add CAS auth support. Provided by Tim Shadel

git-svn-id: svn+ssh://phoenix/srv/svn/webistrano/trunk@195 e1153f85-6c6c-dc11-afa8-0013d3c39b19

CHANGELOG.txt

@@ -1,6 +1,8 @@
 
 SVN
 
+* Added CAS-auth support. Provided by Tim Shadel.
+
 * Auto-scroll deployment log
 
 * Ability to cancel running deployments. Refactor deployment status.

app/controllers/application.rb

@@ -3,6 +3,7 @@ class ApplicationController < ActionController::Base
   include ExceptionNotifiable
   include AuthenticatedSystem
 
+  before_filter CASClient::Frameworks::Rails::Filter if WebistranoConfig[:authentication_method] == :cas
   before_filter :login_from_cookie, :login_required
   around_filter :set_timezone
 

app/controllers/sessions_controller.rb

@@ -26,8 +26,12 @@ def destroy
     self.current_user.forget_me if logged_in?
     cookies.delete :auth_token
     reset_session
-    flash[:notice] = "You have been logged out."
-    redirect_back_or_default( home_path )
+    if WebistranoConfig[:authentication_method] != :cas
+      flash[:notice] = "You have been logged out."
+      redirect_back_or_default( home_path )
+    else
+      redirect_to "#{CASClient::Frameworks::Rails::Filter.config[:logout_url]}?serviceUrl=#{home_url}"
+    end
   end
 
   def version

app/controllers/stylesheets_controller.rb

@@ -1,6 +1,9 @@
 class StylesheetsController < ApplicationController
 
   skip_before_filter :login_required
+  if WebistranoConfig[:authentication_method] == :cas
+    skip_before_filter CASClient::Frameworks::Rails::Filter
+  end
 
   session :off
 

app/models/user.rb

@@ -99,7 +99,7 @@ def encrypt_password
     end
 
     def password_required?
-      crypted_password.blank? || !password.blank?
+      WebistranoConfig[:authentication_method] != :cas && (crypted_password.blank? || !password.blank?)
     end
 
 

app/views/users/_form.html.erb

@@ -9,6 +9,7 @@
   <%= text_field 'user', 'email', :style =>'width:330px;' %>
 </p>
 
+<% unless WebistranoConfig[:authentication_method] == :cas -%>
 <p>
   <b>Password</b><br />
   <%= password_field 'user', 'password', :style =>'width:330px;' %>
@@ -18,6 +19,7 @@
   <b>Password confirmation</b><br />
   <%= password_field 'user', 'password_confirmation', :style =>'width:330px;' %>
 </p>
+<% end -%>
 
 <p>
   <b>Timezone</b><br />

config/cas.yml.example

@@ -0,0 +1,14 @@
+development:
+    :cas_base_url: https://cas.devexample.tld/cas/
+    :validate_url: https://cas.devexample.tld/cas/validate
+    :logout_url: https://cas.devexample.tld/cas/logout
+
+test:
+    :cas_base_url: https://cas.qaexample.tld/cas/
+    :validate_url: https://cas.qaexample.tld/cas/validate
+    :logout_url: https://cas.qaexample.tld/cas/logout
+
+production:
+    :cas_base_url: https://cas.example.tld/cas/
+    :validate_url: https://cas.example.tld/cas/validate
+    :logout_url: https://cas.example.tld/cas/logout

config/environment.rb

@@ -34,6 +34,7 @@
   # Force all environments to use the same logger level
   # (by default production uses :info, the others :debug)
   # config.log_level = :debug
+
 
   # Your secret key for verifying cookie session data integrity.
   # If you change this key, all old sessions will become invalid!
@@ -76,6 +77,11 @@
 
 # Include your application configuration below
 
+if WebistranoConfig[:authentication_method] == :cas
+  cas_options = YAML::load_file(RAILS_ROOT+'/config/cas.yml')
+  CASClient::Frameworks::Rails::Filter.configure(cas_options[RAILS_ENV])
+end
+
 WEBISTRANO_VERSION = '1.4'
 
 ActiveSupport::CoreExtensions::Time::Conversions::DATE_FORMATS.update(:log => '%Y-%m-%d %H:%M')

config/webistrano_config.rb.sample

@@ -7,6 +7,9 @@ WebistranoConfig = {
 
   # secret password for session HMAC
   :session_secret => 'please choose a long random string, min. 30 characters',
+
+  # Uncomment to use CAS authentication
+  # :authentication_method => :cas,
 
