rubycas-server 0.7.1.1 → 1.0

data/lib/casserver/localization.rb

@@ -0,0 +1,91 @@
+require "gettext"
+require "gettext/cgi"
+require 'active_support'
+
+module CASServer
+  module Localization
+    def self.included(mod)
+      mod.module_eval do
+        include GetText
+      end
+    end
+
+    include GetText
+    bindtextdomain("rubycas-server", :path => File.join(File.dirname(File.expand_path(__FILE__)), "../../locale"))
+
+    def determine_locale(request)
+      source = nil
+      lang = case
+      when !request.params['lang'].blank?
+        source = "'lang' request variable"
+        request.cookies['lang'] = request.params['lang']
+        request.params['lang']
+      when !request.cookies['lang'].blank?
+        source = "'lang' cookie"
+        request.cookies['lang']
+      when !request.env['HTTP_ACCEPT_LANGUAGE'].blank?
+        source = "'HTTP_ACCEPT_LANGUAGE' header"
+        lang = request.env['HTTP_ACCEPT_LANGUAGE']
+      when !request.env['HTTP_USER_AGENT'].blank? && request.env['HTTP_USER_AGENT'] =~ /[^a-z]([a-z]{2}(-[a-z]{2})?)[^a-z]/i
+        source = "'HTTP_USER_AGENT' header"
+        $~[1]
+#      when !$CONF['default_locale'].blank?
+#        source = "'default_locale' config option"
+#        $CONF[:default_locale]
+      else
+        source = "default"
+        "en"
+      end
+
+      $LOG.debug "Detected locale is #{lang.inspect} (from #{source})"
+
+      lang.gsub!('_','-')
+
+      # TODO: Need to confirm that this method of splitting the accepted
+      #       language string is correct.
+      if lang =~ /[,;\|]/
+        langs = lang.split(/[,;\|]/)
+      else
+        langs = [lang]
+      end
+
+      # TODO: This method of selecting the desired language might not be
+      #       standards-compliant. For example, http://www.w3.org/TR/ltli/
+      #       suggests that de-de and de-*-DE might be acceptable identifiers
+      #       for selecting various wildcards. The algorithm below does not
+      #       currently support anything like this.
+
+      available = available_locales
+
+      if available.length == 1
+        $LOG.warn "Only the #{available.first.inspect} localization is available. You should run `rake localization:mo` to compile support for additional languages!"
+      elsif available.length == 0 # this should never actually happen
+        $LOG.error "No localizations available! Run `rake localization:mo` to compile support for additional languages."
+      end
+
+      # Try to pick a locale exactly matching the desired identifier, otherwise
+      # fall back to locale without region (i.e. given "en-US; de-DE", we would
+      # first look for "en-US", then "en", then "de-DE", then "de").
+
+      chosen_lang = nil
+      langs.each do |l|
+        a = available.find{ |a| a =~ Regexp.new("\\A#{l}\\Z", 'i') ||
+                                a =~ Regexp.new("#{l}-\w*",   'i')    }
+        if a
+          chosen_lang = a
+          break
+        end
+      end
+
+      chosen_lang = "en" if chosen_lang.blank?
+
+      $LOG.debug "Chosen locale is #{chosen_lang.inspect}"
+
+      return chosen_lang
+    end
+
+    def available_locales
+      (Dir.glob(File.join(File.dirname(File.expand_path(__FILE__)), "../../locale/[a-z]*")).map{|path| File.basename(path)} << "en").uniq.collect{|l| l.gsub('_','-')}
+    end
+  end
+end

data/lib/casserver/model.rb

@@ -0,0 +1,270 @@
+require 'active_record'
+require 'active_record/base'
+
+module CASServer::Model
+
+  module Consumable
+    def consume!
+      self.consumed = Time.now
+      self.save!
