uchouhan-rubycas-server 1.0.a
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG +289 -0
- data/LICENSE +26 -0
- data/README.md +19 -0
- data/Rakefile +1 -0
- data/bin/rubycas-server +16 -0
- data/bin/rubycas-server-ctl +9 -0
- data/lib/casserver.rb +13 -0
- data/lib/casserver/authenticators/active_directory_ldap.rb +19 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/aes256.rb +43 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/bcrypt.rb +92 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/md5.rb +34 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/sha1.rb +59 -0
- data/lib/casserver/authenticators/authlogic_crypto_providers/sha512.rb +50 -0
- data/lib/casserver/authenticators/base.rb +67 -0
- data/lib/casserver/authenticators/client_certificate.rb +47 -0
- data/lib/casserver/authenticators/google.rb +58 -0
- data/lib/casserver/authenticators/ldap.rb +147 -0
- data/lib/casserver/authenticators/ntlm.rb +88 -0
- data/lib/casserver/authenticators/open_id.rb +22 -0
- data/lib/casserver/authenticators/sql.rb +133 -0
- data/lib/casserver/authenticators/sql_authlogic.rb +93 -0
- data/lib/casserver/authenticators/sql_encrypted.rb +77 -0
- data/lib/casserver/authenticators/sql_md5.rb +19 -0
- data/lib/casserver/authenticators/sql_rest_auth.rb +85 -0
- data/lib/casserver/authenticators/tacc.rb +67 -0
- data/lib/casserver/authenticators/test.rb +21 -0
- data/lib/casserver/cas.rb +327 -0
- data/lib/casserver/localization.rb +91 -0
- data/lib/casserver/model.rb +269 -0
- data/lib/casserver/server.rb +623 -0
- data/lib/casserver/utils.rb +32 -0
- data/lib/casserver/views/_login_form.erb +41 -0
- data/lib/casserver/views/layout.erb +17 -0
- data/lib/casserver/views/login.erb +29 -0
- data/lib/casserver/views/proxy.builder +11 -0
- data/lib/casserver/views/proxy_validate.builder +26 -0
- data/lib/casserver/views/service_validate.builder +19 -0
- data/lib/casserver/views/validate.erb +1 -0
- data/po/de_DE/rubycas-server.po +127 -0
- data/po/es_ES/rubycas-server.po +123 -0
- data/po/fr_FR/rubycas-server.po +128 -0
- data/po/ja_JP/rubycas-server.po +126 -0
- data/po/pl_PL/rubycas-server.po +123 -0
- data/po/pt_BR/rubycas-server.po +123 -0
- data/po/ru_RU/rubycas-server.po +118 -0
- data/po/rubycas-server.pot +112 -0
- data/po/zh_CN/rubycas-server.po +113 -0
- data/po/zh_TW/rubycas-server.po +113 -0
- data/public/themes/cas.css +121 -0
- data/public/themes/notice.png +0 -0
- data/public/themes/ok.png +0 -0
- data/public/themes/simple/bg.png +0 -0
- data/public/themes/simple/favicon.png +0 -0
- data/public/themes/simple/login_box_bg.png +0 -0
- data/public/themes/simple/logo.png +0 -0
- data/public/themes/simple/theme.css +28 -0
- data/public/themes/tadnet/bg.png +0 -0
- data/public/themes/tadnet/button.png +0 -0
- data/public/themes/tadnet/favicon.png +0 -0
- data/public/themes/tadnet/login_box_bg.png +0 -0
- data/public/themes/tadnet/logo.png +0 -0
- data/public/themes/tadnet/theme.css +55 -0
- data/public/themes/urbacon/bg.png +0 -0
- data/public/themes/urbacon/login_box_bg.png +0 -0
