gds-sso 20.0.0 → 21.1.0

data/spec/request/demo_app_spec.rb

@@ -0,0 +1,264 @@
+require "spec_helper"
+
+describe "Integration tests with a demo app", type: :request do
+  describe "accessing a route that doesn't require authentication" do
+    it "allows access" do
+      get "/not-restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("jabberwocky")
+    end
+  end
+
+  describe "accessing a route the requires authentication" do
+    context "when GDS::SSO isn't configured to treat this as an explicit API request" do
+      it "redirects an unauthenticated request to sign-in" do
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+
+      it "responds successfully for an authenticated user" do
+        authenticate_with_stub_signon
+
+        get "/restricted"
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "redirects to sign-in if a user is authenticated but remotely signed out" do
+        authenticate_with_stub_signon
+        User.last.set_remotely_signed_out!
+
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+
+      it "redirects to sign-in if a user's session has expired" do
+        authenticate_with_stub_signon
+
+        travel_to(Time.now.utc + GDS::SSO::Config.auth_valid_for + 1.second) do
+          get "/restricted"
+          expect(response).to redirect_to("/auth/gds")
+        end
+      end
+
+      it "allows access when given a valid bearer token" do
+        stub_successful_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "restricts access when given an invalid bearer token" do
+        stub_failed_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer invalid" }
+        expect(response).to have_http_status(:unauthorized)
+        expect_invalid_bearer_token_response(response)
+      end
+    end
+
+    context "when an application is configured as API only" do
+      before { allow(GDS::SSO::Config).to receive(:api_only).and_return(true) }
+
+      it "allows access when given a valid bearer token" do
+        stub_successful_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "rejects a request without a bearer token" do
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+        expect_missing_bearer_token_response(response)
+      end
+
+      it "restricts access for an invalid bearer token" do
+        stub_failed_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer invalid" }
+        expect(response).to have_http_status(:unauthorized)
+        expect_invalid_bearer_token_response(response)
+      end
+    end
+
+    context "when API requests are differentiated by api_request_matcher" do
+      it "treats a match as an API request" do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(request) { request.path == "/restricted" })
+
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+        expect_missing_bearer_token_response(response)
+      end
+
+      it "treats a non-match as a non-API request" do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(_request) { false })
+
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+    end
+  end
+
+  describe "when accessing routes without authentication and using the mock strategies" do
+    before { use_mock_strategies }
+
+    it "allows a user access without authentication" do
+      # non-bearer token mock requests require a user to exist
+      User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      get "/restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("restricted kablooie")
+    end
+
+    it "can be configured to fail authentication with an env var" do
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+    end
+
+    it "allows an API request without a bearer token" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      get "/restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("restricted kablooie")
+    end
+
+    it "can be configured to fail API authentication with an env var" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe "when accessing a route that requires permission" do
+    context "when GDS::SSO isn't configured to treat this as an explicit API request" do
+      it "allows a user with the permission to access the resource" do
+        authenticate_with_stub_signon(permissions: %w[execute])
+
+        get "/this-requires-execute-permission"
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "restricts a user lacking the permission" do
+        authenticate_with_stub_signon
+
+        get "/this-requires-execute-permission"
+        expect(response).to have_http_status(:forbidden)
+        expect(response.body).to include("Sorry, you don't seem to have the execute permission for this app.")
+      end
+    end
+
+    context "when GDS::SSO is configured to treat the request as an API request" do
+      before { allow(GDS::SSO::Config).to receive(:api_only).and_return(true) }
+
+      it "allows a user with the permission to access the resource" do
+        stub_successful_signon_user_request(permissions: %w[execute])
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "restricts a user lacking the permission" do
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:forbidden)
+        expect_json_response(response, { "message" => "Sorry, you don't seem to have the execute permission for this app." })
+      end
+    end
+
+    context "when using bearer token for auth with the mock strategy" do
+      before { use_mock_strategies }
+
+      it "automatically grants permissions configured in GDS:SSO::Config.additional_mock_permissions_required" do
+        allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(%w[execute])
+
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "doesn't grant access without that config" do
+        allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(nil)
+
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:forbidden)
+        expect_json_response(response, { "message" => "Sorry, you don't seem to have the execute permission for this app." })
+      end
+    end
+  end
+
+  context "when accessing a route that is restricted by the authorised user constraint" do
+    it "allows access when an authenticated user has correct permissions" do
+      authenticate_with_stub_signon(permissions: %w[constraint])
+
+      get "/constraint-restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("constraint restricted")
+    end
+
+    it "redirects an unauthenticated request to signon" do
+      get "/constraint-restricted"
+
+      expect(response).to redirect_to("/auth/gds")
+    end
+
+    it "restricts access when an authenticated user does not have the correct permissions" do
+      authenticate_with_stub_signon
+
+      get "/constraint-restricted"
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  def expect_missing_bearer_token_response(response)
+    expect(response.headers).to include("WWW-Authenticate" => 'Bearer error="invalid_request"')
+    expect_json_response(response, { "message" => "No bearer token was provided" })
+  end
+
+  def expect_invalid_bearer_token_response(response)
+    expect(response.headers).to include("WWW-Authenticate" => 'Bearer error="invalid_token"')
+    expect_json_response(response, { "message" => "Bearer token does not appear to be valid" })
+  end
+
+  def expect_json_response(response, json)
+    expect(response.media_type).to eq("application/json")
+    expect(response.parsed_body).to eq(json)
+  end
+
+  def use_mock_strategies
+    # Using allow_any_instance_of because it's hard to access the instance
+    # of the class used within the Rails middleware
+    allow_any_instance_of(Warden::Config).to receive(:[]).and_call_original
+    allow_any_instance_of(Warden::Config)
+      .to receive(:[])
+      .with(:default_strategies)
+      .and_return({ _all: %i[mock_gds_sso gds_bearer_token] })
+
+    allow(Warden::OAuth2.config).to receive(:token_model).and_return(GDS::SSO::MockBearerToken)
+  end
+end

data/spec/spec_helper.rb

@@ -2,7 +2,7 @@
 # Bad things happen if we don't ;-)
 ENV["GDS_SSO_STRATEGY"] = "real"
 
-require "capybara/rspec"
+require "climate_control"
 require "webmock/rspec"
 require "combustion"
 
@@ -12,15 +12,10 @@ Combustion.initialize! :all do
 end
 
 require "rspec/rails"
-require "capybara/rails"
 WebMock.disable_net_connect!
 
 Dir[File.join(File.dirname(__FILE__), "support/**/*.rb")].sort.each { |f| require f }
 
-Capybara.register_driver :rack_test do |app|
-  Capybara::RackTest::Driver.new(app, follow_redirects: false)
-end
-
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
@@ -32,6 +27,20 @@ RSpec.configure do |config|
   #     --seed 1234
   config.order = "random"
 
+  config.include ActiveSupport::Testing::TimeHelpers
   config.include Warden::Test::Helpers
-  config.include Capybara::DSL
+  config.include RequestHelpers, type: :request
+  config.before(:each, type: :request) do
+    # we reload routes each test as GDS::SSO::Config affects what routes are
+    # available, we only want to run this once routes are loaded otherwise
+    # we can lose app routes
+    routes_reloader = Rails.application.routes_reloader
+
+    # Routes changed in Rails 8 to be lazily loaded so this wasn't a problem
+    # before Rails 8.
+    # TODO: remove this line once Rails 7 support is removed
+    next unless routes_reloader.respond_to?(:loaded)
+
+    routes_reloader.reload! if routes_reloader.loaded
+  end
 end

