synapse-rubycas-server 1.1.4.pre → 1.1.4

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ODQxZTBlYWM3YTJkNWIwMTYyNTc3OGM4OGNjMmJkYjE5YzA5MjVkZQ==
+  data.tar.gz: !binary |-
+    OGY5NmJjMGIyOGNjOGQ1NDMxODE0YTRjMTljNTRkMTM3NmU5Y2VkZg==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    ZmQ3MjNmNGE0MjY1NGU4ZDk1ZTBkNDg0Nzk3YjNmODRhNTc3ODQxMWQyNTU1
+    NjgyNGQ2NDI1YzM3YTIzODAxZjZjY2Q5NmVkNDBhNjUyNTJiYWQ1NWY3NmM5
+    Yjg1N2FjNTMyNDIxMTM2ZDA3M2M4ZmE0ZWNkNTRlY2I4N2U5MDE=
+  data.tar.gz: !binary |-
+    NzQzMjMyN2YyMjI0MTEyNGRkM2U3YzRkNTRjOGFiNDI0Y2YxMTNjZTYxMmYy
+    NDlmMjAyYjUxODc5ZjVlZjhjYmNlMTQ0MjI0ZDJlNmI1OGI3NjgzYjUzMWJl
+    ZDZhMzEwNTlhOGI2ODAwOWEyZGI0ZGE0OWUzNTM3NmRmNzNiYzk=

data/Gemfile

@@ -1,29 +1,10 @@
 source "http://rubygems.org"
+gemspec
 
-gem 'appraisal'
-gem 'synapse-rubycas-server', "1.1.4"
-gem "mysql2"
-gem 'activerecord-mysql2-adapter'
-gem "activerecord"
-gem "activesupport"
-gem "sinatra"
-gem "sinatra-r18n"
-gem 'puma', "~> 2.1.1"
-gem "newrelic_rpm"
-gem "rake", "~> 10.0.4"
-
-group :development do
-  gem 'capistrano-ext'
-  gem 'capistrano_colors'
-  gem 'capistrano-rbenv'
-  gem 'capistrano-unicorn', :require => false
-  gem 'foreman'
-  gem 'hipchat'
-end
 
 # Gems for authenticators
 group :ldap do
-  gem "net-ldap", "~> 0.1.1"
+    gem "net-ldap", "~> 0.1.1"
 end
 
 group :active_resource do

data/Rakefile

@@ -1,9 +1,3 @@
 require 'appraisal'
 Dir['tasks/**/*.rake'].each { |rake| load rake }
 task :default => :spec
-
-
-desc "Open an irb session preloaded with this library"
-task :console do
-  sh "irb -rubygems -I lib -r casserver.rb"
-end

data/bin/rubycas-server

@@ -1,16 +1,30 @@
-#!/usr/bin/env ruby-local-exec
-#
-# This file was generated by Bundler.
-#
-# The application 'rubycas-server' is installed as part of a gem, and
-# this file is here to facilitate running it.
-#
+#!/usr/bin/env ruby
 
-require 'pathname'
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path("../../Gemfile",
-  Pathname.new(__FILE__).realpath)
+# Enables UTF-8 compatibility in ruby 1.8.
+$KCODE = 'u' if RUBY_VERSION < '1.9'
 
 require 'rubygems'
-require 'bundler/setup'
 
-load Gem.bin_path('rubycas-server', 'rubycas-server')
+$:.unshift File.dirname(__FILE__) + "/../lib"
+
+if ARGV.join.match('--debugger')
+  require 'ruby-debug'
+  puts
+  puts "=> Debugger Enabled"
+end
+
+if ARGV.join.match('-c')
+  c = ARGV.join.match(/-c\s*([^\s]+)/)
+  if (c && c[1])
+    ENV['CONFIG_FILE'] = c[1]
+    puts
+    puts "=> Using custom config file #{ENV['CONFIG_FILE'].inspect}"
+  else
+    $stderr.puts("To specify a custom config file use `rubycas-server -c path/to/config_file_name.yml`.")
+    exit
+  end
+end
+
+require 'casserver'
+
+CASServer::Server.run!