- data/public/themes/urbacon/logo.png +0 -0
- data/public/themes/urbacon/theme.css +33 -0
- data/public/themes/warning.png +0 -0
- data/resources/config.example.yml +574 -0
- data/resources/config.ru +42 -0
- data/resources/custom_views.example.rb +11 -0
- data/resources/init.d.sh +58 -0
- data/rubycas-server.gemspec +40 -0
- data/setup.rb +1585 -0
- data/spec/alt_config.yml +46 -0
- data/spec/casserver_spec.rb +114 -0
- data/spec/default_config.yml +46 -0
- data/spec/spec.opts +4 -0
- data/spec/spec_helper.rb +89 -0
- data/tasks/bundler.rake +4 -0
- data/tasks/db/migrate.rake +12 -0
- data/tasks/localization.rake +13 -0
- data/tasks/spec.rake +10 -0
- metadata +172 -0
@@ -0,0 +1,88 @@
|
|
1
|
+
# THIS AUTHENTICATOR DOES NOT WORK (not even close!)
|
2
|
+
#
|
3
|
+
# I started working on this but run into a wall, so I am commiting what I've got
|
4
|
+
# done and leaving it here with hopes of one day finishing it.
|
5
|
+
#
|
6
|
+
# The main problem is that although I've got the Lan Manager/NTLM password hash,
|
7
|
+
# I'm not sure what to do with it. i.e. I need to check it against the AD or SMB
|
8
|
+
# server or something... maybe faking an SMB share connection and using the LM
|
9
|
+
# response for authentication might do the trick?
|
10
|
+
|
11
|
+
require 'casserver/authenticators/base'
|
12
|
+
|
13
|
+
# Ruby/NTLM package from RubyForge
|
14
|
+
require 'net/ntlm'
|
15
|
+
|
16
|
+
module CASServer
|
17
|
+
module Authenticators
|
18
|
+
class NTLM
|
19
|
+
# This will have to be somehow called by the top of the 'get' method
|
20
|
+
# in the Login controller (maybe via a hook?)... if this code fails
|
21
|
+
# then the controller should fall back to some other method of authentication
|
22
|
+
# (probably AD/LDAP or something).
|
23
|
+
def filter_for_top_of_login_get_controller_method
|
24
|
+
$LOG.debug @env.inspect
|
25
|
+
if @env['HTTP_AUTHORIZATION'] =~ /NTLM ([^\s]+)/
|
26
|
+
# if we're here, then the client has sent back a Type1 or Type3 message
|
27
|
+
# in reply to our NTLM challenge or our Type2 message
|
28
|
+
data_raw = Base64.decode64($~[1])
|
29
|
+
$LOG.debug "T1 RAW: #{t1_raw}"
|
30
|
+
t = Net::NTLM::Message::Message.parse(t1_raw)
|
31
|
+
if t.kind_of? Net::NTLM::Type1
|
32
|
+
t1 = t
|
33
|
+
elsif t.kind_of? Net::NTLM::Type3
|
34
|
+
t3 = t
|
35
|
+
else
|
36
|
+
raise "Invalid NTLM reply from client."
|
37
|
+
end
|
38
|
+
|
39
|
+
if t1
|
40
|
+
$LOG.debug "T1: #{t1.inspect}"
|
41
|
+
|
42
|
+
# now put together a Type2 message asking for the client to send
|
43
|
+
# back NTLM credentials (LM hash and such)
|
44
|
+
t2 = Net::NTLM::Message::Type2.new
|
45
|
+
t2.set_flag :UNICODE
|
46
|
+
t2.set_flag :NTLM
|
47
|
+
t2.context = 0x0000000000000000 # this can probably just be left unassigned
|
48
|
+
t2.challenge = 0x0123456789abcdef # this should be a random 8-byte integer
|
49
|
+
|
50
|
+
$LOG.debug "T2: #{t2.inspect}"
|
51
|
+
$LOG.debug "T2: #{t2.serialize}"
|
52
|
+
headers["WWW-Authenticate"] = "NTLM #{t2.encode64}"
