devise_g5_authenticatable 0.1.0

data/lib/devise_g5_authenticatable/routes.rb

@@ -0,0 +1,58 @@
+module Devise
+  class Mapping
+    alias :original_initialize :initialize
+
+    def initialize(name, options)
+      set_default_g5_controllers(options)
+      original_initialize(name, options)
+    end
+
+    private
+    def set_default_g5_controllers(options)
+      options[:controllers] ||= {}
+      options[:controllers].reverse_merge!({
+        registrations: 'devise_g5_authenticatable/registrations',
+        sessions: 'devise_g5_authenticatable/sessions'
+      })
+      options
+    end
+  end
+end
+
+module ActionDispatch::Routing
+  class Mapper
+    protected
+    def devise_session(mapping, controllers)
+      set_omniauth_path_prefix(mapping)
+      build_session_routes(mapping, controllers)
+      build_g5_omniauth_routes(mapping, controllers)
+    end
+
+    def set_omniauth_path_prefix(mapping)
+      path_prefix = Devise.omniauth_path_prefix || "/#{mapping.fullpath}/auth".squeeze("/")
+      set_omniauth_path_prefix!(path_prefix) unless ::OmniAuth.config.path_prefix.present?
+    end
+
+    def build_session_routes(mapping, controllers)
+      resource :session, only: [], controller: controllers[:sessions], path: '' do
+        get   :new,     path: mapping.path_names[:sign_in], as: :new
+        post  :create,  path: mapping.path_names[:sign_in]
+        match :destroy, path: mapping.path_names[:sign_out], as: :destroy, via: mapping.sign_out_via
+      end
+    end
+
+    def build_g5_omniauth_routes(mapping, controllers)
+      match 'auth/g5',
+        controller: controllers[:sessions],
+        action: 'omniauth_passthru',
+        as: :g5_authorize,
+        via: [:get, :post]
+
+      match 'auth/g5/callback',
+        controller: controllers[:sessions],
+        action: 'create',
+        as: :g5_callback,
+        via: [:get, :post]
+    end
+  end
+end

data/lib/devise_g5_authenticatable/version.rb

@@ -0,0 +1,3 @@
+module DeviseG5Authenticatable
+  VERSION = '0.1.0'
+end

data/lib/tasks/g5/export_users.rake

@@ -0,0 +1,13 @@
+require 'devise_g5_authenticatable/g5/user_exporter'
+
+namespace :g5 do
+  desc "Create an auth user for each row in users table and dump id/password for update in auth server"
+  task :export_users, [:authorization_code, :client_id, :client_secret, :redirect_uri, :endpoint] => :environment do |t, args|
+    args.with_defaults(client_id: ENV['G5_AUTH_CLIENT_ID'],
+                       client_secret: ENV['G5_AUTH_CLIENT_SECRET'],
+                       redirect_uri: ENV['G5_AUTH_REDIRECT_URI'],
+                       endpoint: ENV['G5_AUTH_ENDPOINT'],
+                       authorization_code: ENV['G5_AUTH_AUTHORIZATION_CODE'])
+    puts G5::UserExporter.new(args).export
+  end
+end