data/config.ru

@@ -1,6 +1,5 @@
 require 'rubygems'
-require 'bundler'
-Bundler.require
+require 'bundler/setup'
 
 $:.unshift "#{File.dirname(__FILE__)}/lib"
 require "casserver"

data/config/unicorn.rb

@@ -0,0 +1,88 @@
+# Sample configuration file for Unicorn (not Rack)
+#
+# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete
+# documentation.
+SINATRA_ROOT = `pwd`.strip
+
+# Use at least one worker per core if you're on a dedicated server,
+# more will usually help for _short_ waits on databases/caches.
+worker_processes 3
+
+# Help ensure your application will always spawn in the symlinked
+# "current" directory that Capistrano sets up.
+working_directory SINATRA_ROOT # available in 0.94.0+
+
+# listen on both a Unix domain socket and a TCP port,
+# we use a shorter backlog for quicker failover when busy
+# listen "/tmp/.sock", :backlog => 64
+listen 18889, :tcp_nopush => true
+
+# nuke workers after 30 seconds instead of 60 seconds (the default)
+timeout 30
+
+# feel free to point this anywhere accessible on the filesystem
+
+pid "#{SINATRA_ROOT}/tmp/pids/unicorn.pid"
+
+# relative_path "/test_platform"
+# some applications/frameworks log to stderr or stdout, so prevent
+# them from going to /dev/null when daemonized here:
+stderr_path "#{SINATRA_ROOT}/log/unicorn.stderr.log"
+stdout_path "#{SINATRA_ROOT}/log/unicorn.stdout.log"
+
+# combine REE with "preload_app true" for memory savings
+# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
+preload_app false
+GC.respond_to?(:copy_on_write_friendly=) and
+  GC.copy_on_write_friendly = true
+
+before_fork do |server, worker|
+  # the following is highly recomended for Rails + "preload_app true"
+  # as there's no need for the master process to hold a connection
+  # defined?(ActiveRecord::Base) and
+  #   ActiveRecord::Base.connection.disconnect!
+
+  # The following is only recommended for memory/DB-constrained
+  # installations.  It is not needed if your system can house
+  # twice as many worker_processes as you have configured.
+  #
+  # # This allows a new master process to incrementally
+  # # phase out the old master process with SIGTTOU to avoid a
+  # # thundering herd (especially in the "preload_app false" case)
+  # # when doing a transparent upgrade.  The last worker spawned
+  # # will then kill off the old master process with a SIGQUIT.
+  old_pid = "#{server.config[:pid]}.oldbin"
+  
+  puts 'pid:'
+  puts '-------------------'
+  puts server.pid
+  puts old_pid
+  puts '---------------------'
+  
+  if old_pid != server.pid
+    begin
+      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
+      Process.kill(sig, File.read(old_pid).to_i)
+    rescue Errno::ENOENT, Errno::ESRCH
+    end
+  end
+  #
+  # # *optionally* throttle the master from forking too quickly by sleeping
+  sleep 1
+end
+
+after_fork do |server, worker|
+  # per-process listener ports for debugging/admin/migrations
+  # addr = "127.0.0.1:#{9293 + worker.nr}"
+  # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
+
+  # the following is *required* for Rails + "preload_app true",
+  # defined?(ActiveRecord::Base) and
+  #   ActiveRecord::Base.establish_connection
+
+  # if preload_app is true, then you may also want to check and
+  # restart any other shared sockets/descriptors such as Memcached,
+  # and Redis.  TokyoCabinet file handles are safe to reuse
+  # between any number of forked children (assuming your kernel
+  # correctly implements pread()/pwrite() system calls)
+end

