rubycas-server 0.7.1.1 → 1.0

data/CHANGELOG

@@ -0,0 +1,292 @@
+=== 1.0.0 :: In Progress...
+
+* NEW:
+	* Rewrite to replace Camping/Picnic with Sinatra
+	* Support for Ruby 1.9.2
+	* Support for Active Record 3
+
+* CHANGED:
+  * Google authenticator proxy configuration has been changed (see config.example.yml)
+
+=== 0.8.0
+
+* NEW:
+	* Support for localization via Ruby-GetText.
+		See http://code.google.com/p/rubycas-server/wiki/Localization
+		for details. [antono]
+	* Switched to Picnic 0.8.x, so RubyCAS-Server is now based on Rack
+		and Camping 2.0 and is now compatible with Passenger Phusion
+	* Change to authenticator API: every authenticator now has a class 'setup'
+		method that gets called at server startup. This is where class-level
+		configuration should be done (e.g. establishing a database connection).
+		This is different from the 'configure' method which gets called on a per-
+		instance basis for each authenticator. [godfat]
+	* Database connections are now automatically released back to the connection
+		pool at the end of each request. This should allow the server to handle
+		many more concurrent requests, since database connections are no longer left
+		checked out of the pool.
+	* Added new SQL authenticator (sql_rest_auth) compatible with the
+		restful_authentication Rails plugin. [antono]
+	* Re-licensed under the MIT License.
+
+* FIXED:
+	* Fixed weird problems with loading controllers when using older versions of
+		activesupport and/or rubygems.
+	* Failure to connect to a service during a single sign out request is now
+		handled gracefully.
+	* Required gem dependencies have been re-enabled in the gemspec.
+	* Authlogic authenticator files added to gemspec. [rajiv]
+	* Authenticators are now instantiated on a per-request basis (rather than
+		once at startup) to ensure thread safety.
+
+=== 0.7.1 :: 2008-11-10
+
+* Fixed dependency loading problems introduced by upstream changes in RubyGems
+	1.3.1.
+
+=== 0.7.0 :: 2008-11-04
+
+* NEW:
+	* Implemented single-sign-out functionality as specified in CAS 3.3.	See
+		http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out.
+	* It is now possible to configure Authenticators to return extra attributes
+		to CAS clients alongside the username. For an example of how to do this see
+		the included SQL authenticator. Also have a look at:
+		http://groups.google.com/group/rubycas-server/browse_thread/thread/5eade3793cb590e9
+		Note that extra attributes of type other than String or Numeric are serialized
+		into YAML format before being sent along to the client.
+	* Added an MD5-password version of the SQL authenticator for Drupal and any other
+		database that stores its passwords in hashed form (thanks malcolmm).
+	* Added new Google authenticator for authenticating against Google/GMail
+		accounts.
+
+* CHANGED:
+	* Service URIs are now automatically normalized. For example, if the service
+		URI given to the server has a 'ticket' parameter, the ticket will now be
+		automatically stripped. This is to avert any possible issues raised by
+		misbehaving CAS clients (the CAS ticket should never be part of the service
+		URI). Same goes for other CAS-related parameters like 'service', 'renew',
+		and 'gateway'. Additionally, the trailing '/' and '?' characters are
+		automatically stripped from URLs, since, for example, "http://google.com/"
+		is almost certainly equivalent to "http://google.com".
+	* The expire_sessions config variable is now respected -- ticket granting
+		ticket cookies are set with an expiry datetime, so that the SSO session
+		is effectively terminated once the ticket_granting_ticket_expiry period
+		is reached.
+	* If present, the HTTP_X_FORWARDED_FOR header is used for recording the
+		client's address. This is useful when the server is running behind a reverse
+		proxy, but it should not be considered authoritative since it can be
+		easily spoofed.
+	* The 'service' field in the 'casserver_st' table has been changed from
+		VARCHAR(255) to TEXT in order to accomodate service URIs longer than 255
+		characters (fixes issue #46).
+	* The CAS XML responses are no longer whitespace-formatted (i.e. Markaby's
+		auto-indentation has been turned off). Apparently the whitespace was
+		causing problems with mod_auth_cas. See:
+		http://groups.google.com/group/rubycas-server/browse_thread/thread/e482fe09999b73d3
+	* When used without pre-authentication, the LDAP authenticator now tries to
+		bind by searching for the given username in the LDAP directory based on the
+		configured username_attribute. Prior to this change the authenticator
+		attempted to bind with the LDAP server by assuming that the username credential
+		matches the user's CN. This is no longer the case.
+	* CAS responses to invalid requests (for example where required parameters
+		are missing or incorrect) will now have HTTP status code 422. Internal server
+		errors (where the server rather than the client is at fault) have error 500.
+		Previously most responses had error code 200, regardless of their contents.
+
+* FIXED:
+	* Fixed logout action to work properly with ActiveRecord 2.1 (eager loading behaviour
