From eeb853dd29e3c3d0104fb9bae4749f113d3dc0bb Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Sun, 2 Mar 2014 16:53:20 +0100 Subject: [PATCH 1/3] ServiceTicket changed to SPTicket ServiceTicket.find_by_ticket returns null if the ticket is a ProxyTicket, due to ActiveRecord class name filtering. Changed to SPTicket. --- lib/casserver/cas.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/casserver/cas.rb b/lib/casserver/cas.rb index d652d217..7c269683 100644 --- a/lib/casserver/cas.rb +++ b/lib/casserver/cas.rb @@ -170,7 +170,7 @@ def validate_service_ticket(service, ticket, allow_proxy_tickets = false) if service.nil? or ticket.nil? error = Error.new(:INVALID_REQUEST, "Ticket or service parameter was missing in the request.") $LOG.warn "#{error.code} - #{error.message}" - elsif st = ServiceTicket.find_by_ticket(ticket) + elsif st = SPTicket.find_by_ticket(ticket) if st.consumed? error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' has already been used up.") $LOG.warn "#{error.code} - #{error.message}" From 10fc31b3692e094a7ba62d9f3fcfcc7823c5ebd9 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Sun, 2 Mar 2014 16:55:21 +0100 Subject: [PATCH 2/3] granted_by_tgt moved to SPTicket ProxyTicket uses granted_by_tgt as well, moved to parent class SPTicket. --- lib/casserver/model.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/casserver/model.rb b/lib/casserver/model.rb index 28fcfb11..d7a22b22 100644 --- a/lib/casserver/model.rb +++ b/lib/casserver/model.rb @@ -18,6 +18,10 @@ class LoginTicket < ActiveRecord::Base class SPTicket < ActiveRecord::Base include Consumable include Ticket + + belongs_to :granted_by_tgt, + :class_name => 'CASServer::Model::TicketGrantingTicket', + :foreign_key => :granted_by_tgt_id if ActiveRecord::VERSION::STRING >= '3.2' self.table_name = 'casserver_st' 
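Review bot: With the lookup widened to `SPTicket.find_by_ticket(ticket)`, proxy tickets now reach the checks in `validate_service_ticket`, so honouring `allow_proxy_tickets = false` depends entirely on a later branch that lies outside this hunk. Before the change, the `ServiceTicket` class-name filtering kept proxy tickets out as a side effect. Confirm that the later branch rejects a `ProxyTicket` record when `allow_proxy_tickets` is false, and add a spec that presents a proxy ticket to plain service validation and expects a validation error. A comment on the changed line would also guard against a well-meaning revert, e.g. `# SPTicket, not ServiceTicket: the ServiceTicket scope filters out ProxyTicket rows; they must still be rejected when allow_proxy_tickets is false`.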
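Review bot: The `belongs_to :granted_by_tgt` added to `SPTicket` carries no comment explaining why it sits on the base class, and nothing visible here shows that `granted_by_tgt_id` is actually populated on proxy-ticket rows. A one-line comment such as `# Shared by ServiceTicket and ProxyTicket; nil when the row has no granted_by_tgt_id` would document that. Callers that reach `granted_by_tgt` through a proxy ticket should be checked for nil handling, since a nil there on a logout or validation path would surface as an exception rather than a clean denial. The `SPTicket` class body continues past the end of the hunk.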
@@ -32,9 +36,6 @@ def matches_service?(service) end class ServiceTicket < SPTicket - belongs_to :granted_by_tgt, - :class_name => 'CASServer::Model::TicketGrantingTicket', - :foreign_key => :granted_by_tgt_id has_one :proxy_granting_ticket, :foreign_key => :created_by_st_id end From fad148340bbcd78cc01db41238f42b4646ddc6a7 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Sat, 13 Jun 2015 16:20:38 +0200 Subject: [PATCH 3/3] Update server.rb Pgt was being destroyed by username at logout causing non-valid pgts if the user was connected on other devices. --- lib/casserver/server.rb | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/lib/casserver/server.rb b/lib/casserver/server.rb index 77f7633a..2c1e5c55 100644 --- a/lib/casserver/server.rb +++ b/lib/casserver/server.rb @@ -529,18 +529,17 @@ def self.init_database! send_logout_notification_for_service_ticket(st) if config[:enable_single_sign_out] # TODO: Maybe we should do some special handling if send_logout_notification_for_service_ticket fails? # (the above method returns false if the POST results in a non-200 HTTP response). + pgts = CASServer::Model::ProxyGrantingTicket.find_all_by_service_ticket_id(st.id) + + pgts.each do |pgt| + $LOG.debug("Deleting Proxy-Granting Ticket '#{pgt}' for user '#{pgt.service_ticket.username}'") + pgt.destroy + end + $LOG.debug "Deleting #{st.class.name.demodulize} #{st.ticket.inspect} for service #{st.service}." st.destroy end - pgts = CASServer::Model::ProxyGrantingTicket.find(:all, - :conditions => [CASServer::Model::ServiceTicket.quoted_table_name+".username = ?", tgt.username], - :include => :service_ticket) - pgts.each do |pgt| - $LOG.debug("Deleting Proxy-Granting Ticket '#{pgt}' for user '#{pgt.service_ticket.username}'") - pgt.destroy - end - $LOG.debug("Deleting #{tgt.class.name.demodulize} '#{tgt}' for user '#{tgt.username}'") tgt.destroy end
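Review bot: The new lookup `find_all_by_service_ticket_id(st.id)` assumes proxy-granting tickets link to their service ticket through a `service_ticket_id` column, while `ServiceTicket` in lib/casserver/model.rb declares `has_one :proxy_granting_ticket, :foreign_key => :created_by_st_id`. The two disagree, and that should be settled before logout relies on this. If the finder cannot resolve the column it would raise inside the loop, and the `st.destroy` and `tgt.destroy` that follow would presumably not run, leaving the session's tickets valid after logout. Scoping deletion to the iterated service tickets also means a proxy-granting ticket whose service ticket the enclosing loop (which starts outside the hunk) never reaches will survive logout. A spec asserting that no proxy-granting ticket tied to this ticket-granting ticket remains afterwards is worth adding. The debug line can use `st.username` instead of `pgt.service_ticket.username`, which likely costs an extra query per ticket now that the `:include` is gone.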