   # SMTP settings for outgoing email
   :smtp_delivery_method => :sendmail,
@@ -26,5 +29,5 @@ WebistranoConfig = {
   # Sender and recipient for Webistrano exceptions
   :exception_recipients => "team@example.com",
   :exception_sender_address => "webistrano@example.com"
-  
+
 }

lib/authenticated_system.rb

@@ -9,7 +9,7 @@ def logged_in?
     # Accesses the current user from the session.  Set it to :false if login fails
     # so that future calls do not hit the database.
     def current_user
-      @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie || :false)
+      @current_user ||= (login_from_cas || login_from_session || login_from_basic_auth || login_from_cookie || :false)
     end
 
     # Store the given user in the session.
@@ -95,6 +95,11 @@ def self.included(base)
       base.send :helper_method, :current_user, :logged_in?
     end
 
+    # Called from #current_user.  First attempt to login by the user id from cas.
+    def login_from_cas
+      self.current_user = User.find_by_login(session[:cas_user]) if session[:cas_user]
+    end
+
     # Called from #current_user.  First attempt to login by the user id stored in the session.
     def login_from_session
       self.current_user = User.find_by_id(session[:user]) if session[:user]

vendor/plugins/rubycas-client/CHANGELOG.txt

@@ -0,0 +1,138 @@
+= RubyCAS-Client Changelog
+
+== Version 2.1.0 :: In Progress...
+
+* Implemented single-sign-out functionality. The client will now intercept
+  single-sign-out requests and deal with them appropriately if the
+  :enable_single_sign_out config option is set to true. This is currently
+  disabled by default.
+* Added logout method to Rails adapter to simplify the logout process. The
+  logout method resets the local Rails session and redirects to the CAS
+  logout page.
+* The 'service' parameter in the logout method has been renamed to
+  'destination' to better match the behaviour of other CAS clients. So for
+  example, when you call logout_url("http://foo.example"), the method will
+  now return "https://cas.example?destination=https%3A%2F%2Ffoo.example"
+  instead of the old "https://cas.example?service=https%3A%2F%2Ffoo.example".
+  RubyCAS-Server has been modified to deal with this as of version 0.6.0.
+* Some behind-the-scenes change to the way previous authentication info is
+  reused by the Rails filter in subsequent requests (see the note below 
+  in the 2.0.1 release). From the user's and integrator's point of view 
+  there shouldn't be any obvious difference from 2.0.1.
+* Redirection loop interception: The client now logs a warning message when it 
+  believes that it is stuck in a redirection loop with the CAS server. If more 
+  than three of these redirects occur within one second, the client will
+  redirect back to the login page with renew=1, forcing the user to try
+  authenticating again. 
+* Fixed bug where the the service/destination parameter in the logout url
+  would retain the 'ticket' value. The ticket is now automatically stripped
+  from the logout url.
+* Extra user attributes are now automatically unserialized if the incoming data 
+  is in YAML format.
+
+== Version 2.0.1 :: 2008-02-27
+
+* The Rails filter no longer by default redirects to the CAS server on 
+  every request. This restores the behaviour of RubyCAS-Client 1.x.
+  In other words, if a session[:cas_user] value exists, the filter
+  will assume that the user is authenticated without going through the
+  CAS server. This behaviour can be disabled (so that a CAS re-check is 
+  done on every request) by setting the 'authenticate_on_every_request' 
+  option to true. See the "Re-authenticating on every request" section 
+  in the README.txt for details. 
+
+== Version 2.0.0 :: 2008-02-14
+
+* COMPLETE RE-WRITE OF THE ENTIRE CLIENT FROM THE GROUND UP. Oh yes.
+* Core client has been abstracted out of the Rails adapter. It should now
+  be possible to use the client in other frameworks (e.g. Camping).
+* Configuration syntax has completely changed. In other words, your old
+  rubycas-client-1.x configuration will no longer work. See the README
+  for details.
+* Added support for reading extra attributes from the CAS response (i.e. in
+  addition to just the username). However currently this is somewhat useless
+  since RubyCAS-Server does not yet provide a method for adding extra
+  attributes to the responses it generates.
+
+------------------------------------------------------------------------------
+
+== Version 1.1.0 :: 2007-12-21
+
+* Fixed serious bug having to do with logouts. You can now end the
+  CAS session on the client-side (i.e. force the client to re-authenticate)
+  by setting session[:casfilteruser] = nil.
