rubycas-server 1.0.1 → 1.1.0

data/CHANGELOG

@@ -1,3 +1,23 @@
+=== 1.1.0 :: 2012-04-19
+
+ * NEW:
+   * Localization is now done using R18n instead of Gettext.
+   * Restored compatibility with Sinatra 1.2
+   * Now compatibile with Ruby 1.9.3
+   * Can now run without Bundler if all required dependencies are already installed.
+   * es_AR translations.
+
+ * CHANGED:
+   * It is no longer possible to select the locale by adding a 'lang=xx' attribute to the 
+   	 request URL. The locale is selected using the 'Accept-Lanuage' header sent in the 
+   	 request. However the old 'lang' functionality may be restored in a future version.
+   * Certain localized string keys have changed. If you are using your own custom views
+     you may need to modify them accordingly.
+
+ * FIXED:
+   * Removed unnecessary bcrypt requirement for encrypted sql authenticators.
+   * Single Sign Out requests should now work with SSL-enabled services.
+
 === 1.0.1 :: 2011-11-22
 
 * NEW:

data/LICENSE

@@ -1,4 +1,4 @@
-Portions of RubyCAS-Server contributed by Matt Zukowski are copyright (c) 2009 Urbacon Ltd. 
+Portions of RubyCAS-Server contributed by Matt Zukowski are copyright (c) 2011 Urbacon Ltd. 
 Other portions are copyright of their respective authors. 
 
 The MIT License

data/README.md

@@ -1,5 +1,19 @@
-# MOVED!
+# RubyCAS-Server ![http://stillmaintained.com/rubycas/rubycas-server](http://stillmaintained.com/rubycas/rubycas-server.png)
 
-This repo has been moved to https://github.com/rubycas/rubycas-server. 
+## Copyright
 
-The fork you are looking at is no longer updated. Please change your git remotes to the new rubycas URL.
+Portions contributed by Matt Zukowski are copyright (c) 2011 Urbacon Ltd.
+Other portions are copyright of their respective authors.
+
+## Authors
+
+See http://github.com/gunark/rubycas-server/commits/
+
+## Installation
+
+See http://code.google.com/p/rubycas-server
+
+## License
+
+RubyCAS-Server is licensed for use under the terms of the MIT License.
+See the LICENSE file bundled with the official RubyCAS-Server distribution for details.

data/Rakefile

@@ -1 +1,2 @@
-Dir['tasks/**/*.rake'].each { |rake| load rake }
+Dir['tasks/**/*.rake'].each { |rake| load rake }
+task :default => :spec

data/config.ru

@@ -1,5 +1,11 @@
 require 'rubygems'
-require 'bundler/setup'
+
+# Assume all necessary gems are in place if bundler is not installed.
+begin
+  require 'bundler/setup'
+rescue LoadError => e
+  raise e unless e.message =~ /no such file to load -- bundler/
+end
 
 $:.unshift "#{File.dirname(__FILE__)}/lib"
 require "casserver"

data/config/config.example.yml

@@ -15,7 +15,7 @@
 # passenger -- served out by Apache via the mod_rails/mod_rack module
 #              (see http://www.modrails.com/)
 #
-# The following are exampe configurations for each of these three methods:
+# The following are example configurations for each of these three methods:
 #
 
 

data/lib/casserver/authenticators/sql_encrypted.rb

@@ -3,7 +3,6 @@ require 'casserver/authenticators/sql'
 require 'digest/sha1'
 require 'digest/sha2'
 require 'crypt-isaac'
-require 'bcrypt'
 
 # This is a more secure version of the SQL authenticator. Passwords are encrypted
 # rather than being stored in plain text.

data/lib/casserver/authenticators/sql_rest_auth.rb

@@ -38,7 +38,7 @@ class CASServer::Authenticators::SQLRestAuth < CASServer::Authenticators::SQLEnc
     if results.size > 0
       $LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
       user = results.first
-      if user.crypted_password == user.encrypt(@password)
+      if user.crypted_password == user.encrypt(@password,@options[:site_key],@options[:digest_streches])
         unless @options[:extra_attributes].blank?
           extract_extra(user)
           log_extra
@@ -63,18 +63,18 @@ class CASServer::Authenticators::SQLRestAuth < CASServer::Authenticators::SQLEnc
       raise "#{self} should be inclued in an ActiveRecord class!" unless mod.respond_to?(:before_save)
     end
 
-    def encrypt(password)
-      password_digest(password, self.salt)
+    def encrypt(password,site_key,digest_streches)
+      password_digest(password, self.salt,site_key,digest_streches)
     end
 
     def secure_digest(*args)
       Digest::SHA1.hexdigest(args.flatten.join('--'))
     end
 
