Module: Cassy::CAS

Defined in:
lib/cassy/cas.rb

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.base_service_url(full_service_url) ⇒ Object 



145
146
147
148
149
150
151
152
153
154
155
 
# File 'lib/cassy/cas.rb', line 145

def base_service_url(full_service_url)
  # strips a url back to the domain part only
  # so that a service ticket can work for all urls on a given domain
  # eg http://www.something.com/something_else
  # is stripped back to
  # http://www.something.com
  # expects it to be in 'http://x' form
  return unless full_service_url
  match = full_service_url.match(/(http(s?):\/\/[a-z0-9\.:]*)/)
  match && match[0]
end

.cas_login(session_type = nil) ⇒ Object 



175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
 
# File 'lib/cassy/cas.rb', line 175

def (session_type = nil)
  if valid_credentials?
    username = ticket_username
    username = "#{username}-#{session_type}" if Cassy.config[:concurrent_session_types]

    @tgt||= Cassy::TicketGrantingTicket.generate(username, @extra_attributes, @hostname)
    @existing_ticket_for_service = @tgt.granted_service_tickets.where(:service => @service).where("created_on > ?", Time.now - Cassy.config[:maximum_session_lifetime]).where("consumed IS NOT NULL").first
    response.set_cookie('tgt', @tgt.to_s)
    if @ticketing_service
      find_or_generate_service_tickets(username, @tgt, @hostname)
      @st = @service_tickets[@ticketing_service]
      @service_with_ticket = @service && @st ? service_uri_with_ticket(@service, @st) : @default_redirect_url
    end
    # if there is an existing ticket for the service that redirected to cassy,
    # then the session isn't valid on the serviced app and we don't want to redirect to it.
    # Returning false here will fail the cas_login and the controller will see the instance variable and redirect to logout.
    !@existing_ticket_for_service
  else
    false
  end
end

.clean_service_url(dirty_service) ⇒ Object

Strips CAS-related parameters from a service URL and normalizes it, removing trailing / and ?. Also converts any spaces to +.

For example, “google.com?ticket=12345” will be returned as “google.com”. Also, “google.com/” would be returned as “google.com”.

Note that only the first occurance of each CAS-related parameter is removed, so that “google.com?ticket=12345&ticket=abcd” would be returned as “google.com?ticket=abcd”.



127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
 
# File 'lib/cassy/cas.rb', line 127

def clean_service_url(dirty_service)
  return dirty_service if dirty_service.blank?
  clean_service = dirty_service.dup
  ['service', 'ticket', 'gateway', 'renew'].each do |p|
    clean_service.sub!(Regexp.new("&?#{p}=[^&]*"), '')
  end

  clean_service.gsub!(/[\/\?&]$/, '') # remove trailing ?, /, or &
  clean_service.gsub!('?&', '?')
  clean_service.gsub!(' ', '+')

  logger.debug("Cleaned dirty service URL #{dirty_service.inspect} to #{clean_service.inspect}") if
    dirty_service != clean_service

  return clean_service
end

.detect_ticketing_service(service) ⇒ Object 



158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
 
# File 'lib/cassy/cas.rb', line 158

def detect_ticketing_service(service)
  # try to find the service in the valid_services list
  # if loosely_matched_services is true, try to match the base url of the service to one in the valid_services list
  # if still no luck, check if there is a default_redirect_url that we can use
  @service||= service
  @ticketing_service||= valid_services.detect{|s| s == @service } ||
    (settings[:loosely_match_services] == true && valid_services.detect{|s| base_service_url(s) == base_service_url(@service)})
  if !@ticketing_service && settings[:default_redirect_url]
    @default_redirect_url||= settings[:default_redirect_url][Rails.env]
    @ticketing_service = @default_redirect_url
  end
  @username||= params[:username].try(:strip)
  @password||= params[:password]
  @lt||= params['lt']
end

.valid_credentials?Boolean

Initializes authenticator, returns true / false depending on if user credentials are accurate

Returns:

  • (Boolean) 


199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
 
# File 'lib/cassy/cas.rb', line 199

def valid_credentials?
  detect_ticketing_service(params[:service])
  @extra_attributes = {}
  # Should probably be moved out of the request cycle and into an after init hook on the engine

  credentials = { :username => @username,
                  :password => @password,
                  :service  => @service,
                  :request  => @env
                }
  @user = authenticator.find_user(credentials) || authenticator.find_user_from_ticket(@tgt)
  valid = ((@user == @ticketed_user) || authenticator.validate(credentials)) && !!@user
  if valid && @user
    authenticator.extra_attributes_to_extract.each do |attr|
      @extra_attributes[attr] = @user.send(attr)
    end
  end
  return valid
end

