gds-sso 14.1.0 → 15.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 23a6e0c4d1ab3235317f3ebeb7751063cfb34651103e18f8566f1af14289f138
-  data.tar.gz: 98fdfb14f57717685360e7e870665325ad8e710fcf84abe236fbb29e4d7f5ebf
+  metadata.gz: a2435fe77d5992ffde6d0cb2aaf09ed4449c17c73908e4509e0a9a0ad6dc2763
+  data.tar.gz: fdeae2412f7a8a2f665b6d3ef8da833fc49737bab89336517b52c89bd3148cc5
 SHA512:
-  metadata.gz: 6a4a79296c5d292ee1644bdfe026523231bd5ed3209e64819eac71587eb5a6f300626c08e4650837fd3ed22e60713df397e478c0ba88c978c5be8659b1739216
-  data.tar.gz: a5644c1bd476202949cf7e94a734e80fbf4761cac7e2a4e83d23f31cdede40e0838b7106c41f82d1fb49d67d6b325901fac528883c20425257050315664a2d60
+  metadata.gz: b5357aa5392b165604cda90222b0edd561dceff9ec8aa18da4bf40d4bf4818b65cc32b7df96f2ef8ae8a92b0e094a84e729448c4d5bd0a54a4ce1d62fbafde85
+  data.tar.gz: 8ad294caa8d1e2c09256f3e41e7cf380cd271d9b5c3504daef1e3e0651cba1130e9f29a92c1c66c183c373b156858d61755e998b99ab1ad125ed92906d28ce14

data/Rakefile

@@ -1,19 +1,24 @@
-require 'bundler/setup'
-require 'bundler/gem_tasks'
+require "bundler/setup"
+require "bundler/gem_tasks"
 
 Bundler::GemHelper.install_tasks
 
-require 'rspec/core/rake_task'
+require "rspec/core/rake_task"
 desc "Run all specs"
 RSpec::Core::RakeTask.new(:spec) do |task|
-  task.pattern = 'spec/**/*_spec.rb'
+  task.pattern = "spec/**/*_spec.rb"
 end
 
 namespace :spec do
   desc "Run integration specs"
   RSpec::Core::RakeTask.new(:integration) do |task|
-    task.pattern = 'spec/integration/**/*_spec.rb'
+    task.pattern = "spec/integration/**/*_spec.rb"
   end
 end
 
-task :default => ["spec"]
+desc "Lint Ruby"
+task :lint do
+  sh "bundle exec rubocop --format clang"
+end
+
+task default: %i[spec lint]

data/app/controllers/api/user_controller.rb

@@ -6,43 +6,45 @@ class Api::UserController < ActionController::Base
   before_action :require_user_update_permission
 
   def update
-    user_json = JSON.parse(request.body.read)['user']
+    user_json = JSON.parse(request.body.read)["user"]
     oauth_hash = build_gds_oauth_hash(user_json)
     GDS::SSO::Config.user_klass.find_for_gds_oauth(oauth_hash)
-    head :ok, content_type: 'text/plain'
+    head :ok, content_type: "text/plain"
   end
 
   def reauth
-    user = GDS::SSO::Config.user_klass.where(:uid => params[:uid]).first
+    user = GDS::SSO::Config.user_klass.where(uid: params[:uid]).first
     if user.nil? || user.set_remotely_signed_out!
-      head :ok, content_type: 'text/plain'
+      head :ok, content_type: "text/plain"
     else
-      head 500, content_type: 'text/plain'
+      head 500, content_type: "text/plain"
     end
   end
 
-  private
-    # This should mirror the object created by the omniauth-gds strategy/gem
-    # By doing this, we can reuse the code for creating/updating the user
-    def build_gds_oauth_hash(user_json)
-      OmniAuth::AuthHash.new(
-          uid: user_json['uid'],
-          provider: 'gds',
-          info: {
-            name: user_json['name'],
-            email: user_json['email']
-          },
-          extra: {
-            user: {
-              permissions: user_json['permissions'],
-              organisation_slug: user_json['organisation_slug'],
-              organisation_content_id: user_json['organisation_content_id'],
-              disabled: user_json['disabled'],
-            }
-          })
-    end
+private
 
