synapses-cas 0.1.0

data/spec/alt_config.yml

@@ -0,0 +1,50 @@
+server: webrick
+port: 6543
+#ssl_cert: test.pem
+uri_path: /test
+#bind_address: 0.0.0.0
+
+# database:
+#   adapter: mysql
+#   database: casserver
+#   username: root
+#   password: 
+#   host: localhost
+#   reconnect: true
+database:
+ adapter: sqlite3
+ database: spec/casserver_spec.db
+ 
+disable_auto_migrations: true
+
+quiet: true
+
+authenticator:
+  class: CASServer::Authenticators::Test
+  password: spec_password
+
+theme: simple
+
+organization: "RSPEC-TEST"
+
+infoline: "This is an rspec test."
+
+#custom_views: /path/to/custom/views
+
+default_locale: en
+
+log:
+  file: casserver_spec.log
+  level: DEBUG
+
+#db_log:
+#  file: casserver_spec_db.log
+
+enable_single_sign_out: true
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+#maximum_session_lifetime: 172800
+
+#downcase_username: true

data/spec/authenticators/active_resource_spec.rb

@@ -0,0 +1,109 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/../spec_helper'
+
+require 'casserver/authenticators/active_resource'
+
+describe CASServer::Authenticators::Helpers::Identity do
+
+  it { should be_an ActiveResource::Base }
+
+  it "class should respond to :authenticate" do
+    subject.class.should respond_to :authenticate
+  end
+
+  it "class should have a method_name accessor" do
+    CASServer::Authenticators::Helpers::Identity.method_name.should == :authenticate
+  end
+
+  it "class should have a method_name accessor" do
+    CASServer::Authenticators::Helpers::Identity.method_type.should == :post
+  end
+
+  it "class method_type accessor should validate type" do
+    expect {
+      CASServer::Authenticators::Helpers::Identity.method_type = :foo
+    }.to raise_error(ArgumentError)
+  end
+
+end
+
+describe CASServer::Authenticators::ActiveResource do
+
+  describe "#setup" do
+
+    it "should configure the identity object" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:user=).with('httpuser').once
+      CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :user => 'httpuser'
+    end
+
+    it "should configure the method_type" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:method_type=).with('get').once
+      CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :method_type => 'get'
+    end
+
+    it "should raise if site option is missing" do
+      expect {
+        CASServer::Authenticators::ActiveResource.setup({}).should
+      }.to raise_error(CASServer::AuthenticatorError, /site option/)
+    end
+  end
+
+  describe "#validate" do
+
+    let(:credentials) { {:username => 'validusername',
+                         :password => 'validpassword',
+                         :service => 'test.service'} }
+
+    let(:auth) { CASServer::Authenticators::ActiveResource.new }
+
+    def mock_authenticate identity = nil
+      identity = CASServer::Authenticators::Helpers::Identity.new if identity.nil?
+      CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_return(identity)
+    end
+
+    def sample_identity attrs = {}
+      identity = CASServer::Authenticators::Helpers::Identity.new
+      attrs.each { |k,v| identity.send "#{k}=", v }
+      identity
+    end
+
+    it "should call Identity#autenticate with the given params" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:authenticate).with(credentials).once
+      auth.validate(credentials)
+    end
+
+    it "should return identity object attributes as extra attributes" do
+      auth.configure({}.with_indifferent_access)
+      identity = sample_identity({:email => 'foo@example.org'})
+      mock_authenticate identity
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == identity.attributes
+    end
+
+    it "should return false when http raises" do
+      CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_raise(ActiveResource::ForbiddenAccess.new({}))
+      auth.validate(credentials).should be_false
+    end
+
+    it "should apply extra_attribute filter" do
+      auth.configure({ :extra_attributes => 'age'}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "age" => "28" }
+    end
+
+    it "should only extract not filtered attributes" do
+      auth.configure({ :filter_attributes => 'age'}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "email" => 'foo@example.org' }
+    end
+
+    it "should filter password if filter attributes is not given" do
+      auth.configure({}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :password => 'secret' })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "email" => 'foo@example.org' }
+    end
+  end
+end

