gds-sso 14.1.1 → 15.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 654ea0b691b120d9bd29c356c2a6e924968115bd39e1d3caff88115dde73a6a6
-  data.tar.gz: '08202ba351cd39534a37ab23cc59d1d10a6588207073c5415d227e572d006022'
+  metadata.gz: d9939f8497b777014a8a39d2cf78cf00c70d9951c18d6e9fe6a64b74d5d8ad5a
+  data.tar.gz: 8d9d5ecedb3f70038be1708fd61e3306d8b6ea198dbb50e8b74245504f38aede
 SHA512:
-  metadata.gz: 224a12106ab6812e71eefcf067601da39c96e5e286748545e61998ec14f91e94e596ad0cea989066360cea61765e93be5282bf210d28767b217988529fbb2d8e
-  data.tar.gz: ab2285f0882d78fc99920c21b1ee1b4e631bdc0db170c589faa476bc485d9ca1ca06c2fb26b1fcd9eedd16a8b64a06d5cbfffcf17197bb6317d5726f487a9e4c
+  metadata.gz: 765326eafa7ccc1827c905c289a653bd0f6bfcd345f61b074b030d035e5b136281181ed157582163ffb328bc40183c252fbf0bfe97bec337a2bd22eb5a7ad8cf
+  data.tar.gz: 2a19bf5a37e1d4ac3aa3c98f6d653b3684baa30c5a898c9616a263e3f6a933aeec4379a1f366781e6962d7c11b3ceedc2e6d1504a12d20070a5fde53b7aa683d

data/README.md

@@ -14,55 +14,26 @@ Some of the applications that use this gem:
 
 ### Integration with a Rails 4+ app
 
-To use gds-sso you will need an oAuth client ID and secret for Signon or a compatible system.
-These can be provided by one of the team with admin access to Signon.
+- Include the gem in your Gemfile:
 
-Then include the gem in your Gemfile:
+  ```ruby
+  gem 'gds-sso', '<version>'
+  ```
 
-```ruby
-gem 'gds-sso', '<version>'
-```
-
-Create a `config/initializers/gds-sso.rb` that looks like:
-
-```ruby
-GDS::SSO.config do |config|
-  config.user_model   = 'User'
-
-  # set up ID and Secret in a way which doesn't require it to be checked in to source control...
-  config.oauth_id     = ENV['OAUTH_ID']
-  config.oauth_secret = ENV['OAUTH_SECRET']
+- Create a "users" table in the database: ([example migration with all the necessary fields](https://github.com/alphagov/content-publisher/blob/16c58a40745c1ea61ec241e5aeb702ae15238f98/db/migrate/20160622154200_create_users.rb))
 
-  # optional config for location of Signon
-  config.oauth_root_url = "http://localhost:3001"
-
-  # Pass in a caching adapter cache bearer token requests.
-  config.cache = Rails.cache
-end
-```
-
-The user model must include the `GDS::SSO::User` module.
-
-It should have the following fields:
-
-```ruby
-string   "name"
-string   "email"
-string   "uid"
-string   "organisation_slug"
-string   "organisation_content_id"
-array    "permissions"
-boolean  "remotely_signed_out", :default => false
-boolean  "disabled", :default => false
-```
+- Create a User model with the following:
 
-You also need to include `GDS::SSO::ControllerMethods` in your ApplicationController.
+  ```ruby
+  serialize :permissions, Array
+  ```
 
-For ActiveRecord, you probably want to declare permissions as "serialized" like this:
+- Add to your `ApplicationController`:
 
-```ruby
-serialize :permissions, Array
-```
+  ```ruby
+  include GDS::SSO::ControllerMethods
+  before_action :authenticate_user!
+  ```
 
 ### Securing your application
 
@@ -113,22 +84,11 @@ as an [API user](https://signon.publishing.service.gov.uk/api_users).
 To authorise with a bearer token, a request has to be made with the header:
 
 ```
+# See https://github.com/alphagov/gds-api-adapters/blob/41e9cbf12bec738489340bd9dc63d62427ee3fe7/lib/gds_api/json_client.rb#L122
 Authorization: Bearer your-token-here
 ```
 
-This gem will then authenticate the token with the Signon application. If
-valid, the API client will be authorised in the same way as a single-sign-on
-user. The [gds-api-adapters gem](https://github.com/alphagov/gds-api-adapters#app-level-authentication)
-has functionality for sending the bearer token for each request. To avoid making
-these requests for each incoming request, specify a caching adapter like `Rails.cache`:
-
-```ruby
-GDS::SSO.config do |config|
-  # ...
-  # Pass in a caching adapter cache bearer token requests.
-  config.cache = Rails.cache
-end
-```
+To avoid making these requests for each incoming request, this gem will [automatically cache a successful response](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/bearer_token.rb), using the [Rails cache](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/railtie.rb).
 
