rubycas-server 1.0 → 1.0.1

data/CHANGELOG

@@ -1,4 +1,17 @@
-=== 1.0.0 :: In Progress...
+=== 1.0.1 :: 2011-11-22
+
+* NEW:
+  * On startup the server now checks for a config.yml file in its own root directory,
+    then in /etc/rubycas-server.
+
+* FIXED:
+  * Compatibilty with Sinatra 1.3 (:public changed to :public_folder).
+  * Database migration files should now be correctly bundled with the gem distribution.
+  * Should work with both ActiveRecord >= 2.3.12 and < 3.1. Previously the dependency
+    was erronously set to accept only the 2.3.12 series.
+  * Specs now pass under ActiveRecord 2.3.12 in both Ruby 1.8 and 1.9
+
+=== 1.0.0 :: 2011-08-03
 
 * NEW:
 	* Rewrite to replace Camping/Picnic with Sinatra

data/README.md

@@ -1,36 +1,5 @@
-# RubyCAS-Server ![http://stillmaintained.com/gunark/rubycas-server](http://stillmaintained.com/gunark/rubycas-server.png)
+# MOVED!
 
-## Copyright
+This repo has been moved to https://github.com/rubycas/rubycas-server. 
 
-Portions contributed by Matt Zukowski are copyright (c) 2010 Urbacon Ltd.
-Other portions are copyright of their respective authors.
-
-## Authors
-
-See http://github.com/gunark/rubycas-server/commits/
-
-## Installation
-
-on ubuntu using unicorn:
-
-	git clone git@github.com:seven1240/rubycas-server.git
-	cd rubycas-server
-	sudo bundle install
-
-If it complains mysql connectivity, do this
-
-	apt-get install libmysqlclient16-dev
-	sudo gem install mysql2
-
-copy resources/config.example.yml into /etc/rubycas-server/config.yml, there's way to put the config in other place, yet to document. Change the config to meet your requests.
-
-You might also want to change config/unicorn.conf
-
-	unicorn -D -c config/unicorn.conf
-
-For info and detailed installation instructions please see http://code.google.com/p/rubycas-server
-
-## License
-
-RubyCAS-Server is licensed for use under the terms of the MIT License. 
-See the LICENSE file bundled with the official RubyCAS-Server distribution for details.
+The fork you are looking at is no longer updated. Please change your git remotes to the new rubycas URL.

