 @@ module CASServer::Controllers
       CASServer::Utils::log_controller_action(self.class, @input)
       
       # required
-      @service = @input['service']
+      @service = clean_service_url(@input['service'])
       @ticket = @input['ticket']
       # optional
       @pgt_url = @input['pgtUrl']
@@ -280,8 +319,11 @@ module CASServer::Controllers
           pgt = generate_proxy_granting_ticket(@pgt_url, st)
           @pgtiou = pgt.iou if pgt
         end
+        @extra_attributes = st.ticket_granting_ticket.extra_attributes || {}
       end
       
+      @status = response_status_from_error(@error) if @error
+      
       render :service_validate
     end
   end
@@ -295,7 +337,7 @@ module CASServer::Controllers
       CASServer::Utils::log_controller_action(self.class, @input)
       
       # required
-      @service = @input['service']
+      @service = clean_service_url(@input['service'])
       @ticket = @input['ticket']
       # optional
       @pgt_url = @input['pgtUrl']
@@ -306,6 +348,7 @@ module CASServer::Controllers
       t, @error = validate_proxy_ticket(@service, @ticket)      
       @success = t && !@error
       
+      @extra_attributes = {}
       if @success
         @username = t.username
         
@@ -317,7 +360,11 @@ module CASServer::Controllers
           pgt = generate_proxy_granting_ticket(@pgt_url, t)
           @pgtiou = pgt.iou if pgt
         end
+        
+        @extra_attributes = t.ticket_granting_ticket.extra_attributes || {}
       end
+      
+      @status = response_status_from_error(@error) if @error
 
      render :proxy_validate
     end
@@ -341,6 +388,8 @@ module CASServer::Controllers
         @pt = generate_proxy_ticket(@target_service, pgt)
       end
       
+      @status = response_status_from_error(@error) if @error
+      
       render :proxy
     end
   end
@@ -356,7 +405,7 @@ module CASServer::Controllers
     def get
       CASServer::Utils::log_controller_action(self.class, @input)
       $LOG.error("Tried to use login ticket dispenser with get method!")
-      @status = 500
+      @status = 422
       "To generate a login ticket, you must make a POST request."
     end
     
@@ -366,7 +415,7 @@ module CASServer::Controllers
       CASServer::Utils::log_controller_action(self.class, @input)
       lt = generate_login_ticket
       
-      $LOG.debug("Dispensing login ticket #{lt} to host #{(env['REMOTE_HOST'] || env['REMOTE_ADDR']).inspect}")
+      $LOG.debug("Dispensing login ticket #{lt} to host #{(env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']).inspect}")
       
       @lt = lt.ticket
       
@@ -388,4 +437,16 @@ module CASServer::Controllers
       end
     end
   end
+  
+  def response_status_from_error(error)
+    case error.code.to_s
+    when /^INVALID_/, 'BAD_PGT'
+      422
+    when 'INTERNAL_ERROR'
+      500
+    else
+      500
+    end
+  end
+  module_function :response_status_from_error
 end

data/lib/casserver/environment.rb

@@ -1,15 +1,21 @@
 $: << File.dirname(File.expand_path(__FILE__))
 
 # Try to load local version of Picnic if possible (for development purposes)
-$: << File.dirname(File.expand_path(__FILE__))+"/../../../picnic/lib"
-$: << File.dirname(File.expand_path(__FILE__))+"/../../vendor/picnic/lib"
+alt_picic_paths = []
+alt_picic_paths << File.dirname(File.expand_path(__FILE__))+"/../../../picnic/lib"
+alt_picic_paths << File.dirname(File.expand_path(__FILE__))+"/../../vendor/picnic/lib"
 
 begin
+  require 'active_record'
+rescue LoadError
+  require 'rubygems'
+  require 'active_record'
+end
+
+if alt_picic_paths.any?{|path| File.exists? "#{path}/picnic.rb" }
+  alt_picic_paths.each{|path| $: << path}
   require 'picnic'
-rescue LoadError => e
-  # make sure that the LoadError was about picnic and not something else
-  raise e unless e.to_s =~ /picnic/
-  
+else
   require 'rubygems'
   
