descope 1.0.6 → 1.0.7

data/spec/lib.descope/api/v1/management/sso_application_spec.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Descope::Api::V1::Management::SSOApplication do
+  before(:all) do
+    dummy_instance = DummyClass.new
+    dummy_instance.extend(Descope::Api::V1::Management::SSOApplication)
+    @instance = dummy_instance
+  end
+
+  context('.create_sso_oidc_application') do
+    it 'should respond to .create_saml_application' do
+      expect(@instance).to respond_to :create_saml_application
+    end
+
+    it 'is expected to create SAML application' do
+      expect(@instance).to receive(:post).with(
+        SSO_APPLICATION_OIDC_CREATE_PATH, {
+          id: 'tenant1',
+          name: 'test',
+          description: 'awesome tenant',
+          enabled: true,
+          logo: 'https://logo.com',
+          loginPageUrl: 'https://dummy.com/login'
+        }
+      )
+      expect do
+        @instance.create_sso_oidc_app(
+          id: 'tenant1',
+          name: 'test',
+          description: 'awesome tenant',
+          enabled: true,
+          logo: 'https://logo.com',
+          login_page_url: 'https://dummy.com/login'
+        )
+      end.not_to raise_error
+    end
+  end
+
+  context('.create_saml_application') do
+    it 'should respond to .create_saml_application' do
+      expect(@instance).to respond_to :create_saml_application
+    end
+
+    it 'is expected to create SAML application' do
+      expect(@instance).to receive(:post).with(
+        SSO_APPLICATION_SAML_CREATE_PATH, {
+          name: 'test',
+          description: 'awesome tenant',
+          id: 'tenant1',
+          loginPageUrl: 'https://dummy.com/login',
+          logo: 'https://logo.com',
+          enabled: true,
+          useMetadataInfo: true,
+          metadataUrl: 'https://dummy.com/metadata',
+          entityId: 'ent1234',
+          acsUrl: 'https://dummy.com/acs',
+          certificate: 'something',
+          attributeMapping: [
+            {
+              'abc': '123'
+            }
+          ],
+          groupsMapping: [
+            {
+              'abc': '123'
+            }
+          ],
+          acsAllowedCallbacks: true,
+          subjectNameIdType: 'test',
+          subjectNameIdFormat: 'test',
+          defaultRelayState: 'test',
+          forceAuthentication: true,
+          logoutRedirectUrl: 'https://dummy.com/logout'
+        }
+      )
+      expect do
+        @instance.create_saml_application(
+          name: 'test',
+          login_page_url: 'https://dummy.com/login',
+          id: 'tenant1',
+          description: 'awesome tenant',
+          logo: 'https://logo.com',
+          enabled: true,
+          use_metadata_info: true,
+          metadata_url: 'https://dummy.com/metadata',
+          entity_id: 'ent1234',
+          acs_url: 'https://dummy.com/acs',
+          certificate: 'something',
+          attribute_mapping: [
+            {
+              'abc': '123'
+            }
+          ],
+          groups_mapping: [
+            {
+              'abc': '123'
+            }
+          ],
+          acs_allowed_callbacks: true,
+          subject_name_id_type: 'test',
+          subject_name_id_format: 'test',
+          default_relay_state: 'test',
+          force_authentication: true,
+          logout_redirect_url: 'https://dummy.com/logout'