data/config/config.example.yml

@@ -0,0 +1,592 @@
+# IMPORTANT NOTE ABOUT YAML CONFIGURATION FILES
+# ---> Be sure to use spaces instead of tabs for indentation. YAML is 
+#      white-space sensitive!
+
+##### SERVER SETUP ################################################################
+
+# There are several ways to run RubyCAS-Server:
+#
+# webrick   -- stand-alone WEBrick server; should work out-of-the-box; this is 
+#              the default method, but probably not suited for high-traffic usage
+# mongrel   -- stand-alone Mongrel server; fast, but you'll need to  install  
+#              and compile Mongrel and run it behind an https reverse proxy like 
+#              Pound or Apache 2.2's mod_proxy (since Mongrel cannot serve out
+#              over SSL on its own).
+# passenger -- served out by Apache via the mod_rails/mod_rack module
+#              (see http://www.modrails.com/)
+#
+# The following are exampe configurations for each of these three methods:
+#
+
+
+###
+### WEBrick example
+###
+# WEBrick is a simple, all-Ruby web server. This is the easiest method for running
+# RubyCAS-Server. All you need is an SSL certificate (enter its path under the
+# ssl_cert option). WEBrick is fine for sites with low to medium traffic, but for
+# high-performance scenarios you may want to look into deploying using Mongrel
+# or Passenger.
+
+server: webrick
+port: 443
+ssl_cert: /path/to/your/ssl.pem
+
+# If your private key is in a separate file from the cert
+
+#ssl_key: /path/to/your/private_key.pem
+
+# If you do not already have an SSL certificate and would like to automatically
+# generate one, run the "generate_ssl_certificate" rake task and use the following 
+# settings:
+
+#  ssl_cert: ssl/cert.pem
+#  ssl_key: ssl/key.pem
+
+
+# By default the login page will be available at the root path 
+# (e.g. https://login.example.net/). The uri_path option lets you serve it from a 
+# different path (e.g. https://login.example.net/cas).
+
+#uri_path: /cas
+
+
+# This lets you bind the server to a specific address. Use 0.0.0.0 to listen on
+# all available interfaces (this is the default).
+
+#bind_address: 0.0.0.0
+
+
+###
+### Mongrel example 
+###
+# Mongrel is much faster than WEBrick, but there are two caveats:
+#  1. Since Mongrel can't serve out encrypted HTTP on its own (and CAS requires this),
+#     you will have to set up a reverse proxy like Pound or Apache's mod_proxy and
+#     route through it requests to the Mongrel server. So for example,
+#     your Pound server will receive all of the requests to RubyCAS-Server on port 443,
+#     and forward them to the Mongrel server listening on port 11011.
+#  2. Some of Mongrel's components are compiled into native binaries, so if you are 
+#     installing on Linux, make sure you have all of the standard build tools
+#     available. The binaries should be automatically compiled for you when you
+#     install the mogrel gem (if you're runnings Windows, pre-compiled
+#     binaries will be downloaded and installed, so don't worry about this).
+
+#server: mongrel
+#port: 11011
+
+
+# Bind the server to a specific address. Use 0.0.0.0 to listen on all
+# available interfaces (this is the default).
+
+#bind_address: 0.0.0.0
+
+### Reverse proxy configuration examples
+# If you're using mod_proxy, your Apache vhost config should look something like this:
+#
+#  Listen 443
+#  <VirtualHost *:443>
+#    ServerAdmin admin@example.net
+#    ServerName login.example.net
+#  
+#    SSLEngine On
+#    SSLCertificateFile /etc/apache2/ssl.crt/example.pem
+#  
+#    # Don't do forward proxying, we only want reverse proxying
+#    ProxyRequests Off
+#  
+#    <Proxy balancer://rubycas>
+#      Order allow,deny
+#      Allow from all
+#      BalancerMember http://127.0.0.1:11011
+#    </Proxy>
+#  </VirtualHost>
+#
+# For Pound, the config should be something like:
+#
+#  ListenHTTPS
+#    Address 0.0.0.0
+#    Port    11011
+#    Cert    "/etc/ssl/example.pem"
+#  
+#    Service
+#      BackEnd
+#        Address localhost
+#        Port    443
+#      End
+#    End
+#  End
+
+
+###
+### Phusion Passenger (running under Apache configured for SSL)
+###
+
+# No additional configuration is requried to run RubyCAS-Server under
+# passsenger. Just follow the normal instructions for a Passenger app
+# (see http://www.modrails.com/).
+#
+# Here's an example Apache vhost config for RubyCAS-Server and Passenger:
+#
+#  Listen 443
+#  <VirtualHost *:443>
+#     ServerAdmin admin@example.net
+#     ServerName login.example.net
+#
+#     SSLEngine On
+#     SSLCertificateFile /etc/apache2/ssl.crt/example.pem
+#
+#     RailsAutoDetect off
+#
+#     DocumentRoot /usr/lib/ruby/gems/1.8/gems/rubycas-server-0.8.0/public
+#
+#     <Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-0.8.0/public">
+#       AllowOverride all
+#       Allow from all
+#     </Directory>
+#  </VirtualHost>
+#
+
+
+##### DATABASE #################################################################
+
+# Set up the database connection. Make sure that this database is secure!
+# 
+# By default, we use MySQL, since it is widely used and does not require any 
+# additional ruby libraries besides ActiveRecord.
+#
+# With MySQL, your config would be something like the following:
+# (be sure to create the casserver database in MySQL beforehand,
+#   i.e. `mysqladmin -u root create casserver`)
+
+database:
+  adapter: mysql
+  database: casserver
+  username: root
+  password: 
+  host: localhost
+  reconnect: true
+
+# IMPORTANT! By default, the server can handle up to ~5 concurrent requests
+# (without queuing). You can increase this by setting the database connection
+# pool size to a higher number. For example, to handle up to ~10 concurrent 
+# requests:
+#
+#database:
+#  pool: 10
+#  adapter: mysql
+#  database: casserver
+#  username: root
+#  password: 
+#  host: localhost
+
+#
+# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else 
+# supported by ActiveRecord.
+#
+# With SQLite3 (which does not require a separate database server), your 
+# configuration would look something like the following (don't forget to install 
+# the sqlite3-ruby gem beforehand!):
+
+#database:
+#  adapter: sqlite3
+#  database: /var/lib/casserver.db
+  
+
+# By default RubyCAS-Server will run migrations at every startup to ensure
+# that its database schema is up-to-date. To disable this behaviour set
+# the following option to true:
+
+#disable_auto_migrations: true
+
+##### AUTHENTICATION ###########################################################
+
+# Configure how username/passwords are validated.
+#
+# !!! YOU MUST CONFIGURE AT LEAST ONE OF THESE AUTHENTICATION METHODS !!!
+#
+# There are several built-in methods for authentication:
+# SQL, ActiveDirectory, LDAP, and GoogleAccounts. If none of these work for you, 
+# it is relatively easy to write your own custom Authenticator class (see below).
+#
+# === SQL Authentication =======================================================
+#
+# The simplest method is to validate against a SQL database. This assumes
+# that all of your users are stored in a table that has a 'username' column
+# and a 'password' column. When the user logs in, CAS connects to this database