data/spec/controllers/helpers_spec.rb

@@ -0,0 +1,295 @@
+require 'spec_helper'
+
+describe DeviseG5Authenticatable::Helpers do
+  controller(ActionController::Base) do
+    include Devise::Controllers::Helpers
+    include DeviseG5Authenticatable::Helpers
+  end
+
+  describe '#clear_blank_passwords' do
+    subject(:clear_passwords) { get :index, password_params }
+    before { clear_passwords }
+
+    controller do
+      before_filter :clear_blank_passwords, only: :index
+
+      def index
+        render status: 200, text: 'Index'
+      end
+    end
+
+    context 'when password params are populated' do
+      let(:password_params) do
+        {
+          scope => {
+            password: password,
+            password_confirmation: password_confirmation,
+            current_password: current_password,
+            email: 'foo@test.host'
+          }
+        }
+      end
+
+      let(:scope) { :user }
+
+      let(:password) { 'some_secret' }
+      let(:password_confirmation) { 'some_other_secret' }
+      let(:current_password) { 'current_secret' }
+
+      context 'with user scope' do
+        let(:scope) { :user }
+
+        context 'with non-blank password params' do
+          it 'should not change the password param' do
+            expect(controller.params[:user][:password]).to eq(password)
+          end
+
+          it 'should not change the password_confirmation param' do
+            expect(controller.params[:user][:password_confirmation]).to eq(password_confirmation)
+          end
+
+          it 'should not change the current_password param' do
+            expect(controller.params[:user][:current_password]).to eq(current_password)
+          end
+
+          it 'should not change the non-password param' do
+            expect(controller.params[:user][:email]).to eq(password_params[:user][:email])
+          end
+        end
+
+        context 'when password is nil' do
+          let(:password) {}
+
+          it 'should set the password param to nil' do
+            expect(controller.params[:user][:password]).to be_nil
+          end
+
+          it 'should not change the password confirmation param' do
+            expect(controller.params[:user][:password_confirmation]).to eq(password_confirmation)
+          end
+
+          it 'should not change the current_password param' do
+            expect(controller.params[:user][:current_password]).to eq(current_password)
+          end
+        end
+
+        context 'when password is blank' do
+          let(:password) { '                ' }
+
+          it 'should set the password param to nil' do
+            expect(controller.params[:user][:password]).to be_nil
+          end
+
+          it 'should not change the password confirmation param' do
+            expect(controller.params[:user][:password_confirmation]).to eq(password_confirmation)
+          end
+
+          it 'should not change the current_password param' do
+            expect(controller.params[:user][:current_password]).to eq(current_password)
+          end
+        end
+
+        context 'when password confirmation is nil' do
+          let(:password_confirmation) {}
+
+          it 'should not change the password param' do
+            expect(controller.params[:user][:password]).to eq(password)
+          end
+
+          it 'should set the password_confirmation param to nil' do
+            expect(controller.params[:user][:password_confirmation]).to be_nil
+          end
+
+          it 'should not change the current_password param' do
+            expect(controller.params[:user][:current_password]).to eq(current_password)
+          end
+        end
+
+        context 'when password confirmation is blank' do
+          let(:password_confirmation) { '      ' }
+
+          it 'should not change the password param' do
+            expect(controller.params[:user][:password]).to eq(password)
+          end
+
+          it 'should set the password_confirmation param to nil' do
+            expect(controller.params[:user][:password_confirmation]).to be_nil
+          end
+
+          it 'should not change the current_password param' do
+            expect(controller.params[:user][:current_password]).to eq(current_password)
+          end
+        end
+
+        context 'when current_password is nil' do
+          let(:current_password) {}
+
+          it 'should not change the password param' do
+            expect(controller.params[:user][:password]).to eq(password)
+          end
+
+          it 'should not change the password_confirmation param' do
+            expect(controller.params[:user][:password_confirmation]).to eq(password_confirmation)
