synapses-cas 0.1.0

data/config/unicorn.rb

@@ -0,0 +1,88 @@
+# Sample configuration file for Unicorn (not Rack)
+#
+# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete
+# documentation.
+SINATRA_ROOT = `pwd`.strip
+
+# Use at least one worker per core if you're on a dedicated server,
+# more will usually help for _short_ waits on databases/caches.
+worker_processes 3
+
+# Help ensure your application will always spawn in the symlinked
+# "current" directory that Capistrano sets up.
+working_directory SINATRA_ROOT # available in 0.94.0+
+
+# listen on both a Unix domain socket and a TCP port,
+# we use a shorter backlog for quicker failover when busy
+# listen "/tmp/.sock", :backlog => 64
+listen 18889, :tcp_nopush => true
+
+# nuke workers after 30 seconds instead of 60 seconds (the default)
+timeout 30
+
+# feel free to point this anywhere accessible on the filesystem
+
+pid "#{SINATRA_ROOT}/tmp/pids/unicorn.pid"
+
+# relative_path "/test_platform"
+# some applications/frameworks log to stderr or stdout, so prevent
+# them from going to /dev/null when daemonized here:
+stderr_path "#{SINATRA_ROOT}/log/unicorn.stderr.log"
+stdout_path "#{SINATRA_ROOT}/log/unicorn.stdout.log"
+
+# combine REE with "preload_app true" for memory savings
+# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
+preload_app false
+GC.respond_to?(:copy_on_write_friendly=) and
+  GC.copy_on_write_friendly = true
+
+before_fork do |server, worker|
+  # the following is highly recomended for Rails + "preload_app true"
+  # as there's no need for the master process to hold a connection
+  # defined?(ActiveRecord::Base) and
+  #   ActiveRecord::Base.connection.disconnect!
+
+  # The following is only recommended for memory/DB-constrained
+  # installations.  It is not needed if your system can house
+  # twice as many worker_processes as you have configured.
+  #
+  # # This allows a new master process to incrementally
+  # # phase out the old master process with SIGTTOU to avoid a
+  # # thundering herd (especially in the "preload_app false" case)
+  # # when doing a transparent upgrade.  The last worker spawned
+  # # will then kill off the old master process with a SIGQUIT.
+  old_pid = "#{server.config[:pid]}.oldbin"
+  
+  puts 'pid:'
+  puts '-------------------'
+  puts server.pid
+  puts old_pid
+  puts '---------------------'
+  
+  if old_pid != server.pid
+    begin
+      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
+      Process.kill(sig, File.read(old_pid).to_i)
+    rescue Errno::ENOENT, Errno::ESRCH
+    end
+  end
+  #
+  # # *optionally* throttle the master from forking too quickly by sleeping
+  sleep 1
+end
+
+after_fork do |server, worker|
+  # per-process listener ports for debugging/admin/migrations
+  # addr = "127.0.0.1:#{9293 + worker.nr}"
+  # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
+
+  # the following is *required* for Rails + "preload_app true",
+  # defined?(ActiveRecord::Base) and
+  #   ActiveRecord::Base.establish_connection
+
+  # if preload_app is true, then you may also want to check and
+  # restart any other shared sockets/descriptors such as Memcached,
+  # and Redis.  TokyoCabinet file handles are safe to reuse
+  # between any number of forked children (assuming your kernel
+  # correctly implements pread()/pwrite() system calls)
+end

