rubycas · bradseefeld · Apr 30, 2012 · Jul 3, 2012 · Jul 5, 2012 · Jul 5, 2012
diff --git a/.gitignore b/.gitignore
@@ -18,3 +18,4 @@ resources/dev
 .bundle
 .vagrant
 Vagrantfile
+*.gem
diff --git a/lib/casserver/cas.rb b/lib/casserver/cas.rb
@@ -72,10 +72,17 @@ def generate_proxy_ticket(target_service, pgt)
     pt
   end
 
-  def generate_proxy_granting_ticket(pgt_url, st)
+  def generate_proxy_granting_ticket(pgt_url, st, validate_ssl = true, limit = 10)
+    $LOG.debug "Attempting to generate a proxy granting ticket for #{st}"
+    if limit <= 0
+      $LOG.warn "Generate proxy granting ticket limit has reached 0 and it will no longer be tried. This usually happens when there is an infinite redirect loop."
+      return  nil
+    end
+
     uri = URI.parse(pgt_url)
     https = Net::HTTP.new(uri.host,uri.port)
-    https.use_ssl = true
+    https.use_ssl = uri.scheme == "https"
+    https.verify_mode = OpenSSL::SSL::VERIFY_NONE unless validate_ssl
 
     # Here's what's going on here:
     #
@@ -99,11 +106,16 @@ def generate_proxy_granting_ticket(pgt_url, st)
       #         in-practice standard.
       path += (uri.query.nil? || uri.query.empty? ? '?' : '&') + "pgtId=#{pgt.ticket}&pgtIou=#{pgt.iou}"
 
+      $LOG.debug "Making PGT callback to #{path}"
       response = conn.request_get(path)
       # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
       # NOTE: The following response codes are valid according to the JA-SIG implementation even without following redirects
 
-      if %w(200 202 301 302 304).include?(response.code)
+      if %w(301 302).include?(response.code) && response["Location"]
+        location = response["Location"].gsub("pgtId=#{pgt.ticket}&pgtIou=#{pgt.iou}", "").gsub(/\?$/, "")
+        $LOG.debug "PGT callback wants to redirect to #{location}. Following..."
+        generate_proxy_granting_ticket(location, st, validate_ssl, limit - 1)
+      elsif %w(200 202 304).include?(response.code)
         # 3.4 (proxy-granting ticket IOU)
         pgt.save!
         $LOG.debug "PGT generated for pgt_url '#{pgt_url}': #{pgt.inspect}"

diff --git a/lib/casserver/server.rb b/lib/casserver/server.rb
@@ -133,6 +133,7 @@ def self.load_config_file(config_file)
       end
 
       config.merge! HashWithIndifferentAccess.new(YAML.load(config_file))
+      config[:validate_ssl] = true if config[:validate_ssl].nil?
       set :server, config[:server] || 'webrick'
     end
 
@@ -648,7 +649,7 @@ def self.init_database!
         if @success
           @username = st.username
           if @pgt_url
-            pgt = generate_proxy_granting_ticket(@pgt_url, st)
+            pgt = generate_proxy_granting_ticket(@pgt_url, st, config[:validate_ssl])
             @pgtiou = pgt.iou if pgt
           end
           @extra_attributes = st.granted_by_tgt.extra_attributes || {}
@@ -696,7 +697,7 @@ def self.init_database!
           end
 
           if @pgt_url
-            pgt = generate_proxy_granting_ticket(@pgt_url, t)
+            pgt = generate_proxy_granting_ticket(@pgt_url, t, config[:validate_ssl])
             @pgtiou = pgt.iou if pgt
           end
 
@@ -785,4 +786,4 @@ def authenticated_username
       end
     end
   end
-end
+end
diff --git a/locales/de.yml b/locales/de.yml
@@ -24,4 +24,3 @@ label:
 
 button:
   login: "ANMELDEN"
-
diff --git a/locales/zh_tw.yml b/locales/zh_tw.yml
@@ -23,4 +23,4 @@ label:
   central_login_title: "整合登入"
 
 button:
-  login: "登入"
+  login: "登入"
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,3 +18,4 @@ resources/dev @@
     .bundle
     .vagrant
     Vagrantfile
+    *.gem