gds-sso 21.0.0 → 22.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1cce044b9dcc019806b1a70222fb30c99abce4df707245ae7c4d795b92bba8d7
-  data.tar.gz: 966b8b0c9ef7b95ee5ec5229c8f087f1870447d4281b1b7b6bcc5fc5627155a6
+  metadata.gz: cc434aa156074fb389c79d10a05993a5493d692a06af85e7d1409b6329ad296e
+  data.tar.gz: 2a4625eae41416c741ed0c0288eb7f4f4d4cb19d78338e5e967ea2761149e6f1
 SHA512:
-  metadata.gz: 3f3fe06419fd98b0018ff60ce33f45fe6a0173ac2c632009f2ece0d821539ae12503ad5f0a85716d2db16811e3e3bff4e234122ebff71a708fbcba13339bee78
-  data.tar.gz: eb36c389d730f589805c6e17bbdcdbf30f545cd2874431283082a437b0668312e5be7faa062f58149f9e5ea11f653c6ff52e67acace2213ad28f9383896912dc
+  metadata.gz: 35c3637ecf9de2b951b2367924f4b4aff1538a84e2ba0c318ef79dc95eccdd075d9f1c176feaed71dc60a03f8b2d6891bcf08148d85571cfadff303ccaf904ae
+  data.tar.gz: f9c2193558be493ce2f58414c72cb9ec240f835e2e3d5005cfa271716d9b504bbfbba080e487443b4905071209876acd5886f0280ce83630305ae1d2d254d7ae

data/config/routes.rb

@@ -1,9 +1,10 @@
 Rails.application.routes.draw do
+  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
+  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
+
   next if GDS::SSO::Config.api_only
 
   get "/auth/gds/callback",               to: "authentications#callback", as: :gds_sign_in
   get "/auth/gds/sign_out",               to: "authentications#sign_out", as: :gds_sign_out
-  get  "/auth/failure",                   to: "authentications#failure",  as: :auth_failure
-  put  "/auth/gds/api/users/:uid",        to: "api/user#update"
-  post "/auth/gds/api/users/:uid/reauth", to: "api/user#reauth"
+  get "/auth/failure",                    to: "authentications#failure",  as: :auth_failure
 end

data/lib/gds-sso/api_access.rb

@@ -8,7 +8,12 @@ module GDS
         return true if GDS::SSO::Config.api_only
 
         if GDS::SSO::Config.api_request_matcher
-          return GDS::SSO::Config.api_request_matcher.call(Rack::Request.new(env))
+          request = Rack::Request.new(env)
+
+          gds_sso_api_request_matcher = GDS::SSO::Config.gds_sso_api_request_matcher
+          return true if gds_sso_api_request_matcher&.call(request)
+
+          return GDS::SSO::Config.api_request_matcher.call(request)
         end
 
         !bearer_token(env).nil?

data/lib/gds-sso/bearer_token.rb

@@ -58,6 +58,7 @@ module GDS
 
     module MockBearerToken
       def self.locate(_token_string)
+        return unless ENV["GDS_SSO_MOCK_INVALID"].to_s.empty?
         return GDS::SSO.test_user if GDS::SSO.test_user
 
         dummy_api_user = GDS::SSO::Config.user_klass.where(email: "dummyapiuser@domain.com").first

data/lib/gds-sso/config.rb

@@ -31,6 +31,11 @@ module GDS
 
       mattr_accessor :api_request_matcher
 
+      # A matcher for GDS SSO's own API for updating user details. Shouldn't
+      # need configuring unless you mount the API at a different location.
+      mattr_accessor :gds_sso_api_request_matcher
+      @@gds_sso_api_request_matcher = ->(request) { request.path.start_with?("/auth/gds/api/") }
+
       mattr_accessor :intercept_401_responses
       @@intercept_401_responses = true
 

data/lib/gds-sso/failure_app.rb

@@ -6,6 +6,8 @@ require "rails"
 module GDS
   module SSO
     class FailureApp < ActionController::Metal
+      MAX_RETURN_TO_PATH_SIZE = 2048
+
       include ActionController::Redirecting
       include AbstractController::Rendering
       include ActionController::Rendering
@@ -44,7 +46,12 @@ module GDS
 
