synapse-rubycas-server 1.1.3alpha
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +15 -0
- data/CHANGELOG +353 -0
- data/Gemfile +12 -0
- data/LICENSE +26 -0
- data/README.md +38 -0
- data/Rakefile +3 -0
- data/bin/rubycas-server +30 -0
- data/config/config.example.yml +552 -0
- data/config/unicorn.rb +88 -0
- data/config.ru +11 -0
- data/db/migrate/001_create_initial_structure.rb +47 -0
- data/db/migrate/002_add_indexes_for_performance.rb +15 -0
- data/lib/casserver/authenticators/active_directory_ldap.rb +17 -0
- data/lib/casserver/authenticators/active_resource.rb +113 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/aes256.rb +43 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/bcrypt.rb +92 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/md5.rb +34 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/sha1.rb +59 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/sha512.rb +50 -0
- data/lib/casserver/authenticators/base.rb +70 -0
- data/lib/casserver/authenticators/client_certificate.rb +47 -0
- data/lib/casserver/authenticators/google.rb +62 -0
- data/lib/casserver/authenticators/ldap.rb +131 -0
- data/lib/casserver/authenticators/ntlm.rb +88 -0
- data/lib/casserver/authenticators/open_id.rb +19 -0
- data/lib/casserver/authenticators/sql.rb +158 -0
- data/lib/casserver/authenticators/sql_authlogic.rb +93 -0
- data/lib/casserver/authenticators/sql_bcrypt.rb +17 -0
- data/lib/casserver/authenticators/sql_encrypted.rb +75 -0
- data/lib/casserver/authenticators/sql_md5.rb +19 -0
- data/lib/casserver/authenticators/sql_rest_auth.rb +82 -0
- data/lib/casserver/authenticators/test.rb +21 -0
- data/lib/casserver/base.rb +13 -0
- data/lib/casserver/cas.rb +324 -0
- data/lib/casserver/core_ext/directory_user.rb +81 -0
- data/lib/casserver/core_ext/securerandom.rb +17 -0
- data/lib/casserver/core_ext/string.rb +22 -0
- data/lib/casserver/core_ext.rb +12 -0
- data/lib/casserver/model/consumable.rb +31 -0
- data/lib/casserver/model/ticket.rb +19 -0
- data/lib/casserver/model.rb +248 -0
- data/lib/casserver/server.rb +796 -0
- data/lib/casserver/utils.rb +20 -0
- data/lib/casserver/views/_login_form.erb +42 -0
- data/lib/casserver/views/layout.erb +18 -0
- data/lib/casserver/views/login.erb +30 -0
- data/lib/casserver/views/proxy.builder +13 -0
- data/lib/casserver/views/proxy_validate.builder +31 -0
- data/lib/casserver/views/service_validate.builder +24 -0
- data/lib/casserver/views/validate.erb +2 -0
- data/lib/casserver.rb +19 -0
- data/locales/de.yml +27 -0
- data/locales/en.yml +26 -0
- data/locales/es.yml +26 -0
- data/locales/es_ar.yml +26 -0
- data/locales/fr.yml +26 -0
- data/locales/it.yml +26 -0
- data/locales/jp.yml +26 -0
- data/locales/pl.yml +26 -0
- data/locales/pt.yml +26 -0
- data/locales/ru.yml +26 -0
- data/locales/zh.yml +26 -0
- data/locales/zh_tw.yml +26 -0
- data/public/themes/cas.css +126 -0
- data/public/themes/notice.png +0 -0
- data/public/themes/ok.png +0 -0
- data/public/themes/simple/bg.png +0 -0
- data/public/themes/simple/favicon.png +0 -0
- data/public/themes/simple/login_box_bg.png +0 -0
- data/public/themes/simple/logo.png +0 -0
- data/public/themes/simple/theme.css +28 -0
- data/public/themes/warning.png +0 -0
- data/resources/init.d.sh +58 -0
- data/spec/casserver/authenticators/active_resource_spec.rb +116 -0
- data/spec/casserver/authenticators/ldap_spec.rb +57 -0
- data/spec/casserver/cas_spec.rb +148 -0
- data/spec/casserver/model_spec.rb +42 -0
- data/spec/casserver/utils_spec.rb +24 -0
- data/spec/casserver_spec.rb +221 -0
- data/spec/config/alt_config.yml +50 -0
- data/spec/config/default_config.yml +56 -0
