gds-sso 21.0.0 → 21.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1cce044b9dcc019806b1a70222fb30c99abce4df707245ae7c4d795b92bba8d7
-  data.tar.gz: 966b8b0c9ef7b95ee5ec5229c8f087f1870447d4281b1b7b6bcc5fc5627155a6
+  metadata.gz: 72938e39cf2466b8a2dc2d22aca03d64ff33ab2a8c5d11c0c57f3710a2935205
+  data.tar.gz: 042b5c966919ab345d9ea3dc9e47197947fdd75e51ad263b0f0f038397c09fa9
 SHA512:
-  metadata.gz: 3f3fe06419fd98b0018ff60ce33f45fe6a0173ac2c632009f2ece0d821539ae12503ad5f0a85716d2db16811e3e3bff4e234122ebff71a708fbcba13339bee78
-  data.tar.gz: eb36c389d730f589805c6e17bbdcdbf30f545cd2874431283082a437b0668312e5be7faa062f58149f9e5ea11f653c6ff52e67acace2213ad28f9383896912dc
+  metadata.gz: fdca3de72981e79aa420da0b3d6c4d689fba034d3d3cda4874082efe58bcf056128242ab09a4266b8d11f91da500d47b665e434ccb805a3f6a799d6d29f765f4
+  data.tar.gz: ad252eb2aeaf3986b68b54a15f7f4622f4d56e730d509690e1e80c77be6411201ebf618ba68efebaff825fe731a111de186b439b6834a4c1de91782745658335

data/config/routes.rb

@@ -1,9 +1,10 @@
 Rails.application.routes.draw do
+  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
+  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
+
   next if GDS::SSO::Config.api_only
 
   get "/auth/gds/callback",               to: "authentications#callback", as: :gds_sign_in
   get "/auth/gds/sign_out",               to: "authentications#sign_out", as: :gds_sign_out
-  get  "/auth/failure",                   to: "authentications#failure",  as: :auth_failure
-  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
-  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
+  get "/auth/failure",                    to: "authentications#failure",  as: :auth_failure
 end

data/lib/gds-sso/api_access.rb

@@ -8,7 +8,12 @@ module GDS
         return true if GDS::SSO::Config.api_only
 
         if GDS::SSO::Config.api_request_matcher
-          return GDS::SSO::Config.api_request_matcher.call(Rack::Request.new(env))
+          request = Rack::Request.new(env)
+
+          gds_sso_api_request_matcher = GDS::SSO::Config.gds_sso_api_request_matcher
+          return true if gds_sso_api_request_matcher&.call(request)
+
+          return GDS::SSO::Config.api_request_matcher.call(request)
         end
 
         !bearer_token(env).nil?

data/lib/gds-sso/bearer_token.rb

@@ -58,6 +58,7 @@ module GDS
 
     module MockBearerToken
       def self.locate(_token_string)
+        return unless ENV["GDS_SSO_MOCK_INVALID"].to_s.empty?
         return GDS::SSO.test_user if GDS::SSO.test_user
 
         dummy_api_user = GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first

data/lib/gds-sso/config.rb

@@ -31,6 +31,11 @@ module GDS
 
       mattr_accessor :api_request_matcher
 
+      # A matcher for GDS SSO's own API for updating user details. Shouldn't
+      # need configuring unless you mount the API at a different location.
+      mattr_accessor :gds_sso_api_request_matcher
+      @@gds_sso_api_request_matcher = ->(request) { request.path.start_with?("/auth/gds/api/") }
+
       mattr_accessor :intercept_401_responses
       @@intercept_401_responses = true
 

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "21.0.0".freeze
+    VERSION = "21.1.0".freeze
   end
 end

data/spec/internal/config/routes.rb

@@ -5,7 +5,7 @@ Rails.application.routes.draw do
   get "/restricted" => "example#restricted"
   get "/this-requires-execute-permission" => "example#this_requires_execute_permission"
 
-  constraints(GDS::SSO::AuthorisedUserConstraint.new("execute")) do
+  constraints(GDS::SSO::AuthorisedUserConstraint.new("constraint")) do
     get "/constraint-restricted" => "example#constraint_restricted"
   end
 end