 If you are using a Rails 5 app in
 [api_only](http://guides.rubyonrails.org/api_app.html) mode this gem will
@@ -143,6 +103,13 @@ GDS::SSO.config do |config|
 end
 ```
 
+### Use in production mode
+
+To use gds-sso in production you will need to setup the following environment variables, which we look for in [the config](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/config.rb). You will need to have admin access to Signon to get these.
+
+- OAUTH_ID
+- OAUTH_SECRET
+
 ### Use in development mode
 
 In development, you generally want to be able to run an application without needing to run your own SSO server to be running as well. GDS-SSO facilitates this by using a 'mock' mode in development. Mock mode loads an arbitrary user from the local application's user tables:

data/Rakefile

@@ -1,19 +1,24 @@
-require 'bundler/setup'
-require 'bundler/gem_tasks'
+require "bundler/setup"
+require "bundler/gem_tasks"
 
 Bundler::GemHelper.install_tasks
 
-require 'rspec/core/rake_task'
+require "rspec/core/rake_task"
 desc "Run all specs"
 RSpec::Core::RakeTask.new(:spec) do |task|
-  task.pattern = 'spec/**/*_spec.rb'
+  task.pattern = "spec/**/*_spec.rb"
 end
 
 namespace :spec do
   desc "Run integration specs"
   RSpec::Core::RakeTask.new(:integration) do |task|
-    task.pattern = 'spec/integration/**/*_spec.rb'
+    task.pattern = "spec/integration/**/*_spec.rb"
   end
 end
 
-task :default => ["spec"]
+desc "Lint Ruby"
+task :lint do
+  sh "bundle exec rubocop --format clang"
+end
+
+task default: %i[spec lint]

data/app/controllers/api/user_controller.rb

@@ -6,43 +6,45 @@ class Api::UserController < ActionController::Base
   before_action :require_user_update_permission
 
   def update
-    user_json = JSON.parse(request.body.read)['user']
+    user_json = JSON.parse(request.body.read)["user"]
     oauth_hash = build_gds_oauth_hash(user_json)
     GDS::SSO::Config.user_klass.find_for_gds_oauth(oauth_hash)
-    head :ok, content_type: 'text/plain'
+    head :ok, content_type: "text/plain"
   end
 
   def reauth
-    user = GDS::SSO::Config.user_klass.where(:uid => params[:uid]).first
+    user = GDS::SSO::Config.user_klass.where(uid: params[:uid]).first
     if user.nil? || user.set_remotely_signed_out!
-      head :ok, content_type: 'text/plain'
+      head :ok, content_type: "text/plain"
     else
-      head 500, content_type: 'text/plain'
+      head 500, content_type: "text/plain"
     end
   end
 
-  private
-    # This should mirror the object created by the omniauth-gds strategy/gem
-    # By doing this, we can reuse the code for creating/updating the user
-    def build_gds_oauth_hash(user_json)
-      OmniAuth::AuthHash.new(
-          uid: user_json['uid'],
-          provider: 'gds',
-          info: {
-            name: user_json['name'],
-            email: user_json['email']
-          },
-          extra: {
-            user: {
-              permissions: user_json['permissions'],
-              organisation_slug: user_json['organisation_slug'],
-              organisation_content_id: user_json['organisation_content_id'],
-              disabled: user_json['disabled'],
-            }
-          })
-    end
+private
 
-    def require_user_update_permission
-      authorise_user!("user_update_permission")
-    end
+  # This should mirror the object created by the omniauth-gds strategy/gem
+  # By doing this, we can reuse the code for creating/updating the user
+  def build_gds_oauth_hash(user_json)
+    OmniAuth::AuthHash.new(
+      uid: user_json["uid"],
+      provider: "gds",
+      info: {
+        name: user_json["name"],
+        email: user_json["email"],
+      },
+      extra: {
+        user: {
+          permissions: user_json["permissions"],
+          organisation_slug: user_json["organisation_slug"],
+          organisation_content_id: user_json["organisation_content_id"],
+          disabled: user_json["disabled"],
+        },
+      },
+    )
+  end
+
+  def require_user_update_permission
+    authorise_user!("user_update_permission")
+  end
 end

data/app/controllers/authentications_controller.rb

@@ -1,16 +1,14 @@
 class AuthenticationsController < ActionController::Base
   include GDS::SSO::ControllerMethods
 
-  before_action :authenticate_user!, :only => :callback
+  before_action :authenticate_user!, only: :callback
   layout false
 
   def callback
-    redirect_to session["return_to"] || '/'
+    redirect_to session["return_to"] || "/"
   end
 
-  def failure
-
-  end
+  def failure; end
 
   def sign_out
     logout

data/app/views/layouts/unauthorised.html.erb

@@ -7,7 +7,7 @@
       <%= yield %>
     </div>
