gds-sso 15.0.0 → 15.0.1

data/lib/gds-sso/lint/user_test.rb

@@ -17,58 +17,58 @@ module GDS
       #
       class UserTest < ActiveSupport::TestCase
         def user_class
-          raise 'Reopen `GDS::SSO::Lint::UserTest` and add `#user_class` to return the class including `GDS::SSO::User`'
+          raise "Reopen `GDS::SSO::Lint::UserTest` and add `#user_class` to return the class including `GDS::SSO::User`"
         end
 
         setup do
-          @lint_user = user_class.new(uid: '12345')
+          @lint_user = user_class.new(uid: "12345")
         end
 
-        test 'implement #where' do
-          result = user_class.where(uid: '123')
+        test "implement #where" do
+          result = user_class.where(uid: "123")
           assert result.respond_to?(:first)
         end
 
-        test 'implement #update_attribute' do
+        test "implement #update_attribute" do
           @lint_user.update_attribute(:remotely_signed_out, true)
           assert @lint_user.remotely_signed_out?
         end
 
-        test 'implement #update!' do
-          @lint_user.update!(email: 'test@example.com')
-          assert_equal @lint_user.email, 'test@example.com'
+        test "implement #update!" do
+          @lint_user.update!(email: "test@example.com")
+          assert_equal @lint_user.email, "test@example.com"
         end
 
-        test 'implement #create!' do
+        test "implement #create!" do
           assert user_class.respond_to?(:create!)
         end
 
-        test 'verify the User class and GDS::SSO::User work together' do
+        test "verify the User class and GDS::SSO::User work together" do
           auth_hash = {
-            'uid' => '12345',
-            'info' => {
-              'name' => 'Joe Smith',
-              'email' => 'joe.smith@example.com',
+            "uid" => "12345",
+            "info" => {
+              "name" => "Joe Smith",
+              "email" => "joe.smith@example.com",
+            },
+            "extra" => {
+              "user" => {
+                "disabled" => false,
+                "permissions" => %w[signin],
+                "organisation_slug" => "cabinet-office",
+                "organisation_content_id" => "91e57ad9-29a3-4f94-9ab4-5e9ae6d13588",
+              },
             },
-            'extra' => {
-              'user' => {
-                'disabled' => false,
-                'permissions' => ['signin'],
-                'organisation_slug' => 'cabinet-office',
-                'organisation_content_id' => '91e57ad9-29a3-4f94-9ab4-5e9ae6d13588',
-              }
-            }
           }
 
           user = user_class.find_for_gds_oauth(auth_hash)
           assert_equal user_class, user.class
-          assert_equal '12345', user.uid
-          assert_equal 'Joe Smith', user.name
-          assert_equal 'joe.smith@example.com', user.email
+          assert_equal "12345", user.uid
+          assert_equal "Joe Smith", user.name
+          assert_equal "joe.smith@example.com", user.email
           assert_equal false, user.disabled
-          assert_equal ['signin'], user.permissions
-          assert_equal 'cabinet-office', user.organisation_slug
-          assert_equal '91e57ad9-29a3-4f94-9ab4-5e9ae6d13588', user.organisation_content_id
+          assert_equal %w[signin], user.permissions
+          assert_equal "cabinet-office", user.organisation_slug
+          assert_equal "91e57ad9-29a3-4f94-9ab4-5e9ae6d13588", user.organisation_content_id
         end
       end
     end

data/lib/gds-sso/user.rb

@@ -1,4 +1,4 @@
-require 'active_support/concern'
+require "active_support/concern"
 