+# and looks for a matching username/password in the users table. If a matching
+# username and password is found, authentication is successful.
+#
+# If you prefer to have your passwords stored in an encrypted form, have a 
+# look at the SQLEncrypted authenticator: 
+# http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
+#
+# If your users table stores passwords with MD5 hashing (for example as with
+# Drupal) try using the SQLMd5 version of the SQL authenticator.
+# 
+# Example:
+#
+#authenticator:
+#  class: CASServer::Authenticators::SQL
+#  database:
+#    adapter: mysql
+#    database: some_database_with_users_table
+#    username: root
+#    password: 
+#    host: localhost
+#  user_table: users
+#  username_column: username
+#  password_column: password
+#
+# When replying to a CAS client's validation request, the server will normally
+# provide the client with the authenticated user's username. However it is
+# possible for the server to provide the client with additional attributes.
+# You can configure the SQL authenticator to provide data from additional
+# columns in the users table by listing the names of the columns under the 
+# 'extra_attributes' option. Note though that this functionality is experimental.
+# It should work with RubyCAS-Client, but may or may not work with other CAS
+# clients. 
+#
+# For example, with this configuration, the 'full_name' and 'access_level'
+# columns will be provided to your CAS clients along with the username:
+#
+#authenticator:
+#  class: CASServer::Authenticators::SQL
+#  database:
+#    adapter: mysql
+#    database: some_database_with_users_table
+#  user_table: users
+#  username_column: username
+#  password_column: password
+#  extra_attributes: full_name, access_level
+#
+#
+#
+# === Google Authentication ====================================================
+#
+# The Google authenticator allows users to log in to your CAS server using
+# their Google account credentials (i.e. the same email and password they
+# would use to log in to Google services like Gmail). This authenticator
+# requires no special configuration -- just specify its class name:
+#
+#authenticator:
+#  class: CASServer::Authenticators::Google
+#
+# If you are behind an http proxy, you can try specifying proxy settings as follows:
+#
+#authenticator:
+#  class: CASServer::Authenticators::Google
+#  proxy:
+#    host: your-proxy-server
+#    port: 8080
+#    username: nil
+#    password: nil
+#
+# Note that as with all authenticators, it is possible to use the Google 
+# authenticator alongside other authenticators. For example, CAS can first
+# attempt to validate the account with Google, and if that fails, fall back
+# to some other local authentication mechanism.
+#
+# For example:
+#
+#authenticator:
+#  - class: CASServer::Authenticators::Google
+#  - class: CASServer::Authenticators::SQL
+#    database:
+#      adapter: mysql
+#      database: some_database_with_users_table
+#      username: root
+#      password:
+#      host: localhost
+#    user_table: user
+#    username_column: username
+#    password_column: password
+#
+#
+# === ActiveDirectory Authentication ===========================================
+#
+# This method authenticates against Microsoft's Active Directory using LDAP.
+# You must configure the ActiveDirectory server, and base DN. The port number
+# and LDAP filter are optional. You must also enter a CN and password
+# for a special "authenticator" user. This account is used to log in to
+# the ActiveDirectory server and search LDAP. This does not have to be an
+# administrative account -- it only has to be able to search for other
+# users.
+# 
+# Note that the auth_user parameter must be the user's CN (Common Name).
+# In Active Directory, the CN is genarally the user's full name, which is usually
+# NOT the same as their username (sAMAccountName).
+#
+# For example:
+#
+#authenticator: 
+#  class: CASServer::Authenticators::ActiveDirectoryLDAP
+#  ldap:
+#    host: ad.example.net
+#    port: 389
+#    base: dc=example,dc=net
+#    filter: (objectClass=person)
+#    auth_user: authenticator
+#    auth_password: itsasecret
+#
+# A more complicated example, where the authenticator will use TLS encryption,
+# will ignore users with disabled accounts, and will pass on the 'cn' and 'mail' 
+# attributes to CAS clients:
+#
+#authenticator:
+#  class: CASServer::Authenticators::ActiveDirectoryLDAP
+#  ldap:
+#    host: ad.example.net
+#    port: 636
+#    base: dc=example,dc=net
+#    filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)
+#    auth_user: authenticator
+#    auth_password: itsasecret
+#    encryption: simple_tls
+#  extra_attributes: cn, mail
+#
+# It is possible to authenticate against Active Directory without the
+# authenticator user, but this requires that users type in their CN as
+# the username rather than typing in their sAMAccountName. In other words
+# users will likely have to authenticate by typing their full name,
+# rather than their username. If you prefer to do this, then just
+# omit the auth_user and auth_password values in the above example.
+#
+#
+# === LDAP Authentication ======================================================
+#
+# This is a more general version of the ActiveDirectory authenticator.
+# The configuration is similar, except you don't need an authenticator
+# username or password. The following example has been reported to work 
+# for a basic OpenLDAP setup.
+#
+#authenticator:
+#  class: CASServer::Authenticators::LDAP
+#  ldap:
+#    host: ldap.example.net
+#    port: 389
+#    base: dc=example,dc=net
+#    username_attribute: uid
+#    filter: (objectClass=person)
+#
+# If you need more secure connections via TSL, specify the 'encryption'
+# option and change the port. This example also forces the authenticator
+# to connect using a special "authenticator" user with the given
+# username and password (see the ActiveDirectoryLDAP authenticator
+# explanation above):
+#
+#authenticator:
+#  class: CASServer::Authenticators::LDAP
+#  ldap:
+#    host: ldap.example.net
+#    port: 636
+#    base: dc=example,dc=net
+#    filter: (objectClass=person)
+#    encryption: simple_tls
+#    auth_user: cn=admin,dc=example,dc=net
+#    auth_password: secret
+#
+# If you need additional data about the user passed to the client (for example,
+# their 'cn' and 'mail' attributes, you can specify the list of attributes
+# under the extra_attributes config option: 
+#
+#authenticator:
+#  class: CASServer::Authenticators::LDAP
+#  ldap:
+#    host: ldap.example.net
+#    port: 389
+#    base: dc=example,dc=net
+#    filter: (objectClass=person)
+#  extra_attributes: cn, mail
+#
+# Note that the above functionality is somewhat limited by client compatibility.
+# See the SQL authenticator notes above for more info.
+#
+#
+# === Custom Authentication ====================================================
+#
+# It should be relatively easy to write your own Authenticator class. Have a look
+# at the built-in authenticators in the casserver/authenticators directory. Your
+# authenticator should extend the CASServer::Authenticators::Base class and must
+# implement a validate() method that takes a single hash argument. When the user 