+    end
+
+    def self.included(mod)
+      mod.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def cleanup(max_lifetime, max_unconsumed_lifetime)
+        transaction do
+          conditions = ["created_on < ? OR (consumed IS NULL AND created_on < ?)",
+                          Time.now - max_lifetime,
+                          Time.now - max_unconsumed_lifetime]
+                        
+          expired_tickets_count = count(:conditions => conditions)
+
+          $LOG.debug("Destroying #{expired_tickets_count} expired #{self.name.demodulize}"+
+            "#{'s' if expired_tickets_count > 1}.") if expired_tickets_count > 0
+
+          destroy_all(conditions)
+        end
+      end
+    end
+  end
+
+  class Base < ActiveRecord::Base
+  end
+
+  class Ticket < Base
+    def to_s
+      ticket
+    end
+
+    def self.cleanup(max_lifetime)
+      transaction do
+        conditions = ["created_on < ?", Time.now - max_lifetime]
+        expired_tickets_count = count(:conditions => conditions)
+
+        $LOG.debug("Destroying #{expired_tickets_count} expired #{self.name.demodulize}"+
+          "#{'s' if expired_tickets_count > 1}.") if expired_tickets_count > 0
+
+        destroy_all(conditions)
+      end
+    end
+  end
+
+  class LoginTicket < Ticket
+    set_table_name 'casserver_lt'
+    include Consumable
+  end
+
+  class ServiceTicket < Ticket
+    set_table_name 'casserver_st'
+    include Consumable
+
+    belongs_to :granted_by_tgt,
+      :class_name => 'CASServer::Model::TicketGrantingTicket',
+      :foreign_key => :granted_by_tgt_id
+    has_one :proxy_granting_ticket,
+      :foreign_key => :created_by_st_id
+
+    def matches_service?(service)
+      CASServer::CAS.clean_service_url(self.service) ==
+        CASServer::CAS.clean_service_url(service)
+    end
+  end
+
+  class ProxyTicket < ServiceTicket
+    belongs_to :granted_by_pgt,
+      :class_name => 'CASServer::Model::ProxyGrantingTicket',
+      :foreign_key => :granted_by_pgt_id
+  end
+
+  class TicketGrantingTicket < Ticket
+    set_table_name 'casserver_tgt'
+
+    serialize :extra_attributes
+
+    has_many :granted_service_tickets,
+      :class_name => 'CASServer::Model::ServiceTicket',
+      :foreign_key => :granted_by_tgt_id
+  end
+
+  class ProxyGrantingTicket < Ticket
+    set_table_name 'casserver_pgt'
+    belongs_to :service_ticket
+    has_many :granted_proxy_tickets,
+      :class_name => 'CASServer::Model::ProxyTicket',
+      :foreign_key => :granted_by_pgt_id
+  end
+
+  class Error
+    attr_reader :code, :message
+
+    def initialize(code, message)
+      @code = code
+      @message = message
+    end
+
+    def to_s
+      message
+    end
+  end
+
+#  class CreateCASServer < V 0.1
+#    def self.up
+#      if ActiveRecord::Base.connection.table_alias_length > 30
+#        $LOG.info("Creating database with long table names...")
+#
+#        create_table :casserver_login_tickets, :force => true do |t|
+#          t.column :ticket,     :string,   :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :consumed,   :datetime, :null => true
+#          t.column :client_hostname, :string, :null => false
+#        end
+#
+#        create_table :casserver_service_tickets, :force => true do |t|
+#          t.column :ticket,     :string,    :null => false
+#          t.column :service,    :string,    :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :consumed,   :datetime, :null => true
+#          t.column :client_hostname, :string, :null => false
+#          t.column :username,   :string,  :null => false
+#          t.column :type,       :string,   :null => false
+#          t.column :proxy_granting_ticket_id, :integer, :null => true
+#        end
+#
+#        create_table :casserver_ticket_granting_tickets, :force => true do |t|
+#          t.column :ticket,     :string,    :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :client_hostname, :string, :null => false
+#          t.column :username,   :string,    :null => false
+#        end
+#
+#        create_table :casserver_proxy_granting_tickets, :force => true do |t|
+#          t.column :ticket,     :string,    :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :client_hostname, :string, :null => false
+#          t.column :iou,        :string,    :null => false
+#          t.column :service_ticket_id, :integer, :null => false
+#        end
+#      end
+#    end
+#
+#    def self.down
+#      if ActiveRecord::Base.connection.table_alias_length > 30
+#        drop_table :casserver_proxy_granting_tickets
+#        drop_table :casserver_ticket_granting_tickets
+#        drop_table :casserver_service_tickets
+#        drop_table :casserver_login_tickets
+#      end
+#    end
+#  end
+#
+#  # Oracle table names cannot exceed 30 chars...