|
53
|
+
|
54
|
+
# the client should respond to this with a Type3 message...
|
55
|
+
r('401', '', headers)
|
56
|
+
return
|
57
|
+
else
|
58
|
+
# NOTE: for some reason the server never receives the T3 response, even though monitoring
|
59
|
+
# the HTTP traffic I can see that the client does send it back... there's probably
|
60
|
+
# another bug hiding somewhere here
|
61
|
+
|
62
|
+
lm_response = t3.lm_response
|
63
|
+
ntlm_response = t3.ntlm_response
|
64
|
+
username = t3.user
|
65
|
+
# this is where we run up against a wall... we need some way to check the lm and/or ntlm
|
66
|
+
# reponse against the authentication server (probably Active Directory)... maybe a samba
|
67
|
+
# call would do it?
|
68
|
+
$LOG.debug "T3 LM: #{lm_response.inspect}"
|
69
|
+
$LOG.debug "T3 NTLM: #{ntlm_response.inspect}"
|
70
|
+
|
71
|
+
# assuming the authentication was successful, we'll now need to do something in the
|
72
|
+
# controller acting as if we'd received correct login credentials (i.e. proceed as if
|
73
|
+
# CAS authentication was successful).... if authentication failed, then we should
|
74
|
+
# just fall back to old-school web-based authentication, asking the user to enter
|
75
|
+
# their username and password the normal CAS way
|
76
|
+
end
|
77
|
+
else
|
78
|
+
# this sends the initial NTLM challenge, asking the browser
|
79
|
+
# to send back a Type1 message
|
80
|
+
headers['WWW-Authenticate'] = "NTLM"
|
81
|
+
headers['Connection'] = "Close"
|
82
|
+
r('401', '', headers)
|
83
|
+
return
|
84
|
+
end
|
85
|
+
end
|
86
|
+
end
|
87
|
+
end
|
88
|
+
end
|
@@ -0,0 +1,22 @@
|
|
1
|
+
require 'casserver/authenticators/base'
|
2
|
+
|
3
|
+
require 'openid'
|
4
|
+
require 'openid/extensions/sreg'
|
5
|
+
require 'openid/extensions/pape'
|
6
|
+
require 'openid/store/memory'
|
7
|
+
|
8
|
+
|
9
|
+
# CURRENTLY UNIMPLEMENTED
|
10
|
+
# This is just starter code.
|
11
|
+
class CASServer::Authenticators::OpenID < CASServer::Authenticators::Base
|
12
|
+
|
13
|
+
def validate(credentials)
|
14
|
+
raise NotImplementedError, "The OpenID authenticator is not yet implemented. "+
|
15
|
+
"See http://code.google.com/p/rubycas-server/issues/detail?id=36 if you are interested in helping this along."
|
16
|
+
|
17
|
+
read_standard_credentials(credentials)
|
18
|
+
|
19
|
+
store = OpenID::Store::Memory.new
|
20
|
+
consumer = OpenID::Consumer.new({}, store)
|
21
|
+
end
|
22
|
+
end
|
@@ -0,0 +1,133 @@
|
|
1
|
+
require 'casserver/authenticators/base'
|
2
|
+
|
3
|
+
begin
|
4
|
+
require 'active_record'
|
5
|
+
rescue LoadError
|
6
|
+
require 'rubygems'
|
7
|
+
require 'active_record'