   # make things backwards-compatible for rubygems < 0.9.0
@@ -17,7 +23,8 @@ rescue LoadError => e
     alias gem require_gem
   end
   
-  gem 'picnic'
-  
   require 'picnic'
-end
+end
+
+# used for serializing user extra_attributes (see #service_validate in views.rb)
+require 'yaml'

data/lib/casserver/models.rb

@@ -36,17 +36,11 @@ module CASServer::Models
     set_table_name 'casserver_st'
     include Consumable
     
+    belongs_to :ticket_granting_ticket, :foreign_key => :tgt_id
+    
     def matches_service?(service)
-      # Remove CAS-related parameters from the service URL, since they really shoudln't
-      # be there (some misbehaving clients include them in the service URL).
-      ['service', 'ticket', 'gateway', 'renew'].each do |p|
-        service.gsub!(Regexp.new("#{p}=[^&]*"), '')
-      end
-      
-      # We ignore the trailing slash and ? in URLs, since 
-      # "http://www.google.com/" and "http://www.google.com" are almost
-      # certainly the same service.
-      self.service.gsub(/[\/\?]$/, '') == service.gsub(/[\/\?]$/, '')
+      CASServer::CAS.clean_service_url(self.service) == 
+        CASServer::CAS.clean_service_url(service)
     end
   end
   
@@ -56,6 +50,10 @@ module CASServer::Models
   
   class TicketGrantingTicket < Ticket
     set_table_name 'casserver_tgt'
+    
+    serialize :extra_attributes
+    
+    has_many :service_tickets, :foreign_key => :tgt_id
   end
   
   class ProxyGrantingTicket < Ticket
@@ -187,4 +185,34 @@ module CASServer::Models
       end
     end
   end
+  
+  class AddTgtToSt < V 0.7
+    def self.up
+      add_column :casserver_st, :tgt_id, :integer, :null => true
+    end
+    
+    def self.down
+      remove_column :casserver_st, :tgt_id, :integer
+    end
+  end
+  
+  class ChangeServiceToText < V 0.71
+    def self.up
+      change_column :casserver_st, :service, :text
+    end
+    
+    def self.down
+      change_column :casserver_st, :service, :string
+    end
+  end
+  
+  class AddExtraAttributes < V 0.72
+    def self.up
+      add_column :casserver_tgt, :extra_attributes, :text
+    end
+    
+    def self.down
+      remove_column :casserver_tgt, :extra_attributes
+    end
+  end
 end

data/lib/casserver/version.rb

@@ -1,7 +1,7 @@
 module CASServer
   module VERSION #:nodoc:
     MAJOR = 0
-    MINOR = 6
+    MINOR = 7
     TINY  = 0
 
     STRING = [MAJOR, MINOR, TINY].join('.')

data/lib/casserver/views.rb

@@ -3,7 +3,9 @@
 
 # need auto_validation off to render CAS responses and to use the autocomplete='off' property on password field
 Markaby::Builder.set(:auto_validation, false)
-Markaby::Builder.set(:indent, 2)
+
+# disabled XML indentation because it was causing problems with mod_auth_cas
+#Markaby::Builder.set(:indent, 2) 
 