+#  # See http://code.google.com/p/rubycas-server/issues/detail?id=15
+#  class ShortenTableNames < V 0.5
+#    def self.up
+#      if ActiveRecord::Base.connection.table_alias_length > 30
+#        $LOG.info("Shortening table names")
+#        rename_table :casserver_login_tickets, :casserver_lt
+#        rename_table :casserver_service_tickets, :casserver_st
+#        rename_table :casserver_ticket_granting_tickets, :casserver_tgt
+#        rename_table :casserver_proxy_granting_tickets, :casserver_pgt
+#      else
+#        create_table :casserver_lt, :force => true do |t|
+#          t.column :ticket,     :string,   :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :consumed,   :datetime, :null => true
+#          t.column :client_hostname, :string, :null => false
+#        end
+#
+#        create_table :casserver_st, :force => true do |t|
+#          t.column :ticket,     :string,    :null => false
+#          t.column :service,    :string,    :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :consumed,   :datetime, :null => true
+#          t.column :client_hostname, :string, :null => false
+#          t.column :username,   :string,  :null => false
+#          t.column :type,       :string,   :null => false
+#          t.column :proxy_granting_ticket_id, :integer, :null => true
+#        end
+#
+#        create_table :casserver_tgt, :force => true do |t|
+#          t.column :ticket,     :string,    :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :client_hostname, :string, :null => false
+#          t.column :username,   :string,    :null => false
+#        end
+#
+#        create_table :casserver_pgt, :force => true do |t|
+#          t.column :ticket,     :string,    :null => false
+#          t.column :created_on, :timestamp, :null => false
+#          t.column :client_hostname, :string, :null => false
+#          t.column :iou,        :string,    :null => false
+#          t.column :service_ticket_id, :integer, :null => false
+#        end
+#      end
+#    end
+#
+#    def self.down
+#      if ActiveRecord::Base.connection.table_alias_length > 30
+#        rename_table :casserver_lt, :cassserver_login_tickets
+#        rename_table :casserver_st, :casserver_service_tickets
+#        rename_table :casserver_tgt, :casserver_ticket_granting_tickets
+#        rename_table :casserver_pgt, :casserver_proxy_granting_tickets
+#      else
+#        drop_table :casserver_pgt
+#        drop_table :casserver_tgt
+#        drop_table :casserver_st
+#        drop_table :casserver_lt
+#      end
+#    end
+#  end
+#
+#  class AddTgtToSt < V 0.7
+#    def self.up
+#      add_column :casserver_st, :tgt_id, :integer, :null => true
+#    end
+#
+#    def self.down
+#      remove_column :casserver_st, :tgt_id, :integer
+#    end
+#  end
+#
+#  class ChangeServiceToText < V 0.71
+#    def self.up
+#      # using change_column to change the column type from :string to :text
+#      # doesn't seem to work, at least under MySQL, so we drop and re-create
+#      # the column instead
+#      remove_column :casserver_st, :service
+#      say "WARNING: All existing service tickets are being deleted."
+#      add_column :casserver_st, :service, :text
+#    end
+#
+#    def self.down
+#      change_column :casserver_st, :service, :string
+#    end
+#  end
+#
+#  class AddExtraAttributes < V 0.72
+#    def self.up
+#      add_column :casserver_tgt, :extra_attributes, :text
+#    end
+#
+#    def self.down
+#      remove_column :casserver_tgt, :extra_attributes
+#    end
+#  end
+#
+#  class RenamePgtForeignKeys < V 0.80
+#    def self.up
+#      rename_column :casserver_st,  :proxy_granting_ticket_id,  :granted_by_pgt_id
+#      rename_column :casserver_st,  :tgt_id,                    :granted_by_tgt_id
+#    end
+#
+#    def self.down
+#      rename_column :casserver_st,  :granted_by_pgt_id,         :proxy_granting_ticket_id
+#      rename_column :casserver_st,  :granted_by_tgt_id,         :tgt_id
+#    end
+#  end
+end

data/lib/casserver/server.rb

@@ -0,0 +1,745 @@
+require 'sinatra/base'
+require 'casserver/localization'
+require 'casserver/utils'
+require 'casserver/cas'
+
+require 'logger'
+$LOG ||= Logger.new(STDOUT)
+
+module CASServer
+  class Server < Sinatra::Base
+    CONFIG_FILE = ENV['CONFIG_FILE'] || "/etc/rubycas-server/config.yml"
+    
+    include CASServer::CAS # CAS protocol helpers
+    include Localization
+
+    set :app_file, __FILE__
+    set :public, Proc.new { settings.config[:public_dir] || File.join(root, "..", "..", "public") }
+
+    config = HashWithIndifferentAccess.new(
+      :maximum_unused_login_ticket_lifetime => 5.minutes,
+      :maximum_unused_service_ticket_lifetime => 5.minutes, # CAS Protocol Spec, sec. 3.2.1 (recommended expiry time)
+      :maximum_session_lifetime => 2.days, # all tickets are deleted after this period of time
+      :log => {:file => 'casserver.log', :level => 'DEBUG'},
+      :uri_path => ""
+    )
+    set :config, config
+
+    def self.uri_path
+      config[:uri_path]
+    end
+    
+    # Strip the config.uri_path from the request.path_info...
+    # FIXME: do we really need to override all of Sinatra's #static! to make this happen?
+    def static!
+      return if (public_dir = settings.public).nil?