|
8
|
+
end
|
9
|
+
|
10
|
+
# Authenticates against a plain SQL table.
|
11
|
+
#
|
12
|
+
# This assumes that all of your users are stored in a table that has a 'username'
|
13
|
+
# column and a 'password' column. When the user logs in, CAS conects to the
|
14
|
+
# database and looks for a matching username/password in the users table. If a
|
15
|
+
# matching username and password is found, authentication is successful.
|
16
|
+
#
|
17
|
+
# Any database backend supported by ActiveRecord can be used.
|
18
|
+
#
|
19
|
+
# Config example:
|
20
|
+
#
|
21
|
+
# authenticator:
|
22
|
+
# class: CASServer::Authenticators::SQL
|
23
|
+
# database:
|
24
|
+
# adapter: mysql
|
25
|
+
# database: some_database_with_users_table
|
26
|
+
# username: root
|
27
|
+
# password:
|
28
|
+
# server: localhost
|
29
|
+
# user_table: users
|
30
|
+
# username_column: username
|
31
|
+
# password_column: password
|
32
|
+
#
|
33
|
+
# When replying to a CAS client's validation request, the server will normally
|
34
|
+
# provide the client with the authenticated user's username. However it is now
|
35
|
+
# possible for the server to provide the client with additional attributes.
|
36
|
+
# You can configure the SQL authenticator to provide data from additional
|
37
|
+
# columns in the users table by listing the names of the columns under the
|
38
|
+
# 'extra_attributes' option. Note though that this functionality is experimental.
|
39
|
+
# It should work with RubyCAS-Client, but may or may not work with other CAS
|
40
|
+
# clients.
|
41
|
+
#
|
42
|
+
# For example, with this configuration, the 'full_name' and 'access_level'
|
43
|
+
# columns will be provided to your CAS clients along with the username:
|
44
|
+
#
|
45
|
+
# authenticator:
|
46
|
+
# class: CASServer::Authenticators::SQL
|
47
|
+
# database:
|
48
|
+
# adapter: mysql
|
49
|
+
# database: some_database_with_users_table
|
50
|
+
# user_table: users
|
51
|
+
# username_column: username
|
52
|
+
# password_column: password
|
53
|
+
# ignore_type_column: true # indicates if you want to ignore Single Table Inheritance 'type' field
|
54
|
+
# extra_attributes: full_name, access_level
|
55
|
+
#
|
56
|
+
class CASServer::Authenticators::SQL < CASServer::Authenticators::Base
|
57
|
+
def self.setup(options)
|
58
|
+
raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless options[:database]
|
59
|
+
|
60
|
+
user_model_name = "CASUser_#{options[:auth_index]}"
|
61
|
+
$LOG.debug "CREATING USER MODEL #{user_model_name}"
|
62
|
+
|
63
|
+
class_eval %{
|
64
|
+
class #{user_model_name} < ActiveRecord::Base
|
65
|
+
end
|
66
|
+
}
|
67
|
+
|
68
|
+
@user_model = const_get(user_model_name)
|
69
|
+
@user_model.establish_connection(options[:database])
|
70
|
+
@user_model.set_table_name(options[:user_table] || 'users')
|
71
|
+
@user_model.inheritance_column = 'no_inheritance_column' if options[:ignore_type_column]
|
72
|
+
end
|
73
|
+
|
74
|
+
def self.user_model
|
75
|
+
@user_model
|
76
|
+
end
|
77
|
+
|
78
|
+
def validate(credentials)
|
79
|
+
read_standard_credentials(credentials)
|
80
|
+
raise_if_not_configured
|
81
|
+
|
82
|
+
user_model = self.class.user_model
|
83
|
+
|
84
|
+
username_column = @options[:username_column] || 'username'
|
85
|
+
password_column = @options[:password_column] || 'password'
|
86
|
+
|
87
|
+
$LOG.debug "#{self.class}: [#{user_model}] " + "Connection pool size: #{user_model.connection_pool.instance_variable_get(:@checked_out).length}/#{user_model.connection_pool.instance_variable_get(:@connections).length}"
|
88
|
+
results = user_model.find(:all, :conditions => ["#{username_column} = ? AND #{password_column} = ?", @username, @password])
|
89
|
+
user_model.connection_pool.checkin(user_model.connection)
|
90
|
+
|
91
|
+
if results.size > 0
|
92
|
+
$LOG.warn("#{self.class}: Multiple matches found for user #{@username.inspect}") if results.size > 1
|
93
|
+
|
94
|
+
unless @options[:extra_attributes].blank?