 module CASServer::Views
 
@@ -62,7 +64,7 @@ module CASServer::Views
   # Just the login form.
   def login_form
     form(:method => "post", :action => @form_action || '/login', :id => "login-form",
-        :onsubmit => "submit = document.getElementById('login-submit'); submit.value='Please wait...'; submit.disabled=true; return true;") do
+        :onsubmit => "submitbutton = document.getElementById('login-submit'); submitbutton.value='Please wait...'; submitbutton.disabled=true; return true;") do
       table(:id => "form-layout") do
         tr do
           td(:id => "username-label-container") do
@@ -87,7 +89,6 @@ module CASServer::Views
           td(:id => "submit-container") do
             input(:type => "hidden", :id => "lt", :name => "lt", :value => @lt)
             input(:type => "hidden", :id => "service", :name => "service", :value => @service)
-            input(:type => "hidden", :id => "warn", :name => "warn", :value => @warn)
             input(:type => "submit", :class => "button", :accesskey => "l", :value => "LOGIN", :tabindex => "4", :id => "login-submit")
           end
         end
@@ -143,6 +144,9 @@ module CASServer::Views
       tag!("cas:serviceResponse", 'xmlns:cas' => "http://www.yale.edu/tp/cas") do
         tag!("cas:authenticationSuccess") do
           tag!("cas:user") {@username.to_s.to_xs}
+          @extra_attributes.each do |key, value|
+            tag!(key) {serialize_extra_attribute(value)}
+          end
           if @pgtiou
             tag!("cas:proxyGrantingTicket") {@pgtiou.to_s.to_xs}
           end
@@ -162,6 +166,9 @@ module CASServer::Views
       tag!("cas:serviceResponse", 'xmlns:cas' => "http://www.yale.edu/tp/cas") do
         tag!("cas:authenticationSuccess") do
           tag!("cas:user") {@username.to_s.to_xs}
+          @extra_attributes.each do |key, value|
+            tag!(key) {serialize_extra_attribute(value)}
+          end
           if @pgtiou
             tag!("cas:proxyGrantingTicket") {@pgtiou.to_s.to_xs}
           end
@@ -201,25 +208,34 @@ module CASServer::Views
   end
   
   protected
-  def themes_dir
-    File.dirname(File.expand_path(__FILE__))+'../themes'
-  end
-  module_function :themes_dir
-  
-  def current_theme
-    CASServer::Conf.theme || "simple"
-  end
-  module_function :current_theme
-  
-  def organization
-    CASServer::Conf.organization || ""
-  end
-  module_function :organization
-  
-  def infoline
-    CASServer::Conf.infoline || ""
-  end
-  module_function :infoline
+    def themes_dir
+      File.dirname(File.expand_path(__FILE__))+'../themes'
+    end
+    module_function :themes_dir
+    
+    def current_theme
+      CASServer::Conf.theme || "simple"
+    end
+    module_function :current_theme
+    
+    def organization
+      CASServer::Conf.organization || ""
+    end
+    module_function :organization
+    
+    def infoline
+      CASServer::Conf.infoline || ""
+    end
+    module_function :infoline
+    
+    def serialize_extra_attribute(value)
+      if value.kind_of?(String) || value.kind_of?(Numeric)
+        value
+      else
+        "<![CDATA[#{value.to_yaml}]]>"
+      end
+    end
+    module_function :serialize_extra_attribute
 end
 
 if CASServer::Conf.custom_views_file

data/lib/casserver.rb

@@ -1,14 +1,17 @@
-$: << File.dirname(File.expand_path(__FILE__))
-require 'casserver/environment'
+unless $APP_PATH
+  $APP_PATH = File.dirname(File.expand_path(__FILE__))
+  $: << $APP_PATH
+end
 
-$APP_PATH ||= File.dirname(File.expand_path(__FILE__))
+load "#{$APP_PATH}/lib/casserver/environment.rb"
 
 # change to current directory when invoked on its own
 Dir.chdir($APP_PATH) if __FILE__ == $0
 
-$: << $APP_PATH + "/../vendor/isaac_0.9.1"
+$: << $APP_PATH + "/vendor/isaac_0.9.1"
 require 'crypt/ISAAC'
 
+
 require 'active_support'
 require 'yaml'
 
@@ -43,11 +46,11 @@ unless $CONF[:authenticator]
   exit 1
 end
 
-require 'casserver/utils'
-require 'casserver/models'
-require 'casserver/cas'
-require 'casserver/views'
-require 'casserver/controllers'
+require "casserver/utils.rb"
+require "casserver/models.rb"
+require "casserver/cas.rb"
+require "casserver/views.rb"
+require "casserver/controllers.rb"
 
 if $CONF[:authenticator].instance_of? Array
   $CONF[:authenticator].each_index do |auth_index| 
@@ -72,6 +75,7 @@ rescue NameError
       else
         # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
         auth_rb = authenticator[:class].underscore.gsub('cas_server/', '')
+        
         require 'casserver/'+auth_rb
       end
       $AUTH << authenticator[:class].constantize.new

data/lib/rubycas-server/version.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__)+'/../casserver/version.rb'

data/lib/rubycas-server.rb

@@ -1 +1 @@
-require 'lib/casserver'
+require 'casserver'