- data/spec/core_ext/string_spec.rb +28 -0
- data/spec/spec.opts +4 -0
- data/spec/spec_helper.rb +126 -0
- data/tasks/bundler.rake +4 -0
- data/tasks/db/migrate.rake +12 -0
- data/tasks/spec.rake +10 -0
- metadata +405 -0
@@ -0,0 +1,552 @@
|
|
1
|
+
# IMPORTANT NOTE ABOUT YAML CONFIGURATION FILES
|
2
|
+
# ---> Be sure to use spaces instead of tabs for indentation. YAML is
|
3
|
+
# white-space sensitive!
|
4
|
+
|
5
|
+
##### SERVER SETUP ################################################################
|
6
|
+
|
7
|
+
# There are several ways to run RubyCAS-Server:
|
8
|
+
#
|
9
|
+
# webrick -- stand-alone WEBrick server; should work out-of-the-box; this is
|
10
|
+
# the default method, but probably not suited for high-traffic usage
|
11
|
+
# mongrel -- stand-alone Mongrel server; fast, but you'll need to install
|
12
|
+
# and compile Mongrel and run it behind an https reverse proxy like
|
13
|
+
# Pound or Apache 2.2's mod_proxy (since Mongrel cannot serve out
|
14
|
+
# over SSL on its own).
|
15
|
+
# passenger -- served out by Apache via the mod_rails/mod_rack module
|
16
|
+
# (see http://www.modrails.com/)
|
17
|
+
#
|
18
|
+
# The following are example configurations for each of these three methods:
|
19
|
+
#
|
20
|
+
|
21
|
+
|
22
|
+
###
|
23
|
+
### WEBrick example
|
24
|
+
###
|
25
|
+
# WEBrick is a simple, all-Ruby web server. This is the easiest method for running
|
26
|
+
# RubyCAS-Server. All you need is an SSL certificate (enter its path under the
|
27
|
+
# ssl_cert option). WEBrick is fine for sites with low to medium traffic, but for
|
28
|
+
# high-performance scenarios you may want to look into deploying using Mongrel
|
29
|
+
# or Passenger.
|
30
|
+
|
31
|
+
server: webrick
|
32
|
+
port: 443
|
33
|
+
ssl_cert: /path/to/your/ssl.pem
|
34
|
+
|
35
|
+
# If your private key is in a separate file from the cert
|
36
|
+
|
37
|
+
#ssl_key: /path/to/your/private_key.pem
|
38
|
+
|
39
|
+
# If you do not already have an SSL certificate and would like to automatically
|
40
|
+
# generate one, run the "generate_ssl_certificate" rake task and use the following
|
41
|
+
# settings:
|
42
|
+
|
43
|
+
# ssl_cert: ssl/cert.pem
|
44
|
+
# ssl_key: ssl/key.pem
|
45
|
+
|
46
|
+
|
47
|
+
# By default the login page will be available at the root path
|
48
|
+
# (e.g. https://login.example.net/). The uri_path option lets you serve it from a
|
49
|
+
# different path (e.g. https://login.example.net/cas).
|
50
|
+
|
51
|
+
#uri_path: /cas
|
52
|
+
|
53
|
+
|
54
|
+
# This lets you bind the server to a specific address. Use 0.0.0.0 to listen on
|
55
|
+
# all available interfaces (this is the default).
|
56
|
+
|
57
|
+
#bind_address: 0.0.0.0
|
58
|
+
|
59
|
+
|
60
|
+
###
|
61
|
+
### Phusion Passenger (running under Apache configured for SSL)
|
62
|
+
###
|
63
|
+
|
64
|
+
# No additional configuration is requried to run RubyCAS-Server under
|
65
|
+
# passsenger. Just follow the normal instructions for a Passenger app
|
66
|
+
# (see http://www.modrails.com/).
|
67
|
+
#
|
68
|
+
# Here's an example Apache vhost config for RubyCAS-Server and Passenger:
|
69
|
+
#
|
70
|
+
# Listen 443
|
71
|
+
# <VirtualHost *:443>
|
72
|
+
# ServerAdmin admin@example.net
|
73
|
+
# ServerName login.example.net
|
74
|
+
#
|
75
|
+
# SSLEngine On
|
76
|
+
# SSLCertificateFile /etc/apache2/ssl.crt/example.pem
|
77
|
+
#
|
78
|
+
# RailsAutoDetect off
|
79
|
+
#
|
80
|
+
# DocumentRoot /usr/lib/ruby/gems/1.8/gems/rubycas-server-0.8.0/public
|
81
|
+
#
|
82
|
+
# <Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-0.8.0/public">
|
83
|
+