+# submits the login form, the username and password they entered is passed to 
+# validate() as a hash under :username and :password keys. In the future, this 
+# hash might also contain other data such as the domain that the user is logging 
+# in to.
+#
+# To use your custom authenticator, specify it's class name and path to the 
+# source file in the authenticator section of the config. Any other parameters 
+# you specify in the authenticator configuration will be passed on to the 
+# authenticator and made availabe in the validate() method as an @options hash.
+#
+# Example:
+#
+#authenticator:
+#  class: FooModule::MyCustomAuthenticator
+#  source: /path/to/source.rb
+#  option_a: foo
+#  another_option: yeeha
+#
+# === Multiple Authenticators ==================================================
+#
+# If you need to have more than one source for authentication, such as an LDAP 
+# directory and a database, you can use multiple authenticators by making 
+# :authenticator an array of authenticators.
+#
+#authenticator:
+#  -
+#    class: CASServer::Authenticators::ActiveDirectoryLDAP
+#    ldap:
+#      host: ad.example.net
+#      port: 389
+#      base: dc=example,dc=net
+#      filter: (objectClass=person)
+#  -
+#    class: CASServer::Authenticators::SQL
+#    database:
+#      adapter: mysql
+#      database: some_database_with_users_table
+#      username: root
+#      password:
+#      host: localhost
+#    user_table: user
+#    username_column: username
+#    password_column: password
+#
+# During authentication, the user credentials will be checked against the first
+# authenticator and on failure fall through to the second authenticator.
+#
+
+
+##### LOOK & FEEL ##############################################################
+
+# Set the path to the theme directory that determines how your CAS pages look. 
+#
+# Custom themes are not well supported yet, but will be in the near future. In 
+# the meantime, if you want to create a custom theme, you can create a 
+# subdirectory under the CASServer's themes dir (for example, 
+# '/usr/lib/ruby/1.8/gems/casserver-xxx/public/themes', if you installed CASServer 
+# on Linux as a gem). A theme is basically just a theme.css file that overrides 
+# the themes/cas.css styles along with a collection of image files
+# like logo.png and bg.png.
+#
+# By default, we use the 'simple' theme which you can find in themes/simple.
+theme: simple
+
+# The name of your company/organization. This will show up on the login page.
+organization: CAS
+
+# A short bit of text that shows up on the login page. You can make this blank 
+# if you prefer to have no extra text shown at the bottom of the login box.
+infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
+
+# Custom views directory. If set, this will be used instead of 'lib/casserver/views'.
+#custom_views: /path/to/custom/views
+
+# Custom public directory. If set, static content (css, etc.) will be served from here rather 
+# than from rubycas-server's internal 'public' directory (but be mindful of any overriding 
+# settings you may have in your web server's config).
+#public_dir: /path/to/custom/public
+
+##### LOCALIZATION (L10N) #######################################################
+# The server will attempt to detect the user's locale and show text in the 
+# appropriate language based on:
+#
+#   1. The 'lang' URL parameter (if any)
+#   2. The 'lang' cookie (if any)
+#   3. The HTTP_ACCEPT_LANGUAGE header supplied by the user's browser.
+#   4. The HTTP_USER_AGENT header supplied by the user's browser.
+#
+# If the locale cannot be established based on one of the above checks (in the 
+# shown order), then the below 'default_locale' option will be used.
+#
+# The format is the same as standard linux locales (langagecode_COUNTRYCODE): 
+#
+#   ru_RU - Russian, Russia
+#   eo_AQ - Esperanto, Antarctica 
+#   
+# It will also work if you leave out the region (i.e. just "ru" for Russian,
+# "eo" for Esperanto).
+#
+# If you are interested in contributing new translations or have corrections
+# to the existing translations, see 
+# http://code.google.com/p/rubycas-server/wiki/HowToContribueTranslations
+#
+default_locale: en
+
+##### LOGGING ##################################################################
+
+# Configure general logging. This log is where you'll want to look in case of 
+# problems.
+#
+# You may want to change the file to something like /var/log/casserver.log
+# Set the level to DEBUG if you want more detailed logging.
+
+log:
+  file: /var/log/casserver.log
+  level: INFO
+
+
+# If you want full database logging, uncomment this next section.
+# Every SQL query will be logged here. This is useful for debugging database 
+# problems.
+
+#db_log:
+#  file: /var/log/casserver_db.log
+
+
+# Setting the following option to true will disable CLI output to stdout.
+# i.e. this will get rid of messages like ">>> Redirecting RubyCAS-Server log..."
+# This is useful when, for example, you're running rspecs.
+
+#quiet: true
+
+
+##### SINGLE SIGN-OUT ##########################################################
+
+# When a user logs in to a CAS-enabled client application, that application
+# generally opens its own local user session. When the user then logs out
+# through the CAS server, each of the CAS-enabled client applications need
+# to be notified so that they can close their own local sessions for that user.
+#
+# Up until recently this was not possible within CAS. However, a method for
+# performing this notification was recently added to the protocol (in CAS 3.1). 
+# This works exactly as described above -- when the user logs out, the CAS 
+# server individually contacts each client service and notifies it of the 
+# logout. Currently not all client applications support this, so this
+# behaviour is disabled by default. To enable it, uncomment the following
+# configuration line. Note that currently it is not possible to enable
+# or disable single-sign-out on a per-service basis, but this functionality
+# is planned for a future release.
+
+#enable_single_sign_out: true
+
+
+##### OTHER ####################################################################
+
+# You can set various ticket expiry times (specify the value in seconds).
+
+# Unused login and service tickets become unusable this many seconds after
+# they are created. (Defaults to 5 minutes)
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+# The server must periodically delete old tickets (login tickets, service tickets
+# proxy-granting tickets, and ticket-granting tickets) to prevent buildup of
+# stale data. This effectively limits the maximum length of a CAS session to
+# the lifetime given here (in seconds). (Defaults to 48 hours)
+# 
+# Note that this limit is not enforced on the client side; it refers only to the
+# the maximum lifetime of tickets on the CAS server.
+
+#maximum_session_lifetime: 172800
+
+
+# If you want the usernames entered on the login page to be automatically 
+# downcased (converted to lowercase), enable the following option. When this 
+# option is set to true, if the user enters "JSmith" as their username, the 
+# system will automatically
+# convert this to "jsmith".
+
+#downcase_username: true

