RubyGems - synapse-rubycas-server - Versions diffs - 1.1.3alpha - Mend

synapse-rubycas-server 1.1.3alpha

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

checksums.yaml +15 -0
data/CHANGELOG +353 -0
data/Gemfile +12 -0
data/LICENSE +26 -0
data/README.md +38 -0
data/Rakefile +3 -0
data/bin/rubycas-server +30 -0
data/config/config.example.yml +552 -0
data/config/unicorn.rb +88 -0
data/config.ru +11 -0
data/db/migrate/001_create_initial_structure.rb +47 -0
data/db/migrate/002_add_indexes_for_performance.rb +15 -0
data/lib/casserver/authenticators/active_directory_ldap.rb +17 -0
data/lib/casserver/authenticators/active_resource.rb +113 -0
data/lib/casserver/authenticators/authlogic_crypto_providers/aes256.rb +43 -0
data/lib/casserver/authenticators/authlogic_crypto_providers/bcrypt.rb +92 -0
data/lib/casserver/authenticators/authlogic_crypto_providers/md5.rb +34 -0
data/lib/casserver/authenticators/authlogic_crypto_providers/sha1.rb +59 -0
data/lib/casserver/authenticators/authlogic_crypto_providers/sha512.rb +50 -0
data/lib/casserver/authenticators/base.rb +70 -0
data/lib/casserver/authenticators/client_certificate.rb +47 -0
data/lib/casserver/authenticators/google.rb +62 -0
data/lib/casserver/authenticators/ldap.rb +131 -0
data/lib/casserver/authenticators/ntlm.rb +88 -0
data/lib/casserver/authenticators/open_id.rb +19 -0
data/lib/casserver/authenticators/sql.rb +158 -0
data/lib/casserver/authenticators/sql_authlogic.rb +93 -0
data/lib/casserver/authenticators/sql_bcrypt.rb +17 -0
data/lib/casserver/authenticators/sql_encrypted.rb +75 -0
data/lib/casserver/authenticators/sql_md5.rb +19 -0
data/lib/casserver/authenticators/sql_rest_auth.rb +82 -0
data/lib/casserver/authenticators/test.rb +21 -0
data/lib/casserver/base.rb +13 -0
data/lib/casserver/cas.rb +324 -0
data/lib/casserver/core_ext/directory_user.rb +81 -0
data/lib/casserver/core_ext/securerandom.rb +17 -0
data/lib/casserver/core_ext/string.rb +22 -0
data/lib/casserver/core_ext.rb +12 -0
data/lib/casserver/model/consumable.rb +31 -0
data/lib/casserver/model/ticket.rb +19 -0
data/lib/casserver/model.rb +248 -0
data/lib/casserver/server.rb +796 -0
data/lib/casserver/utils.rb +20 -0
data/lib/casserver/views/_login_form.erb +42 -0
data/lib/casserver/views/layout.erb +18 -0
data/lib/casserver/views/login.erb +30 -0
data/lib/casserver/views/proxy.builder +13 -0
data/lib/casserver/views/proxy_validate.builder +31 -0
data/lib/casserver/views/service_validate.builder +24 -0
data/lib/casserver/views/validate.erb +2 -0
data/lib/casserver.rb +19 -0
data/locales/de.yml +27 -0
data/locales/en.yml +26 -0
data/locales/es.yml +26 -0
data/locales/es_ar.yml +26 -0
data/locales/fr.yml +26 -0
data/locales/it.yml +26 -0
data/locales/jp.yml +26 -0
data/locales/pl.yml +26 -0
data/locales/pt.yml +26 -0
data/locales/ru.yml +26 -0
data/locales/zh.yml +26 -0
data/locales/zh_tw.yml +26 -0
data/public/themes/cas.css +126 -0
data/public/themes/notice.png +0 -0
data/public/themes/ok.png +0 -0
data/public/themes/simple/bg.png +0 -0
data/public/themes/simple/favicon.png +0 -0
data/public/themes/simple/login_box_bg.png +0 -0
data/public/themes/simple/logo.png +0 -0
data/public/themes/simple/theme.css +28 -0
data/public/themes/warning.png +0 -0
data/resources/init.d.sh +58 -0
data/spec/casserver/authenticators/active_resource_spec.rb +116 -0
data/spec/casserver/authenticators/ldap_spec.rb +57 -0
data/spec/casserver/cas_spec.rb +148 -0
data/spec/casserver/model_spec.rb +42 -0
data/spec/casserver/utils_spec.rb +24 -0
data/spec/casserver_spec.rb +221 -0
data/spec/config/alt_config.yml +50 -0
data/spec/config/default_config.yml +56 -0
data/spec/core_ext/string_spec.rb +28 -0
data/spec/spec.opts +4 -0
data/spec/spec_helper.rb +126 -0
data/tasks/bundler.rake +4 -0
data/tasks/db/migrate.rake +12 -0
data/tasks/spec.rake +10 -0
metadata +405 -0