data/spec/request/api/user_spec.rb

@@ -0,0 +1,144 @@
+require "spec_helper"
+
+describe "Api::UserController", type: :request do
+  shared_examples "rejects a request from an unauthenticated user" do |method, path|
+    it "rejects the request when a user is unauthenticated" do
+      stub_failed_signon_user_request
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
+
+  shared_examples "rejects a request from an authenticated user lacking permission" do |method, path|
+    it "rejects the request when a user is authenticated but lacking permission" do
+      stub_successful_signon_user_request(permissions: [])
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  shared_examples "operates as an API endpoint if api_request_matcher doesn't match it" do |method, path|
+    it "doesn't redirect to /auth/gds because it's recognised as an API request" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(_request) { false })
+
+      stub_failed_signon_user_request
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response.media_type).to eq("application/json")
+    end
+  end
+
+  shared_examples "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match" do |method, path|
+    it "fails if gds_sso_api_request_matcher is configured to not match" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(_request) { false })
+
+      allow(GDS::SSO::Config)
+        .to receive(:gds_sso_api_request_matcher)
+        .and_return(nil)
+
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to redirect_to("/auth/gds")
+    end
+  end
+
+  describe "PUT /auth/gds/api/users/:uid" do
+    shared_params = [:put, "/auth/gds/api/users/#{SecureRandom.uuid}"]
+    it_behaves_like "rejects a request from an unauthenticated user", *shared_params
+    it_behaves_like "rejects a request from an authenticated user lacking permission", *shared_params
+    it_behaves_like "operates as an API endpoint if api_request_matcher doesn't match it", *shared_params
+    it_behaves_like "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match", *shared_params
+
+    it "updates an existing user" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      put "/auth/gds/api/users/#{user.uid}",
+          headers: { "Authorization" => "Bearer anything" },
+          params: user_update_params(user, { "name" => "John Matrix" }),
+          as: :json
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+      expect(user.reload.name).to eq("John Matrix")
+    end
+
+    it "creates a new user if a user does not exist" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.new(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      put "/auth/gds/api/users/#{user.uid}",
+          headers: { "Authorization" => "Bearer anything" },
+          params: user_update_params(user),
+          as: :json
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+      expect(User.last.uid).to eq(user.uid)
+    end
+  end
+
+  describe "POST /auth/gds/api/users/:uid/reauth" do
+    shared_params = [:post, "/auth/gds/api/users/#{SecureRandom.uuid}/reauth"]
+    it_behaves_like "rejects a request from an unauthenticated user", *shared_params
+    it_behaves_like "rejects a request from an authenticated user lacking permission", *shared_params
+    it_behaves_like "operates as an API endpoint if api_request_matcher doesn't match it", *shared_params
+    it_behaves_like "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match", *shared_params
+
+    it "flags a user that exists as remotely signed out" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      expect {
+        post "/auth/gds/api/users/#{user.uid}/reauth",
+             headers: { "Authorization" => "Bearer anything" }
+      }.to change { user.reload.remotely_signed_out }.to(true)
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+    end
+
+    it "responds successfully even if the user doesn't exist" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.new(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      post "/auth/gds/api/users/#{user.uid}/reauth",
+           headers: { "Authorization" => "Bearer anything" }
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+    end
+  end
+
+  def user_update_params(user, modifications = {})
+    fields = %i[uid name email permissions organisation_slug organisation_content_id disabled]
+    user_details = user.as_json(only: fields).merge(modifications)
+    { "user" => user_details }
+  end
+end

data/spec/request/authentication_spec.rb

@@ -0,0 +1,77 @@
+require "spec_helper"
+
+describe "AuthenticationController", type: :request do
+  describe "GET /auth/gds/callback" do
+    it "fails without a valid state param" do
+      get "/auth/gds/callback"
+
+      expect(response).to redirect_to("/auth/failure?message=csrf_detected&strategy=gds")
+    end
+
+    it "redirects to the attempted url if a user was restricted earlier in the session" do
+      get "/restricted"
+
+      state = request_to_establish_oauth_state
+
+      stub_signon_oauth_token_request
+      stub_successful_signon_user_request
+
+      get "/auth/gds/callback?state=#{state}"
+      expect(response).to redirect_to("/restricted")
+    end
+
+    it "redirects to the root path if the user hadn't tried to access a restricted url" do
+      state = request_to_establish_oauth_state
+
+      stub_signon_oauth_token_request
+      stub_successful_signon_user_request
+
+      get "/auth/gds/callback?state=#{state}"
+      expect(response).to redirect_to("/")
+    end
+
+    it "uses the OAuth2 proof key for code exchange feature for increased security" do
+      get "/auth/gds"
+
+      expect(response).to have_http_status(:redirect)
+      location = URI.parse(response.location)
+      query = Rack::Utils.parse_query(location.query)
+
+      expect(location.path).to eq("/oauth/authorize")
+      expect(query).to include("code_challenge", "code_challenge_method")
+
+      token_request = stub_request(:post, "http://signon/oauth/access_token")
+                        .with(body: hash_including("code_verifier"))
+
+      get "/auth/gds/callback?state=#{query['state']}"
+
+      expect(token_request).to have_been_made
+    end
+  end
+
+  describe "GET /auth/failure" do
+    it "responds successfully" do
+      get "/auth/failure"
+
+      expect(response).to have_http_status(:success)
+    end
+  end
+
+  describe "GET /auth/gds/sign_out" do
+    it "redirects to signon sign out" do
+      get "/auth/gds/sign_out"
+
+      expect(response).to redirect_to("http://signon/users/sign_out")
+    end
+
+    it "logs an authenticated user out" do
+      authenticate_with_stub_signon
+
+      get "/auth/gds/sign_out"
+
+      # access a restricted route to assert we're logged out
+      get "/restricted"
+      expect(response).to redirect_to("/auth/gds")
+    end
+  end
+end