+          end
+
+          it 'should set the current password param to nil' do
+            expect(controller.params[:user][:current_password]).to be_nil
+          end
+        end
+
+        context 'when current_password is blank' do
+          let(:current_password) { '   ' }
+
+          it 'should not change the password param' do
+            expect(controller.params[:user][:password]).to eq(password)
+          end
+
+          it 'should not change the password_confirmation param' do
+            expect(controller.params[:user][:password_confirmation]).to eq(password_confirmation)
+          end
+
+          it 'should set the current password param to nil' do
+            expect(controller.params[:user][:current_password]).to be_nil
+          end
+        end
+      end
+
+      context 'with admin scope' do
+        let(:scope) { :admin }
+
+        context 'when password is blank' do
+          let(:password) { '              ' }
+
+          it 'should set the admin password param to nil' do
+            expect(controller.params[:admin][:password]).to be_nil
+          end
+        end
+
+        context 'when password confirmation is blank' do
+          let(:password_confirmation) { '     ' }
+
+          it 'should set the admin password confirmation to nil' do
+            expect(controller.params[:admin][:password_confirmation]).to be_nil
+          end
+        end
+
+        context 'when current password is blank' do
+          let(:current_password) { '   ' }
+
+          it 'should set the admin current password param to nil' do
+            expect(controller.params[:admin][:current_password]).to be_nil
+          end
+        end
+      end
+    end
+
+    context 'when there are no password params' do
+      let(:password_params) { Hash.new }
+
+      it 'should not change any params' do
+        expect(controller.params[:user]).to be_nil
+      end
+    end
+  end
+
+  describe '#set_updated_by_user' do
+    subject(:set_updated_by_user) { post :create, user_params }
+
+    controller do
+      define_helpers(:user)
+      define_helpers(:admin)
+
+      before_filter :set_updated_by_user, only: :create
+
+      def create
+        render status: 200, text: 'Create'
+      end
+    end
+
+    before { sign_in :user, current_user }
+    let(:current_user) { create(:user) }
+
+    before { set_updated_by_user }
+
+    context 'when there is a user param' do
+      let(:user_params) { {user: attributes_for(:user)} }
+
+      it 'should set the user updated_by' do
+        expect(controller.params[:user][:updated_by]).to eq(current_user)
+      end
+    end
+
+    context 'when there is no user param' do
+      let(:user_params) { Hash.new }
+
+      it 'should set the updated_by' do
+        expect(controller.params[:updated_by]).to eq(current_user)
+      end
+    end
+  end
+
+  describe '#set_updated_by_admin' do
+    subject(:set_updated_by_admin) { post :create, admin_params }
+
+    controller do
+      define_helpers(:user)
+      define_helpers(:admin)
+
+      before_filter :set_updated_by_admin, only: :create
+
+      def create
+        render status: 200, text: 'Create'
+      end
+    end
+
+    before { sign_in :admin, current_admin }
+    let(:current_admin) { create(:admin) }
+
+    before { set_updated_by_admin }
+
+    context 'when there is an admin param' do
+      let(:admin_params) { {admin: attributes_for(:admin)} }
+
+      it 'should set the admin updated_by' do
+        expect(controller.params[:admin][:updated_by]).to eq(current_admin)
+      end
+    end
+
+    context 'when there is no admin param' do
+      let(:admin_params) { Hash.new }
+
+      it 'should set the updated_by' do
+        expect(controller.params[:updated_by]).to eq(current_admin)
+      end
+    end
+  end
+
+  describe '#handle_resource_error' do
+    subject(:action_with_error) { post :create }
+
+    before { request.env['devise.mapping'] = Devise.mappings[:user] }
+
+    controller(DeviseController) do
+      rescue_from ActiveRecord::RecordNotSaved, with: :handle_resource_error
+
+      def create
+        self.resource = resource_class.new
+        raise ActiveRecord::RecordNotSaved.new('my_error')
+      end
+    end
+
+    before { action_with_error }
+
+    it 'should be successful' do
+      expect(response).to be_success
+    end
+
+    it 'should set the base error on the resource' do
+      expect(controller.resource.errors[:base]).to eq(['my_error'])
+    end
+
+    it 'should render the model creation form' do
+      expect(response).to render_template('anonymous/new')
+    end
+  end
+end