+		was changed upstream forcing a change to the way we look for ProxyGrantingTickets
+		to delete on logout).
+	* When running under Mongrel, the USR2 signal should now restart the server as
+		expected -- however currently this only works when the server is running
+		in the foregaround. When daemonized, USR2 will shut down the server without
+		restarting (see issue #58).
+	* Fixed activerecord/activesupport gem load problems, hopefully once and for all
+		(however picnic-0.7.0 is now required).
+
+=== 0.6.0 :: 2008-03-28
+
+* Much of the supporting functionality that makes RubyCAS-Server
+	act as a well-behaved Linux service has been abstracted out
+	into its own library. This new library is called Picnic and is
+	now a gem dependency for RubyCAS-Server. You can find out more about
+	it at http://code.google.com/p/camping-picnic/.
+* The logout action will now accept a 'destination' parameter in lieu of
+	'service'. This means that if a 'destination' parameter is given with
+	some URL, the logout action will show the login form, allowing the user
+	to immedietly log back in to the service specified by 'destination'.
+* The logout action will now accept a 'url' parameter. If given, the logout
+	page will show a message indicating that the CAS session has been terminated
+	and instructing the user to click on a link to follow the given URL. If the
+	'url' parameter is given, the login form will NOT be shown on the logout
+	page (see above).
+* When an authentication failure occurs (because the user submitted
+	invalid credentials or the login ticket is missing), the server
+	now returns a 401 (Unauthorized) response instead of 200.
+* An encryption-enabled version of the SQL authenticator is now
+	available. For more info have a look at:
+	http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
+* Better compatibility with Oracle databases. The database migration
+	no longer tries to create tables with long names when long
+	table names are not supported by the underlying database connector
+	(issue #15).
+* The server now automatically removes leading and trailing whitespace from
+	the username entered by users. Passwords however are left intact, with no
+	whitespace removed.
+* The server can now be configured to automatically downcase the
+	username entered by users (dowcase_username option). So if a user
+	enters "JSmith", the system will convert it to "jsmith" if the
+	downcase_username option is set to true.
+* The server can now be made to bind to a specific address. See the
+	:bind_address option in the config.example.yml file.
+* Fixed bug with ActiveRecord 2.0.2 where service tickets were not
+	being given a type (issue #37).
+
+=== 0.5.1 :: 2007-12-20
+
+* Tickets generated by the server should now be a lot more secure.
+	The random string generator used for generating tickets now uses
+	Crypt::ISAAC. Tickets have also been extended in length; STs, PTs
+	and LTs can now extend up to 32 characters, and PGTs and PGT-IOUs
+	up to 64.
+
+=== 0.5.0 :: 2007-09-20
+
+* Gateway requests should now be handled correctly. When the request to the
+	login page is made with gateway=true as one of the parameters, the CAS
+	server will immediately redirect back to the target service along with
+	a service ticket if an SSO session exists for the user (or without a
+	service ticket if there is no pre-existing SSO session).
+	Note that if you are using RubyCAS-Client and want gatewaying, you will
+	need to upgrade it to 1.1.0 as gatewaying was broken in prior versions.
+* If gateway=true is specified as part of the logout URI, the server will
+	log the user out and immediately redirect them back to the specified
+	service. In other words, you can now do "gatewayed logouts" as well
+	as logins.
+* A login ticket can now be remotely requested from the server by placing
+	a POST request to '/loginTicket'.
+* The login view can now be made to return only the login form. This is
+	done by adding the 'onlyLoginForm' parameter to the '/login' request.
+	Optionally, a 'submitToURI' parameter can be supplied to force the login
+	form to submit to the given URI (otherwise the server will try to figure
+	out the full URI to its own login controller). This functionality may be
+	useful when you want to embed the login form in some external page, as
+	an IFRAME otherwise.
+* Custom views can now be used to override the default Markaby templates
+	by specifying a 'custom_views_file' option in the configuration. See
+	custom_views.example.rb. [jzylks]
+* Table names have been shortened to work with Oracle. A migration has
+	been added that should do the shortening for you the first time you run
+	this new RubyCAS-Server version.
+* Multiple authenticators can now be specified. During authentication,
+	credentials are presented to the first authenticator, then the second,
+	and so on, until the user is validated by any one authenticator or fails
+	validation for all of them. [jzylks]
+* When using webrick, you can now run with SSL disabled by omitting the
+	ssl_cert and ssl_key parameters.
+* Changed incorrect MySQL example database configuration -- option should
+	be 'host:' not 'server:' (issue #22).
+
+=== 0.4.2 :: 2007-07-26
+
+* The LDAP/AD authenticator has been largely re-written. The code is a bit
+	cleaner now, and should work better with non-Active Directory LDAP servers
+	(although this has yet to be tested since I don't have access to a non-AD
+	LDAP server).
+* The validate() method in your authenticators now receives a :service element
+	(in addition to :username, and :password). This is simply the service
+	url (if any) specified in the user's CAS request. If you call
+	read_standard_credentials(credentials) at the top of your validator, the value
+	will also be available as @service along with @username and @password.
+* By request, a :username_prefix option has been added to the ldap
+	configuration. If entered, this string will be automatically prefixed to
+	the username entered by the user.
+* A bug having to do with handling authenticator errors has been fixed.
+	Any authenticator error messages should now be correctly shown on the
+	login page.
+* Minor improvements to error messages having to do with login tickets.
+	They're a bit more prescriptive now, explaining to the user what steps
+	they should take to correct the error.
+
+=== 0.4.1 :: 2007-06-07
+
+* This release restores compatiblity with older versions of rubygems
+	(pre-0.9.0). To achieve this, we alias the 'gem' method to the old
+	'require_gem' if 'gem' is not already defined.
+* rubycas-server-ctl will now quiety delete an orphaned .pid file
+	instead complaining loudly and refusing to start up.
+* Fixed minor bug in rubycas-server-ctl that sometimes incorrectly reported
+	startup problems when in fact the server had started just fine.
+
+
+=== 0.4.0 :: 2007-06-05
+
+* Added rubycas-server-ctl script for controlling daemonized server.
+* rubygems-0.9.0 or later is now required.
+* Added system startup script to be used in /etc/init.d on Linux systems.
+* Authenticator can now be loaded from an external file using the 'source'
+	configuration option.
+* Better preemptive detection of startup problems with mongrel.
+* User now sees an error message if the service URI is not a valid URI (i.e.
+	if it's not URI-encoded or otherwise malformed).
+
+
+=== 0.3.0 :: 2007-03-29
+
+* Fixed glaring security problem with LDAP/AD Authenticator where under some
+	circumstances blank passwords were accepted as valid.
+* Autocomplete has been turned off on the password field for better security.
+	In the future we may allow autocomplete to be re-enabled using a
+	configuration setting.
+* When the user visits the login page and is already authenticated (i.e. they
+	have a valid ticket granting cookie), a message is shown at the top
+	indicating that they are already logged in.
+* sqlite3-ruby is no longer required by the gem as a dependency.	The user
+	must now install it manually prior to installing rubycas-server. The
+	building of sqlite3 native extensions appears to be somewhat flakey
+	and probably defeats the original purpose of using it (which was
+	to have a CAS server up and running with no additional DB configuration).
+	We will use MySQL as the default database adapter instead, since it does
+	not require additional libraries and many users will have a MySQL server
+	already available.
+* Fixed bug that was causing all proxy-granting tickets to be deleted whenever
+	any user logged out. Only the PGTs for the user that is logging out are now
+	being deleted.
+* Trailing slashes in service URLs are now ignored when validating service
+	and proxy tickets (e.g. "http://www.google.com" and "http://www.google.com/"
+	are now considered to be the same service URL).
+* Authenticators now raise AuthenticatorError exceptions when encountering
+	a problem/error. This makes it easier to send feedback to the user.
+	However, other exceptions should still be raised when errors ought
+	not be recoverable (i.e. programming errors).
+* Fixed serious vulnerability in LDAP authenticator where under some
+	cirumstances the user could just enter '*' as their username to match
+	any username. The LDAP authenticator will now refuse to process logins
+	with usernames that contain the characters * ( ) \ / and the NULL
+	character \0.
+* Views are no longer xhtml-validated. Markaby's auto-validation was turned
+	off to allow for use of the autocomplete property on inputs, since this is
+	the only viable way of turning off password storage in IE and Firefox at
+	the page level.
+* You can now limit the maximum length of a login session by setting the
+	expire_sessions config setting to true.
+* Fixed some minor bugs in the login view.
+
+
+=== 0.2.0 :: 2007-03-20
+
+* ruby-casserver now behaves more like a real command-line app, accepting
+	various command line arguments including -h (help), -v (version), -c (use
+	an alternate config.yml), and -d (daemonize, when using webrick or mongrel
+	mode).
+* Special characters in CAS XML responses are now properly encoded into XML
+	entities
+* CAS XML responses are no longer auto-indented... Markaby's indentation
+	seemed to be causing problems with the PHP CAS client.
+* Misc minor bug fixes/cleanup.
+
+
+=== 0.1.0 :: 2007-03-01
+
+* First public release.