data/spec/request/demo_app_spec.rb

@@ -0,0 +1,264 @@
+require "spec_helper"
+
+describe "Integration tests with a demo app", type: :request do
+  describe "accessing a route that doesn't require authentication" do
+    it "allows access" do
+      get "/not-restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("jabberwocky")
+    end
+  end
+
+  describe "accessing a route the requires authentication" do
+    context "when GDS::SSO isn't configured to treat this as an explicit API request" do
+      it "redirects an unauthenticated request to sign-in" do
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+
+      it "responds successfully for an authenticated user" do
+        authenticate_with_stub_signon
+
+        get "/restricted"
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "redirects to sign-in if a user is authenticated but remotely signed out" do
+        authenticate_with_stub_signon
+        User.last.set_remotely_signed_out!
+
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+
+      it "redirects to sign-in if a user's session has expired" do
+        authenticate_with_stub_signon
+
+        travel_to(Time.now.utc + GDS::SSO::Config.auth_valid_for + 1.second) do
+          get "/restricted"
+          expect(response).to redirect_to("/auth/gds")
+        end
+      end
+
+      it "allows access when given a valid bearer token" do
+        stub_successful_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "restricts access when given an invalid bearer token" do
+        stub_failed_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer invalid" }
+        expect(response).to have_http_status(:unauthorized)
+        expect_invalid_bearer_token_response(response)
+      end
+    end
+
+    context "when an application is configured as API only" do
+      before { allow(GDS::SSO::Config).to receive(:api_only).and_return(true) }
+
+      it "allows access when given a valid bearer token" do
+        stub_successful_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "rejects a request without a bearer token" do
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+        expect_missing_bearer_token_response(response)
+      end
+
+      it "restricts access for an invalid bearer token" do
+        stub_failed_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer invalid" }
+        expect(response).to have_http_status(:unauthorized)
+        expect_invalid_bearer_token_response(response)
+      end
+    end
+
+    context "when API requests are differentiated by api_request_matcher" do
+      it "treats a match as an API request" do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(request) { request.path == "/restricted" })
+
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+        expect_missing_bearer_token_response(response)
+      end
+
+      it "treats a non-match as a non-API request" do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(_request) { false })
+
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+    end
+  end
+
+  describe "when accessing routes without authentication and using the mock strategies" do
+    before { use_mock_strategies }
+
+    it "allows a user access without authentication" do
+      # non-bearer token mock requests require a user to exist
+      User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      get "/restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("restricted kablooie")
+    end
+
+    it "can be configured to fail authentication with an env var" do
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+    end
+
+    it "allows an API request without a bearer token" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      get "/restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("restricted kablooie")
+    end
+
+    it "can be configured to fail API authentication with an env var" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe "when accessing a route that requires permission" do
+    context "when GDS::SSO isn't configured to treat this as an explicit API request" do
+      it "allows a user with the permission to access the resource" do
+        authenticate_with_stub_signon(permissions: %w[execute])
+
+        get "/this-requires-execute-permission"
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "restricts a user lacking the permission" do
+        authenticate_with_stub_signon
+
+        get "/this-requires-execute-permission"
+        expect(response).to have_http_status(:forbidden)
+        expect(response.body).to include("Sorry, you don't seem to have the execute permission for this app.")
+      end
+    end
+
+    context "when GDS::SSO is configured to treat the request as an API request" do
+      before { allow(GDS::SSO::Config).to receive(:api_only).and_return(true) }
+
+      it "allows a user with the permission to access the resource" do
+        stub_successful_signon_user_request(permissions: %w[execute])
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "restricts a user lacking the permission" do
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:forbidden)
+        expect_json_response(response, { "message" => "Sorry, you don't seem to have the execute permission for this app." })
+      end
+    end
+
+    context "when using bearer token for auth with the mock strategy" do
+      before { use_mock_strategies }
+
+      it "automatically grants permissions configured in GDS:SSO::Config.additional_mock_permissions_required" do
+        allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(%w[execute])
+
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "doesn't grant access without that config" do
+        allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(nil)
+
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:forbidden)
+        expect_json_response(response, { "message" => "Sorry, you don't seem to have the execute permission for this app." })
+      end
+    end
+  end
+
+  context "when accessing a route that is restricted by the authorised user constraint" do
+    it "allows access when an authenticated user has correct permissions" do
+      authenticate_with_stub_signon(permissions: %w[constraint])
+
+      get "/constraint-restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("constraint restricted")
+    end
+
+    it "redirects an unauthenticated request to signon" do
+      get "/constraint-restricted"
+
+      expect(response).to redirect_to("/auth/gds")
+    end
+
+    it "restricts access when an authenticated user does not have the correct permissions" do
+      authenticate_with_stub_signon
+
+      get "/constraint-restricted"
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  def expect_missing_bearer_token_response(response)
+    expect(response.headers).to include("WWW-Authenticate" => 'Bearer error="invalid_request"')
+    expect_json_response(response, { "message" => "No bearer token was provided" })
+  end
+
+  def expect_invalid_bearer_token_response(response)
+    expect(response.headers).to include("WWW-Authenticate" => 'Bearer error="invalid_token"')
+    expect_json_response(response, { "message" => "Bearer token does not appear to be valid" })
+  end
+
+  def expect_json_response(response, json)
+    expect(response.media_type).to eq("application/json")
+    expect(response.parsed_body).to eq(json)
+  end
+
+  def use_mock_strategies
+    # Using allow_any_instance_of because it's hard to access the instance
+    # of the class used within the Rails middleware
+    allow_any_instance_of(Warden::Config).to receive(:[]).and_call_original
+    allow_any_instance_of(Warden::Config)
+      .to receive(:[])
+      .with(:default_strategies)
+      .and_return({ _all: %i[mock_gds_sso gds_bearer_token] })
+
+    allow(Warden::OAuth2.config).to receive(:token_model).and_return(GDS::SSO::MockBearerToken)
+  end
+end

