gds-sso 20.0.0 → 21.1.0

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: gds-sso
 version: !ruby/object:Gem::Version
-  version: 20.0.0
+  version: 21.1.0
 platform: ruby
 authors:
 - GOV.UK Dev
 bindir: bin
 cert_chain: []
-date: 2025-03-26 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -65,6 +65,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -108,19 +122,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.0.1
 - !ruby/object:Gem::Dependency
-  name: capybara
+  name: climate_control
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: combustion
   requirement: !ruby/object:Gem::Requirement
@@ -169,14 +183,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.1.18
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.1.18
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -191,20 +205,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -250,8 +250,6 @@ files:
 - lib/gds-sso/version.rb
 - lib/gds-sso/warden_config.rb
 - lib/omniauth/strategies/gds.rb
-- spec/controller/api_user_controller_spec.rb
-- spec/controller/controller_methods_spec.rb
 - spec/internal/app/assets/config/manifest.js
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/example_controller.rb
@@ -260,17 +258,21 @@ files:
 - spec/internal/config/initializers/gds-sso.rb
 - spec/internal/config/routes.rb
 - spec/internal/db/schema.rb
+- spec/request/api/user_spec.rb
+- spec/request/authentication_spec.rb
+- spec/request/demo_app_spec.rb
 - spec/spec_helper.rb
 - spec/support/controller_spy.rb
+- spec/support/request_helpers.rb
 - spec/support/serializable_user.rb
 - spec/support/test_user.rb
-- spec/support/timecop.rb
-- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
 - spec/unit/authorise_user_spec.rb
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/controller_methods_spec.rb
+- spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb
 - spec/unit/session_serialisation_spec.rb
@@ -293,12 +295,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.6
+rubygems_version: 3.7.1
 specification_version: 4
 summary: Client for GDS' OAuth 2-based SSO
 test_files:
-- spec/controller/api_user_controller_spec.rb
-- spec/controller/controller_methods_spec.rb
 - spec/internal/app/assets/config/manifest.js
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/example_controller.rb
@@ -307,17 +307,21 @@ test_files:
 - spec/internal/config/initializers/gds-sso.rb
 - spec/internal/config/routes.rb
 - spec/internal/db/schema.rb
+- spec/request/api/user_spec.rb
+- spec/request/authentication_spec.rb
+- spec/request/demo_app_spec.rb
 - spec/spec_helper.rb
 - spec/support/controller_spy.rb
+- spec/support/request_helpers.rb
 - spec/support/serializable_user.rb
 - spec/support/test_user.rb
-- spec/support/timecop.rb
-- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
 - spec/unit/authorise_user_spec.rb
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/controller_methods_spec.rb
+- spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb
 - spec/unit/session_serialisation_spec.rb