data/lib/casserver.rb

@@ -3,10 +3,9 @@ module CASServer; end
 require 'active_record'
 require 'active_support'
 require 'sinatra/base'
+require 'casserver/core_ext/directory_user'
 require 'builder' # for XML views
 require 'logger'
-require 'net/ldap'
-require 'casserver/core_ext/directory_user'
 $LOG = Logger.new(STDOUT)
 
 require 'casserver/authenticators/base'

data/lib/casserver/cas.rb

@@ -34,332 +34,6 @@ module CASServer::CAS
     tgt.ticket = "TGC-" + String.random
     tgt.username = username
     tgt.extra_attributes = extra_attributes
-    tgt.expires = (Time.now + 2.weeks).strftime("%a, %d-%b-%Y %H:%M:%S GMT")
-    tgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
-    tgt.save!
-    $LOG.debug("Generated ticket granting ticket '#{tgt.ticket}' for user" +
-      " '#{tgt.username}' at '#{tgt.client_hostname}' with expiration of '#{tgt.expires}'" +
-      (extra_attributes.blank? ? "" : " with extra attributes #{extra_attributes.inspect}"))
-    tgt
-  end
-
-  def generate_service_ticket(service, username, tgt)
-    # 3.1 (service ticket)
-    st = ServiceTicket.new
-    st.ticket = "ST-" + String.random
-    st.service = service
-    st.username = username
-    st.granted_by_tgt_id = tgt.id
-    st.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
-    st.save!
-    $LOG.debug("Generated service ticket '#{st.ticket}' for service '#{st.service}'" +
-      " for user '#{st.username}' at '#{st.client_hostname}'")
-    st
-  end
-
-  def generate_proxy_ticket(target_service, pgt)
-    # 3.2 (proxy ticket)
-    pt = ProxyTicket.new
-    pt.ticket = "PT-" + String.random
-    pt.service = target_service
-    pt.username = pgt.service_ticket.username
-    pt.granted_by_pgt_id = pgt.id
-    pt.granted_by_tgt_id = pgt.service_ticket.granted_by_tgt_id
-    pt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
-    pt.save!
-    $LOG.debug("Generated proxy ticket '#{pt.ticket}' for target service '#{pt.service}'" +
-      " for user '#{pt.username}' at '#{pt.client_hostname}' using proxy-granting" +
-      " ticket '#{pgt.ticket}'")
-    pt
-  end
-
-  def generate_proxy_granting_ticket(pgt_url, st)
-    uri = URI.parse(pgt_url)
-    https = Net::HTTP.new(uri.host,uri.port)
-    https.use_ssl = true
-
-    # Here's what's going on here:
-    #
-    #   1. We generate a ProxyGrantingTicket (but don't store it in the database just yet)
-    #   2. Deposit the PGT and it's associated IOU at the proxy callback URL.
-    #   3. If the proxy callback URL responds with HTTP code 200, store the PGT and return it;
-    #      otherwise don't save it and return nothing.
-    #
-    https.start do |conn|
-      path = uri.path.empty? ? '/' : uri.path
-      path += '?' + uri.query unless (uri.query.nil? || uri.query.empty?)
-
-      pgt = ProxyGrantingTicket.new
-      pgt.ticket = "PGT-" + String.random(60)
-      pgt.iou = "PGTIOU-" + String.random(57)
-      pgt.service_ticket_id = st.id
-      pgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
-
-      # FIXME: The CAS protocol spec says to use 'pgt' as the parameter, but in practice
-      #         the JA-SIG and Yale server implementations use pgtId. We'll go with the
-      #         in-practice standard.
-      path += (uri.query.nil? || uri.query.empty? ? '?' : '&') + "pgtId=#{pgt.ticket}&pgtIou=#{pgt.iou}"
-
-      response = conn.request_get(path)
-      # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
-      # NOTE: The following response codes are valid according to the JA-SIG implementation even without following redirects
-
-      if %w(200 202 301 302 304).include?(response.code)
-        # 3.4 (proxy-granting ticket IOU)
-        pgt.save!
-        $LOG.debug "PGT generated for pgt_url '#{pgt_url}': #{pgt.inspect}"