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+gemspec
+

data/LICENSE

@@ -0,0 +1,26 @@
+Portions of RubyCAS-Server contributed by Matt Zukowski are copyright (c) 2009 Urbacon Ltd. 
+Other portions are copyright of their respective authors. 
+
+The MIT License
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,36 @@
+# RubyCAS-Server ![http://stillmaintained.com/gunark/rubycas-server](http://stillmaintained.com/gunark/rubycas-server.png)
+
+## Copyright
+
+Portions contributed by Matt Zukowski are copyright (c) 2010 Urbacon Ltd.
+Other portions are copyright of their respective authors.
+
+## Authors
+
+See http://github.com/gunark/rubycas-server/commits/
+
+## Installation
+
+on ubuntu using unicorn:
+
+	git clone git@github.com:seven1240/rubycas-server.git
+	cd rubycas-server
+	sudo bundle install
+
+If it complains mysql connectivity, do this
+
+	apt-get install libmysqlclient16-dev
+	sudo gem install mysql2
+
+copy resources/config.example.yml into /etc/rubycas-server/config.yml, there's way to put the config in other place, yet to document. Change the config to meet your requests.
+
+You might also want to change config/unicorn.conf
+
+	unicorn -D -c config/unicorn.conf
+
+For info and detailed installation instructions please see http://code.google.com/p/rubycas-server
+
+## License
+
+RubyCAS-Server is licensed for use under the terms of the MIT License. 
+See the LICENSE file bundled with the official RubyCAS-Server distribution for details.

data/Rakefile

@@ -1,4 +1 @@
-require 'config/requirements'
-require 'config/hoe' # setup Hoe + all gem configuration
-
 Dir['tasks/**/*.rake'].each { |rake| load rake }

data/bin/rubycas-server

@@ -1,25 +1,30 @@
 #!/usr/bin/env ruby
 
-if File.exists?(picnic = File.expand_path(File.dirname(File.expand_path(__FILE__))+'/../vendor/picnic/lib'))
-  $: << picnic
-elsif File.exists?(picnic = File.expand_path(File.dirname(File.expand_path(__FILE__))+'/../../picnic/lib'))
-  $: << picnic
-else
-  require 'rubygems'
-  
-  # make things backwards-compatible for rubygems < 0.9.0
-  unless Object.method_defined? :gem
-    alias gem require_gem
-  end
-  
-  gem 'picnic'
+# Enables UTF-8 compatibility in ruby 1.8.
+$KCODE = 'u' if RUBY_VERSION < '1.9'
+
+require 'rubygems'
+
+$:.unshift File.dirname(__FILE__) + "/../lib"
+
+if ARGV.join.match('--debugger')
+  require 'ruby-debug'
+  puts
+  puts "=> Debugger Enabled"
 end
 
-require 'picnic/cli'
+if ARGV.join.match('-c')
+  c = ARGV.join.match(/-c\s*([^\s]+)/)
+  if (c && c[1])
+    ENV['CONFIG_FILE'] = c[1]
+    puts
+    puts "=> Using custom config file #{ENV['CONFIG_FILE'].inspect}"
+  else
+    $stderr.puts("To specify a custom config file use `rubycas-server -c path/to/config_file_name.yml`.")
+    exit
+  end
+end
 
-cli = Picnic::Cli.new(
-  'rubycas-server',
-  :app_module => 'CASServer'
-)
+require 'casserver'
 
-cli.handle_cli_input
+CASServer::Server.run!

