add external authenticator

Author: ZPVIP

.gitignore

@@ -16,7 +16,7 @@
 .rails_generators~
 
 /coverage
-
+.idea
 /pkg
 
 # http://yehudakatz.com/2010/12/16/clarifying-the-roles-of-the-gemspec-and-gemfile/

app/assets/stylesheets/casino.scss

@@ -270,6 +270,18 @@ table {
   }
 }
 
+/// LOGIN EXTERNAL INLINE LIST ///
+#external_list
+{
+  margin: 0;
+  padding: 0;
+  margin-right: 10px;
+  list-style-type: none;
+  text-align: left;
+
+  li { display: inline-block; }
+}
+
 /// SESSIONS ///
 .sessions, .logout {
   width: 800px;

app/authenticators/casino/static_external_authenticator.rb

@@ -0,0 +1,28 @@
+require 'casino/external_authenticator'
+
+# The external static authenticator is just a simple example.
+# Never use this authenticator in a production environment!
+class CASino::StaticExternalAuthenticator < CASino::Authenticator
+
+  # @param [Hash] options
+  def initialize(options)
+    @users = options[:users] || {}
+  end
+
+  def validate(params, cookies)
+    token = :"#{cookies[:token]}"
+    if @users.include?(token)
+      {
+        username: @users[token][:username],
+        extra_attributes: @users[token].except(:token)
+      }
+    else
+      false
+    end
+  end
+
+  def view
+    return nil
+  end
+
+end

app/controllers/casino/sessions_controller.rb

@@ -3,7 +3,6 @@ class CASino::SessionsController < CASino::ApplicationController
   include CASino::AuthenticationProcessor
   include CASino::TwoFactorAuthenticatorProcessor
 
-  before_action :validate_login_ticket, only: [:create]
   before_action :ensure_service_allowed, only: [:new, :create]
   before_action :load_ticket_granting_ticket_from_parameter, only: [:validate_otp]
   before_action :ensure_signed_in, only: [:index, :destroy]
@@ -15,18 +14,21 @@ def index
   end
 
   def new
+    @external_authenticators = authenticators(:external_authenticators)
+    @login_ticket = CASino::LoginTicket.create.ticket
     tgt = current_ticket_granting_ticket
     return handle_signed_in(tgt) unless params[:renew] || tgt.nil?
     redirect_to(params[:service]) if params[:gateway] && params[:service].present?
   end
 
   def create
-    validation_result = validate_login_credentials(params[:username], params[:password])
-    if !validation_result
-      log_failed_login params[:username]
-      show_login_error I18n.t('login_credential_acceptor.invalid_login_credentials')
+    if CASino::LoginTicket.consume(params[:lt])
+      logger.debug "params[:lt]: #{params[:lt]} successfully validated"
+      authenticate_user
     else
-      sign_in(validation_result, long_term: params[:rememberMe], credentials_supplied: true)
+      external_authenticators = authenticators(:external_authenticators)
+      log_failed_login params[:username]
+      show_login_error(I18n.t('login_credential_acceptor.invalid_login_credentials'), external_authenticators)
     end
   end
 
@@ -62,17 +64,31 @@ def validate_otp
 
   private
 
-  def show_login_error(message)
-    flash.now[:error] = message
-    render :new, status: :forbidden
+  def validate_credentials
+    if params[:external]
+      validate_external_credentials(params, cookies)
+    else
+      validate_login_credentials(params[:username], params[:password])
+    end
   end
 
-  def validate_login_ticket
-    unless CASino::LoginTicket.consume(params[:lt])
-      show_login_error I18n.t('login_credential_acceptor.invalid_login_ticket')
+  def authenticate_user
+    validation_result = validate_credentials
+    if !validation_result.nil?
+      sign_in(validation_result, long_term: params[:rememberMe], credentials_supplied: true)
+    else
+      external_authenticators = authenticators(:external_authenticators)
+      log_failed_login params[:username]
+      show_login_error(I18n.t('login_credential_acceptor.invalid_login_credentials'), external_authenticators)
     end
   end
 
+  def show_login_error(message, external_authenticators)
+    flash.now[:error] = message
+    @external_authenticators = external_authenticators
+    render :new, status: :forbidden
+  end
+
   def ensure_service_allowed
     if params[:service].present? && !service_allowed?(params[:service])
       render 'service_not_allowed', status: :forbidden

app/processors/casino/authentication_processor.rb

@@ -4,13 +4,28 @@ module CASino::AuthenticationProcessor
   extend ActiveSupport::Concern
 
