synapse-rubycas-server 1.1.3alpha

data/spec/casserver_spec.rb

@@ -0,0 +1,221 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/spec_helper'
+
+$LOG = Logger.new(File.basename(__FILE__).gsub('.rb','.log'))
+
+RSpec.configure do |config|
+  config.include Capybara::DSL
+end
+
+VALID_USERNAME = 'spec_user'
+VALID_PASSWORD = 'spec_password'
+
+ATTACK_USERNAME = '%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&password=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&lt=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&service=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E'
+INVALID_PASSWORD = 'invalid_password'
+
+describe 'CASServer' do
+  include Rack::Test::Methods
+
+  before do
+    @target_service = 'http://my.app.test'
+  end
+
+  describe "/login" do
+    before do
+      load_server("default_config")
+      reset_spec_database
+    end
+
+    it "logs in successfully with valid username and password without a target service" do
+      visit "/login"
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("You have successfully logged in")
+      Capybara.current_session.driver.response.headers['Set-Cookie'].should match 'path=/'
+    end
+
+    it "fails to log in with invalid password" do
+      visit "/login"
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+    end
+
+    it "logs in successfully with valid username and password and redirects to target service" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+
+      click_button 'login-submit'
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?\?ticket=ST\-[1-9rA-Z]+/
+    end
+
+    it "preserves target service after invalid login" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+      page.should have_xpath('//input[@id="service"]', :value => @target_service)
+    end
+
+    it "uses appropriate localization based on Accept-Language header" do
+
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'pl'}
+      #visit "/login?lang=pl"
+      visit "/login"
+      page.should have_content("Użytkownik")
+
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'pt_BR'}
+      #visit "/login?lang=pt_BR"
+      visit "/login"
+      page.should have_content("Usuário")
+
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'en'}
+      #visit "/login?lang=en"
+      visit "/login"
+      page.should have_content("Username")
+    end
+
+    it "is not vunerable to Cross Site Scripting" do
+      visit '/login?service=%22%2F%3E%3cscript%3ealert%2832%29%3c%2fscript%3e'
+      page.should_not have_content("alert(32)")
+      page.should_not have_xpath("//script")
+      #page.should have_xpath("<script>alert(32)</script>")
+    end
+
+  end # describe '/login'
+
+
+  describe '/logout' do
+    describe 'user logged in' do
+      before do
+        load_server("default_config")
+        reset_spec_database
+        visit "/login"
+        fill_in 'username', :with => VALID_USERNAME
+        fill_in 'password', :with => VALID_PASSWORD
+        click_button 'login-submit'
+        page.should have_content("You have successfully logged in")
+      end
+
+      it "logs out user who is looged in" do
+        visit "/logout"
+        page.should have_content("You have successfully logged out")
+      end
+
+      it "logs out successfully and redirects to target service" do
+        visit "/logout?gateway=true&service="+CGI.escape(@target_service)
+
+        page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?/
+      end
+    end
+
+    describe "user not logged in" do
+      it "try logs out user which is not logged in" do
+        visit "/logout"
+        page.should have_content("You have successfully logged out")
+      end
+    end
+
+  end # describe '/logout'
+
+  describe 'Configuration' do
+    it "uri_path value changes prefix of routes" do
+      load_server("alt_config")
+      @target_service = 'http://my.app.test'
+
+      visit "/test/login"
+      page.status_code.should_not == 404
+
+      visit "/test/logout"
+      page.status_code.should_not == 404
+    end
+  end
+
+  describe 'validation' do
+    let(:allowed_ip) { '127.0.0.1' }
+    let(:unallowed_ip) { '10.0.0.1' }
+    let(:service) { @target_service }
+
+    before do
+      load_server('default_config')  # 127.0.0.0/24 is allowed here
+      reset_spec_database
+
+      ticket = get_ticket_for(service)
+
+      Rack::Request.any_instance.stub(:ip).and_return(request_ip)
+      get "/#{path}?service=#{CGI.escape(service)}&ticket=#{CGI.escape(ticket)}"
+    end
+
+    subject { last_response }
+
+    describe 'validate' do
+      let(:path) { 'validate' }
+
+      context 'from allowed IP' do
+        let(:request_ip) { allowed_ip }
+
+        it { should be_ok }
+        its(:body) { should match 'yes' }
+      end
+
+      context 'from unallowed IP' do
+        let(:request_ip) { unallowed_ip }
+
+        its(:status) { should eql 422 }
+        its(:body) { should match 'no' }
+      end
+    end
+
+    describe 'serviceValidate' do
+      let(:path) { 'serviceValidate' }
+
+      context 'from allowed IP' do
+        let(:request_ip) { allowed_ip }
+
+        it { should be_ok }
+        its(:content_type) { should match 'text/xml' }
+        its(:body) { should match /cas:authenticationSuccess/i }
+        its(:body) { should match '<test_utf_string>Ютф</test_utf_string>' }
+      end
+
+      context 'from unallowed IP' do
+        let(:request_ip) { unallowed_ip }
+
+        its(:status) { should eql 422 }
+        its(:content_type) { should match 'text/xml' }
+        its(:body) { should match /cas:authenticationFailure.*INVALID_REQUEST/i }
+      end
+    end
+
+    describe 'proxyValidate' do
+      let(:path) { 'proxyValidate' }
+
+      context 'from allowed IP' do
+        let(:request_ip) { allowed_ip }
+
+        it { should be_ok }
+        its(:content_type) { should match 'text/xml' }
+        its(:body) { should match /cas:authenticationSuccess/i }
+      end
+
+      context 'from unallowed IP' do
+        let(:request_ip) { unallowed_ip }
+
+        its(:status) { should eql 422 }
+        its(:content_type) { should match 'text/xml' }
+        its(:body) { should match /cas:authenticationFailure.*INVALID_REQUEST/i }
+      end
+    end
+  end
+end