       # TOTALLY NOT DOING THE SCOPE THING. PROBABLY SHOULD.
       def store_location!
-        session["return_to"] = request.env["warden.options"][:attempted_path] if request.get?
+        return unless request.get?
+
+        attempted_path = request.env["warden.options"][:attempted_path]
+        return if attempted_path.bytesize > MAX_RETURN_TO_PATH_SIZE
+
+        session["return_to"] = attempted_path
       end
 
     private

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "21.0.0".freeze
+    VERSION = "22.0.0".freeze
   end
 end

data/spec/internal/config/routes.rb

@@ -5,7 +5,7 @@ Rails.application.routes.draw do
   get "/restricted" => "example#restricted"
   get "/this-requires-execute-permission" => "example#this_requires_execute_permission"
 
-  constraints(GDS::SSO::AuthorisedUserConstraint.new("execute")) do
+  constraints(GDS::SSO::AuthorisedUserConstraint.new("constraint")) do
     get "/constraint-restricted" => "example#constraint_restricted"
   end
 end

data/spec/request/api/user_spec.rb

@@ -0,0 +1,144 @@
+require "spec_helper"
+
+describe "Api::UserController", type: :request do
+  shared_examples "rejects a request from an unauthenticated user" do |method, path|
+    it "rejects the request when a user is unauthenticated" do
+      stub_failed_signon_user_request
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
+
+  shared_examples "rejects a request from an authenticated user lacking permission" do |method, path|
+    it "rejects the request when a user is authenticated but lacking permission" do
+      stub_successful_signon_user_request(permissions: [])
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  shared_examples "operates as an API endpoint if api_request_matcher doesn't match it" do |method, path|
+    it "doesn't redirect to /auth/gds because it's recognised as an API request" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(_request) { false })
+
+      stub_failed_signon_user_request
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response.media_type).to eq("application/json")
+    end
+  end
+
+  shared_examples "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match" do |method, path|
+    it "fails if gds_sso_api_request_matcher is configured to not match" do
+      allow(GDS::SSO::Config)
+        .to receive(:api_request_matcher)
+        .and_return(->(_request) { false })
+
+      allow(GDS::SSO::Config)
+        .to receive(:gds_sso_api_request_matcher)
+        .and_return(nil)
+
+      public_send(method, path, headers: { "Authorization" => "Bearer anything" })
+      expect(response).to redirect_to("/auth/gds")
+    end
+  end
+
+  describe "PUT /auth/gds/api/users/:uid" do
+    shared_params = [:put, "/auth/gds/api/users/#{SecureRandom.uuid}"]
+    it_behaves_like "rejects a request from an unauthenticated user", *shared_params
+    it_behaves_like "rejects a request from an authenticated user lacking permission", *shared_params
+    it_behaves_like "operates as an API endpoint if api_request_matcher doesn't match it", *shared_params
+    it_behaves_like "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match", *shared_params
+
+    it "updates an existing user" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      put "/auth/gds/api/users/#{user.uid}",
+          headers: { "Authorization" => "Bearer anything" },
+          params: user_update_params(user, { "name" => "John Matrix" }),
+          as: :json
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+      expect(user.reload.name).to eq("John Matrix")
+    end
+
+    it "creates a new user if a user does not exist" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.new(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      put "/auth/gds/api/users/#{user.uid}",
+          headers: { "Authorization" => "Bearer anything" },
+          params: user_update_params(user),
+          as: :json
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+      expect(User.last.uid).to eq(user.uid)
+    end
+  end
+
+  describe "POST /auth/gds/api/users/:uid/reauth" do
+    shared_params = [:post, "/auth/gds/api/users/#{SecureRandom.uuid}/reauth"]
+    it_behaves_like "rejects a request from an unauthenticated user", *shared_params
+    it_behaves_like "rejects a request from an authenticated user lacking permission", *shared_params
+    it_behaves_like "operates as an API endpoint if api_request_matcher doesn't match it", *shared_params
+    it_behaves_like "redirects to /auth/gds if gds_sso_api_request_matcher is configured to not match", *shared_params
+
+    it "flags a user that exists as remotely signed out" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      expect {
+        post "/auth/gds/api/users/#{user.uid}/reauth",
+             headers: { "Authorization" => "Bearer anything" }
+      }.to change { user.reload.remotely_signed_out }.to(true)
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+    end
+
+    it "responds successfully even if the user doesn't exist" do
+      stub_successful_signon_user_request(permissions: %w[user_update_permission])
+
+      user = User.new(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      post "/auth/gds/api/users/#{user.uid}/reauth",
+           headers: { "Authorization" => "Bearer anything" }
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("")
+    end
+  end
+
+  def user_update_params(user, modifications = {})
+    fields = %i[uid name email permissions organisation_slug organisation_content_id disabled]
+    user_details = user.as_json(only: fields).merge(modifications)
+    { "user" => user_details }
+  end
+end

