gds-sso 19.0.0 → 19.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ddad93d93075a295b1b4a6561d7c37dfba8e89892be22fc2ba54f53b594f460
-  data.tar.gz: 2de1bc908bd25480554df696b32a08f72f3b02f8c74c72bfa4b3ccd59227ac6a
+  metadata.gz: 71c0501986a461e92a2a6b176ded8dce5c191f2b735465ab4bb0d62fa21692a6
+  data.tar.gz: c4498c2a13b319f7dcdf2f3280a5aeee424c7881c79ed031dc2242bddba4c9bb
 SHA512:
-  metadata.gz: cdae7d624ab18260632acc9945ce7790664dde1f99fc2dca57c7fe5569f8aacdf0180286c1acd34f60d054c4100ec212b2359ae4a5b056352edecc30c3721058
-  data.tar.gz: 6d71aefcfa8f20aed5a479ca032bd2abab343fe71054b61766dbf3f80ed88047203929119e92183f31f735810066a9683b7c36279310f9e8044ee9f38933bc54
+  metadata.gz: 65e314e7c2d79c2268a391d03cc5a3ce8501c17f2c024890222a434491425ab68c06e28fb4c992f65c1181189ba0c6a7f5a4d9078e9db8905bc90440913e8f0c
+  data.tar.gz: 9191a650b590f2099a73b8d86153ea87c7e3f93ef54b965cf7804257729864e07fa215efff25174881afe53c325ac02d1f49319a5fd10f81d09a61786e7657c9

data/lib/gds-sso/authorise_user.rb

@@ -0,0 +1,49 @@
+module GDS
+  module SSO
+    class AuthoriseUser
+      def self.call(...) = new(...).call
+
+      def initialize(current_user, permissions)
+        @current_user = current_user
+        @permissions = permissions
+      end
+
+      def call
+        case permissions
+        when String
+          unless current_user.has_permission?(permissions)
+            raise GDS::SSO::PermissionDeniedError, "Sorry, you don't seem to have the #{permissions} permission for this app."
+          end
+        when Hash
+          raise ArgumentError, "Must be either `any_of` or `all_of`" unless permissions.keys.size == 1
+
+          if permissions[:any_of]
+            authorise_user_with_at_least_one_of_permissions!(permissions[:any_of])
+          elsif permissions[:all_of]
+            authorise_user_with_all_permissions!(permissions[:all_of])
+          else
+            raise ArgumentError, "Must be either `any_of` or `all_of`"
+          end
+        end
+      end
+
+    private
+
+      attr_reader :current_user, :permissions
+
+      def authorise_user_with_at_least_one_of_permissions!(permissions)
+        if permissions.none? { |permission| current_user.has_permission?(permission) }
+          raise GDS::SSO::PermissionDeniedError,
+                "Sorry, you don't seem to have any of the permissions: #{permissions.to_sentence} for this app."
+        end
+      end
+
+      def authorise_user_with_all_permissions!(permissions)
+        unless permissions.all? { |permission| current_user.has_permission?(permission) }
+          raise GDS::SSO::PermissionDeniedError,
+                "Sorry, you don't seem to have all of the permissions: #{permissions.to_sentence} for this app."
+        end
+      end
+    end
+  end
+end

data/lib/gds-sso/authorised_user_constraint.rb

@@ -0,0 +1,21 @@
+module GDS
+  module SSO
+    class AuthorisedUserConstraint
+      def initialize(permissions)
+        @permissions = permissions
+      end
+
+      def matches?(request)
+        warden = request.env["warden"]
+        warden.authenticate! if !warden.authenticated? || warden.user.remotely_signed_out?
+
+        GDS::SSO::AuthoriseUser.call(warden.user, permissions)
+        true
+      end
+
+    private
+
+      attr_reader :permissions
+    end
+  end
+end

data/lib/gds-sso/config.rb

@@ -29,6 +29,9 @@ module GDS
 
       mattr_accessor :api_only
 
+      mattr_accessor :intercept_401_responses
+      @@intercept_401_responses = true
+
       mattr_accessor :additional_mock_permissions_required
 
       mattr_accessor :connection_opts

data/lib/gds-sso/controller_methods.rb

@@ -1,11 +1,19 @@
 module GDS
   module SSO
+    class PermissionDeniedError < StandardError
+    end
+
     module ControllerMethods
-      class PermissionDeniedException < StandardError
+      # TODO: remove this for the next major release
+      class PermissionDeniedException < PermissionDeniedError
+        def initialize(...)
+          warn "GDS::SSO::ControllerMethods::PermissionDeniedException is deprecated, please replace with GDS::SSO::PermissionDeniedError"
+          super(...)
+        end
       end
 
       def self.included(base)
-        base.rescue_from PermissionDeniedException do |e|
+        base.rescue_from PermissionDeniedError do |e|
           if GDS::SSO::Config.api_only
             render json: { message: e.message }, status: :forbidden
           else
@@ -24,22 +32,7 @@ module GDS
         # Otherwise current_user might be nil, and we'd error out
         authenticate_user!
 
