Gollum via Rack and CAS SSO
For the CAS server you can use the Jasig CAS server or RubyCAS-server.
For production I recommend the Jasig CAS server; for testing, RubyCAS-server is nice. Configure 'extra_attributes' on the server so that the CAS response carries the user's real name and email for the commits. This is not mandatory, but if you do not, every commit will be recorded with the gollum username/email instead of the person who edited the page.
```bash
mkdir /tmp/Rubycas-server
cd /tmp/Rubycas-server
# fetch gems over https only; a plaintext gem source can be tampered with in transit
cat >Gemfile << __EOF
source 'https://rubygems.org'
gem 'rubycas-server'
gem 'sqlite3'
__EOF
bundle install --path=`pwd`/.bundle
cat > minimal.yml << __EOF
server: webrick
port: 1443
uri_path: /cas
database:
  adapter: sqlite3
  database: /tmp/Rubycas-server/casserver.db
authenticator:
  class: CASServer::Authenticators::Test
theme: simple
organization: CAS
infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
default_locale: en
log:
  file: /tmp/Rubycas-server/cas.log
  level: INFO
__EOF
bundle exec rubycas-server -c minimal.yml
```
The Test authenticator accepts any username as long as the password is "testpassword"; any other password fails. It exists for testing only, so never leave it in a production config.
Now you can use https://127.0.0.1:1443/cas as the :sso parameter. Note that webrick only serves HTTPS when minimal.yml also sets ssl_cert (and ssl_key); with the file above it listens on plain HTTP, and the scheme in the :sso URL has to match what the server actually speaks. Outside a local test the CAS server must run over TLS: the login form carries the password, and the service ticket it issues is the proof of authentication that the rack-cas client validates.
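rack-cas fills session['cas'] from the CAS server's /serviceValidate reply, and whether 'extra_attributes' contains anything depends entirely on what the server releases. The following is an added example, not code from this page, from gollum, from rack-cas or from either CAS server: it parses three hand-constructed CAS 2.0 serviceValidate replies with Ruby's REXML, one from a server configured to release displayName, mail and memberOf, one from the Test authenticator setup above (no attributes), and one failed ticket. The user names, attribute values and the INVALID_TICKET reply are constructed sample data.

```ruby
require 'rexml/document'

CAS_NS = 'http://www.yale.edu/tp/cas'

# Parse a CAS 2.0/3.0 serviceValidate response. Returns
#   { success: true,  user: '...', extra_attributes: { ... } }
# or
#   { success: false, code: '...', message: '...' }
# The server decides which attributes are released; the client cannot ask
# for more than the server is configured to send.
def parse_service_validate(xml)
  doc  = REXML::Document.new(xml)
  root = doc.root
  raise ArgumentError, 'not a CAS serviceResponse' unless root && root.name == 'serviceResponse'

  success = REXML::XPath.first(root, 'cas:authenticationSuccess', 'cas' => CAS_NS)
  if success
    user = REXML::XPath.first(success, 'cas:user', 'cas' => CAS_NS)
    raise ArgumentError, 'authenticationSuccess without cas:user' unless user
    attrs = {}
    REXML::XPath.each(success, 'cas:attributes/*', 'cas' => CAS_NS) do |el|
      value = el.text.to_s.strip
      if attrs.key?(el.name)
        # a repeated attribute (e.g. memberOf) becomes an array of values
        attrs[el.name] = Array(attrs[el.name]) << value
      else
        attrs[el.name] = value
      end
    end
    return { success: true, user: user.text.to_s.strip, extra_attributes: attrs }
  end

  failure = REXML::XPath.first(root, 'cas:authenticationFailure', 'cas' => CAS_NS)
  raise ArgumentError, 'neither authenticationSuccess nor authenticationFailure' unless failure
  { success: false, code: failure.attributes['code'], message: failure.text.to_s.strip }
end

# Constructed sample replies (not captured from a real server).
WITH_ATTRS = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
      <cas:user>USER1</cas:user>
      <cas:attributes>
        <cas:displayName>User One</cas:displayName>
        <cas:mail>user1@example.org</cas:mail>
        <cas:memberOf>wiki-writers</cas:memberOf>
        <cas:memberOf>staff</cas:memberOf>
      </cas:attributes>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

# What the Test authenticator setup above yields: a user, nothing else.
NO_ATTRS = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
      <cas:user>foo</cas:user>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

FAILED = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
      Ticket not recognized
    </cas:authenticationFailure>
  </cas:serviceResponse>
XML

if __FILE__ == $0
  [WITH_ATTRS, NO_ATTRS, FAILED].each do |xml|
    puts parse_service_validate(xml).inspect
  end
end
```

rack-cas performs this validation for you; the point is to see what ends up in session['cas'] for each setup, and that with the NO_ATTRS shape the :name/:email expressions of the Active Directory config would raise because 'extra_attributes' is empty. Servers also differ in layout: RubyCAS-server historically emitted attributes as direct children of cas:authenticationSuccess with YAML-serialised values rather than inside cas:attributes, so look at your own server's reply before relying on a given key.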
You can also run gollum under any Rack-compatible server with CAS SSO in front of it. It works just like Gollum via Rack, except that you set up the CAS client (the rack-cas gem) in the config.ru file inside your wiki repository.
```ruby
#!/usr/bin/env ruby
require 'rubygems'
require 'yaml'
require 'rack/cas'
# you may set this line after you change the default git adapter if needed
require 'gollum/app'

# I use external config file settings
gollum_config_file = File.dirname(File.expand_path(__FILE__)) + '/config_gollum.yml'
$my_settings = Hash.new { |hash, key| hash[key] = '' }
if File.readable?(gollum_config_file) then
  # safe_load with Symbol permitted: the ':writers:' style keys load as Symbols,
  # and nothing else from the file can instantiate arbitrary classes
  # (YAML.load_file rejects those Symbol keys on Psych 4 / Ruby 3.1+ anyway)
  $my_settings = YAML.safe_load(File.read(gollum_config_file), permitted_classes: [Symbol])
end

Precious::App.set(:gollum_path, $my_settings[:wiki_path])
Precious::App.set(:wiki_options, $my_settings[:wiki_options])

# The session cookie is the only proof that a user has authenticated, so its
# signing secret must be long, random and private. Deriving it from a hash of
# the config file (as this page originally did) lets anyone who can read or
# guess that file forge a session and bypass CAS. Generate one with
#   ruby -rsecurerandom -e 'print SecureRandom.hex(64)'
# and export it as GOLLUM_SESSION_SECRET before starting the server.
use Rack::Session::Cookie,
  :key => 'rack.session', :path => '/',
  :secret => ENV.fetch('GOLLUM_SESSION_SECRET')

# rack-cas validates the service ticket against the CAS server and turns a
# 401 response from the app into a redirect to the CAS login page
use Rack::CAS, server_url: $my_settings[:sso]

module Precious
  class App < Sinatra::Base
    # only these write routes are protected; check gollum/app.rb for the
    # version you run, since delete, revert, rename and upload routes also write
    ['/create/*', '/edit/*'].each do |path|
      before path do
        unless session['cas'] && session['cas']['user']
          halt 401, 'Unauthorized'   # rack-cas sends the browser to CAS login
        end
        unless $my_settings[:writers] &&
               $my_settings[:writers].index(session['cas']['user'])
          halt 403, 'Forbidden write access for ' + session['cas']['user']
        end
        # :name and :email are Ruby expressions taken from the config file and
        # eval'd here, so that file must be writable by the administrator only
        session['gollum.author'] = {:name  => "#{eval $my_settings[:name]}",
                                    :email => "#{eval $my_settings[:email]}"}
      end
    end
  end
end

run Precious::App
```
You must also create the config file (config_gollum.yml, next to config.ru), like this one:
```yaml
## Username (session['cas']['user']) with write access
## All users have read access
:writers:
  - USER1
  - USER2
## path of the wiki git repo
:wiki_path: /tmp/gollum-wiki.git
## CAS single sign on server
:sso: https://caserver/cas
## CAS attributes for git commit (name and email)
:name: session['cas']['extra_attributes']['displayName'] # Active Directory attribute
:email: session['cas']['extra_attributes']['mail'] # Active Directory attribute
## Wiki options for gollum
:wiki_options:
  :mathjax: true
  :live_preview: true
  :universal_toc: false
  :repo_is_bare: true
```
Now everyone has read-only access to the wiki, while USER1 and USER2 can read and write.
With the RubyCAS-server test setup above the server releases no extra_attributes, so the commit author has to be forged from what we do know:
- name => the CAS user name
- email => user@test.com
```yaml
## Username (session['cas']['user']) with write access
## All users have read access
:writers:
  - foo
## path of the wiki git repo
:wiki_path: /tmp/gollum-wiki.git
## CAS single sign on server
:sso: https://127.0.0.1:1443/cas
## CAS attributes for git commit (name and email)
:name: session['cas']['user']
:email: session['cas']['user'] + '@test.com'
## Wiki options for gollum
:wiki_options:
  :mathjax: true
  :live_preview: true
  :universal_toc: false
  :repo_is_bare: true
```
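The before filter in config.ru is the whole authorization layer, so it pays to exercise it away from Sinatra. The following is an added example, not code from this page or from gollum: it reproduces the filter's decisions as a plain function over a session hash shaped like the one rack-cas stores, and replaces the eval'd :name/:email expressions with attribute names read from the config. The keys :author_name_attr, :author_email_attr and :author_email_domain and the 'localhost' fallback are my own additions, not part of the page's config_gollum.yml; the two configs and the sessions are constructed to match the Active Directory and RubyCAS-server setups above.

```ruby
require 'yaml'

# Config files in the shape of config_gollum.yml, loaded the same way (the
# ':writers:' keys become Symbols). :author_name_attr, :author_email_attr and
# :author_email_domain are assumed keys replacing the eval'd :name/:email lines.
# The first matches the Active Directory setup, the second the RubyCAS-server
# Test authenticator, which releases no attributes at all.
AD_CONFIG = YAML.safe_load(<<~YAML, permitted_classes: [Symbol])
  :writers:
    - USER1
    - USER2
  :author_name_attr: displayName
  :author_email_attr: mail
YAML

TEST_CONFIG = YAML.safe_load(<<~YAML, permitted_classes: [Symbol])
  :writers:
    - foo
  :author_email_domain: test.com
YAML

# Build the git author from session['cas'] without eval. Attribute names come
# from the config; when the server released no such attribute (or an empty one)
# fall back to the CAS user name and the configured domain, as the RubyCAS-server
# config above does by hand. 'localhost' is an assumed default domain.
def commit_author(cas, settings)
  attrs  = cas['extra_attributes'] || {}
  domain = settings[:author_email_domain] || 'localhost'
  name   = settings[:author_name_attr]  && attrs[settings[:author_name_attr]]
  email  = settings[:author_email_attr] && attrs[settings[:author_email_attr]]
  name   = cas['user'] if name.nil? || name.to_s.strip.empty?
  email  = "#{cas['user']}@#{domain}" if email.nil? || email.to_s.strip.empty?
  { :name => name.to_s, :email => email.to_s }
end

# Same decisions as the before filter: 401 when there is no CAS session
# (rack-cas turns that into a redirect to the CAS login page), 403 when the
# user is not listed in :writers, otherwise set session['gollum.author'] and
# let the request through. Returns [status, body] when denied and
# [nil, author] when allowed. The :writers comparison is exact and
# case-sensitive, as on the page; mixed-case names from CAS will not match.
def authorize_write(session, settings)
  cas = session['cas']
  return [401, 'Unauthorized'] unless cas && cas['user']
  writers = settings[:writers] || []
  return [403, "Forbidden write access for #{cas['user']}"] unless writers.include?(cas['user'])
  session['gollum.author'] = commit_author(cas, settings)
  [nil, session['gollum.author']]
end

# Constructed sessions in the shape rack-cas stores them (not captured data).
def sample_sessions
  {
    'anonymous'      => {},
    'ad writer'      => { 'cas' => { 'user' => 'USER1',
                                     'extra_attributes' => { 'displayName' => 'User One',
                                                             'mail' => 'user1@example.org' } } },
    'ad reader only' => { 'cas' => { 'user' => 'USER3',
                                     'extra_attributes' => { 'displayName' => 'User Three' } } },
    'ad, no attrs'   => { 'cas' => { 'user' => 'USER2', 'extra_attributes' => {} } },
    'rubycas writer' => { 'cas' => { 'user' => 'foo', 'extra_attributes' => {} } },
  }
end

if __FILE__ == $0
  sample_sessions.each do |label, session|
    settings = label.start_with?('rubycas') ? TEST_CONFIG : AD_CONFIG
    status, body = authorize_write(session, settings)
    puts "#{label.ljust(15)} -> #{status || 'allowed'} #{body.inspect}"
  end
end
```

The 'ad, no attrs' case is the one the page's eval'd config does not survive: session['cas']['extra_attributes']['displayName'] raises on an empty hash, whereas the lookup above degrades to the CAS user name, so a writer whose attributes were not released can still commit and the commit is still attributable.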