data/spec/request/authentication_spec.rb

@@ -0,0 +1,77 @@
+require "spec_helper"
+
+describe "AuthenticationController", type: :request do
+  describe "GET /auth/gds/callback" do
+    it "fails without a valid state param" do
+      get "/auth/gds/callback"
+
+      expect(response).to redirect_to("/auth/failure?message=csrf_detected&strategy=gds")
+    end
+
+    it "redirects to the attempted url if a user was restricted earlier in the session" do
+      get "/restricted"
+
+      state = request_to_establish_oauth_state
+
+      stub_signon_oauth_token_request
+      stub_successful_signon_user_request
+
+      get "/auth/gds/callback?state=#{state}"
+      expect(response).to redirect_to("/restricted")
+    end
+
+    it "redirects to the root path if the user hadn't tried to access a restricted url" do
+      state = request_to_establish_oauth_state
+
+      stub_signon_oauth_token_request
+      stub_successful_signon_user_request
+
+      get "/auth/gds/callback?state=#{state}"
+      expect(response).to redirect_to("/")
+    end
+
+    it "uses the OAuth2 proof key for code exchange feature for increased security" do
+      get "/auth/gds"
+
+      expect(response).to have_http_status(:redirect)
+      location = URI.parse(response.location)
+      query = Rack::Utils.parse_query(location.query)
+
+      expect(location.path).to eq("/oauth/authorize")
+      expect(query).to include("code_challenge", "code_challenge_method")
+
+      token_request = stub_request(:post, "http://signon/oauth/access_token")
+                        .with(body: hash_including("code_verifier"))
+
+      get "/auth/gds/callback?state=#{query['state']}"
+
+      expect(token_request).to have_been_made
+    end
+  end
+
+  describe "GET /auth/failure" do
+    it "responds successfully" do
+      get "/auth/failure"
+
+      expect(response).to have_http_status(:success)
+    end
+  end
+
+  describe "GET /auth/gds/sign_out" do
+    it "redirects to signon sign out" do
+      get "/auth/gds/sign_out"
+
+      expect(response).to redirect_to("http://signon/users/sign_out")
+    end
+
+    it "logs an authenticated user out" do
+      authenticate_with_stub_signon
+
+      get "/auth/gds/sign_out"
+
+      # access a restricted route to assert we're logged out
+      get "/restricted"
+      expect(response).to redirect_to("/auth/gds")
+    end
+  end
+end