data/spec/support/request_helpers.rb

@@ -0,0 +1,45 @@
+module RequestHelpers
+  def authenticate_with_stub_signon(permissions: [])
+    state = request_to_establish_oauth_state
+
+    stub_signon_oauth_token_request
+    stub_successful_signon_user_request(permissions:)
+
+    get "/auth/gds/callback?code=code&state=#{state}"
+    expect(response).to have_http_status(:redirect)
+  end
+
+  def request_to_establish_oauth_state
+    get "/auth/gds"
+    expect(response).to have_http_status(:redirect)
+    location = URI.parse(response.location)
+    query = Rack::Utils.parse_query(location.query)
+    query.fetch("state")
+  end
+
+  def stub_signon_oauth_token_request
+    stub_request(:post, "http://signon/oauth/access_token")
+      .to_return(body: { access_token: "token" }.to_json,
+                 headers: { content_type: "application/json" })
+  end
+
+  def stub_successful_signon_user_request(permissions: [])
+    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+      .to_return(
+        body: {
+          user: {
+            uid: "123",
+            email: "test-user@example.com",
+            name: "Test User",
+            permissions:,
+          },
+        }.to_json,
+        headers: { content_type: "application/json" },
+      )
+  end
+
+  def stub_failed_signon_user_request
+    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+      .to_return(status: 401)
+  end
+end

data/spec/unit/api_access_spec.rb

@@ -1,17 +1,89 @@
 require "spec_helper"
 require "gds-sso/api_access"
+require "rack/mock_request"
 
 describe GDS::SSO::ApiAccess do
-  it "should not consider IE7 accept header as an api call" do
-    ie7_accept_header = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, " \
-      "application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, " \
-      "application/x-ms-application, */*"
-    expect(GDS::SSO::ApiAccess.api_call?("HTTP_ACCEPT" => ie7_accept_header)).to be_falsey
+  describe ".api_call?" do
+    it "returns true if the rack env has already been tagged as an api_call" do
+      expect(described_class.api_call?({ "gds_sso.api_call" => true })).to be(true)
+    end
+
+    it "returns false if the rack env has already been tagged as not an api_call" do
+      expect(described_class.api_call?({ "gds_sso.api_call" => false })).to be(false)
+    end
+
+    it "returns true if GDS::SSO has been configured as api_only" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      expect(described_class.api_call?({})).to be(true)
+    end
+
+    context "when an api_request_matcher has been configured" do
+      before do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(request) { request.path == "/api" })
+      end
+
+      it "returns true if the request matches the api_request_matcher" do
+        env = Rack::MockRequest.env_for("/api")
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns true if the request is for GDS SSO API at default location" do
+        env = Rack::MockRequest.env_for("/auth/gds/api/#{SecureRandom.uuid}")
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns true if it matches a configured gds_sso_api_request_matcher" do
+        allow(GDS::SSO::Config)
+          .to receive(:gds_sso_api_request_matcher)
+          .and_return(->(request) { request.path == "/special/gds-sso/route" })
+
+        env = Rack::MockRequest.env_for("/special/gds-sso/route")
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns false if the request doesn't match the gds_sso_api_request_matcher or api_request_matcher" do
+        allow(GDS::SSO::Config).to receive(:gds_sso_api_request_matcher).and_return(nil)
+
+        env = Rack::MockRequest.env_for("/other")
+        expect(described_class.api_call?(env)).to be(false)
+      end
+    end
+
+    context "when an api_request_matcher has not been configured" do
+      it "returns true if a bearer token is present" do
+        env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns false if nothing indicates an API call" do
+        expect(described_class.api_call?({})).to be(false)
+      end
+    end
   end
 
-  context "with a bearer token" do
-    it "it is considered an api call" do
-      expect(GDS::SSO::ApiAccess.api_call?("HTTP_AUTHORIZATION" => "Bearer deadbeef12345678")).to be_truthy
+  describe ".bearer_token" do
+    it "returns a bearer token set in a HTTP_AUTHORIZATION header" do
+      env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
+      expect(described_class.bearer_token(env)).to eq("1234:5678")
+    end
+
+    it "returns nil for an empty bearer token in the HTTP_AUTHORIZATION header" do
+      env = { "HTTP_AUTHORIZATION" => "Bearer " }
+      expect(described_class.bearer_token(env)).to be_nil
+    end
+
+    it "supports all the authorization headers configured in Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS" do
+      Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS.each do |header|
+        env = { header => "Bearer 1234" }
+        expect(described_class.bearer_token(env)).to eq("1234")
+      end
+    end
+
+    it "returns nil if a bearer token isn't set" do
+      expect(described_class.bearer_token({})).to be_nil
     end
   end
 end

