rubycas-server 0.7.1.1 → 1.0

data/config/hoe.rb

@@ -1,76 +0,0 @@
-require 'rubycas-server/version'
-
-AUTHOR = 'Matt Zukowski'  # can also be an array of Authors
-EMAIL = "matt@zukowski.ca"
-DESCRIPTION = "Provides single sign-on authentication for web applications using the CAS protocol."
-GEM_NAME = 'rubycas-server' # what ppl will type to install your gem
-RUBYFORGE_PROJECT = 'rubycas-server' # The unix name for your project
-HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
-DOWNLOAD_PATH = "http://rubyforge.org/projects/#{RUBYFORGE_PROJECT}"
-EXTRA_DEPENDENCIES = [
-  'activesupport',
-  'activerecord',
-  ['picnic', '= 0.7.0']
-]    # An array of rubygem dependencies [name, version]
-
-@config_file = "~/.rubyforge/user-config.yml"
-@config = nil
-RUBYFORGE_USERNAME = "unknown"
-def rubyforge_username
-  unless @config
-    begin
-      @config = YAML.load(File.read(File.expand_path(@config_file)))
-    rescue
-      puts <<-EOS
-ERROR: No rubyforge config file found: #{@config_file}
-Run 'rubyforge setup' to prepare your env for access to Rubyforge
- - See http://newgem.rubyforge.org/rubyforge.html for more details
-      EOS
-      exit
-    end
-  end
-  RUBYFORGE_USERNAME.replace @config["username"]
-end
-
-ENV['NODOT'] = '1'
-
-REV = nil
-# UNCOMMENT IF REQUIRED:
-#REV = YAML.load(`svn info`)['Revision']
-VERS = CASServer::VERSION::STRING + (REV ? ".#{REV}" : "")
-RDOC_OPTS = ['--quiet', '--title', 'rubycas-server documentation',
-    "--opname", "index.html",
-    "--line-numbers",
-    "--main", "README",
-    "--inline-source"]
-
-class Hoe
-  def extra_deps
-    @extra_deps.reject! { |x| Array(x).first == 'hoe' }
-    @extra_deps
-  end
-end
-
-# Generate all the Rake tasks
-# Run 'rake -T' to see list of generated tasks (from gem root directory)
-$hoe = Hoe.new(GEM_NAME, VERS) do |p|
-  p.developer(AUTHOR, EMAIL)
-  p.description = DESCRIPTION
-  p.summary = DESCRIPTION
-  p.url = HOMEPATH
-  p.rubyforge_name = RUBYFORGE_PROJECT if RUBYFORGE_PROJECT
-  p.test_globs = ["test/**/test_*.rb"]
-  p.clean_globs |= ['**/.*.sw?', '*.gem', '.config', '**/.DS_Store']  #An array of file patterns to delete on clean.
-
-  # == Optional
-  p.changes = p.paragraphs_of("History.txt", 0..1).join("\n\n")
-  #p.extra_deps = EXTRA_DEPENDENCIES
-
-    p.spec_extras = {:executables => ['rubycas-server', 'rubycas-server-ctl']}    # A hash of extra values to set in the gemspec.
-  end
-
-CHANGES = $hoe.paragraphs_of('History.txt', 0..1).join("\\n\\n")
-PATH    = (RUBYFORGE_PROJECT == GEM_NAME) ? RUBYFORGE_PROJECT : "#{RUBYFORGE_PROJECT}"
-$hoe.remote_rdoc_dir = File.join(PATH.gsub(/^#{RUBYFORGE_PROJECT}\/?/,''), 'rdoc')
-$hoe.rsync_args = '-av --delete --ignore-errors'
-$hoe.spec.post_install_message = File.open(File.dirname(__FILE__) + "/../PostInstall.txt").read rescue ""

data/config/requirements.rb

@@ -1,15 +0,0 @@
-require 'fileutils'
-include FileUtils
-
-require 'rubygems'
-%w[rake hoe newgem rubigen].each do |req_gem|
-  begin
-    require req_gem
-  rescue LoadError
-    puts "This Rakefile requires the '#{req_gem}' RubyGem."