data/spec/request/demo_app_spec.rb

@@ -0,0 +1,264 @@
+require "spec_helper"
+
+describe "Integration tests with a demo app", type: :request do
+  describe "accessing a route that doesn't require authentication" do
+    it "allows access" do
+      get "/not-restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("jabberwocky")
+    end
+  end
+
+  describe "accessing a route the requires authentication" do
+    context "when GDS::SSO isn't configured to treat this as an explicit API request" do
+      it "redirects an unauthenticated request to sign-in" do
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+
+      it "responds successfully for an authenticated user" do
+        authenticate_with_stub_signon
+
+        get "/restricted"
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "redirects to sign-in if a user is authenticated but remotely signed out" do
+        authenticate_with_stub_signon
+        User.last.set_remotely_signed_out!
+
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+
+      it "redirects to sign-in if a user's session has expired" do
+        authenticate_with_stub_signon
+
+        travel_to(Time.now.utc + GDS::SSO::Config.auth_valid_for + 1.second) do
+          get "/restricted"
+          expect(response).to redirect_to("/auth/gds")
+        end
+      end
+
+      it "allows access when given a valid bearer token" do
+        stub_successful_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "restricts access when given an invalid bearer token" do
+        stub_failed_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer invalid" }
+        expect(response).to have_http_status(:unauthorized)
+        expect_invalid_bearer_token_response(response)
+      end
+    end
+
+    context "when an application is configured as API only" do
+      before { allow(GDS::SSO::Config).to receive(:api_only).and_return(true) }
+
+      it "allows access when given a valid bearer token" do
+        stub_successful_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("restricted kablooie")
+      end
+
+      it "rejects a request without a bearer token" do
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+        expect_missing_bearer_token_response(response)
+      end
+
+      it "restricts access for an invalid bearer token" do
+        stub_failed_signon_user_request
+
+        get "/restricted", headers: { "Authorization" => "Bearer invalid" }
+        expect(response).to have_http_status(:unauthorized)
+        expect_invalid_bearer_token_response(response)
+      end
+    end
+
+    context "when API requests are differentiated by api_request_matcher" do
+      it "treats a match as an API request" do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(request) { request.path == "/restricted" })
+
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+        expect_missing_bearer_token_response(response)
+      end
+
+      it "treats a non-match as a non-API request" do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(_request) { false })
+
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+    end
+  end
+
+  describe "when accessing routes without authentication and using the mock strategies" do
+    before { use_mock_strategies }
+
+    it "allows a user access without authentication" do
+      # non-bearer token mock requests require a user to exist
+      User.create!(
+        uid: SecureRandom.uuid,
+        email: "user@example.com",
+        name: "Example User",
+        permissions: [],
+      )
+
+      get "/restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("restricted kablooie")
+    end
+
+    it "can be configured to fail authentication with an env var" do
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        get "/restricted"
+        expect(response).to redirect_to("/auth/gds")
+      end
+    end
+
+    it "allows an API request without a bearer token" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      get "/restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("restricted kablooie")
+    end
+
+    it "can be configured to fail API authentication with an env var" do
+      allow(GDS::SSO::Config).to receive(:api_only).and_return(true)
+
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        get "/restricted"
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe "when accessing a route that requires permission" do
+    context "when GDS::SSO isn't configured to treat this as an explicit API request" do
+      it "allows a user with the permission to access the resource" do
+        authenticate_with_stub_signon(permissions: %w[execute])
+
+        get "/this-requires-execute-permission"
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "restricts a user lacking the permission" do
+        authenticate_with_stub_signon
+
+        get "/this-requires-execute-permission"
+        expect(response).to have_http_status(:forbidden)
+        expect(response.body).to include("Sorry, you don't seem to have the execute permission for this app.")
+      end
+    end
+
+    context "when GDS::SSO is configured to treat the request as an API request" do
+      before { allow(GDS::SSO::Config).to receive(:api_only).and_return(true) }
+
+      it "allows a user with the permission to access the resource" do
+        stub_successful_signon_user_request(permissions: %w[execute])
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "restricts a user lacking the permission" do
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:forbidden)
+        expect_json_response(response, { "message" => "Sorry, you don't seem to have the execute permission for this app." })
+      end
+    end
+
+    context "when using bearer token for auth with the mock strategy" do
+      before { use_mock_strategies }
+
+      it "automatically grants permissions configured in GDS:SSO::Config.additional_mock_permissions_required" do
+        allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(%w[execute])
+
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:success)
+        expect(response.body).to eq("you have execute permission")
+      end
+
+      it "doesn't grant access without that config" do
+        allow(GDS::SSO::Config).to receive(:additional_mock_permissions_required).and_return(nil)
+
+        stub_successful_signon_user_request
+
+        get "/this-requires-execute-permission", headers: { "Authorization" => "Bearer 123" }
+        expect(response).to have_http_status(:forbidden)
+        expect_json_response(response, { "message" => "Sorry, you don't seem to have the execute permission for this app." })
+      end
+    end
+  end
+
+  context "when accessing a route that is restricted by the authorised user constraint" do
+    it "allows access when an authenticated user has correct permissions" do
+      authenticate_with_stub_signon(permissions: %w[constraint])
+
+      get "/constraint-restricted"
+      expect(response).to have_http_status(:success)
+      expect(response.body).to eq("constraint restricted")
+    end
+
+    it "redirects an unauthenticated request to signon" do
+      get "/constraint-restricted"
+
+      expect(response).to redirect_to("/auth/gds")
+    end
+
+    it "restricts access when an authenticated user does not have the correct permissions" do
+      authenticate_with_stub_signon
+
+      get "/constraint-restricted"
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
+  def expect_missing_bearer_token_response(response)
+    expect(response.headers).to include("WWW-Authenticate" => 'Bearer error="invalid_request"')
+    expect_json_response(response, { "message" => "No bearer token was provided" })
+  end
+
+  def expect_invalid_bearer_token_response(response)
+    expect(response.headers).to include("WWW-Authenticate" => 'Bearer error="invalid_token"')
+    expect_json_response(response, { "message" => "Bearer token does not appear to be valid" })
+  end
+
+  def expect_json_response(response, json)
+    expect(response.media_type).to eq("application/json")
+    expect(response.parsed_body).to eq(json)
+  end
+
+  def use_mock_strategies
+    # Using allow_any_instance_of because it's hard to access the instance
+    # of the class used within the Rails middleware
+    allow_any_instance_of(Warden::Config).to receive(:[]).and_call_original
+    allow_any_instance_of(Warden::Config)
+      .to receive(:[])
+      .with(:default_strategies)
+      .and_return({ _all: %i[mock_gds_sso gds_bearer_token] })
+
+    allow(Warden::OAuth2.config).to receive(:token_model).and_return(GDS::SSO::MockBearerToken)
+  end
+end