data/spec/spec_helper.rb

@@ -2,7 +2,7 @@
 # Bad things happen if we don't ;-)
 ENV["GDS_SSO_STRATEGY"] = "real"
 
-require "capybara/rspec"
+require "climate_control"
 require "webmock/rspec"
 require "combustion"
 
@@ -12,15 +12,10 @@ Combustion.initialize! :all do
 end
 
 require "rspec/rails"
-require "capybara/rails"
 WebMock.disable_net_connect!
 
 Dir[File.join(File.dirname(__FILE__), "support/**/*.rb")].sort.each { |f| require f }
 
-Capybara.register_driver :rack_test do |app|
-  Capybara::RackTest::Driver.new(app, follow_redirects: false)
-end
-
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
@@ -32,6 +27,20 @@ RSpec.configure do |config|
   #     --seed 1234
   config.order = "random"
 
+  config.include ActiveSupport::Testing::TimeHelpers
   config.include Warden::Test::Helpers
-  config.include Capybara::DSL
+  config.include RequestHelpers, type: :request
+  config.before(:each, type: :request) do
+    # we reload routes each test as GDS::SSO::Config affects what routes are
+    # available, we only want to run this once routes are loaded otherwise
+    # we can lose app routes
+    routes_reloader = Rails.application.routes_reloader
+
+    # Routes changed in Rails 8 to be lazily loaded so this wasn't a problem
+    # before Rails 8.
+    # TODO: remove this line once Rails 7 support is removed
+    next unless routes_reloader.respond_to?(:loaded)
+
+    routes_reloader.reload! if routes_reloader.loaded
+  end
 end

data/spec/support/request_helpers.rb

@@ -0,0 +1,45 @@
+module RequestHelpers
+  def authenticate_with_stub_signon(permissions: [])
+    state = request_to_establish_oauth_state
+
+    stub_signon_oauth_token_request
+    stub_successful_signon_user_request(permissions:)
+
+    get "/auth/gds/callback?code=code&state=#{state}"
+    expect(response).to have_http_status(:redirect)
+  end
+
+  def request_to_establish_oauth_state
+    get "/auth/gds"
+    expect(response).to have_http_status(:redirect)
+    location = URI.parse(response.location)
+    query = Rack::Utils.parse_query(location.query)
+    query.fetch("state")
+  end
+
+  def stub_signon_oauth_token_request
+    stub_request(:post, "http://signon/oauth/access_token")
+      .to_return(body: { access_token: "token" }.to_json,
+                 headers: { content_type: "application/json" })
+  end
+
+  def stub_successful_signon_user_request(permissions: [])
+    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+      .to_return(
+        body: {
+          user: {
+            uid: "123",
+            email: "test-user@example.com",
+            name: "Test User",
+            permissions:,
+          },
+        }.to_json,
+        headers: { content_type: "application/json" },
+      )
+  end
+
+  def stub_failed_signon_user_request
+    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+      .to_return(status: 401)
+  end
+end

data/spec/unit/api_access_spec.rb

@@ -18,31 +18,49 @@ describe GDS::SSO::ApiAccess do
       expect(described_class.api_call?({})).to be(true)
     end
 