-    def require_user_update_permission
-      authorise_user!("user_update_permission")
-    end
+  # This should mirror the object created by the omniauth-gds strategy/gem
+  # By doing this, we can reuse the code for creating/updating the user
+  def build_gds_oauth_hash(user_json)
+    OmniAuth::AuthHash.new(
+      uid: user_json["uid"],
+      provider: "gds",
+      info: {
+        name: user_json["name"],
+        email: user_json["email"],
+      },
+      extra: {
+        user: {
+          permissions: user_json["permissions"],
+          organisation_slug: user_json["organisation_slug"],
+          organisation_content_id: user_json["organisation_content_id"],
+          disabled: user_json["disabled"],
+        },
+      },
+    )
+  end
+
+  def require_user_update_permission
+    authorise_user!("user_update_permission")
+  end
 end

data/app/controllers/authentications_controller.rb

@@ -1,16 +1,14 @@
 class AuthenticationsController < ActionController::Base
   include GDS::SSO::ControllerMethods
 
-  before_action :authenticate_user!, :only => :callback
+  before_action :authenticate_user!, only: :callback
   layout false
 
   def callback
-    redirect_to session["return_to"] || '/'
+    redirect_to session["return_to"] || "/"
   end
 
-  def failure
-
-  end
+  def failure; end
 
   def sign_out
     logout

data/app/views/layouts/unauthorised.html.erb

@@ -7,7 +7,7 @@
       <%= yield %>
     </div>
     <div id="footer" class="cf">
-      &copy; <%= Date.today.year %> <a href="http://digital.cabinetoffice.gov.uk/"><abbr title="Government Digital Service">GDS</abbr></a>.
+      &copy; <%= Date.today.year %> <a href="https://www.gov.uk/government/organisations/government-digital-service">Government Digital Service</a>
     </div>
   </body>
 </html>

data/config/routes.rb

@@ -1,8 +1,9 @@
 Rails.application.routes.draw do
   next if GDS::SSO::Config.api_only?
-  get '/auth/gds/callback',               to: 'authentications#callback', as: :gds_sign_in
-  get '/auth/gds/sign_out',               to: 'authentications#sign_out', as: :gds_sign_out
-  get  '/auth/failure',                   to: 'authentications#failure',  as: :auth_failure
-  put  '/auth/gds/api/users/:uid',        to: "api/user#update"
-  post '/auth/gds/api/users/:uid/reauth', to: "api/user#reauth"
+
+  get "/auth/gds/callback",               to: "authentications#callback", as: :gds_sign_in
+  get "/auth/gds/sign_out",               to: "authentications#sign_out", as: :gds_sign_out
+  get  "/auth/failure",                   to: "authentications#failure",  as: :auth_failure
+  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
+  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
 end

data/lib/gds-sso.rb

@@ -1,16 +1,17 @@
-require 'rails'
+require "rails"
 
-require 'gds-sso/config'
-require 'gds-sso/warden_config'
-require 'omniauth'
-require 'omniauth-gds'
+require "gds-sso/config"
+require "gds-sso/version"
+require "gds-sso/warden_config"
+require "omniauth"
+require "omniauth-gds"
 
 module GDS
   module SSO
-    autoload :FailureApp,        'gds-sso/failure_app'
-    autoload :ControllerMethods, 'gds-sso/controller_methods'
-    autoload :User,              'gds-sso/user'
-    autoload :ApiAccess,         'gds-sso/api_access'
+    autoload :FailureApp,        "gds-sso/failure_app"
+    autoload :ControllerMethods, "gds-sso/controller_methods"
+    autoload :User,              "gds-sso/user"
+    autoload :ApiAccess,         "gds-sso/api_access"
 
     # User to return as logged in during tests
     mattr_accessor :test_user
@@ -22,24 +23,30 @@ module GDS
     class Engine < ::Rails::Engine
       # Force routes to be loaded if we are doing any eager load.
       # TODO - check this one - Stolen from Devise because it looked sensible...
-      config.before_eager_load { |app| app.reload_routes! }
+      config.before_eager_load(&:reload_routes!)
 