-    puts "Installation: gem install #{req_gem} -y"
-    exit
-  end
-end
-
-$:.unshift(File.join(File.dirname(__FILE__), %w[.. lib]))

data/custom_views.example.rb

@@ -1,11 +0,0 @@
-# Custom views file; add methods to the module definition below
-
-module CASServer::Views
-
-  # Override views here, for example, a custom login form:
-  def login_form
-    # Add your custom login form here, using Markaby
-    # See the original views.rb file at lib/casserver/views.rb for method names and usage
-  end
-
-end

data/lib/casserver/conf.rb

@@ -1,112 +0,0 @@
-# load configuration
-
-begin
-  if $CONFIG_FILE
-    conf_file = $CONFIG_FILE
-  else
-    conf_file = etc_conf = "/etc/rubycas-server/config.yml"
-    unless File.exists? conf_file 
-      # can use local config.yml file in case we're running non-gem installation
-      conf_file = File.dirname(File.expand_path(__FILE__))+"/../../config.yml"
-    end
-  end
-
-  unless File.exists? conf_file  
-    require 'fileutils'
-    
-    example_conf_file = File.expand_path(File.dirname(File.expand_path(__FILE__))+"/../../config.example.yml")
-    puts "\nCAS SERVER NOT YET CONFIGURED!!!\n"
-    puts "\nAttempting to copy sample configuration from '#{example_conf_file}' to '#{etc_conf}'...\n"
-    
-    begin
-      FileUtils.mkdir("/etc/rubycas-server") unless File.exists? "/etc/rubycas-server"
-      FileUtils.cp(example_conf_file, etc_conf)
-    rescue Errno::EACCES
-      puts "\nIt appears that you do not have permissions to create the '#{etc_conf}' file. Try running this command using sudo (as root).\n"
-      exit 2
-    rescue
-      puts "\nFor some reason the '#{etc_conf}' file could not be created. You'll have to copy the file manually." +
-        " Use '#{example_conf_file}' as a template.\n"  
-      exit 2
-    end
-    
-    puts "\nA sample configuration has been created for you in '#{etc_conf}'. Please edit this file to" +
-      " suit your needs and then run rubycas-server again.\n"
-    exit 1
-  end
- 
-  loaded_conf = HashWithIndifferentAccess.new(YAML.load_file(conf_file))
-  
-  if $CONF
-    $CONF = loaded_conf.merge $CONF
-  else
-    $CONF = loaded_conf
-  end
- 
-  if $CONF[:authenticator].instance_of? Array
-    $CONF[:authenticator].each_index { |auth_index| $CONF[:authenticator][auth_index] = HashWithIndifferentAccess.new($CONF[:authenticator][auth_index])}
-  end
-
-  $AUTH = []
-  begin
-    # attempt to instantiate the authenticator
-    if $CONF[:authenticator].instance_of? Array
-      $CONF[:authenticator].each { |authenticator| $AUTH << authenticator[:class].constantize.new}
-    else
-      $AUTH << $CONF[:authenticator][:class].constantize.new
-    end
-  rescue NameError
-    if $CONF[:authenticator].instance_of? Array
-      $CONF[:authenticator].each do |authenticator|
-        if !authenticator[:source].nil?
-          # config.yml explicitly names source file
-          require authenticator[:source]
-        else
-          # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
-          auth_rb = authenticator[:class].underscore.gsub('cas_server/', '')
-          require 'casserver/'+auth_rb
-        end
-        $AUTH << authenticator[:class].constantize.new
-      end
-    else
-      if !$CONF[:authenticator][:source].nil?
