gds-sso 15.0.0 → 16.0.2

data/lib/gds-sso/controller_methods.rb

@@ -6,20 +6,19 @@ module GDS
 
       def self.included(base)
         base.rescue_from PermissionDeniedException do |e|
-          if GDS::SSO::Config.api_only?
+          if GDS::SSO::Config.api_only
             render json: { message: e.message }, status: :forbidden
           else
             render "authorisations/unauthorised", layout: "unauthorised", status: :forbidden, locals: { message: e.message }
           end
         end
 
-        unless GDS::SSO::Config.api_only?
+        unless GDS::SSO::Config.api_only
           base.helper_method :user_signed_in?
           base.helper_method :current_user
         end
       end
 
-
       def authorise_user!(permissions)
         # Ensure that we're authenticated (and by extension that current_user is set).
         # Otherwise current_user might be nil, and we'd error out
@@ -52,7 +51,7 @@ module GDS
       end
 
       def user_signed_in?
-        warden && warden.authenticated? && ! warden.user.remotely_signed_out?
+        warden && warden.authenticated? && !warden.user.remotely_signed_out?
       end
 
       def current_user
@@ -64,22 +63,22 @@ module GDS
       end
 
       def warden
-        request.env['warden']
+        request.env["warden"]
       end
 
-      private
+    private
 
       def authorise_user_with_at_least_one_of_permissions!(permissions)
         if permissions.none? { |permission| current_user.has_permission?(permission) }
           raise PermissionDeniedException,
-            "Sorry, you don't seem to have any of the permissions: #{permissions.to_sentence} for this app."
+                "Sorry, you don't seem to have any of the permissions: #{permissions.to_sentence} for this app."
         end
       end
 
       def authorise_user_with_all_permissions!(permissions)
         unless permissions.all? { |permission| current_user.has_permission?(permission) }
           raise PermissionDeniedException,
-            "Sorry, you don't seem to have all of the permissions: #{permissions.to_sentence} for this app."
+                "Sorry, you don't seem to have all of the permissions: #{permissions.to_sentence} for this app."
         end
       end
     end

data/lib/gds-sso/failure_app.rb

@@ -1,5 +1,5 @@
 require "action_controller/metal"
-require 'rails'
+require "rails"
 
 # Failure application that will be called every time :warden is thrown from
 # any strategy or hook.
@@ -18,7 +18,7 @@ module GDS
       def self.call(env)
         if GDS::SSO::ApiAccess.api_call?(env)
           action(:api_invalid_token).call(env)
-        elsif GDS::SSO::Config.api_only?
+        elsif GDS::SSO::Config.api_only
           action(:api_missing_token).call(env)
         else
           action(:redirect).call(env)
@@ -27,15 +27,15 @@ module GDS
 
       def redirect
         store_location!
-        redirect_to '/auth/gds'
+        redirect_to "/auth/gds"
       end
 
       def api_invalid_token
-        api_unauthorized('Bearer token does not appear to be valid', 'invalid_token')
+        api_unauthorized("Bearer token does not appear to be valid", "invalid_token")
       end
 
       def api_missing_token
-        api_unauthorized('No bearer token was provided', 'invalid_request')
+        api_unauthorized("No bearer token was provided", "invalid_request")
       end
 
       # Stores requested uri to redirect the user after signing in. We cannot use
@@ -45,13 +45,13 @@ module GDS
 
       # TOTALLY NOT DOING THE SCOPE THING. PROBABLY SHOULD.
       def store_location!
-        session["return_to"] = request.env['warden.options'][:attempted_path] if request.get?
+        session["return_to"] = request.env["warden.options"][:attempted_path] if request.get?
       end
 
-      private
+    private
 
       def api_unauthorized(message, bearer_error)
-        headers['WWW-Authenticate'] = %(Bearer error="#{bearer_error}")
+        headers["WWW-Authenticate"] = %(Bearer error="#{bearer_error}")
         render json: { message: message }, status: :unauthorized
       end
     end

data/lib/gds-sso/lint/user_spec.rb

@@ -1,10 +1,10 @@
 RSpec.shared_examples "a gds-sso user class" do
-  subject { described_class.new(:uid => '12345') }
+  subject { described_class.new(uid: "12345") }
 
   it "implements #where" do
     expect(described_class).to respond_to(:where)
 
-    result = described_class.where(uid: '123')
+    result = described_class.where(uid: "123")
     expect(result).to respond_to(:first)
   end
 
