gds-sso 17.1.1 → 18.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 299db37f74135bea6ee6479680dc31be21a3aab23a661ce27548f566829dd1d2
-  data.tar.gz: c440c23020cc6fd40294ccdb69031e6ea163ff29f3d33c8755fe7c725d4c24d3
+  metadata.gz: 6450ab2114242674c0c5f9ddeba9d15cca06e538f2f211a1c621469f9fd2d9af
+  data.tar.gz: eedc4aaa3abd89833c43af03c841f63dc6d68f9fbbd965a15aa917bc20ad933a
 SHA512:
-  metadata.gz: 1e6fead794241c45cdc8a0e23fd1734b11c8e1edad85d3eef4d56867d0bacbed944b1d083745c24573c5886df35f3f4d07d39c3a14966c0840a06736c0ebb548
-  data.tar.gz: 16850d916b1b8e0cfb2a974f171e3eb5c7625ef88b1a4abe4ec59bc5edcf90579b231890297f276974b5dd233ae45dd7c4184ca5324617558ab44f3529210bde
+  metadata.gz: cfe330d97944bac31202779575770107056ca493ac5af511eb5fb316bbd4a83b459367dd683d69c01656c3e446177dabd008e47cf6d83138f29f139b7e765374
+  data.tar.gz: 01b11032563802c91717c6418150dafadd4518f95845c938bb6ad855895971d541f1a95d59cddae92060e4896ec6fdea6620af24a72515cd9fb79074d705c3c3

data/README.md

@@ -177,12 +177,6 @@ Run the tests with:
 bundle exec rake
 ```
 
-By default, the tests use the master of [Signon](https://github.com/alphagov/signon) for running integration tests. If you want to use a branch (or commit, or tag), you can run it like this:
-
-```
-SIGNON_COMMITISH=my_branch_name bundle exec rake
-```
-
 ## Licence
 
 [MIT License](LICENCE)

data/lib/gds-sso/railtie.rb

@@ -6,6 +6,7 @@ module GDS
           config.cache = Rails.cache
           config.api_only = Rails.configuration.api_only
         end
+        OmniAuth.config.logger = Rails.logger
       end
     end
   end

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "17.1.1".freeze
+    VERSION = "18.0.0".freeze
   end
 end

data/spec/internal/app/controllers/example_controller.rb

@@ -1,7 +1,8 @@
 class ExampleController < ApplicationController
-  before_action :authenticate_user!, only: %i[restricted this_requires_signin_permission]
+  before_action :authenticate_user!, except: :not_restricted
+  before_action -> { authorise_user!("execute") }, only: :this_requires_execute_permission
 
-  def index
+  def not_restricted
     render body: "jabberwocky"
   end
 
@@ -9,7 +10,7 @@ class ExampleController < ApplicationController
     render body: "restricted kablooie"
   end
 
-  def this_requires_signin_permission
-    render body: "you have signin permission"
+  def this_requires_execute_permission
+    render body: "you have execute permission"
   end
 end

data/spec/internal/config/initializers/gds-sso.rb

@@ -2,5 +2,5 @@ GDS::SSO.config do |config|
   config.user_model   = "User"
   config.oauth_id     = "gds-sso-test"
   config.oauth_secret = "secret"
-  config.oauth_root_url = "http://localhost:4567"
+  config.oauth_root_url = "http://signon"
 end

data/spec/internal/config/routes.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 Rails.application.routes.draw do
-  # Add your own routes here, or remove this file if you don't have need for it.
-  root to: "example#index"
+  get "/not-restricted" => "example#not_restricted"
   get "/restricted" => "example#restricted"
-  get "/this_requires_signin_permission" => "example#this_requires_signin_permission"
+  get "/this-requires-execute-permission" => "example#this_requires_execute_permission"
 end

data/spec/spec_helper.rb

@@ -2,22 +2,28 @@
 # Bad things happen if we don't ;-)
 ENV["GDS_SSO_STRATEGY"] = "real"
 
-require "bundler/setup"
-require "combustion"
 require "capybara/rspec"
+require "webmock/rspec"
+require "combustion"
 
-Combustion.initialize! :all
+Combustion.initialize! :all do
+  config.cache_store = :null_store
+end
 
 require "rspec/rails"
 require "capybara/rails"
-require "mechanize"
-require "capybara/mechanize"
+WebMock.disable_net_connect!