|
95
|
+
if results.size > 1
|
96
|
+
$LOG.warn("#{self.class}: Unable to extract extra_attributes because multiple matches were found for #{@username.inspect}")
|
97
|
+
else
|
98
|
+
user = results.first
|
99
|
+
|
100
|
+
extract_extra(user)
|
101
|
+
log_extra
|
102
|
+
end
|
103
|
+
end
|
104
|
+
|
105
|
+
return true
|
106
|
+
else
|
107
|
+
return false
|
108
|
+
end
|
109
|
+
end
|
110
|
+
|
111
|
+
protected
|
112
|
+
|
113
|
+
def raise_if_not_configured
|
114
|
+
raise CASServer::AuthenticatorError.new(
|
115
|
+
"Cannot validate credentials because the authenticator hasn't yet been configured"
|
116
|
+
) unless @options
|
117
|
+
end
|
118
|
+
|
119
|
+
def extract_extra user
|
120
|
+
@extra_attributes = {}
|
121
|
+
extra_attributes_to_extract.each do |col|
|
122
|
+
@extra_attributes[col] = user.send(col)
|
123
|
+
end
|
124
|
+
end
|
125
|
+
|
126
|
+
def log_extra
|
127
|
+
if @extra_attributes.empty?
|
128
|
+
$LOG.warn("#{self.class}: Did not read any extra_attributes for user #{@username.inspect} even though an :extra_attributes option was provided.")
|
129
|
+
else
|
130
|
+
$LOG.debug("#{self.class}: Read the following extra_attributes for user #{@username.inspect}: #{@extra_attributes.inspect}")
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
@@ -0,0 +1,93 @@
|
|
1
|
+
require 'casserver/authenticators/sql'
|
2
|
+
|
3
|
+
# These were pulled directly from Authlogic, and new ones can be added
|
4
|
+
# just by including new Crypto Providers
|
5
|
+
require File.dirname(__FILE__) + '/authlogic_crypto_providers/aes256'
|
6
|
+
require File.dirname(__FILE__) + '/authlogic_crypto_providers/bcrypt'
|
7
|
+
require File.dirname(__FILE__) + '/authlogic_crypto_providers/md5'
|
8
|
+
require File.dirname(__FILE__) + '/authlogic_crypto_providers/sha1'
|
9
|
+
require File.dirname(__FILE__) + '/authlogic_crypto_providers/sha512'
|
10
|
+
|
11
|
+
begin
|
12
|
+
require 'active_record'
|
13
|
+
rescue LoadError
|
14
|
+
require 'rubygems'
|
15
|
+
require 'active_record'