-    def password_digest(password, salt)
-      digest = @options[:site_key]
-      @options[:digest_streches].times do
-        digest = secure_digest(digest, salt, password, @options[:site_key])
+    def password_digest(password, salt,site_key,digest_streches)
+      digest = site_key
+      digest_streches.times do
+        digest = secure_digest(digest, salt, password, site_key) 
       end
       digest
     end

data/lib/casserver/cas.rb

@@ -119,20 +119,20 @@ module CASServer::CAS
 
     success = false
     if ticket.nil?
-      error = _("Your login request did not include a login ticket. There may be a problem with the authentication system.")
+      error = t.error.no_login_ticket
       $LOG.warn "Missing login ticket."
     elsif lt = LoginTicket.find_by_ticket(ticket)
       if lt.consumed?
-        error = _("The login ticket you provided has already been used up. Please try logging in again.")
+        error = t.error.login_ticket_already_used
         $LOG.warn "Login ticket '#{ticket}' previously used up"
       elsif Time.now - lt.created_on < settings.config[:maximum_unused_login_ticket_lifetime]
         $LOG.info "Login ticket '#{ticket}' successfully validated"
       else
-        error = _("You took too long to enter your credentials. Please try again.")
+        error = t.error.login_timeout
         $LOG.warn "Expired login ticket '#{ticket}'"
       end
     else
-      error = _("The login ticket you provided is invalid. There may be a problem with the authentication system.")
+      error = t.error.invalid_login_ticket
       $LOG.warn "Invalid login ticket '#{ticket}'"
     end
 
@@ -244,18 +244,26 @@ module CASServer::CAS
     uri.path = '/' if uri.path.empty?
     time = Time.now
     rand = CASServer::Utils.random_string
-
+    path = uri.path
+    req = Net::HTTP::Post.new(path)
+    req.set_form_data('logoutRequest' => %{<samlp:LogoutRequest ID="#{rand}" Version="2.0" IssueInstant="#{time.rfc2822}">
+ <saml:NameID></saml:NameID>
+ <samlp:SessionIndex>#{st.ticket}</samlp:SessionIndex>
+ </samlp:LogoutRequest>})
+ 
     begin
-      response = Net::HTTP.post_form(uri, {'logoutRequest' => URI.escape(%{<samlp:LogoutRequest ID="#{rand}" Version="2.0" IssueInstant="#{time.rfc2822}">
-        <saml:NameID></saml:NameID>
-        <samlp:SessionIndex>#{st.ticket}</samlp:SessionIndex>
-        </samlp:LogoutRequest>})})
-      if response.kind_of? Net::HTTPSuccess
-        $LOG.info "Logout notification successfully posted to #{st.service.inspect}."
-        return true
-      else
-        $LOG.error "Service #{st.service.inspect} responed to logout notification with code '#{response.code}'!"
-        return false
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true if uri.scheme =='https'
+      
+      http.start do |conn|
+        response = conn.request(req)
+        if response.kind_of? Net::HTTPSuccess
+          $LOG.info "Logout notification successfully posted to #{st.service.inspect}."
+          return true
+        else
+          $LOG.error "Service #{st.service.inspect} responed to logout notification with code '#{response.code}'!"
+          return false
+        end
       end
     rescue Exception => e
       $LOG.error "Failed to send logout notification to service #{st.service.inspect} due to #{e}"

data/lib/casserver/localization.rb

@@ -1,91 +1,13 @@
-require "gettext"
-require "gettext/cgi"
-require 'active_support'
+require 'sinatra/r18n'
 