 
 Dir[File.join(File.dirname(__FILE__), "support/**/*.rb")].sort.each { |f| require f }
 
+Capybara.register_driver :rack_test do |app|
+  Capybara::RackTest::Driver.new(app, follow_redirects: false)
+end
+
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
+  config.use_transactional_fixtures = true
 
   # Run specs in random order to surface order dependencies. If you find an
   # order dependency and want to debug it, you can fix the order by providing
@@ -25,6 +31,6 @@ RSpec.configure do |config|
   #     --seed 1234
   config.order = "random"
 
-  config.include(BackportControllerTestParams) if Rails.version < "5"
-  config.include(Warden::Test::Helpers)
+  config.include Warden::Test::Helpers
+  config.include Capybara::DSL
 end

data/spec/system/authentication_and_authorisation_spec.rb

@@ -0,0 +1,115 @@
+require "spec_helper"
+
+RSpec.describe "Authenication and authorisation" do
+  context "when accessing a route that doesn't require permissions or authentication" do
+    it "allows access" do
+      visit "/not-restricted"
+      expect(page).to have_content("jabberwocky")
+    end
+  end
+
+  context "when accessing a route that requires authentication" do
+    it "redirects an unauthenticated request to signon" do
+      # We manually follow the redirects because we have configured capybara
+      # to not follow redirects (and thus allow testing an external redirect)
+      visit "/restricted"
+      expect(page.response_headers["Location"]).to match("/auth/gds")
+      visit page.response_headers["Location"]
+      expect(page.response_headers["Location"]).to match("http://signon/oauth/authorize")
+    end
+
+    it "allows access for an authenticated user" do
+      stub_signon_authenticated
+
+      visit "/restricted"
+      expect(page).to have_content("restricted kablooie")
+    end
+
+    it "restricts access if a user is authenticated but remotely signed out" do
+      stub_signon_authenticated
+      User.last.set_remotely_signed_out!
+
+      visit "/restricted"
+      expect(page.status_code).to eql(302)
+      expect(page.response_headers["Location"]).to match("/auth/gds")
+    end
+
+    it "restricts access if a user is authenticated but session has expired" do
+      stub_signon_authenticated
+
+      Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for + 5.minutes) do
+        visit "/restricted"
+        expect(page.status_code).to eql(302)
+        expect(page.response_headers["Location"]).to match("/auth/gds")
+      end
+    end
+
+    it "allows access when given a valid bearer token" do
+      stub_signon_user_request
+      page.driver.header("Authorization", "Bearer 123")
+
+      visit "/restricted"
+      expect(page).to have_content("restricted kablooie")
+    end
+
+    it "restricts access when given an invalid bearer token" do
+      stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+        .to_return(status: 401)
+      page.driver.header("Authorization", "Bearer 123")
+
+      visit "/restricted"
+      expect(page.status_code).to eq(401)
+    end
+
+    it "returns a 401 when a bearer token is missing and the app is api_only" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      visit "/restricted"
+      expect(page.status_code).to eq(401)
+    end
+  end
+
+  context "when accessing a route that requires a permission" do
+    it "allows access when an authenticated user has the permission" do
+      stub_signon_authenticated(permissions: %w[execute])
+      visit "/this-requires-execute-permission"
+      expect(page).to have_content("you have execute permission")
+    end
+
+    it "restricts access when an authenticated user lacks the permission" do
+      stub_signon_authenticated
+      visit "/this-requires-execute-permission"
+      expect(page.status_code).to eq(403)
+    end
+  end
+
+  def stub_signon_authenticated(permissions: [])
+    # visit restricted page to trigger redirect URL to record state attribute
+    visit "/auth/gds"
+    state = CGI.parse(URI.parse(page.response_headers["Location"]).query)
+              .then { |query| query["state"].first }
+
+    stub_request(:post, "http://signon/oauth/access_token")
+      .to_return(body: { access_token: "token" }.to_json,
+                 headers: { content_type: "application/json" })
+
+    stub_signon_user_request(permissions: permissions)
+
+    visit "/auth/gds/callback?code=code&state=#{state}"
+  end
+
+  def stub_signon_user_request(permissions: [])
+    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+      .to_return(
+        body: {
+          user: {
+            uid: "123",
+            email: "test-user@example.com",
+            name: "Test User",
+            permissions: permissions,
+          },
+        }.to_json,
+        headers: { content_type: "application/json" },
+      )
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gds-sso
 version: !ruby/object:Gem::Version
-  version: 17.1.1
+  version: 18.0.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-11-21 00:00:00.000000000 Z
+date: 2023-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -128,26 +128,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3'
-- !ruby/object:Gem::Dependency
-  name: capybara-mechanize
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.12.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.12.1
 - !ruby/object:Gem::Dependency
   name: combustion
   requirement: !ruby/object:Gem::Requirement
@@ -194,16 +174,16 @@ dependencies:
   name: rubocop-govuk
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.8.0
+        version: '4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.8.0
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -232,6 +212,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Client for GDS' OAuth 2-based SSO
 email:
 - govuk-dev@digital.cabinet-office.gov.uk
@@ -264,8 +258,6 @@ files:
 - lib/omniauth/strategies/gds.rb
 - spec/controller/api_user_controller_spec.rb
 - spec/controller/controller_methods_spec.rb
-- spec/fixtures/integration/authorize_api_users.sql
-- spec/fixtures/integration/signon.sql
 - spec/internal/app/assets/config/manifest.js
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/example_controller.rb
@@ -273,17 +265,13 @@ files:
 - spec/internal/config/database.yml
 - spec/internal/config/initializers/gds-sso.rb
 - spec/internal/config/routes.rb
-- spec/internal/config/storage.yml
 - spec/internal/db/schema.rb
-- spec/internal/public/favicon.ico
-- spec/requests/end_to_end_spec.rb
 - spec/spec_helper.rb
-- spec/support/backport_controller_test_params.rb
 - spec/support/controller_spy.rb
 - spec/support/serializable_user.rb
-- spec/support/signon_integration_helpers.rb
 - spec/support/test_user.rb
 - spec/support/timecop.rb
+- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
@@ -303,44 +291,38 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.4.18
 signing_key: 
 specification_version: 4
 summary: Client for GDS' OAuth 2-based SSO
 test_files:
-- spec/spec_helper.rb
-- spec/fixtures/integration/signon.sql
-- spec/fixtures/integration/authorize_api_users.sql
-- spec/requests/end_to_end_spec.rb
-- spec/support/controller_spy.rb
-- spec/support/timecop.rb
-- spec/support/serializable_user.rb
-- spec/support/test_user.rb
-- spec/support/signon_integration_helpers.rb
-- spec/support/backport_controller_test_params.rb
 - spec/controller/api_user_controller_spec.rb
 - spec/controller/controller_methods_spec.rb
-- spec/internal/config/routes.rb
+- spec/internal/app/assets/config/manifest.js
+- spec/internal/app/controllers/application_controller.rb
+- spec/internal/app/controllers/example_controller.rb
+- spec/internal/app/models/user.rb
 - spec/internal/config/database.yml
 - spec/internal/config/initializers/gds-sso.rb
-- spec/internal/config/storage.yml
-- spec/internal/app/models/user.rb
-- spec/internal/app/controllers/example_controller.rb
-- spec/internal/app/controllers/application_controller.rb
-- spec/internal/app/assets/config/manifest.js
+- spec/internal/config/routes.rb
 - spec/internal/db/schema.rb
-- spec/internal/public/favicon.ico
-- spec/unit/mock_bearer_token_spec.rb
-- spec/unit/bearer_token_spec.rb
+- spec/spec_helper.rb
+- spec/support/controller_spy.rb
+- spec/support/serializable_user.rb
+- spec/support/test_user.rb
+- spec/support/timecop.rb
+- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
-- spec/unit/user_spec.rb
-- spec/unit/session_serialisation_spec.rb
+- spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb
+- spec/unit/session_serialisation_spec.rb
+- spec/unit/user_spec.rb

data/spec/fixtures/integration/authorize_api_users.sql

@@ -1,7 +0,0 @@
-DELETE FROM `oauth_access_tokens`;
-
-INSERT INTO oauth_access_tokens (resource_owner_id, application_id, token, refresh_token, expires_in, created_at)