|
16
|
+
end
|
17
|
+
|
18
|
+
# This is a version of the SQL authenticator that works nicely with Authlogic.
|
19
|
+
# Passwords are encrypted the same way as it done in Authlogic.
|
20
|
+
# Before use you this, you MUST configure rest_auth_digest_streches and rest_auth_site_key in
|
21
|
+
# config.
|
22
|
+
#
|
23
|
+
# Using this authenticator requires restful authentication plugin on rails (client) side.
|
24
|
+
#
|
25
|
+
# * git://github.com/binarylogic/authlogic.git
|
26
|
+
#
|
27
|
+
# Usage:
|
28
|
+
|
29
|
+
# authenticator:
|
30
|
+
# class: CASServer::Authenticators::SQLAuthlogic
|
31
|
+
# database:
|
32
|
+
# adapter: mysql
|
33
|
+
# database: some_database_with_users_table
|
34
|
+
# user: root
|
35
|
+
# password:
|
36
|
+
# server: localhost
|
37
|
+
# user_table: user
|
38
|
+
# username_column: login
|
39
|
+
# password_column: crypted_password
|
40
|
+
# salt_column: password_salt
|
41
|
+
# encryptor: Sha1
|
42
|
+
# encryptor_options:
|
43
|
+
# digest_format: --SALT--PASSWORD--
|
44
|
+
# stretches: 1
|
45
|
+
#
|
46
|
+
class CASServer::Authenticators::SQLAuthlogic < CASServer::Authenticators::SQL
|
47
|
+
|
48
|
+
def validate(credentials)
|
49
|
+
read_standard_credentials(credentials)
|
50
|
+
raise_if_not_configured
|
51
|
+
|
52
|
+
user_model = self.class.user_model
|
53
|
+
|
54
|
+
username_column = @options[:username_column] || "login"
|
55
|
+
password_column = @options[:password_column] || "crypted_password"
|
56
|
+
salt_column = @options[:salt_column]
|
57
|
+
|
58
|
+
$LOG.debug "#{self.class}: [#{user_model}] " + "Connection pool size: #{user_model.connection_pool.instance_variable_get(:@checked_out).length}/#{user_model.connection_pool.instance_variable_get(:@connections).length}"
|
59
|
+
results = user_model.find(:all, :conditions => ["#{username_column} = ?", @username])
|
60
|
+
user_model.connection_pool.checkin(user_model.connection)
|
61
|
+
|
62
|
+
begin
|
63
|
+
encryptor = eval("Authlogic::CryptoProviders::" + @options[:encryptor] || "Sha512")
|
64
|
+
rescue
|
65
|
+
$LOG.warn("Could not initialize Authlogic crypto class for '#{@options[:encryptor]}'")
|
66
|
+
encryptor = Authlogic::CryptoProviders::Sha512
|
67
|
+
end
|
68
|
+
|
69
|
+
@options[:encryptor_options].each do |name, value|
|
70
|
+
encryptor.send("#{name}=", value) if encryptor.respond_to?("#{name}=")
|
71
|
+
end
|
72
|
+
|
73
|
+
if results.size > 0
|
74
|
+
$LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
|
75
|
+
user = results.first
|
76
|
+
tokens = [@password, (not salt_column.nil?) && user.send(salt_column) || nil].compact
|
77
|
+
crypted = user.send(password_column)
|
78
|
+
|
79
|
+
unless @options[:extra_attributes].blank?
|
80
|
+
if results.size > 1
|
81
|
+
$LOG.warn("#{self.class}: Unable to extract extra_attributes because multiple matches were found for #{@username.inspect}")
|
82
|
+
else
|
83
|
+
extract_extra(user)
|
84
|
+
log_extra
|
85
|
+
end
|
86
|
+
end
|
87
|
+
|
88
|
+
return encryptor.matches?(crypted, tokens)
|
89
|
+
else
|
90
|
+
return false
|
91
|
+
end
|
92
|
+
end
|
93
|
+
end
|
@@ -0,0 +1,77 @@
|
|
1
|
+
require 'casserver/authenticators/sql'
|
2
|
+
|
3
|
+
require 'digest/sha1'
|
4
|
+
require 'digest/sha2'
|
5
|
+
|
6
|
+
$: << File.dirname(File.expand_path(__FILE__)) + "/../../../vendor/isaac_0.9.1"
|
7
|
+
require 'crypt-isaac'