data/spec/controller/api_user_controller_spec.rb

@@ -1,114 +0,0 @@
-require "spec_helper"
-
-def user_update_json
-  {
-    "user" => {
-      "uid" => @user_to_update.uid,
-      "name" => "Joshua Marshall",
-      "email" => "user@domain.com",
-      "permissions" => ["signin", "new permission"],
-      "organisation_slug" => "justice-league",
-      "organisation_content_id" => "aae1319e-5788-4677-998c-f1a53af528d0",
-      "disabled" => false,
-    },
-  }.to_json
-end
-
-describe Api::UserController, type: :controller do
-  before :each do
-    user_to_update_attrs = [{
-      uid: "a1s2d3#{rand(10_000)}",
-      email: "old@domain.com",
-      name: "Moshua Jarshall",
-      permissions: %w[signin],
-    }]
-
-    signon_sso_push_user_attrs = [{
-      uid: "a1s2d3#{rand(10_000)}",
-      email: "ssopushuser@legit.com",
-      name: "SSO Push user",
-      permissions: %w[signin user_update_permission],
-    }]
-
-    @user_to_update = User.create!(*user_to_update_attrs)
-    @signon_sso_push_user = User.create!(*signon_sso_push_user_attrs)
-  end
-
-  describe "PUT update" do
-    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
-      malicious_user = User.new({
-        uid: "2",
-        name: "User",
-        permissions: %w[signin],
-      })
-
-      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
-
-      request.env["RAW_POST_DATA"] = user_update_json
-      put :update, body: user_update_json, params: { uid: @user_to_update.uid }
-
-      expect(response.status).to eq(403)
-    end
-
-    it "should create/update the user record in the same way as the OAuth callback" do
-      # Test that it authenticates
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      request.env["RAW_POST_DATA"] = user_update_json
-      put :update, body: user_update_json, params: { uid: @user_to_update.uid }
-
-      @user_to_update.reload
-      expect(@user_to_update.name).to eq("Joshua Marshall")
-      expect(@user_to_update.email).to eq("user@domain.com")
-      expect(@user_to_update.permissions).to eq(["signin", "new permission"])
-      expect(@user_to_update.organisation_slug).to eq("justice-league")
-      expect(@user_to_update.organisation_content_id).to eq("aae1319e-5788-4677-998c-f1a53af528d0")
-      expect(response.content_type).to eq("text/plain")
-    end
-  end
-
-  describe "POST reauth" do
-    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
-      malicious_user = User.new({
-        uid: "2",
-        name: "User",
-        permissions: %w[signin],
-      })
-
-      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
-
-      post :reauth, params: { uid: @user_to_update.uid }
-
-      expect(response.status).to eq(403)
-    end
-
-    it "should return success if user record doesn't exist" do
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      post :reauth, params: { uid: "nonexistent-user" }
-
-      expect(response.status).to eq(200)
-      expect(response.content_type).to eq("text/plain")
-    end
-
-    it "should set remotely_signed_out to true on the user" do
-      # Test that it authenticates
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      post :reauth, params: { uid: @user_to_update.uid }
-
-      @user_to_update.reload
-      expect(@user_to_update).to be_remotely_signed_out
-      expect(response.content_type).to eq("text/plain")
-    end
-  end
-end

data/spec/support/timecop.rb

@@ -1,7 +0,0 @@
-require "timecop"
-
-RSpec.configure do |config|
-  config.after :each do
-    Timecop.return
-  end
-end

