gds-sso 0.7.9 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/app/controllers/api/user_controller.rb +31 -0
 - data/config/routes.rb +2 -1
 - data/lib/gds-sso/controller_methods.rb +4 -0
 - data/lib/gds-sso/version.rb +1 -1
 - data/spec/controller/api_user_controller_spec.rb +57 -0
 - data/spec/internal/log/test.log +75 -3844
 - data/spec/spec_helper.rb +4 -0
 - metadata +36 -33
 
| 
         @@ -0,0 +1,31 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            class Api::UserController < ApplicationController
         
     | 
| 
      
 2 
     | 
    
         
            +
              before_filter :authenticate_user!
         
     | 
| 
      
 3 
     | 
    
         
            +
              before_filter :require_user_update_permission
         
     | 
| 
      
 4 
     | 
    
         
            +
             
     | 
| 
      
 5 
     | 
    
         
            +
              def update
         
     | 
| 
      
 6 
     | 
    
         
            +
                user_json = JSON.parse(request.body.read)['user']
         
     | 
| 
      
 7 
     | 
    
         
            +
                oauth_hash = build_gds_oauth_hash(user_json)
         
     | 
| 
      
 8 
     | 
    
         
            +
                GDS::SSO::Config.user_klass.find_for_gds_oauth(oauth_hash)
         
     | 
| 
      
 9 
     | 
    
         
            +
                head :ok
         
     | 
| 
      
 10 
     | 
    
         
            +
              end
         
     | 
| 
      
 11 
     | 
    
         
            +
             
     | 
| 
      
 12 
     | 
    
         
            +
              private
         
     | 
| 
      
 13 
     | 
    
         
            +
                # This should mirror the object created by the omniauth-gds strategy/gem
         
     | 
| 
      
 14 
     | 
    
         
            +
                # By doing this, we can reuse the code for creating/updating the user
         
     | 
| 
      
 15 
     | 
    
         
            +
                def build_gds_oauth_hash(user_json)
         
     | 
| 
      
 16 
     | 
    
         
            +
                  OmniAuth::AuthHash.new(
         
     | 
| 
      
 17 
     | 
    
         
            +
                      uid: user_json['uid'], 
         
     | 
| 
      
 18 
     | 
    
         
            +
                      provider: 'gds', 
         
     | 
| 
      
 19 
     | 
    
         
            +
                      info: { 
         
     | 
| 
      
 20 
     | 
    
         
            +
                        name: user_json['name'], 
         
     | 
| 
      
 21 
     | 
    
         
            +
                        email: user_json['email']
         
     | 
| 
      
 22 
     | 
    
         
            +
                      }, 
         
     | 
| 
      
 23 
     | 
    
         
            +
                      extra: { 
         
     | 
| 
      
 24 
     | 
    
         
            +
                        user: { permissions: user_json['permissions'] }
         
     | 
| 
      
 25 
     | 
    
         
            +
                      })
         
     | 
| 
      
 26 
     | 
    
         
            +
                end
         
     | 
| 
      
 27 
     | 
    
         
            +
             
     | 
| 
      
 28 
     | 
    
         
            +
                def require_user_update_permission
         
     | 
| 
      
 29 
     | 
    
         
            +
                  authorise_user!(GDS::SSO::Config.default_scope, "user_update_permission")
         
     | 
| 
      
 30 
     | 
    
         
            +
                end
         
     | 
| 
      
 31 
     | 
    
         
            +
            end
         
     | 
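Review bot: `update` (hunk lines 6–9) dereferences the parsed body without checking its shape: a non-JSON body raises `JSON::ParserError`, and a JSON body without a `user` object leaves `user_json` nil so `build_gds_oauth_hash` fails with `NoMethodError` — both surface to the caller as a 500 rather than a 400. The return value of `find_for_gds_oauth` on line 8 is discarded, so line 9 answers `head :ok` whether or not the record was actually persisted (whether that method reports failure by return value is not visible here). Guard the input at the top of the action with `return head :bad_request unless user_json.is_a?(Hash)` directly after the `JSON.parse` line, and give the action a `rescue JSON::ParserError` clause that also returns `head :bad_request`. Since the permissions written from the body are accepted on the strength of `require_user_update_permission` alone, a one-line class comment saying so would help the next reader see why that filter must never be removed.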
    
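--- a/data/config/routes.rb
+++ b/data/config/routes.rb
@@ -1,5 +1,6 @@
 Rails.application.routes.draw do
   match '/auth/gds/callback', to: 'authentications#callback', as: :gds_sign_in
   match '/auth/gds/sign_out', to: 'authentications#sign_out', as: :gds_sign_out
-  match '/auth/failure', 
+  match '/auth/failure',      to: 'authentications#failure',  as: :auth_failure
+  match '/auth/gds/api/user', to: "api/user#update", via: "PUT"
 end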
| 
         @@ -14,6 +14,10 @@ module GDS 
     | 
|
| 
       14 
14 
     | 
    
         | 
| 
       15 
15 
     | 
    
         | 
| 
       16 
16 
     | 
    
         
             
                  def authorise_user!(scope, permission)
         
     | 
| 
      
 17 
     | 
    
         
            +
                    # Ensure that we're authenticated (and by extension that current_user is set).
         
     | 
| 
      
 18 
     | 
    
         
            +
                    # Otherwise current_user might be nil, and we'd error out
         
     | 
| 
      
 19 
     | 
    
         
            +
                    authenticate_user!
         
     | 
| 
      
 20 
     | 
    
         
            +
             
     | 
| 
       17 
21 
     | 
    
         
             
                    if not current_user.has_permission?(scope, permission)
         
     | 
| 
       18 
22 
     | 
    
         
             
                      raise PermissionDeniedException, "Sorry, you don't seem to have the #{permission} permission for #{scope}."
         
     | 
| 
       19 
23 
     | 
    
         
             
                    end
         
     | 
    
        data/lib/gds-sso/version.rb
    CHANGED
    
    
| 
         @@ -0,0 +1,57 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            require "spec_helper"
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            def user_update_json
         
     | 
| 
      
 4 
     | 
    
         
            +
              {
         
     | 
| 
      
 5 
     | 
    
         
            +
                "user" => { 
         
     | 
| 
      
 6 
     | 
    
         
            +
                  "uid" => "a1s2d3", 
         
     | 
| 
      
 7 
     | 
    
         
            +
                  "name" => "Joshua Marshall", 
         
     | 
| 
      
 8 
     | 
    
         
            +
                  "email" => "user@domain.com", 
         
     | 
| 
      
 9 
     | 
    
         
            +
                  "permissions" => {
         
     | 
| 
      
 10 
     | 
    
         
            +
                    "GDS_SSO integration test" => ["signin", "new permission"]
         
     | 
| 
      
 11 
     | 
    
         
            +
                  }
         
     | 
| 
      
 12 
     | 
    
         
            +
                }
         
     | 
| 
      
 13 
     | 
    
         
            +
              }.to_json
         
     | 
| 
      
 14 
     | 
    
         
            +
            end
         
     | 
| 
      
 15 
     | 
    
         
            +
             
     | 
| 
      
 16 
     | 
    
         
            +
            describe Api::UserController, type: :controller do
         
     | 
| 
      
 17 
     | 
    
         
            +
             
     | 
| 
      
 18 
     | 
    
         
            +
              before :each do
         
     | 
| 
      
 19 
     | 
    
         
            +
                @user_to_update = User.new({ 
         
     | 
| 
      
 20 
     | 
    
         
            +
                    :uid => 'a1s2d3', 
         
     | 
| 
      
 21 
     | 
    
         
            +
                    :name => "Moshua Jarshall", 
         
     | 
| 
      
 22 
     | 
    
         
            +
                    :permissions => { "GDS_SSO integration test" => ["signin"] } })
         
     | 
| 
      
 23 
     | 
    
         
            +
              end
         
     | 
| 
      
 24 
     | 
    
         
            +
             
     | 
| 
      
 25 
     | 
    
         
            +
              describe "PUT update" do
         
     | 
| 
      
 26 
     | 
    
         
            +
                it "should deny access to anybody but the API user (or a user with 'user_update_permission')" do
         
     | 
| 
      
 27 
     | 
    
         
            +
                  malicious_user = User.new({ 
         
     | 
| 
      
 28 
     | 
    
         
            +
                      :uid => '2', 
         
     | 
| 
      
 29 
     | 
    
         
            +
                      :name => "User", 
         
     | 
| 
      
 30 
     | 
    
         
            +
                      :permissions => { "GDS_SSO integration test" => ["signin"] } })
         
     | 
| 
      
 31 
     | 
    
         
            +
             
     | 
| 
      
 32 
     | 
    
         
            +
                  request.env['warden'] = stub("stub warden", :authenticate! => true, authenticated?: true, user: malicious_user)
         
     | 
| 
      
 33 
     | 
    
         
            +
             
     | 
| 
      
 34 
     | 
    
         
            +
                  request.env['RAW_POST_DATA'] = user_update_json
         
     | 
| 
      
 35 
     | 
    
         
            +
                  put :update
         
     | 
| 
      
 36 
     | 
    
         
            +
                  
         
     | 
| 
      
 37 
     | 
    
         
            +
                  assert_equal 403, response.status
         
     | 
| 
      
 38 
     | 
    
         
            +
                end
         
     | 
| 
      
 39 
     | 
    
         
            +
             
     | 
| 
      
 40 
     | 
    
         
            +
                it "should create/update the user record in the same way as the OAuth callback" do
         
     | 
| 
      
 41 
     | 
    
         
            +
                  # Test that it authenticates
         
     | 
| 
      
 42 
     | 
    
         
            +
                  request.env['warden'] = mock("stub warden", authenticated?: true, user: GDS::SSO::ApiUser.new)
         
     | 
| 
      
 43 
     | 
    
         
            +
                  request.env['warden'].expects(:authenticate!).at_least_once.returns(true)
         
     | 
| 
      
 44 
     | 
    
         
            +
             
     | 
| 
      
 45 
     | 
    
         
            +
                  @user_to_update.expects(:update_attributes).with({ 
         
     | 
| 
      
 46 
     | 
    
         
            +
                      "uid" => "a1s2d3",
         
     | 
| 
      
 47 
     | 
    
         
            +
                      "name" => "Joshua Marshall", 
         
     | 
| 
      
 48 
     | 
    
         
            +
                      "email" => "user@domain.com", 
         
     | 
| 
      
 49 
     | 
    
         
            +
                      "permissions" => { "GDS_SSO integration test" => ["signin", "new permission"] }}, as: :oauth)
         
     | 
| 
      
 50 
     | 
    
         
            +
             
     | 
| 
      
 51 
     | 
    
         
            +
                  User.expects(:find_by_uid).with("a1s2d3").returns(@user_to_update)
         
     | 
| 
      
 52 
     | 
    
         
            +
             
     | 
| 
      
 53 
     | 
    
         
            +
                  request.env['RAW_POST_DATA'] = user_update_json
         
     | 
| 
      
 54 
     | 
    
         
            +
                  put :update
         
     | 
| 
      
 55 
     | 
    
         
            +
                end
         
     | 
| 
      
 56 
     | 
    
         
            +
              end
         
     | 
| 
      
 57 
     | 
    
         
            +
            end
         
     |
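Review bot: The second example (hunk lines 40–55) sets up its mocks and issues `put :update` on line 54 but never asserts on the response, so a change that made the action return something other than 200 after the mocked update would still pass; add `assert_equal 200, response.status` after `put :update`. There is also no example for a malformed body or a body without a `user` key, which is the input most likely to produce a 500 from this controller and the one a caller of an API endpoint will hit first. As a point of style, `user_update_json` at hunk lines 3–14 is defined at the top level of the spec file, which makes it a global method on every object for the whole test run; define it inside the `describe` block or as a `let`.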