synapse-rubycas-server 1.1.3alpha

data/public/themes/cas.css

@@ -0,0 +1,126 @@
+* {
+  font-family: Verdana, sans-serif;
+}
+
+body {
+    text-align: center; /* hack for IE */
+}
+
+label {
+  font-weight: bold;
+  font-size: 9px;
+}
+
+input {
+  font-weight: normal;
+  font-size: 12px;
+}
+
+input.button {
+  /*font-weight: bold;*/
+  font-size: 10px;
+}
+
+#login-box {
+  margin: 0 auto;
+  width: 350px;
+  top: 130px;
+  position: relative;
+}
+
+#headline-container {
+  text-align: right;
+  border-bottom: 1px solid #899989;
+  font-family: Tahoma, Verdana, sans-serif;
+  font-size: 22px;
+  margin-right: 0px;
+  padding-right: 7px;
+  margin-left: 10px;
+  letter-spacing: -0.25px;
+}
+
+#logo-container {
+  vertical-align: top;
+}
+
+#logo {
+}
+
+#login-form-container {
+  vertical-align: top;
+}
+
+#username,
+#password {
+  width: 10em;
+}
+
+#login-form {
+  padding: 20px;
+}
+
+
+#form-layout {
+  position: relative;
+  top: 6px;
+  width: 100%;
+}
+
+#form-layout td {
+  text-align: center;
+  padding-bottom: 8px;
+}
+
+#form-layout td#submit-container {
+  text-align: right;
+  padding-right: 10px;
+}
+
+#form-layout #username-label-container,
+#form-layout #password-label-container {
+  text-align: right;
+}
+
+
+#infoline {
+  font-size: 9px;
+}
+
+#messagebox-container {
+  padding-left: 11px;
+  padding-right: 16px;
+}
+
+div.messagebox {
+  font-size: 12px;
+  padding: 5px;
+  padding-left: 55px;
+  text-align: center;
+  width: 70%;
+  min-height: 34px;
+  vertical-align: middle;
+}
+
+div.mistake {
+  color: #d00;
+  background-image: url(warning.png);
+  background-repeat: no-repeat;
+  background-position: 10px 5px;
+  font-weight: bold;
+}
+
+div.confirmation {
+  color: #280;
+  background-image: url(ok.png);
+  background-repeat: no-repeat;
+  background-position: 10px 5px;
+  font-weight: bold;
+}
+
+div.notice {
+  color: #04c;
+  background-image: url(notice.png);
+  background-repeat: no-repeat;
+  background-position: 10px 5px;
+  font-weight: bold;
+}

data/public/themes/simple/theme.css

@@ -0,0 +1,28 @@
+body {
+  background-image: url(bg.png);
+}
+
+#headline-container {
+  margin-bottom: 5px;
+}
+
+#login-box {
+  margin: 0 auto;
+  width: 450px;
+  top: 110px;
+  position: relative;
+}
+
+#login-form {
+  background-color: #fff;
+  border: 1px #aaa solid;
+}
+
+#logo-container {
+  vertical-align: middle;
+}
+
+#logo {
+    width: 128px;
+    height: 128px;
+}

data/resources/init.d.sh

@@ -0,0 +1,58 @@
+#! /bin/sh
+#
+# Copyright (c) 2008 Urbacon Ltd.
+#
+# System startup script for the RubyCAS-Server
+#
+# Instructions:
+#   1. Rename this file to 'rubycas-server'
+#   2. Copy it to your '/etc/init.d' directory
+#   3. chmod +x /etc/init.d/rubycas-server
+#
+# chkconfig - 85 15
+# description: Provides single-sign-on authentication for web applications.
+#
+### BEGIN INIT INFO
+# Provides: rubycas-server
+# Required-Start: $syslog
+# Should-Start:
+# Required-Stop:  $syslog
+# Should-Stop:
+# Default-Start:  3 5
+# Default-Stop:   0 1 2 6
+# Description:    Start the RubyCAS-Server
+### END INIT INFO
+
+CASSERVER_CTL=rubycas-server-ctl
+
+# Gracefully exit if the controller is missing.
+which $CASSERVER_CTL > /dev/null || exit 0
+
+# Source config
+. /etc/rc.status
+
+rc_reset
+case "$1" in
+    start)
+        $CASSERVER_CTL start
+        rc_status -v
+        ;;
+    stop)
+        $CASSERVER_CTL stop
+        rc_status -v
+        ;;
+    restart)
+        $0 stop
+        $0 start
+        rc_status
+        ;;
+    status)
+        $CASSERVER_CTL status
+        rc_status -v
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|status|restart}"
+        exit 1
+        ;;
+esac
+rc_exit