-        case permissions
-        when String
-          unless current_user.has_permission?(permissions)
-            raise PermissionDeniedException, "Sorry, you don't seem to have the #{permissions} permission for this app."
-          end
-        when Hash
-          raise ArgumentError, "Must be either `any_of` or `all_of`" unless permissions.keys.size == 1
-
-          if permissions[:any_of]
-            authorise_user_with_at_least_one_of_permissions!(permissions[:any_of])
-          elsif permissions[:all_of]
-            authorise_user_with_all_permissions!(permissions[:all_of])
-          else
-            raise ArgumentError, "Must be either `any_of` or `all_of`"
-          end
-        end
+        GDS::SSO::AuthoriseUser.call(current_user, permissions)
       end
 
       def authenticate_user!
@@ -65,22 +58,6 @@ module GDS
       def warden
         request.env["warden"]
       end
-
-    private
-
-      def authorise_user_with_at_least_one_of_permissions!(permissions)
-        if permissions.none? { |permission| current_user.has_permission?(permission) }
-          raise PermissionDeniedException,
-                "Sorry, you don't seem to have any of the permissions: #{permissions.to_sentence} for this app."
-        end
-      end
-
-      def authorise_user_with_all_permissions!(permissions)
-        unless permissions.all? { |permission| current_user.has_permission?(permission) }
-          raise PermissionDeniedException,
-                "Sorry, you don't seem to have all of the permissions: #{permissions.to_sentence} for this app."
-        end
-      end
     end
   end
 end

data/lib/gds-sso/failure_app.rb

@@ -52,7 +52,7 @@ module GDS
 
       def api_unauthorized(message, bearer_error)
         headers["WWW-Authenticate"] = %(Bearer error="#{bearer_error}")
-        render json: { message: message }, status: :unauthorized
+        render json: { message: }, status: :unauthorized
       end
     end
   end

data/lib/gds-sso/railtie.rb

@@ -1,6 +1,10 @@
 module GDS
   module SSO
     class Railtie < Rails::Railtie
+      config.action_dispatch.rescue_responses.merge!(
+        "GDS::SSO::PermissionDeniedError" => :forbidden,
+      )
+
       initializer "gds-sso.initializer" do
         GDS::SSO.config do |config|
           config.cache = Rails.cache

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "19.0.0".freeze
+    VERSION = "19.1.0".freeze
   end
 end

data/lib/gds-sso/warden_config.rb

@@ -29,7 +29,7 @@ Warden::Manager.serialize_from_session do |(uid, auth_timestamp)|
   end
 
   if auth_timestamp && ((auth_timestamp + GDS::SSO::Config.auth_valid_for) > Time.now.utc)
-    GDS::SSO::Config.user_klass.where(uid: uid, remotely_signed_out: false).first
+    GDS::SSO::Config.user_klass.where(uid:, remotely_signed_out: false).first
   end
 end
 

data/lib/gds-sso.rb

@@ -10,10 +10,13 @@ require "gds-sso/railtie" if defined?(Rails)
 
 module GDS
   module SSO
-    autoload :FailureApp,        "gds-sso/failure_app"
-    autoload :ControllerMethods, "gds-sso/controller_methods"
-    autoload :User,              "gds-sso/user"
-    autoload :ApiAccess,         "gds-sso/api_access"
+    autoload :FailureApp,               "gds-sso/failure_app"
+    autoload :ControllerMethods,        "gds-sso/controller_methods"
+    autoload :User,                     "gds-sso/user"
+    autoload :ApiAccess,                "gds-sso/api_access"
+    autoload :AuthoriseUser,            "gds-sso/authorise_user"
+    autoload :AuthorisedUserConstraint, "gds-sso/authorised_user_constraint"
+    autoload :PermissionDeniedError,    "gds-sso/controller_methods"
 