     <div id="footer" class="cf">
-      &copy; <%= Date.today.year %> <a href="http://digital.cabinetoffice.gov.uk/"><abbr title="Government Digital Service">GDS</abbr></a>.
+      &copy; <%= Date.today.year %> <a href="https://www.gov.uk/government/organisations/government-digital-service">Government Digital Service</a>
     </div>
   </body>
 </html>

data/config/routes.rb

@@ -1,8 +1,9 @@
 Rails.application.routes.draw do
-  next if GDS::SSO::Config.api_only?
-  get '/auth/gds/callback',               to: 'authentications#callback', as: :gds_sign_in
-  get '/auth/gds/sign_out',               to: 'authentications#sign_out', as: :gds_sign_out
-  get  '/auth/failure',                   to: 'authentications#failure',  as: :auth_failure
-  put  '/auth/gds/api/users/:uid',        to: "api/user#update"
-  post '/auth/gds/api/users/:uid/reauth', to: "api/user#reauth"
+  next if GDS::SSO::Config.api_only
+
+  get "/auth/gds/callback",               to: "authentications#callback", as: :gds_sign_in
+  get "/auth/gds/sign_out",               to: "authentications#sign_out", as: :gds_sign_out
+  get  "/auth/failure",                   to: "authentications#failure",  as: :auth_failure
+  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
+  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
 end

data/lib/gds-sso.rb

@@ -1,16 +1,19 @@
-require 'rails'
+require "rails"
 
-require 'gds-sso/config'
-require 'gds-sso/warden_config'
-require 'omniauth'
-require 'omniauth-gds'
+require "gds-sso/config"
+require "gds-sso/version"
+require "gds-sso/warden_config"
+require "omniauth"
+require "omniauth-gds"
+
+require "gds-sso/railtie" if defined?(Rails)
 
 module GDS
   module SSO
-    autoload :FailureApp,        'gds-sso/failure_app'
-    autoload :ControllerMethods, 'gds-sso/controller_methods'
-    autoload :User,              'gds-sso/user'
-    autoload :ApiAccess,         'gds-sso/api_access'
+    autoload :FailureApp,        "gds-sso/failure_app"
+    autoload :ControllerMethods, "gds-sso/controller_methods"
+    autoload :User,              "gds-sso/user"
+    autoload :ApiAccess,         "gds-sso/api_access"
 
     # User to return as logged in during tests
     mattr_accessor :test_user
@@ -22,24 +25,30 @@ module GDS
     class Engine < ::Rails::Engine
       # Force routes to be loaded if we are doing any eager load.
       # TODO - check this one - Stolen from Devise because it looked sensible...
-      config.before_eager_load { |app| app.reload_routes! }
+      config.before_eager_load(&:reload_routes!)
 
       config.app_middleware.use ::OmniAuth::Builder do
-        next if GDS::SSO::Config.api_only?
+        next if GDS::SSO::Config.api_only
+
         provider :gds, GDS::SSO::Config.oauth_id, GDS::SSO::Config.oauth_secret,
-          client_options: {
-            site: GDS::SSO::Config.oauth_root_url,
-            authorize_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/authorize",
-            token_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token",
-          }
+                 client_options: {
+                   site: GDS::SSO::Config.oauth_root_url,
+                   authorize_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/authorize",
+                   token_url: "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token",
+                   connection_opts: {
+                     headers: {
+                       user_agent: "gds-sso/#{GDS::SSO::VERSION} (#{ENV['GOVUK_APP_NAME']})",
+                     },
+                   },
+                 }
       end
 
       def self.default_strategies
-        Config.use_mock_strategies? ? [:mock_gds_sso, :gds_bearer_token] : [:gds_sso, :gds_bearer_token]
+        Config.use_mock_strategies? ? %i[mock_gds_sso gds_bearer_token] : %i[gds_sso gds_bearer_token]
       end
 
       config.app_middleware.use Warden::Manager do |config|
-        config.default_strategies *self.default_strategies
+        config.default_strategies(*default_strategies)
         config.failure_app = GDS::SSO::FailureApp
       end
     end

data/lib/gds-sso/api_access.rb

@@ -2,7 +2,7 @@ module GDS
   module SSO
     class ApiAccess
       def self.api_call?(env)
-        /\ABearer / === env['HTTP_AUTHORIZATION'].to_s
+        env["HTTP_AUTHORIZATION"].to_s =~ /\ABearer /
       end
     end
   end

data/lib/gds-sso/bearer_token.rb

@@ -1,12 +1,12 @@
-require 'multi_json'
-require 'oauth2'
-require 'gds-sso/version'
+require "multi_json"
+require "oauth2"
+require "gds-sso/version"
 
 module GDS
   module SSO
     module BearerToken
       def self.locate(token_string)