-        # config.yml explicitly names source file
-        require $CONF[:authenticator][:source]
-      else
-        # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
-        auth_rb = $CONF[:authenticator][:class].underscore.gsub('cas_server/', '')
-        require 'casserver/'+auth_rb
-      end
-
-      $AUTH << $CONF[:authenticator][:class].constantize.new
-    end
-  end
-rescue
-    raise "Your RubyCAS-Server configuration may be invalid."+
-      " Please double-check check your config.yml file."+
-      " Make sure that you are using spaces instead of tabs for your indentation!!" +
-      "\n\nUNDERLYING EXCEPTION:\n#{$!}"
-end
-
-module CASServer
-  module Conf
-    DEFAULTS = {
-      :expire_sessions => false,
-      :login_ticket_expiry => 5.minutes,
-      :service_ticket_expiry => 5.minutes, # CAS Protocol Spec, sec. 3.2.1 (recommended expiry time)
-      :proxy_granting_ticket_expiry => 48.hours,
-      :ticket_granting_ticket_expiry => 48.hours,
-      :log => {:file => 'casserver.log', :level => 'DEBUG'},
-      :uri_path => "/"
-    }
-  
-    def [](key)
-      $CONF[key] || DEFAULTS[key]
-    end
-    module_function "[]".intern
-    
-    def self.method_missing(method, *args)
-      self[method]
-    end
-  end
-end

data/lib/casserver/controllers.rb

@@ -1,452 +0,0 @@
-# The #.#.# comments (e.g. "2.1.3") refer to section numbers in the CAS protocol spec
-# under http://www.ja-sig.org/products/cas/overview/protocol/index.html
-
-module CASServer::Controllers
-
-  # 2.1
-  class Login < R '/', '/login'
-    include CASServer::CAS
-    
-    # 2.1.1
-    def get
-      CASServer::Utils::log_controller_action(self.class, @input)
-      
-      # make sure there's no caching
-      headers['Pragma'] = 'no-cache'
-      headers['Cache-Control'] = 'no-store'
-      headers['Expires'] = (Time.now - 1.year).rfc2822
-      
-      # optional params
-      @service = clean_service_url(@input['service'])
-      @renew = @input['renew']
-      @gateway = @input['gateway'] == 'true' || @input['gateway'] == '1'
-      
-      if tgc = @cookies[:tgt]
-        tgt, tgt_error = validate_ticket_granting_ticket(tgc)
-      end
-      
-      if tgt and !tgt_error
-        @message = {:type => 'notice', 
-          :message => %{You are currently logged in as "#{tgt.username}". If this is not you, please log in below.}}
-      end
-
-      if @input['redirection_loop_intercepted']
-        @message = {:type => 'mistake', 
-          :message => %{The client and server are unable to negotiate authentication. Please try logging in again later.}}
-      end
-      
-      begin
-        if @service 
-          if !@renew && tgt && !tgt_error
-            st = generate_service_ticket(@service, tgt.username, tgt)
-            service_with_ticket = service_uri_with_ticket(@service, st)
-            $LOG.info("User '#{tgt.username}' authenticated based on ticket granting cookie. Redirecting to service '#{@service}'.")
-            return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
-          elsif @gateway
-            $LOG.info("Redirecting unauthenticated gateway request to service '#{@service}'.")
-            return redirect(@service, :status => 303)
-          end
-        elsif @gateway
-            $LOG.error("This is a gateway request but no service parameter was given!")
-            @message = {:type => 'mistake', 
-              :message => "The server cannot fulfill this gateway request because no service parameter was given."}
-        end
-      rescue URI::InvalidURIError
-        $LOG.error("The service '#{@service}' is not a valid URI!")
-        @message = {:type => 'mistake', 
-          :message => "The target service your browser supplied appears to be invalid. Please contact your system administrator for help."}
-      end
-      
-      lt = generate_login_ticket
-      
-      $LOG.debug("Rendering login form with lt: #{lt}, service: #{@service}, renew: #{@renew}, gateway: #{@gateway}")
-      
-      @lt = lt.ticket
-      
-      #$LOG.debug(env)
-      
-      # If the 'onlyLoginForm' parameter is specified, we will only return the 
-      # login form part of the page. This is useful for when you want to
-      # embed the login form in some external page (as an IFRAME, or otherwise).
-      # The optional 'submitToURI' parameter can be given to explicitly set the
-      # action for the form, otherwise the server will try to guess this for you.
-      if @input.has_key? 'onlyLoginForm'
-        if env['HTTP_HOST']
-          guessed_login_uri = "http#{env['HTTPS'] && env['HTTPS'] == 'on' ? 's' : ''}://#{env['REQUEST_URI']}#{self / '/login'}"
-        else
-          guessed_login_uri = nil
-        end
-
-        @form_action = @input['submitToURI'] || guessed_login_uri
-        
-        if @form_action
-          render :login_form
-        else
-          @status = 500
-          "Could not guess the CAS login URI. Please supply a submitToURI parameter with your request."