data/config/unicorn.rb

@@ -0,0 +1,88 @@
+# Sample configuration file for Unicorn (not Rack)
+#
+# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete
+# documentation.
+SINATRA_ROOT = `pwd`.strip
+
+# Use at least one worker per core if you're on a dedicated server,
+# more will usually help for _short_ waits on databases/caches.
+worker_processes 3
+
+# Help ensure your application will always spawn in the symlinked
+# "current" directory that Capistrano sets up.
+working_directory SINATRA_ROOT # available in 0.94.0+
+
+# listen on both a Unix domain socket and a TCP port,
+# we use a shorter backlog for quicker failover when busy
+# listen "/tmp/.sock", :backlog => 64
+listen 18889, :tcp_nopush => true
+
+# nuke workers after 30 seconds instead of 60 seconds (the default)
+timeout 30
+
+# feel free to point this anywhere accessible on the filesystem
+
+pid "#{SINATRA_ROOT}/tmp/pids/unicorn.pid"
+
+# relative_path "/test_platform"
+# some applications/frameworks log to stderr or stdout, so prevent
+# them from going to /dev/null when daemonized here:
+stderr_path "#{SINATRA_ROOT}/log/unicorn.stderr.log"
+stdout_path "#{SINATRA_ROOT}/log/unicorn.stdout.log"
+
+# combine REE with "preload_app true" for memory savings
+# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
+preload_app false
+GC.respond_to?(:copy_on_write_friendly=) and
+  GC.copy_on_write_friendly = true
+
+before_fork do |server, worker|
+  # the following is highly recomended for Rails + "preload_app true"
+  # as there's no need for the master process to hold a connection
+  # defined?(ActiveRecord::Base) and
+  #   ActiveRecord::Base.connection.disconnect!
+
+  # The following is only recommended for memory/DB-constrained
+  # installations.  It is not needed if your system can house
+  # twice as many worker_processes as you have configured.
+  #
+  # # This allows a new master process to incrementally
+  # # phase out the old master process with SIGTTOU to avoid a
+  # # thundering herd (especially in the "preload_app false" case)
+  # # when doing a transparent upgrade.  The last worker spawned
+  # # will then kill off the old master process with a SIGQUIT.
+  old_pid = "#{server.config[:pid]}.oldbin"
+  
+  puts 'pid:'
+  puts '-------------------'
+  puts server.pid
+  puts old_pid
+  puts '---------------------'
+  
+  if old_pid != server.pid
+    begin
+      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
+      Process.kill(sig, File.read(old_pid).to_i)
+    rescue Errno::ENOENT, Errno::ESRCH
+    end
+  end
+  #
+  # # *optionally* throttle the master from forking too quickly by sleeping
+  sleep 1
+end
+
+after_fork do |server, worker|
+  # per-process listener ports for debugging/admin/migrations
+  # addr = "127.0.0.1:#{9293 + worker.nr}"
+  # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
+
+  # the following is *required* for Rails + "preload_app true",
+  # defined?(ActiveRecord::Base) and
+  #   ActiveRecord::Base.establish_connection
+
+  # if preload_app is true, then you may also want to check and
+  # restart any other shared sockets/descriptors such as Memcached,
+  # and Redis.  TokyoCabinet file handles are safe to reuse
+  # between any number of forked children (assuming your kernel
+  # correctly implements pread()/pwrite() system calls)
+end