+      public_dir = File.expand_path(public_dir)
+      
+      path = File.expand_path(public_dir + unescape(request.path_info.gsub(/^#{settings.config[:uri_path]}/,'')))
+      return if path[0, public_dir.length] != public_dir
+      return unless File.file?(path)
+
+      env['sinatra.static_file'] = path
+      send_file path, :disposition => nil
+    end
+
+    def self.run!(options={})
+      set options
+
+      handler      = detect_rack_handler
+      handler_name = handler.name.gsub(/.*::/, '')
+      
+      puts "== RubyCAS-Server is starting up " +
+        "on port #{config[:port] || port} for #{environment} with backup from #{handler_name}" unless handler_name =~/cgi/i
+        
+      begin
+        opts = handler_options
+      rescue Exception => e
+        print_cli_message e, :error
+        raise e
+      end
+        
+      handler.run self, opts do |server|
+        [:INT, :TERM].each { |sig| trap(sig) { quit!(server, handler_name) } }
+        set :running, true
+      end
+    rescue Errno::EADDRINUSE => e
+      puts "== Something is already running on port #{port}!"
+    end
+
+    def self.quit!(server, handler_name)
+      ## Use thins' hard #stop! if available, otherwise just #stop
+      server.respond_to?(:stop!) ? server.stop! : server.stop
+      puts "\n== RubyCAS-Server is shutting down" unless handler_name =~/cgi/i
+    end
+    
+    def self.print_cli_message(msg, type = :info)
+      if respond_to?(:config) && config && config[:quiet]
+        return
+      end
+      
+      if type == :error
+        io = $stderr
+        prefix = "!!! "
+      else
+        io = $stdout
+        prefix = ">>> "
+      end
+      
+      io.puts
+      io.puts "#{prefix}#{msg}"
+      io.puts
+    end
+
+    def self.load_config_file(config_file)
+      begin
+        config_file = File.open(config_file)
+      rescue Errno::ENOENT => e
+        
+        print_cli_message "Config file #{config_file} does not exist!", :error
+        print_cli_message "Would you like the default config file copied to #{config_file.inspect}? [y/N]"
+        if gets.strip.downcase == 'y'
+          require 'fileutils'
+          default_config = File.dirname(__FILE__) + '/../../config/config.example.yml'
+          
+          if !File.exists?(File.dirname(config_file))
+            print_cli_message "Creating config directory..."
+            FileUtils.mkdir_p(File.dirname(config_file), :verbose => true)
+          end
+          
+          print_cli_message "Copying #{default_config.inspect} to #{config_file.inspect}..."
+          FileUtils.cp(default_config, config_file, :verbose => true)
+          print_cli_message "The default config has been copied. You should now edit it and try starting again."
+          exit
+        else
+          print_cli_message "Cannot start RubyCAS-Server without a valid config file.", :error
+          raise e
+        end
+      rescue Errno::EACCES => e
+        print_cli_message "Config file #{config_file.inspect} is not readable (permission denied)!", :error
+        raise e
+      rescue => e
+        print_cli_message "Config file #{config_file.inspect} could not be read!", :error
+        raise e
+      end
+      
+      config.merge! HashWithIndifferentAccess.new(YAML.load(config_file))
+      set :server, config[:server] || 'webrick'
+    end
+    
+    def self.reconfigure!(config)
+      config.each do |key, val|
+        self.config[key] = val
+      end
+      init_database!
+      init_logger!
+      init_authenticators!
+    end
+
+    def self.handler_options
+      handler_options = {
+        :Host => bind || config[:bind_address],
+        :Port => config[:port] || 443
+      }
+
+      handler_options.merge(handler_ssl_options).to_hash.symbolize_keys!
+    end
+
+    def self.handler_ssl_options
+      return {} unless config[:ssl_cert]
+
+      cert_path = config[:ssl_cert]
+      key_path = config[:ssl_key] || config[:ssl_cert]
+      
+      unless cert_path.nil? && key_path.nil?
+        raise "The ssl_cert and ssl_key options cannot be used with mongrel. You will have to run your " +
+          " server behind a reverse proxy if you want SSL under mongrel." if
+            config[:server] == 'mongrel'
+
+        raise "The specified certificate file #{cert_path.inspect} does not exist or is not readable. " +
+          " Your 'ssl_cert' configuration setting must be a path to a valid " +
+          " ssl certificate." unless
+            File.exists? cert_path
+
+        raise "The specified key file #{key_path.inspect} does not exist or is not readable. " +
+          " Your 'ssl_key' configuration setting must be a path to a valid " +
+          " ssl private key." unless
+            File.exists? key_path
+
+        require 'openssl'
+        require 'webrick/https'
+
+        cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
+        key = OpenSSL::PKey::RSA.new(File.read(key_path))
+
+        {
+          :SSLEnable        => true,
+          :SSLVerifyClient  => ::OpenSSL::SSL::VERIFY_NONE,
+          :SSLCertificate   => cert,
+          :SSLPrivateKey    => key
+        }
+      end
+    end
+
+    def self.init_authenticators!
+      auth = []
+      
+      if config[:authenticator].nil?