+        )
+      end.not_to raise_error
+    end
+
+    it 'is expected to raise error if metadata_url is empty' do
+      expect do
+        @instance.create_saml_application(
+          name: 'test',
+          login_page_url: 'https://dummy.com/login',
+          id: 'tenant1',
+          description: 'awesome tenant',
+          logo: 'https://logo.com',
+          enabled: true,
+          use_metadata_info: true,
+          entity_id: 'ent1234',
+          acs_url: 'https://dummy.com/acs',
+          certificate: 'something',
+          attribute_mapping: [
+            {
+              'abc': '123'
+            }
+          ],
+          groups_mapping: [
+            {
+              'abc': '123'
+            }
+          ],
+          acs_allowed_callbacks: true,
+          subject_name_id_type: 'test',
+          subject_name_id_format: 'test',
+          default_relay_state: 'test',
+          force_authentication: true,
+          logout_redirect_url: 'https://dummy.com/logout'
+        )
+      end.to raise_error(Descope::ArgumentException, 'metadata_url argument must be set')
+    end
+  end
+
+  it 'is expected to raise error if entity_id acs_url and certificate arguments are missing' do
+    expect do
+      @instance.create_saml_application(
+        name: 'test',
+        login_page_url: 'https://dummy.com/login',
+        id: 'tenant1',
+        description: 'awesome tenant',
+        logo: 'https://logo.com',
+        enabled: true,
+        attribute_mapping: [
+          {
+            'abc': '123'
+          }
+        ],
+        groups_mapping: [
+          {
+            'abc': '123'
+          }
+        ],
+        acs_allowed_callbacks: true,
+        subject_name_id_type: 'test',
+        subject_name_id_format: 'test',
+        default_relay_state: 'test',
+        force_authentication: true,
+        logout_redirect_url: 'https://dummy.com/logout'
+      )
+    end.to raise_error(Descope::ArgumentException, 'entity_id, acs_url, certificate arguments must be set')
+  end
+
+  it 'is expected to update sso oidc application' do
+    expect(@instance).to receive(:post).with(
+      SSO_APPLICATION_OIDC_UPDATE_PATH, {
+        id: 'tenant1',
+        name: 'test',
+        description: 'awesome tenant',
+        enabled: true,
+        logo: 'https://logo.com',
+        loginPageUrl: 'https://dummy.com/login'
+      }
+    )
+    expect do
+      @instance.update_sso_oidc_app(
+        id: 'tenant1',
+        name: 'test',
+        description: 'awesome tenant',
+        enabled: true,
+        logo: 'https://logo.com',
+        login_page_url: 'https://dummy.com/login'
+      )
+    end.not_to raise_error
+  end
+
+  it 'is expected to delete sso app' do
+    expect(@instance).to receive(:delete).with(
+      SSO_APPLICATION_DELETE_PATH, { id: 'tenant1' }
+    )
+    expect { @instance.delete_sso_app('tenant1') }.not_to raise_error
+  end
+
+  it 'is expected to load sso app' do
+    expect(@instance).to receive(:get).with(
+      SSO_APPLICATION_LOAD_PATH, { id: 'tenant1' }
+    )
+    expect { @instance.load_sso_app('tenant1') }.not_to raise_error
+  end
+
+  it 'is expected to load all sso apps' do
+    expect(@instance).to receive(:get).with(
+      SSO_APPLICATION_LOAD_ALL_PATH, {}
+    )
+    expect { @instance.load_all_sso_apps }.not_to raise_error
+  end
+end