-    it "returns true if the request matches the api_request_matcher" do
-      allow(GDS::SSO::Config)
-        .to receive(:api_request_matcher)
-        .and_return(->(request) { request.path == "/api" })
+    context "when an api_request_matcher has been configured" do
+      before do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(request) { request.path == "/api" })
+      end
 
-      env = Rack::MockRequest.env_for("/api")
-      expect(described_class.api_call?(env)).to be(true)
-    end
+      it "returns true if the request matches the api_request_matcher" do
+        env = Rack::MockRequest.env_for("/api")
+        expect(described_class.api_call?(env)).to be(true)
+      end
 
-    it "returns false if the request doesn't match the api_request_matcher" do
-      allow(GDS::SSO::Config)
-        .to receive(:api_request_matcher)
-        .and_return(->(request) { request.path == "/api" })
+      it "returns true if the request is for GDS SSO API at default location" do
+        env = Rack::MockRequest.env_for("/auth/gds/api/#{SecureRandom.uuid}")
+        expect(described_class.api_call?(env)).to be(true)
+      end
 
-      env = Rack::MockRequest.env_for("/other")
-      expect(described_class.api_call?(env)).to be(false)
-    end
+      it "returns true if it matches a configured gds_sso_api_request_matcher" do
+        allow(GDS::SSO::Config)
+          .to receive(:gds_sso_api_request_matcher)
+          .and_return(->(request) { request.path == "/special/gds-sso/route" })
 
-    it "returns true if a bearer token is present" do
-      env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
-      expect(described_class.api_call?(env)).to be(true)
+        env = Rack::MockRequest.env_for("/special/gds-sso/route")
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns false if the request doesn't match the gds_sso_api_request_matcher or api_request_matcher" do
+        allow(GDS::SSO::Config).to receive(:gds_sso_api_request_matcher).and_return(nil)
+
+        env = Rack::MockRequest.env_for("/other")
+        expect(described_class.api_call?(env)).to be(false)
+      end
     end
 
-    it "returns false otherwise" do
-      expect(described_class.api_call?({})).to be(false)
+    context "when an api_request_matcher has not been configured" do
+      it "returns true if a bearer token is present" do
+        env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns false if nothing indicates an API call" do
+        expect(described_class.api_call?({})).to be(false)
+      end
     end
   end
 

data/spec/unit/mock_bearer_token_spec.rb

@@ -10,6 +10,12 @@ describe GDS::SSO::MockBearerToken do
       expect(described_class.locate("anything")).to be(test_user)
     end
 
+    it "returns nil if ENV['GDS_SSO_MOCK_INVALID'] is set" do
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        expect(described_class.locate("anything")).to be_nil
+      end
+    end
+
     it "doesn't modify the permissions of GDS::SSO.test_user" do
       test_user = TestUser.new(permissions: [])
       allow(GDS::SSO).to receive(:test_user).and_return(test_user)

data/spec/unit/session_serialisation_spec.rb

@@ -14,11 +14,12 @@ describe Warden::SessionSerializer do
 
   describe "serializing a user" do
     it "should return the uid and an ISO 8601 string timestamp" do
-      Timecop.freeze
-      result = @serializer.serialize(@user)
+      freeze_time do
+        result = @serializer.serialize(@user)
 
-      expect(result).to eq([1234, Time.now.utc.iso8601])
-      expect(result.last).to be_a(String)
+        expect(result).to eq([1234, Time.now.utc.iso8601])
+        expect(result.last).to be_a(String)
+      end
     end
 