data/spec/config/alt_config.yml

@@ -0,0 +1,50 @@
+server: webrick
+port: 6543
+#ssl_cert: test.pem
+uri_path: /test
+#bind_address: 0.0.0.0
+
+# database:
+#   adapter: mysql
+#   database: casserver
+#   username: root
+#   password: 
+#   host: localhost
+#   reconnect: true
+database:
+ adapter: sqlite3
+ database: spec/casserver_spec.db
+ 
+disable_auto_migrations: true
+
+quiet: true
+
+authenticator:
+  class: CASServer::Authenticators::Test
+  password: spec_password
+
+theme: simple
+
+organization: "RSPEC-TEST"
+
+infoline: "This is an rspec test."
+
+#custom_views: /path/to/custom/views
+
+default_locale: en
+
+log:
+  file: casserver_spec.log
+  level: DEBUG
+
+#db_log:
+#  file: casserver_spec_db.log
+
+enable_single_sign_out: true
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+#maximum_session_lifetime: 172800
+
+#downcase_username: true

data/spec/config/default_config.yml

@@ -0,0 +1,56 @@
+server: webrick
+port: 6543
+#ssl_cert: test.pem
+#uri_path: /cas
+#bind_address: 0.0.0.0
+
+# database:
+#   adapter: mysql
+#   database: casserver
+#   username: root
+#   password:
+#   host: localhost
+#   reconnect: true
+database:
+ adapter: sqlite3
+ database: spec/casserver_spec.db
+
+disable_auto_migrations: true
+
+quiet: true
+
+authenticator:
+  class: CASServer::Authenticators::Test
+  password: spec_password
+
+theme: simple
+
+organization: "RSPEC-TEST"
+
+infoline: "This is an rspec test."
+
+#custom_views: /path/to/custom/views
+
+default_locale: en
+
+log:
+  file: casserver_spec.log
+  level: DEBUG
+
+#db_log:
+#  file: casserver_spec_db.log
+
+enable_single_sign_out: true
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+#maximum_session_lifetime: 172800
+
+cookie_options:
+  path: "/"
+
+#downcase_username: true
+
+allowed_service_ips:
+  - 127.0.0.0/24

data/spec/core_ext/string_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+require 'casserver/core_ext'
+
+describe CASServer::CoreExt::String do
+  describe '.random(length = 29)' do
+    context 'when max length is not passed in' do
+      it 'should return a random string of length 29' do
+        String.random.length.should == 29
+      end
+    end
+
+    context 'when max length is passed in' do
+      it 'should return a random string of the desired length' do
+        String.random(30).length.should == 30
+      end
+    end
+
+    it 'should include the letter r in the random string' do
+      String.random.should include 'r'
+    end
+
+    it 'should return a random string' do
+      random_string = String.random
+      another_random_string = String.random
+      random_string.should_not == another_random_string
+    end
+  end
+end