data/lib/casserver/authenticators/test.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# encoding: UTF-8
+# Dummy authenticator used for testing.
+# Accepts any username as valid as long as the password is "testpassword"; otherwise authentication fails.
+# Raises an AuthenticationError when username is "do_error" (this is useful to test the Exception
+# handling functionality).
+class CASServer::Authenticators::Test < CASServer::Authenticators::Base
+  def validate(credentials)
+    read_standard_credentials(credentials)
+    raise CASServer::AuthenticatorError, "Username is 'do_error'!" if @username == 'do_error'
+    @extra_attributes[:test_utf_string] = "Ютф"
+    @extra_attributes[:test_numeric] = 123.45
+    @extra_attributes[:test_serialized] = {:foo => 'bar', :alpha => [1,2,3]}
+    valid_password = options[:password] || "testpassword"
+    return @password == valid_password
+  end
+end

data/lib/casserver/base.rb ADDED Viewed

@@ -0,0 +1,13 @@
+require 'sinatra/base'
+require 'sinatra/r18n'
+require 'logger'
+$LOG ||= Logger.new(STDOUT)
+module CASServer
+  class Base < Sinatra::Base
+    register Sinatra::R18n
+    R18n::I18n.default = 'en'
+    R18n.default_places { File.join(root,'..','..','locales') }
+  end
+end

