gds-sso 21.0.0 → 22.0.0

data/spec/support/request_helpers.rb

@@ -0,0 +1,45 @@
+module RequestHelpers
+  def authenticate_with_stub_signon(permissions: [])
+    state = request_to_establish_oauth_state
+
+    stub_signon_oauth_token_request
+    stub_successful_signon_user_request(permissions:)
+
+    get "/auth/gds/callback?code=code&state=#{state}"
+    expect(response).to have_http_status(:redirect)
+  end
+
+  def request_to_establish_oauth_state
+    get "/auth/gds"
+    expect(response).to have_http_status(:redirect)
+    location = URI.parse(response.location)
+    query = Rack::Utils.parse_query(location.query)
+    query.fetch("state")
+  end
+
+  def stub_signon_oauth_token_request
+    stub_request(:post, "http://signon/oauth/access_token")
+      .to_return(body: { access_token: "token" }.to_json,
+                 headers: { content_type: "application/json" })
+  end
+
+  def stub_successful_signon_user_request(permissions: [])
+    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+      .to_return(
+        body: {
+          user: {
+            uid: "123",
+            email: "test-user@example.com",
+            name: "Test User",
+            permissions:,
+          },
+        }.to_json,
+        headers: { content_type: "application/json" },
+      )
+  end
+
+  def stub_failed_signon_user_request
+    stub_request(:get, "http://signon/user.json?client_id=gds-sso-test")
+      .to_return(status: 401)
+  end
+end

data/spec/unit/api_access_spec.rb

@@ -18,31 +18,49 @@ describe GDS::SSO::ApiAccess do
       expect(described_class.api_call?({})).to be(true)
     end
 
-    it "returns true if the request matches the api_request_matcher" do
-      allow(GDS::SSO::Config)
-        .to receive(:api_request_matcher)
-        .and_return(->(request) { request.path == "/api" })
+    context "when an api_request_matcher has been configured" do
+      before do
+        allow(GDS::SSO::Config)
+          .to receive(:api_request_matcher)
+          .and_return(->(request) { request.path == "/api" })
+      end
 
-      env = Rack::MockRequest.env_for("/api")
-      expect(described_class.api_call?(env)).to be(true)
-    end
+      it "returns true if the request matches the api_request_matcher" do
+        env = Rack::MockRequest.env_for("/api")
+        expect(described_class.api_call?(env)).to be(true)
+      end
 
-    it "returns false if the request doesn't match the api_request_matcher" do
-      allow(GDS::SSO::Config)
-        .to receive(:api_request_matcher)
-        .and_return(->(request) { request.path == "/api" })
+      it "returns true if the request is for GDS SSO API at default location" do
+        env = Rack::MockRequest.env_for("/auth/gds/api/#{SecureRandom.uuid}")
+        expect(described_class.api_call?(env)).to be(true)
+      end
 
-      env = Rack::MockRequest.env_for("/other")
-      expect(described_class.api_call?(env)).to be(false)
-    end
+      it "returns true if it matches a configured gds_sso_api_request_matcher" do
+        allow(GDS::SSO::Config)
+          .to receive(:gds_sso_api_request_matcher)
+          .and_return(->(request) { request.path == "/special/gds-sso/route" })
 
-    it "returns true if a bearer token is present" do
-      env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
-      expect(described_class.api_call?(env)).to be(true)
+        env = Rack::MockRequest.env_for("/special/gds-sso/route")
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns false if the request doesn't match the gds_sso_api_request_matcher or api_request_matcher" do
+        allow(GDS::SSO::Config).to receive(:gds_sso_api_request_matcher).and_return(nil)
+
+        env = Rack::MockRequest.env_for("/other")
+        expect(described_class.api_call?(env)).to be(false)
+      end
     end
 
-    it "returns false otherwise" do
-      expect(described_class.api_call?({})).to be(false)
+    context "when an api_request_matcher has not been configured" do
+      it "returns true if a bearer token is present" do
+        env = { "HTTP_AUTHORIZATION" => "Bearer 1234:5678" }
+        expect(described_class.api_call?(env)).to be(true)
+      end
+
+      it "returns false if nothing indicates an API call" do
+        expect(described_class.api_call?({})).to be(false)
+      end
     end
   end
 

data/spec/unit/failure_app_spec.rb

@@ -0,0 +1,31 @@
+require "spec_helper"
+
+describe GDS::SSO::FailureApp, type: :request do
+  describe "#redirect" do
+    before do
+      Rails.application.routes.draw do
+        get "redirect", to: GDS::SSO::FailureApp.action(:redirect)
+      end
+    end
+
+    after { Rails.application.reload_routes! }
+
+    it "should store the return_to path in session when it is reasonably short" do
+      attempted_path = "some-reasonably-short-path"
+
+      get "/redirect", env: { "warden.options" => { attempted_path: } }
+
+      expect(response).to redirect_to("/auth/gds")
+      expect(session["return_to"]).to eq(attempted_path)
+    end
+
+    it "should not attempt to store the return_to path in session when it is very long" do
+      attempted_path = "some-#{'very-' * 1000}-long-path"
+
+      get "/redirect", env: { "warden.options" => { attempted_path: } }
+
+      expect(response).to redirect_to("/auth/gds")
+      expect(session["return_to"]).to be_nil
+    end
+  end
+end

data/spec/unit/mock_bearer_token_spec.rb

@@ -10,6 +10,12 @@ describe GDS::SSO::MockBearerToken do
       expect(described_class.locate("anything")).to be(test_user)
     end
 
+    it "returns nil if ENV['GDS_SSO_MOCK_INVALID'] is set" do
+      ClimateControl.modify("GDS_SSO_MOCK_INVALID" => "1") do
+        expect(described_class.locate("anything")).to be_nil
+      end
+    end
+
     it "doesn't modify the permissions of GDS::SSO.test_user" do
       test_user = TestUser.new(permissions: [])
       allow(GDS::SSO).to receive(:test_user).and_return(test_user)

data/spec/unit/session_serialisation_spec.rb

@@ -14,11 +14,12 @@ describe Warden::SessionSerializer do
 
   describe "serializing a user" do
     it "should return the uid and an ISO 8601 string timestamp" do
-      Timecop.freeze
-      result = @serializer.serialize(@user)
+      freeze_time do
+        result = @serializer.serialize(@user)
 
-      expect(result).to eq([1234, Time.now.utc.iso8601])
-      expect(result.last).to be_a(String)
+        expect(result).to eq([1234, Time.now.utc.iso8601])
+        expect(result.last).to be_a(String)
+      end
     end
 
     it "should return nil if the user has no uid" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gds-sso
 version: !ruby/object:Gem::Version
-  version: 21.0.0
+  version: 22.0.0
 platform: ruby
 authors:
 - GOV.UK Dev
@@ -122,19 +122,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.0.1
 - !ruby/object:Gem::Dependency
-  name: capybara
+  name: climate_control
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: combustion
   requirement: !ruby/object:Gem::Requirement
@@ -169,28 +169,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6'
+        version: '8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6'
+        version: '8'
 - !ruby/object:Gem::Dependency
   name: rubocop-govuk
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.1.19
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.0.2
+        version: 5.1.19
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -205,20 +205,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -264,8 +250,6 @@ files:
 - lib/gds-sso/version.rb
 - lib/gds-sso/warden_config.rb
 - lib/omniauth/strategies/gds.rb
-- spec/controller/api_user_controller_spec.rb
-- spec/controller/controller_methods_spec.rb
 - spec/internal/app/assets/config/manifest.js
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/example_controller.rb
@@ -274,17 +258,21 @@ files:
 - spec/internal/config/initializers/gds-sso.rb
 - spec/internal/config/routes.rb
 - spec/internal/db/schema.rb
+- spec/request/api/user_spec.rb
+- spec/request/authentication_spec.rb
+- spec/request/demo_app_spec.rb
 - spec/spec_helper.rb
 - spec/support/controller_spy.rb
+- spec/support/request_helpers.rb
 - spec/support/serializable_user.rb
 - spec/support/test_user.rb
-- spec/support/timecop.rb
-- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
 - spec/unit/authorise_user_spec.rb
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/controller_methods_spec.rb
+- spec/unit/failure_app_spec.rb
 - spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb
@@ -312,8 +300,6 @@ rubygems_version: 3.7.1
 specification_version: 4
 summary: Client for GDS' OAuth 2-based SSO
 test_files:
-- spec/controller/api_user_controller_spec.rb
-- spec/controller/controller_methods_spec.rb
 - spec/internal/app/assets/config/manifest.js
 - spec/internal/app/controllers/application_controller.rb
 - spec/internal/app/controllers/example_controller.rb
@@ -322,17 +308,21 @@ test_files:
 - spec/internal/config/initializers/gds-sso.rb
 - spec/internal/config/routes.rb
 - spec/internal/db/schema.rb
+- spec/request/api/user_spec.rb
+- spec/request/authentication_spec.rb
+- spec/request/demo_app_spec.rb
 - spec/spec_helper.rb
 - spec/support/controller_spy.rb
+- spec/support/request_helpers.rb
 - spec/support/serializable_user.rb
 - spec/support/test_user.rb
-- spec/support/timecop.rb
-- spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
 - spec/unit/authorise_user_spec.rb
 - spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
+- spec/unit/controller_methods_spec.rb
+- spec/unit/failure_app_spec.rb
 - spec/unit/gds_sso_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
 - spec/unit/railtie_spec.rb