@@ -31,49 +31,48 @@ RSpec.shared_examples "a gds-sso user class" do
   describe "#has_all_permissions?" do
     it "is false when there are no permissions" do
       subject.update!(permissions: nil)
-      required_permissions = ["signin"]
+      required_permissions = %w[signin]
       expect(subject.has_all_permissions?(required_permissions)).to be_falsy
     end
 
     it "is false when it does not have all required permissions" do
-      subject.update!(permissions: ["signin"])
-      required_permissions = ["signin", "not_granted_permission_one", "not_granted_permission_two"]
+      subject.update!(permissions: %w[signin])
+      required_permissions = %w[signin not_granted_permission_one not_granted_permission_two]
       expect(subject.has_all_permissions?(required_permissions)).to be false
     end
 
     it "is true when it has all required permissions" do
-      subject.update!(permissions: ["signin", "internal_app"])
-      required_permissions = ["signin", "internal_app"]
+      subject.update!(permissions: %w[signin internal_app])
+      required_permissions = %w[signin internal_app]
       expect(subject.has_all_permissions?(required_permissions)).to be true
     end
-
   end
 
   specify "the User class and GDS::SSO::User mixin work together" do
     auth_hash = {
-      'uid' => '12345',
-      'info' => {
-        'name' => 'Joe Smith',
-        'email' => 'joe.smith@example.com',
+      "uid" => "12345",
+      "info" => {
+        "name" => "Joe Smith",
+        "email" => "joe.smith@example.com",
+      },
+      "extra" => {
+        "user" => {
+          "disabled" => false,
+          "permissions" => %w[signin],
+          "organisation_slug" => "cabinet-office",
+          "organisation_content_id" => "91e57ad9-29a3-4f94-9ab4-5e9ae6d13588",
+        },
       },
-      'extra' => {
-        'user' => {
-          'disabled' => false,
-          'permissions' => ['signin'],
-          'organisation_slug' => 'cabinet-office',
-          'organisation_content_id' => '91e57ad9-29a3-4f94-9ab4-5e9ae6d13588'
-        }
-      }
     }
 
     user = described_class.find_for_gds_oauth(auth_hash)
     expect(user).to be_an_instance_of(described_class)
-    expect(user.uid).to eq('12345')
+    expect(user.uid).to eq("12345")
     expect(user.name).to eq("Joe Smith")
-    expect(user.email).to eq('joe.smith@example.com')
+    expect(user.email).to eq("joe.smith@example.com")
     expect(user).not_to be_disabled
-    expect(user.permissions).to eq(['signin'])
-    expect(user.organisation_slug).to eq('cabinet-office')
-    expect(user.organisation_content_id).to eq('91e57ad9-29a3-4f94-9ab4-5e9ae6d13588')
+    expect(user.permissions).to eq(%w[signin])
+    expect(user.organisation_slug).to eq("cabinet-office")
+    expect(user.organisation_content_id).to eq("91e57ad9-29a3-4f94-9ab4-5e9ae6d13588")
   end
 end

data/lib/gds-sso/lint/user_test.rb

@@ -17,58 +17,58 @@ module GDS
       #
       class UserTest < ActiveSupport::TestCase
         def user_class
-          raise 'Reopen `GDS::SSO::Lint::UserTest` and add `#user_class` to return the class including `GDS::SSO::User`'
+          raise "Reopen `GDS::SSO::Lint::UserTest` and add `#user_class` to return the class including `GDS::SSO::User`"
         end
 
         setup do
-          @lint_user = user_class.new(uid: '12345')
+          @lint_user = user_class.new(uid: "12345")
         end
 
-        test 'implement #where' do
-          result = user_class.where(uid: '123')
+        test "implement #where" do
+          result = user_class.where(uid: "123")
           assert result.respond_to?(:first)
         end
 
-        test 'implement #update_attribute' do
+        test "implement #update_attribute" do
           @lint_user.update_attribute(:remotely_signed_out, true)
           assert @lint_user.remotely_signed_out?
         end
 
-        test 'implement #update!' do
-          @lint_user.update!(email: 'test@example.com')
-          assert_equal @lint_user.email, 'test@example.com'
+        test "implement #update!" do
+          @lint_user.update!(email: "test@example.com")
+          assert_equal @lint_user.email, "test@example.com"
         end
 
-        test 'implement #create!' do
+        test "implement #create!" do
           assert user_class.respond_to?(:create!)
         end
 
-        test 'verify the User class and GDS::SSO::User work together' do
+        test "verify the User class and GDS::SSO::User work together" do
           auth_hash = {
-            'uid' => '12345',
-            'info' => {
-              'name' => 'Joe Smith',
-              'email' => 'joe.smith@example.com',
+            "uid" => "12345",
+            "info" => {
+              "name" => "Joe Smith",
+              "email" => "joe.smith@example.com",
+            },
+            "extra" => {
+              "user" => {
+                "disabled" => false,
+                "permissions" => %w[signin],
+                "organisation_slug" => "cabinet-office",
+                "organisation_content_id" => "91e57ad9-29a3-4f94-9ab4-5e9ae6d13588",
+              },
             },
-            'extra' => {
-              'user' => {
-                'disabled' => false,
-                'permissions' => ['signin'],
-                'organisation_slug' => 'cabinet-office',
-                'organisation_content_id' => '91e57ad9-29a3-4f94-9ab4-5e9ae6d13588',
-              }
-            }
           }
 
           user = user_class.find_for_gds_oauth(auth_hash)
           assert_equal user_class, user.class
-          assert_equal '12345', user.uid
-          assert_equal 'Joe Smith', user.name
-          assert_equal 'joe.smith@example.com', user.email
+          assert_equal "12345", user.uid
+          assert_equal "Joe Smith", user.name
+          assert_equal "joe.smith@example.com", user.email
           assert_equal false, user.disabled
-          assert_equal ['signin'], user.permissions
-          assert_equal 'cabinet-office', user.organisation_slug
-          assert_equal '91e57ad9-29a3-4f94-9ab4-5e9ae6d13588', user.organisation_content_id
+          assert_equal %w[signin], user.permissions
+          assert_equal "cabinet-office", user.organisation_slug
+          assert_equal "91e57ad9-29a3-4f94-9ab4-5e9ae6d13588", user.organisation_content_id
         end
       end
     end

data/lib/gds-sso/railtie.rb

@@ -0,0 +1,12 @@
+module GDS
+  module SSO
+    class Railtie < Rails::Railtie
+      initializer "gds-sso.initializer" do
+        GDS::SSO.config do |config|
+          config.cache = Rails.cache
+          config.api_only = Rails.configuration.api_only
+        end
+      end
+    end
+  end
+end

data/lib/gds-sso/user.rb

@@ -1,4 +1,4 @@
-require 'active_support/concern'
+require "active_support/concern"
 
 module GDS
   module SSO
@@ -21,29 +21,29 @@ module GDS
 
       def self.user_params_from_auth_hash(auth_hash)
         {
-          'uid' => auth_hash['uid'],
-          'email' => auth_hash['info']['email'],
-          'name' => auth_hash['info']['name'],
-          'permissions' => auth_hash['extra']['user']['permissions'],
-          'organisation_slug' => auth_hash['extra']['user']['organisation_slug'],
-          'organisation_content_id' => auth_hash['extra']['user']['organisation_content_id'],
-          'disabled' => auth_hash['extra']['user']['disabled'],
+          "uid" => auth_hash["uid"],
+          "email" => auth_hash["info"]["email"],
+          "name" => auth_hash["info"]["name"],
+          "permissions" => auth_hash["extra"]["user"]["permissions"],
+          "organisation_slug" => auth_hash["extra"]["user"]["organisation_slug"],
+          "organisation_content_id" => auth_hash["extra"]["user"]["organisation_content_id"],
+          "disabled" => auth_hash["extra"]["user"]["disabled"],
         }
       end
 
       def clear_remotely_signed_out!
-        self.update_attribute(:remotely_signed_out, false)
+        update_attribute(:remotely_signed_out, false)
       end
 
       def set_remotely_signed_out!
-        self.update_attribute(:remotely_signed_out, true)
+        update_attribute(:remotely_signed_out, true)
       end
 
       module ClassMethods
         def find_for_gds_oauth(auth_hash)
           user_params = GDS::SSO::User.user_params_from_auth_hash(auth_hash.to_hash)
-          user = self.where(:uid => user_params['uid']).first ||
-                 self.where(:email => user_params['email']).first
+          user = where(uid: user_params["uid"]).first ||
+            where(email: user_params["email"]).first
 
           if user
             user.update!(user_params)