-  VALUES (1, 1, 'caaeb53be5c7277fb0ef158181bfd1537b57f9e3b83eb795be3cd0af6e118b28', '1bc343797483954d7306d67e96687feccdfdaa8b23ed662ae23e2b03e6661d16', POW(2, 31)-1, '2012-06-27 13:57:47');
-
-INSERT INTO oauth_access_tokens (resource_owner_id, application_id, token, refresh_token, expires_in, created_at)
-  VALUES (1, 2, '98c72f4da02fdc43398e029d05567542944d2a9b0df3c20b0accd8bd6c5dc728', 'e2da0489a58219fd4f542139909737627874ceacd2af23f5c268ccecb36e85af', POW(2, 31)-1, '2014-07-14 09:06:14');

data/spec/fixtures/integration/signon.sql

@@ -1,26 +0,0 @@
--- Clean data from database
-DELETE FROM `oauth_access_grants`;
-DELETE FROM `oauth_access_tokens`;
-DELETE FROM `oauth_applications`;
-DELETE FROM `supported_permissions`;
-DELETE FROM `users`;
-DELETE FROM `user_application_permissions`;
-
--- Setup fixture data
-INSERT INTO `oauth_applications` (id, name, uid, secret, redirect_uri, created_at, updated_at, home_uri, description)
-              VALUES (1,'GDS_SSO integration test','gds-sso-test','secret','http://www.example-client.com/auth/gds/callback','2012-04-19 13:26:54','2012-04-19 13:26:54', 'http://home.com', 'GDS_SSO integration test');
-INSERT INTO `oauth_applications` (id, name, uid, secret, redirect_uri, created_at, updated_at, home_uri, description)
-              VALUES (2,'A different appilcation','application-2','different secret','http://www.example-client2.com/auth/gds/callback','2014-07-14-09:07:32','2014-07-14-09:07:32', 'http://www.example-client2.com', '');
-
-INSERT INTO `supported_permissions` (id, application_id, name, created_at, updated_at)
-              VALUES (1,1,'signin','2012-04-19 13:26:54','2012-04-19 13:26:54');
-INSERT INTO `supported_permissions` (id, application_id, name, created_at, updated_at)
-              VALUES (2,2,'signin','2012-04-19 13:26:54','2012-04-19 13:26:54');
-
-INSERT INTO `users` (id, email, encrypted_password, password_salt, created_at, updated_at, confirmed_at, name, uid, role, password_changed_at)
-              VALUES (1,'test@example-client.com','3a890fe5e95b328b83f2ba57ea893cae595f4937291ff5550acb68f4a8dafeac22e5f8120c1e66be8f2b769df142dd3d111b404c5c1741595c9ecc9e7e6ad827','QCsZsJs7m5ojdgvysHSy','2012-04-19 13:26:54','2012-04-19 13:26:54','2012-04-19 13:26:54','Test User','integration-uid', "normal", NOW());
-
-INSERT INTO `user_application_permissions` (user_id, application_id, supported_permission_id, created_at, updated_at)
-              VALUES (1,1,1,'2012-04-19 13:26:54','2012-04-19 13:26:54');
-INSERT INTO `user_application_permissions` (user_id, application_id, supported_permission_id, created_at, updated_at)
-              VALUES (1,2,2,'2012-04-19 13:26:54','2012-04-19 13:26:54');

data/spec/internal/config/storage.yml

@@ -1,3 +0,0 @@
-test:
-  service: Disk
-  root: <%= Rails.root.join("tmp/storage") %>

data/spec/requests/end_to_end_spec.rb

@@ -1,215 +0,0 @@
-require "spec_helper"
-require "timecop"
-
-describe "Integration of client using GDS-SSO with signon" do
-  include SignonIntegrationHelpers
-
-  before :all do
-    wait_for_signon_to_start
-  end
-
-  before :each do
-    # points to an internal app, using combustion gem
-    # see spec/internal
-    @client_host = "www.example-client.com"
-    Capybara.current_driver = :mechanize
-    Capybara::Mechanize.local_hosts << @client_host
-
-    load_signon_setup_fixture
-  end
-
-  describe "Web client accesses" do
-    before :each do
-      page.driver.header "accept", "text/html"
-    end
-
-    specify "a non-restricted page can be accessed without authentication" do
-      visit "http://#{@client_host}/"
-      expect(page).to have_content("jabberwocky")
-    end
-
-    specify "first access to a restricted page requires authentication and application approval" do
-      visit "http://#{@client_host}/restricted"
-      expect(page).to have_content("Sign in")
-      fill_in "Email", with: "test@example-client.com"
-      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-      click_on "Sign in"
-
-      expect(page).to have_content("restricted kablooie")
-    end
-
-    specify "access to a restricted page for an approved application requires only authentication" do
-      # First we login to authorise the app
-      visit "http://#{@client_host}/restricted"
-      fill_in "Email", with: "test@example-client.com"
-      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-      click_on "Sign in"
-
-      # At this point the app should be authorised, we reset the session to simulate a new browser visit.
-      reset_session!
-      page.driver.header "accept", "text/html"
-
-      visit "http://#{@client_host}/restricted"
-      expect(page).to have_content("Sign in")
-
-      fill_in "Email", with: "test@example-client.com"
-      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-      click_on "Sign in"
-
-      expect(page).to have_content("restricted kablooie")
-    end
-
-    specify "access to a page that requires signin permission granted" do
-      # First we login to authorise the app
-      visit "http://#{@client_host}/this_requires_signin_permission"
-      fill_in "Email", with: "test@example-client.com"
-      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-      click_on "Sign in"
-
-      # At this point the app should be authorised, we reset the session to simulate a new browser visit.
-      reset_session!
-      page.driver.header "accept", "text/html"
-
-      visit "http://#{@client_host}/this_requires_signin_permission"
-      expect(page).to have_content("Sign in")
-
-      fill_in "Email", with: "test@example-client.com"
-      fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-      click_on "Sign in"
-
-      expect(page).to have_content("you have signin permission")
-    end
-
-    describe "remotely signed out" do
-      specify "should prevent all access to the application until successful signin" do
-        # First we login and authorise the app
-        visit "http://#{@client_host}/restricted"
-        fill_in "Email", with: "test@example-client.com"
-        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-        click_on "Sign in"
-
-        page.driver.header "accept", "text/html"
-        expect(page).to have_content("restricted kablooie")
-
-        # logout from signon
-        visit "http://localhost:4567/users/sign_out"
-
-        # Simulate a POST to /auth/gds/api/users/:uid/reauth by signon
-        # This is already tested in api_user_controller_spec.rb
-        user = User.where(email: "test@example-client.com").first
-        user.set_remotely_signed_out!
-
-        # attempt to visit a restricted page
-        visit "http://#{@client_host}/restricted"
-
-        # be redirected to signon
-        expect(page).to have_content("GOV.UK Signon")
-        fill_in "Email", with: "test@example-client.com"
-        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-        click_on "Sign in"
-
-        # then back again to the restricted page
-        expect(page).to have_content("restricted kablooie")
-      end
-    end
-
-    describe "session expiry" do
-      it "should force you to re-authenticate with signon N hours after login" do
-        visit "http://#{@client_host}/restricted"
-        expect(page).to have_content("Sign in")
-        fill_in "Email", with: "test@example-client.com"
-        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-        click_on "Sign in"
-
-        expect(page).to have_content("restricted kablooie")
-
-        visit "http://localhost:4567/users/sign_out"
-
-        Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for + 5.minutes) do
-          visit "http://#{@client_host}/restricted"
-        end
-
-        expect(page).to have_content("Sign in")
-      end
-
-      it "should accept signon's remembered authentication N hours after login" do
-        visit "http://#{@client_host}/restricted"
-        expect(page).to have_content("Sign in")
-        fill_in "Email", with: "test@example-client.com"
-        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-        click_on "Sign in"
-
-        expect(page).to have_content("restricted kablooie")
-
-        Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for + 5.minutes) do
-          visit "http://#{@client_host}/restricted"
-        end
-
-        expect(page).to have_content("restricted kablooie")
-      end
-
-      it "should not require re-authentication with signon fewer than N hours after login" do
-        visit "http://#{@client_host}/restricted"
-        expect(page).to have_content("Sign in")
-        fill_in "Email", with: "test@example-client.com"
-        fill_in "Password", with: "q1w2e3r4t5y6u7i8o9p0"
-        click_on "Sign in"
-
-        expect(page).to have_content("restricted kablooie")
-
-        Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for - 5.minutes) do
-          visit "http://#{@client_host}/restricted"
-        end
-
-        expect(page).to have_content("restricted kablooie")
-      end
-    end
-  end
-
-  describe "OAuth based API client accesses" do
-    before :each do
-      page.driver.header "accept", "application/json"
-      authorize_signon_api_user
-
-      token = "caaeb53be5c7277fb0ef158181bfd1537b57f9e3b83eb795be3cd0af6e118b28"
-      page.driver.header "authorization", "Bearer #{token}"
-    end
-
-    specify "access to a restricted page for an api client requires auth" do
-      page.driver.header "authorization", "Bearer Bad Token"
-      visit "http://#{@client_host}/restricted"
-      expect(page.driver.response.status).to eq(401)
-    end
-
-    specify "setting a correct bearer token allows sign in" do
-      visit "http://#{@client_host}/restricted"
-      expect(page).to have_content("restricted kablooie")
-    end
-
-    specify "setting a correct bearer token picks up permissions" do
-      visit "http://#{@client_host}/this_requires_signin_permission"
-      expect(page).to have_content("you have signin permission")
-    end
-
-    specify "a token for one app cannot be used to access a different app" do
-      page.driver.header "authorization", "Bearer 98c72f4da02fdc43398e029d05567542944d2a9b0df3c20b0accd8bd6c5dc728"
-      visit "http://#{@client_host}/restricted"
-      expect(page.driver.response.status).to eq(401)
-    end
-  end
-
-  context "when in api_only mode" do
-    around do |examples|
-      GDS::SSO::Config.api_only = true
-      Combustion::Application.reload_routes!
-      examples.run
-      GDS::SSO::Config.api_only = false
-      Combustion::Application.reload_routes!
-    end
-
-    specify "accessing without a bearer token is not authorized" do
-      visit "http://#{@client_host}/restricted"
-      expect(page.driver.response.status).to eq(401)
-    end
-  end
-end

data/spec/support/backport_controller_test_params.rb

@@ -1,21 +0,0 @@
-module BackportControllerTestParams
-  def delete(*args)
-    action, rest = *args
-    super(action, rest[:params])
-  end
-
-  def get(*args)
-    action, rest = *args
-    super(action, rest[:params])
-  end
-
-  def post(*args)
-    action, rest = *args
-    super(action, rest[:params])
-  end
-
-  def put(*args)
-    action, rest = *args
-    super(action, rest[:params])
-  end
-end

data/spec/support/signon_integration_helpers.rb

@@ -1,56 +0,0 @@
-require "net/http"
-
-module SignonIntegrationHelpers
-  def wait_for_signon_to_start
-    retries = 0
-    url = GDS::SSO::Config.oauth_root_url
-    puts "Waiting for signon to start at #{url}"
-    until signon_started?(url)
-      print "."
-      if retries > 20
-        raise "Signon is not running at #{url}. Please start with `./start_signon.sh`. Under jenkins this should happen automatically."
-      end
-
-      retries += 1
-      sleep 1
-    end
-    puts "Signon is now running at #{url}"
-  end
-
-  def signon_started?(url)
-    uri = URI.parse(url)
-    conn = Net::HTTP.start(uri.host, uri.port)
-    true
-  rescue Errno::ECONNREFUSED
-    false
-  ensure
-    conn.try(:finish)
-  end
-
-  def load_signon_setup_fixture
-    load_signon_fixture("signon.sql")
-  end
-
-  def authorize_signon_api_user
-    load_signon_fixture("authorize_api_users.sql")
-  end
-
-  def load_signon_fixture(filename)
-    require "erb"
-    parsed = ERB.new(File.read("#{signon_path}/config/database.yml")).result
-    db = YAML.safe_load(parsed, aliases: true)["test"]
-
-    cmd = "mysql #{db['database']} -u#{db['username']} -p#{db['password']} < #{fixture_file(filename)}"
-    system cmd or raise "Error loading signon fixture"
-  end
-
-private
-
-  def fixture_file(filename)
-    File.join(File.dirname(__FILE__), "../fixtures/integration", filename)
-  end
-
-  def signon_path
-    Rails.root.join("..", "..", "tmp", "signon").to_s
-  end
-end