-        pgt
-      else
-        $LOG.warn "PGT callback server responded with a bad result code '#{response.code}'. PGT will not be stored."
-        nil
-      end
-    end
-  end
-
-  def validate_login_ticket(ticket)
-    $LOG.debug("Validating login ticket '#{ticket}'")
-
-    success = false
-    if ticket.nil?
-      error = t.error.no_login_ticket
-      $LOG.warn "Missing login ticket."
-    elsif lt = LoginTicket.find_by_ticket(ticket)
-      if lt.consumed?
-        error = t.error.login_ticket_already_used
-        $LOG.warn "Login ticket '#{ticket}' previously used up"
-      elsif Time.now - lt.created_on < settings.config[:maximum_unused_login_ticket_lifetime]
-        $LOG.info "Login ticket '#{ticket}' successfully validated"
-      else
-        error = t.error.login_timeout
-        $LOG.warn "Expired login ticket '#{ticket}'"
-      end
-    else
-      error = t.error.invalid_login_ticket
-      $LOG.warn "Invalid login ticket '#{ticket}'"
-    end
-
-    lt.consume! if lt
-
-    error
-  end
-
-  def validate_ticket_granting_ticket(ticket)
-    $LOG.debug("Validating ticket granting ticket '#{ticket}'")
-
-    if ticket.nil?
-      error = "No ticket granting ticket given."
-      $LOG.debug error
-    elsif tgt = TicketGrantingTicket.find_by_ticket(ticket)
-      if settings.config[:maximum_session_lifetime] && Time.now - tgt.created_on > settings.config[:maximum_session_lifetime]
-	tgt.destroy
-        error = "Your session has expired. Please log in again."
-        $LOG.info "Ticket granting ticket '#{ticket}' for user '#{tgt.username}' expired."
-      else
-        $LOG.info "Ticket granting ticket '#{ticket}' for user '#{tgt.username}' successfully validated."
-      end
-    else
-      error = "Invalid ticket granting ticket '#{ticket}' (no matching ticket found in the database)."
-      $LOG.warn(error)
-    end
-
-    [tgt, error]
-  end
-
-  def validate_service_ticket(service, ticket, allow_proxy_tickets = false)
-    $LOG.debug "Validating service/proxy ticket '#{ticket}' for service '#{service}'"
-
-    if service.nil? or ticket.nil?
-      error = Error.new(:INVALID_REQUEST, "Ticket or service parameter was missing in the request.")
-      $LOG.warn "#{error.code} - #{error.message}"
-    elsif st = ServiceTicket.find_by_ticket(ticket)
-      if st.consumed?
-        error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' has already been used up.")
-        $LOG.warn "#{error.code} - #{error.message}"
-      elsif st.kind_of?(CASServer::Model::ProxyTicket) && !allow_proxy_tickets
-        error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' is a proxy ticket, but only service tickets are allowed here.")
-        $LOG.warn "#{error.code} - #{error.message}"
-      elsif Time.now - st.created_on > settings.config[:maximum_unused_service_ticket_lifetime]
-        error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' has expired.")
-        $LOG.warn "Ticket '#{ticket}' has expired."
-      elsif !st.matches_service? service
-        error = Error.new(:INVALID_SERVICE, "The ticket '#{ticket}' belonging to user '#{st.username}' is valid,"+
-          " but the requested service '#{service}' does not match the service '#{st.service}' associated with this ticket.")
-        $LOG.warn "#{error.code} - #{error.message}"
-      else
-        $LOG.info("Ticket '#{ticket}' for service '#{service}' for user '#{st.username}' successfully validated.")
-      end
-    else
-      error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' not recognized.")
-      $LOG.warn("#{error.code} - #{error.message}")
-    end
-
-    if st
-      st.consume!
-    end
-
-
-    [st, error]
-  end
-