data/spec/system/authentication_and_authorisation_spec.rb

@@ -1,172 +0,0 @@
-require "spec_helper"
-
-RSpec.describe "Authenication and authorisation" do
-  context "omniauth request phase" do
-    let(:redirect_url) { URI.parse(page.response_headers["Location"]) }
-    let(:authorize_params) { Rack::Utils.parse_query(redirect_url.query) }
-
-    before do
-      visit "/auth/gds"
-    end
-
-    it "includes pkce code_challenge_method in request for /oauth/authorize" do
-      expect(redirect_url.path).to eql("/oauth/authorize")
-      expect(authorize_params["code_challenge_method"]).to eq("S256")
-    end
-
-    it "includes pkce code_challenge in request for /oauth/authorize" do
-      expect(redirect_url.path).to eql("/oauth/authorize")
-      expect(authorize_params["code_challenge"]).to be_present
-    end
-  end
-
-  context "omniauth callback phase" do
-    it "includes pkce code_verifier in request for /oauth/access_token" do
-      visit "/auth/gds"
-
-      redirect_url = URI.parse(page.response_headers["Location"])
-      expect(redirect_url.path).to eql("/oauth/authorize")
-      state = Rack::Utils.parse_query(redirect_url.query)["state"]
-
-      stub_request(:post, "http://signon/oauth/access_token")
-
-      visit "/auth/gds/callback?state=#{state}"
-
-      expect(WebMock).to have_requested(:post, "http://signon/oauth/access_token")
-        .with(body: hash_including({ "code_verifier" => /.*/ }))
-    end
-  end
-
-  context "when accessing a route that doesn't require permissions or authentication" do
-    it "allows access" do
-      visit "/not-restricted"
-      expect(page).to have_content("jabberwocky")
-    end
-  end
-
-  context "when accessing a route that requires authentication" do
-    it "redirects an unauthenticated request to signon" do
-      # We manually follow the redirects because we have configured capybara
-      # to not follow redirects (and thus allow testing an external redirect)
-      visit "/restricted"
-      expect(page.response_headers["Location"]).to match("/auth/gds")
-      visit page.response_headers["Location"]
-      expect(page.response_headers["Location"]).to match("http://signon/oauth/authorize")
-    end
-
-    it "allows access for an authenticated user" do
-      stub_signon_authenticated
-
-      visit "/restricted"
-      expect(page).to have_content("restricted kablooie")
-    end
-
-    it "restricts access if a user is authenticated but remotely signed out" do
-      stub_signon_authenticated
-      User.last.set_remotely_signed_out!
-
-      visit "/restricted"
-      expect(page.status_code).to eql(302)
-      expect(page.response_headers["Location"]).to match("/auth/gds")
-    end
-
-    it "restricts access if a user is authenticated but session has expired" do
-      stub_signon_authenticated
-
-      Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for + 5.minutes) do
-        visit "/restricted"
-        expect(page.status_code).to eql(302)
-        expect(page.response_headers["Location"]).to match("/auth/gds")
-      end
-    end
-
-    it "allows access when given a valid bearer token" do
-      stub_signon_user_request
-      page.driver.header("Authorization", "Bearer 123")
-
-      visit "/restricted"
-      expect(page).to have_content("restricted kablooie")
-    end
-
-    it "restricts access when given an invalid bearer token" do
-      stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
-        .to_return(status: 401)
-      page.driver.header("Authorization", "Bearer 123")
-
-      visit "/restricted"
-      expect(page.status_code).to eq(401)
-    end
-
-    it "returns a 401 when a bearer token is missing and the app is api_only" do
-      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
-
-      visit "/restricted"
-      expect(page.status_code).to eq(401)
-    end
-  end
-
-  context "when accessing a route that requires a permission" do
-    it "allows access when an authenticated user has the permission" do
-      stub_signon_authenticated(permissions: %w[execute])
-      visit "/this-requires-execute-permission"
-      expect(page).to have_content("you have execute permission")
-    end
-
-    it "restricts access when an authenticated user lacks the permission" do
-      stub_signon_authenticated
-      visit "/this-requires-execute-permission"
-      expect(page.status_code).to eq(403)
-    end
-  end
-
-  context "when accessing a route that is restricted by the authorised user constraint" do
-    it "allows access when an authenticated user has correct permissions" do
-      stub_signon_authenticated(permissions: %w[execute])
-      visit "/constraint-restricted"
-      expect(page).to have_content("constraint restricted")
-    end
-
-    it "redirects an unauthenticated request to signon" do
-      visit "/constraint-restricted"
-      expect(page.response_headers["Location"]).to match("/auth/gds")
-      visit page.response_headers["Location"]
-      expect(page.response_headers["Location"]).to match("http://signon/oauth/authorize")
-    end
-
-    it "restricts access when an authenticated user does not have the correct permissions" do
-      stub_signon_authenticated(permissions: %w[no-access])
-      visit "/constraint-restricted"
-      expect(page.status_code).to eq(403)
-    end
-  end
-
-  def stub_signon_authenticated(permissions: [])
-    # visit restricted page to trigger redirect URL to record state attribute
-    visit "/auth/gds"
-    state = CGI.parse(URI.parse(page.response_headers["Location"]).query)
-              .then { |query| query["state"].first }
-
-    stub_request(:post, "http://signon/oauth/access_token")
-      .to_return(body: { access_token: "token" }.to_json,
-                 headers: { content_type: "application/json" })
-
-    stub_signon_user_request(permissions:)
-
-    visit "/auth/gds/callback?code=code&state=#{state}"
-  end
-
-  def stub_signon_user_request(permissions: [])
-    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
-      .to_return(
-        body: {
-          user: {
-            uid: "123",
-            email: "test-user@example.com",
-            name: "Test User",
-            permissions:,
-          },
-        }.to_json,
-        headers: { content_type: "application/json" },
-      )
-  end
-end