     it "should return nil if the user has no uid" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gds-sso
 version: !ruby/object:Gem::Version
-  version: 21.0.0
+  version: 21.1.0
 platform: ruby
 authors:
 - GOV.UK Dev
@@ -122,19 +122,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.0.1
 - !ruby/object:Gem::Dependency
-  name: capybara
+  name: climate_control
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: combustion
   requirement: !ruby/object:Gem::Requirement
@@ -183,14 +183,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.1.18
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.1.18
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -205,20 +205,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -264,8 +250,6 @@ files:
 - lib/gds-sso/version.rb
 - lib/gds-sso/warden_config.rb
 - lib/omniauth/strategies/gds.rb
-- spec/controller/api_user_controller_spec.rb
-- spec/controller/controller_methods_spec.rb
 - spec/internal/app/assets/config/manifest.js
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/example_controller.rb
@@ -274,17 +258,20 @@ files:
 - spec/internal/config/initializers/gds-sso.rb
 - spec/internal/config/routes.rb
 - spec/internal/db/schema.rb
+- spec/request/api/user_spec.rb
+- spec/request/authentication_spec.rb
+- spec/request/demo_app_spec.rb
 - spec/spec_helper.rb
 - spec/support/controller_spy.rb
+- spec/support/request_helpers.rb
 - spec/support/serializable_user.rb
 - spec/support/test_user.rb
-- spec/support/timecop.rb
-- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
 - spec/unit/authorise_user_spec.rb
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/controller_methods_spec.rb
 - spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb
@@ -312,8 +299,6 @@ rubygems_version: 3.7.1
 specification_version: 4
 summary: Client for GDS' OAuth 2-based SSO
 test_files:
-- spec/controller/api_user_controller_spec.rb
-- spec/controller/controller_methods_spec.rb
 - spec/internal/app/assets/config/manifest.js
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/example_controller.rb
@@ -322,17 +307,20 @@ test_files:
 - spec/internal/config/initializers/gds-sso.rb
 - spec/internal/config/routes.rb
 - spec/internal/db/schema.rb
+- spec/request/api/user_spec.rb
+- spec/request/authentication_spec.rb
+- spec/request/demo_app_spec.rb
 - spec/spec_helper.rb
 - spec/support/controller_spy.rb
+- spec/support/request_helpers.rb
 - spec/support/serializable_user.rb
 - spec/support/test_user.rb
-- spec/support/timecop.rb
-- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
 - spec/unit/authorise_user_spec.rb
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/controller_methods_spec.rb
 - spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb

data/spec/controller/api_user_controller_spec.rb

@@ -1,114 +0,0 @@
-require "spec_helper"
-
-def user_update_json
-  {
-    "user" => {
-      "uid" => @user_to_update.uid,
-      "name" => "Joshua Marshall",
-      "email" => "user@domain.com",
-      "permissions" => ["signin", "new permission"],
-      "organisation_slug" => "justice-league",
-      "organisation_content_id" => "aae1319e-5788-4677-998c-f1a53af528d0",
-      "disabled" => false,
-    },
-  }.to_json
-end
-
-describe Api::UserController, type: :controller do
-  before :each do
-    user_to_update_attrs = [{
-      uid: "a1s2d3#{rand(10_000)}",
-      email: "old@domain.com",
-      name: "Moshua Jarshall",
-      permissions: %w[signin],
-    }]
-
-    signon_sso_push_user_attrs = [{
-      uid: "a1s2d3#{rand(10_000)}",
-      email: "ssopushuser@legit.com",
-      name: "SSO Push user",
-      permissions: %w[signin user_update_permission],
-    }]
-
-    @user_to_update = User.create!(*user_to_update_attrs)
-    @signon_sso_push_user = User.create!(*signon_sso_push_user_attrs)
-  end
-
-  describe "PUT update" do
-    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
-      malicious_user = User.new({
-        uid: "2",
-        name: "User",
-        permissions: %w[signin],
-      })
-
-      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
-
-      request.env["RAW_POST_DATA"] = user_update_json
-      put :update, body: user_update_json, params: { uid: @user_to_update.uid }
-
-      expect(response.status).to eq(403)
-    end
-
-    it "should create/update the user record in the same way as the OAuth callback" do
-      # Test that it authenticates
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      request.env["RAW_POST_DATA"] = user_update_json
-      put :update, body: user_update_json, params: { uid: @user_to_update.uid }
-
-      @user_to_update.reload
-      expect(@user_to_update.name).to eq("Joshua Marshall")
-      expect(@user_to_update.email).to eq("user@domain.com")
-      expect(@user_to_update.permissions).to eq(["signin", "new permission"])
-      expect(@user_to_update.organisation_slug).to eq("justice-league")
-      expect(@user_to_update.organisation_content_id).to eq("aae1319e-5788-4677-998c-f1a53af528d0")
-      expect(response.content_type).to eq("text/plain")
-    end
-  end
-
-  describe "POST reauth" do
-    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
-      malicious_user = User.new({
-        uid: "2",
-        name: "User",
-        permissions: %w[signin],
-      })
-
-      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
-
-      post :reauth, params: { uid: @user_to_update.uid }
-
-      expect(response.status).to eq(403)
-    end
-
-    it "should return success if user record doesn't exist" do
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      post :reauth, params: { uid: "nonexistent-user" }
-
-      expect(response.status).to eq(200)
-      expect(response.content_type).to eq("text/plain")
-    end
-
-    it "should set remotely_signed_out to true on the user" do
-      # Test that it authenticates
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      post :reauth, params: { uid: @user_to_update.uid }
-
-      @user_to_update.reload
-      expect(@user_to_update).to be_remotely_signed_out
-      expect(response.content_type).to eq("text/plain")
-    end
-  end
-end