-  def validate_proxy_ticket(service, ticket)
-    pt, error = validate_service_ticket(service, ticket, true)
-
-    if pt.kind_of?(CASServer::Model::ProxyTicket) && !error
-      if not pt.granted_by_pgt
-        error = Error.new(:INTERNAL_ERROR, "Proxy ticket '#{pt}' belonging to user '#{pt.username}' is not associated with a proxy granting ticket.")
-      elsif not pt.granted_by_pgt.service_ticket
-        error = Error.new(:INTERNAL_ERROR, "Proxy granting ticket '#{pt.granted_by_pgt}'"+
-          " (associated with proxy ticket '#{pt}' and belonging to user '#{pt.username}' is not associated with a service ticket.")
-      end
-    end
-
-    [pt, error]
-  end
-
-  def validate_proxy_granting_ticket(ticket)
-    if ticket.nil?
-      error = Error.new(:INVALID_REQUEST, "pgt parameter was missing in the request.")
-      $LOG.warn("#{error.code} - #{error.message}")
-    elsif pgt = ProxyGrantingTicket.find_by_ticket(ticket)
-      if pgt.service_ticket
-        $LOG.info("Proxy granting ticket '#{ticket}' belonging to user '#{pgt.service_ticket.username}' successfully validated.")
-      else
-        error = Error.new(:INTERNAL_ERROR, "Proxy granting ticket '#{ticket}' is not associated with a service ticket.")
-        $LOG.error("#{error.code} - #{error.message}")
-      end
-    else
-      error = Error.new(:BAD_PGT, "Invalid proxy granting ticket '#{ticket}' (no matching ticket found in the database).")
-      $LOG.warn("#{error.code} - #{error.message}")
-    end
-
-    [pgt, error]
-  end
-
-  # Takes an existing ServiceTicket object (presumably pulled from the database)
-  # and sends a POST with logout information to the service that the ticket
-  # was generated for.
-  #
-  # This makes possible the "single sign-out" functionality added in CAS 3.1.
-  # See http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out
-  def send_logout_notification_for_service_ticket(st)
-    uri = URI.parse(st.service)
-    uri.path = '/' if uri.path.empty?
-    time = Time.now
-    rand = String.random
-    path = uri.path
-    req = Net::HTTP::Post.new(path)
-    req.set_form_data('logoutRequest' => %{<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="#{rand}" Version="2.0" IssueInstant="#{time.rfc2822}">
- <saml:NameID></saml:NameID>
- <samlp:SessionIndex>#{st.ticket}</samlp:SessionIndex>
- </samlp:LogoutRequest>})
-
-    begin
-      http = Net::HTTP.new(uri.host, uri.port)
-      http.use_ssl = true if uri.scheme =='https'
-
-      http.start do |conn|
-        response = conn.request(req)
-        if response.kind_of? Net::HTTPSuccess
-          $LOG.info "Logout notification successfully posted to #{st.service.inspect}."
-          return true
-        else
-          $LOG.error "Service #{st.service.inspect} responed to logout notification with code '#{response.code}'!"
-          return false
-        end
-      end
-    rescue Exception => e
-      $LOG.error "Failed to send logout notification to service #{st.service.inspect} due to #{e}"
-      return false
-    end
-  end
-
-  def service_uri_with_ticket(service, st)
-    raise ArgumentError, "Second argument must be a ServiceTicket!" unless st.kind_of? CASServer::Model::ServiceTicket
-
-    # This will choke with a URI::InvalidURIError if service URI is not properly URI-escaped...
-    # This exception is handled further upstream (i.e. in the controller).
-    service_uri = URI.parse(service)
-
-    if service.include? "?"
-      if service_uri.query.empty?
-        query_separator = ""
-      else
-        query_separator = "&"
-      end
-    else
-      query_separator = "?"
-    end
-
-    service_with_ticket = service + query_separator + "ticket=" + st.ticket
-    service_with_ticket
-  end
-