data/spec/casserver/authenticators/active_resource_spec.rb

@@ -0,0 +1,116 @@
+# encoding: UTF-8
+require 'spec_helper'
+
+describe "CASServer::Authenticators::ActiveResource" do
+  before do
+    pending("Skip ActiveResource test due to missing gems") unless gem_available?("activeresource")
+    # Trigger autoload to load also Helpers module
+    # TODO this helper module should be inside activeresource namespace
+    CASServer::Authenticators::ActiveResource
+  end
+  describe "CASServer::Authenticators::Helpers::Identity" do
+    subject { CASServer::Authenticators::Helpers::Identity.new }
+
+    it { should be_an ActiveResource::Base }
+
+    it "class should respond to :authenticate" do
+      subject.class.should respond_to :authenticate
+    end
+
+    it "class should have a method_name accessor" do
+      CASServer::Authenticators::Helpers::Identity.method_name.should == :authenticate
+    end
+
+    it "class should have a method_name accessor" do
+      CASServer::Authenticators::Helpers::Identity.method_type.should == :post
+    end
+
+    it "class method_type accessor should validate type" do
+      expect {
+        CASServer::Authenticators::Helpers::Identity.method_type = :foo
+      }.to raise_error(ArgumentError)
+    end
+
+  end
+
+  describe "CASServer::Authenticators::ActiveResource" do
+
+    describe "#setup" do
+
+      it "should configure the identity object" do
+        CASServer::Authenticators::Helpers::Identity.should_receive(:user=).with('httpuser').once
+        CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :user => 'httpuser'
+      end
+
+      it "should configure the method_type" do
+        CASServer::Authenticators::Helpers::Identity.should_receive(:method_type=).with('get').once
+        CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :method_type => 'get'
+      end
+
+      it "should raise if site option is missing" do
+        expect {
+          CASServer::Authenticators::ActiveResource.setup({}).should
+        }.to raise_error(CASServer::AuthenticatorError, /site option/)
+      end
+    end
+
+    describe "#validate" do
+
+      let(:credentials) { {:username => 'validusername',
+                           :password => 'validpassword',
+                           :service => 'test.service'} }
+
+      let(:auth) { CASServer::Authenticators::ActiveResource.new }
+
+      def mock_authenticate identity = nil
+        identity = CASServer::Authenticators::Helpers::Identity.new if identity.nil?
+        CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_return(identity)
+      end
+
+      def sample_identity attrs = {}
+        identity = CASServer::Authenticators::Helpers::Identity.new
+        attrs.each { |k,v| identity.send "#{k}=", v }
+        identity
+      end
+
+      it "should call Identity#autenticate with the given params" do
+        CASServer::Authenticators::Helpers::Identity.should_receive(:authenticate).with(credentials).once
+        auth.validate(credentials)
+      end
+
+      it "should return identity object attributes as extra attributes" do
+        auth.configure({}.with_indifferent_access)
+        identity = sample_identity({:email => 'foo@example.org'})
+        mock_authenticate identity
+        auth.validate(credentials).should be_true
+        auth.extra_attributes.should == identity.attributes
+      end
+
+      it "should return false when http raises" do
+        CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_raise(ActiveResource::ForbiddenAccess.new({}))
+        auth.validate(credentials).should be_false
+      end
+
+      it "should apply extra_attribute filter" do
+        auth.configure({ :extra_attributes => 'age'}.with_indifferent_access)
+        mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+        auth.validate(credentials).should be_true
+        auth.extra_attributes.should == { "age" => "28" }
+      end
+
+      it "should only extract not filtered attributes" do
+        auth.configure({ :filter_attributes => 'age'}.with_indifferent_access)
+        mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+        auth.validate(credentials).should be_true
+        auth.extra_attributes.should == { "email" => 'foo@example.org' }
+      end
+
+      it "should filter password if filter attributes is not given" do
+        auth.configure({}.with_indifferent_access)
+        mock_authenticate sample_identity({ :email => 'foo@example.org', :password => 'secret' })
+        auth.validate(credentials).should be_true
+        auth.extra_attributes.should == { "email" => 'foo@example.org' }
+      end
+    end
+  end
+end