data/lib/casserver.rb

@@ -1,114 +1,11 @@
-unless $APP_PATH
-  $APP_PATH = File.dirname(File.expand_path(__FILE__))
-  $: << $APP_PATH
-end
-
-load "#{$APP_PATH}/lib/casserver/environment.rb"
-
-# change to current directory when invoked on its own
-Dir.chdir($APP_PATH) if __FILE__ == $0
-
-$: << $APP_PATH + "/vendor/isaac_0.9.1"
-require 'crypt/ISAAC'
-
+module CASServer; end
 
+require 'active_record'
 require 'active_support'
-require 'yaml'
-
-
-# Camping.goes must be called after the authenticator class is loaded, otherwise weird things happen
-Camping.goes :CASServer
-
-$CONFIG_FILE ||= '/etc/rubycas-server/config.yml'
-
-# for some reason this makes JRuby happy
-class CASServer::Models::Base
-end
-
-CASServer.picnic!
-
-$CONF[:expire_sessions] ||= false
-$CONF[:login_ticket_expiry] ||= 5.minutes
-$CONF[:service_ticket_expiry] ||= 5.minutes # CAS Protocol Spec, sec. 3.2.1 (recommended expiry time)
-$CONF[:proxy_granting_ticket_expiry] ||= 48.hours
-$CONF[:ticket_granting_ticket_expiry] ||= 48.hours
-$CONF[:log] ||= {:file => 'casserver.log', :level => 'DEBUG'}
-$CONF[:uri_path] ||= "/"
-
-unless $CONF[:authenticator]
-  $stderr.puts
-  $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-  $stderr.puts
-  $stderr.puts "You have not yet defined an authenticator for your CAS server!"
-  $stderr.puts "Please consult your config file at #{$CONFIG_FILE.inspect} for details."
-  $stderr.puts
-  $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-  exit 1
-end
-
-require "casserver/utils.rb"
-require "casserver/models.rb"
-require "casserver/cas.rb"
-require "casserver/views.rb"
-require "casserver/controllers.rb"
-
-if $CONF[:authenticator].instance_of? Array
-  $CONF[:authenticator].each_index do |auth_index| 
-    $CONF[:authenticator][auth_index] = HashWithIndifferentAccess.new($CONF[:authenticator][auth_index])
-  end
-end
-
-$AUTH = []
-begin
-  # attempt to instantiate the authenticator
-  if $CONF[:authenticator].instance_of? Array
-    $CONF[:authenticator].each { |authenticator| $AUTH << authenticator[:class].constantize.new}
-  else
-    $AUTH << $CONF[:authenticator][:class].constantize.new
-  end
-rescue NameError
-  if $CONF[:authenticator].instance_of? Array
-    $CONF[:authenticator].each do |authenticator|
-      if !authenticator[:source].nil?
-        # config.yml explicitly names source file
-        require authenticator[:source]
-      else
-        # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
-        auth_rb = authenticator[:class].underscore.gsub('cas_server/', '')
-        
-        require 'casserver/'+auth_rb
-      end
-      $AUTH << authenticator[:class].constantize.new
-    end
-  else
-    if !$CONF[:authenticator][:source].nil?
-      # config.yml explicitly names source file
-      require $CONF[:authenticator][:source]
-    else
-      # the authenticator class hasn't yet been loaded, so lets try to load it from the casserver/authenticators directory
-      auth_rb = $CONF[:authenticator][:class].underscore.gsub('cas_server/', '')
-      require 'casserver/'+auth_rb
-    end
-
-    $AUTH << $CONF[:authenticator][:class].constantize.new
-  end
-end
-
-$CONF[:public_dir] = {
-  :path => "/themes",
-  :dir  => File.expand_path(File.dirname(__FILE__))+"/themes"
-}
-
-def CASServer.create
-  $LOG.info "Creating RubyCAS-Server..."
-  CASServer::Models::Base.establish_connection(CASServer::Conf.database)
-  CASServer::Models.create_schema
-  
-  CASServer::Models::ServiceTicket.cleanup_expired(CASServer::Conf.service_ticket_expiry)
-  CASServer::Models::LoginTicket.cleanup_expired(CASServer::Conf.login_ticket_expiry)
-  CASServer::Models::ProxyGrantingTicket.cleanup_expired(CASServer::Conf.proxy_granting_ticket_expiry)
-  CASServer::Models::TicketGrantingTicket.cleanup_expired(CASServer::Conf.ticket_granting_ticket_expiry)
-end
+require 'sinatra/base'
+require 'builder' # for XML views
+require 'logger'
+$LOG = Logger.new(STDOUT)
 
+require 'casserver/server'
 
-CASServer.start_picnic