 module CASServer
   module Localization
     def self.included(mod)
       mod.module_eval do
-        include GetText
+        register Sinatra::R18n
+        set :default_locale, 'en'
+        set :translations,   './locales'
       end
     end
-
-    include GetText
-    bindtextdomain("rubycas-server", :path => File.join(File.dirname(File.expand_path(__FILE__)), "../../locale"))
-
-    def determine_locale(request)
-      source = nil
-      lang = case
-      when !request.params['lang'].blank?
-        source = "'lang' request variable"
-        request.cookies['lang'] = request.params['lang']
-        request.params['lang']
-      when !request.cookies['lang'].blank?
-        source = "'lang' cookie"
-        request.cookies['lang']
-      when !request.env['HTTP_ACCEPT_LANGUAGE'].blank?
-        source = "'HTTP_ACCEPT_LANGUAGE' header"
-        lang = request.env['HTTP_ACCEPT_LANGUAGE']
-      when !request.env['HTTP_USER_AGENT'].blank? && request.env['HTTP_USER_AGENT'] =~ /[^a-z]([a-z]{2}(-[a-z]{2})?)[^a-z]/i
-        source = "'HTTP_USER_AGENT' header"
-        $~[1]
-#      when !$CONF['default_locale'].blank?
-#        source = "'default_locale' config option"
-#        $CONF[:default_locale]
-      else
-        source = "default"
-        "en"
-      end
-
-      $LOG.debug "Detected locale is #{lang.inspect} (from #{source})"
-
-      lang.gsub!('_','-')
-
-      # TODO: Need to confirm that this method of splitting the accepted
-      #       language string is correct.
-      if lang =~ /[,;\|]/
-        langs = lang.split(/[,;\|]/)
-      else
-        langs = [lang]
-      end
-
-      # TODO: This method of selecting the desired language might not be
-      #       standards-compliant. For example, http://www.w3.org/TR/ltli/
-      #       suggests that de-de and de-*-DE might be acceptable identifiers
-      #       for selecting various wildcards. The algorithm below does not
-      #       currently support anything like this.
-
-      available = available_locales
-
-      if available.length == 1
-        $LOG.warn "Only the #{available.first.inspect} localization is available. You should run `rake localization:mo` to compile support for additional languages!"
-      elsif available.length == 0 # this should never actually happen
-        $LOG.error "No localizations available! Run `rake localization:mo` to compile support for additional languages."
-      end
-
-      # Try to pick a locale exactly matching the desired identifier, otherwise
-      # fall back to locale without region (i.e. given "en-US; de-DE", we would
-      # first look for "en-US", then "en", then "de-DE", then "de").
-
-      chosen_lang = nil
-      langs.each do |l|
-        a = available.find{ |a| a =~ Regexp.new("\\A#{l}\\Z", 'i') ||
-                                a =~ Regexp.new("#{l}-\w*",   'i')    }
-        if a
-          chosen_lang = a
-          break
-        end
-      end
-
-      chosen_lang = "en" if chosen_lang.blank?
-
-      $LOG.debug "Chosen locale is #{chosen_lang.inspect}"
-
-      return chosen_lang
-    end
-
-    def available_locales
-      (Dir.glob(File.join(File.dirname(File.expand_path(__FILE__)), "../../locale/[a-z]*")).map{|path| File.basename(path)} << "en").uniq.collect{|l| l.gsub('_','-')}
-    end
   end
 end

data/lib/casserver/server.rb

@@ -19,8 +19,14 @@ module CASServer
     include CASServer::CAS # CAS protocol helpers
     include Localization
 
+    # Use :public_folder for Sinatra >= 1.3, and :public for older versions.
+    def self.use_public_folder?
+      Sinatra.const_defined?("VERSION") && Gem::Version.new(Sinatra::VERSION) >= Gem::Version.new("1.3.0")
+    end
+
     set :app_file, __FILE__
-    set :public_folder, Proc.new { settings.config[:public_dir] || File.join(root, "..", "..", "public") }
+    set( use_public_folder? ? :public_folder : :public, # Workaround for differences in Sinatra versions.
+         Proc.new { settings.config[:public_dir] || File.join(root, "..", "..", "public") } )
 
     config = HashWithIndifferentAccess.new(
       :maximum_unused_login_ticket_lifetime => 5.minutes,
@@ -34,11 +40,13 @@ module CASServer
     def self.uri_path
       config[:uri_path]
     end
-    
+
     # Strip the config.uri_path from the request.path_info...
     # FIXME: do we really need to override all of Sinatra's #static! to make this happen?
     def static!
-      return if (public_dir = settings.public_folder).nil?
+      # Workaround for differences in Sinatra versions.
+      public_dir = Server.use_public_folder? ? settings.public_folder : settings.public
+      return if public_dir.nil?
       public_dir = File.expand_path(public_dir)
       
       path = File.expand_path(public_dir + unescape(request.path_info.gsub(/^#{settings.config[:uri_path]}/,'')))
@@ -281,7 +289,6 @@ module CASServer
     end
 
     before do
-      GetText.locale = determine_locale(request)
       content_type :html, 'charset' => 'utf-8'
       @theme = settings.config[:theme]
       @organization = settings.config[:organization]
@@ -320,7 +327,7 @@ module CASServer
 
       if tgt and !tgt_error
         @message = {:type => 'notice',
-          :message => _("You are currently logged in as '%s'. If this is not you, please log in below.") % tgt.username }
+          :message => t.notice.logged_in_as(tgt.username)}
       elsif tgt_error
         $LOG.debug("Ticket granting cookie could not be validated: #{tgt_error}")
       elsif !tgt
@@ -329,7 +336,7 @@ module CASServer
 
       if params['redirection_loop_intercepted']
         @message = {:type => 'mistake',
-          :message => _("The client and server are unable to negotiate authentication. Please try logging in again later.")}
+          :message => t.error.unable_to_authenticate}
       end
 