data/spec/controller/api_user_controller_spec.rb

@@ -1,114 +0,0 @@
-require "spec_helper"
-
-def user_update_json
-  {
-    "user" => {
-      "uid" => @user_to_update.uid,
-      "name" => "Joshua Marshall",
-      "email" => "user@domain.com",
-      "permissions" => ["signin", "new permission"],
-      "organisation_slug" => "justice-league",
-      "organisation_content_id" => "aae1319e-5788-4677-998c-f1a53af528d0",
-      "disabled" => false,
-    },
-  }.to_json
-end
-
-describe Api::UserController, type: :controller do
-  before :each do
-    user_to_update_attrs = [{
-      uid: "a1s2d3#{rand(10_000)}",
-      email: "old@domain.com",
-      name: "Moshua Jarshall",
-      permissions: %w[signin],
-    }]
-
-    signon_sso_push_user_attrs = [{
-      uid: "a1s2d3#{rand(10_000)}",
-      email: "ssopushuser@legit.com",
-      name: "SSO Push user",
-      permissions: %w[signin user_update_permission],
-    }]
-
-    @user_to_update = User.create!(*user_to_update_attrs)
-    @signon_sso_push_user = User.create!(*signon_sso_push_user_attrs)
-  end
-
-  describe "PUT update" do
-    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
-      malicious_user = User.new({
-        uid: "2",
-        name: "User",
-        permissions: %w[signin],
-      })
-
-      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
-
-      request.env["RAW_POST_DATA"] = user_update_json
-      put :update, body: user_update_json, params: { uid: @user_to_update.uid }
-
-      expect(response.status).to eq(403)
-    end
-
-    it "should create/update the user record in the same way as the OAuth callback" do
-      # Test that it authenticates
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      request.env["RAW_POST_DATA"] = user_update_json
-      put :update, body: user_update_json, params: { uid: @user_to_update.uid }
-
-      @user_to_update.reload
-      expect(@user_to_update.name).to eq("Joshua Marshall")
-      expect(@user_to_update.email).to eq("user@domain.com")
-      expect(@user_to_update.permissions).to eq(["signin", "new permission"])
-      expect(@user_to_update.organisation_slug).to eq("justice-league")
-      expect(@user_to_update.organisation_content_id).to eq("aae1319e-5788-4677-998c-f1a53af528d0")
-      expect(response.content_type).to eq("text/plain")
-    end
-  end
-
-  describe "POST reauth" do
-    it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
-      malicious_user = User.new({
-        uid: "2",
-        name: "User",
-        permissions: %w[signin],
-      })
-
-      request.env["warden"] = double("stub warden", authenticate!: true, authenticated?: true, user: malicious_user)
-
-      post :reauth, params: { uid: @user_to_update.uid }
-
-      expect(response.status).to eq(403)
-    end
-
-    it "should return success if user record doesn't exist" do
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      post :reauth, params: { uid: "nonexistent-user" }
-
-      expect(response.status).to eq(200)
-      expect(response.content_type).to eq("text/plain")
-    end
-
-    it "should set remotely_signed_out to true on the user" do
-      # Test that it authenticates
-      request.env["warden"] = double("mock warden")
-      expect(request.env["warden"]).to receive(:authenticate!).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:authenticated?).at_least(:once).and_return(true)
-      expect(request.env["warden"]).to receive(:user).at_least(:once).and_return(@signon_sso_push_user)
-
-      post :reauth, params: { uid: @user_to_update.uid }
-
-      @user_to_update.reload
-      expect(@user_to_update).to be_remotely_signed_out
-      expect(response.content_type).to eq("text/plain")
-    end
-  end
-end

data/spec/support/timecop.rb

@@ -1,7 +0,0 @@
-require "timecop"
-
-RSpec.configure do |config|
-  config.after :each do
-    Timecop.return
-  end
-end