vibes-rubycas-client 2.3.0.alpha

data/examples/rails/script/about

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+$LOAD_PATH.unshift "#{RAILTIES_PATH}/builtin/rails_info"
+require 'commands/about'

data/examples/rails/script/console

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/console'

data/examples/rails/script/server

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/server'

data/lib/casclient.rb

@@ -0,0 +1,89 @@
+require 'uri'
+require 'cgi'
+require 'logger'
+require 'net/https'
+require 'rexml/document'
+
+begin
+  require 'active_support'
+rescue LoadError
+  require 'rubygems'
+  require 'active_support'
+end
+
+$: << File.expand_path(File.dirname(__FILE__))
+
+module CASClient
+  class CASException < Exception
+  end
+
+  # Customized logger for the client.
+  # This is useful if you're trying to do logging in Rails, since Rails'
+  # clean_logger.rb pretty much completely breaks the base Logger class.
+  class Logger < ::Logger
+    def initialize(logdev, shift_age = 0, shift_size = 1048576)
+      @default_formatter = Formatter.new
+      super
+    end
+  
+    def format_message(severity, datetime, progrname, msg)
+      (@formatter || @default_formatter).call(severity, datetime, progname, msg)
+    end
+    
+    def break
+      self << $/
+    end
+    
+    class Formatter < ::Logger::Formatter
+      Format = "[%s#%d] %5s -- %s: %s\n"
+      
+      def call(severity, time, progname, msg)
+        Format % [format_datetime(time), $$, severity, progname, msg2str(msg)]
+      end
+    end
+  end
+
+  # Wraps a real Logger. If no real Logger is set, then this wrapper
+  # will quietly swallow any logging calls.
+  class LoggerWrapper
+    def initialize(real_logger=nil)
+      set_logger(real_logger)
+    end
+    # Assign the 'real' Logger instance that this dummy instance wraps around.
+    def set_real_logger(real_logger)
+      @real_logger = real_logger
+    end
+    # Log using the appropriate method if we have a logger
+    # if we dont' have a logger, gracefully ignore.
+    def method_missing(name, *args)
+      if @real_logger && @real_logger.respond_to?(name)
+        @real_logger.send(name, *args)
+      end
+    end
+  end
+end
+
+require 'casclient/tickets'
+require 'casclient/responses'
+require 'casclient/client'
+
+# Detect legacy configuration and show appropriate error message
+module CAS
+  module Filter
+    class << self
+    def method_missing(method, *args)
+      $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+      $stderr.puts
+      $stderr.puts "WARNING: Your RubyCAS-Client configuration is no longer valid!!"
+      $stderr.puts
+      $stderr.puts "For information on the new configuration format please see: "
+      $stderr.puts
+      $stderr.puts "   http://rubycas-client.googlecode.com/svn/trunk/rubycas-client/README.txt"
+      $stderr.puts
+      $stderr.puts "After upgrading your configuration you should also clear your application's session store."
+      $stderr.puts
+      $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+    end
+    end
+  end
+end