data/db/migrate/001_create_initial_structure.rb

@@ -0,0 +1,47 @@
+class CreateInitialStructure < ActiveRecord::Migration
+  def self.up
+    # Oracle table names cannot exceed 30 chars...
+    # See http://code.google.com/p/rubycas-server/issues/detail?id=15
+    create_table 'casserver_lt', :force => true do |t|
+      t.string    'ticket',          :null => false
+      t.timestamp 'created_on',      :null => false
+      t.datetime  'consumed',        :null => true
+      t.string    'client_hostname', :null => false
+    end
+
+    create_table 'casserver_st', :force => true do |t|
+      t.string    'ticket',            :null => false
+      t.text      'service',           :null => false
+      t.timestamp 'created_on',        :null => false
+      t.datetime  'consumed',          :null => true
+      t.string    'client_hostname',   :null => false
+      t.string    'username',          :null => false
+      t.string    'type',              :null => false
+      t.integer   'granted_by_pgt_id', :null => true
+      t.integer   'granted_by_tgt_id', :null => true
+    end
+
+    create_table 'casserver_tgt', :force => true do |t|
+      t.string    'ticket',           :null => false
+      t.timestamp 'created_on',       :null => false
+      t.string    'client_hostname',  :null => false
+      t.string    'username',         :null => false
+      t.text      'extra_attributes', :null => true
+    end
+
+    create_table 'casserver_pgt', :force => true do |t|
+      t.string    'ticket',            :null => false
+      t.timestamp 'created_on',        :null => false
+      t.string    'client_hostname',   :null => false
+      t.string    'iou',               :null => false
+      t.integer   'service_ticket_id', :null => false
+    end
+  end # self.up
+
+  def self.down
+    drop_table 'casserver_pgt'
+    drop_table 'casserver_tgt'
+    drop_table 'casserver_st'
+    drop_table 'casserver_lt'
+  end # self.down
+end

data/lib/casserver.rb

@@ -0,0 +1,11 @@
+module CASServer; end
+
+require 'active_record'
+require 'active_support'
+require 'sinatra/base'
+require 'builder' # for XML views
+require 'logger'
+$LOG = Logger.new(STDOUT)
+
+require 'casserver/server'
+

data/lib/casserver/authenticators/active_directory_ldap.rb

@@ -0,0 +1,19 @@
+require 'casserver/authenticators/ldap'
+
+# Slightly modified version of the LDAP authenticator for Microsoft's ActiveDirectory.
+# The only difference is that the default_username_attribute for AD is 'sAMAccountName'
+# rather than 'uid'.
+class CASServer::Authenticators::ActiveDirectoryLDAP < CASServer::Authenticators::LDAP
+  protected
+  def default_username_attribute
+    "sAMAccountName"
+  end
+
+  def extract_extra_attributes(ldap_entry)
+    super(ldap_entry)
+    if @extra_attributes["objectGUID"]
+      @extra_attributes["guid"] = @extra_attributes["objectGUID"].to_s.unpack("H*").to_s
+    end
+    ldap_entry
+  end
+end

