Basic auth token validation

rbCAS · Aug 10, 2014 · 70fc1a4 · 70fc1a4
1 parent 060544c
commit 70fc1a4
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 11 deletions.
diff --git a/app/controllers/casino/auth_tokens_controller.rb b/app/controllers/casino/auth_tokens_controller.rb
@@ -0,0 +1,56 @@
+class CASino::AuthTokensController < CASino::ApplicationController
+  before_action :validate_auth_token_signature, :validate_auth_token_ticket
+
+  def login
+    raise "#{auth_token_data[:username]} logged in successfully"
+  end
+
+  private
+  def validate_auth_token_signature
+    digest = OpenSSL::Digest::SHA256.new
+    Dir.glob(Rails.root.join('config/auth_token_signers/*.pem')) do |file|
+      key = OpenSSL::PKey::RSA.new File.read(file)
+      if key.verify(digest, auth_token_signature, auth_token)
+        logger.info "Successfully validated auth token signature with #{file}"
+        return true
+      end
+    end
+    logger.info 'Auth token signature is not valid'
+    redirect_to_login
+  end
+
+  def validate_auth_token_ticket
+    unless auth_token_ticket_valid?(auth_token_data[:ticket])
+      redirect_to_login
+    end
+  end
+
+  def redirect_to_login
+    redirect_to login_path(service: params[:service])
+  end
+
+  def auth_token_signature
+    @auth_token_signature ||= base64_decode(params[:ats])
+  end
+
+  def auth_token
+    @auth_token ||= base64_decode(params[:at])
+  end
+
+  def base64_decode(data)
+    return '' if data.nil?
+    begin
+      Base64.strict_decode64(data)
+    rescue
+      ''
+    end
+  end
+
+  def auth_token_data
+    JSON.parse(auth_token).symbolize_keys
+  end
+
+  def auth_token_ticket_valid?(auth_token_ticket)
+    CASino::AuthTokenTicket.consume(auth_token_ticket)
+  end
+end
diff --git a/app/models/casino/auth_token_ticket.rb b/app/models/casino/auth_token_ticket.rb
@@ -1,16 +1,8 @@
 class CASino::AuthTokenTicket < ActiveRecord::Base
   include CASino::ModelConcern::Ticket
-  validates :ticket, uniqueness: true
+  include CASino::ModelConcern::ConsumableTicket
 
-  def self.cleanup
-    self.delete_all(['created_at < ?', CASino.config.auth_token_ticket[:lifetime].seconds.ago])
-  end
+  self.ticket_prefix = 'ATT'.freeze
+  self.ticket_lifetime = CASino.config.auth_token_ticket[:lifetime].seconds
 
-  def self.ticket_prefix
-    'ATT'.freeze
-  end
-
-  def to_s
-    self.ticket
-  end
 end
diff --git a/app/models/casino/model_concern/consumable_ticket.rb b/app/models/casino/model_concern/consumable_ticket.rb
@@ -0,0 +1,20 @@
+module CASino::ModelConcern::ConsumableTicket
+  extend ActiveSupport::Concern
+
+  module ClassMethods
+    def consume(ticket_identifier)
+      ticket = find_by_ticket(ticket_identifier)
+      if ticket.nil?
+        Rails.logger.info "#{model_name.human} '#{ticket_identifier}' not found"
+        false
+      elsif ticket.created_at < ticket_lifetime.ago
+        Rails.logger.info "#{model_name.human} '#{ticket.ticket}' expired"
+        false
+      else
+        Rails.logger.debug "#{model_name.human} '#{ticket.ticket}' successfully validated"
+        ticket.delete
+        true
+      end
+    end
+  end
+end
diff --git a/app/models/casino/model_concern/ticket.rb b/app/models/casino/model_concern/ticket.rb
@@ -2,7 +2,19 @@ module CASino::ModelConcern::Ticket
   extend ActiveSupport::Concern
 
   included do
+    validates :ticket, uniqueness: true
     before_create :ensure_ticket_present
+    class_attribute :ticket_prefix, :ticket_lifetime
+  end
+
+  module ClassMethods
+    def cleanup
+      delete_all(['created_at < ?', ticket_lifetime.ago])
+    end
+  end
+
+  def to_s
+    ticket
   end
 
   private

diff --git a/config/routes.rb b/config/routes.rb
@@ -17,6 +17,8 @@
   get 'proxyValidate' => 'proxy_tickets#proxy_validate'
   get 'proxy' => 'proxy_tickets#create'
 
+  get 'authTokenLogin' => 'auth_tokens#login'
+
   root to: redirect('login')
 
   # The priority is based upon order of creation: