gds-sso 15.0.0 → 16.0.2

data/spec/requests/end_to_end_spec.rb

@@ -1,5 +1,5 @@
-require 'spec_helper'
-require 'timecop'
+require "spec_helper"
+require "timecop"
 
 describe "Integration of client using GDS-SSO with signon" do
   include SignonIntegrationHelpers
@@ -11,7 +11,7 @@ describe "Integration of client using GDS-SSO with signon" do
   before :each do
     # points to an internal app, using combustion gem
     # see spec/internal
-    @client_host = 'www.example-client.com'
+    @client_host = "www.example-client.com"
     Capybara.current_driver = :mechanize
     Capybara::Mechanize.local_hosts << @client_host
 
@@ -20,96 +20,96 @@ describe "Integration of client using GDS-SSO with signon" do
 
   describe "Web client accesses" do
     before :each do
-      page.driver.header 'accept', 'text/html'
+      page.driver.header "accept", "text/html"
     end
 
     specify "a non-restricted page can be accessed without authentication" do
       visit "http://#{@client_host}/"
-      expect(page).to have_content('jabberwocky')
+      expect(page).to have_content("jabberwocky")
     end
 
     specify "first access to a restricted page requires authentication and application approval" do
       visit "http://#{@client_host}/restricted"
       expect(page).to have_content("Sign in")
-      fill_in "Email", :with => "test@example-client.com"
-      fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+      fill_in "Email", with: "test@example-client.com"
+      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
       click_on "Sign in"
 
-      expect(page).to have_content('restricted kablooie')
+      expect(page).to have_content("restricted kablooie")
     end
 
     specify "access to a restricted page for an approved application requires only authentication" do
       # First we login to authorise the app
       visit "http://#{@client_host}/restricted"
-      fill_in "Email", :with => "test@example-client.com"
-      fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+      fill_in "Email", with: "test@example-client.com"
+      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
       click_on "Sign in"
 
       # At this point the app should be authorised, we reset the session to simulate a new browser visit.
       reset_session!
-      page.driver.header 'accept', 'text/html'
+      page.driver.header "accept", "text/html"
 
       visit "http://#{@client_host}/restricted"
       expect(page).to have_content("Sign in")
 
-      fill_in "Email", :with => "test@example-client.com"
-      fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+      fill_in "Email", with: "test@example-client.com"
+      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
       click_on "Sign in"
 
-      expect(page).to have_content('restricted kablooie')
+      expect(page).to have_content("restricted kablooie")
     end
 
     specify "access to a page that requires signin permission granted" do
       # First we login to authorise the app
       visit "http://#{@client_host}/this_requires_signin_permission"
-      fill_in "Email", :with => "test@example-client.com"
-      fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+      fill_in "Email", with: "test@example-client.com"
+      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
       click_on "Sign in"
 
       # At this point the app should be authorised, we reset the session to simulate a new browser visit.
       reset_session!
-      page.driver.header 'accept', 'text/html'
+      page.driver.header "accept", "text/html"
 
       visit "http://#{@client_host}/this_requires_signin_permission"
       expect(page).to have_content("Sign in")
 
-      fill_in "Email", :with => "test@example-client.com"
-      fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+      fill_in "Email", with: "test@example-client.com"
+      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
       click_on "Sign in"
 
-      expect(page).to have_content('you have signin permission')
+      expect(page).to have_content("you have signin permission")
     end
 
     describe "remotely signed out" do
       specify "should prevent all access to the application until successful signin" do
         # First we login and authorise the app
         visit "http://#{@client_host}/restricted"
-        fill_in "Email", :with => "test@example-client.com"
-        fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+        fill_in "Email", with: "test@example-client.com"
+        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
         click_on "Sign in"
 
-        page.driver.header 'accept', 'text/html'
-        expect(page).to have_content('restricted kablooie')
+        page.driver.header "accept", "text/html"
+        expect(page).to have_content("restricted kablooie")
 
         # logout from signon
         visit "http://localhost:4567/users/sign_out"
 
         # Simulate a POST to /auth/gds/api/users/:uid/reauth by signon
         # This is already tested in api_user_controller_spec.rb
-        user = User.where(:email => "test@example-client.com").first
+        user = User.where(email: "test@example-client.com").first
         user.set_remotely_signed_out!
 
         # attempt to visit a restricted page
         visit "http://#{@client_host}/restricted"
 
         # be redirected to signon
-        expect(page).to have_content('GOV.UK Signon')
-        fill_in "Email", :with => "test@example-client.com"
-        fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+        expect(page).to have_content("GOV.UK Signon")
+        fill_in "Email", with: "test@example-client.com"
+        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
         click_on "Sign in"
 
         # then back again to the restricted page
-        expect(page).to have_content('restricted kablooie')
+        expect(page).to have_content("restricted kablooie")
       end
     end
 
@@ -117,11 +117,11 @@ describe "Integration of client using GDS-SSO with signon" do
       it "should force you to re-authenticate with signon N hours after login" do
         visit "http://#{@client_host}/restricted"
         expect(page).to have_content("Sign in")
-        fill_in "Email", :with => "test@example-client.com"
-        fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+        fill_in "Email", with: "test@example-client.com"
+        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
         click_on "Sign in"
 
-        expect(page).to have_content('restricted kablooie')
+        expect(page).to have_content("restricted kablooie")
 
         visit "http://localhost:4567/users/sign_out"
 
@@ -135,11 +135,11 @@ describe "Integration of client using GDS-SSO with signon" do
       it "should accept signon's remembered authentication N hours after login" do
         visit "http://#{@client_host}/restricted"
         expect(page).to have_content("Sign in")
-        fill_in "Email", :with => "test@example-client.com"
-        fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+        fill_in "Email", with: "test@example-client.com"
+        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
         click_on "Sign in"
 
-        expect(page).to have_content('restricted kablooie')
+        expect(page).to have_content("restricted kablooie")
 
         Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for + 5.minutes) do
           visit "http://#{@client_host}/restricted"
@@ -148,15 +148,14 @@ describe "Integration of client using GDS-SSO with signon" do
         expect(page).to have_content("restricted kablooie")
       end
 
-
       it "should not require re-authentication with signon fewer than N hours after login" do
         visit "http://#{@client_host}/restricted"
         expect(page).to have_content("Sign in")
-        fill_in "Email", :with => "test@example-client.com"
-        fill_in "Password", :with => "q1w2e3r4t5y6u7i8o9p0"
+        fill_in "Email", with: "test@example-client.com"
+        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
         click_on "Sign in"
 
-        expect(page).to have_content('restricted kablooie')
+        expect(page).to have_content("restricted kablooie")
 
         Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for - 5.minutes) do
           visit "http://#{@client_host}/restricted"
@@ -169,31 +168,31 @@ describe "Integration of client using GDS-SSO with signon" do
 
   describe "OAuth based API client accesses" do
     before :each do
-      page.driver.header 'accept', 'application/json'
+      page.driver.header "accept", "application/json"
       authorize_signon_api_user
 
       token = "caaeb53be5c7277fb0ef158181bfd1537b57f9e3b83eb795be3cd0af6e118b28"
-      page.driver.header 'authorization', "Bearer #{token}"
+      page.driver.header "authorization", "Bearer #{token}"
     end
 
     specify "access to a restricted page for an api client requires auth" do
-      page.driver.header 'authorization', 'Bearer Bad Token'
+      page.driver.header "authorization", "Bearer Bad Token"
       visit "http://#{@client_host}/restricted"
       expect(page.driver.response.status).to eq(401)
     end
 
     specify "setting a correct bearer token allows sign in" do
       visit "http://#{@client_host}/restricted"
-      expect(page).to have_content('restricted kablooie')
+      expect(page).to have_content("restricted kablooie")
     end
 
     specify "setting a correct bearer token picks up permissions" do
       visit "http://#{@client_host}/this_requires_signin_permission"
-      expect(page).to have_content('you have signin permission')
+      expect(page).to have_content("you have signin permission")
     end
 
     specify "a token for one app cannot be used to access a different app" do
-      page.driver.header 'authorization', "Bearer 98c72f4da02fdc43398e029d05567542944d2a9b0df3c20b0accd8bd6c5dc728"
+      page.driver.header "authorization", "Bearer 98c72f4da02fdc43398e029d05567542944d2a9b0df3c20b0accd8bd6c5dc728"
       visit "http://#{@client_host}/restricted"
       expect(page.driver.response.status).to eq(401)
     end

data/spec/spec_helper.rb

@@ -1,21 +1,19 @@
 # Yes, we really do want to turn off the test environment check here.
 # Bad things happen if we don't ;-)
-ENV['GDS_SSO_STRATEGY'] = 'real'
+ENV["GDS_SSO_STRATEGY"] = "real"
 
-require 'bundler/setup'
-require 'combustion'
-require 'capybara/rspec'
+require "bundler/setup"
+require "combustion"
+require "capybara/rspec"
 
 Combustion.initialize! :all
 
-require 'rspec/rails'
-require 'capybara/rails'
-require 'mechanize'
-require 'capybara/mechanize'
+require "rspec/rails"
+require "capybara/rails"
+require "mechanize"
+require "capybara/mechanize"
 
-include Warden::Test::Helpers
-
-Dir[File.join(File.dirname(__FILE__), "support/**/*.rb")].each {|f| require f}
+Dir[File.join(File.dirname(__FILE__), "support/**/*.rb")].sort.each { |f| require f }
 
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
@@ -25,7 +23,8 @@ RSpec.configure do |config|
   # order dependency and want to debug it, you can fix the order by providing
   # the seed, which is printed after each run.
   #     --seed 1234
-  config.order = 'random'
+  config.order = "random"
 
-  config.include(BackportControllerTestParams) if Rails.version < '5'
+  config.include(BackportControllerTestParams) if Rails.version < "5"
+  config.include(Warden::Test::Helpers)
 end

data/spec/support/controller_spy.rb

@@ -0,0 +1,14 @@
+class ControllerSpy < ApplicationController
+  include GDS::SSO::ControllerMethods
+  # rubocop:disable Lint/MissingSuper
+  def initialize(current_user)
+    @current_user = current_user
+  end
+  # rubocop:enable Lint/MissingSuper
+
+  def authenticate_user!
+    true
+  end
+
+  attr_reader :current_user
+end

data/spec/support/serializable_user.rb

@@ -0,0 +1,3 @@
+class SerializableUser
+  include GDS::SSO::User
+end

data/spec/support/signon_integration_helpers.rb

@@ -1,15 +1,16 @@
-require 'net/http'
+require "net/http"
 
 module SignonIntegrationHelpers
   def wait_for_signon_to_start
     retries = 0
     url = GDS::SSO::Config.oauth_root_url
     puts "Waiting for signon to start at #{url}"
-    while ! signon_started?(url)
-      print '.'
+    until signon_started?(url)
+      print "."
       if retries > 20
         raise "Signon is not running at #{url}. Please start with `./start_signon.sh`. Under jenkins this should happen automatically."
       end
+
       retries += 1
       sleep 1
     end
@@ -35,20 +36,21 @@ module SignonIntegrationHelpers
   end
 
   def load_signon_fixture(filename)
-    require 'erb'
-    parsed = ERB.new(File.read(signon_path + "/config/database.yml")).result
-    db = YAML.load(parsed)['test']
+    require "erb"
+    parsed = ERB.new(File.read("#{signon_path}/config/database.yml")).result
+    db = YAML.safe_load(parsed, aliases: true)["test"]
 
     cmd = "mysql #{db['database']} -u#{db['username']} -p#{db['password']} < #{fixture_file(filename)}"
     system cmd or raise "Error loading signon fixture"
   end
 
 private
+
   def fixture_file(filename)
-    File.join(File.dirname(__FILE__), '../fixtures/integration', filename)
+    File.join(File.dirname(__FILE__), "../fixtures/integration", filename)
   end
 
   def signon_path
-    Rails.root.join('..','..','tmp','signon').to_s
+    Rails.root.join("..", "..", "tmp", "signon").to_s
   end
 end

data/spec/support/test_user.rb

@@ -0,0 +1,29 @@
+class TestUser < OpenStruct
+  include GDS::SSO::User
+
+  def self.where(_opts)
+    []
+  end
+
+  def self.create!(options, _scope = {})
+    new(options)
+  end
+
+  def update_attribute(key, value)
+    send("#{key}=".to_sym, value)
+  end
+
+  def update!(options)
+    options.each do |key, value|
+      update_attribute(key, value)
+    end
+  end
+
+  def remotely_signed_out?
+    remotely_signed_out
+  end
+
+  def disabled?
+    disabled
+  end
+end

data/spec/support/timecop.rb

@@ -1,4 +1,4 @@
-require 'timecop'
+require "timecop"
 
 RSpec.configure do |config|
   config.after :each do

data/spec/unit/api_access_spec.rb

@@ -1,17 +1,17 @@
-require 'spec_helper'
-require 'gds-sso/api_access'
+require "spec_helper"
+require "gds-sso/api_access"
 
 describe GDS::SSO::ApiAccess do
   it "should not consider IE7 accept header as an api call" do
-    ie7_accept_header = 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ' +
-      'application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, ' +
-      'application/x-ms-application, */*'
-    expect(GDS::SSO::ApiAccess.api_call?('HTTP_ACCEPT' => ie7_accept_header)).to be_falsey
+    ie7_accept_header = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, " \
+      "application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, " \
+      "application/x-ms-application, */*"
+    expect(GDS::SSO::ApiAccess.api_call?("HTTP_ACCEPT" => ie7_accept_header)).to be_falsey
   end
 
   context "with a bearer token" do
     it "it is considered an api call" do
-      expect(GDS::SSO::ApiAccess.api_call?('HTTP_AUTHORIZATION' => 'Bearer deadbeef12345678')).to be_truthy
+      expect(GDS::SSO::ApiAccess.api_call?("HTTP_AUTHORIZATION" => "Bearer deadbeef12345678")).to be_truthy
     end
   end
 end

data/spec/unit/bearer_token_spec.rb

@@ -1,28 +1,27 @@
-require 'spec_helper'
-require 'gds-sso/bearer_token'
+require "spec_helper"
+require "gds-sso/bearer_token"
 
 describe GDS::SSO::BearerToken do
-  describe '.locate' do
-    it 'creates a new user for a token' do
+  describe ".locate" do
+    it "creates a new user for a token" do
       response = double(body: {
         user: {
-          uid: 'asd',
-          email: 'user@example.com',
-          name: 'A Name',
-          permissions: ['signin'],
-          organisation_slug: 'hmrc',
-          organisation_content_id: '67a2b78d-eee3-45b3-80e2-792e7f71cecc',
-        }
+          uid: "asd",
+          email: "user@example.com",
+          name: "A Name",
+          permissions: %w[signin],
+          organisation_slug: "hmrc",
+          organisation_content_id: "67a2b78d-eee3-45b3-80e2-792e7f71cecc",
+        },
       }.to_json)
 
-
       allow_any_instance_of(OAuth2::AccessToken).to receive(:get).and_return(response)
 
-      created_user = GDS::SSO::BearerToken.locate('MY-API-TOKEN')
+      created_user = GDS::SSO::BearerToken.locate("MY-API-TOKEN")
 
-      expect(created_user.email).to eql('user@example.com')
+      expect(created_user.email).to eql("user@example.com")
 
-      same_user_again = GDS::SSO::BearerToken.locate('MY-API-TOKEN')
+      same_user_again = GDS::SSO::BearerToken.locate("MY-API-TOKEN")
 
       expect(same_user_again.id).to eql(created_user.id)
     end

data/spec/unit/config_spec.rb

@@ -1,26 +1,26 @@
-require 'spec_helper'
+require "spec_helper"
 
 describe GDS::SSO::Config do
   describe "#permissions_for_dummy_user" do
     context "with no additional mock permissions" do
       it "returns signin" do
         subject.additional_mock_permissions_required = nil
-        expect(subject.permissions_for_dummy_api_user).to eq(["signin"])
+        expect(subject.permissions_for_dummy_api_user).to eq(%w[signin])
       end
     end
 
     context "with an additional mock permission as a string" do
       it "returns an array of permissions" do
         subject.additional_mock_permissions_required = "internal_app"
-        expected_permissions = ["signin", "internal_app"]
+        expected_permissions = %w[signin internal_app]
         expect(subject.permissions_for_dummy_api_user).to eq(expected_permissions)
       end
     end
 
     context "with additional mock permissions as an array" do
       it "returns an array of permissions" do
-        subject.additional_mock_permissions_required = ["another_permission", "yet_another_permission"]
-        expected_permissions = ["signin", "another_permission", "yet_another_permission"]
+        subject.additional_mock_permissions_required = %w[another_permission yet_another_permission]
+        expected_permissions = %w[signin another_permission yet_another_permission]
         expect(subject.permissions_for_dummy_api_user).to eq(expected_permissions)
       end
     end