data/lib/casserver/cas.rb ADDED Viewed

@@ -0,0 +1,324 @@
+require 'uri'
+require 'net/https'
+require 'casserver/model'
+require 'casserver/core_ext'
+# Encapsulates CAS functionality. This module is meant to be included in
+# the CASServer::Controllers module.
+module CASServer::CAS
+  include CASServer::Model
+  def generate_login_ticket
+    # 3.5 (login ticket)
+    lt = LoginTicket.new
+    lt.ticket = "LT-" + String.random
+    lt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
+    lt.save!
+    $LOG.debug("Generated login ticket '#{lt.ticket}' for client" +
+      " at '#{lt.client_hostname}'")
+    lt
+  end
+  # Creates a TicketGrantingTicket for the given username. This is done when the user logs in
+  # for the first time to establish their SSO session (after their credentials have been validated).
+  #
+  # The optional 'extra_attributes' parameter takes a hash of additional attributes
+  # that will be sent along with the username in the CAS response to subsequent
+  # validation requests from clients.
+  def generate_ticket_granting_ticket(username, extra_attributes = {})
+    # 3.6 (ticket granting cookie/ticket)
+    tgt = TicketGrantingTicket.new
+    tgt.ticket = "TGC-" + String.random
+    tgt.username = username
+    tgt.extra_attributes = extra_attributes
+    tgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
+    tgt.save!
+    $LOG.debug("Generated ticket granting ticket '#{tgt.ticket}' for user" +
+      " '#{tgt.username}' at '#{tgt.client_hostname}'" +
+      (extra_attributes.blank? ? "" : " with extra attributes #{extra_attributes.inspect}"))
+    tgt
+  end
+  def generate_service_ticket(service, username, tgt)
+    # 3.1 (service ticket)
+    st = ServiceTicket.new
+    st.ticket = "ST-" + String.random
+    st.service = service
+    st.username = username
+    st.granted_by_tgt_id = tgt.id
+    st.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
+    st.save!
+    $LOG.debug("Generated service ticket '#{st.ticket}' for service '#{st.service}'" +
+      " for user '#{st.username}' at '#{st.client_hostname}'")
+    st
+  end
+  def generate_proxy_ticket(target_service, pgt)
+    # 3.2 (proxy ticket)
+    pt = ProxyTicket.new
+    pt.ticket = "PT-" + String.random
+    pt.service = target_service
+    pt.username = pgt.service_ticket.username
+    pt.granted_by_pgt_id = pgt.id
+    pt.granted_by_tgt_id = pgt.service_ticket.granted_by_tgt_id
+    pt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
+    pt.save!
+    $LOG.debug("Generated proxy ticket '#{pt.ticket}' for target service '#{pt.service}'" +
+      " for user '#{pt.username}' at '#{pt.client_hostname}' using proxy-granting" +
+      " ticket '#{pgt.ticket}'")
+    pt
+  end
+  def generate_proxy_granting_ticket(pgt_url, st)
+    uri = URI.parse(pgt_url)
+    https = Net::HTTP.new(uri.host,uri.port)
+    https.use_ssl = true
+    # Here's what's going on here:
+    #
+    #   1. We generate a ProxyGrantingTicket (but don't store it in the database just yet)
+    #   2. Deposit the PGT and it's associated IOU at the proxy callback URL.
+    #   3. If the proxy callback URL responds with HTTP code 200, store the PGT and return it;
+    #      otherwise don't save it and return nothing.
+    #
+    https.start do |conn|
+      path = uri.path.empty? ? '/' : uri.path
+      path += '?' + uri.query unless (uri.query.nil? || uri.query.empty?)
+      pgt = ProxyGrantingTicket.new
+      pgt.ticket = "PGT-" + String.random(60)
+      pgt.iou = "PGTIOU-" + String.random(57)
+      pgt.service_ticket_id = st.id
+      pgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
+      # FIXME: The CAS protocol spec says to use 'pgt' as the parameter, but in practice
+      #         the JA-SIG and Yale server implementations use pgtId. We'll go with the
+      #         in-practice standard.
+      path += (uri.query.nil? || uri.query.empty? ? '?' : '&') + "pgtId=#{pgt.ticket}&pgtIou=#{pgt.iou}"
+      response = conn.request_get(path)
+      # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
+      # NOTE: The following response codes are valid according to the JA-SIG implementation even without following redirects
+      if %w(200 202 301 302 304).include?(response.code)
+        # 3.4 (proxy-granting ticket IOU)
+        pgt.save!
+        $LOG.debug "PGT generated for pgt_url '#{pgt_url}': #{pgt.inspect}"
+        pgt
+      else
+        $LOG.warn "PGT callback server responded with a bad result code '#{response.code}'. PGT will not be stored."
+        nil
+      end
+    end
+  end
+  def validate_login_ticket(ticket)
+    $LOG.debug("Validating login ticket '#{ticket}'")
+    success = false
+    if ticket.nil?
+      error = t.error.no_login_ticket
+      $LOG.warn "Missing login ticket."
+    elsif lt = LoginTicket.find_by_ticket(ticket)
+      if lt.consumed?
+        error = t.error.login_ticket_already_used
+        $LOG.warn "Login ticket '#{ticket}' previously used up"
+      elsif Time.now - lt.created_on < settings.config[:maximum_unused_login_ticket_lifetime]
+        $LOG.info "Login ticket '#{ticket}' successfully validated"
+      else
+        error = t.error.login_timeout
+        $LOG.warn "Expired login ticket '#{ticket}'"
+      end
+    else
+      error = t.error.invalid_login_ticket
+      $LOG.warn "Invalid login ticket '#{ticket}'"
+    end
+    lt.consume! if lt
+    error
+  end
+  def validate_ticket_granting_ticket(ticket)
+    $LOG.debug("Validating ticket granting ticket '#{ticket}'")
+    if ticket.nil?
+      error = "No ticket granting ticket given."
+      $LOG.debug error
+    elsif tgt = TicketGrantingTicket.find_by_ticket(ticket)
+      if settings.config[:maximum_session_lifetime] && Time.now - tgt.created_on > settings.config[:maximum_session_lifetime]
+	tgt.destroy
+        error = "Your session has expired. Please log in again."
+        $LOG.info "Ticket granting ticket '#{ticket}' for user '#{tgt.username}' expired."
+      else
+        $LOG.info "Ticket granting ticket '#{ticket}' for user '#{tgt.username}' successfully validated."
+      end
+    else
+      error = "Invalid ticket granting ticket '#{ticket}' (no matching ticket found in the database)."
+      $LOG.warn(error)
+    end
+    [tgt, error]
+  end
+  def validate_service_ticket(service, ticket, allow_proxy_tickets = false)
+    $LOG.debug "Validating service/proxy ticket '#{ticket}' for service '#{service}'"