       config.app_middleware.use ::OmniAuth::Builder do
         next if GDS::SSO::Config.api_only?
+
         provider :gds, GDS::SSO::Config.oauth_id, GDS::SSO::Config.oauth_secret,
-          client_options: {
-            site: GDS::SSO::Config.oauth_root_url,
-            authorize_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/authorize",
-            token_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token",
-          }
+                 client_options: {
+                   site: GDS::SSO::Config.oauth_root_url,
+                   authorize_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/authorize",
+                   token_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token",
+                   connection_opts: {
+                     headers: {
+                       user_agent: "gds-sso/#{GDS::SSO::VERSION} (#{ENV['GOVUK_APP_NAME']})",
+                     },
+                   },
+                 }
       end
 
       def self.default_strategies
-        Config.use_mock_strategies? ? [:mock_gds_sso, :gds_bearer_token] : [:gds_sso, :gds_bearer_token]
+        Config.use_mock_strategies? ? %i[mock_gds_sso gds_bearer_token] : %i[gds_sso gds_bearer_token]
       end
 
       config.app_middleware.use Warden::Manager do |config|
-        config.default_strategies *self.default_strategies
+        config.default_strategies(*default_strategies)
         config.failure_app = GDS::SSO::FailureApp
       end
     end

data/lib/gds-sso/api_access.rb

@@ -2,7 +2,7 @@ module GDS
   module SSO
     class ApiAccess
       def self.api_call?(env)
-        /\ABearer / === env['HTTP_AUTHORIZATION'].to_s
+        env["HTTP_AUTHORIZATION"].to_s =~ /\ABearer /
       end
     end
   end

data/lib/gds-sso/bearer_token.rb

@@ -1,11 +1,12 @@
-require 'multi_json'
-require 'oauth2'
+require "multi_json"
+require "oauth2"
+require "gds-sso/version"
 
 module GDS
   module SSO
     module BearerToken
       def self.locate(token_string)
-        user_details = GDS::SSO::Config.cache.fetch(['api-user-cache', token_string], expires_in: 5.minutes) do
+        user_details = GDS::SSO::Config.cache.fetch(["api-user-cache", token_string], expires_in: 5.minutes) do
           access_token = OAuth2::AccessToken.new(oauth_client, token_string)
           response_body = access_token.get("/user.json?client_id=#{CGI.escape(GDS::SSO::Config.oauth_id)}").body
           omniauth_style_response(response_body)
@@ -20,12 +21,12 @@ module GDS
         @oauth_client ||= OAuth2::Client.new(
           GDS::SSO::Config.oauth_id,
           GDS::SSO::Config.oauth_secret,
-          :site => GDS::SSO::Config.oauth_root_url,
-          :connection_opts => {
-            :headers => {
-              :user_agent => "gds-sso/#{GDS::SSO::VERSION} (#{ENV['GOVUK_APP_NAME']})"
-            }
-          }
+          site: GDS::SSO::Config.oauth_root_url,
+          connection_opts: {
+            headers: {
+              user_agent: "gds-sso/#{GDS::SSO::VERSION} (#{ENV['GOVUK_APP_NAME']})",
+            },
+          }.merge(GDS::SSO::Config.connection_opts),
         )
       end
 
@@ -34,32 +35,32 @@ module GDS
       # structure. Here we're addressing signon directly so
       # we need to transform the response ourselves.
       def self.omniauth_style_response(response_body)
-        input = MultiJson.decode(response_body)['user']
+        input = MultiJson.decode(response_body)["user"]
 
         {
-          'uid' => input['uid'],
-          'info' => {
-            'email' => input['email'],
-            'name' => input['name']
+          "uid" => input["uid"],
+          "info" => {
+            "email" => input["email"],
+            "name" => input["name"],
+          },
+          "extra" => {
+            "user" => {
+              "permissions" => input["permissions"],
+              "organisation_slug" => input["organisation_slug"],
+              "organisation_content_id" => input["organisation_content_id"],
+            },
           },
-          'extra' => {
-            'user' => {
-              'permissions' => input['permissions'],
-              'organisation_slug' => input['organisation_slug'],
-              'organisation_content_id' => input['organisation_content_id'],
-            }
-          }
         }
       end
     end
 