+        print_cli_message "No authenticators have been configured. Please double-check your config file (#{CONFIG_FILE.inspect}).", :error
+        exit 1
+      end
+      
+      begin
+        # attempt to instantiate the authenticator
+        config[:authenticator] = [config[:authenticator]] unless config[:authenticator].instance_of? Array
+        config[:authenticator].each { |authenticator| auth << authenticator[:class].constantize}
+      rescue NameError
+        if config[:authenticator].instance_of? Array
+          config[:authenticator].each do |authenticator|
+            if !authenticator[:source].nil?
+              # config.yml explicitly names source file
+              require authenticator[:source]
+            else
+              # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
+              auth_rb = authenticator[:class].underscore.gsub('cas_server/', '')
+              require 'casserver/'+auth_rb
+            end
+            auth << authenticator[:class].constantize
+          end
+        else
+          if config[:authenticator][:source]
+            # config.yml explicitly names source file
+            require config[:authenticator][:source]
+          else
+            # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
+            auth_rb = config[:authenticator][:class].underscore.gsub('cas_server/', '')
+            require 'casserver/'+auth_rb
+          end
+
+          auth << config[:authenticator][:class].constantize
+          config[:authenticator] = [config[:authenticator]]
+        end
+      end
+
+      auth.zip(config[:authenticator]).each_with_index{ |auth_conf, index|
+        authenticator, conf = auth_conf
+        $LOG.debug "About to setup #{authenticator} with #{conf.inspect}..."
+        authenticator.setup(conf.merge('auth_index' => index)) if authenticator.respond_to?(:setup)
+        $LOG.debug "Done setting up #{authenticator}."
+      }
+
+      set :auth, auth
+    end
+
+    def self.init_logger!
+      if config[:log]
+        if $LOG && config[:log][:file]
+          print_cli_message "Redirecting RubyCAS-Server log to #{config[:log][:file]}"
+          #$LOG.close
+          $LOG = Logger.new(config[:log][:file])
+        end
+        $LOG.level = Logger.const_get(config[:log][:level]) if config[:log][:level]
+      end
+      
+      if config[:db_log]
+        if $LOG && config[:db_log][:file]
+          $LOG.debug "Redirecting ActiveRecord log to #{config[:log][:file]}"
+          #$LOG.close
+          ActiveRecord::Base.logger = Logger.new(config[:db_log][:file])
+        end
+        ActiveRecord::Base.logger.level = Logger.const_get(config[:db_log][:level]) if config[:db_log][:level]
+      end
+    end
+
+    def self.init_database!
+
+      unless config[:disable_auto_migrations]
+        ActiveRecord::Base.establish_connection(config[:database])
+        print_cli_message "Running migrations to make sure your database schema is up to date..."
+        prev_db_log = ActiveRecord::Base.logger
+        ActiveRecord::Base.logger = Logger.new(STDOUT)
+        ActiveRecord::Migration.verbose = true
+        ActiveRecord::Migrator.migrate(File.dirname(__FILE__) + "/../../db/migrate")
+        ActiveRecord::Base.logger = prev_db_log
+        print_cli_message "Your database is now up to date."
+      end
+      
+      ActiveRecord::Base.establish_connection(config[:database])
+    end
+
+    configure do
+      load_config_file(CONFIG_FILE)
+      init_logger!
+      init_database!
+      init_authenticators!
+    end
+
+    before do
+      GetText.locale = determine_locale(request)
+      content_type :html, 'charset' => 'utf-8'
+      @theme = settings.config[:theme]
+      @organization = settings.config[:organization]
+      @uri_path = settings.config[:uri_path]
+      @infoline = settings.config[:infoline]
+      @custom_views = settings.config[:custom_views]
+      @template_engine = settings.config[:template_engine] || :erb
+      if @template_engine != :erb
+        require @template_engine
+        @template_engine = @template_engine.to_sym
+      end
+    end
+
+    # The #.#.# comments (e.g. "2.1.3") refer to section numbers in the CAS protocol spec
+    # under http://www.ja-sig.org/products/cas/overview/protocol/index.html
+    
+    # 2.1 :: Login
+
+    # 2.1.1
+    get "#{uri_path}/login" do
+      CASServer::Utils::log_controller_action(self.class, params)
+
+      # make sure there's no caching
+      headers['Pragma'] = 'no-cache'
+      headers['Cache-Control'] = 'no-store'
+      headers['Expires'] = (Time.now - 1.year).rfc2822
+
+      # optional params
+      @service = clean_service_url(params['service'])
+      @renew = params['renew']
+      @gateway = params['gateway'] == 'true' || params['gateway'] == '1'
+
+      if tgc = request.cookies['tgt']
+        tgt, tgt_error = validate_ticket_granting_ticket(tgc)
+      end
+
+      if tgt and !tgt_error
+        @message = {:type => 'notice',
+          :message => _("You are currently logged in as '%s'. If this is not you, please log in below.") % tgt.username }
+      elsif tgt_error
+        $LOG.debug("Ticket granting cookie could not be validated: #{tgt_error}")
+      elsif !tgt
+        $LOG.debug("No ticket granting ticket detected.")