data/spec/lib.descope/api/v1/management/sso_settings_spec.rb

@@ -87,7 +87,7 @@ describe Descope::Api::V1::Management::SSOSettings do
 
     it 'is expected to configure SSO settings' do
       expect(@instance).to receive(:post).with(
-        SSO_SAML_PATH, {
+        SSO_SETTINGS_PATH, {
           tenantId: '123',
           settings: {
             name: 'test',
@@ -132,7 +132,7 @@ describe Descope::Api::V1::Management::SSOSettings do
 
     it 'is expected to configure SAML metadata' do
       expect(@instance).to receive(:post).with(
-        SSO_SAML_METADATA_PATH, {
+        SSO_METADATA_PATH, {
           tenantId: '123',
           settings: {
             name: 'test',

data/spec/lib.descope/api/v1/management/user_spec.rb

@@ -9,55 +9,69 @@ describe Descope::Api::V1::Management::User do
     @instance = dummy_instance
   end
 
-  context '.create_user' do
+  context '.create_user_and_test_user' do
     it 'is expected to respond to a user create method' do
       expect(@instance).to respond_to(:create_user)
+      expect(@instance).to respond_to(:create_test_user)
     end
 
+    user_tenants_args = [
+      {
+        tenant_id: 'tenant1'
+      },
+      {
+        tenant_id: 'tenant2',
+        role_names: %w[role1 role2]
+      }
+    ]
+
+    params = {
+      loginId: 'name@mail.com',
+      email: 'name@mail.com',
+      phone: '+1-212-669-2542',
+      name: 'name',
+      givenName: 'name',
+      familyName: 'Ruby SDK',
+      userTenants: associated_tenants_to_hash_array(user_tenants_args),
+      test: false,
+      picture: 'https://www.example.com/picture.png',
+      customAttributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
+      additionalIdentifiers: %w[id-1 id-2],
+      password: 's3cr3t',
+      ssoAppIds: %w[app1 app2],
+      invite: false
+    }
+
+    args = {
+      login_id: 'name@mail.com',
+      email: 'name@mail.com',
+      phone: '+1-212-669-2542',
+      name: 'name',
+      given_name: 'name',
+      family_name: 'Ruby SDK',
+      user_tenants: user_tenants_args,
+      picture: 'https://www.example.com/picture.png',
+      custom_attributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
+      additional_identifiers: %w[id-1 id-2],
+      password: 's3cr3t',
+      sso_app_ids: %w[app1 app2]
+    }
+
     it 'is expected to create a user with user data' do
-      user_tenants_args = [
-        {
-          tenant_id: 'tenant1'
-        },
-        {
-          tenant_id: 'tenant2',
-          role_names: %w[role1 role2]
-        }
-      ]
-      expect(@instance).to receive(:post).with(
-        USER_CREATE_PATH, {
-          loginId: 'name@mail.com',
-          email: 'name@mail.com',
-          phone: '+1-212-669-2542',
-          name: 'name',
-          givenName: 'name',
-          familyName: 'Ruby SDK',
-          userTenants: associated_tenants_to_hash_array(user_tenants_args),
-          test: false,
-          picture: 'https://www.example.com/picture.png',
-          customAttributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
-          additionalIdentifiers: %w[id-1 id-2],
-          password: 's3cr3t',
-          ssoAppIds: %w[app1 app2],
-          invite: false
-        }
-      )
+      expect(@instance).to receive(:post).with(USER_CREATE_PATH, params)
 
       expect do
-        @instance.create_user(
-          login_id: 'name@mail.com',
-          email: 'name@mail.com',
-          phone: '+1-212-669-2542',
-          name: 'name',
-          given_name: 'name',
-          family_name: 'Ruby SDK',
-          user_tenants: user_tenants_args,
-          picture: 'https://www.example.com/picture.png',
-          custom_attributes: { 'attr1' => 'value1', 'attr2' => 'value2' },
-          additional_identifiers: %w[id-1 id-2],
-          password: 's3cr3t',
-          sso_app_ids: %w[app1 app2]
-        )
+        @instance.create_user(**args)
+      end.not_to raise_error
+    end
+
+    it 'is expected to create a test user with user data' do
+      params[:test] = true
+      expect(@instance).to receive(:post).with(TEST_USER_CREATE_PATH, params)
+
+      expect do
+        args[:test] = true
+        @instance.create_test_user(**args)
       end.not_to raise_error
     end
   end
@@ -108,14 +122,16 @@ describe Descope::Api::V1::Management::User do
           loginId: 'name@mail.com',
           email: 'name@mail.com',
           test: false,
-          invite: true
+          invite: true,
+          templateId: "tid",
         }
       )
 
       expect do
         @instance.invite_user(
           login_id: 'name@mail.com',
-          email: 'name@mail.com'
+          email: 'name@mail.com',
+          template_id: "tid",
         )
       end.not_to raise_error
     end
@@ -223,6 +239,8 @@ describe Descope::Api::V1::Management::User do
     it 'is expected to respond to a search_all method' do
       expect(@instance).to respond_to(:search_all_users)
 