 module GDS
   module SSO
@@ -21,29 +21,29 @@ module GDS
 
       def self.user_params_from_auth_hash(auth_hash)
         {
-          'uid' => auth_hash['uid'],
-          'email' => auth_hash['info']['email'],
-          'name' => auth_hash['info']['name'],
-          'permissions' => auth_hash['extra']['user']['permissions'],
-          'organisation_slug' => auth_hash['extra']['user']['organisation_slug'],
-          'organisation_content_id' => auth_hash['extra']['user']['organisation_content_id'],
-          'disabled' => auth_hash['extra']['user']['disabled'],
+          "uid" => auth_hash["uid"],
+          "email" => auth_hash["info"]["email"],
+          "name" => auth_hash["info"]["name"],
+          "permissions" => auth_hash["extra"]["user"]["permissions"],
+          "organisation_slug" => auth_hash["extra"]["user"]["organisation_slug"],
+          "organisation_content_id" => auth_hash["extra"]["user"]["organisation_content_id"],
+          "disabled" => auth_hash["extra"]["user"]["disabled"],
         }
       end
 
       def clear_remotely_signed_out!
-        self.update_attribute(:remotely_signed_out, false)
+        update_attribute(:remotely_signed_out, false)
       end
 
       def set_remotely_signed_out!
-        self.update_attribute(:remotely_signed_out, true)
+        update_attribute(:remotely_signed_out, true)
       end
 
       module ClassMethods
         def find_for_gds_oauth(auth_hash)
           user_params = GDS::SSO::User.user_params_from_auth_hash(auth_hash.to_hash)
-          user = self.where(:uid => user_params['uid']).first ||
-                 self.where(:email => user_params['email']).first
+          user = where(uid: user_params["uid"]).first ||
+            where(email: user_params["email"]).first
 
           if user
             user.update!(user_params)

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "15.0.0"
+    VERSION = "15.0.1".freeze
   end
 end

data/lib/gds-sso/warden_config.rb

@@ -1,63 +1,55 @@
-require 'warden'
-require 'warden-oauth2'
-require 'gds-sso/bearer_token'
+require "warden"
+require "warden-oauth2"
+require "gds-sso/bearer_token"
 
 def logger
-  if Rails.logger # if we are actually running in a rails app
-    Rails.logger
-  else
-    env['rack.logger']
-  end
+  Rails.logger || env["rack.logger"]
 end
 
-Warden::Manager.after_authentication do |user, auth, opts|
+Warden::Manager.after_authentication do |user, _auth, _opts|
   # We've successfully signed in.
   # If they were remotely signed out, clear the flag as they're no longer suspended
   user.clear_remotely_signed_out!
 end
 
 Warden::Manager.serialize_into_session do |user|
-  if user.respond_to?(:uid) and user.uid
+  if user.respond_to?(:uid) && user.uid
     [user.uid, Time.now.utc.iso8601]
-  else
-    nil
   end
 end
 
 Warden::Manager.serialize_from_session do |(uid, auth_timestamp)|
   # This will reject old sessions that don't have a previous login timestamp
   if auth_timestamp.is_a?(String)
-    auth_timestamp = begin
-      Time.parse(auth_timestamp)
+    begin
+      auth_timestamp = Time.parse(auth_timestamp)
     rescue ArgumentError
-      nil
+      auth_timestamp = nil
     end
   end
 
-  if auth_timestamp and (auth_timestamp + GDS::SSO::Config.auth_valid_for) > Time.now.utc
-    GDS::SSO::Config.user_klass.where(:uid => uid, :remotely_signed_out => false).first
-  else
-    nil
+  if auth_timestamp && ((auth_timestamp + GDS::SSO::Config.auth_valid_for) > Time.now.utc)
+    GDS::SSO::Config.user_klass.where(uid: uid, remotely_signed_out: false).first
   end
 end
 
 Warden::Strategies.add(:gds_sso) do
   def valid?
-    ! ::GDS::SSO::ApiAccess.api_call?(env)
+    !::GDS::SSO::ApiAccess.api_call?(env)
   end
 
   def authenticate!
     logger.debug("Authenticating with gds_sso strategy")
 