+      end
+
+      if params['redirection_loop_intercepted']
+        @message = {:type => 'mistake',
+          :message => _("The client and server are unable to negotiate authentication. Please try logging in again later.")}
+      end
+
+      begin
+        if @service
+          if @renew
+            $LOG.info("Authentication renew explicitly requested. Proceeding with CAS login for service #{@service.inspect}.")
+          elsif tgt && !tgt_error
+            $LOG.debug("Valid ticket granting ticket detected.")
+            st = generate_service_ticket(@service, tgt.username, tgt)
+            service_with_ticket = service_uri_with_ticket(@service, st)
+            $LOG.info("User '#{tgt.username}' authenticated based on ticket granting cookie. Redirecting to service '#{@service}'.")
+            redirect service_with_ticket, 303 # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
+          elsif @gateway
+            $LOG.info("Redirecting unauthenticated gateway request to service '#{@service}'.")
+            redirect @service, 303
+          else
+            $LOG.info("Proceeding with CAS login for service #{@service.inspect}.")
+          end
+        elsif @gateway
+            $LOG.error("This is a gateway request but no service parameter was given!")
+            @message = {:type => 'mistake',
+              :message => _("The server cannot fulfill this gateway request because no service parameter was given.")}
+        else
+          $LOG.info("Proceeding with CAS login without a target service.")
+        end
+      rescue URI::InvalidURIError
+        $LOG.error("The service '#{@service}' is not a valid URI!")
+        @message = {:type => 'mistake',
+          :message => _("The target service your browser supplied appears to be invalid. Please contact your system administrator for help.")}
+      end
+
+      lt = generate_login_ticket
+
+      $LOG.debug("Rendering login form with lt: #{lt}, service: #{@service}, renew: #{@renew}, gateway: #{@gateway}")
+
+      @lt = lt.ticket
+
+      #$LOG.debug(env)
+
+      # If the 'onlyLoginForm' parameter is specified, we will only return the
+      # login form part of the page. This is useful for when you want to
+      # embed the login form in some external page (as an IFRAME, or otherwise).
+      # The optional 'submitToURI' parameter can be given to explicitly set the
+      # action for the form, otherwise the server will try to guess this for you.
+      if params.has_key? 'onlyLoginForm'
+        if @env['HTTP_HOST']
+          guessed_login_uri = "http#{@env['HTTPS'] && @env['HTTPS'] == 'on' ? 's' : ''}://#{@env['REQUEST_URI']}#{self / '/login'}"
+        else
+          guessed_login_uri = nil
+        end
+
+        @form_action = params['submitToURI'] || guessed_login_uri
+
+        if @form_action
+          render :login_form
+        else
+          status 500
+          render _("Could not guess the CAS login URI. Please supply a submitToURI parameter with your request.")
+        end
+      else
+        render @template_engine, :login
+      end
+    end
+
+    
+    # 2.2
+    post "#{uri_path}/login" do
+      Utils::log_controller_action(self.class, params)
+      
+      # 2.2.1 (optional)
+      @service = clean_service_url(params['service'])
+
+      # 2.2.2 (required)
+      @username = params['username']
+      @password = params['password']
+      @lt = params['lt']
+
+      # Remove leading and trailing widespace from username.
+      @username.strip! if @username
+      
+      if @username && settings.config[:downcase_username]
+        $LOG.debug("Converting username #{@username.inspect} to lowercase because 'downcase_username' option is enabled.")
+        @username.downcase!
+      end
+
+      if error = validate_login_ticket(@lt)
+        @message = {:type => 'mistake', :message => error}
+        # generate another login ticket to allow for re-submitting the form
+        @lt = generate_login_ticket.ticket
+        status 500
+        render @template_engine, :login
+      end
+
+      # generate another login ticket to allow for re-submitting the form after a post
+      @lt = generate_login_ticket.ticket
+
+      $LOG.debug("Logging in with username: #{@username}, lt: #{@lt}, service: #{@service}, auth: #{settings.auth.inspect}")
+      
+      credentials_are_valid = false
+      extra_attributes = {}
+      successful_authenticator = nil
+      begin
+        auth_index = 0
+        settings.auth.each do |auth_class|
+          auth = auth_class.new
+
+          auth_config = settings.config[:authenticator][auth_index]
+          # pass the authenticator index to the configuration hash in case the authenticator needs to know
+          # it splace in the authenticator queue
+          auth.configure(auth_config.merge('auth_index' => auth_index))
+
+          credentials_are_valid = auth.validate(
+            :username => @username,
+            :password => @password,
+            :service => @service,
+            :request => @env
+          )
+          if credentials_are_valid
+            extra_attributes.merge!(auth.extra_attributes) unless auth.extra_attributes.blank?