data/spec/support/timecop.rb

@@ -1,7 +0,0 @@
-require "timecop"
-
-RSpec.configure do |config|
-  config.after :each do
-    Timecop.return
-  end
-end

data/spec/system/authentication_and_authorisation_spec.rb

@@ -1,245 +0,0 @@
-require "spec_helper"
-
-RSpec.describe "Authenication and authorisation" do
-  context "omniauth request phase" do
-    let(:redirect_url) { URI.parse(page.response_headers["Location"]) }
-    let(:authorize_params) { Rack::Utils.parse_query(redirect_url.query) }
-
-    before do
-      visit "/auth/gds"
-    end
-
-    it "includes pkce code_challenge_method in request for /oauth/authorize" do
-      expect(redirect_url.path).to eql("/oauth/authorize")
-      expect(authorize_params["code_challenge_method"]).to eq("S256")
-    end
-
-    it "includes pkce code_challenge in request for /oauth/authorize" do
-      expect(redirect_url.path).to eql("/oauth/authorize")
-      expect(authorize_params["code_challenge"]).to be_present
-    end
-  end
-
-  context "omniauth callback phase" do
-    it "includes pkce code_verifier in request for /oauth/access_token" do
-      visit "/auth/gds"
-
-      redirect_url = URI.parse(page.response_headers["Location"])
-      expect(redirect_url.path).to eql("/oauth/authorize")
-      state = Rack::Utils.parse_query(redirect_url.query)["state"]
-
-      stub_request(:post, "http://signon/oauth/access_token")
-
-      visit "/auth/gds/callback?state=#{state}"
-
-      expect(WebMock).to have_requested(:post, "http://signon/oauth/access_token")
-        .with(body: hash_including({ "code_verifier" => /.*/ }))
-    end
-  end
-
-  context "when accessing a route that doesn't require permissions or authentication" do
-    it "allows access" do
-      visit "/not-restricted"
-      expect(page).to have_content("jabberwocky")
-    end
-  end
-
-  context "when accessing a route that requires authentication" do
-    it "redirects an unauthenticated request to signon" do
-      # We manually follow the redirects because we have configured capybara
-      # to not follow redirects (and thus allow testing an external redirect)
-      visit "/restricted"
-      expect(page.response_headers["Location"]).to match("/auth/gds")
-      visit page.response_headers["Location"]
-      expect(page.response_headers["Location"]).to match("http://signon/oauth/authorize")
-    end
-
-    it "allows access for an authenticated user" do
-      stub_signon_authenticated
-
-      visit "/restricted"
-      expect(page).to have_content("restricted kablooie")
-    end
-
-    it "restricts access if a user is authenticated but remotely signed out" do
-      stub_signon_authenticated
-      User.last.set_remotely_signed_out!
-
-      visit "/restricted"
-      expect(page.status_code).to eql(302)
-      expect(page.response_headers["Location"]).to match("/auth/gds")
-    end
-
-    it "restricts access if a user is authenticated but session has expired" do
-      stub_signon_authenticated
-
-      Timecop.travel(Time.now.utc + GDS::SSO::Config.auth_valid_for + 5.minutes) do
-        visit "/restricted"
-        expect(page.status_code).to eql(302)
-        expect(page.response_headers["Location"]).to match("/auth/gds")
-      end
-    end
-
-    it "restricts access when the request doesn't match the api_request_matcher" do
-      allow(GDS::SSO::Config)
-        .to receive(:api_request_matcher)
-        .and_return(->(_request) { false })
-
-      visit "/restricted"
-      expect(page.status_code).to eql(302)
-      expect(page.response_headers["Location"]).to match("/auth/gds")
-    end
-
-    it "allows access when given a valid bearer token" do
-      stub_signon_user_request
-      page.driver.header("Authorization", "Bearer 123")
-
-      visit "/restricted"
-      expect(page).to have_content("restricted kablooie")
-    end
-
-    it "restricts access when given an invalid bearer token" do
-      stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
-        .to_return(status: 401)
-      page.driver.header("Authorization", "Bearer 123")
-
-      visit "/restricted"
-      expect(page.status_code).to eq(401)
-      expect(page.response_headers["WWW-Authenticate"]).to eq('Bearer error="invalid_token"')
-      expect_json_response({ "message" => "Bearer token does not appear to be valid" })
-    end
-
-    it "returns a JSON 401 when a bearer token is missing and the app is api_only" do
-      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
-
-      visit "/restricted"
-      expect(page.status_code).to eq(401)
-      expect(page.response_headers["WWW-Authenticate"]).to eq('Bearer error="invalid_request"')
-      expect_json_response({ "message" => "No bearer token was provided" })
-    end
-
-    it "returns a JSON 401 when a bearer token is missing and the request matches the api_request_matcher" do