data/lib/casclient/client.rb

@@ -0,0 +1,271 @@
+module CASClient
+  # The client brokers all HTTP transactions with the CAS server.
+  class Client
+    attr_reader :cas_base_url 
+    attr_reader :log, :username_session_key, :extra_attributes_session_key
+    attr_writer :login_url, :validate_url, :proxy_url, :logout_url, :service_url
+    attr_accessor :proxy_callback_url, :proxy_retrieval_url
+    
+    def initialize(conf = nil)
+      configure(conf) if conf
+    end
+    
+    def configure(conf)
+      #TODO: raise error if conf contains unrecognized cas options (this would help detect user typos in the config)
+
+      raise ArgumentError, "Missing :cas_base_url parameter!" unless conf[:cas_base_url]
+      
+      @cas_base_url      = conf[:cas_base_url].gsub(/\/$/, '')       
+      
+      @login_url    = conf[:login_url]
+      @logout_url   = conf[:logout_url]
+      @validate_url = conf[:validate_url]
+      @proxy_url    = conf[:proxy_url]
+      @service_url  = conf[:service_url]
+      @force_ssl_verification  = conf[:force_ssl_verification]
+      @proxy_callback_url  = conf[:proxy_callback_url]
+      @proxy_retrieval_url = conf[:proxy_retrieval_url]
+      
+      @username_session_key         = conf[:username_session_key] || :cas_user
+      @extra_attributes_session_key = conf[:extra_attributes_session_key] || :cas_extra_attributes
+      
+      @log = CASClient::LoggerWrapper.new
+      @log.set_real_logger(conf[:logger]) if conf[:logger]
+    end
+    
+    def login_url
+      @login_url || (cas_base_url + "/login")
+    end
+    
+    def validate_url
+      @validate_url || (cas_base_url + "/proxyValidate")
+    end
+    
+    # Returns the CAS server's logout url.
+    #
+    # If a logout_url has not been explicitly configured,
+    # the default is cas_base_url + "/logout".
+    #
+    # destination_url:: Set this if you want the user to be
+    #                   able to immediately log back in. Generally
+    #                   you'll want to use something like <tt>request.referer</tt>.
+    #                   Note that the above behaviour describes RubyCAS-Server 
+    #                   -- other CAS server implementations might use this
+    #                   parameter differently (or not at all).
+    # follow_url:: This satisfies section 2.3.1 of the CAS protocol spec.
+    #              See http://www.ja-sig.org/products/cas/overview/protocol
+    def logout_url(destination_url = nil, follow_url = nil)
+      url = @logout_url || (cas_base_url + "/logout")
+      
+      if destination_url
+        # if present, remove the 'ticket' parameter from the destination_url
+        duri = URI.parse(destination_url)
+        h = duri.query ? query_to_hash(duri.query) : {}
+        h.delete('ticket')
+        duri.query = hash_to_query(h)
+        destination_url = duri.to_s.gsub(/\?$/, '')
+      end
+      
+      if destination_url || follow_url
+        uri = URI.parse(url)
+        h = uri.query ? query_to_hash(uri.query) : {}
+        h['destination'] = destination_url if destination_url
+        h['url'] = follow_url if follow_url
+        uri.query = hash_to_query(h)
+        uri.to_s
+      else
+        url
+      end
+    end
+    
+    def proxy_url
+      @proxy_url || (cas_base_url + "/proxy")
+    end
+    
+    def validate_service_ticket(st)
+      uri = URI.parse(validate_url)
+      h = uri.query ? query_to_hash(uri.query) : {}
+      h['service'] = st.service
+      h['ticket'] = st.ticket
+      h['renew'] = 1 if st.renew
+      h['pgtUrl'] = proxy_callback_url if proxy_callback_url
+      uri.query = hash_to_query(h)
+      
+      st.response = request_cas_response(uri, ValidationResponse)
+      
+      return st
+    end
+    alias validate_proxy_ticket validate_service_ticket
+    
+    # Returns true if the configured CAS server is up and responding;
+    # false otherwise.
+    def cas_server_is_up?
+      uri = URI.parse(login_url)
+      
+      log.debug "Checking if CAS server at URI '#{uri}' is up..."
+      
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      https.verify_mode = (@force_ssl_verification ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE)
+      
+      begin
+        raw_res = https.start do |conn|
+          conn.get("#{uri.path}?#{uri.query}")
+        end
+      rescue Errno::ECONNREFUSED => e
+        log.warn "CAS server did not respond! (#{e.inspect})"
+        return false
+      end
+      
+      log.debug "CAS server responded with #{raw_res.inspect}:\n#{raw_res.body}"
+      
+      return raw_res.kind_of?(Net::HTTPSuccess)
+    end
+    
+    # Requests a login using the given credentials for the given service; 
+    # returns a LoginResponse object.
+    def login_to_service(credentials, service)
+      lt = request_login_ticket
+      
+      data = credentials.merge(
+        :lt => lt,
+        :service => service 
+      )
+      
+      res = submit_data_to_cas(login_url, data)