+      tenant_role_ids = { 'tenant1' => ['roleA', 'roleB'] }
+      tenant_role_names = { 'tenant1' => ['roleName1', 'roleName2'] }
       expect(@instance).to receive(:post).with(
         USERS_SEARCH_PATH, {
           loginId: 'someone@example.com',
@@ -234,7 +252,13 @@ describe Descope::Api::V1::Management::User do
           ssoOnly: false,
           text: 'some text',
           testUsersOnly: false,
-          withTestUser: false
+          withTestUser: false,
+          tenantRoleIds: {
+            'tenant1' => { values: ['roleA', 'roleB'] }
+          },
+          tenantRoleNames: {
+            'tenant1' => { values: ['roleName1', 'roleName2'] }
+          }
         }
       )
 
@@ -248,7 +272,9 @@ describe Descope::Api::V1::Management::User do
           page: 1,
           sso_app_ids: [],
           test_users_only: false,
-          with_test_user: false
+          with_test_user: false,
+          tenant_role_ids: tenant_role_ids,
+          tenant_role_names: tenant_role_names
         )
       end.not_to raise_error
     end
@@ -704,4 +730,66 @@ describe Descope::Api::V1::Management::User do
       end.not_to raise_error
     end
   end
+
+  context '.patch_user' do
+    it 'is expected to respond to a patch user method' do
+      expect(@instance).to respond_to(:patch_user)
+    end
+
+    it 'is expected to respond to a user patch method' do
+      expect(@instance).to receive(:patch).with(
+        USER_PATCH_PATH, {
+          loginId: 'name@mail.com',
+          email: 'name@mail.com',
+          givenName: 'mister',
+          name: 'something else',
+          test: false,
+          invite: false
+        }
+      )
+
+      expect do
+        @instance.patch_user(
+          login_id: 'name@mail.com',
+          email: 'name@mail.com',
+          given_name: 'mister',
+          name: 'something else'
+        )
+      end.not_to raise_error
+    end
+  end
+
+  context '.search_all_test_users' do
+    it 'is expected to respond to a search_all_test_users method' do
+      expect(@instance).to respond_to(:search_all_test_users)
+
+      tenant_role_ids = { 'tenant1' => ['roleA', 'roleB'] }
+      tenant_role_names = { 'tenant1' => ['roleName1', 'roleName2'] }
+      expect(@instance).to receive(:post).with(
+        TEST_USERS_SEARCH_PATH, {
+          tenantIds: %w[t1 t2],
+          roleNames: %w[r1 r2],
+          limit: 0,
+          page: 0,
+          testUsersOnly: true,
+          withTestUser: true,
+          tenantRoleIds: {
+            'tenant1' => { values: ['roleA', 'roleB'] }
+          },
+          tenantRoleNames: {
+            'tenant1' => { values: ['roleName1', 'roleName2'] }
+          }
+        }
+      )
+
+      expect do
+        @instance.search_all_test_users(
+          tenant_ids: %w[t1 t2],
+          role_names: %w[r1 r2],
+          tenant_role_ids: tenant_role_ids,
+          tenant_role_names: tenant_role_names
+        )
+      end.not_to raise_error
+    end
+  end
 end