     module MockBearerToken
-      def self.locate(token_string)
+      def self.locate(_token_string)
         dummy_api_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
         if dummy_api_user.nil?
           dummy_api_user = GDS::SSO::Config.user_klass.new
           dummy_api_user.email = "dummyapiuser@domain.com"
-          dummy_api_user.uid = "#{rand(10000)}"
+          dummy_api_user.uid = rand(10_000).to_s
           dummy_api_user.name = "Dummy API user created by gds-sso"
         end
 

data/lib/gds-sso/config.rb

@@ -1,8 +1,10 @@
-require 'active_support/cache/null_store'
+require "active_support/cache/null_store"
 
 module GDS
   module SSO
     module Config
+      # rubocop:disable Style/ClassVars
+
       # Name of the User class
       mattr_accessor :user_model
       @@user_model = "User"
@@ -27,8 +29,15 @@ module GDS
 
       mattr_accessor :additional_mock_permissions_required
 
+      mattr_accessor :connection_opts
+      @@connection_opts = {
+        request: {
+          open_timeout: 5,
+        },
+      }
+
       def self.permissions_for_dummy_api_user
-        ["signin"].push(*additional_mock_permissions_required)
+        %w[signin].push(*additional_mock_permissions_required)
       end
 
       def self.user_klass
@@ -50,6 +59,8 @@ module GDS
         default = config.respond_to?(:api_only) ? config.api_only : false
         @@api_only.nil? ? default : @@api_only
       end
+
+      # rubocop:enable Style/ClassVars
     end
   end
 end

data/lib/gds-sso/controller_methods.rb

@@ -19,7 +19,6 @@ module GDS
         end
       end
 
-
       def authorise_user!(permissions)
         # Ensure that we're authenticated (and by extension that current_user is set).
         # Otherwise current_user might be nil, and we'd error out
@@ -52,7 +51,7 @@ module GDS
       end
 
       def user_signed_in?
-        warden && warden.authenticated? && ! warden.user.remotely_signed_out?
+        warden && warden.authenticated? && !warden.user.remotely_signed_out?
       end
 
       def current_user
@@ -64,22 +63,22 @@ module GDS
       end
 
       def warden
-        request.env['warden']
+        request.env["warden"]
       end
 
-      private
+    private
 
       def authorise_user_with_at_least_one_of_permissions!(permissions)
         if permissions.none? { |permission| current_user.has_permission?(permission) }
           raise PermissionDeniedException,
-            "Sorry, you don't seem to have any of the permissions: #{permissions.to_sentence} for this app."
+                "Sorry, you don't seem to have any of the permissions: #{permissions.to_sentence} for this app."
         end
       end
 
       def authorise_user_with_all_permissions!(permissions)
         unless permissions.all? { |permission| current_user.has_permission?(permission) }
           raise PermissionDeniedException,
-            "Sorry, you don't seem to have all of the permissions: #{permissions.to_sentence} for this app."
+                "Sorry, you don't seem to have all of the permissions: #{permissions.to_sentence} for this app."
         end
       end
     end

data/lib/gds-sso/failure_app.rb

@@ -1,5 +1,5 @@
 require "action_controller/metal"
-require 'rails'
+require "rails"
 
 # Failure application that will be called every time :warden is thrown from
 # any strategy or hook.
@@ -27,15 +27,15 @@ module GDS
 
       def redirect
         store_location!
-        redirect_to '/auth/gds'
+        redirect_to "/auth/gds"
       end
 
       def api_invalid_token
-        api_unauthorized('Bearer token does not appear to be valid', 'invalid_token')
+        api_unauthorized("Bearer token does not appear to be valid", "invalid_token")
       end
 
       def api_missing_token
-        api_unauthorized('No bearer token was provided', 'invalid_request')
+        api_unauthorized("No bearer token was provided", "invalid_request")
       end
 
       # Stores requested uri to redirect the user after signing in. We cannot use
@@ -45,13 +45,13 @@ module GDS
 
       # TOTALLY NOT DOING THE SCOPE THING. PROBABLY SHOULD.
       def store_location!
-        session["return_to"] = request.env['warden.options'][:attempted_path] if request.get?
+        session["return_to"] = request.env["warden.options"][:attempted_path] if request.get?
       end
 