+            successful_authenticator = auth
+            break
+          end
+
+          auth_index += 1
+        end
+        
+        if credentials_are_valid
+          $LOG.info("Credentials for username '#{@username}' successfully validated using #{successful_authenticator.class.name}.")
+          $LOG.debug("Authenticator provided additional user attributes: #{extra_attributes.inspect}") unless extra_attributes.blank?
+
+          # 3.6 (ticket-granting cookie)
+          tgt = generate_ticket_granting_ticket(@username, extra_attributes)
+          response.set_cookie('tgt', tgt.to_s)
+
+          $LOG.debug("Ticket granting cookie '#{tgt.inspect}' granted to #{@username.inspect}")
+
+          if @service.blank?
+            $LOG.info("Successfully authenticated user '#{@username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
+            @message = {:type => 'confirmation', :message => _("You have successfully logged in.")}
+          else
+            @st = generate_service_ticket(@service, @username, tgt)
+
+            begin
+              service_with_ticket = service_uri_with_ticket(@service, @st)
+
+              $LOG.info("Redirecting authenticated user '#{@username}' at '#{@st.client_hostname}' to service '#{@service}'")
+              redirect service_with_ticket, 303 # response code 303 means "See Other" (see Appendix B in CAS Protocol spec)
+            rescue URI::InvalidURIError
+              $LOG.error("The service '#{@service}' is not a valid URI!")
+              @message = {
+                :type => 'mistake',
+                :message => _("The target service your browser supplied appears to be invalid. Please contact your system administrator for help.")
+              }
+            end
+          end
+        else
+          $LOG.warn("Invalid credentials given for user '#{@username}'")
+          @message = {:type => 'mistake', :message => _("Incorrect username or password.")}
+          status 401
+        end
+      rescue CASServer::AuthenticatorError => e
+        $LOG.error(e)
+        # generate another login ticket to allow for re-submitting the form
+        @lt = generate_login_ticket.ticket
+        @message = {:type => 'mistake', :message => _(e.to_s)}
+        status 401
+      end
+
+      render @template_engine, :login
+    end
+
+    get /^#{uri_path}\/?$/ do
+      redirect "#{config['uri_path']}/login", 303
+    end
+
+
+    # 2.3
+
+    # 2.3.1
+    get "#{uri_path}/logout" do
+      CASServer::Utils::log_controller_action(self.class, params)
+
+      # The behaviour here is somewhat non-standard. Rather than showing just a blank
+      # "logout" page, we take the user back to the login page with a "you have been logged out"
+      # message, allowing for an opportunity to immediately log back in. This makes it
+      # easier for the user to log out and log in as someone else.
+      @service = clean_service_url(params['service'] || params['destination'])
+      @continue_url = params['url']
+
+      @gateway = params['gateway'] == 'true' || params['gateway'] == '1'
+
+      tgt = CASServer::Model::TicketGrantingTicket.find_by_ticket(request.cookies['tgt'])
+
+      response.delete_cookie 'tgt'
+
+      if tgt
+        CASServer::Model::TicketGrantingTicket.transaction do
+          $LOG.debug("Deleting Service/Proxy Tickets for '#{tgt}' for user '#{tgt.username}'")
+          tgt.granted_service_tickets.each do |st|
+            send_logout_notification_for_service_ticket(st) if config[:enable_single_sign_out]
+            # TODO: Maybe we should do some special handling if send_logout_notification_for_service_ticket fails?
+            #       (the above method returns false if the POST results in a non-200 HTTP response).
+            $LOG.debug "Deleting #{st.class.name.demodulize} #{st.ticket.inspect} for service #{st.service}."
+            st.destroy
+          end
+
+          pgts = CASServer::Model::ProxyGrantingTicket.find(:all,
+            :conditions => [CASServer::Model::Base.connection.quote_table_name(CASServer::Model::ServiceTicket.table_name)+".username = ?", tgt.username],
+            :include => :service_ticket)
+          pgts.each do |pgt|
+            $LOG.debug("Deleting Proxy-Granting Ticket '#{pgt}' for user '#{pgt.service_ticket.username}'")
+            pgt.destroy
+          end
+
+          $LOG.debug("Deleting #{tgt.class.name.demodulize} '#{tgt}' for user '#{tgt.username}'")
+          tgt.destroy
+        end
+
+        $LOG.info("User '#{tgt.username}' logged out.")
+      else
+        $LOG.warn("User tried to log out without a valid ticket-granting ticket.")
+      end
+
+      @message = {:type => 'confirmation', :message => _("You have successfully logged out.")}
+
+      @message[:message] +=_(" Please click on the following link to continue:") if @continue_url
+
+      @lt = generate_login_ticket
+
+      if @gateway && @service
+        redirect @service, 303
+      elsif @continue_url
+        render @template_engine, :logout
+      else
+        render @template_engine, :login
+      end
+    end
+  
+  
+    # Handler for obtaining login tickets.