|
8
|
+
|
9
|
+
# This is a more secure version of the SQL authenticator. Passwords are encrypted
|
10
|
+
# rather than being stored in plain text.
|
11
|
+
#
|
12
|
+
# Based on code contributed by Ben Mabey.
|
13
|
+
#
|
14
|
+
# Using this authenticator requires some configuration on the client side. Please see
|
15
|
+
# http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
|
16
|
+
class CASServer::Authenticators::SQLEncrypted < CASServer::Authenticators::SQL
|
17
|
+
# Include this module into your application's user model.
|
18
|
+
#
|
19
|
+
# Your model must have an 'encrypted_password' column where the password will be stored,
|
20
|
+
# and an 'encryption_salt' column that will be populated with a random string before
|
21
|
+
# the user record is first created.
|
22
|
+
module EncryptedPassword
|
23
|
+
def self.included(mod)
|
24
|
+
raise "#{self} should be inclued in an ActiveRecord class!" unless mod.respond_to?(:before_save)
|
25
|
+
mod.before_save :generate_encryption_salt
|
26
|
+
end
|
27
|
+
|
28
|
+
def encrypt(str)
|
29
|
+
generate_encryption_salt unless encryption_salt
|
30
|
+
Digest::SHA256.hexdigest("#{encryption_salt}::#{str}")
|
31
|
+
end
|
32
|
+
|
33
|
+
def password=(password)
|
34
|
+
self[:encrypted_password] = encrypt(password)
|
35
|
+
end
|
36
|
+
|
37
|
+
def generate_encryption_salt
|
38
|
+
self.encryption_salt = Digest::SHA1.hexdigest(Crypt::ISAAC.new.rand(2**31).to_s) unless
|
39
|
+
encryption_salt
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
def self.setup(options)
|
44
|
+
super(options)
|
45
|
+
user_model.__send__(:include, EncryptedPassword)
|
46
|
+
end
|
47
|
+
|
48
|
+
def validate(credentials)
|
49
|
+
read_standard_credentials(credentials)
|
50
|
+
raise_if_not_configured
|
51
|
+
|
52
|
+
user_model = self.class.user_model
|
53
|
+
|
54
|
+
username_column = @options[:username_column] || "username"
|
55
|
+
encrypt_function = @options[:encrypt_function] || 'user.encrypted_password == Digest::SHA256.hexdigest("#{user.encryption_salt}::#{@password}")'
|
56
|
+
|
57
|
+
$LOG.debug "#{self.class}: [#{user_model}] " + "Connection pool size: #{user_model.connection_pool.instance_variable_get(:@checked_out).length}/#{user_model.connection_pool.instance_variable_get(:@connections).length}"
|
58
|
+
results = user_model.find(:all, :conditions => ["#{username_column} = ?", @username])
|
59
|
+
user_model.connection_pool.checkin(user_model.connection)
|
60
|
+
|
61
|
+
if results.size > 0
|
62
|
+
$LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
|
63
|
+
user = results.first
|
64
|
+
unless @options[:extra_attributes].blank?
|
65
|
+
if results.size > 1
|
66
|
+
$LOG.warn("#{self.class}: Unable to extract extra_attributes because multiple matches were found for #{@username.inspect}")
|
67
|
+
else
|
68
|
+
extract_extra(user)
|
69
|
+
log_extra
|
70
|
+
end
|
71
|
+
end
|
72
|
+
return eval(encrypt_function)
|
73
|
+
else
|
74
|
+
return false
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
require 'casserver/authenticators/sql'
|
2
|
+
|
3
|
+
require 'digest/md5'
|
4
|
+
|
5
|
+
# Essentially the same as the standard SQL authenticator, but this version
|
6
|
+
# assumes that your password is stored as an MD5 hash.
|
7
|
+
#
|
8
|
+
# This was contributed by malcomm for Drupal authentication. To work with
|
9
|
+
# Drupal, you should use 'name' for the :username_column config option, and
|
10
|
+
# 'pass' for the :password_column.
|
11
|
+
class CASServer::Authenticators::SQLMd5 < CASServer::Authenticators::SQL
|
12
|
+
|
13
|
+
protected
|
14
|
+
def read_standard_credentials(credentials)
|
15
|
+
super
|
16
|
+
@password = Digest::MD5.hexdigest(@password)
|
17
|
+
end
|
18
|
+
|
19
|
+
end
|
@@ -0,0 +1,85 @@
|
|
1
|
+
require 'casserver/authenticators/sql_encrypted'
|
2
|
+
|
3
|
+
require 'digest/sha1'
|
4
|
+
|
5
|
+
begin
|
6
|
+
require 'active_record'
|
7
|
+
rescue LoadError
|
8
|
+
require 'rubygems'
|
9
|
+
require 'active_record'