data/lib/casserver/authenticators/active_resource.rb

@@ -0,0 +1,127 @@
+require 'casserver/authenticators/base'
+
+begin
+  require 'active_resource'
+rescue LoadError
+  require 'rubygems'
+  begin
+    gem 'activeresource', '~> 3.0.0'
+  rescue Gem::LoadError
+    $stderr.puts
+    $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+    $stderr.puts
+    $stderr.puts "To use the ActiveResource authenticator, you must first install the 'activeresource' gem."
+    $stderr.puts
+    $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+    exit 1
+  end
+  require 'active_resource'
+end
+
+module CASServer
+  module Authenticators
+
+    module Helpers
+      class Identity < ActiveResource::Base
+
+        # define method_name accessor
+        cattr_accessor(:method_name)
+        self.method_name = :authenticate
+
+        def self.method_type
+          @@method_type ||= :post
+        end
+
+        def self.method_type= type
+          methods = [:get, :post, :put, :delete]
+          raise ArgumentError, "Method type should be one of #{methods.map { |m| m.to_s.upcase }.join(', ')}" unless methods.include? type.to_sym
+          @@method_type = type
+        end
+
+        # Autenticate an identity using the given method
+        # @param [Hash] credentials
+        def self.authenticate(credentials = {})
+          response = send(method_type, method_name, credentials)
+          new.from_authentication_data(response)
+        end
+
+        # Used to load object attributes from the given response
+        def from_authentication_data response
+          load_attributes_from_response(response)
+        end
+      end
+    end
+
+    class ActiveResource < Base
+
+      # This is called at server startup.
+      # Any class-wide initializiation for the authenticator should be done here.
+      # (e.g. establish database connection).
+      # You can leave this empty if you don't need to set up anything.
+      def self.setup(options)
+        raise AuthenticatorError, 'You must define at least site option' unless options[:site]
+        # apply options to active resource object
+        options.each do |method, arg|
+          Helpers::Identity.send "#{method}=", arg if Helpers::Identity.respond_to? "#{method}="
+        end
+        $LOG.info "ActiveResource configuration loaded"
+      end
+
+      # Override this to implement your authentication credential validation.
+      # This is called each time the user tries to log in. The credentials hash
+      # holds the credentials as entered by the user (generally under :username
+      # and :password keys; :service and :request are also included by default)
+      #
+      # Note that the standard credentials can be read in to instance variables
+      # by calling #read_standard_credentials.
+      def validate(credentials)
+        begin
+          $LOG.debug("Starting Active Resource authentication")
+          result = Helpers::Identity.authenticate(credentials.except(:request))
+          extract_extra_attributes(result) if result
+          !!result
+        rescue ::ActiveResource::ConnectionError => e
+          if e.response.blank? # band-aid for ARes 2.3.x -- craps out if to_s is called without a response
+            e = e.class.to_s
+          end
+          $LOG.warn("Error during authentication: #{e}")
+          false
+        end
+      end
+
+      private
+
+      def extract_extra_attributes(resource)
+        @extra_attributes = {}
+        $LOG.debug("Parsing extra attributes")
+        if @options[:extra_attributes]
+          extra_attributes_to_extract.each do |attr|
+            @extra_attributes[attr] = resource.send(attr).to_s
+          end
+        else
+          @extra_attributes = resource.attributes
+        end
+        # do filtering
+        extra_attributes_to_filter.each do |attr|
+          @extra_attributes.delete(attr)
+        end
+      end
+
+      # extract attributes to filter from the given configuration
+      def extra_attributes_to_filter
+        # default value if not set
+        return ['password'] unless @options[:filter_attributes]
+        # parse option value
+        if @options[:filter_attributes].kind_of? Array
+          attrs = @options[:filter_attributes]
+        elsif @options[:filter_attributes].kind_of? String
+          attrs = @options[:filter_attributes].split(',').collect { |col| col.strip }
+        else
+          $LOG.error("Can't figure out attribute list from #{@options[:filter_attributes].inspect}. This must be an Array of column names or a comma-separated list.")
+          attrs = []
+        end
+        attrs
+      end
+    end
+  end
+end

data/lib/casserver/authenticators/authlogic_crypto_providers/aes256.rb

@@ -0,0 +1,43 @@
+require "openssl"
+
+module Authlogic
+  module CryptoProviders
+    # This encryption method is reversible if you have the supplied key. So in order to use this encryption method you must supply it with a key first.
+    # In an initializer, or before your application initializes, you should do the following:
+    #
+    #   Authlogic::CryptoProviders::AES256.key = "my really long and unique key, preferrably a bunch of random characters"
+    #
+    # My final comment is that this is a strong encryption method, but its main weakness is that its reversible. If you do not need to reverse the hash
+    # then you should consider Sha512 or BCrypt instead.
+    #
+    # Keep your key in a safe place, some even say the key should be stored on a separate server.
+    # This won't hurt performance because the only time it will try and access the key on the separate server is during initialization, which only
+    # happens once. The reasoning behind this is if someone does compromise your server they won't have the key also. Basically, you don't want to
+    # store the key with the lock.
+    class AES256
+      class << self
+        attr_writer :key
+
+        def encrypt(*tokens)
+          aes.encrypt
+          aes.key = @key
+          [aes.update(tokens.join) + aes.final].pack("m").chomp
+        end
+
+        def matches?(crypted, *tokens)
+          aes.decrypt
+          aes.key = @key
+          (aes.update(crypted.unpack("m").first) + aes.final) == tokens.join
+        rescue OpenSSL::CipherError
+          false
+        end
+
+        private
+          def aes
+            raise ArgumentError.new("You must provide a key like #{name}.key = my_key before using the #{name}") if @key.blank?
+            @aes ||= OpenSSL::Cipher::Cipher.new("AES-256-ECB")
+          end
+      end
+    end
+  end
+end