+* Added new GatewayFilter. This is identical to the normal Filter but
+  has the gateway option set to true by default. This should make
+  using the gateway option easier.
+* The CAS::Filter methods are now properly documented.
+* Simplified guess_service produces better URLs when redirecting to the CAS
+  server for authentication and the service URL is not explicitly specified. 
+  [delagoya]
+* The correct method for overriding the service URL for the client is now
+  properly documented. You should use service_url=, as server_name= no longer
+  works and instead generates a warning message.
+* logout_url() now takes an additional 'service' parameter. If specified, this
+  URL will be passed on to the CAS server as part of the logout URL. 
+
+== Version 1.0.0 :: 2007-07-26
+
+* RubyCAS-Client has matured to the point where it is probably safe to
+  take it out of beta and release version 1.0.
+* Non-SSL CAS URLs will now work. This may be useful for demo purposes, 
+  but certainly shouldn't be used in production. The client automatically
+  disables SSL if the CAS URL starts with http (rather than https). [rubywmq]
+
+== Version 0.12.0
+
+* Prior to redirecting to the CAS login page, the client now stores the
+  current service URI in a session variable. This value is used to
+  validate the service ticket after the user comes back from the CAS
+  server's login page. This should address issues where redirection
+  from the CAS server resulted in a slightly different URI from the original
+  one used prior to login redirection (for example due to variations in the
+  way routing rules are applied by the server).
+* The client now handles malformed CAS server responses more gracefully.
+  This makes debugging a malfunctioning CAS server somewhat easier.
+* When receiving a proxy-granting ticket, the cas_proxy_callback_controller
+  can now take a parameter called 'pgt' (which is what ought to be used
+  according to the published CAS spec) or 'pgtId' (which is what the JA-SIG
+  CAS server uses).
+* Logging has been somewhat quieted down. Many messages that were previously
+  logged as INFO are now logged as DEBUG.
+
+== Version 0.11.0
+
+* Added this changelog to advise users of major changes to the library.
+* Large chunks of the library have been re-written. Beware of the possibility
+  of new bugs (although the re-write was meant to fix a whole slew of existing
+  bugs, so you're almost certainly better off upgrading).
+* service and targetService parameters in requests are now properly URI-encoded,
+  so the filter should behave properly when your service has query parameters.
+  Thanks sakazuki for pointing out the problem.
+* You can now force the CAS client to re-authenticate itself with the CAS server
+  (i.e. override the authentication stored in the session) by providing a new
+  service ticket in the URI. In other words, the client will authenticate with
+  CAS if: a) you have a 'ticket' parameter in the URI, and there is currently no
+  authentication info in the session, or b) you have a 'ticket' parameter in the
+  URI and this ticket is different than the ticket that was used to authenticat
+  the existing session. This is especially useful when you are using CAS proxying,
+  since it allows you to force re-authentication in proxied applications (for
+  example, when the user has logged out and a new user has logged in in the parent
+  proxy-granting application).
+* If your service URI has a 'ticket' parameter, it will now be automatically
+  removed when passing the service as a parameter in any CAS request. This is
+  done because at least some CAS servers will happily accept a service URI with
+  a 'ticket' parameter, which will result in a URI with  multiple 'ticket' 
+  parameters once you are redirected back to CAS (and that in turn can result 
+  in an endless redirection loop).
+* Logging has been greatly improved, which should make debugging your CAS
+  installation much easier. Look for the logs under log/cas_client_RAILS_ENV.log
+* When you install RubyCAS-Client as a Rails plugin, it will now by default
+  use a custom logger. You can change this by explicitly setting your own
+  logger in your environment.rb, or by modifying the plugin's init.rb.
+* CasProxyCallbackController no longer checks to make sure that the incoming
+  request is secure. The check is impossible since the secure header is not 
+  passed on by at least some reverse proxies (like Pound), and if you are using
+  the callback controller then you are almost certainly also using a reverse
+  proxy.
+* Cleaned up and updated documentation, fixed some example code.

vendor/plugins/rubycas-client/History.txt

@@ -0,0 +1 @@
+See CHANGELOG.txt