-        end
-      else
-        render :login
-      end
-    end
-    
-    # 2.2
-    def post
-      CASServer::Utils::log_controller_action(self.class, @input)
-      
-      # 2.2.1 (optional)
-      @service = clean_service_url(@input['service'])
-      
-      # 2.2.2 (required)
-      @username = @input['username']
-      @password = @input['password']
-      @lt = @input['lt']
-      
-      # Remove leading and trailing widespace from username.
-      @username.strip! if @username
-      
-      if @username && $CONF[:downcase_username]
-        $LOG.debug("Converting username #{@username.inspect} to lowercase because 'downcase_username' option is enabled.")
-        @username.downcase!
-      end
-      
-      if error = validate_login_ticket(@lt)
-        @message = {:type => 'mistake', :message => error}
-        # generate another login ticket to allow for re-submitting the form
-        @lt = generate_login_ticket.ticket
-        @status = 401
-        return render(:login)
-      end
-      
-      # generate another login ticket to allow for re-submitting the form after a post
-      @lt = generate_login_ticket.ticket
-      
-      if $CONF[:authenticator].instance_of? Array
-        $AUTH.each_index {|auth_index| $AUTH[auth_index].configure(CASServer::Conf.authenticator[auth_index])}
-      else
-        $AUTH[0].configure(CASServer::Conf.authenticator)
-      end
-
-      $LOG.debug("Logging in with username: #{@username}, lt: #{@lt}, service: #{@service}, auth: #{$AUTH}")
-      
-      credentials_are_valid = false
-      extra_attributes = {}
-      successful_authenticator = nil
-      begin
-        $AUTH.each do |auth|
-          credentials_are_valid = auth.validate(
-            :username => @username, 
-            :password => @password, 
-            :service => @service,
-            :request => env
-          )
-          if credentials_are_valid
-            extra_attributes.merge!(auth.extra_attributes) unless auth.extra_attributes.blank?
-            successful_authenticator = auth
-            break 
-          end
-        end
-      rescue CASServer::AuthenticatorError => e
-        $LOG.error(e)
-        @message = {:type => 'mistake', :message => e.to_s}
-        return render(:login)
-      end
-      
-      if credentials_are_valid
-        $LOG.info("Credentials for username '#{@username}' successfully validated using #{successful_authenticator.class.name}.")
-        $LOG.debug("Authenticator provided additional user attributes: #{extra_attributes.inspect}") unless extra_attributes.blank?
-        
-        # 3.6 (ticket-granting cookie)
-        tgt = generate_ticket_granting_ticket(@username, extra_attributes)
-        
-        if CASServer::Conf.expire_sessions
-          expires = CASServer::Conf.ticket_granting_ticket_expiry.to_i.from_now
-          expiry_info = " It will expire on #{expires}."
-        else
-          expiry_info = " It will not expire."
-        end
-        
-        if CASServer::Conf.expire_sessions
-          @cookies[:tgt] = {
-            :value => tgt.to_s, 
-            :expires => Time.now + CASServer::Conf.ticket_granting_ticket_expiry
-          }
-        else
-          @cookies[:tgt] = tgt.to_s
-        end
-        
-        $LOG.debug("Ticket granting cookie '#{@cookies[:tgt].inspect}' granted to '#{@username.inspect}'. #{expiry_info}")
-                
-        if @service.blank?
-          $LOG.info("Successfully authenticated user '#{@username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
-          @message = {:type => 'confirmation', :message => "You have successfully logged in."}
-        else
-          @st = generate_service_ticket(@service, @username, tgt)
-          begin
-            service_with_ticket = service_uri_with_ticket(@service, @st)
-            
-            $LOG.info("Redirecting authenticated user '#{@username}' at '#{@st.client_hostname}' to service '#{@service}'")
-            return redirect(service_with_ticket, :status => 303) # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
-          rescue URI::InvalidURIError
-            $LOG.error("The service '#{@service}' is not a valid URI!")