+    if service.nil? or ticket.nil?
+      error = Error.new(:INVALID_REQUEST, "Ticket or service parameter was missing in the request.")
+      $LOG.warn "#{error.code} - #{error.message}"
+    elsif st = ServiceTicket.find_by_ticket(ticket)
+      if st.consumed?
+        error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' has already been used up.")
+        $LOG.warn "#{error.code} - #{error.message}"
+      elsif st.kind_of?(CASServer::Model::ProxyTicket) && !allow_proxy_tickets
+        error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' is a proxy ticket, but only service tickets are allowed here.")
+        $LOG.warn "#{error.code} - #{error.message}"
+      elsif Time.now - st.created_on > settings.config[:maximum_unused_service_ticket_lifetime]
+        error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' has expired.")
+        $LOG.warn "Ticket '#{ticket}' has expired."
+      elsif !st.matches_service? service
+        error = Error.new(:INVALID_SERVICE, "The ticket '#{ticket}' belonging to user '#{st.username}' is valid,"+
+          " but the requested service '#{service}' does not match the service '#{st.service}' associated with this ticket.")
+        $LOG.warn "#{error.code} - #{error.message}"
+      else
+        $LOG.info("Ticket '#{ticket}' for service '#{service}' for user '#{st.username}' successfully validated.")
+      end
+    else
+      error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' not recognized.")
+      $LOG.warn("#{error.code} - #{error.message}")
+    end
+    if st
+      st.consume!
+    end
+    [st, error]
+  end
+  def validate_proxy_ticket(service, ticket)
+    pt, error = validate_service_ticket(service, ticket, true)
+    if pt.kind_of?(CASServer::Model::ProxyTicket) && !error
+      if not pt.granted_by_pgt
+        error = Error.new(:INTERNAL_ERROR, "Proxy ticket '#{pt}' belonging to user '#{pt.username}' is not associated with a proxy granting ticket.")
+      elsif not pt.granted_by_pgt.service_ticket
+        error = Error.new(:INTERNAL_ERROR, "Proxy granting ticket '#{pt.granted_by_pgt}'"+
+          " (associated with proxy ticket '#{pt}' and belonging to user '#{pt.username}' is not associated with a service ticket.")
+      end
+    end
+    [pt, error]
+  end
+  def validate_proxy_granting_ticket(ticket)
+    if ticket.nil?
+      error = Error.new(:INVALID_REQUEST, "pgt parameter was missing in the request.")
+      $LOG.warn("#{error.code} - #{error.message}")
+    elsif pgt = ProxyGrantingTicket.find_by_ticket(ticket)
+      if pgt.service_ticket
+        $LOG.info("Proxy granting ticket '#{ticket}' belonging to user '#{pgt.service_ticket.username}' successfully validated.")
+      else
+        error = Error.new(:INTERNAL_ERROR, "Proxy granting ticket '#{ticket}' is not associated with a service ticket.")
+        $LOG.error("#{error.code} - #{error.message}")
+      end
+    else
+      error = Error.new(:BAD_PGT, "Invalid proxy granting ticket '#{ticket}' (no matching ticket found in the database).")
+      $LOG.warn("#{error.code} - #{error.message}")
+    end
+    [pgt, error]
+  end
+  # Takes an existing ServiceTicket object (presumably pulled from the database)
+  # and sends a POST with logout information to the service that the ticket
+  # was generated for.
+  #
+  # This makes possible the "single sign-out" functionality added in CAS 3.1.
+  # See http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out
+  def send_logout_notification_for_service_ticket(st)
+    uri = URI.parse(st.service)
+    uri.path = '/' if uri.path.empty?
+    time = Time.now
+    rand = String.random
+    path = uri.path
+    req = Net::HTTP::Post.new(path)
+    req.set_form_data('logoutRequest' => %{<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="#{rand}" Version="2.0" IssueInstant="#{time.rfc2822}">
+ <saml:NameID></saml:NameID>
+ <samlp:SessionIndex>#{st.ticket}</samlp:SessionIndex>
+ </samlp:LogoutRequest>})
+    begin
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true if uri.scheme =='https'
+      http.start do |conn|
+        response = conn.request(req)
+        if response.kind_of? Net::HTTPSuccess
+          $LOG.info "Logout notification successfully posted to #{st.service.inspect}."
+          return true
+        else
+          $LOG.error "Service #{st.service.inspect} responed to logout notification with code '#{response.code}'!"
+          return false
+        end
+      end
+    rescue Exception => e
+      $LOG.error "Failed to send logout notification to service #{st.service.inspect} due to #{e}"
+      return false
+    end
+  end
+  def service_uri_with_ticket(service, st)
+    raise ArgumentError, "Second argument must be a ServiceTicket!" unless st.kind_of? CASServer::Model::ServiceTicket
+    # This will choke with a URI::InvalidURIError if service URI is not properly URI-escaped...
+    # This exception is handled further upstream (i.e. in the controller).
+    service_uri = URI.parse(service)
+    if service.include? "?"
+      if service_uri.query.empty?
+        query_separator = ""
+      else
+        query_separator = "&"
+      end
+    else
+      query_separator = "?"
+    end
+    service_with_ticket = service + query_separator + "ticket=" + st.ticket
+    service_with_ticket
+  end
+  # Strips CAS-related parameters from a service URL and normalizes it,
+  # removing trailing / and ?. Also converts any spaces to +.
+  #
+  # For example, "http://google.com?ticket=12345" will be returned as
+  # "http://google.com". Also, "http://google.com/" would be returned as
+  # "http://google.com".
+  #
+  # Note that only the first occurance of each CAS-related parameter is
+  # removed, so that "http://google.com?ticket=12345&ticket=abcd" would be
+  # returned as "http://google.com?ticket=abcd".
+  def clean_service_url(dirty_service)
+    return dirty_service if dirty_service.blank?
+    clean_service = dirty_service.dup
+    ['service', 'ticket', 'gateway', 'renew'].each do |p|
+      clean_service.sub!(Regexp.new("&?#{p}=[^&]*"), '')
+    end
+    clean_service.gsub!(/[\/\?&]$/, '') # remove trailing ?, /, or &
+    clean_service.gsub!('?&', '?')
+    clean_service.gsub!(' ', '+')
+    $LOG.debug("Cleaned dirty service URL #{dirty_service.inspect} to #{clean_service.inspect}") if
+      dirty_service != clean_service
+    return clean_service
+  end
+  module_function :clean_service_url
+end