-        user_details = GDS::SSO::Config.cache.fetch(['api-user-cache', token_string], expires_in: 5.minutes) do
+        user_details = GDS::SSO::Config.cache.fetch(["api-user-cache", token_string], expires_in: 5.minutes) do
           access_token = OAuth2::AccessToken.new(oauth_client, token_string)
           response_body = access_token.get("/user.json?client_id=#{CGI.escape(GDS::SSO::Config.oauth_id)}").body
           omniauth_style_response(response_body)
@@ -21,12 +21,12 @@ module GDS
         @oauth_client ||= OAuth2::Client.new(
           GDS::SSO::Config.oauth_id,
           GDS::SSO::Config.oauth_secret,
-          :site => GDS::SSO::Config.oauth_root_url,
-          :connection_opts => {
-            :headers => {
-              :user_agent => "gds-sso/#{GDS::SSO::VERSION} (#{ENV['GOVUK_APP_NAME']})"
-            }
-          }
+          site: GDS::SSO::Config.oauth_root_url,
+          connection_opts: {
+            headers: {
+              user_agent: "gds-sso/#{GDS::SSO::VERSION} (#{ENV['GOVUK_APP_NAME']})",
+            },
+          }.merge(GDS::SSO::Config.connection_opts),
         )
       end
 
@@ -35,32 +35,32 @@ module GDS
       # structure. Here we're addressing signon directly so
       # we need to transform the response ourselves.
       def self.omniauth_style_response(response_body)
-        input = MultiJson.decode(response_body)['user']
+        input = MultiJson.decode(response_body)["user"]
 
         {
-          'uid' => input['uid'],
-          'info' => {
-            'email' => input['email'],
-            'name' => input['name']
+          "uid" => input["uid"],
+          "info" => {
+            "email" => input["email"],
+            "name" => input["name"],
+          },
+          "extra" => {
+            "user" => {
+              "permissions" => input["permissions"],
+              "organisation_slug" => input["organisation_slug"],
+              "organisation_content_id" => input["organisation_content_id"],
+            },
           },
-          'extra' => {
-            'user' => {
-              'permissions' => input['permissions'],
-              'organisation_slug' => input['organisation_slug'],
-              'organisation_content_id' => input['organisation_content_id'],
-            }
-          }
         }
       end
     end
 
     module MockBearerToken
-      def self.locate(token_string)
+      def self.locate(_token_string)
         dummy_api_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
         if dummy_api_user.nil?
           dummy_api_user = GDS::SSO::Config.user_klass.new
           dummy_api_user.email = "dummyapiuser@domain.com"
-          dummy_api_user.uid = "#{rand(10000)}"
+          dummy_api_user.uid = rand(10_000).to_s
           dummy_api_user.name = "Dummy API user created by gds-sso"
         end
 

data/lib/gds-sso/config.rb

@@ -1,21 +1,26 @@
-require 'active_support/cache/null_store'
+require "active_support/cache/null_store"
+require "plek"
 
 module GDS
   module SSO
     module Config
+      # rubocop:disable Style/ClassVars
+
       # Name of the User class
       mattr_accessor :user_model
       @@user_model = "User"
 
       # OAuth ID
       mattr_accessor :oauth_id
+      @@oauth_id = ENV.fetch("OAUTH_ID", "test-oauth-id")
 
       # OAuth Secret
       mattr_accessor :oauth_secret
+      @@oauth_secret = ENV.fetch("OAUTH_SECRET", "test-oauth-secret")
 
       # Location of the OAuth server
       mattr_accessor :oauth_root_url
-      @@oauth_root_url = "http://localhost:3001"
+      @@oauth_root_url = Plek.new.external_url_for("signon")
 
       mattr_accessor :auth_valid_for
       @@auth_valid_for = 20 * 3600
@@ -23,12 +28,19 @@ module GDS
       mattr_accessor :cache
       @@cache = ActiveSupport::Cache::NullStore.new
 
-      mattr_writer :api_only
+      mattr_accessor :api_only
 
       mattr_accessor :additional_mock_permissions_required
 
+      mattr_accessor :connection_opts
+      @@connection_opts = {
+        request: {
+          open_timeout: 5,
+        },
+      }
+
       def self.permissions_for_dummy_api_user
-        ["signin"].push(*additional_mock_permissions_required)
+        %w[signin].push(*additional_mock_permissions_required)
       end
 
       def self.user_klass
@@ -45,11 +57,7 @@ module GDS
         ENV.fetch("GDS_SSO_STRATEGY", default_strategy) == "mock"
       end
 
-      def self.api_only?
-        config = Rails.configuration
-        default = config.respond_to?(:api_only) ? config.api_only : false
-        @@api_only.nil? ? default : @@api_only
-      end
+      # rubocop:enable Style/ClassVars
     end
   end
 end