data/lib/casserver/authenticators/authlogic_crypto_providers/bcrypt.rb

@@ -0,0 +1,92 @@
+begin
+  require "bcrypt"
+rescue LoadError
+end
+
+module Authlogic
+  module CryptoProviders
+    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear launch codes you might want to consier BCrypt. This is an extremely
+    # secure hashing algorithm, mainly because it is slow. A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
+    # password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this, generating a password takes exponentially longer than any
+    # of the Sha algorithms. I did some benchmarking to save you some time with your decision:
+    #
+    #   require "bcrypt"
+    #   require "digest"
+    #   require "benchmark"
+    #
+    #   Benchmark.bm(18) do |x|
+    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
+    #     x.report("BCrypt (cost = 2:") { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
+    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
+    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
+    #   end
+    #
+    #                           user     system      total        real
+    #   BCrypt (cost = 10): 10.780000   0.060000  10.840000 ( 11.100289)
+    #   BCrypt (cost = 2):  0.180000   0.000000   0.180000 (  0.181914)
+    #   Sha512:             0.000000   0.000000   0.000000 (  0.000829)
+    #   Sha1:               0.000000   0.000000   0.000000 (  0.000395)
+    #
+    # You can play around with the cost to get that perfect balance between performance and security.
+    #
+    # Decided BCrypt is for you? Just insall the bcrypt gem:
+    #
+    #   gem install bcrypt-ruby
+    #
+    # Tell acts_as_authentic to use it:
+    #
+    #   acts_as_authentic do |c|
+    #     c.crypto_provider = Authlogic::CryptoProviders::BCrypt
+    #   end
+    #
+    # You are good to go!
+    class BCrypt
+      class << self
+        # This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
+        # Set this to whatever you want, play around with it to get that perfect balance between security and performance.
+        def cost
+          @cost ||= 10
+        end
+        attr_writer :cost
+
+        # Creates a BCrypt hash for the password passed.
+        def encrypt(*tokens)
+          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+        end
+
+        # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(hash, *tokens)
+          $LOG.debug hash
+          $LOG.debug tokens.inspect
+
+          hash = new_from_hash(hash)
+          return false if hash.blank?
+          hash == join_tokens(tokens)
+        end
+
+        # This method is used as a flag to tell Authlogic to "resave" the password upon a successful login, using the new cost
+        def cost_matches?(hash)
+          hash = new_from_hash(hash)
+          if hash.blank?
+            false
+          else
+            hash.cost == cost
+          end
+        end
+
+        private
+          def join_tokens(tokens)
+            tokens.flatten.join
+          end
+
+          def new_from_hash(hash)
+            begin
+              ::BCrypt::Password.new(hash)
+            rescue ::BCrypt::Errors::InvalidHash
+              return nil
+            end
+          end
+      end
+    end
+  end
+end

data/lib/casserver/authenticators/authlogic_crypto_providers/md5.rb

@@ -0,0 +1,34 @@
+require "digest/md5"
+
+module Authlogic
+  module CryptoProviders
+    # This class was made for the users transitioning from md5 based systems.
+    # I highly discourage using this crypto provider as it superbly inferior
+    # to your other options.
+    #
+    # Please use any other provider offered by Authlogic.
+    class MD5
+      class << self
+        attr_accessor :join_token
+
+        # The number of times to loop through the encryption.
+        def stretches
+          @stretches ||= 1
+        end
+        attr_writer :stretches
+
+        # Turns your raw password into a MD5 hash.
+        def encrypt(*tokens)
+          digest = tokens.flatten.join(join_token)
+          stretches.times { digest = Digest::MD5.hexdigest(digest) }
+          digest
+        end
+
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+      end
+    end
+  end
+end