data/spec/unit/authorised_user_constraint_spec.rb

@@ -3,48 +3,25 @@ require "gds-sso/authorised_user_constraint"
 
 describe GDS::SSO::AuthorisedUserConstraint do
   before do
+    allow(GDS::SSO).to receive(:authenticate_user!).and_return(user)
     allow(GDS::SSO::AuthoriseUser).to receive(:call).and_return(true)
   end
 
   describe "#matches?" do
-    let(:user) { double("user", remotely_signed_out?: remotely_signed_out) }
-    let(:warden) do
-      double(
-        "warden",
-        authenticated?: user_authenticated,
-        user:,
-        authenticate!: nil,
-      )
-    end
-    let(:user_authenticated) { true }
-    let(:remotely_signed_out) { false }
+    let(:user) { TestUser.new }
+    let(:warden) { instance_double("Warden::Proxy") }
     let(:request) { double("request", env: { "warden" => warden }) }
 
-    it "authorises the user" do
-      expect(GDS::SSO::AuthoriseUser).to receive(:call).with(warden.user, %w[signin])
-      expect(warden).not_to receive(:authenticate!)
+    it "authenticates the user" do
+      expect(GDS::SSO).to receive(:authenticate_user!).with(warden)
 
       described_class.new(%w[signin]).matches?(request)
     end
 
-    context "when the user is not authenticated" do
-      let(:user_authenticated) { false }
-
-      it "authenticates the user" do
-        expect(warden).to receive(:authenticate!)
-
-        described_class.new(%w[signin]).matches?(request)
-      end
-    end
-
-    context "when the user is remotely signed out" do
-      let(:remotely_signed_out) { true }
-
-      it "authenticates the user" do
-        expect(warden).to receive(:authenticate!)
+    it "authorises the user" do
+      expect(GDS::SSO::AuthoriseUser).to receive(:call).with(user, %w[signin])
 
-        described_class.new(%w[signin]).matches?(request)
-      end
+      described_class.new(%w[signin]).matches?(request)
     end
   end
 end

data/spec/unit/bearer_token_spec.rb

@@ -25,5 +25,13 @@ describe GDS::SSO::BearerToken do
 
       expect(same_user_again.id).to eql(created_user.id)
     end
+
+    it "returns nil for a nil token string" do
+      expect(described_class.locate(nil)).to be_nil
+    end
+
+    it "returns nil for an empty token string" do
+      expect(described_class.locate("")).to be_nil
+    end
   end
 end

data/spec/unit/gds_sso_spec.rb

@@ -0,0 +1,37 @@
+require "spec_helper"
+
+describe GDS::SSO do
+  describe "#authenticate_user!" do
+    let(:user) { TestUser.new }
+    let(:warden) do
+      instance_double("Warden::Proxy",
+                      authenticate!: true,
+                      authenticated?: false,
+                      user:)
+    end
+
+    context "when a user is not already authenticated" do
+      it "authenticates the user and returns the user object" do
+        expect(described_class.authenticate_user!(warden)).to be(user)
+        expect(warden).to have_received(:authenticate!)
+      end
+    end
+
+    context "when a user is already authenticated and not remotely signed out" do
+      it "doesn't reauthenticate the user" do
+        allow(warden).to receive(:authenticated?).and_return(true)
+        expect(described_class.authenticate_user!(warden)).to be(user)
+
+        expect(warden).not_to have_received(:authenticate!)
+      end
+    end
+
+    context "when a user is already authenticated and remotely signed out" do
+      it "authenticates the user again" do
+        user.remotely_signed_out = true
+        expect(described_class.authenticate_user!(warden)).to be(user)
+        expect(warden).to have_received(:authenticate!)
+      end
+    end
+  end
+end

data/spec/unit/mock_bearer_token_spec.rb

@@ -2,21 +2,60 @@ require "spec_helper"
 require "gds-sso/bearer_token"
 