# AllowOverride all
|
84
|
+
# Allow from all
|
85
|
+
# </Directory>
|
86
|
+
# </VirtualHost>
|
87
|
+
#
|
88
|
+
|
89
|
+
|
90
|
+
##### DATABASE #################################################################
|
91
|
+
|
92
|
+
# Set up the database connection. Make sure that this database is secure!
|
93
|
+
#
|
94
|
+
# By default, we use MySQL, since it is widely used and does not require any
|
95
|
+
# additional ruby libraries besides ActiveRecord.
|
96
|
+
#
|
97
|
+
# With MySQL, your config would be something like the following:
|
98
|
+
# (be sure to create the casserver database in MySQL beforehand,
|
99
|
+
# i.e. `mysqladmin -u root create casserver`)
|
100
|
+
|
101
|
+
database:
|
102
|
+
adapter: mysql
|
103
|
+
database: casserver
|
104
|
+
username: root
|
105
|
+
password:
|
106
|
+
host: localhost
|
107
|
+
reconnect: true
|
108
|
+
|
109
|
+
# IMPORTANT! By default, the server can handle up to ~5 concurrent requests
|
110
|
+
# (without queuing). You can increase this by setting the database connection
|
111
|
+
# pool size to a higher number. For example, to handle up to ~10 concurrent
|
112
|
+
# requests:
|
113
|
+
#
|
114
|
+
#database:
|
115
|
+
# pool: 10
|
116
|
+
# adapter: mysql
|
117
|
+
# database: casserver
|
118
|
+
# username: root
|
119
|
+
# password:
|
120
|
+
# host: localhost
|
121
|
+
|
122
|
+
#
|
123
|
+
# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else
|
124
|
+
# supported by ActiveRecord.
|
125
|
+
#
|
126
|
+
# With SQLite3 (which does not require a separate database server), your
|
127
|
+
# configuration would look something like the following (don't forget to install
|
128
|
+
# the sqlite3-ruby gem beforehand!):
|
129
|
+
|
130
|
+
#database:
|
131
|
+
# adapter: sqlite3
|
132
|
+
# database: /var/lib/casserver.db
|
133
|
+
|
134
|
+
|
135
|
+
# By default RubyCAS-Server will run migrations at every startup to ensure
|
136
|
+
# that its database schema is up-to-date. To disable this behaviour set
|
137
|
+
# the following option to true:
|
138
|
+
|
139
|
+
#disable_auto_migrations: true
|
140
|
+
|
141
|
+
##### AUTHENTICATION ###########################################################
|
142
|
+
|
143
|
+
# Configure how username/passwords are validated.
|
144
|
+
#
|
145
|
+
# !!! YOU MUST CONFIGURE AT LEAST ONE OF THESE AUTHENTICATION METHODS !!!
|
146
|
+
#
|
147
|
+
# There are several built-in methods for authentication:
|
148
|
+
# SQL, ActiveDirectory, LDAP, and GoogleAccounts. If none of these work for you,
|
149
|
+
# it is relatively easy to write your own custom Authenticator class (see below).
|
150
|
+
#
|
151
|
+
# === SQL Authentication =======================================================
|
152
|
+
#
|
153
|
+
# The simplest method is to validate against a SQL database. This assumes
|
154
|
+
# that all of your users are stored in a table that has a 'username' column
|
155
|
+
# and a 'password' column. When the user logs in, CAS connects to this database
|
156
|
+
# and looks for a matching username/password in the users table. If a matching
|
157
|
+
# username and password is found, authentication is successful.
|
158
|
+
#
|
159
|
+
# If you prefer to have your passwords stored in an encrypted form, have a
|
160
|
+
# look at the SQLEncrypted authenticator:
|
161
|
+
# http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
|
162
|
+
#
|
163
|
+
# If your users table stores passwords with MD5 hashing (for example as with
|
164
|
+
# Drupal) try using the SQLMd5 version of the SQL authenticator.
|
165
|
+
#
|
166
|
+
# Example:
|
167
|
+
#
|
168
|
+
#authenticator:
|
169
|
+
# class: CASServer::Authenticators::SQL
|
170
|
+
# database:
|
171
|
+
# adapter: mysql
|
172
|
+
# database: some_database_with_users_table
|
173
|
+
# username: root
|
174
|
+
# password:
|
175
|
+
# host: localhost
|
176
|
+
# user_table: users
|
177
|
+
# username_column: username
|
178
|
+
# password_column: password
|
179
|
+
#
|
180
|
+
# When replying to a CAS client's validation request, the server will normally
|
181
|
+
# provide the client with the authenticated user's username. However it is
|
182
|
+
# possible for the server to provide the client with additional attributes.
|
183
|
+
# You can configure the SQL authenticator to provide data from additional
|
184
|
+
# columns in the users table by listing the names of the columns under the
|
185
|
+
# 'extra_attributes' option. Note though that this functionality is experimental.
|
186
|
+
# It should work with RubyCAS-Client, but may or may not work with other CAS
|
187
|
+
# clients.
|
188
|
+
#
|
189
|
+
# For example, with this configuration, the 'full_name' and 'access_level'
|
190
|
+
# columns will be provided to your CAS clients along with the username:
|
191
|
+
#
|
192
|
+
#authenticator:
|
193
|
+
# class: CASServer::Authenticators::SQL
|
194
|
+
# database:
|
195
|
+
# adapter: mysql
|
196
|
+
# database: some_database_with_users_table
|
197
|
+
# user_table: users
|
198
|
+
# username_column: username
|
199
|
+
# password_column: password
|
200
|
+
# extra_attributes: full_name, access_level
|
201
|
+
#
|
202
|
+
#
|
203
|
+
#
|
204
|
+
# === Google Authentication ====================================================
|
205
|
+
#
|
206
|
+
# The Google authenticator allows users to log in to your CAS server using
|
207
|
+
# their Google account credentials (i.e. the same email and password they
|
208
|
+
# would use to log in to Google services like Gmail). This authenticator
|
209
|
+
# requires no special configuration -- just specify its class name:
|
210
|
+
#
|
211
|
+
#authenticator:
|
212
|
+
# class: CASServer::Authenticators::Google
|
213
|
+
#
|
214
|
+
# If you are behind an http proxy, you can try specifying proxy settings as follows:
|
215
|
+
#
|
216
|
+
#authenticator:
|
217
|
+
# class: CASServer::Authenticators::Google
|
218
|
+
# proxy:
|
219
|
+
# host: your-proxy-server
|
220
|
+
# port: 8080
|
221
|
+
# username: nil
|
222
|
+
# password: nil
|
223
|
+
#
|
224
|
+
# If you want to restrict access to only those Google accounts in a
|
225
|
+
# particular domain, as might be the case for an organization that
|
226
|
+
# uses Google for its domain's e-mail, add the restricted_domain
|
227
|
+
# option:
|
228
|
+
#
|
229
|
+
#authenticator:
|
230
|
+
# class: CASServer::Authenticators::Google
|
231
|
+
# restricted_domain: example.com
|
232
|
+
#
|
233
|
+
# Note that as with all authenticators, it is possible to use the Google
|
234
|
+
# authenticator alongside other authenticators. For example, CAS can first
|
235
|
+
# attempt to validate the account with Google, and if that fails, fall back
|
236
|
+
# to some other local authentication mechanism.
|
237
|
+
#
|
238
|
+
# For example:
|
239
|
+
#
|
240
|
+
#authenticator:
|
241
|
+
# - class: CASServer::Authenticators::Google
|
242
|
+
# - class: CASServer::Authenticators::SQL
|
243
|
+
# database:
|
244
|
+
# adapter: mysql
|
245
|
+
# database: some_database_with_users_table
|
246
|
+
# username: root
|
247
|
+
# password:
|
248
|
+
# host: localhost
|
249
|
+
# user_table: user
|
250
|
+
# username_column: username
|
251
|
+
# password_column: password
|
252
|
+
#
|
253
|
+
#
|
254
|
+
# === ActiveDirectory Authentication ===========================================
|
255
|
+
#
|
256
|
+
# This method authenticates against Microsoft's Active Directory using LDAP.
|
257
|
+
# You must configure the ActiveDirectory server, and base DN. The port number
|
258
|
+
# and LDAP filter are optional. You must also enter a CN and password
|
259
|
+
# for a special "authenticator" user. This account is used to log in to
|
260
|
+
# the ActiveDirectory server and search LDAP. This does not have to be an
|
261
|
+
# administrative account -- it only has to be able to search for other
|
262
|
+
# users.
|
263
|
+
#
|
264
|
+
# Note that the auth_user parameter must be the user's CN (Common Name).
|
265
|
+
# In Active Directory, the CN is genarally the user's full name, which is usually
|
266
|
+
# NOT the same as their username (sAMAccountName).
|
267
|
+
#
|
268
|
+
# For example:
|
269
|
+
#
|
270
|
+
#authenticator:
|
271
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
272
|
+
# ldap:
|
273
|
+
# host: ad.example.net
|
274
|
+
# port: 389
|
275
|
+
# base: dc=example,dc=net
|
276
|
+
# filter: (objectClass=person)
|
277
|
+
# auth_user: authenticator
|
278
|
+
# auth_password: itsasecret
|
279
|
+
#
|
280
|
+
# A more complicated example, where the authenticator will use TLS encryption,
|
281
|
+
# will ignore users with disabled accounts, and will pass on the 'cn' and 'mail'
|
282
|
+
# attributes to CAS clients:
|
283
|
+
#
|
284
|
+
#authenticator:
|
285
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
286
|
+
# ldap:
|
287
|
+
# host: ad.example.net
|
288
|
+
# port: 636
|
289
|
+
# base: dc=example,dc=net
|
290
|
+
# filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)
|
291
|
+
# auth_user: authenticator
|
292
|
+
# auth_password: itsasecret
|
293
|
+
# encryption: simple_tls
|
294
|
+
# extra_attributes: cn, mail
|
295
|
+
#
|
296
|
+
# It is possible to authenticate against Active Directory without the
|
297
|
+
# authenticator user, but this requires that users type in their CN as
|
298
|
+
# the username rather than typing in their sAMAccountName. In other words
|
299
|
+
# users will likely have to authenticate by typing their full name,
|
300
|
+
# rather than their username. If you prefer to do this, then just
|
301
|
+
# omit the auth_user and auth_password values in the above example.
|
302
|
+
#
|
303
|
+
#
|
304
|
+
# === LDAP Authentication ======================================================
|
305
|
+
#
|
306
|
+
# This is a more general version of the ActiveDirectory authenticator.
|
307
|
+
# The configuration is similar, except you don't need an authenticator
|
308
|
+
# username or password. The following example has been reported to work
|
309
|
+
# for a basic OpenLDAP setup.
|
310
|
+
#
|
311
|
+
#authenticator:
|
312
|
+
# class: CASServer::Authenticators::LDAP
|
313
|
+
# ldap:
|
314
|
+
# host: ldap.example.net
|
315
|
+
# port: 389
|
316
|
+
# base: dc=example,dc=net
|
317
|
+
# username_attribute: uid
|
318
|
+
# filter: (objectClass=person)
|
319
|
+
#
|
320
|
+
# If you need more secure connections via TSL, specify the 'encryption'
|
321
|
+
# option and change the port. This example also forces the authenticator
|
322
|
+
# to connect using a special "authenticator" user with the given
|
323
|
+
# username and password (see the ActiveDirectoryLDAP authenticator
|
324
|
+
# explanation above):
|
325
|
+
#
|
326
|
+
#authenticator:
|
327
|
+
# class: CASServer::Authenticators::LDAP
|
328
|
+
# ldap:
|
329
|
+
# host: ldap.example.net
|
330
|
+
# port: 636
|
331
|
+
# base: dc=example,dc=net
|
332
|
+
# filter: (objectClass=person)
|
333
|
+
# encryption: simple_tls
|
334
|
+
# auth_user: cn=admin,dc=example,dc=net
|
335
|
+
# auth_password: secret
|
336
|
+
#
|
337
|
+
# If you need additional data about the user passed to the client (for example,
|
338
|
+
# their 'cn' and 'mail' attributes, you can specify the list of attributes
|
339
|
+
# under the extra_attributes config option:
|
340
|
+
#
|
341
|
+
#authenticator:
|
342
|
+
# class: CASServer::Authenticators::LDAP
|
343
|
+
# ldap:
|
344
|
+
# host: ldap.example.net
|
345
|
+
# port: 389
|
346
|
+
# base: dc=example,dc=net
|
347
|
+
# filter: (objectClass=person)
|
348
|
+
# extra_attributes: cn, mail
|
349
|
+
#
|
350
|
+
# Note that the above functionality is somewhat limited by client compatibility.
|
351
|
+
# See the SQL authenticator notes above for more info.
|
352
|
+
#
|
353
|
+
#
|
354
|
+
# === Custom Authentication ====================================================
|
355
|
+
#
|
356
|
+
# It should be relatively easy to write your own Authenticator class. Have a look
|
357
|
+
# at the built-in authenticators in the casserver/authenticators directory. Your
|
358
|
+
# authenticator should extend the CASServer::Authenticators::Base class and must
|
359
|
+
# implement a validate() method that takes a single hash argument. When the user
|
360
|
+
# submits the login form, the username and password they entered is passed to
|
361
|
+
# validate() as a hash under :username and :password keys. In the future, this
|
362
|
+
# hash might also contain other data such as the domain that the user is logging
|
363
|
+
# in to.
|
364
|
+
#
|
365
|
+
# To use your custom authenticator, specify it's class name and path to the
|
366
|
+
# source file in the authenticator section of the config. Any other parameters
|
367
|
+
# you specify in the authenticator configuration will be passed on to the
|
368
|
+
# authenticator and made availabe in the validate() method as an @options hash.
|
369
|
+
#
|
370
|
+
# Example:
|
371
|
+
#
|
372
|
+
#authenticator:
|
373
|
+
# class: FooModule::MyCustomAuthenticator
|
374
|
+
# source: /path/to/source.rb
|
375
|
+
# option_a: foo
|
376
|
+
# another_option: yeeha
|
377
|
+
#
|
378
|
+
# === Multiple Authenticators ==================================================
|
379
|
+
#
|
380
|
+
# If you need to have more than one source for authentication, such as an LDAP
|
381
|
+
# directory and a database, you can use multiple authenticators by making
|
382
|
+
# :authenticator an array of authenticators.
|
383
|
+
#
|
384
|
+
#authenticator:
|
385
|
+
# -
|
386
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
387
|
+
# ldap:
|
388
|
+
# host: ad.example.net
|
389
|
+
# port: 389
|
390
|
+
# base: dc=example,dc=net
|
391
|
+
# filter: (objectClass=person)
|
392
|
+
# -
|
393
|
+
# class: CASServer::Authenticators::SQL
|
394
|
+
# database:
|
395
|
+
# adapter: mysql
|
396
|
+
# database: some_database_with_users_table
|
397
|
+
# username: root
|
398
|
+
# password:
|
399
|
+
# host: localhost
|
400
|
+
# user_table: user
|
401
|
+
# username_column: username
|
402
|
+
# password_column: password
|
403
|
+
#
|
404
|
+
# During authentication, the user credentials will be checked against the first
|
405
|
+
# authenticator and on failure fall through to the second authenticator.
|
406
|
+
#
|
407
|
+
|
408
|
+
|
409
|
+
##### LOOK & FEEL ##############################################################
|
410
|
+
|
411
|
+
# Set the path to the theme directory that determines how your CAS pages look.
|
412
|
+
#
|
413
|
+
# Custom themes are not well supported yet, but will be in the near future. In
|
414
|
+
# the meantime, if you want to create a custom theme, you can create a
|
415
|
+
# subdirectory under the CASServer's themes dir (for example,
|
416
|
+
# '/usr/lib/ruby/1.8/gems/casserver-xxx/public/themes', if you installed CASServer
|
417
|
+
# on Linux as a gem). A theme is basically just a theme.css file that overrides
|
418
|
+
# the themes/cas.css styles along with a collection of image files
|
419
|
+
# like logo.png and bg.png.
|
420
|
+
#
|
421
|
+
# By default, we use the 'simple' theme which you can find in themes/simple.
|
422
|
+
theme: simple
|
423
|
+
|
424
|
+
# The name of your company/organization. This will show up on the login page.
|
425
|
+
organization: CAS
|
426
|
+
|
427
|
+
# A short bit of text that shows up on the login page. You can make this blank
|
428
|
+
# if you prefer to have no extra text shown at the bottom of the login box.
|
429
|
+
infoline: Powered by <a href="http://rubycas.github.com">RubyCAS-Server</a>
|
430
|
+
|
431
|
+
# Custom views directory. If set, this will be used instead of 'lib/casserver/views'.
|
432
|
+
#custom_views: /path/to/custom/views
|
433
|
+
|
434
|
+
# Custom public directory. If set, static content (css, etc.) will be served from here rather
|
435
|
+
# than from rubycas-server's internal 'public' directory (but be mindful of any overriding
|
436
|
+
# settings you may have in your web server's config).
|
437
|
+
#public_dir: /path/to/custom/public
|
438
|
+
|
439
|
+
##### LOCALIZATION (L10N) #######################################################
|
440
|
+
# The server will attempt to detect the user's locale and show text in the
|
441
|
+
# appropriate language based on:
|
442
|
+
#
|
443
|
+
# 1. The 'locale' URL parameter (if any)
|
444
|
+
# 2. The 'locale' session (if any)
|
445
|
+
# 3. The HTTP_ACCEPT_LANGUAGE header supplied by the user's browser.
|
446
|
+
#
|
447
|
+
# The format is the same as standard linux locales (langagecode_COUNTRYCODE):
|
448
|
+
#
|
449
|
+
# ru_RU - Russian, Russia
|
450
|
+
# eo_AQ - Esperanto, Antarctica
|
451
|
+
#
|
452
|
+
# It will also work if you leave out the region (i.e. just "ru" for Russian,
|
453
|
+
# "eo" for Esperanto).
|
454
|
+
#
|
455
|
+
# If you are interested in contributing new translations or have corrections
|
456
|
+
# to the existing translations, see
|
457
|
+
# https://github.com/rubycas/rubycas-server/wiki/Localization
|
458
|
+
|
459
|
+
##### LOGGING ##################################################################
|
460
|
+
|
461
|
+
# Configure general logging. This log is where you'll want to look in case of
|
462
|
+
# problems.
|
463
|
+
#
|
464
|
+
# You may want to change the file to something like /var/log/casserver.log
|
465
|
+
# Set the level to DEBUG if you want more detailed logging.
|
466
|
+
|
467
|
+
log:
|
468
|
+
file: /var/log/casserver.log
|
469
|
+
level: INFO
|
470
|
+
|
471
|
+
|
472
|
+
# If you want full database logging, uncomment this next section.
|
473
|
+
# Every SQL query will be logged here. This is useful for debugging database
|
474
|
+
# problems.
|
475
|
+
|
476
|
+
#db_log:
|
477
|
+
# file: /var/log/casserver_db.log
|
478
|
+
|
479
|
+
|
480
|
+
# Setting the following option to true will disable CLI output to stdout.
|
481
|
+
# i.e. this will get rid of messages like ">>> Redirecting RubyCAS-Server log..."
|
482
|
+
# This is useful when, for example, you're running rspecs.
|
483
|
+
|
484
|
+
#quiet: true
|
485
|
+
|
486
|
+
|
487
|
+
##### SINGLE SIGN-OUT ##########################################################
|
488
|
+
|
489
|
+
# When a user logs in to a CAS-enabled client application, that application
|
490
|
+
# generally opens its own local user session. When the user then logs out
|
491
|
+
# through the CAS server, each of the CAS-enabled client applications need
|
492
|
+
# to be notified so that they can close their own local sessions for that user.
|
493
|
+
#
|
494
|
+
# Up until recently this was not possible within CAS. However, a method for
|
495
|
+
# performing this notification was recently added to the protocol (in CAS 3.1).
|
496
|
+
# This works exactly as described above -- when the user logs out, the CAS
|
497
|
+
# server individually contacts each client service and notifies it of the
|
498
|
+
# logout. Currently not all client applications support this, so this
|
499
|
+
# behaviour is disabled by default. To enable it, uncomment the following
|
500
|
+
# configuration line. Note that currently it is not possible to enable
|
501
|
+
# or disable single-sign-out on a per-service basis, but this functionality
|
502
|
+
# is planned for a future release.
|
503
|
+
|
504
|
+
#enable_single_sign_out: true
|
505
|
+
|
506
|
+
|
507
|
+
##### OTHER ####################################################################
|
508
|
+
|
509
|
+
# You can set various ticket expiry times (specify the value in seconds).
|
510
|
+
|
511
|
+
# Unused login and service tickets become unusable this many seconds after
|
512
|
+
# they are created. (Defaults to 5 minutes)
|
513
|
+
|
514
|
+
#maximum_unused_login_ticket_lifetime: 300
|
515
|
+
#maximum_unused_service_ticket_lifetime: 300
|
516
|
+
|
517
|
+
# The server must periodically delete old tickets (login tickets, service tickets
|
518
|
+
# proxy-granting tickets, and ticket-granting tickets) to prevent buildup of
|
519
|
+
# stale data. This effectively limits the maximum length of a CAS session to
|
520
|
+
# the lifetime given here (in seconds). (Defaults to 48 hours)
|
521
|
+
#
|
522
|
+
# Note that this limit is not enforced on the client side; it refers only to the
|
523
|
+
# the maximum lifetime of tickets on the CAS server.
|
524
|
+
|
525
|
+
#maximum_session_lifetime: 172800
|
526
|
+
|
527
|
+
# Set custom cookie parameters such as max-age or secure
|
528
|
+
|
529
|
+
#cookie_options:
|
530
|
+
# domain:
|
531
|
+
# path:
|
532
|
+
# max_age:
|
533
|
+
# expires:
|
534
|
+
# secure:
|
535
|
+
# httponly:
|
536
|
+
|
537
|
+
# If you want the usernames entered on the login page to be automatically
|
538
|
+
# downcased (converted to lowercase), enable the following option. When this
|
539
|
+
# option is set to true, if the user enters "JSmith" as their username, the
|
540
|
+
# system will automatically
|
541
|
+
# convert this to "jsmith".
|
542
|
+
|
543
|
+
#downcase_username: true
|
544
|
+
|
545
|
+
# If you'd like to limit the service hosts that can use CAS for authentication,
|
546
|
+
# add the individual IPs and IP ranges in CIDR notation below. Leaving this
|
547
|
+
# setting blank will allow any server to authenticate users via the CAS server
|
548
|
+
# and potentially harvest sensitive user information.
|
549
|
+
|
550
|
+
#allowed_service_ips:
|
551
|
+
# - 127.0.0.1
|
552
|
+
# - 192.168.0.0/24
|
data/config/unicorn.rb
ADDED
@@ -0,0 +1,88 @@
|
|
1
|
+
# Sample configuration file for Unicorn (not Rack)
|
2
|
+
#
|
3
|
+
# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete
|
4
|
+
# documentation.
|
5
|
+
SINATRA_ROOT = `pwd`.strip
|
6
|
+
|
7
|
+
# Use at least one worker per core if you're on a dedicated server,
|
8
|
+
# more will usually help for _short_ waits on databases/caches.
|
9
|
+
worker_processes 3
|
10
|
+
|
11
|
+
# Help ensure your application will always spawn in the symlinked
|
12
|
+
# "current" directory that Capistrano sets up.
|
13
|
+
working_directory SINATRA_ROOT # available in 0.94.0+
|
14
|
+
|
15
|
+
# listen on both a Unix domain socket and a TCP port,
|
16
|
+
# we use a shorter backlog for quicker failover when busy
|
17
|
+
# listen "/tmp/.sock", :backlog => 64
|
18
|
+
listen 18889, :tcp_nopush => true
|
19
|
+
|
20
|
+
# nuke workers after 30 seconds instead of 60 seconds (the default)
|
21
|
+
timeout 30
|
22
|
+
|
23
|
+
# feel free to point this anywhere accessible on the filesystem
|
24
|
+
|
25
|
+
pid "#{SINATRA_ROOT}/tmp/pids/unicorn.pid"
|
26
|
+
|
27
|
+
# relative_path "/test_platform"
|
28
|
+
# some applications/frameworks log to stderr or stdout, so prevent
|
29
|
+
# them from going to /dev/null when daemonized here:
|
30
|
+
stderr_path "#{SINATRA_ROOT}/log/unicorn.stderr.log"
|
31
|
+
stdout_path "#{SINATRA_ROOT}/log/unicorn.stdout.log"
