gds-sso 20.0.0 → 21.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0ce653302bc22f4fd60d83307eff612eac4a491eff439eed0c602c288d798ef9
-  data.tar.gz: de16391f9abe70acb77dbb6b00ca2b2f3e5da82965777bf281099e03e8420204
+  metadata.gz: 72938e39cf2466b8a2dc2d22aca03d64ff33ab2a8c5d11c0c57f3710a2935205
+  data.tar.gz: 042b5c966919ab345d9ea3dc9e47197947fdd75e51ad263b0f0f038397c09fa9
 SHA512:
-  metadata.gz: 51ad269ab4ba83b3b21c8fe9cdcc8b713c3b14c98e2068a4f6c06b198f75e7641ad087b15422bffabfcb5313e43ba255dce86f5ed6ea7ab6c0c8b92b151656ec
-  data.tar.gz: 261cae8502648293bdd629d09379df37efd5ca632ffb0360463807d609174c9f532ebdce31993a48e55f6fd3576a09c792209a907c7647daa549b62623f044c3
+  metadata.gz: fdca3de72981e79aa420da0b3d6c4d689fba034d3d3cda4874082efe58bcf056128242ab09a4266b8d11f91da500d47b665e434ccb805a3f6a799d6d29f765f4
+  data.tar.gz: ad252eb2aeaf3986b68b54a15f7f4622f4d56e730d509690e1e80c77be6411201ebf618ba68efebaff825fe731a111de186b439b6834a4c1de91782745658335

data/README.md

@@ -90,7 +90,7 @@ Authorization: Bearer your-token-here
 
 To avoid making these requests for each incoming request, this gem will [automatically cache a successful response](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/bearer_token.rb), using the [Rails cache](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/railtie.rb).
 
-If you are using a Rails 5 app in
+If you are using a Rails app in
 [api_only](http://guides.rubyonrails.org/api_app.html) mode this gem will
 automatically disable the oauth layers which use session persistence. You can
 configure this gem to be in api_only mode (or not) with:
@@ -103,6 +103,19 @@ GDS::SSO.config do |config|
 end
 ```
 
+For apps that have both usage of web and API you can configure a lambda to
+match your API endpoints to ensure they don't support session auth and return
+JSON error messages:
+
+
+```ruby
+GDS::SSO.config do |config|
+  # ...
+  #
+  config.api_request_matcher = ->(request) { request.path.start_with?("/api/") }
+end
+```
+
 ### Use in production mode
 
 To use gds-sso in production you will need to setup the following environment variables, which we look for in [the config](https://github.com/alphagov/gds-sso/blob/master/lib/gds-sso/config.rb). You will need to have admin access to Signon to get these.

data/config/routes.rb

@@ -1,9 +1,10 @@
 Rails.application.routes.draw do
+  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
+  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
+
   next if GDS::SSO::Config.api_only
 
   get "/auth/gds/callback",               to: "authentications#callback", as: :gds_sign_in
   get "/auth/gds/sign_out",               to: "authentications#sign_out", as: :gds_sign_out
-  get  "/auth/failure",                   to: "authentications#failure",  as: :auth_failure
-  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
-  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
+  get "/auth/failure",                    to: "authentications#failure",  as: :auth_failure
 end

data/lib/gds-sso/api_access.rb

@@ -1,8 +1,34 @@
+require "rack/request"
+
 module GDS
   module SSO
     class ApiAccess
       def self.api_call?(env)
-        env["HTTP_AUTHORIZATION"].to_s =~ /\ABearer /
+        return env["gds_sso.api_call"] unless env["gds_sso.api_call"].nil?
+        return true if GDS::SSO::Config.api_only
+
+        if GDS::SSO::Config.api_request_matcher
+          request = Rack::Request.new(env)
+
+          gds_sso_api_request_matcher = GDS::SSO::Config.gds_sso_api_request_matcher
+          return true if gds_sso_api_request_matcher&.call(request)
+
+          return GDS::SSO::Config.api_request_matcher.call(request)
+        end
+
+        !bearer_token(env).nil?
+      end
+
+      def self.bearer_token(env)
+        Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS.each do |key|
+          next unless env.key?(key)
+
+          if (match = env[key].match(/\ABearer (.+)/))
+            return match[1]
+          end
+        end
+
+        nil
       end
     end
   end

data/lib/gds-sso/authorised_user_constraint.rb

@@ -6,10 +6,9 @@ module GDS
       end
 
       def matches?(request)
-        warden = request.env["warden"]
-        warden.authenticate! if !warden.authenticated? || warden.user.remotely_signed_out?
+        user = GDS::SSO.authenticate_user!(request.env["warden"])
 
-        GDS::SSO::AuthoriseUser.call(warden.user, permissions)
+        GDS::SSO::AuthoriseUser.call(user, permissions)
         true
       end
 

data/lib/gds-sso/bearer_token.rb

@@ -6,6 +6,8 @@ module GDS
   module SSO
     module BearerToken
       def self.locate(token_string)
+        return if token_string.nil? || token_string.empty?
+
         user_details = GDS::SSO::Config.cache.fetch(["api-user-cache", token_string], expires_in: 5.minutes) do
           access_token = OAuth2::AccessToken.new(oauth_client, token_string)
           response_body = access_token.get("/user.json?client_id=#{CGI.escape(GDS::SSO::Config.oauth_id)}").body
@@ -56,7 +58,10 @@ module GDS
 
     module MockBearerToken
       def self.locate(_token_string)
-        dummy_api_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
+        return unless ENV["GDS_SSO_MOCK_INVALID"].to_s.empty?
+        return GDS::SSO.test_user if GDS::SSO.test_user
+
+        dummy_api_user = GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first
         if dummy_api_user.nil?
           dummy_api_user = GDS::SSO::Config.user_klass.new
           dummy_api_user.email = "dummyapiuser@domain.com"

data/lib/gds-sso/config.rb

@@ -29,6 +29,13 @@ module GDS
 
       mattr_accessor :api_only
 
+      mattr_accessor :api_request_matcher
+
+      # A matcher for GDS SSO's own API for updating user details. Shouldn't
+      # need configuring unless you mount the API at a different location.
+      mattr_accessor :gds_sso_api_request_matcher
+      @@gds_sso_api_request_matcher = ->(request) { request.path.start_with?("/auth/gds/api/") }
+
       mattr_accessor :intercept_401_responses
       @@intercept_401_responses = true
 

data/lib/gds-sso/controller_methods.rb

@@ -4,17 +4,9 @@ module GDS
     end
 
     module ControllerMethods
-      # TODO: remove this for the next major release
-      class PermissionDeniedException < PermissionDeniedError
-        def initialize(...)
-          warn "GDS::SSO::ControllerMethods::PermissionDeniedException is deprecated, please replace with GDS::SSO::PermissionDeniedError"
-          super(...)
-        end
-      end
-
       def self.included(base)
         base.rescue_from PermissionDeniedError do |e|
-          if GDS::SSO::Config.api_only
+          if GDS::SSO::ApiAccess.api_call?(request.env)
             render json: { message: e.message }, status: :forbidden
           else
             render "authorisations/unauthorised", layout: "unauthorised", status: :forbidden, locals: { message: e.message }

data/lib/gds-sso/failure_app.rb

@@ -6,20 +6,19 @@ require "rails"
 module GDS
   module SSO
     class FailureApp < ActionController::Metal
-      include ActionController::UrlFor
       include ActionController::Redirecting
       include AbstractController::Rendering
       include ActionController::Rendering
       include ActionController::Renderers
       use_renderers :json
 
-      include Rails.application.routes.url_helpers
-
       def self.call(env)
-        if GDS::SSO::ApiAccess.api_call?(env)
-          action(:api_invalid_token).call(env)
-        elsif GDS::SSO::Config.api_only
-          action(:api_missing_token).call(env)
+        if env["gds_sso.api_call"]
+          if env["gds_sso.api_bearer_token_present"]
+            action(:api_invalid_token).call(env)
+          else
+            action(:api_missing_token).call(env)
+          end
         else
           action(:redirect).call(env)
         end

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "20.0.0".freeze
+    VERSION = "21.1.0".freeze
   end
 end

data/lib/gds-sso/warden_config.rb

@@ -6,6 +6,12 @@ def logger
   Rails.logger || env["rack.logger"]
 end
 
+Warden::Manager.on_request do |proxy|
+  proxy.env["gds_sso.api_call"] ||= ::GDS::SSO::ApiAccess.api_call?(proxy.env)
+  proxy.env["gds_sso.api_bearer_token_present"] ||=
+    proxy.env["gds_sso.api_call"] && !::GDS::SSO::ApiAccess.bearer_token(proxy.env).nil?
+end
+
 Warden::Manager.after_authentication do |user, _auth, _opts|
   # We've successfully signed in.
   # If they were remotely signed out, clear the flag as they're no longer suspended
@@ -35,7 +41,7 @@ end
 
 Warden::Strategies.add(:gds_sso) do
   def valid?
-    !::GDS::SSO::ApiAccess.api_call?(env)
+    !env["gds_sso.api_call"]
   end
 
   def authenticate!
@@ -61,11 +67,32 @@ end
 Warden::OAuth2.configure do |config|
   config.token_model = GDS::SSO::Config.use_mock_strategies? ? GDS::SSO::MockBearerToken : GDS::SSO::BearerToken
 end
-Warden::Strategies.add(:gds_bearer_token, Warden::OAuth2::Strategies::Bearer)
+
+# We're using our own bearer token strategy rather than the one in Warden::OAuth2
+# so that we can have all requests match either a bearer token or a session
+# strategy. It also allows us to avoid multiple DB queries to locate a user.
+Warden::Strategies.add(:gds_bearer_token, Class.new(Warden::OAuth2::Strategies::Token)) do
+  def valid?
+    env["gds_sso.api_call"]
+  end
+
+  def token_string
+    @token_string ||= GDS::SSO::ApiAccess.bearer_token(env)
+  end
+
+  def token
+    # Using a defined? based memo approach over @token ||= so that we can set
+    # @token to nil and not re-evaluate the assignment.
+    return @token if defined? @token
+
+    @token = Warden::OAuth2.config.token_model.locate(token_string)
+    @token
+  end
+end
 
 Warden::Strategies.add(:mock_gds_sso) do
   def valid?
-    !::GDS::SSO::ApiAccess.api_call?(env)
+    !env["gds_sso.api_call"]
   end
 
   def authenticate!

data/lib/gds-sso.rb

@@ -25,6 +25,12 @@ module GDS
       yield GDS::SSO::Config
     end
 
+    def self.authenticate_user!(warden)
+      warden.authenticate! if !warden.authenticated? || warden.user.remotely_signed_out?
+
+      warden.user
+    end
+
     class Engine < ::Rails::Engine
       # Force routes to be loaded if we are doing any eager load.
       # TODO - check this one - Stolen from Devise because it looked sensible...

data/spec/internal/config/routes.rb

@@ -5,7 +5,7 @@ Rails.application.routes.draw do
   get "/restricted" => "example#restricted"
   get "/this-requires-execute-permission" => "example#this_requires_execute_permission"
 
-  constraints(GDS::SSO::AuthorisedUserConstraint.new("execute")) do
+  constraints(GDS::SSO::AuthorisedUserConstraint.new("constraint")) do
     get "/constraint-restricted" => "example#constraint_restricted"
   end
 end

data/spec/request/api/user_spec.rb

@@ -0,0 +1,144 @@
+require "spec_helper"
+
+describe "Api::UserController", type: :request do
+  shared_examples "rejects a request from an unauthenticated user" do |method, path|
+    it "rejects the request when a user is unauthenticated" do
+      stub_failed_signon_user_request
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
+
+  shared_examples "rejects a request from an authenticated user lacking permission" do |method, path|
+    it "rejects the request when a user is authenticated but lacking permission" do
+      stub_successful_signon_user_request(permissions: [])
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  shared_examples "operates as an API endpoint if api_request_matcher doesn't match it" do |method, path|
+    it "doesn't redirect to /auth/gds because it's recognised as an API request" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(_request) { false })
+
+      stub_failed_signon_user_request
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response.media_type).to eq("application/json")
+    end
+  end
+
+  shared_examples "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match" do |method, path|
+    it "fails if gds_sso_api_request_matcher is configured to not match" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(_request) { false })
+
+      allow(GDS::SSO::Config)
+        .to receive(:gds_sso_api_request_matcher)
+        .and_return(nil)
+
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to redirect_to("/auth/gds")
+    end
+  end
+
+  describe "PUT /auth/gds/api/users/:uid" do
+    shared_params = [:put, "/auth/gds/api/users/#{SecureRandom.uuid}"]
+    it_behaves_like "rejects a request from an unauthenticated user", *shared_params
+    it_behaves_like "rejects a request from an authenticated user lacking permission", *shared_params
+    it_behaves_like "operates as an API endpoint if api_request_matcher doesn't match it", *shared_params
+    it_behaves_like "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match", *shared_params
+
+    it "updates an existing user" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      put "/auth/gds/api/users/#{user.uid}",
+          headers: { "Authorization" => "Bearer anything" },
+          params: user_update_params(user, { "name" => "John Matrix" }),
+          as: :json
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+      expect(user.reload.name).to eq("John Matrix")
+    end
+
+    it "creates a new user if a user does not exist" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.new(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      put "/auth/gds/api/users/#{user.uid}",
+          headers: { "Authorization" => "Bearer anything" },
+          params: user_update_params(user),
+          as: :json
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+      expect(User.last.uid).to eq(user.uid)
+    end
+  end
+
+  describe "POST /auth/gds/api/users/:uid/reauth" do
+    shared_params = [:post, "/auth/gds/api/users/#{SecureRandom.uuid}/reauth"]
+    it_behaves_like "rejects a request from an unauthenticated user", *shared_params
+    it_behaves_like "rejects a request from an authenticated user lacking permission", *shared_params
+    it_behaves_like "operates as an API endpoint if api_request_matcher doesn't match it", *shared_params
+    it_behaves_like "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match", *shared_params
+
+    it "flags a user that exists as remotely signed out" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      expect {
+        post "/auth/gds/api/users/#{user.uid}/reauth",
+             headers: { "Authorization" => "Bearer anything" }
+      }.to change { user.reload.remotely_signed_out }.to(true)
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+    end
+
+    it "responds successfully even if the user doesn't exist" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.new(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      post "/auth/gds/api/users/#{user.uid}/reauth",
+           headers: { "Authorization" => "Bearer anything" }
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+    end
+  end
+
+  def user_update_params(user, modifications = {})
+    fields = %i[uid name email permissions organisation_slug organisation_content_id disabled]
+    user_details = user.as_json(only: fields).merge(modifications)
+    { "user" => user_details }
+  end
+end

data/spec/request/authentication_spec.rb

@@ -0,0 +1,77 @@
+require "spec_helper"
+
+describe "AuthenticationController", type: :request do
+  describe "GET /auth/gds/callback" do
+    it "fails without a valid state param" do
+      get "/auth/gds/callback"
+
+      expect(response).to redirect_to("/auth/failure?message=csrf_detected&strategy=gds")
+    end
+
+    it "redirects to the attempted url if a user was restricted earlier in the session" do
+      get "/restricted"
+
+      state = request_to_establish_oauth_state
+
+      stub_signon_oauth_token_request
+      stub_successful_signon_user_request
+
+      get "/auth/gds/callback?state=#{state}"
+      expect(response).to redirect_to("/restricted")
+    end
+
+    it "redirects to the root path if the user hadn't tried to access a restricted url" do
+      state = request_to_establish_oauth_state
+
+      stub_signon_oauth_token_request
+      stub_successful_signon_user_request
+
+      get "/auth/gds/callback?state=#{state}"
+      expect(response).to redirect_to("/")
+    end
+
+    it "uses the OAuth2 proof key for code exchange feature for increased security" do
+      get "/auth/gds"
+
+      expect(response).to have_http_status(:redirect)
+      location = URI.parse(response.location)
+      query = Rack::Utils.parse_query(location.query)
+
+      expect(location.path).to eq("/oauth/authorize")
+      expect(query).to include("code_challenge", "code_challenge_method")
+
+      token_request = stub_request(:post, "http://signon/oauth/access_token")
+                        .with(body: hash_including("code_verifier"))
+
+      get "/auth/gds/callback?state=#{query['state']}"
+
+      expect(token_request).to have_been_made
+    end
+  end
+
+  describe "GET /auth/failure" do
+    it "responds successfully" do
+      get "/auth/failure"
+
+      expect(response).to have_http_status(:success)
+    end
+  end
+
+  describe "GET /auth/gds/sign_out" do
+    it "redirects to signon sign out" do
+      get "/auth/gds/sign_out"
+
+      expect(response).to redirect_to("http://signon/users/sign_out")
+    end
+
+    it "logs an authenticated user out" do
+      authenticate_with_stub_signon
+
+      get "/auth/gds/sign_out"
+
+      # access a restricted route to assert we're logged out
+      get "/restricted"
+      expect(response).to redirect_to("/auth/gds")
+    end
+  end
+end