 describe GDS::SSO::MockBearerToken do
-  it "updates the permissions of the user" do
-    # setup - ensure extra mock permissions required are nil and
-    # call .locate to create the dummy user initially
-    GDS::SSO::Config.additional_mock_permissions_required = nil
-    dummy_user = subject.locate("ABC")
-    expect(dummy_user.permissions).to match_array(%w[signin])
-
-    # add an extra permission
-    GDS::SSO::Config.additional_mock_permissions_required = "extra_permission"
-
-    # ensure the dummy user is returned
-    expect(GDS::SSO).to receive(:test_user).and_return(dummy_user)
-
-    # call .locate again...this should update our permissions
-    dummy_user_two = subject.locate("ABC")
-    expect(dummy_user_two.permissions).to match_array(%w[signin extra_permission])
+  describe ".locate" do
+    it "returns a GDS::SSO.test_user if one is set" do
+      test_user = TestUser.new
+      allow(GDS::SSO).to receive(:test_user).and_return(test_user)
+
+      expect(described_class.locate("anything")).to be(test_user)
+    end
+
+    it "returns nil if ENV['GDS_SSO_MOCK_INVALID'] is set" do
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        expect(described_class.locate("anything")).to be_nil
+      end
+    end
+
+    it "doesn't modify the permissions of GDS::SSO.test_user" do
+      test_user = TestUser.new(permissions: [])
+      allow(GDS::SSO).to receive(:test_user).and_return(test_user)
+      allow(GDS::SSO::Config).to receive(:permissions_for_dummy_api_user)
+        .and_return(%w[signin extra_permission])
+
+      expect(described_class.locate("anything")).to be(test_user)
+      expect(test_user.permissions).not_to include("extra_permission")
+    end
+
+    it "returns a user with dummyapiuser@domain.com if one exists" do
+      test_user = TestUser.new
+      allow(GDS::SSO::Config).to receive(:user_klass).and_return(TestUser)
+      allow(TestUser).to receive(:where).and_return([test_user])
+
+      expect(described_class.locate("anything")).to be(test_user)
+      expect(TestUser).to have_received(:where).with(email: "dummyapiuser@domain.com")
+    end
+
+    it "creates a user with dummyapiuser@domain.com if one does not exist" do
+      allow(GDS::SSO::Config).to receive(:user_klass).and_return(TestUser)
+      allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(nil)
+      allow(TestUser).to receive(:where).and_return([])
+
+      test_user = described_class.locate("anything")
+      expect(test_user).to be_an_instance_of(TestUser)
+      expect(test_user).to have_attributes(email: "dummyapiuser@domain.com",
+                                           name: "Dummy API user created by gds-sso",
+                                           permissions: %w[signin])
+    end
+
+    it "uses GDS::SSO::Config to overwrite any existing permissions" do
+      test_user = TestUser.new(permissions: %w[signin other_permission])
+      allow(GDS::SSO::Config).to receive(:user_klass).and_return(TestUser)
+      allow(TestUser).to receive(:where).and_return([test_user])
+      allow(GDS::SSO::Config).to receive(:permissions_for_dummy_api_user)
+        .and_return(%w[signin extra_permission])
+
+      test_user = described_class.locate("anything")
+      expect(test_user.permissions).to match_array(%w[signin extra_permission])
+    end
   end
 end

data/spec/unit/session_serialisation_spec.rb

@@ -14,11 +14,12 @@ describe Warden::SessionSerializer do
 
   describe "serializing a user" do
     it "should return the uid and an ISO 8601 string timestamp" do
-      Timecop.freeze
-      result = @serializer.serialize(@user)
+      freeze_time do
+        result = @serializer.serialize(@user)
 
-      expect(result).to eq([1234, Time.now.utc.iso8601])
-      expect(result.last).to be_a(String)
+        expect(result).to eq([1234, Time.now.utc.iso8601])
+        expect(result.last).to be_a(String)
+      end
     end
 
     it "should return nil if the user has no uid" do