|
32
|
+
|
33
|
+
# combine REE with "preload_app true" for memory savings
|
34
|
+
# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
|
35
|
+
preload_app false
|
36
|
+
GC.respond_to?(:copy_on_write_friendly=) and
|
37
|
+
GC.copy_on_write_friendly = true
|
38
|
+
|
39
|
+
before_fork do |server, worker|
|
40
|
+
# the following is highly recomended for Rails + "preload_app true"
|
41
|
+
# as there's no need for the master process to hold a connection
|
42
|
+
# defined?(ActiveRecord::Base) and
|
43
|
+
# ActiveRecord::Base.connection.disconnect!
|
44
|
+
|
45
|
+
# The following is only recommended for memory/DB-constrained
|
46
|
+
# installations. It is not needed if your system can house
|
47
|
+
# twice as many worker_processes as you have configured.
|
48
|
+
#
|
49
|
+
# # This allows a new master process to incrementally
|
50
|
+
# # phase out the old master process with SIGTTOU to avoid a
|
51
|
+
# # thundering herd (especially in the "preload_app false" case)
|
52
|
+
# # when doing a transparent upgrade. The last worker spawned
|
53
|
+
# # will then kill off the old master process with a SIGQUIT.
|
54
|
+
old_pid = "#{server.config[:pid]}.oldbin"
|
55
|
+
|
56
|
+
puts 'pid:'
|
57
|
+
puts '-------------------'
|
58
|
+
puts server.pid
|
59
|
+
puts old_pid
|
60
|
+
puts '---------------------'
|
61
|
+
|
62
|
+
if old_pid != server.pid
|
63
|
+
begin
|
64
|
+
sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
|
65
|
+
Process.kill(sig, File.read(old_pid).to_i)
|
66
|
+
rescue Errno::ENOENT, Errno::ESRCH
|
67
|
+
end
|
68
|
+
end
|
69
|
+
#
|
70
|
+
# # *optionally* throttle the master from forking too quickly by sleeping
|
71
|
+
sleep 1
|
72
|
+
end
|
73
|
+
|
74
|
+
after_fork do |server, worker|
|
75
|
+
# per-process listener ports for debugging/admin/migrations
|
76
|
+
# addr = "127.0.0.1:#{9293 + worker.nr}"
|
77
|
+
# server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
|
78
|
+
|
79
|
+
# the following is *required* for Rails + "preload_app true",
|
80
|
+
# defined?(ActiveRecord::Base) and
|
81
|
+
# ActiveRecord::Base.establish_connection
|
82
|
+
|
83
|
+
# if preload_app is true, then you may also want to check and
|
84
|
+
# restart any other shared sockets/descriptors such as Memcached,
|
85
|
+
# and Redis. TokyoCabinet file handles are safe to reuse
|
86
|
+
# between any number of forked children (assuming your kernel
|
87
|
+
# correctly implements pread()/pwrite() system calls)
|
88
|
+
end
|
data/config.ru
ADDED
@@ -0,0 +1,47 @@
|
|
1
|
+
class CreateInitialStructure < ActiveRecord::Migration
|
2
|
+
def self.up
|
3
|
+
# Oracle table names cannot exceed 30 chars...
|
4
|
+
# See http://code.google.com/p/rubycas-server/issues/detail?id=15
|
5
|
+
create_table 'casserver_lt', :force => true do |t|
|
6
|
+
t.string 'ticket', :null => false
|
7
|
+
t.timestamp 'created_on', :null => false
|
8
|
+
t.datetime 'consumed', :null => true
|
9
|
+
t.string 'client_hostname', :null => false
|
10
|
+
end
|
11
|
+
|
12
|
+
create_table 'casserver_st', :force => true do |t|
|
13
|
+
t.string 'ticket', :null => false
|
14
|
+
t.text 'service', :null => false
|
15
|
+
t.timestamp 'created_on', :null => false
|
16
|
+
t.datetime 'consumed', :null => true
|
17
|
+
t.string 'client_hostname', :null => false
|
18
|
+
t.string 'username', :null => false
|
19
|
+
t.string 'type', :null => false
|
20
|
+
t.integer 'granted_by_pgt_id', :null => true
|
21
|
+
t.integer 'granted_by_tgt_id', :null => true
|
22
|
+
end
|
23
|
+
|
24
|
+
create_table 'casserver_tgt', :force => true do |t|
|
25
|
+
t.string 'ticket', :null => false
|
26
|
+
t.timestamp 'created_on', :null => false
|
27
|
+
t.string 'client_hostname', :null => false
|
28
|
+
t.string 'username', :null => false
|
29
|
+
t.text 'extra_attributes', :null => true
|
30
|
+
end
|
31
|
+
|
32
|
+
create_table 'casserver_pgt', :force => true do |t|
|
33
|
+
t.string 'ticket', :null => false
|
34
|
+
t.timestamp 'created_on', :null => false
|
35
|
+
t.string 'client_hostname', :null => false
|
36
|
+
t.string 'iou', :null => false
|
37
|
+
t.integer 'service_ticket_id', :null => false
|
38
|
+
end
|
39
|
+
end # self.up
|
40
|
+
|
41
|
+
def self.down
|
42
|
+
drop_table 'casserver_pgt'
|
43
|
+
drop_table 'casserver_tgt'
|
44
|
+
drop_table 'casserver_st'
|
45
|
+
drop_table 'casserver_lt'
|
46
|
+
end # self.down
|
47
|
+
end
|