     # User to return as logged in during tests
     mattr_accessor :test_user
@@ -52,6 +55,7 @@ module GDS
       config.app_middleware.use Warden::Manager do |config|
         config.default_strategies(*default_strategies)
         config.failure_app = GDS::SSO::FailureApp
+        config.intercept_401 = GDS::SSO::Config.intercept_401_responses
       end
     end
   end

data/lib/omniauth/strategies/gds.rb

@@ -15,7 +15,7 @@ class OmniAuth::Strategies::Gds < OmniAuth::Strategies::OAuth2
 
   extra do
     {
-      user: user,
+      user:,
       permissions: user["permissions"],
       organisation_slug: user["organisation_slug"],
       organisation_content_id: user["organisation_content_id"],

data/spec/controller/controller_methods_spec.rb

@@ -1,57 +1,24 @@
 require "spec_helper"
 
-RSpec.describe GDS::SSO::ControllerMethods, "#authorise_user!" do
-  let(:current_user) { double }
-  let(:expected_error) { GDS::SSO::ControllerMethods::PermissionDeniedException }
+RSpec.describe GDS::SSO::ControllerMethods do
+  describe "#authorise_user!" do
+    let(:current_user) { double }
+    let(:expected_error) { GDS::SSO::PermissionDeniedError }
 
-  context "with a single string permission argument" do
-    it "permits users with the required permission" do
-      allow(current_user).to receive(:has_permission?).with("good").and_return(true)
+    context "when the user is authorised" do
+      it "does not raise an error" do
+        allow(current_user).to receive(:has_permission?).with("good").and_return(true)
 
-      expect { ControllerSpy.new(current_user).authorise_user!("good") }.not_to raise_error
+        expect { ControllerSpy.new(current_user).authorise_user!("good") }.not_to raise_error
+      end
     end
 
-    it "does not permit the users without the required permission" do
-      allow(current_user).to receive(:has_permission?).with("good").and_return(false)
+    context "when the user is not authorised" do
+      it "raises an error" do
+        allow(current_user).to receive(:has_permission?).with("bad").and_return(false)
 
-      expect { ControllerSpy.new(current_user).authorise_user!("good") }.to raise_error(expected_error)
-    end
-  end
-
-  context "with the `all_of` option" do
-    it "permits users with all of the required permissions" do
-      allow(current_user).to receive(:has_permission?).with("good").and_return(true)
-      allow(current_user).to receive(:has_permission?).with("bad").and_return(true)
-
-      expect { ControllerSpy.new(current_user).authorise_user!(all_of: %w[good bad]) }.not_to raise_error
-    end
-
-    it "does not permit users without all of the required permissions" do
-      allow(current_user).to receive(:has_permission?).with("good").and_return(false)
-      allow(current_user).to receive(:has_permission?).with("bad").and_return(true)
-
-      expect { ControllerSpy.new(current_user).authorise_user!(all_of: %w[good bad]) }.to raise_error(expected_error)
-    end
-  end
-
-  context "with the `any_of` option" do
-    it "permits users with any of the required permissions" do
-      allow(current_user).to receive(:has_permission?).with("good").and_return(true)
-      allow(current_user).to receive(:has_permission?).with("bad").and_return(false)
-
-      expect { ControllerSpy.new(current_user).authorise_user!(any_of: %w[good bad]) }.not_to raise_error
-    end
-
-    it "does not permit users without any of the required permissions" do
-      allow(current_user).to receive(:has_permission?).and_return(false)
-
-      expect { ControllerSpy.new(current_user).authorise_user!(any_of: %w[good bad]) }.to raise_error(expected_error)
-    end
-  end
-
-  context "with none of `any_of` or `all_of`" do
-    it "raises an `ArgumentError`" do
-      expect { ControllerSpy.new(current_user).authorise_user!(whoops: "bad") }.to raise_error(ArgumentError)
+        expect { ControllerSpy.new(current_user).authorise_user!("bad") }.to raise_error(expected_error)
+      end
     end
   end
 end

data/spec/internal/app/controllers/example_controller.rb

@@ -1,7 +1,6 @@
 class ExampleController < ApplicationController
   before_action :authenticate_user!, except: :not_restricted
   before_action -> { authorise_user!("execute") }, only: :this_requires_execute_permission
-
   def not_restricted
     render body: "jabberwocky"
   end
@@ -13,4 +12,8 @@ class ExampleController < ApplicationController
   def this_requires_execute_permission
     render body: "you have execute permission"
   end
+
+  def constraint_restricted
+    render body: "constraint restricted"
+  end
 end

data/spec/internal/config/routes.rb

@@ -4,4 +4,8 @@ Rails.application.routes.draw do
   get "/not-restricted" => "example#not_restricted"
   get "/restricted" => "example#restricted"
   get "/this-requires-execute-permission" => "example#this_requires_execute_permission"
+
+  constraints(GDS::SSO::AuthorisedUserConstraint.new("execute")) do
+    get "/constraint-restricted" => "example#constraint_restricted"
+  end
 end

data/spec/spec_helper.rb

@@ -8,6 +8,7 @@ require "combustion"
 