-    if request.env['omniauth.auth'].nil?
+    if request.env["omniauth.auth"].nil?
       fail!("No credentials, bub")
     else
-      user = prep_user(request.env['omniauth.auth'])
+      user = prep_user(request.env["omniauth.auth"])
       success!(user)
     end
   end
 
-  private
+private
 
   def prep_user(auth_hash)
     user = GDS::SSO::Config.user_klass.find_for_gds_oauth(auth_hash)
@@ -73,27 +65,25 @@ Warden::Strategies.add(:gds_bearer_token, Warden::OAuth2::Strategies::Bearer)
 
 Warden::Strategies.add(:mock_gds_sso) do
   def valid?
-    ! ::GDS::SSO::ApiAccess.api_call?(env)
+    !::GDS::SSO::ApiAccess.api_call?(env)
   end
 
   def authenticate!
     logger.warn("Authenticating with mock_gds_sso strategy")
 
     test_user = GDS::SSO.test_user
-    test_user ||= ENV['GDS_SSO_MOCK_INVALID'].present? ? nil : GDS::SSO::Config.user_klass.first
+    test_user ||= ENV["GDS_SSO_MOCK_INVALID"].present? ? nil : GDS::SSO::Config.user_klass.first
     if test_user
       # Brute force ensure test user has correct perms to signin
-      if ! test_user.has_permission?("signin")
+      unless test_user.has_permission?("signin")
         permissions = test_user.permissions || []
         test_user.update_attribute(:permissions, permissions << "signin")
       end
       success!(test_user)
+    elsif Rails.env.test? && ENV["GDS_SSO_MOCK_INVALID"].present?
+      fail!(:invalid)
     else
-      if Rails.env.test? && ENV['GDS_SSO_MOCK_INVALID'].present?
-        fail!(:invalid)
-      else
-        raise "GDS-SSO running in mock mode and no test user found. Normally we'd load the first user in the database. Create a user in the database."
-      end
+      raise "GDS-SSO running in mock mode and no test user found. Normally we'd load the first user in the database. Create a user in the database."
     end
   end
 end

data/spec/controller/api_user_controller_spec.rb

@@ -10,24 +10,25 @@ def user_update_json
       "organisation_slug" => "justice-league",
       "organisation_content_id" => "aae1319e-5788-4677-998c-f1a53af528d0",
       "disabled" => false,
-    }
+    },
   }.to_json
 end
 
 describe Api::UserController, type: :controller do
-
   before :each do
     user_to_update_attrs = [{
-          :uid => "a1s2d3#{rand(10000)}",
-          :email => "old@domain.com",
-          :name => "Moshua Jarshall",
-          :permissions => ["signin"] }]
-
-     signon_sso_push_user_attrs = [{
-          :uid => "a1s2d3#{rand(10000)}",
-          :email => "ssopushuser@legit.com",
-          :name => "SSO Push user",
-          :permissions => ["signin", "user_update_permission"] }]
+      uid: "a1s2d3#{rand(10_000)}",
+      email: "old@domain.com",
+      name: "Moshua Jarshall",
+      permissions: %w[signin],
+    }]
+
+    signon_sso_push_user_attrs = [{
+      uid: "a1s2d3#{rand(10_000)}",
+      email: "ssopushuser@legit.com",
+      name: "SSO Push user",
+      permissions: %w[signin user_update_permission],
+    }]
 
     @user_to_update = User.create!(*user_to_update_attrs)
     @signon_sso_push_user = User.create!(*signon_sso_push_user_attrs)
@@ -36,13 +37,14 @@ describe Api::UserController, type: :controller do
   describe "PUT update" do
     it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
       malicious_user = User.new({
-          :uid => '2',
-          :name => "User",
-          :permissions =>["signin"] })
+        uid: "2",
+        name: "User",
+        permissions: %w[signin],
+      })
 
-      request.env['warden'] = double("stub warden", :authenticate! => true, authenticated?: true, user: malicious_user)
+      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
 