data/spec/controllers/sessions_controller_spec.rb

@@ -0,0 +1,256 @@
+require 'spec_helper'
+
+describe DeviseG5Authenticatable::SessionsController do
+  before { request.env['devise.mapping'] = Devise.mappings[scope] }
+  let(:scope) { :user }
+
+  describe '#new' do
+    subject(:new_session) { get :new }
+
+    context 'with user scope' do
+      it 'should redirect to the scoped authorize path' do
+        expect(new_session).to redirect_to(user_g5_authorize_path)
+      end
+    end
+
+    context 'with admin scope' do
+      let(:scope) { :admin }
+
+      it 'should redirect to the scoped authorize path' do
+        expect(new_session).to redirect_to(admin_g5_authorize_path)
+      end
+    end
+  end
+
+  describe '#omniauth_passthru' do
+    subject(:passthru) { get :omniauth_passthru }
+
+    it 'should return a 404' do
+      expect(passthru).to be_not_found
+    end
+  end
+
+  describe '#create' do
+    subject(:create_session) { post :create }
+
+    let(:auth_hash) do
+      OmniAuth::AuthHash.new({
+        provider: 'g5',
+        uid: '45',
+        info: {name: 'Foo Bar',
+               email: 'foo@bar.com'},
+        credentials: {token: 'abc123'}
+      })
+    end
+    before { request.env['omniauth.auth'] = auth_hash }
+
+    context 'when local model exists' do
+      let(:model) do
+        stub_model(model_class, provider: auth_hash.provider,
+                         uid: auth_hash.uid,
+                         email: auth_hash.email,
+                         g5_access_token: auth_hash.credentials.token,
+                         save!: true,
+                         update_g5_credentials: true,
+                         email_changed?: false)
+      end
+      before { model_class.stub(find_and_update_for_g5_oauth: model) }
+
+      context 'with user scope' do
+        let(:model_class) { User }
+        let(:scope) { :user }
+
+        it 'should find the user and update the oauth credentials' do
+          User.should_receive(:find_and_update_for_g5_oauth).with(auth_hash).and_return(model)
+          create_session
+        end
+
+        it 'should set the flash message' do
+          create_session
+          expect(flash[:notice]).to eq('Signed in successfully.')
+        end
+
+        it 'should sign in the user' do
+          expect { create_session }.to change { controller.current_user }.from(nil).to(model)
+        end
+
+        it 'should redirect the user' do
+          create_session
+          expect(response).to be_a_redirect
+        end
+      end
+
+      context 'with admin scope' do
+        let(:model_class) { Admin }
+        let(:scope) { :admin }
+
+        it 'should find the admin and update the oauth credentials' do
+          Admin.should_receive(:find_and_update_for_g5_oauth).with(auth_hash).and_return(model)
+          create_session
+        end
+
+        it 'should sign in the admin' do
+          expect { create_session }.to change { controller.current_admin }.from(nil).to(model)
+        end
+      end
+    end
+
+    context 'when local model does not exist' do
+      before { model_class.stub(find_and_update_for_g5_oauth: nil) }
+
+      context 'with user scope' do
+        let(:scope) { :user }
+        let(:model_class) { User }
+
+        it 'should set the flash message' do
+          create_session
+          expect(flash[:alert]).to eq('You must sign up before continuing.')
+        end
+
+        it 'should not sign in a user' do
+          expect { create_session }.to_not change { controller.current_user }
+        end
+
+        it 'should redirect to the user registration path' do
+          expect(create_session).to redirect_to(new_user_registration_path)
+        end
+
+        it 'should set the auth data on the session' do
+          expect { create_session }.to change { session['omniauth.auth'] }.to(auth_hash)
+        end
+      end
+
+      context 'with admin scope' do
+        let(:scope) { :admin }
+        let(:model_class) { Admin }
+
+        it 'should redirect to the admin registration path' do
+          expect(create_session).to redirect_to(new_admin_registration_path)
+        end
+
+        it 'should set the auth data on the session' do
+          expect { create_session }.to change { session['omniauth.auth'] }.to(auth_hash)
+        end
+      end
+    end
+  end
+
+  describe '#destroy' do
+    subject(:destroy_session) { delete :destroy }
+
+    let(:auth_client) { double(:auth_client, sign_out_url: auth_sign_out_url) }
+    let(:auth_sign_out_url) { 'https://auth.test.host/sign_out?redirect_url=http%3A%2F%2Ftest.host%2F' }
+    before do
+      allow(G5AuthenticationClient::Client).to receive(:new).and_return(auth_client)
+    end
+
+    let(:model) { create(scope) }
+
+    before do
+      sign_in(scope, model)
+      allow(model).to receive(:revoke_g5_credentials!)
+    end
+
+    context 'with user scope' do
+      let(:scope) { :user }
+
+      it 'should sign out the user locally' do
+        expect { destroy_session }.to change { controller.current_user }.to(nil)
+      end
+
+      it 'should construct the sign out URL with the correct redirect URL' do
+        expect(auth_client).to receive(:sign_out_url).
+          with(root_url).
+          and_return(auth_sign_out_url)
+        destroy_session
+      end
+
+      it 'should redirect to the auth server to sign out globally' do
+        expect(destroy_session).to redirect_to(auth_sign_out_url)
+      end
+
+      it 'should revoke the g5 access token' do
+        expect(controller.current_user).to receive(:revoke_g5_credentials!)
+        destroy_session
+      end
+    end
+
+    context 'with admin scope' do
+      let(:scope) { :admin }
+
+      it 'should sign out the admin locally' do
+        expect { destroy_session }.to change { controller.current_admin }.to(nil)
+      end
+
+      it 'should revoke the g5 access token' do
+        expect(controller.current_admin).to receive(:revoke_g5_credentials!)
+        destroy_session
+      end
+    end
+  end
+
+  describe '#failure' do
+    subject(:failure) do
+      # We need some trickery here because the failure action is actually rack
+      # rather than rails
+      rack_response = described_class.action(:failure).call(request.env)
+      @response = ActionDispatch::TestResponse.from_response(rack_response.last)
+    end
+
+    before do
+      request.env['omniauth.error'] = error
+      request.env['omniauth.error.strategy'] = omniauth_strategy
+    end
+
+    let(:omniauth_strategy) { double(:omniauth_strategy, name: 'G5') }
+
+    context 'with error_reason' do
+      let(:error) { double(:error, error_reason: reason) }
+      let(:reason) { 'The error reason' }
+
+      it 'should set the flash message' do
+        failure
+        expect(flash[:alert]).to eq("Could not authenticate you from G5 because \"#{reason}\".")
+      end
+
+      it 'should be a redirect' do
+        failure
+        expect(response).to be_a_redirect
+      end
+
+      it 'should redirect to root path' do
+        failure
+        expect(response).to redirect_to(root_path)
+      end
+    end
+
+    context 'with error string' do
+      let(:error) { double(:error, error: message) }
+      let(:message) { 'The error string' }
+
+      it 'should set the flash message' do
+        failure
+        expect(flash[:alert]).to eq("Could not authenticate you from G5 because \"#{message}\".")
+      end
+
+      it 'should redirect to the root path' do
+        expect(failure).to redirect_to(root_path)
+      end
+    end
+
+    context 'with omniauth error type' do
+      before { request.env['omniauth.error.type'] = :invalid_credentials }
+      let(:humanized_type) { 'Invalid credentials' }
+      let(:error) { Object.new }
+
+      it 'should set the flash message' do
+        failure
+        expect(flash[:alert]).to eq("Could not authenticate you from G5 because \"#{humanized_type}\".")
+      end
+
+      it 'should redirect to the root path' do
+        expect(failure).to redirect_to(root_path)
+      end
+    end
+  end
+end