data/lib/casserver/core_ext/directory_user.rb ADDED Viewed

@@ -0,0 +1,81 @@
+# ActiveDirectory user class
+class DirectoryUser
+  require 'net/ldap'
+  TREEBASE =  "dc=synapsedev,dc=com"
+  FIELDS = [
+    "accountExpires", "displayName", "dn", "mail", "title", "sn", "givenName",
+    "c", "co", "company", "department", "employeeType", "facsimiletelephonenumber",
+    "hashedPassword", "l", "mail", "mobile", "manager", "physicalDeliveryOfficeName",
+    "pinNumber", "postalcode", "proxyAddresses", "pwdLastSet", "sAMAccountName",
+    "sAMAccountType", "streetAddress", "synapseAccessCardNumber",
+    "synapseConferencingStatus", "synapseConferencingUniqueID", "synapseExtendedAttributes",
+    "synapseExtendedAttributesTest", "synapseExtensionNumber", "synapseRecursiveGroups",
+    "synapseEmployeeStartDate", "synapsePersonalEmailAddress", "synapseEmergencyContact",
+    "synapseDateOfBirth", "synapseBusinessUnit", "synapseObjectGUID", "telephoneNumber",
+    "title", "userAccountControl", "userPrincipalName", "uSNChanged",
+    "uSNCreated", "whenCreated", "whenChanged"
+  ]
+  # Public: Change password for ActiveDirectory user
+  #
+  # pwd - The new password for the user
+  #
+  # Examples
+  #   user = DirectoryUser.find_by_account_name('conference.test')
+  #   user.change_password("MyNewPassword")
+  #   # => true
+  #
+  # Returns true if the password was updated
+  # Return error if the password was not updated
+  def self.change_user_password(username, password)
+    filter = "(&(objectCategory=person)(objectClass=user)(samaccountname=#{username}))"
+    ldap_con = self.ldap_connect(username, password)
+    if ldap_con
+      result = self.ldap_search(TREEBASE, filter, FIELDS, ldap_con).first
+      dn = result[:dn].first
+      ops = [
+          [ :delete, :unicodePwd, [microsoft_encode_password(password)] ],
+          [ :add, :unicodePwd, [microsoft_encode_password(password)] ]
+      ]
+      ldap_con.modify(:dn => dn, :operations => ops)
+      if ldap_con.get_operation_result.code == 0
+        return true
+      else
+        raise StandardError, "Password field was not updated for #{username}. LDAP #{ldap_con.get_operation_result.code} Error: #{ldap_con.get_operation_result.message}"
+      end
+    else
+      raise StandardError, "Ldap failed to connect Error #{ldap_con.get_operation_result.message}"
+    end
+  end
+  def self.ldap_search(treebase, filter, attrs, ldap_con)
+    results = []
+    results = ldap_con.search( :base => treebase, :filter => filter, :attributes => attrs )
+    if results
+      results
+    else
+      raise StandardError, "No results for ldap search #{filter} in treebase #{treebase} LDAP Error: #{ldap_con.get_operation_result}"
+    end
+  end
+  def self.ldap_connect(username, password)
+    ldap = Net::LDAP.new(
+      :host =>  "core-dc-1.synapsedev.com",
+      :port => 636,
+      :encryption => :simple_tls
+    )
+    ldap.authenticate("SYNAPSEDEV\\#{username}", password)
+    ldap
+  end
+  def self.microsoft_encode_password(pwd)
+    ret = ""
+    pwd = "\"" + pwd + "\""
+    pwd.length.times{|i| ret+= "#{pwd[i..i]}\000" }
+    ret
+  end
+end