data/config.ru

@@ -0,0 +1,11 @@
+require 'rubygems'
+require 'bundler/setup'
+
+$:.unshift "#{File.dirname(__FILE__)}/lib"
+require "casserver"
+
+use Rack::ShowExceptions
+use Rack::Runtime
+use Rack::CommonLogger
+
+run CASServer::Server.new

data/db/migrate/001_create_initial_structure.rb

@@ -0,0 +1,47 @@
+class CreateInitialStructure < ActiveRecord::Migration
+  def self.up
+    # Oracle table names cannot exceed 30 chars...
+    # See http://code.google.com/p/rubycas-server/issues/detail?id=15
+    create_table 'casserver_lt', :force => true do |t|
+      t.string    'ticket',          :null => false
+      t.timestamp 'created_on',      :null => false
+      t.datetime  'consumed',        :null => true
+      t.string    'client_hostname', :null => false
+    end
+
+    create_table 'casserver_st', :force => true do |t|
+      t.string    'ticket',            :null => false
+      t.text      'service',           :null => false
+      t.timestamp 'created_on',        :null => false
+      t.datetime  'consumed',          :null => true
+      t.string    'client_hostname',   :null => false
+      t.string    'username',          :null => false
+      t.string    'type',              :null => false
+      t.integer   'granted_by_pgt_id', :null => true
+      t.integer   'granted_by_tgt_id', :null => true
+    end
+
+    create_table 'casserver_tgt', :force => true do |t|
+      t.string    'ticket',           :null => false
+      t.timestamp 'created_on',       :null => false
+      t.string    'client_hostname',  :null => false
+      t.string    'username',         :null => false
+      t.text      'extra_attributes', :null => true
+    end
+
+    create_table 'casserver_pgt', :force => true do |t|
+      t.string    'ticket',            :null => false
+      t.timestamp 'created_on',        :null => false
+      t.string    'client_hostname',   :null => false
+      t.string    'iou',               :null => false
+      t.integer   'service_ticket_id', :null => false
+    end
+  end # self.up
+
+  def self.down
+    drop_table 'casserver_pgt'
+    drop_table 'casserver_tgt'
+    drop_table 'casserver_st'
+    drop_table 'casserver_lt'
+  end # self.down
+end

data/lib/casserver/authenticators/active_resource.rb

@@ -25,9 +25,8 @@ module CASServer
       class Identity < ActiveResource::Base
 
         # define method_name accessor
-        cattr_accessor(:method_name) do
-          :authenticate # default value
-        end
+        cattr_accessor(:method_name)
+        self.method_name = :authenticate
 
         def self.method_type
           @@method_type ||= :post
@@ -82,6 +81,9 @@ module CASServer
           extract_extra_attributes(result) if result
           !!result
         rescue ::ActiveResource::ConnectionError => e
+          if e.response.blank? # band-aid for ARes 2.3.x -- craps out if to_s is called without a response
+            e = e.class.to_s
+          end
           $LOG.warn("Error during authentication: #{e}")
           false
         end

data/lib/casserver/authenticators/sql_encrypted.rb

@@ -3,6 +3,7 @@ require 'casserver/authenticators/sql'
 require 'digest/sha1'
 require 'digest/sha2'
 require 'crypt-isaac'
+require 'bcrypt'
 
 # This is a more secure version of the SQL authenticator. Passwords are encrypted
 # rather than being stored in plain text.

data/lib/casserver/server.rb

@@ -8,13 +8,19 @@ $LOG ||= Logger.new(STDOUT)
 
 module CASServer
   class Server < Sinatra::Base
-    CONFIG_FILE = ENV['CONFIG_FILE'] || "/etc/rubycas-server/config.yml"
+    if ENV['CONFIG_FILE']
+      CONFIG_FILE = ENV['CONFIG_FILE']
+    elsif !(c_file = File.dirname(__FILE__) + "/../../config.yml").nil? && File.exist?(c_file)
+      CONFIG_FILE = c_file
+    else
+      CONFIG_FILE = "/etc/rubycas-server/config.yml"
+    end
     
     include CASServer::CAS # CAS protocol helpers
     include Localization
 
     set :app_file, __FILE__
-    set :public, Proc.new { settings.config[:public_dir] || File.join(root, "..", "..", "public") }
+    set :public_folder, Proc.new { settings.config[:public_dir] || File.join(root, "..", "..", "public") }
 