   def validate_login_credentials(username, password)
+    validate :authenticators do |authenticator_name, authenticator|
+      authenticator.validate(username, password)
+    end
+  end
+
+  def validate_external_credentials(params, cookies)
+    validate :external_authenticators do |authenticator_name, authenticator|
+      if authenticator_name == params[:external]
+        authenticator.validate(params, cookies)
+      end
+    end
+  end
+
+  def validate(type, &validator)
     authentication_result = nil
-    authenticators.each do |authenticator_name, authenticator|
+    authenticators(type).each do |authenticator_name, authenticator|
       begin
-        data = authenticator.validate(username, password)
+        data = validator.call(authenticator_name, authenticator)
       rescue CASino::Authenticator::AuthenticatorError => e
         Rails.logger.error "Authenticator '#{authenticator_name}' (#{authenticator.class}) raised an error: #{e}"
       end
+
       if data
         authentication_result = { authenticator: authenticator_name, user_data: data }
         Rails.logger.info("Credentials for username '#{data[:username]}' successfully validated using authenticator '#{authenticator_name}' (#{authenticator.class})")
@@ -21,15 +36,17 @@ def validate_login_credentials(username, password)
   end
 
   def load_user_data(authenticator_name, username)
-    authenticator = authenticators[authenticator_name]
+    authenticator = authenticators(:authenticators)[authenticator_name]
     return nil if authenticator.nil?
     return nil unless authenticator.respond_to?(:load_user_data)
     authenticator.load_user_data(username)
   end
 
-  def authenticators
-    @authenticators ||= {}.tap do |authenticators|
-      CASino.config[:authenticators].each do |name, auth|
+  def authenticators(type)
+    authenticators ||= {}
+    return authenticators[type] if authenticators.has_key?(type)
+    authenticators[type] = begin
+      CASino.config[type].each do |name, auth|
         next unless auth.is_a?(Hash)
 
         authenticator = if auth[:class]
@@ -38,7 +55,7 @@ def authenticators
                           load_authenticator(auth[:authenticator])
                         end
 
-        authenticators[name] = authenticator.new(auth[:options])
+        CASino.config[type][name] = authenticator.new(auth[:options])
       end
     end
   end

app/views/casino/sessions/_external.html.erb

@@ -0,0 +1,17 @@
+<% unless @external_authenticators.nil? %>
+  <% if @external_authenticators.any? %>
+    <ul id="external_list">
+    <% @external_authenticators.each do |authenticator_name, authenticator| %>
+      <% unless authenticator.view.nil? %>
+        <li>
+          <%= form_tag(login_path, method: :post) do %>
+            <%= hidden_field_tag :lt, @login_ticket %>
+            <%= hidden_field_tag :external, authenticator_name %>
+            <%= render authenticator.view, :authenticator => authenticator %>
+          <% end %>
+        </li>
+      <% end %>
+    <% end %>
+    </ul>
+  <% end%>
+<% end%>

app/views/casino/sessions/new.html.erb

@@ -13,7 +13,7 @@
 
     <div class="form">
       <%= form_tag(login_path, method: :post, id: 'login-form') do %>
-        <%= hidden_field_tag :lt, CASino::LoginTicket.create.ticket %>
+        <%= hidden_field_tag :lt, @login_ticket %>
         <%= hidden_field_tag :service, params[:service] unless params[:service].nil? %>
         <%= label_tag :username, t('login.label_username') %>
         <%= text_field_tag :username, params[:username], autofocus:true %>
@@ -24,6 +24,7 @@
         <% end %>
         <%= button_tag t('login.label_button'), :class => 'button' %>
       <% end %>
+      <%= render 'external' %>
     </div>
   </div>
   <%= render 'footer' %>

lib/casino.rb

@@ -6,6 +6,7 @@ module CASino
 
   defaults = {
     authenticators: HashWithIndifferentAccess.new,
+    external_authenticators: HashWithIndifferentAccess.new,
     require_service_rules: false,
     logger: Rails.logger,
     frontend: HashWithIndifferentAccess.new(

lib/casino/external_authenticator.rb

@@ -0,0 +1,14 @@
+module CASino
+  class ExternalAuthenticator
+    class ExternalAuthenticatorError < StandardError; end
+
+    def validate(params, cookies)
+      raise NotImplementedError, "This method must be implemented by a class extending #{self.class}"
+    end
+
+    def view
+      raise NotImplementedError, "This method must be implemented by a class extending #{self.class}"
+    end
+
+  end
+end

spec/authenticator/base_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 
 require 'casino/authenticator'
+require 'casino/external_authenticator'
 
 describe CASino::Authenticator do
   subject {
@@ -13,3 +14,21 @@
     end
   end
 end
+
+describe CASino::ExternalAuthenticator do
+  subject {
+    CASino::ExternalAuthenticator.new
+  }
+
+  context '#validate' do
+    it 'raises an error' do
+      expect { subject.validate(nil, nil) }.to raise_error(NotImplementedError)
+    end
+  end
+
+  context '#view' do
+    it 'raises an error' do
+      expect { subject.view }.to raise_error(NotImplementedError)
+    end
+  end
+end