+      response = CASClient::LoginResponse.new(res)
+
+      if response.is_success?
+        log.info("Login was successful for ticket: #{response.ticket.inspect}.")
+      end
+
+      return response
+    end
+  
+    # Requests a login ticket from the CAS server for use in a login request;
+    # returns a LoginTicket object.
+    #
+    # This only works with RubyCAS-Server, since obtaining login
+    # tickets in this manner is not part of the official CAS spec.
+    def request_login_ticket
+      uri = URI.parse(login_url+'Ticket')
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      https.verify_mode = (@force_ssl_verification ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE)
+      res = https.post(uri.path, ';')
+      
+      raise CASException, res.body unless res.kind_of? Net::HTTPSuccess
+      
+      res.body.strip
+    end
+    
+    # Requests a proxy ticket from the CAS server for the given service
+    # using the given pgt (proxy granting ticket); returns a ProxyTicket 
+    # object.
+    #
+    # The pgt required to request a proxy ticket is obtained as part of
+    # a ValidationResponse.
+    def request_proxy_ticket(pgt, target_service)
+      uri = URI.parse(proxy_url)
+      h = uri.query ? query_to_hash(uri.query) : {}
+      h['pgt'] = pgt.ticket
+      h['targetService'] = target_service
+      uri.query = hash_to_query(h)
+      
+      pr = request_cas_response(uri, ProxyResponse)
+      
+      pt = ProxyTicket.new(pr.proxy_ticket, target_service)
+      pt.response = pr
+      
+      return pt
+    end
+    
+    def retrieve_proxy_granting_ticket(pgt_iou)
+      uri = URI.parse(proxy_retrieval_url)
+      uri.query = (uri.query ? uri.query + "&" : "") + "pgtIou=#{CGI.escape(pgt_iou)}"
+      retrieve_url = uri.to_s
+      
+      log.debug "Retrieving PGT for PGT IOU #{pgt_iou.inspect} from #{retrieve_url.inspect}"
+      
+#      https = Net::HTTP.new(uri.host, uri.port)
+#      https.use_ssl = (uri.scheme == 'https')
+#      res = https.post(uri.path, ';')
+      uri = URI.parse(uri) unless uri.kind_of? URI
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      https.verify_mode = (@force_ssl_verification ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE)
+      
+      res = https.start do |conn|
+        conn.get("#{uri.path}?#{uri.query}")
+      end
+      
+      
+      raise CASException, res.body unless res.kind_of? Net::HTTPSuccess
+      
+      ProxyGrantingTicket.new(res.body.strip, pgt_iou)
+    end
+    
+    def add_service_to_login_url(service_url)
+      uri = URI.parse(login_url)
+      uri.query = (uri.query ? uri.query + "&" : "") + "service=#{CGI.escape(service_url)}"
+      uri.to_s
+    end
+    
+    private
+    # Fetches a CAS response of the given type from the given URI.
+    # Type should be either ValidationResponse or ProxyResponse.
+    def request_cas_response(uri, type)
+      log.debug "Requesting CAS response for URI #{uri}"
+      
+      uri = URI.parse(uri) unless uri.kind_of? URI
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      https.verify_mode = (@force_ssl_verification ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE)
+      
+      begin
+        raw_res = https.start do |conn|
+          conn.get("#{uri.path}?#{uri.query}")
+        end
+      rescue Errno::ECONNREFUSED => e
+        log.error "CAS server did not respond! (#{e.inspect})"
+        raise "The CAS authentication server at #{uri} is not responding!"
+      end
+      
+      # We accept responses of type 422 since RubyCAS-Server generates these
+      # in response to requests from the client that are processable but contain
+      # invalid CAS data (for example an invalid service ticket).
+      if raw_res.kind_of?(Net::HTTPSuccess) || raw_res.code.to_i == 422
+        log.debug "CAS server responded with #{raw_res.inspect}:\n#{raw_res.body}"
+      else
+        log.error "CAS server responded with an error! (#{raw_res.inspect})"
+        raise "The CAS authentication server at #{uri} responded with an error (#{raw_res.inspect})!"
+      end
+      
+      type.new(raw_res.body)
+    end
+    
+    # Submits some data to the given URI and returns a Net::HTTPResponse.
+    def submit_data_to_cas(uri, data)
+      uri = URI.parse(uri) unless uri.kind_of? URI
+      req = Net::HTTP::Post.new(uri.path)
+      req.set_form_data(data, ';')
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      https.verify_mode = (@force_ssl_verification ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE)
+      https.start {|conn| conn.request(req) }
+    end
+    
+    def query_to_hash(query)
+      CGI.parse(query)
+    end
+      
+    def hash_to_query(hash)
+      pairs = []
+      hash.each do |k, vals|
+        vals = [vals] unless vals.kind_of? Array
+        vals.each {|v| pairs << (v.nil? ? CGI.escape(k) : "#{CGI.escape(k)}=#{CGI.escape(v)}")}
+      end
+      pairs.join("&")
+    end
+  end
+end