     config = HashWithIndifferentAccess.new(
       :maximum_unused_login_ticket_lifetime => 5.minutes,
@@ -32,7 +38,7 @@ module CASServer
     # Strip the config.uri_path from the request.path_info...
     # FIXME: do we really need to override all of Sinatra's #static! to make this happen?
     def static!
-      return if (public_dir = settings.public).nil?
+      return if (public_dir = settings.public_folder).nil?
       public_dir = File.expand_path(public_dir)
       
       path = File.expand_path(public_dir + unescape(request.path_info.gsub(/^#{settings.config[:uri_path]}/,'')))
@@ -627,6 +633,7 @@ module CASServer
 			@service = clean_service_url(params['service'])
 			@ticket = params['ticket']
 			# optional
+			@pgt_url = params['pgtUrl']
 			@renew = params['renew']
 
 			st, @error = validate_service_ticket(@service, @ticket)
@@ -742,4 +749,3 @@ module CASServer
     end
   end
 end
-

data/rubycas-server.gemspec

@@ -1,7 +1,6 @@
-
 $gemspec = Gem::Specification.new do |s|
   s.name     = 'rubycas-server'
-  s.version  = '1.0'
+  s.version  = '1.0.1'
   s.authors  = ["Matt Zukowski"]
   s.email    = ["matt@zukowski.ca"]
   s.homepage = 'http://code.google.com/p/rubycas-server/'
@@ -11,8 +10,8 @@ $gemspec = Gem::Specification.new do |s|
 
   s.files  = [
     "CHANGELOG", "LICENSE", "README.md", "Rakefile", "setup.rb",
-    "bin/*", "db/*", "lib/**/*.rb", "public/**/*", "po/**/*", "mo/**/*", "resources/*.*",
-    "tasks/**/*.rake", "vendor/**/*", "script/*", "lib/**/*.erb", "lib/**/*.builder",
+    "bin/*", "db/**/*", "lib/**/*.rb", "public/**/*", "po/**/*", "mo/**/*", "resources/*.*",
+    "config.ru", "config/**/*", "tasks/**/*.rake", "vendor/**/*", "script/*", "lib/**/*.erb", "lib/**/*.builder",
     "Gemfile", "rubycas-server.gemspec"
   ].map{|p| Dir[p]}.flatten
 
@@ -25,17 +24,18 @@ $gemspec = Gem::Specification.new do |s|
   s.extra_rdoc_files = ["CHANGELOG", "LICENSE", "README.md"]
 
   s.has_rdoc = true
-  s.post_install_message = %q{
+  s.post_install_message = "
 For more information on RubyCAS-Server, see http://code.google.com/p/rubycas-server
 
 If you plan on using RubyCAS-Server with languages other than English, please cd into the
-RubyCAS-Server installation directory (where the gem is installed) and type `rake localization:mo`
+RubyCAS-Server installation directory (where this gem is installed, for example: 
+'/usr/lib/ruby/gems/1.x/gems/rubycas-server-1.x.x/') and type `rake localization:mo`
 to build the LOCALE_LC files.
 
-}
+"
 
-  s.add_dependency("activerecord", "~> 2.3.6")
-  s.add_dependency("activesupport", "~> 2.3.6")
+  s.add_dependency("activerecord", ">= 2.3.12", "< 3.1")
+  s.add_dependency("activesupport", ">= 2.3.12", "< 3.1")
   s.add_dependency("sinatra", "~> 1.0")
   s.add_dependency("gettext", "~> 2.1.0")
   s.add_dependency("crypt-isaac", "~> 0.9.1")
@@ -48,7 +48,7 @@ to build the LOCALE_LC files.
   
   # for authenticator specs
   s.add_development_dependency("net-ldap", "~> 0.1.1")
-  s.add_development_dependency("activeresource", "~> 2.3.6")
+  s.add_development_dependency("activeresource", ">= 2.3.12", "< 3.1")
 
   s.rdoc_options = [
     '--quiet', '--title', 'RubyCAS-Server Documentation', '--opname',