|
10
|
+
end
|
11
|
+
|
12
|
+
# This is a version of the SQL authenticator that works nicely with RestfulAuthentication.
|
13
|
+
# Passwords are encrypted the same way as it done in RestfulAuthentication.
|
14
|
+
# Before use you this, you MUST configure rest_auth_digest_streches and rest_auth_site_key in
|
15
|
+
# config.
|
16
|
+
#
|
17
|
+
# Using this authenticator requires restful authentication plugin on rails (client) side.
|
18
|
+
#
|
19
|
+
# * git://github.com/technoweenie/restful-authentication.git
|
20
|
+
#
|
21
|
+
class CASServer::Authenticators::SQLRestAuth < CASServer::Authenticators::SQLEncrypted
|
22
|
+
|
23
|
+
def validate(credentials)
|
24
|
+
read_standard_credentials(credentials)
|
25
|
+
raise_if_not_configured
|
26
|
+
|
27
|
+
user_model = self.class.user_model
|
28
|
+
|
29
|
+
username_column = @options[:username_column] || "email"
|
30
|
+
|
31
|
+
$LOG.debug "#{self.class}: [#{user_model}] " + "Connection pool size: #{user_model.connection_pool.instance_variable_get(:@checked_out).length}/#{user_model.connection_pool.instance_variable_get(:@connections).length}"
|
32
|
+
results = user_model.find(:all, :conditions => ["#{username_column} = ?", @username])
|
33
|
+
user_model.connection_pool.checkin(user_model.connection)
|
34
|
+
|
35
|
+
if results.size > 0
|
36
|
+
$LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
|
37
|
+
user = results.first
|
38
|
+
if user.crypted_password == user.encrypt(@password)
|
39
|
+
unless @options[:extra_attributes].blank?
|
40
|
+
extract_extra(user)
|
41
|
+
log_extra
|
42
|
+
end
|
43
|
+
return true
|
44
|
+
else
|
45
|
+
return false
|
46
|
+
end
|
47
|
+
else
|
48
|
+
return false
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
def self.setup(options)
|
53
|
+
super(options)
|
54
|
+
user_model.__send__(:include, EncryptedPassword)
|
55
|
+
end
|
56
|
+
|
57
|
+
module EncryptedPassword
|
58
|
+
|
59
|
+
# XXX: this constants MUST be defined in config.
|
60
|
+
# For more details # look at restful-authentication docs.
|
61
|
+
#
|
62
|
+
REST_AUTH_DIGEST_STRETCHES = $CONF.rest_auth_digest_streches
|
63
|
+
REST_AUTH_SITE_KEY = $CONF.rest_auth_site_key
|
64
|
+
|
65
|
+
def self.included(mod)
|
66
|
+
raise "#{self} should be inclued in an ActiveRecord class!" unless mod.respond_to?(:before_save)
|
67
|
+
end
|
68
|
+
|
69
|
+
def encrypt(password)
|
70
|
+
password_digest(password, self.salt)
|
71
|
+
end
|
72
|
+
|
73
|
+
def secure_digest(*args)
|
74
|
+
Digest::SHA1.hexdigest(args.flatten.join('--'))
|
75
|
+
end
|
76
|
+
|
77
|
+
def password_digest(password, salt)
|
78
|
+
digest = REST_AUTH_SITE_KEY
|
79
|
+
REST_AUTH_DIGEST_STRETCHES.times do
|
80
|
+
digest = secure_digest(digest, salt, password, REST_AUTH_SITE_KEY)
|
81
|
+
end
|
82
|
+
digest
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|