data/spec/spec.opts

@@ -0,0 +1,4 @@
+--colour
+--format nested
+--loadby mtime
+--reverse

data/spec/spec_helper.rb

@@ -0,0 +1,126 @@
+require 'rubygems'
+require 'rack/test'
+require 'rspec'
+#require 'spec/autorun'
+#require 'spec/interop/test'
+require 'logger'
+require 'ostruct'
+require 'webmock/rspec'
+
+require 'capybara'
+require 'capybara/dsl'
+require 'casserver/authenticators/base'
+require 'casserver/core_ext.rb'
+
+CASServer::Authenticators.autoload :LDAP, 'casserver/authenticators/ldap.rb'
+CASServer::Authenticators.autoload :ActiveDirectoryLDAP, 'casserver/authenticators/active_directory_ldap.rb'
+CASServer::Authenticators.autoload :SQL, 'casserver/authenticators/sql.rb'
+CASServer::Authenticators.autoload :SQLEncrypted, 'lib/casserver/authenticators/sql_encrypted.rb'
+CASServer::Authenticators.autoload :Google, 'casserver/authenticators/google.rb'
+CASServer::Authenticators.autoload :ActiveResource, 'casserver/authenticators/active_resource.rb'
+CASServer::Authenticators.autoload :Test, 'casserver/authenticators/test.rb'
+
+# require builder because it doesn't pull in the version
+# info automatically...
+begin
+  require 'builder'
+  require 'builder/version'
+rescue LoadError
+  puts "builder not found, testing ActiveRecord 2.3?"
+end
+
+if Dir.getwd =~ /\/spec$/
+  # Avoid potential weirdness by changing the working directory to the CASServer root
+  FileUtils.cd('..')
+end
+
+def silence_warnings
+  old_verbose, $VERBOSE = $VERBOSE, nil
+  yield
+ensure
+  $VERBOSE = old_verbose
+end
+
+# Ugly monkeypatch to allow us to test for correct redirection to
+# external services.
+#
+# This will likely break in the future when Capybara or RackTest are upgraded.
+class Capybara::RackTest::Browser
+  def current_url
+    if @redirected_to_external_url
+      @redirected_to_external_url
+    else
+      request.url rescue ""
+    end
+  end
+
+  def follow_redirects!
+    if last_response.redirect? && last_response['Location'] =~ /^http[s]?:/
+      @redirected_to_external_url = last_response['Location']
+    else
+      5.times do
+        follow_redirect! if last_response.redirect?
+      end
+      raise Capybara::InfiniteRedirectError, "redirected more than 5 times, check for infinite redirects." if last_response.redirect?
+    end
+  end
+end
+
+# This called in specs' `before` block.
+# Due to the way Sinatra applications are loaded,
+# we're forced to delay loading of the server code
+# until the start of each test so that certain
+# configuraiton options can be changed (e.g. `uri_path`)
+def load_server(config_file = 'default_config')
+  ENV['CONFIG_FILE'] = File.join(File.dirname(__FILE__),'config',"#{config_file}.yml")
+
+  silence_warnings do
+    load File.dirname(__FILE__) + '/../lib/casserver/server.rb'
+  end
+
+  # set test environment
+  CASServer::Server.set :environment, :test
+  CASServer::Server.set :run, false
+  CASServer::Server.set :raise_errors, true
+  CASServer::Server.set :logging, false
+
+  CASServer::Server.enable(:raise_errors)
+  CASServer::Server.disable(:show_exceptions)
+
+  #Capybara.current_driver = :selenium
+  Capybara.app = CASServer::Server
+
+  def app
+    CASServer::Server
+  end
+end
+
+# Deletes the sqlite3 database specified in the app's config
+# and runs the db:migrate rake tasks to rebuild the database schema.
+def reset_spec_database
+  raise "Cannot reset the spec database because config[:database][:database] is not defined." unless
+    CASServer::Server.config[:database] && CASServer::Server.config[:database][:database]
+
+  FileUtils.rm_f(CASServer::Server.config[:database][:database])
+
+  ActiveRecord::Base.logger = Logger.new(STDOUT)
+  ActiveRecord::Base.logger.level = Logger::ERROR
+  ActiveRecord::Migration.verbose = false
+  ActiveRecord::Migrator.migrate("db/migrate")
+end
+
+def get_ticket_for(service, username = 'spec_user', password = 'spec_password')
+  visit "/login?service=#{CGI.escape(service)}"
+  fill_in 'username', :with => username
+  fill_in 'password', :with => password
+  click_button 'login-submit'
+
+  page.current_url.match(/ticket=(.*)$/)[1]
+end
+def gem_available?(name)
+  if Gem::Specification.methods.include?(:find_all_by_name)
+    not Gem::Specification.find_all_by_name(name).empty?
+  else
+    Gem.available?(name)
+  end
+end

data/tasks/bundler.rake

@@ -0,0 +1,4 @@
+require 'bundler'
+namespace :bundler do
+  Bundler::GemHelper.install_tasks(:name => 'rubycas-server')
+end

data/tasks/db/migrate.rake

@@ -0,0 +1,12 @@
+namespace :db do
+  desc "bring your CAS server database schema up to date (options CONFIG=/path/to/config.yml)"
+  task :migrate do |t|
+    $:.unshift File.dirname(__FILE__) + "/../../lib"
+    
+    require 'casserver/server'
+    
+    CASServer::Model::Ticket.logger = Logger.new(STDOUT)
+    ActiveRecord::Migration.verbose = true
+    ActiveRecord::Migrator.migrate("db/migrate")
+  end
+end

data/tasks/spec.rake

@@ -0,0 +1,10 @@
+begin
+  require 'rspec/core/rake_task'
+  desc 'Run RSpecs to confirm that all functionality is working as expected'
+  RSpec::Core::RakeTask.new('spec') do |t|
+    t.rspec_opts = ['--colour', '--format nested']
+    t.pattern = 'spec/**/*_spec.rb'
+  end
+rescue LoadError
+  puts "Hiding spec tasks because RSpec is not available"
+end