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "15.0.0"
+    VERSION = "16.0.2".freeze
   end
 end

data/lib/gds-sso/warden_config.rb

@@ -1,63 +1,55 @@
-require 'warden'
-require 'warden-oauth2'
-require 'gds-sso/bearer_token'
+require "warden"
+require "warden-oauth2"
+require "gds-sso/bearer_token"
 
 def logger
-  if Rails.logger # if we are actually running in a rails app
-    Rails.logger
-  else
-    env['rack.logger']
-  end
+  Rails.logger || env["rack.logger"]
 end
 
-Warden::Manager.after_authentication do |user, auth, opts|
+Warden::Manager.after_authentication do |user, _auth, _opts|
   # We've successfully signed in.
   # If they were remotely signed out, clear the flag as they're no longer suspended
   user.clear_remotely_signed_out!
 end
 
 Warden::Manager.serialize_into_session do |user|
-  if user.respond_to?(:uid) and user.uid
+  if user.respond_to?(:uid) && user.uid
     [user.uid, Time.now.utc.iso8601]
-  else
-    nil
   end
 end
 
 Warden::Manager.serialize_from_session do |(uid, auth_timestamp)|
   # This will reject old sessions that don't have a previous login timestamp
   if auth_timestamp.is_a?(String)
-    auth_timestamp = begin
-      Time.parse(auth_timestamp)
+    begin
+      auth_timestamp = Time.parse(auth_timestamp)
     rescue ArgumentError
-      nil
+      auth_timestamp = nil
     end
   end
 
-  if auth_timestamp and (auth_timestamp + GDS::SSO::Config.auth_valid_for) > Time.now.utc
-    GDS::SSO::Config.user_klass.where(:uid => uid, :remotely_signed_out => false).first
-  else
-    nil
+  if auth_timestamp && ((auth_timestamp + GDS::SSO::Config.auth_valid_for) > Time.now.utc)
+    GDS::SSO::Config.user_klass.where(uid: uid, remotely_signed_out: false).first
   end
 end
 
 Warden::Strategies.add(:gds_sso) do
   def valid?
-    ! ::GDS::SSO::ApiAccess.api_call?(env)
+    !::GDS::SSO::ApiAccess.api_call?(env)
   end
 
   def authenticate!
     logger.debug("Authenticating with gds_sso strategy")
 
-    if request.env['omniauth.auth'].nil?
+    if request.env["omniauth.auth"].nil?
       fail!("No credentials, bub")
     else
-      user = prep_user(request.env['omniauth.auth'])
+      user = prep_user(request.env["omniauth.auth"])
       success!(user)
     end
   end
 
-  private
+private
 
   def prep_user(auth_hash)
     user = GDS::SSO::Config.user_klass.find_for_gds_oauth(auth_hash)
@@ -73,27 +65,25 @@ Warden::Strategies.add(:gds_bearer_token, Warden::OAuth2::Strategies::Bearer)
 
 Warden::Strategies.add(:mock_gds_sso) do
   def valid?
-    ! ::GDS::SSO::ApiAccess.api_call?(env)
+    !::GDS::SSO::ApiAccess.api_call?(env)
   end
 
   def authenticate!
     logger.warn("Authenticating with mock_gds_sso strategy")
 
     test_user = GDS::SSO.test_user
-    test_user ||= ENV['GDS_SSO_MOCK_INVALID'].present? ? nil : GDS::SSO::Config.user_klass.first
+    test_user ||= ENV["GDS_SSO_MOCK_INVALID"].present? ? nil : GDS::SSO::Config.user_klass.first
     if test_user
       # Brute force ensure test user has correct perms to signin
-      if ! test_user.has_permission?("signin")
+      unless test_user.has_permission?("signin")
         permissions = test_user.permissions || []
         test_user.update_attribute(:permissions, permissions << "signin")
       end
       success!(test_user)
+    elsif Rails.env.test? && ENV["GDS_SSO_MOCK_INVALID"].present?
+      fail!(:invalid)
     else
-      if Rails.env.test? && ENV['GDS_SSO_MOCK_INVALID'].present?
-        fail!(:invalid)
-      else
-        raise "GDS-SSO running in mock mode and no test user found. Normally we'd load the first user in the database. Create a user in the database."
-      end
+      raise "GDS-SSO running in mock mode and no test user found. Normally we'd load the first user in the database. Create a user in the database."
     end
   end
 end