-      allow(GDS::SSO::Config)
-        .to receive(:api_request_matcher)
-        .and_return(->(request) { request.path == "/restricted" })
-
-      visit "/restricted"
-      expect(page.status_code).to eq(401)
-      expect(page.response_headers["WWW-Authenticate"]).to eq('Bearer error="invalid_request"')
-      expect_json_response({ "message" => "No bearer token was provided" })
-    end
-  end
-
-  context "when accessing a route that requires authentication with the mock strategies" do
-    before do
-      # Using allow_any_instance_of because it's hard to access the instance
-      # of the class used within the Rails middleware
-      allow_any_instance_of(Warden::Config).to receive(:[]).and_call_original
-      allow_any_instance_of(Warden::Config)
-        .to receive(:[])
-        .with(:default_strategies)
-        .and_return({ _all: %i[mock_gds_sso gds_bearer_token] })
-
-      allow(Warden::OAuth2.config).to receive(:token_model).and_return(GDS::SSO::MockBearerToken)
-      allow(GDS::SSO).to receive(:test_user).and_return(TestUser.new)
-    end
-
-    it "allows access without being logged in" do
-      visit "/restricted"
-      expect(page.status_code).to eq(200)
-      expect(page.body).to have_content("restricted kablooie")
-    end
-
-    it "allows access to an API mock user" do
-      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
-
-      visit "/restricted"
-      expect(page.status_code).to eq(200)
-      expect(page.body).to have_content("restricted kablooie")
-    end
-  end
-
-  context "when accessing a route that requires a permission" do
-    it "allows access when an authenticated user has the permission" do
-      stub_signon_authenticated(permissions: %w[execute])
-      visit "/this-requires-execute-permission"
-      expect(page).to have_content("you have execute permission")
-    end
-
-    it "restricts access when an authenticated user lacks the permission" do
-      stub_signon_authenticated
-      visit "/this-requires-execute-permission"
-      expect(page.status_code).to eq(403)
-      expect(page).to have_content("Sorry, you don't seem to have the execute permission for this app.")
-    end
-
-    it "returns a JSON response when it's an API call" do
-      allow(GDS::SSO::Config)
-        .to receive(:api_request_matcher)
-        .and_return(->(request) { request.path == "/this-requires-execute-permission" })
-
-      stub_signon_user_request
-      page.driver.header("Authorization", "Bearer 123")
-
-      visit "/this-requires-execute-permission"
-      expect(page.status_code).to eq(403)
-      expect_json_response({ "message" => "Sorry, you don't seem to have the execute permission for this app." })
-    end
-  end
-
-  context "when accessing a route that is restricted by the authorised user constraint" do
-    it "allows access when an authenticated user has correct permissions" do
-      stub_signon_authenticated(permissions: %w[execute])
-      visit "/constraint-restricted"
-      expect(page).to have_content("constraint restricted")
-    end
-
-    it "redirects an unauthenticated request to signon" do
-      visit "/constraint-restricted"
-      expect(page.response_headers["Location"]).to match("/auth/gds")
-      visit page.response_headers["Location"]
-      expect(page.response_headers["Location"]).to match("http://signon/oauth/authorize")
-    end
-
-    it "restricts access when an authenticated user does not have the correct permissions" do
-      stub_signon_authenticated(permissions: %w[no-access])
-      visit "/constraint-restricted"
-      expect(page.status_code).to eq(403)
-    end
-  end
-
-  def stub_signon_authenticated(permissions: [])
-    # visit restricted page to trigger redirect URL to record state attribute
-    visit "/auth/gds"
-    state = CGI.parse(URI.parse(page.response_headers["Location"]).query)
-              .then { |query| query["state"].first }
-
-    stub_request(:post, "http://signon/oauth/access_token")
-      .to_return(body: { access_token: "token" }.to_json,
-                 headers: { content_type: "application/json" })
-
-    stub_signon_user_request(permissions:)
-
-    visit "/auth/gds/callback?code=code&state=#{state}"
-  end
-
-  def stub_signon_user_request(permissions: [])
-    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
-      .to_return(
-        body: {
-          user: {
-            uid: "123",
-            email: "test-user@example.com",
-            name: "Test User",
-            permissions:,
-          },
-        }.to_json,
-        headers: { content_type: "application/json" },
-      )
-  end
-
-  def expect_json_response(json_match)
-    expect(page.response_headers["content-type"]).to match(/application\/json/)
-    expect(JSON.parse(page.body)).to match(json_match)
-  end
-end