 Combustion.initialize! :all do
   config.cache_store = :null_store
+  config.action_dispatch.show_exceptions = :all
 end
 
 require "rspec/rails"

data/spec/support/test_user.rb

@@ -1,3 +1,5 @@
+require "ostruct"
+
 class TestUser < OpenStruct
   include GDS::SSO::User
 

data/spec/system/authentication_and_authorisation_spec.rb

@@ -119,6 +119,27 @@ RSpec.describe "Authenication and authorisation" do
     end
   end
 
+  context "when accessing a route that is restricted by the authorised user constraint" do
+    it "allows access when an authenticated user has correct permissions" do
+      stub_signon_authenticated(permissions: %w[execute])
+      visit "/constraint-restricted"
+      expect(page).to have_content("constraint restricted")
+    end
+
+    it "redirects an unauthenticated request to signon" do
+      visit "/constraint-restricted"
+      expect(page.response_headers["Location"]).to match("/auth/gds")
+      visit page.response_headers["Location"]
+      expect(page.response_headers["Location"]).to match("http://signon/oauth/authorize")
+    end
+
+    it "restricts access when an authenticated user does not have the correct permissions" do
+      stub_signon_authenticated(permissions: %w[no-access])
+      visit "/constraint-restricted"
+      expect(page.status_code).to eq(403)
+    end
+  end
+
   def stub_signon_authenticated(permissions: [])
     # visit restricted page to trigger redirect URL to record state attribute
     visit "/auth/gds"
@@ -129,7 +150,7 @@ RSpec.describe "Authenication and authorisation" do
       .to_return(body: { access_token: "token" }.to_json,
                  headers: { content_type: "application/json" })
 
-    stub_signon_user_request(permissions: permissions)
+    stub_signon_user_request(permissions:)
 
     visit "/auth/gds/callback?code=code&state=#{state}"
   end
@@ -142,7 +163,7 @@ RSpec.describe "Authenication and authorisation" do
             uid: "123",
             email: "test-user@example.com",
             name: "Test User",
-            permissions: permissions,
+            permissions:,
           },
         }.to_json,
         headers: { content_type: "application/json" },

data/spec/unit/authorise_user_spec.rb

@@ -0,0 +1,69 @@
+require "spec_helper"
+require "gds-sso/authorise_user"
+
+describe GDS::SSO::AuthoriseUser do
+  describe "#call" do
+    let(:current_user) { double }
+
+    context "with a single string permission argument" do
+      let(:permissions) { "admin" }
+      let(:expected_error) { GDS::SSO::PermissionDeniedError }
+
+      it "permits users with the required permission" do
+        allow(current_user).to receive(:has_permission?).with("admin").and_return(true)
+
+        expect { described_class.call(current_user, permissions) }.not_to raise_error
+      end
+
+      it "does not permit the users without the required permission" do
+        allow(current_user).to receive(:has_permission?).with("admin").and_return(false)
+
+        expect { described_class.call(current_user, permissions) }.to raise_error(expected_error)
+      end
+    end
+
+    context "with the `all_of` option" do
+      let(:permissions) { { all_of: %w[admin editor] } }
+      let(:expected_error) { GDS::SSO::PermissionDeniedError }
+
+      it "permits users with all of the required permissions" do
+        allow(current_user).to receive(:has_permission?).with("admin").and_return(true)
+        allow(current_user).to receive(:has_permission?).with("editor").and_return(true)
+
+        expect { described_class.call(current_user, permissions) }.not_to raise_error
+      end
+
+      it "does not permit users without all of the required permissions" do
+        allow(current_user).to receive(:has_permission?).with("admin").and_return(false)
+        allow(current_user).to receive(:has_permission?).with("editor").and_return(true)
+
+        expect { described_class.call(current_user, permissions) }.to raise_error(expected_error)
+      end
+    end
+
+    context "with the `any_of` option" do
+      let(:permissions) { { any_of: %w[admin editor] } }
+      let(:expected_error) { GDS::SSO::PermissionDeniedError }
+
+      it "permits users with any of the required permissions" do
+        allow(current_user).to receive(:has_permission?).with("admin").and_return(true)
+        allow(current_user).to receive(:has_permission?).with("editor").and_return(false)
+
+        expect { described_class.call(current_user, permissions) }.not_to raise_error
+      end
+
+      it "does not permit users without any of the required permissions" do
+        allow(current_user).to receive(:has_permission?).and_return(false)
+
+        expect { described_class.call(current_user, permissions) }.to raise_error(expected_error)
+      end
+    end
+
+    context "with none of `any_of` or `all_of`" do
+      it "raises an `ArgumentError`" do
+        expect { described_class.call(current_user, { admin: true }) }
+          .to raise_error(ArgumentError)
+      end
+    end
+  end
+end