data/lib/casclient/frameworks/merb/filter.rb

@@ -0,0 +1,105 @@
+module CASClient
+  module Frameworks
+    module Merb
+      module Filter
+        attr_reader :client
+
+        def cas_filter
+          @client ||= CASClient::Client.new(config)
+
+          service_ticket = read_ticket(self)
+
+          cas_login_url = client.add_service_to_login_url(read_service_url(self))
+
+          last_service_ticket = session[:cas_last_valid_ticket]
+          if (service_ticket && last_service_ticket && 
+              last_service_ticket.ticket == service_ticket.ticket && 
+              last_service_ticket.service == service_ticket.service)
+
+            # warn() rather than info() because we really shouldn't be re-validating the same ticket. 
+            # The only time when this is acceptable is if the user manually does a refresh and the ticket
+            # happens to be in the URL.
+            log.warn("Reusing previously validated ticket since the new ticket and service are the same.")
+            service_ticket = last_service_ticket
+          elsif last_service_ticket &&
+            !config[:authenticate_on_every_request] && 
+            session[client.username_session_key]
+            # Re-use the previous ticket if the user already has a local CAS session (i.e. if they were already
+            # previously authenticated for this service). This is to prevent redirection to the CAS server on every
+            # request.
+            # This behaviour can be disabled (so that every request is routed through the CAS server) by setting
+            # the :authenticate_on_every_request config option to false. 
+            log.debug "Existing local CAS session detected for #{session[client.username_session_key].inspect}. "+
+              "Previous ticket #{last_service_ticket.ticket.inspect} will be re-used."
+              service_ticket = last_service_ticket
+          end
+
+          if service_ticket
+            client.validate_service_ticket(service_ticket) unless service_ticket.has_been_validated?
+            validation_response = service_ticket.response
+
+            if service_ticket.is_valid?
+              log.info("Ticket #{service_ticket.inspect} for service #{service_ticket.service.inspect} " + 
+                "belonging to user #{validation_response.user.inspect} is VALID.")
+
+              session[client.username_session_key] = validation_response.user
+              session[client.extra_attributes_session_key] = validation_response.extra_attributes
+
+              # Store the ticket in the session to avoid re-validating the same service
+              # ticket with the CAS server.
+              session[:cas_last_valid_ticket] = service_ticket
+              return true
+            else  
+              log.warn("Ticket #{service_ticket.ticket.inspect} failed validation -- " + 
+                "#{validation_response.failure_code}: #{validation_response.failure_message}")
+              redirect cas_login_url
+              throw :halt
+            end
+          else
+            log.warn("No ticket -- redirecting to #{cas_login_url}")
+            redirect cas_login_url
+            throw :halt
+          end
+        end
+
+        private
+        # Copied from Rails adapter
+        def read_ticket(controller)
+          ticket = controller.params[:ticket]
+
+          return nil unless ticket
+
+          log.debug("Request contains ticket #{ticket.inspect}.")
+
+          if ticket =~ /^PT-/
+            ProxyTicket.new(ticket, read_service_url(controller), controller.params[:renew])
+          else
+            ServiceTicket.new(ticket, read_service_url(controller), controller.params[:renew])
+          end
+        end
+
+        # Also copied from Rails adapter
+        def read_service_url(controller)
+          if config[:service_url]
+            log.debug("Using explicitly set service url: #{config[:service_url]}")
+            return config[:service_url]
+          end
+
+          params = controller.params.dup
+          params.delete(:ticket)
+          service_url = request.protocol + '://' + request.host / controller.url(params.to_hash.symbolize_keys!)
+          log.debug("Guessed service url: #{service_url.inspect}")
+          return service_url
+        end
+
+        def log
+          ::Merb.logger
+        end
+
+        def config
+          ::Merb::Plugins.config[:"rubycas-client"]
+        end
+      end
+    end
+  end
+end