data/lib/casserver/core_ext/securerandom.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'securerandom'
+module CASServer::CoreExt
+  module SecureRandom
+    # This is a copypaste job from 1.9.3, ActiveSupport
+    # doesn't come with this method and it is an easier
+    # way to get a random string that's good for tickets.
+    # Less code to maintain means less things we can break.
+    def self.urlsafe_base64(n=nil, padding=false)
+      s = [::SecureRandom.random_bytes(n)].pack("m*")
+      s.delete!("\n")
+      s.tr!("+/","-_")
+      s.delete!("=") if !padding
+      s
+    end
+  end
+end

data/lib/casserver/core_ext/string.rb ADDED Viewed

@@ -0,0 +1,22 @@
+require 'securerandom'
+module CASServer
+  module CoreExt
+    module String
+      def self.included(base)
+        base.extend(ClassMethods)
+      end
+      module ClassMethods
+        # if we're on ruby 1.9 we'll use the built in version
+        # this will break if someone trys to use ActiveSupport 3.2+
+        # with Ruby 1.8
+        def random(length = 29)
+          str = "#{Time.now.to_i}r#{SecureRandom.urlsafe_base64(length)}"
+          str.gsub!('_','-')
+          str[0..(length - 1)]
+        end
+      end
+    end
+  end
+end

data/lib/casserver/core_ext.rb ADDED Viewed

@@ -0,0 +1,12 @@
+require 'casserver/core_ext/string'
+# We only need to modify securerandom if we're using
+# ActiveSupport's implementation.
+if RUBY_VERSION < "1.9"
+  require 'securerandom'
+  require 'casserver/core_ext/securerandom'
+  SecureRandom.send(:include, CASServer::CoreExt::SecureRandom)
+end
+String.send(:include, CASServer::CoreExt::String)

data/lib/casserver/model/consumable.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# encoding: UTF-8
+module CASServer::Model
+  module Consumable
+    def consume!
+      self.consumed = Time.now
+      self.save!
+    end
+    def self.included(mod)
+      mod.extend(ClassMethods)
+    end
+    module ClassMethods
+      def cleanup(max_lifetime, max_unconsumed_lifetime)
+        transaction do
+          conditions = ["created_on < ? OR (consumed IS NULL AND created_on < ?)",
+                          Time.now - max_lifetime,
+                          Time.now - max_unconsumed_lifetime]
+          expired_tickets_count = count(:conditions => conditions)
+          $LOG.debug("Destroying #{expired_tickets_count} expired #{self.name.demodulize}"+
+            "#{'s' if expired_tickets_count > 1}.") if expired_tickets_count > 0
+          destroy_all(conditions)
+        end
+      end
+    end
+  end
+end

data/lib/casserver/model/ticket.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module CASServer::Model
+  module Ticket
+    def to_s
+      ticket
+    end
+    def self.cleanup(max_lifetime)
+      transaction do
+        conditions = ["created_on < ?", Time.now - max_lifetime]
+        expired_tickets_count = count(:conditions => conditions)
+        $LOG.debug("Destroying #{expired_tickets_count} expired #{self.name.demodulize}"+
+          "#{'s' if expired_tickets_count > 1}.") if expired_tickets_count > 0
+        destroy_all(conditions)
+      end
+    end
+  end
+end