-            @message = {:type => 'mistake', :message => "The target service your browser supplied appears to be invalid. Please contact your system administrator for help."}
-          end
-        end
-      else
-        $LOG.warn("Invalid credentials given for user '#{@username}'")
-        @message = {:type => 'mistake', :message => "Incorrect username or password."}
-        @status = 401
-      end
-      
-      render :login
-    end
-  end
-  
-  # 2.3
-  class Logout < R '/logout'
-    include CASServer::CAS
-    
-    # 2.3.1
-    def get
-      CASServer::Utils::log_controller_action(self.class, @input)
-      
-      # The behaviour here is somewhat non-standard. Rather than showing just a blank
-      # "logout" page, we take the user back to the login page with a "you have been logged out"
-      # message, allowing for an opportunity to immediately log back in. This makes it
-      # easier for the user to log out and log in as someone else.
-      @service = clean_service_url(@input['service'] || @input['destination'])
-      @continue_url = @input['url']
-      
-      @gateway = @input['gateway'] == 'true' || @input['gateway'] == '1'
-      
-      tgt = CASServer::Models::TicketGrantingTicket.find_by_ticket(@cookies[:tgt])
-      
-      @cookies.delete :tgt
-      
-      if tgt
-        CASServer::Models::TicketGrantingTicket.transaction do
-          pgts = CASServer::Models::ProxyGrantingTicket.find(:all, 
-            :conditions => [CASServer::Models::Base.connection.quote_table_name(CASServer::Models::ServiceTicket.table_name)+".username = ?", tgt.username],
-            :include => :service_ticket) 
-          pgts.each do |pgt|
-            $LOG.debug("Deleting Proxy-Granting Ticket '#{pgt}' for user '#{pgt.service_ticket.username}'")
-            pgt.destroy
-          end
-          
-          if CASServer::Conf.enable_single_sign_out
-            $LOG.debug("Deleting Service/Proxy Tickets for '#{tgt}' for user '#{tgt.username}'")
-            tgt.service_tickets.each do |st|
-              send_logout_notification_for_service_ticket(st)
-              # TODO: Maybe we should do some special handling if send_logout_notification_for_service_ticket fails? 
-              #       (the above method returns false if the POST results in a non-200 HTTP response).
-              $LOG.debug "Deleting #{st.class.name.demodulize} #{st.ticket.inspect}."
-              st.destroy
-            end
-          end
-          
-          $LOG.debug("Deleting #{tgt.class.name.demodulize} '#{tgt}' for user '#{tgt.username}'")
-          tgt.destroy
-        end  
-        
-        $LOG.info("User '#{tgt.username}' logged out.")
-      else
-        $LOG.warn("User tried to log out without a valid ticket-granting ticket.")
-      end
-      
-      @message = {:type => 'confirmation', :message => "You have successfully logged out."}
-      
-      @message[:message] << 
-        " Please click on the following link to continue:" if @continue_url
-      
-      @lt = generate_login_ticket
-      
-      if @gateway && @service
-        redirect(@service, :status => 303)
-      elsif @continue_url
-        render :logout
-      else
-        render :login
-      end
-    end
-  end
-
-  # 2.4
-  class Validate < R '/validate'
-    include CASServer::CAS
-  
-    # 2.4.1
-    def get
-      CASServer::Utils::log_controller_action(self.class, @input)
-      
-      # required
-      @service = clean_service_url(@input['service'])
-      @ticket = @input['ticket']
-      # optional
-      @renew = @input['renew']
-      
-      st, @error = validate_service_ticket(@service, @ticket)      
-      @success = st && !@error
-      
-      @username = st.username if @success
-      
-      @status = response_status_from_error(@error) if @error
-      
-      render :validate
-    end
-  end
-  
-  # 2.5
-  class ServiceValidate < R '/serviceValidate'
-    include CASServer::CAS
-  
-    # 2.5.1
-    def get
-      CASServer::Utils::log_controller_action(self.class, @input)
-      
-      # required
-      @service = clean_service_url(@input['service'])
-      @ticket = @input['ticket']