data/spec/lib.descope/api/v1/session_spec.rb

@@ -31,12 +31,32 @@ describe Descope::Api::V1::Session do
     end
 
     it 'is expected to post refresh session' do
-      jwt_response = { 'fake': 'response' }
-      allow(@instance).to receive(:generate_jwt_response).and_return(jwt_response)
-
-      expect(@instance).to receive(:post).with(REFRESH_TOKEN_PATH, {}, {}, 'refresh_token')
-      allow(@instance).to receive(:validate_token).with('refresh_token', nil).and_return({})
-      expect { @instance.refresh_session(refresh_token: 'refresh_token') }.not_to raise_error
+      jwt_response = {
+        'sessionJwt' => 'fake_session_jwt',
+        'refreshJwt' => 'fake_refresh_jwt',
+        'cookies' => {
+          'refresh_token' => 'fake_refresh_cookie'
+        }
+      }
+      refresh_token = 'refresh_token'
+      audience = nil
+
+      allow(@instance).to receive(:validate_refresh_token_not_nil).with(refresh_token).and_return(true)
+      allow(@instance).to receive(:validate_token).with(refresh_token, audience).and_return(true)
+      allow(@instance).to receive(:post).with(REFRESH_TOKEN_PATH, {}, {}, refresh_token).and_return(jwt_response)
+      refresh_cookie = jwt_response['cookies'][REFRESH_SESSION_COOKIE_NAME] || jwt_response['refreshJwt']
+
+      allow(@instance).to receive(:generate_jwt_response).with(
+        response_body: jwt_response,
+        refresh_cookie:,
+        audience:
+      ).and_return(jwt_response)
+
+      expect { @instance.refresh_session(refresh_token:, audience:) }.not_to raise_error
+
+      # Optionally verify the response if needed
+      result = @instance.refresh_session(refresh_token:, audience:)
+      expect(result).to eq(jwt_response)
     end
   end
 
@@ -114,4 +134,97 @@ describe Descope::Api::V1::Session do
       expect { @instance.validate_and_refresh_session(session_token: 'session_token', refresh_token: 'refresh_token') }.to_not raise_error
     end
   end
+
+  context 'cookie domain fix for refresh_session' do
+    let(:refresh_token) { 'test_refresh_token' }
+    let(:session_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.signature' }
+    let(:refresh_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.refresh_sig' }
+
+    context 'when using cookie-only tokens with custom domain' do
+      let(:cookie_only_response) do
+        {
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookieDomain' => 'dev.lulukuku.com',
+          'cookies' => {
+            'DS' => session_jwt,
+            'DSR' => refresh_jwt
+          }
+        }
+      end
+
+      it 'extracts tokens from cookies when not in response body' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(cookie_only_response)
+        allow(@instance).to receive(:generate_jwt_response).and_return(cookie_only_response)
+
+        expect { @instance.refresh_session(refresh_token: refresh_token) }.not_to raise_error
+        
+        result = @instance.refresh_session(refresh_token: refresh_token)
+        expect(result).to eq(cookie_only_response)
+      end
+
+      it 'passes correct refresh_cookie to generate_jwt_response' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(cookie_only_response)
+
+        # Verify that refresh_cookie is extracted correctly from cookies
+        expected_refresh_cookie = refresh_jwt
+        expect(@instance).to receive(:generate_jwt_response).with(
+          response_body: cookie_only_response,
+          refresh_cookie: expected_refresh_cookie,
+          audience: nil
+        ).and_return(cookie_only_response)
+
+        @instance.refresh_session(refresh_token: refresh_token)
+      end
+    end
+
+    context 'when using mixed configuration (some tokens in body, some in cookies)' do
+      let(:mixed_response) do
+        {
+          'sessionJwt' => session_jwt,  # Session token in response body
+          'userId' => 'test123',
+          'cookies' => {
+            'DSR' => refresh_jwt        # Refresh token in cookies only
+          }
+        }
+      end
+
+      it 'handles mixed token locations correctly' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(mixed_response)
+        allow(@instance).to receive(:generate_jwt_response).and_return(mixed_response)
+
+        expect { @instance.refresh_session(refresh_token: refresh_token) }.not_to raise_error
+      end
+    end
+
+    context 'backward compatibility with traditional response body tokens' do
+      let(:traditional_response) do
+        {
+          'sessionJwt' => session_jwt,
+          'refreshJwt' => refresh_jwt,
+          'userId' => 'test123'
+        }
+      end
+
+      it 'continues to work with response body tokens' do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({})
+        allow(@instance).to receive(:post).and_return(traditional_response)
+        
+        expect(@instance).to receive(:generate_jwt_response).with(
+          response_body: traditional_response,
+          refresh_cookie: refresh_jwt,  # Should use refreshJwt from response body
+          audience: nil
+        ).and_return(traditional_response)
+
+        @instance.refresh_session(refresh_token: refresh_token)
+      end
+    end
+  end
 end