-  # Strips CAS-related parameters from a service URL and normalizes it,
-  # removing trailing / and ?. Also converts any spaces to +.
-  #
-  # For example, "http://google.com?ticket=12345" will be returned as
-  # "http://google.com". Also, "http://google.com/" would be returned as
-  # "http://google.com".
-  #
-  # Note that only the first occurance of each CAS-related parameter is
-  # removed, so that "http://google.com?ticket=12345&ticket=abcd" would be
-  # returned as "http://google.com?ticket=abcd".
-  def clean_service_url(dirty_service)
-    return dirty_service if dirty_service.blank?
-    clean_service = dirty_service.dup
-    ['service', 'ticket', 'gateway', 'renew'].each do |p|
-      clean_service.sub!(Regexp.new("&?#{p}=[^&]*"), '')
-    end
-
-    clean_service.gsub!(/[\/\?&]$/, '') # remove trailing ?, /, or &
-    clean_service.gsub!('?&', '?')
-    clean_service.gsub!(' ', '+')
-
-    $LOG.debug("Cleaned dirty service URL #{dirty_service.inspect} to #{clean_service.inspect}") if
-      dirty_service != clean_service
-
-    return clean_service
-  end
-  module_function :clean_service_url
-
-end
-require 'uri'
-require 'net/https'
-
-require 'casserver/model'
-require 'casserver/core_ext'
-
-# Encapsulates CAS functionality. This module is meant to be included in
-# the CASServer::Controllers module.
-module CASServer::CAS
-
-  include CASServer::Model
-
-  def generate_login_ticket
-    # 3.5 (login ticket)
-    lt = LoginTicket.new
-    lt.ticket = "LT-" + String.random
-
-    lt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
-    lt.save!
-    $LOG.debug("Generated login ticket '#{lt.ticket}' for client" +
-      " at '#{lt.client_hostname}'")
-    lt
-  end
-
-  # Creates a TicketGrantingTicket for the given username. This is done when the user logs in
-  # for the first time to establish their SSO session (after their credentials have been validated).
-  #
-  # The optional 'extra_attributes' parameter takes a hash of additional attributes
-  # that will be sent along with the username in the CAS response to subsequent
-  # validation requests from clients.
-  def generate_ticket_granting_ticket(username, extra_attributes = {})
-    # 3.6 (ticket granting cookie/ticket)
-    tgt = TicketGrantingTicket.new
-    tgt.ticket = "TGC-" + String.random
-    tgt.username = username
-    tgt.extra_attributes = extra_attributes
-    # tgt.expires = (Time.now + 2.weeks).strftime("%a, %d-%b-%Y %H:%M:%S GMT")
     tgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
     tgt.save!
     $LOG.debug("Generated ticket granting ticket '#{tgt.ticket}' for user" +
@@ -413,7 +87,7 @@ module CASServer::CAS
     https.start do |conn|
       path = uri.path.empty? ? '/' : uri.path
       path += '?' + uri.query unless (uri.query.nil? || uri.query.empty?)
-
+      
       pgt = ProxyGrantingTicket.new
       pgt.ticket = "PGT-" + String.random(60)
       pgt.iou = "PGTIOU-" + String.random(57)
@@ -428,7 +102,7 @@ module CASServer::CAS
       response = conn.request_get(path)
       # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
       # NOTE: The following response codes are valid according to the JA-SIG implementation even without following redirects
-
+      
       if %w(200 202 301 302 304).include?(response.code)
         # 3.4 (proxy-granting ticket IOU)
         pgt.save!
@@ -577,11 +251,11 @@ module CASServer::CAS
  <saml:NameID></saml:NameID>
  <samlp:SessionIndex>#{st.ticket}</samlp:SessionIndex>
  </samlp:LogoutRequest>})
-
+ 
     begin
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = true if uri.scheme =='https'
-
+      
       http.start do |conn|
         response = conn.request(req)
         if response.kind_of? Net::HTTPSuccess