Merge branch 'allowed_service_ips'

Conflicts: lib/casserver/server.rb spec/spec_helper.rb
rubycas · Dec 21, 2012 · d323c3a · d323c3a
2 parents 7145481 + 6b1ccf9
commit d323c3a
Show file tree

Hide file tree

Showing 10 changed files with 186 additions and 66 deletions.
diff --git a/config/config.example.yml b/config/config.example.yml
@@ -532,3 +532,12 @@ log:
 # convert this to "jsmith".
 
 #downcase_username: true
+
+# If you'd like to limit the service hosts that can use CAS for authentication,
+# add the individual IPs and IP ranges in CIDR notation below. Leaving this
+# setting blank will allow any server to authenticate users via the CAS server
+# and potentially harvest sensitive user information.
+
+#allowed_service_ips:
+#  - 127.0.0.1
+#  - 192.168.0.0/24
diff --git a/gemfiles/rails2.gemfile.lock b/gemfiles/rails2.gemfile.lock
@@ -29,6 +29,7 @@ GEM
       xpath (~> 0.1.4)
     childprocess (0.3.5)
       ffi (~> 1.0, >= 1.0.6)
+    crack (0.3.1)
     crypt-isaac (0.9.1)
     diff-lcs (1.1.3)
     ffi (1.1.5)
@@ -77,6 +78,9 @@ GEM
     sqlite3 (1.3.6)
     thor (0.16.0)
     tilt (1.3.3)
+    webmock (1.9.0)
+      addressable (>= 2.2.7)
+      crack (>= 0.1.7)
     xpath (0.1.4)
       nokogiri (~> 1.3)
 
@@ -92,10 +96,12 @@ DEPENDENCIES
   guard (~> 1.4.0)
   guard-rspec (= 2.0.0)
   net-ldap (~> 0.1.1)
+  nokogiri (~> 1.3)
   rack-test
   rake (= 0.8.7)
   rb-fsevent (~> 0.9.2)
   rspec
   rspec-core
   rubycas-server!
   sqlite3 (~> 1.3.1)
+  webmock (~> 1.8)
diff --git a/gemfiles/rails30.gemfile.lock b/gemfiles/rails30.gemfile.lock
@@ -39,6 +39,7 @@ GEM
       xpath (~> 0.1.4)
     childprocess (0.3.5)
       ffi (~> 1.0, >= 1.0.6)
+    crack (0.3.1)
     crypt-isaac (0.9.1)
     diff-lcs (1.1.3)
     ffi (1.1.5)
@@ -89,6 +90,9 @@ GEM
     thor (0.16.0)
     tilt (1.3.3)
     tzinfo (0.3.33)
+    webmock (1.9.0)
+      addressable (>= 2.2.7)
+      crack (>= 0.1.7)
     xpath (0.1.4)
       nokogiri (~> 1.3)
 
@@ -104,10 +108,12 @@ DEPENDENCIES
   guard (~> 1.4.0)
   guard-rspec (= 2.0.0)
   net-ldap (~> 0.1.1)
+  nokogiri (~> 1.3)
   rack-test
   rake (= 0.8.7)
   rb-fsevent (~> 0.9.2)
   rspec
   rspec-core
   rubycas-server!
   sqlite3 (~> 1.3.1)
+  webmock (~> 1.8)
diff --git a/gemfiles/rails31.gemfile.lock b/gemfiles/rails31.gemfile.lock
@@ -40,6 +40,7 @@ GEM
       xpath (~> 0.1.4)
     childprocess (0.3.5)
       ffi (~> 1.0, >= 1.0.6)
+    crack (0.3.1)
     crypt-isaac (0.9.1)
     diff-lcs (1.1.3)
     ffi (1.1.5)
@@ -90,6 +91,9 @@ GEM
     thor (0.16.0)
     tilt (1.3.3)
     tzinfo (0.3.33)
+    webmock (1.9.0)
+      addressable (>= 2.2.7)
+      crack (>= 0.1.7)
     xpath (0.1.4)
       nokogiri (~> 1.3)
 
@@ -105,10 +109,12 @@ DEPENDENCIES
   guard (~> 1.4.0)
   guard-rspec (= 2.0.0)
   net-ldap (~> 0.1.1)
+  nokogiri (~> 1.3)
   rack-test
   rake (= 0.8.7)
   rb-fsevent (~> 0.9.2)
   rspec
   rspec-core
   rubycas-server!
   sqlite3 (~> 1.3.1)
+  webmock (~> 1.8)
diff --git a/gemfiles/rails32.gemfile.lock b/gemfiles/rails32.gemfile.lock
@@ -40,6 +40,7 @@ GEM
       xpath (~> 0.1.4)
     childprocess (0.3.5)
       ffi (~> 1.0, >= 1.0.6)
+    crack (0.3.1)
     crypt-isaac (0.9.1)
     diff-lcs (1.1.3)
     ffi (1.1.5)
@@ -90,6 +91,9 @@ GEM
     thor (0.16.0)
     tilt (1.3.3)
     tzinfo (0.3.33)
+    webmock (1.9.0)
+      addressable (>= 2.2.7)
+      crack (>= 0.1.7)
     xpath (0.1.4)
       nokogiri (~> 1.3)
 
@@ -105,10 +109,12 @@ DEPENDENCIES
   guard (~> 1.4.0)
   guard-rspec (= 2.0.0)
   net-ldap (~> 0.1.1)
+  nokogiri (~> 1.3)
   rack-test
   rake (= 0.8.7)
   rb-fsevent (~> 0.9.2)
   rspec
   rspec-core
   rubycas-server!
   sqlite3 (~> 1.3.1)
+  webmock (~> 1.8)
diff --git a/lib/casserver/authenticators/base.rb b/lib/casserver/authenticators/base.rb
@@ -1,5 +1,4 @@
 require 'active_support'
-require 'active_support/hash_with_indifferent_access'
 require 'active_support/core_ext'
 
 module CASServer

diff --git a/lib/casserver/server.rb b/lib/casserver/server.rb
@@ -600,58 +600,68 @@ def self.init_database!
 		# 2.4
 