data/spec/authenticators/ldap_spec.rb

@@ -0,0 +1,53 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/../spec_helper'
+
+require 'casserver/authenticators/ldap'
+
+describe CASServer::Authenticators::LDAP do
+  before do
+    @ldap_entry = mock(Net::LDAP::Entry.new)
+    @ldap_entry.stub!(:[]).and_return("Test")
+    
+    @ldap = mock(Net::LDAP)
+    @ldap.stub!(:host=)
+    @ldap.stub!(:port=)
+    @ldap.stub!(:encryption)
+    @ldap.stub!(:bind_as).and_return(true)
+    @ldap.stub!(:authenticate).and_return(true)
+    @ldap.stub!(:search).and_return([@ldap_entry])
+    
+    Net::LDAP.stub!(:new).and_return(@ldap)
+  end
+  
+  describe '#validate' do
+
+    it 'validate with preauthentication and with extra attributes' do
+      auth = CASServer::Authenticators::LDAP.new
+
+      auth_config = HashWithIndifferentAccess.new(
+        :ldap => {
+          :host => "ad.example.net",
+          :port => 389,
+          :base => "dc=example,dc=net",
+          :filter => "(objectClass=person)",
+          :auth_user => "authenticator",
+          :auth_password => "itsasecret"
+        },
+        :extra_attributes => [:full_name, :address]
+      )
+      
+      auth.configure(auth_config.merge('auth_index' => 0))
+      auth.validate(
+        :username => 'validusername',
+        :password => 'validpassword',
+        :service =>  'test.service',
+        :request => {}
+      ).should == true
+      
+      auth.extra_attributes.should == {:full_name => 'Test', :address => 'Test'}
+    end
+    
+  end
+end
+
+

data/spec/casserver_spec.rb

@@ -0,0 +1,156 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/spec_helper'
+
+$LOG = Logger.new(File.basename(__FILE__).gsub('.rb','.log'))
+
+RSpec.configure do |config|
+  config.include Capybara::DSL
+end
+
+VALID_USERNAME = 'spec_user'
+VALID_PASSWORD = 'spec_password'
+
+ATTACK_USERNAME = '%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&password=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&lt=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&service=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E'
+INVALID_PASSWORD = 'invalid_password'
+
+describe 'CASServer' do
+
+  before do
+    @target_service = 'http://my.app.test'
+  end
+
+  describe "/login" do
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+    end
+
+    it "logs in successfully with valid username and password without a target service" do
+      visit "/login"
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("You have successfully logged in")
+    end
+
+    it "fails to log in with invalid password" do
+      visit "/login"
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+    end
+
+    it "logs in successfully with valid username and password and redirects to target service" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+
+      click_button 'login-submit'
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?\?ticket=ST\-[1-9rA-Z]+/
+    end
+
+    it "preserves target service after invalid login" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+      page.should have_xpath('//input[@id="service"]', :value => @target_service)
+    end
+
+    it "uses appropriate localization based on Accept-Language header" do
+      
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'pl'}
+      #visit "/login?lang=pl"
+      visit "/login"
+      page.should have_content("Użytkownik")
+
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'pt_BR'}
+      #visit "/login?lang=pt_BR"
+      visit "/login"
+      page.should have_content("Usuário")
+
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'en'}
+      #visit "/login?lang=en"
+      visit "/login"
+      page.should have_content("Username")
+    end
+
+    it "is not vunerable to Cross Site Scripting" do
+      visit '/login?service=%22%2F%3E%3cscript%3ealert%2832%29%3c%2fscript%3e'
+      page.should_not have_content("alert(32)")
+      page.should_not have_xpath("//script")
+      #page.should have_xpath("<script>alert(32)</script>")
+    end
+
+  end # describe '/login'
+
+
+  describe '/logout' do
+
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+    end
+
+    it "logs out successfully" do
+      visit "/logout"
+
+      page.should have_content("You have successfully logged out")
+    end
+
+    it "logs out successfully and redirects to target service" do
+      visit "/logout?gateway=true&service="+CGI.escape(@target_service)
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?/
+    end
+
+  end # describe '/logout'
+
+  describe 'Configuration' do
+    it "uri_path value changes prefix of routes" do
+      load_server(File.dirname(__FILE__) + "/alt_config.yml")
+      @target_service = 'http://my.app.test'
+
+      visit "/test/login"
+      page.status_code.should_not == 404
+
+      visit "/test/logout"
+      page.status_code.should_not == 404
+    end
+  end
+
+  describe "proxyValidate" do
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+
+      click_button 'login-submit'
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?\?ticket=ST\-[1-9rA-Z]+/
+      @ticket = page.current_url.match(/ticket=(.*)$/)[1]
+    end
+
+    it "should have extra attributes in proper format" do
+      visit "/serviceValidate?service=#{CGI.escape(@target_service)}&ticket=#{@ticket}"
+
+      encoded_utf_string = "&#1070;&#1090;&#1092;" # actual string is "Ютф"
+      page.body.should match("<test_utf_string>#{encoded_utf_string}</test_utf_string>")
+      page.body.should match("<test_numeric>123.45</test_numeric>")
+      page.body.should match("<test_utf_string>&#1070;&#1090;&#1092;</test_utf_string>")
+    end
+  end
+end

data/spec/default_config.yml

@@ -0,0 +1,50 @@
+server: webrick
+port: 6543
+#ssl_cert: test.pem
+#uri_path: /cas
+#bind_address: 0.0.0.0
+
+# database:
+#   adapter: mysql
+#   database: casserver
+#   username: root
+#   password: 
+#   host: localhost
+#   reconnect: true
+database:
+ adapter: sqlite3
+ database: spec/casserver_spec.db
+ 
+disable_auto_migrations: true
+
+quiet: true
+
+authenticator:
+  class: CASServer::Authenticators::Test
+  password: spec_password
+
+theme: simple
+
+organization: "RSPEC-TEST"
+
+infoline: "This is an rspec test."
+
+#custom_views: /path/to/custom/views
+
+default_locale: en
+
+log:
+  file: casserver_spec.log
+  level: DEBUG
+
+#db_log:
+#  file: casserver_spec_db.log
+
+enable_single_sign_out: true
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+#maximum_session_lifetime: 172800
+
+#downcase_username: true

data/spec/model_spec.rb

@@ -0,0 +1,42 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/spec_helper'
+
+module CASServer
+end
+require 'casserver/model'
+
+describe CASServer::Model::LoginTicket, '.cleanup(max_lifetime, max_unconsumed_lifetime)' do
+  let(:max_lifetime) { -1 }
+  let(:max_unconsumed_lifetime) { -2 }
+
+  before do
+    load_server(File.dirname(__FILE__) + "/default_config.yml")
+    reset_spec_database
+    
+    CASServer::Model::LoginTicket.create :ticket => 'test', :client_hostname => 'test.local'
+  end
+
+  it 'should destroy all tickets created before the max lifetime' do
+    expect {
+      CASServer::Model::LoginTicket.cleanup(max_lifetime, max_unconsumed_lifetime)
+    }.to change(CASServer::Model::LoginTicket, :count).by(-1)
+  end
+
+  it 'should destroy all unconsumed tickets not exceeding the max lifetime' do
+    expect {
+      CASServer::Model::LoginTicket.cleanup(max_lifetime, max_unconsumed_lifetime)
+    }.to change(CASServer::Model::LoginTicket, :count).by(-1)
+  end
+end
+
+describe CASServer::Model::LoginTicket, '#to_s' do
+  let(:ticket) { 'test' }
+
+  before do
+    @login_ticket = CASServer::Model::LoginTicket.new :ticket => ticket
+  end
+
+  it 'should delegate #to_s to #ticket' do
+    @login_ticket.to_s.should == ticket
+  end
+end