Class: CASino::SecondFactorAuthenticationAcceptorProcessor

Inherits:
Processor
  • Object
Includes:
ProcessorConcern::ServiceTickets, ProcessorConcern::TicketGrantingTickets, ProcessorConcern::TwoFactorAuthenticators
Defined in:
app/processors/casino/second_factor_authentication_acceptor_processor.rb

Overview

The SecondFactorAuthenticationAcceptor processor can be used to activate a previously generated ticket-granting ticket with pending two-factor authentication.

This feature is not described in the CAS specification, so implementing it on the web application side is completely optional.

Constant Summary

Constants included from ProcessorConcern::ServiceTickets

ProcessorConcern::ServiceTickets::RESERVED_CAS_PARAMETER_KEYS

Constants included from ProcessorConcern::Tickets

ProcessorConcern::Tickets::ALLOWED_TICKET_STRING_CHARACTERS

Instance Method Summary

Methods included from ProcessorConcern::TwoFactorAuthenticators

#validate_one_time_password

Methods included from ProcessorConcern::TicketGrantingTickets

#acquire_ticket_granting_ticket, #cleanup_expired_ticket_granting_tickets, #find_valid_ticket_granting_ticket, #load_or_initialize_user, #remove_ticket_granting_ticket

Methods included from ProcessorConcern::Browser

#browser_info, #same_browser?

Methods included from ProcessorConcern::ServiceTickets

#acquire_service_ticket, #clean_service_url

Methods included from ProcessorConcern::ProxyTickets

#acquire_proxy_ticket, #ticket_valid_for_service?, #validate_ticket_for_service

Methods included from ProcessorConcern::Tickets

#random_ticket_string

Methods inherited from Processor

#initialize

Constructor Details

This class inherits a constructor from CASino::Processor

Instance Method Details

#process(params = nil, user_agent = nil) ⇒ Object

The method will call one of the following methods on the listener:

  • `#user_not_logged_in`: The user should be redirected to /login.

  • `#user_logged_in`: The first argument (String) is the URL (if any) the user should be redirected to. The second argument (String) is the ticket-granting ticket. It should be stored in a cookie named “tgt”.

  • `#invalid_one_time_password`: The user should be asked for a new OTP.

Parameters:

  • params (Hash) (defaults to: nil)

    parameters supplied by user. The processor will look for keys :otp and :service.

  • user_agent (String) (defaults to: nil)

    user-agent delivered by the client

# File 'app/processors/casino/second_factor_authentication_acceptor_processor.rb', line 18

def process(params = nil, user_agent = nil)
  cookies ||= {}
  tgt = find_valid_ticket_granting_ticket(params[:tgt], user_agent, true)
  if tgt.nil?
    @listener.user_not_logged_in
  else
    validation_result = validate_one_time_password(params[:otp], tgt.user.active_two_factor_authenticator)
    if validation_result.success?
      tgt.awaiting_two_factor_authentication = false
      tgt.save!
      begin
        url = unless params[:service].blank?
          acquire_service_ticket(tgt, params[:service], true).service_with_ticket_url
        end
        if tgt.long_term?
          @listener.user_logged_in(url, tgt.ticket, CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now)
        else
          @listener.user_logged_in(url, tgt.ticket)
        end
      rescue ServiceNotAllowedError => e
        @listener.service_not_allowed(clean_service_url params[:service])
      end
    else
      @listener.invalid_one_time_password
    end
  end
end
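
A listener that handles every call #process makes in the source above, including the optional third argument of #user_logged_in (the expiry for long-term tickets) and #service_not_allowed. This is an added example, not CASino's own code; the Response struct, the /login and /sessions paths, the cookie attributes and the 403 status are assumptions made for illustration.

```ruby
require 'erb'

# Hypothetical stand-in for a framework response object (not part of CASino).
Response = Struct.new(:status, :location, :cookies, :body)

class SecondFactorListener
  attr_reader :response

  # login_path, default_path and secure are assumptions of this example.
  def initialize(login_path: '/login', default_path: '/sessions', secure: true)
    @login_path = login_path
    @default_path = default_path
    @secure = secure
    @response = Response.new(200, nil, {}, nil)
  end

  # No valid ticket-granting ticket was found: restart the login.
  def user_not_logged_in
    redirect(@login_path)
  end

  # expires is passed only for long-term tickets; without it the cookie
  # lasts for the browser session.
  def user_logged_in(url, ticket, expires = nil)
    cookie = { value: ticket, path: '/', httponly: true, secure: @secure }
    cookie[:expires] = expires if expires
    @response.cookies['tgt'] = cookie
    redirect(url || @default_path)
  end

  # Wrong OTP: no cookie is set, the user is asked again.
  def invalid_one_time_password
    @response.status = 403
    @response.body = 'Invalid one-time password, please try again.'
  end

  # The service URL came from the request, so escape it before echoing it.
  def service_not_allowed(service_url)
    @response.status = 403
    @response.body = "Service not allowed: #{ERB::Util.html_escape(service_url)}"
  end

  private

  def redirect(target)
    @response.status = 302
    @response.location = target
  end
end
```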