-      # optional
-      @pgt_url = @input['pgtUrl']
-      @renew = @input['renew']
-      
-      st, @error = validate_service_ticket(@service, @ticket)      
-      @success = st && !@error
-      
-      if @success
-        @username = st.username  
-        if @pgt_url
-          pgt = generate_proxy_granting_ticket(@pgt_url, st)
-          @pgtiou = pgt.iou if pgt
-        end
-        @extra_attributes = st.ticket_granting_ticket.extra_attributes || {}
-      end
-      
-      @status = response_status_from_error(@error) if @error
-      
-      render :service_validate
-    end
-  end
-  
-  # 2.6
-  class ProxyValidate < R '/proxyValidate'
-    include CASServer::CAS
-  
-    # 2.6.1
-    def get
-      CASServer::Utils::log_controller_action(self.class, @input)
-      
-      # required
-      @service = clean_service_url(@input['service'])
-      @ticket = @input['ticket']
-      # optional
-      @pgt_url = @input['pgtUrl']
-      @renew = @input['renew']
-      
-      @proxies = []
-      
-      t, @error = validate_proxy_ticket(@service, @ticket)      
-      @success = t && !@error
-      
-      @extra_attributes = {}
-      if @success
-        @username = t.username
-        
-        if t.kind_of? CASServer::Models::ProxyTicket
-          @proxies << t.proxy_granting_ticket.service_ticket.service
-        end
-          
-        if @pgt_url
-          pgt = generate_proxy_granting_ticket(@pgt_url, t)
-          @pgtiou = pgt.iou if pgt
-        end
-        
-        @extra_attributes = t.ticket_granting_ticket.extra_attributes || {}
-      end
-      
-      @status = response_status_from_error(@error) if @error
-
-     render :proxy_validate
-    end
-  end
-  
-  class Proxy < R '/proxy'
-    include CASServer::CAS
-  
-    # 2.7
-    def get
-      CASServer::Utils::log_controller_action(self.class, @input)
-      
-      # required
-      @ticket = @input['pgt']
-      @target_service = @input['targetService']
-      
-      pgt, @error = validate_proxy_granting_ticket(@ticket)
-      @success = pgt && !@error
-      
-      if @success
-        @pt = generate_proxy_ticket(@target_service, pgt)
-      end
-      
-      @status = response_status_from_error(@error) if @error
-      
-      render :proxy
-    end
-  end
-  
-  # Controller for obtaining login tickets.
-  # This is useful when you want to build a custom login form located on a 
-  # remote server. Your form will have to include a valid login ticket
-  # value, and this can be fetched from the CAS server using this controller'
-  # POST method.
-  class LoginTicketDispenser < R '/loginTicket'
-    include CASServer::CAS
-    
-    def get
-      CASServer::Utils::log_controller_action(self.class, @input)
-      $LOG.error("Tried to use login ticket dispenser with get method!")
-      @status = 422
-      "To generate a login ticket, you must make a POST request."
-    end
-    
-    # Renders a page with a login ticket (and only the login ticket)
-    # in the response body.
-    def post
-      CASServer::Utils::log_controller_action(self.class, @input)
-      lt = generate_login_ticket
-      
-      $LOG.debug("Dispensing login ticket #{lt} to host #{(env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']).inspect}")
-      
-      @lt = lt.ticket
-      
-      @lt
-    end
-  end
-  
-  class Themes < R '/themes/(.+)'         
-    MIME_TYPES = {'.css' => 'text/css', '.js' => 'text/javascript', 
-                  '.jpg' => 'image/jpeg'}
-    PATH = CASServer::Conf.themes_dir || File.expand_path(File.dirname(__FILE__))+'/../themes'
-
-    def get(path)@headers['Content-Type'] = MIME_TYPES[path[/\.\w+$/, 0]] || "text/plain"
-      unless path.include? ".." # prevent directory traversal attacks
-        @headers['X-Sendfile'] = "#{PATH}/#{path}"
-      else
-        @status = "403"
-        "403 - Invalid path"
-      end
-    end
-  end
-  
-  def response_status_from_error(error)
-    case error.code.to_s
-    when /^INVALID_/, 'BAD_PGT'
-      422
-    when 'INTERNAL_ERROR'
-      500
-    else
-      500
-    end
-  end
-  module_function :response_status_from_error
-end