       begin
@@ -351,14 +358,14 @@ module CASServer
         elsif @gateway
             $LOG.error("This is a gateway request but no service parameter was given!")
             @message = {:type => 'mistake',
-              :message => _("The server cannot fulfill this gateway request because no service parameter was given.")}
+              :message => t.error.no_service_parameter_given}
         else
           $LOG.info("Proceeding with CAS login without a target service.")
         end
       rescue URI::InvalidURIError
         $LOG.error("The service '#{@service}' is not a valid URI!")
         @message = {:type => 'mistake',
-          :message => _("The target service your browser supplied appears to be invalid. Please contact your system administrator for help.")}
+          :message => t.error.invalid_target_service}
       end
 
       lt = generate_login_ticket
@@ -387,7 +394,7 @@ module CASServer
           render :login_form
         else
           status 500
-          render _("Could not guess the CAS login URI. Please supply a submitToURI parameter with your request.")
+          render t.error.invalid_submit_to_uri
         end
       else
         render @template_engine, :login
@@ -420,7 +427,7 @@ module CASServer
         # generate another login ticket to allow for re-submitting the form
         @lt = generate_login_ticket.ticket
         status 500
-        render @template_engine, :login
+        return render @template_engine, :login
       end
 
       # generate another login ticket to allow for re-submitting the form after a post
@@ -468,7 +475,7 @@ module CASServer
 
           if @service.blank?
             $LOG.info("Successfully authenticated user '#{@username}' at '#{tgt.client_hostname}'. No service param was given, so we will not redirect.")
-            @message = {:type => 'confirmation', :message => _("You have successfully logged in.")}
+            @message = {:type => 'confirmation', :message => t.notice.success_logged_in}
           else
             @st = generate_service_ticket(@service, @username, tgt)
 
@@ -481,20 +488,20 @@ module CASServer
               $LOG.error("The service '#{@service}' is not a valid URI!")
               @message = {
                 :type => 'mistake',
-                :message => _("The target service your browser supplied appears to be invalid. Please contact your system administrator for help.")
+                :message => t.error.invalid_target_service
               }
             end
           end
         else
           $LOG.warn("Invalid credentials given for user '#{@username}'")
-          @message = {:type => 'mistake', :message => _("Incorrect username or password.")}
+          @message = {:type => 'mistake', :message => t.error.incorrect_username_or_password}
           status 401
         end
       rescue CASServer::AuthenticatorError => e
         $LOG.error(e)
         # generate another login ticket to allow for re-submitting the form
         @lt = generate_login_ticket.ticket
-        @message = {:type => 'mistake', :message => _(e.to_s)}
+        @message = {:type => 'mistake', :message => e.to_s}
         status 401
       end
 
@@ -553,9 +560,9 @@ module CASServer
         $LOG.warn("User tried to log out without a valid ticket-granting ticket.")
       end
 
-      @message = {:type => 'confirmation', :message => _("You have successfully logged out.")}
+      @message = {:type => 'confirmation', :message => t.notice.success_logged_out}
 
-      @message[:message] +=_(" Please click on the following link to continue:") if @continue_url
+      @message[:message] += t.notice.click_to_continue if @continue_url
 
       @lt = generate_login_ticket
 
@@ -581,7 +588,7 @@ module CASServer
 
       status 422
 
-      "To generate a login ticket, you must make a POST request."
+      t.error.login_ticket_needs_post_request
     end
 
 

data/lib/casserver/views/_login_form.erb

@@ -1,11 +1,11 @@
 <%# coding: UTF-8 -%>
 <form method="post" action="<%= @form_action || "login" %>" id="login-form"
-      onsubmit="submitbutton = document.getElementById('login-submit'); submitbutton.value='<%= _("Please wait...") %>'; submitbutton.disabled=true; return true;">
+      onsubmit="submitbutton = document.getElementById('login-submit'); submitbutton.value='<%= t.notice.please_wait %>'; submitbutton.disabled=true; return true;">
   <table id="form-layout">
     <tr>
       <td id="username-label-container">
         <label id="username-label" for="username">
-          <%= _("Username") %>
+          <%= t.label.username %>
         </label>
       </td>
       <td id="username-container">
@@ -16,7 +16,7 @@
     <tr>
       <td id="password-label-container">
         <label id="password-label" for="password">
-          <%= _("Password") %>
+          <%= t.label.password %>
         </label>
       </td>
       <td id="password-container">
@@ -29,7 +29,7 @@
       <td id="submit-container">
         <input type="hidden" id="lt" name="lt" value="<%= escape_html @lt %>" />
         <input type="hidden" id="service" name="service" value="<%= escape_html @service %>" />
-        <input type="submit" class="button" accesskey="l" value="<%= _("LOGIN") %>"
+        <input type="submit" class="button" accesskey="l" value="<%= t.button.login %>"
                tabindex="4" id="login-submit" />
       </td>
     </tr>