 		# 2.4.1
-		get "#{uri_path}/validate" do
-			CASServer::Utils::log_controller_action(self.class, params)
+    get "#{uri_path}/validate" do
+      CASServer::Utils::log_controller_action(self.class, params)
 
-			# required
-			@service = clean_service_url(params['service'])
-			@ticket = params['ticket']
-			# optional
-			@renew = params['renew']
+      if ip_allowed?(request.ip)
+        # required
+        @service = clean_service_url(params['service'])
+        @ticket = params['ticket']
+        # optional
+        @renew = params['renew']
 
-			st, @error = validate_service_ticket(@service, @ticket)
-			@success = st && !@error
+        st, @error = validate_service_ticket(@service, @ticket)
+        @success = st && !@error
 
-			@username = st.username if @success
+        @username = st.username if @success
+      else
+        @success = false
+        @error = Error.new(:INVALID_REQUEST, 'The IP address of this service has not been allowed')
+      end
 
       status response_status_from_error(@error) if @error
 
-			render @template_engine, :validate, :layout => false
-		end
+      render @template_engine, :validate, :layout => false
+    end
 
 
     # 2.5
 
     # 2.5.1
     get "#{uri_path}/serviceValidate" do
-			CASServer::Utils::log_controller_action(self.class, params)
+      CASServer::Utils::log_controller_action(self.class, params)
 
       # force xml content type
       content_type 'text/xml', :charset => 'utf-8'
 
-			# required
-			@service = clean_service_url(params['service'])
-			@ticket = params['ticket']
-			# optional
-			@pgt_url = params['pgtUrl']
-			@renew = params['renew']
-
-			st, @error = validate_service_ticket(@service, @ticket)
-			@success = st && !@error
-
-			if @success
-        @username = st.username
-        if @pgt_url
-          pgt = generate_proxy_granting_ticket(@pgt_url, st)
-          @pgtiou = pgt.iou if pgt
+      if ip_allowed?(request.ip)
+        # required
+        @service = clean_service_url(params['service'])
+        @ticket = params['ticket']
+        # optional
+        @pgt_url = params['pgtUrl']
+        @renew = params['renew']
+
+        st, @error = validate_service_ticket(@service, @ticket)
+        @success = st && !@error
+
+        if @success
+          @username = st.username
+          if @pgt_url
+            pgt = generate_proxy_granting_ticket(@pgt_url, st)
+            @pgtiou = pgt.iou if pgt
+          end
+          @extra_attributes = st.granted_by_tgt.extra_attributes || {}
         end
-        @extra_attributes = st.granted_by_tgt.extra_attributes || {}
+      else
+        @success = false
+        @error = Error.new(:INVALID_REQUEST, 'The IP address of this service has not been allowed')
       end
 
       status response_status_from_error(@error) if @error
 
-			render :builder, :proxy_validate
-		end
+      render :builder, :proxy_validate
+    end
 
 
     # 2.6
@@ -663,32 +673,38 @@ def self.init_database!
       # force xml content type
       content_type 'text/xml', :charset => 'utf-8'
 
-      # required
-      @service = clean_service_url(params['service'])
-      @ticket = params['ticket']
-      # optional
-      @pgt_url = params['pgtUrl']
-      @renew = params['renew']
+      if ip_allowed?(request.ip)
 
-      @proxies = []
+        # required
+        @service = clean_service_url(params['service'])
+        @ticket = params['ticket']
+        # optional
+        @pgt_url = params['pgtUrl']
+        @renew = params['renew']
 
-      t, @error = validate_proxy_ticket(@service, @ticket)
-      @success = t && !@error
+        @proxies = []
 
-      @extra_attributes = {}
-      if @success
-        @username = t.username
+        t, @error = validate_proxy_ticket(@service, @ticket)
+        @success = t && !@error
 
-        if t.kind_of? CASServer::Model::ProxyTicket
-          @proxies << t.granted_by_pgt.service_ticket.service
-        end
+        @extra_attributes = {}
+        if @success
+          @username = t.username
 
-        if @pgt_url
-          pgt = generate_proxy_granting_ticket(@pgt_url, t)
-          @pgtiou = pgt.iou if pgt
-        end
+          if t.kind_of? CASServer::Model::ProxyTicket
+            @proxies << t.granted_by_pgt.service_ticket.service
+          end
 
-        @extra_attributes = t.granted_by_tgt.extra_attributes || {}
+          if @pgt_url
+            pgt = generate_proxy_granting_ticket(@pgt_url, t)
+            @pgtiou = pgt.iou if pgt
+          end
+
+          @extra_attributes = t.granted_by_tgt.extra_attributes || {}
+        end
+      else
+        @success = false
+        @error = Error.new(:INVALID_REQUEST, 'The IP address of this service has not been allowed')
       end
 
       status response_status_from_error(@error) if @error
@@ -751,6 +767,14 @@ def compile_template(engine, data, options, views)
       super engine, data, options, views
     end
 
+    def ip_allowed?(ip)
+      require 'ipaddr'
+
+      allowed_ips = Array(settings.config[:allowed_service_ips])
+
+      allowed_ips.empty? || allowed_ips.any? { |i| IPAddr.new(i) === ip }
+    end
+
     helpers do
       def authenticated?
         @authenticated
@@ -761,4 +785,4 @@ def authenticated_username
       end
     end
   end
-end
+end