data/spec/casserver/authenticators/ldap_spec.rb

@@ -0,0 +1,57 @@
+# encoding: UTF-8
+require 'spec_helper'
+
+describe "CASServer::Authenticators::LDAP" do
+  before do
+    pending("Skip LDAP test due to missing gems") unless gem_available?("net-ldap")
+
+    if $LOG.nil?
+      load_server('default_config') # a lazy way to make sure the logger is set up
+    end
+    # Trigger autoload to load net ldap
+    CASServer::Authenticators::LDAP
+
+    @ldap_entry = mock(Net::LDAP::Entry.new)
+    @ldap_entry.stub!(:[]).and_return("Test")
+
+    @ldap = mock(Net::LDAP)
+    @ldap.stub!(:host=)
+    @ldap.stub!(:port=)
+    @ldap.stub!(:encryption)
+    @ldap.stub!(:bind_as).and_return(true)
+    @ldap.stub!(:authenticate).and_return(true)
+    @ldap.stub!(:search).and_return([@ldap_entry])
+
+    Net::LDAP.stub!(:new).and_return(@ldap)
+  end
+
+  describe '#validate' do
+
+    it 'validate with preauthentication and with extra attributes' do
+      auth = CASServer::Authenticators::LDAP.new
+
+      auth_config = HashWithIndifferentAccess.new(
+        :ldap => {
+          :host => "ad.example.net",
+          :port => 389,
+          :base => "dc=example,dc=net",
+          :filter => "(objectClass=person)",
+          :auth_user => "authenticator",
+          :auth_password => "itsasecret"
+        },
+        :extra_attributes => [:full_name, :address]
+      )
+
+      auth.configure(auth_config.merge('auth_index' => 0))
+      auth.validate(
+        :username => 'validusername',
+        :password => 'validpassword',
+        :service =>  'test.service',
+        :request => {}
+      ).should == true
+
+      auth.extra_attributes.should == {:full_name => 'Test', :address => 'Test'}
+    end
+
+  end
+end

data/spec/casserver/cas_spec.rb

@@ -0,0 +1,148 @@
+require 'spec_helper'
+
+module CASServer; end
+require 'casserver/cas'
+require 'nokogiri'
+require 'cgi'
+
+describe CASServer::CAS do
+  before do
+    load_server("default_config")
+    @klass = Class.new {
+      include CASServer::CAS
+    }
+    @client_hostname = 'myhost.test'
+    @host = @klass.new
+    @host.instance_variable_set(:@env, {
+      'REMOTE_HOST' => @client_hostname
+    })
+  end
+
+  describe "#generate_login_ticket" do
+    before do
+      @lt = @host.generate_login_ticket
+    end
+
+    it "should return a login ticket" do
+      @lt.class.should == CASServer::Model::LoginTicket
+    end
+
+    it "should set the client_hostname" do
+      @lt.client_hostname.should == @client_hostname
+    end
+
+    it "should set the ticket string" do
+      @lt.ticket.should_not be_nil
+    end
+
+    it "SHOULD set the ticket string starting with 'LT'" do
+      @lt.ticket.should match /^LT/
+    end
+
+    it "should not mark the ticket as consumed" do
+      @lt.consumed.should be_nil
+    end
+  end
+
+  describe "#generate_ticket_granting_ticket(username, extra_attributes = {})" do
+    before do
+      @username = 'myuser'
+      @tgt = @host.generate_ticket_granting_ticket(@username)
+    end
+
+    it "should return a TicketGrantingTicket" do
+      @tgt.class.should == CASServer::Model::TicketGrantingTicket
+    end
+
+    it "should set the tgt's ticket string" do
+      @tgt.ticket.should_not be_nil
+    end
+
+    it "should generate a ticket string starting with 'TGC'" do
+      @tgt.ticket.should match /^TGC/
+    end
+
+    it "should set the tgt's username string" do
+      @tgt.username.should == @username
+    end
+
+    it "should set the tgt's client_hostname" do
+      @tgt.client_hostname.should == @client_hostname
+    end
+  end
+
+  describe "#generate_service_ticket(service, username, tgt)" do
+    before do
+      @username = 'testuser'
+      @service = 'myservice.test'
+      @tgt = double(CASServer::Model::TicketGrantingTicket)
+      @tgt.stub(:id => rand(10000))
+      @st = @host.generate_service_ticket(@service, @username, @tgt)
+    end
+
+    it "should return a ServiceTicket" do
+      @st.class.should == CASServer::Model::ServiceTicket
+    end
+
+    it "should not include the service identifer in the ticket string" do
+      @st.ticket.should_not match /#{@service}/
+    end
+
+    it "should not mark the ST as consumed" do
+      @st.consumed.should be_nil
+    end
+
+    it "MUST generate a ticket that starts with 'ST-'" do
+      @st.ticket.should match /^ST-/
+    end
+
+    it "should assoicate the ST with the supplied TGT" do
+      @st.granted_by_tgt_id.should == @tgt.id
+    end
+  end
+
+  describe "#generate_proxy_ticket(target_service, pgt)" do
+    before do
+      @target_service = 'remoteservice.test'
+      @st = CASServer::Model::ServiceTicket.new({
+        :username => 'joe',
+        :granted_by_tgt_id => rand(10000)
+      })
+      @pgt = double(CASServer::Model::ProxyGrantingTicket)
+      @pgt.stub({
+        :id => rand(10000),
+        :service_ticket => @st,
+        :ticket => 'some ticket'
+      })
+      @pt = @host.generate_proxy_ticket(@target_service, @pgt)
+    end
+
+    it "should return a ProxyGrantingTicket" do
+      @pt.class.should == CASServer::Model::ProxyTicket
+    end
+
+    it "should not consume the generated ticket" do
+      @pt.consumed.should be_nil
+    end
+
+    it "should start the ticket string with PT-" do
+      @pt.ticket.should match /^PT-/
+    end
+  end
+
+  describe "#send_logout_notification_for_service_ticket(st)" do
+    it "should send valid single sign out XML to the service URL" do
+      service_stub = stub_request(:post, 'http://example.com')
+      st = CASServer::Model::ServiceTicket.new(
+        :ticket => 'ST-0123456789ABCDEFGHIJKLMNOPQRS',
+        :service => 'http://example.com'
+      )
+      @host.send_logout_notification_for_service_ticket(st)
+
+      a_request(:post, 'example.com').with{ |req|
+        xml = CGI.parse(req.body)['logoutRequest'].first
+        Nokogiri::XML(xml).at_xpath('//samlp:SessionIndex').text.strip == st.ticket
+      }.should have_been_made
+    end
+  end
+end

data/spec/casserver/model_spec.rb

@@ -0,0 +1,42 @@
+# encoding: UTF-8
+require 'spec_helper'
+
+module CASServer
+end
+require 'casserver/model'
+
+describe CASServer::Model::LoginTicket, '.cleanup(max_lifetime, max_unconsumed_lifetime)' do
+  let(:max_lifetime) { -1 }
+  let(:max_unconsumed_lifetime) { -2 }
+
+  before do
+    load_server("default_config")
+    reset_spec_database
+    
+    CASServer::Model::LoginTicket.create :ticket => 'test', :client_hostname => 'test.local'
+  end
+
+  it 'should destroy all tickets created before the max lifetime' do
+    expect {
+      CASServer::Model::LoginTicket.cleanup(max_lifetime, max_unconsumed_lifetime)
+    }.to change(CASServer::Model::LoginTicket, :count).by(-1)
+  end
+
+  it 'should destroy all unconsumed tickets not exceeding the max lifetime' do
+    expect {
+      CASServer::Model::LoginTicket.cleanup(max_lifetime, max_unconsumed_lifetime)
+    }.to change(CASServer::Model::LoginTicket, :count).by(-1)
+  end
+end
+
+describe CASServer::Model::LoginTicket, '#to_s' do
+  let(:ticket) { 'test' }
+
+  before do
+    @login_ticket = CASServer::Model::LoginTicket.new :ticket => ticket
+  end
+
+  it 'should delegate #to_s to #ticket' do
+    @login_ticket.to_s.should == ticket
+  end
+end

data/spec/casserver/utils_spec.rb

@@ -0,0 +1,24 @@
+# encoding: UTF-8
+require 'spec_helper'
+
+module CASServer
+end
+require 'casserver/utils'
+
+describe CASServer::Utils, '#log_controller_action(controller, params)' do
+  let(:params) { {} }
+  let(:params_with_password) { { 'password' => 'test' } }
+  let(:params_with_password_filtered) { { 'password' => '******' } }
+
+  it 'should log the controller action' do
+    $LOG.should_receive(:debug).with 'Processing application::instance_eval {}'
+
+    subject.log_controller_action('application', params)
+  end
+
+  it 'should filter password parameters in the log' do
+    $LOG.should_receive(:debug).with "Processing application::instance_eval #{params_with_password_filtered.inspect}"
+
+    subject.log_controller_action('application', params_with_password)
+  end
+end