data/spec/unit/authorised_user_constraint_spec.rb

@@ -0,0 +1,50 @@
+require "spec_helper"
+require "gds-sso/authorised_user_constraint"
+
+describe GDS::SSO::AuthorisedUserConstraint do
+  before do
+    allow(GDS::SSO::AuthoriseUser).to receive(:call).and_return(true)
+  end
+
+  describe "#matches?" do
+    let(:user) { double("user", remotely_signed_out?: remotely_signed_out) }
+    let(:warden) do
+      double(
+        "warden",
+        authenticated?: user_authenticated,
+        user:,
+        authenticate!: nil,
+      )
+    end
+    let(:user_authenticated) { true }
+    let(:remotely_signed_out) { false }
+    let(:request) { double("request", env: { "warden" => warden }) }
+
+    it "authorises the user" do
+      expect(GDS::SSO::AuthoriseUser).to receive(:call).with(warden.user, %w[signin])
+      expect(warden).not_to receive(:authenticate!)
+
+      described_class.new(%w[signin]).matches?(request)
+    end
+
+    context "when the user is not authenticated" do
+      let(:user_authenticated) { false }
+
+      it "authenticates the user" do
+        expect(warden).to receive(:authenticate!)
+
+        described_class.new(%w[signin]).matches?(request)
+      end
+    end
+
+    context "when the user is remotely signed out" do
+      let(:remotely_signed_out) { true }
+
+      it "authenticates the user" do
+        expect(warden).to receive(:authenticate!)
+
+        described_class.new(%w[signin]).matches?(request)
+      end
+    end
+  end
+end

data/spec/unit/railtie_spec.rb

@@ -11,4 +11,23 @@ RSpec.describe GDS::SSO::Railtie do
   it "honours API only setting" do
     expect(GDS::SSO::Config.api_only).to eq false
   end
+
+  describe "configuring intercept_401_responses" do
+    it "sets warden intercept_401 to false when the configuration option is set to false" do
+      allow(GDS::SSO::Config).to receive(:intercept_401_responses).and_return(false)
+
+      expect(warden_manager.config[:intercept_401]).to be(false)
+    end
+
+    it "sets warden intercept_401 to true when the configuration option is set to true" do
+      allow(GDS::SSO::Config).to receive(:intercept_401_responses).and_return(true)
+
+      expect(warden_manager.config[:intercept_401]).to be(true)
+    end
+  end
+
+  def warden_manager
+    middleware = Rails.application.config.middleware.find { |m| m.name.include?("Warden::Manager") }
+    Warden::Manager.new(nil, &middleware.block)
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gds-sso
 version: !ruby/object:Gem::Version
-  version: 19.0.0
+  version: 19.1.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-05 00:00:00.000000000 Z
+date: 2024-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -58,34 +58,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '6'
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6'
+        version: '7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6'
+        version: '7'
 - !ruby/object:Gem::Dependency
   name: warden
   requirement: !ruby/object:Gem::Requirement
@@ -174,16 +168,16 @@ dependencies:
   name: rubocop-govuk
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '4'
+        version: 4.16.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '4'
+        version: 4.16.1
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -244,6 +238,8 @@ files:
 - config/routes.rb
 - lib/gds-sso.rb
 - lib/gds-sso/api_access.rb
+- lib/gds-sso/authorise_user.rb
+- lib/gds-sso/authorised_user_constraint.rb
 - lib/gds-sso/bearer_token.rb
 - lib/gds-sso/config.rb
 - lib/gds-sso/controller_methods.rb
@@ -272,6 +268,8 @@ files:
 - spec/support/timecop.rb
 - spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
+- spec/unit/authorise_user_spec.rb
+- spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
 - spec/unit/mock_bearer_token_spec.rb
@@ -290,14 +288,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.0'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.5
+rubygems_version: 3.5.9
 signing_key: 
 specification_version: 4
 summary: Client for GDS' OAuth 2-based SSO
@@ -319,6 +317,8 @@ test_files:
 - spec/support/timecop.rb
 - spec/system/authentication_and_authorisation_spec.rb
 - spec/unit/api_access_spec.rb
+- spec/unit/authorise_user_spec.rb
+- spec/unit/authorised_user_constraint_spec.rb
 - spec/unit/bearer_token_spec.rb
 - spec/unit/config_spec.rb
 - spec/unit/mock_bearer_token_spec.rb