Instance Method Details

#find_or_generate_service_tickets(username, tgt, hostname) ⇒ Object 



27
28
29
30
31
32
 
# File 'lib/cassy/cas.rb', line 27

def find_or_generate_service_tickets(username, tgt, hostname)
  @service_tickets={}
  valid_services.each do |service|
    @service_tickets[service] = Cassy::ServiceTicket.find_or_generate(service, username, tgt, hostname)
  end
end

#generate_login_ticketObject 



16
17
18
19
20
21
22
23
24
25
 
# File 'lib/cassy/cas.rb', line 16

def 
  # 3.5 (login ticket)
  lt = Cassy::LoginTicket.new
  lt.ticket = "LT-" + Cassy::Utils.random_string

  lt.client_hostname = env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']
  lt.save!
  logger.debug("Generated login ticket '#{lt.ticket}' for client at '#{lt.client_hostname}'")
  lt
end

#generate_proxy_granting_ticket(pgt_url, st) ⇒ Object 



54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
 
# File 'lib/cassy/cas.rb', line 54

def generate_proxy_granting_ticket(pgt_url, st)
  uri = URI.parse(pgt_url)
  https = Net::HTTP.new(uri.host,uri.port)
  https.use_ssl = true

  # Here's what's going on here:
  #
  #   1. We generate a ProxyGrantingTicket (but don't store it in the database just yet)
  #   2. Deposit the PGT and it's associated IOU at the proxy callback URL.
  #   3. If the proxy callback URL responds with HTTP code 200, store the PGT and return it;
  #      otherwise don't save it and return nothing.
  #
  https.start do |conn|
    path = uri.path.empty? ? '/' : uri.path
    path += '?' + uri.query unless (uri.query.nil? || uri.query.empty?)

    pgt = ProxyGrantingTicket.new
    pgt.ticket = "PGT-" + Cassy::Utils.random_string(60)
    pgt.iou = "PGTIOU-" + Cassy::Utils.random_string(57)
    pgt.service_ticket_id = st.id
    pgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']

    # FIXME: The CAS protocol spec says to use 'pgt' as the parameter, but in practice
    #         the JA-SIG and Yale server implementations use pgtId. We'll go with the
    #         in-practice standard.
    path += (uri.query.nil? || uri.query.empty? ? '?' : '&') + "pgtId=#{pgt.ticket}&pgtIou=#{pgt.iou}"

    response = conn.request_get(path)
    # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
    # NOTE: The following response codes are valid according to the JA-SIG implementation even without following redirects

    if %w(200 202 301 302 304).include?(response.code)
      # 3.4 (proxy-granting ticket IOU)
      pgt.save!
      logger.debug "PGT generated for pgt_url '#{pgt_url}': #{pgt.inspect}"
      pgt
    else
      logger.warn "PGT callback server responded with a bad result code '#{response.code}'. PGT will not be stored."
      nil
    end
  end
end

#generate_proxy_ticket(target_service, pgt) ⇒ Object 



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
# File 'lib/cassy/cas.rb', line 38

def generate_proxy_ticket(target_service, pgt)
  # 3.2 (proxy ticket)
  pt = ProxyTicket.new
  pt.ticket = "PT-" + Cassy::Utils.random_string
  pt.service = target_service
  pt.username = pgt.service_ticket.username
  pt.granted_by_pgt_id = pgt.id
  pt.granted_by_tgt_id = pgt.service_ticket.granted_by_tgt.id
  pt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
  pt.save!
  logger.debug("Generated proxy ticket '#{pt.ticket}' for target service '#{pt.service}'" +
    " for user '#{pt.username}' at '#{pt.client_hostname}' using proxy-granting" +
    " ticket '#{pgt.ticket}'")
  pt
end

#service_uri_with_ticket(service, st) ⇒ Object

Raises:

  • (ArgumentError) 


97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
# File 'lib/cassy/cas.rb', line 97

def service_uri_with_ticket(service, st)
  raise ArgumentError, "Second argument must be a ServiceTicket!" unless st.kind_of? Cassy::ServiceTicket

  # This will choke with a URI::InvalidURIError if service URI is not properly URI-escaped...
  # This exception is handled further upstream (i.e. in the controller).
  service_uri = URI.parse(service)
  if service.include? "?"
    if service_uri.query.empty?
      query_separator = ""
    else
      query_separator = "&"
    end
  else
    query_separator = "?"
  end

  service_with_ticket = service + query_separator + "ticket=" + st.ticket
  service_with_ticket
end

#settingsObject 



12
13
14
 
# File 'lib/cassy/cas.rb', line 12

def settings
  Cassy.config
end

#valid_servicesObject 



34
35
36
 
# File 'lib/cassy/cas.rb', line 34

def valid_services
  @valid_services || settings[:service_list][Rails.env]
end