metadata

@@ -1,222 +1,177 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: rubycas-server
-version: !ruby/object:Gem::Version 
-  hash: 15
+version: !ruby/object:Gem::Version
+  version: 1.0.1
   prerelease: 
-  segments: 
-  - 1
-  - 0
-  version: "1.0"
 platform: ruby
-authors: 
+authors:
 - Matt Zukowski
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2011-08-03 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2011-11-22 00:00:00.000000000 -05:00
+default_executable: 
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activerecord
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: &79179110 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 2
-        - 3
-        - 6
-        version: 2.3.6
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.3.12
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.1'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: activesupport
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: *79179110
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: &79178640 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 2
-        - 3
-        - 6
-        version: 2.3.6
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.3.12
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.1'
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: sinatra
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: *79178640
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: &79178260 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 1
-        - 0
-        version: "1.0"
+      - !ruby/object:Gem::Version
+        version: '1.0'
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: gettext
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: *79178260
+- !ruby/object:Gem::Dependency
+  name: gettext
+  requirement: &79178020 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 11
-        segments: 
-        - 2
-        - 1
-        - 0
+      - !ruby/object:Gem::Version
         version: 2.1.0
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: crypt-isaac
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  version_requirements: *79178020
+- !ruby/object:Gem::Dependency
+  name: crypt-isaac
+  requirement: &79177770 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 57
-        segments: 
-        - 0
-        - 9
-        - 1
+      - !ruby/object:Gem::Version
         version: 0.9.1
   type: :runtime
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: rack-test
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
+  version_requirements: *79177770
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: &79177550 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency 
-  name: capybara
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
+  version_requirements: *79177550
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: &79177260 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id007
-- !ruby/object:Gem::Dependency 
-  name: rspec
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
+  version_requirements: *79177260
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &79177020 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id008
-- !ruby/object:Gem::Dependency 
-  name: rspec-core
   prerelease: false
-  requirement: &id009 !ruby/object:Gem::Requirement 
+  version_requirements: *79177020
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: &79176750 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id009
-- !ruby/object:Gem::Dependency 
-  name: sqlite3
   prerelease: false
-  requirement: &id010 !ruby/object:Gem::Requirement 
+  version_requirements: *79176750
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: &79162830 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 25
-        segments: 
-        - 1
-        - 3
-        - 1
+      - !ruby/object:Gem::Version
         version: 1.3.1
   type: :development
-  version_requirements: *id010
-- !ruby/object:Gem::Dependency 
-  name: net-ldap
   prerelease: false
-  requirement: &id011 !ruby/object:Gem::Requirement 
+  version_requirements: *79162830
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: &79162510 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 25
-        segments: 
-        - 0
-        - 1
-        - 1
+      - !ruby/object:Gem::Version
         version: 0.1.1
   type: :development
-  version_requirements: *id011
-- !ruby/object:Gem::Dependency 
-  name: activeresource
   prerelease: false
-  requirement: &id012 !ruby/object:Gem::Requirement 
+  version_requirements: *79162510
+- !ruby/object:Gem::Dependency
+  name: activeresource
+  requirement: &79162220 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 2
-        - 3
-        - 6
-        version: 2.3.6
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.3.12
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.1'
   type: :development
-  version_requirements: *id012
-description: Provides single sign-on authentication for web applications using the CAS protocol.
-email: 
+  prerelease: false
+  version_requirements: *79162220
+description: Provides single sign-on authentication for web applications using the
+  CAS protocol.
+email:
 - matt@zukowski.ca
-executables: 
+executables:
 - rubycas-server
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - CHANGELOG
 - LICENSE
 - README.md
-files: 
+files:
 - CHANGELOG
 - LICENSE
 - README.md
 - Rakefile
 - setup.rb
 - bin/rubycas-server
+- db/migrate/001_create_initial_structure.rb
 - lib/casserver.rb
 - lib/casserver/localization.rb
 - lib/casserver/utils.rb
@@ -266,6 +221,9 @@ files:
 - po/pl_PL/rubycas-server.po
 - po/fr_FR/rubycas-server.po
 - resources/init.d.sh
+- config.ru
+- config/unicorn.rb
+- config/config.example.yml
 - tasks/spec.rake
 - tasks/localization.rake
 - tasks/bundler.rake
@@ -288,18 +246,15 @@ files:
 - spec/spec.opts
 - spec/spec_helper.rb
 - spec/utils_spec.rb
+has_rdoc: true
 homepage: http://code.google.com/p/rubycas-server/
 licenses: []
-
-post_install_message: |+
-  
-  For more information on RubyCAS-Server, see http://code.google.com/p/rubycas-server
-  
-  If you plan on using RubyCAS-Server with languages other than English, please cd into the
-  RubyCAS-Server installation directory (where the gem is installed) and type `rake localization:mo`
-  to build the LOCALE_LC files.
-  
-rdoc_options: 
+post_install_message: ! "\nFor more information on RubyCAS-Server, see http://code.google.com/p/rubycas-server\n\nIf
+  you plan on using RubyCAS-Server with languages other than English, please cd into
+  the\nRubyCAS-Server installation directory (where this gem is installed, for example:
+  \n'/usr/lib/ruby/gems/1.x/gems/rubycas-server-1.x.x/') and type `rake localization:mo`\nto
+  build the LOCALE_LC files.\n\n"
+rdoc_options:
 - --quiet
 - --title
 - RubyCAS-Server Documentation
@@ -309,34 +264,28 @@ rdoc_options:
 - --main
 - README.md
 - --inline-source
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.8.5
+rubygems_version: 1.6.2
 signing_key: 
 specification_version: 3
-summary: Provides single sign-on authentication for web applications using the CAS protocol.
-test_files: 
+summary: Provides single sign-on authentication for web applications using the CAS
+  protocol.
+test_files:
 - spec/alt_config.yml
 - spec/authenticators/active_resource_spec.rb
 - spec/authenticators/ldap_spec.rb