+    # This is useful when you want to build a custom login form located on a 
+    # remote server. Your form will have to include a valid login ticket
+    # value, and this can be fetched from the CAS server using the POST handler.
+
+    get "#{uri_path}/loginTicket" do
+      CASServer::Utils::log_controller_action(self.class, params)
+
+      $LOG.error("Tried to use login ticket dispenser with get method!")
+
+      status 422
+
+      "To generate a login ticket, you must make a POST request."
+    end
+
+
+    # Renders a page with a login ticket (and only the login ticket)
+    # in the response body.
+    post "#{uri_path}/loginTicket" do
+      CASServer::Utils::log_controller_action(self.class, params)
+
+      lt = generate_login_ticket
+
+      $LOG.debug("Dispensing login ticket #{lt} to host #{(@env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']).inspect}")
+
+      @lt = lt.ticket
+
+      @lt
+    end
+
+
+		# 2.4
+
+		# 2.4.1
+		get "#{uri_path}/validate" do
+			CASServer::Utils::log_controller_action(self.class, params)
+			
+			# required
+			@service = clean_service_url(params['service'])
+			@ticket = params['ticket']
+			# optional
+			@renew = params['renew']
+			
+			st, @error = validate_service_ticket(@service, @ticket)      
+			@success = st && !@error
+			
+			@username = st.username if @success
+			
+      status response_status_from_error(@error) if @error
+			
+			render @template_engine, :validate, :layout => false
+		end
+
+
+    # 2.5
+
+    # 2.5.1
+    get "#{uri_path}/serviceValidate" do
+			CASServer::Utils::log_controller_action(self.class, params)
+
+			# required
+			@service = clean_service_url(params['service'])
+			@ticket = params['ticket']
+			# optional
+			@renew = params['renew']
+
+			st, @error = validate_service_ticket(@service, @ticket)
+			@success = st && !@error
+
+			if @success
+        @username = st.username
+        if @pgt_url
+          pgt = generate_proxy_granting_ticket(@pgt_url, st)
+          @pgtiou = pgt.iou if pgt
+        end
+        @extra_attributes = st.granted_by_tgt.extra_attributes || {}
+      end
+
+      status response_status_from_error(@error) if @error
+
+			render :builder, :proxy_validate
+		end
+  
+    
+    # 2.6
+
+    # 2.6.1
+    get "#{uri_path}/proxyValidate" do
+      CASServer::Utils::log_controller_action(self.class, params)
+
+      # required
+      @service = clean_service_url(params['service'])
+      @ticket = params['ticket']
+      # optional
+      @pgt_url = params['pgtUrl']
+      @renew = params['renew']
+
+      @proxies = []
+
+      t, @error = validate_proxy_ticket(@service, @ticket)
+      @success = t && !@error
+
+      @extra_attributes = {}
+      if @success
+        @username = t.username
+
+        if t.kind_of? CASServer::Model::ProxyTicket
+          @proxies << t.granted_by_pgt.service_ticket.service
+        end
+
+        if @pgt_url
+          pgt = generate_proxy_granting_ticket(@pgt_url, t)
+          @pgtiou = pgt.iou if pgt
+        end
+
+        @extra_attributes = t.granted_by_tgt.extra_attributes || {}
+      end
+
+      status response_status_from_error(@error) if @error
+
+     render :builder, :proxy_validate
+    end
+
+
+    # 2.7
+    get "#{uri_path}/proxy" do
+      CASServer::Utils::log_controller_action(self.class, params)
+
+      # required
+      @ticket = params['pgt']
+      @target_service = params['targetService']
+
+      pgt, @error = validate_proxy_granting_ticket(@ticket)
+      @success = pgt && !@error
+
+      if @success
+        @pt = generate_proxy_ticket(@target_service, pgt)
+      end
+
+      status response_status_from_error(@error) if @error
+
+      render :builder, :proxy
+    end
+
+
+
+    # Helpers
+
+    def response_status_from_error(error)
+      case error.code.to_s
+      when /^INVALID_/, 'BAD_PGT'
+        422
+      when 'INTERNAL_ERROR'
+        500
+      else
+        500
+      end
+    end
+
+    def serialize_extra_attribute(builder, key, value)
+      if value.kind_of?(String)
+        builder.tag! key, value
+      elsif value.kind_of?(Numeric)
+        builder.tag! key, value.to_s
+      else
+        builder.tag! key do
+          builder.cdata! value.to_yaml
+        end
+      end
+    end
+
+    def compile_template(engine, data, options, views)
+      super engine, data, options, @custom_views || views
+    rescue Errno::ENOENT
+      raise unless @custom_views
+      super engine, data, options, views
+    end
+  end
+end
+