-      request.env['RAW_POST_DATA'] = user_update_json
+      request.env["RAW_POST_DATA"] = user_update_json
       put :update, body: user_update_json, params: { uid: @user_to_update.uid }
 
       expect(response.status).to eq(403)
@@ -50,12 +52,12 @@ describe Api::UserController, type: :controller do
 
     it "should create/update the user record in the same way as the OAuth callback" do
       # Test that it authenticates
-      request.env['warden'] = double("mock warden")
-      expect(request.env['warden']).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env['warden']).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env['warden']).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
+      request.env["warden"] = double("mock warden")
+      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
+      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
+      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
 
-      request.env['RAW_POST_DATA'] = user_update_json
+      request.env["RAW_POST_DATA"] = user_update_json
       put :update, body: user_update_json, params: { uid: @user_to_update.uid }
 
       @user_to_update.reload
@@ -64,18 +66,19 @@ describe Api::UserController, type: :controller do
       expect(@user_to_update.permissions).to eq(["signin", "new permission"])
       expect(@user_to_update.organisation_slug).to eq("justice-league")
       expect(@user_to_update.organisation_content_id).to eq("aae1319e-5788-4677-998c-f1a53af528d0")
-      expect(response.content_type).to eq('text/plain')
+      expect(response.content_type).to eq("text/plain")
     end
   end
 
   describe "POST reauth" do
     it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
       malicious_user = User.new({
-          :uid => '2',
-          :name => "User",
-          :permissions => ["signin"] })
+        uid: "2",
+        name: "User",
+        permissions: %w[signin],
+      })
 
-      request.env['warden'] = double("stub warden", :authenticate! => true, authenticated?: true, user: malicious_user)
+      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
 
       post :reauth, params: { uid: @user_to_update.uid }
 
@@ -83,29 +86,29 @@ describe Api::UserController, type: :controller do
     end
 
     it "should return success if user record doesn't exist" do
-      request.env['warden'] = double("mock warden")
-      expect(request.env['warden']).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env['warden']).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env['warden']).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
+      request.env["warden"] = double("mock warden")
+      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
+      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
+      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
 
       post :reauth, params: { uid: "nonexistent-user" }
 
       expect(response.status).to eq(200)
-      expect(response.content_type).to eq('text/plain')
+      expect(response.content_type).to eq("text/plain")
     end
 
     it "should set remotely_signed_out to true on the user" do
       # Test that it authenticates
-      request.env['warden'] = double("mock warden")
-      expect(request.env['warden']).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env['warden']).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env['warden']).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
+      request.env["warden"] = double("mock warden")
+      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
+      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
+      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
 
       post :reauth, params: { uid: @user_to_update.uid }
 
       @user_to_update.reload
       expect(@user_to_update).to be_remotely_signed_out
-      expect(response.content_type).to eq('text/plain')
+      expect(response.content_type).to eq("text/plain")
     end
   end
 end

data/spec/controller/controller_methods_spec.rb

@@ -1,6 +1,6 @@
-require 'spec_helper'
+require "spec_helper"
 
-RSpec.describe GDS::SSO::ControllerMethods, '#authorise_user!' do
+RSpec.describe GDS::SSO::ControllerMethods, "#authorise_user!" do
   class ControllerSpy < ApplicationController
     include GDS::SSO::ControllerMethods
 
@@ -18,54 +18,54 @@ RSpec.describe GDS::SSO::ControllerMethods, '#authorise_user!' do
   let(:current_user) { double }
   let(:expected_error) { GDS::SSO::ControllerMethods::PermissionDeniedException }
 
-  context 'with a single string permission argument' do
-    it 'permits users with the required permission' do
-      allow(current_user).to receive(:has_permission?).with('good').and_return(true)
+  context "with a single string permission argument" do
+    it "permits users with the required permission" do
+      allow(current_user).to receive(:has_permission?).with("good").and_return(true)
 