data/spec/spec_helper.rb

@@ -2,7 +2,7 @@
 # Bad things happen if we don't ;-)
 ENV["GDS_SSO_STRATEGY"] = "real"
 
-require "capybara/rspec"
+require "climate_control"
 require "webmock/rspec"
 require "combustion"
 
@@ -12,15 +12,10 @@ Combustion.initialize! :all do
 end
 
 require "rspec/rails"
-require "capybara/rails"
 WebMock.disable_net_connect!
 
 Dir[File.join(File.dirname(__FILE__), "support/**/*.rb")].sort.each { |f| require f }
 
-Capybara.register_driver :rack_test do |app|
-  Capybara::RackTest::Driver.new(app, follow_redirects: false)
-end
-
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
@@ -32,6 +27,20 @@ RSpec.configure do |config|
   #     --seed 1234
   config.order = "random"
 
+  config.include ActiveSupport::Testing::TimeHelpers
   config.include Warden::Test::Helpers
-  config.include Capybara::DSL
+  config.include RequestHelpers, type: :request
+  config.before(:each, type: :request) do
+    # we reload routes each test as GDS::SSO::Config affects what routes are
+    # available, we only want to run this once routes are loaded otherwise
+    # we can lose app routes
+    routes_reloader = Rails.application.routes_reloader
+
+    # Routes changed in Rails 8 to be lazily loaded so this wasn't a problem
+    # before Rails 8.
+    # TODO: remove this line once Rails 7 support is removed
+    next unless routes_reloader.respond_to?(:loaded)
+
+    routes_reloader.reload! if routes_reloader.loaded
+  end
 end