-      private
+    private
 
       def api_unauthorized(message, bearer_error)
-        headers['WWW-Authenticate'] = %(Bearer error="#{bearer_error}")
+        headers["WWW-Authenticate"] = %(Bearer error="#{bearer_error}")
         render json: { message: message }, status: :unauthorized
       end
     end

data/lib/gds-sso/lint/user_spec.rb

@@ -1,10 +1,10 @@
 RSpec.shared_examples "a gds-sso user class" do
-  subject { described_class.new(:uid => '12345') }
+  subject { described_class.new(uid: "12345") }
 
   it "implements #where" do
     expect(described_class).to respond_to(:where)
 
-    result = described_class.where(uid: '123')
+    result = described_class.where(uid: "123")
     expect(result).to respond_to(:first)
   end
 
@@ -15,8 +15,8 @@ RSpec.shared_examples "a gds-sso user class" do
     expect(subject).to be_remotely_signed_out
   end
 
-  it "implements #update_attributes" do
-    subject.update_attributes(email: "ab@c.com")
+  it "implements #update!" do
+    subject.update!(email: "ab@c.com")
     expect(subject.email).to eq("ab@c.com")
   end
 
@@ -30,50 +30,49 @@ RSpec.shared_examples "a gds-sso user class" do
 
   describe "#has_all_permissions?" do
     it "is false when there are no permissions" do
-      subject.update_attributes(permissions: nil)
-      required_permissions = ["signin"]
+      subject.update!(permissions: nil)
+      required_permissions = %w[signin]
       expect(subject.has_all_permissions?(required_permissions)).to be_falsy
     end
 
     it "is false when it does not have all required permissions" do
-      subject.update_attributes(permissions: ["signin"])
-      required_permissions = ["signin", "not_granted_permission_one", "not_granted_permission_two"]
+      subject.update!(permissions: %w[signin])
+      required_permissions = %w[signin not_granted_permission_one not_granted_permission_two]
       expect(subject.has_all_permissions?(required_permissions)).to be false
     end
 
     it "is true when it has all required permissions" do
-      subject.update_attributes(permissions: ["signin", "internal_app"])
-      required_permissions = ["signin", "internal_app"]
+      subject.update!(permissions: %w[signin internal_app])
+      required_permissions = %w[signin internal_app]
       expect(subject.has_all_permissions?(required_permissions)).to be true
     end
-
   end
 
   specify "the User class and GDS::SSO::User mixin work together" do
     auth_hash = {
-      'uid' => '12345',
-      'info' => {
-        'name' => 'Joe Smith',
-        'email' => 'joe.smith@example.com',
+      "uid" => "12345",
+      "info" => {
+        "name" => "Joe Smith",
+        "email" => "joe.smith@example.com",
+      },
+      "extra" => {
+        "user" => {
+          "disabled" => false,
+          "permissions" => %w[signin],
+          "organisation_slug" => "cabinet-office",
+          "organisation_content_id" => "91e57ad9-29a3-4f94-9ab4-5e9ae6d13588",
+        },
       },
-      'extra' => {
-        'user' => {
-          'disabled' => false,
-          'permissions' => ['signin'],
-          'organisation_slug' => 'cabinet-office',
-          'organisation_content_id' => '91e57ad9-29a3-4f94-9ab4-5e9ae6d13588'
-        }
-      }
     }
 
     user = described_class.find_for_gds_oauth(auth_hash)
     expect(user).to be_an_instance_of(described_class)
-    expect(user.uid).to eq('12345')
+    expect(user.uid).to eq("12345")
     expect(user.name).to eq("Joe Smith")
-    expect(user.email).to eq('joe.smith@example.com')
+    expect(user.email).to eq("joe.smith@example.com")
     expect(user).not_to be_disabled
-    expect(user.permissions).to eq(['signin'])
-    expect(user.organisation_slug).to eq('cabinet-office')
-    expect(user.organisation_content_id).to eq('91e57ad9-29a3-4f94-9ab4-5e9ae6d13588')
+    expect(user.permissions).to eq(%w[signin])
+    expect(user.organisation_slug).to eq("cabinet-office")
+    expect(user.organisation_content_id).to eq("91e57ad9-29a3-4f94-9ab4-5e9ae6d13588")
   end
 end