-      expect { ControllerSpy.new(current_user).authorise_user!('good') }.not_to raise_error
+      expect { ControllerSpy.new(current_user).authorise_user!("good") }.not_to raise_error
     end
 
-    it 'does not permit the users without the required permission' do
-      allow(current_user).to receive(:has_permission?).with('good').and_return(false)
+    it "does not permit the users without the required permission" do
+      allow(current_user).to receive(:has_permission?).with("good").and_return(false)
 
-      expect { ControllerSpy.new(current_user).authorise_user!('good') }.to raise_error(expected_error)
+      expect { ControllerSpy.new(current_user).authorise_user!("good") }.to raise_error(expected_error)
     end
   end
 
-  context 'with the `all_of` option' do
-    it 'permits users with all of the required permissions' do
-      allow(current_user).to receive(:has_permission?).with('good').and_return(true)
-      allow(current_user).to receive(:has_permission?).with('bad').and_return(true)
+  context "with the `all_of` option" do
+    it "permits users with all of the required permissions" do
+      allow(current_user).to receive(:has_permission?).with("good").and_return(true)
+      allow(current_user).to receive(:has_permission?).with("bad").and_return(true)
 
-      expect { ControllerSpy.new(current_user).authorise_user!(all_of: %w(good bad)) }.not_to raise_error
+      expect { ControllerSpy.new(current_user).authorise_user!(all_of: %w[good bad]) }.not_to raise_error
     end
 
-    it 'does not permit users without all of the required permissions' do
-      allow(current_user).to receive(:has_permission?).with('good').and_return(false)
-      allow(current_user).to receive(:has_permission?).with('bad').and_return(true)
+    it "does not permit users without all of the required permissions" do
+      allow(current_user).to receive(:has_permission?).with("good").and_return(false)
+      allow(current_user).to receive(:has_permission?).with("bad").and_return(true)
 
-      expect { ControllerSpy.new(current_user).authorise_user!(all_of: %w(good bad)) }.to raise_error(expected_error)
+      expect { ControllerSpy.new(current_user).authorise_user!(all_of: %w[good bad]) }.to raise_error(expected_error)
     end
   end
 
-  context 'with the `any_of` option' do
-    it 'permits users with any of the required permissions' do
-      allow(current_user).to receive(:has_permission?).with('good').and_return(true)
-      allow(current_user).to receive(:has_permission?).with('bad').and_return(false)
+  context "with the `any_of` option" do
+    it "permits users with any of the required permissions" do
+      allow(current_user).to receive(:has_permission?).with("good").and_return(true)
+      allow(current_user).to receive(:has_permission?).with("bad").and_return(false)
 
-      expect { ControllerSpy.new(current_user).authorise_user!(any_of: %w(good bad)) }.not_to raise_error
+      expect { ControllerSpy.new(current_user).authorise_user!(any_of: %w[good bad]) }.not_to raise_error
     end
 
-    it 'does not permit users without any of the required permissions' do
+    it "does not permit users without any of the required permissions" do
       allow(current_user).to receive(:has_permission?).and_return(false)
 
-      expect { ControllerSpy.new(current_user).authorise_user!(any_of: %w(good bad)) }.to raise_error(expected_error)
+      expect { ControllerSpy.new(current_user).authorise_user!(any_of: %w[good bad]) }.to raise_error(expected_error)
     end
   end
 
-  context 'with none of `any_of` or `all_of`' do
-    it 'raises an `ArgumentError`' do
-      expect { ControllerSpy.new(current_user).authorise_user!(whoops: 'bad') }.to raise_error(ArgumentError)
+  context "with none of `any_of` or `all_of`" do
+    it "raises an `ArgumentError`" do
+      expect { ControllerSpy.new(current_user).authorise_user!(whoops: "bad") }.to raise_error(ArgumentError)
     end
   end
 end