osso 0.0.3.7

data/lib/osso/graphql/types.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Osso
+  module Types
+  end
+end
+
+require_relative 'types/base_object'
+require_relative 'types/base_enum'
+require_relative 'types/base_input_object'
+require_relative 'types/identity_provider_service'
+require_relative 'types/identity_provider'
+require_relative 'types/enterprise_account'
+require_relative 'types/oauth_client'
+require_relative 'types/user'

data/lib/osso/graphql/types/base_enum.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseEnum < ::GraphQL::Schema::Enum
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_input_object.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseInputObject < ::GraphQL::Schema::InputObject
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseObject < ::GraphQL::Schema::Object
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class EnterpriseAccount < Types::BaseObject
+        description 'An Account for a company that wishes to use SAML via Osso'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :name, String, null: false
+        field :domain, String, null: false
+        field :identity_providers, [Types::IdentityProvider], null: true
+        field :status, String, null: false
+
+        def status
+          'active'
+        end
+
+        def identity_providers
+          object.identity_providers
+        end
+
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/identity_provider.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProvider < Types::BaseObject
+        description 'Represents a SAML based IDP instance for an EnterpriseAccount'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :enterprise_account_id, ID, null: false
+        field :service, Types::IdentityProviderService, null: true
+        field :domain, String, null: false
+        field :acs_url, String, null: false
+        field :sso_url, String, null: true
+        field :sso_cert, String, null: true
+        field :configured, Boolean, null: false
+        field :documentation_pdf_url, String, null: true
+
+        def configured
+          !!(@object.sso_url && @object.sso_cert)
+        end
+
+        def documentation_pdf_url
+          ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
+        end
+
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProviderService < BaseEnum
+        value('AZURE', 'Microsoft Azure Identity Provider', value: 'Osso::Models::AzureSamlProvider')
+        value('OKTA', 'Okta Identity Provider', value: 'Osso::Models::OktaSamlProvider')
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/oauth_client.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class OAuthClient < Types::BaseObject
+        description 'An OAuth client used to consume Osso SAML users'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :name, String, null: false
+        field :client_id, String, null: false
+        field :client_secret, String, null: false
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/user.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require_relative 'base_object'
+
+module Osso
+  module GraphQL
+    module Types
+      class User < Types::BaseObject
+        description 'A User of the application'
+
+        field :id, ID, null: false
+        field :name, String, null: true
+      end
+    end
+  end
+end

data/lib/osso/helpers/auth.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Osso
+  module Helpers
+    module Auth
+      attr_accessor :current_scope
+
+      def enterprise_protected!(domain = nil)
+        return if admin_authorized?
+        return if enterprise_authorized?(domain)
+
+        halt 401 if request.post?
+
+        redirect ENV['JWT_URL']
+      end
+
+      def enterprise_authorized?(_domain)
+        payload, _args = JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
+
+        @current_scope = payload['scope']
+
+        true
+      rescue JWT::DecodeError
+        false
+      end
+
+      def admin_protected!
+        return if admin_authorized?
+
+        redirect ENV['JWT_URL']
+      end
+
+      def admin_authorized?
+        payload, _args = JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
+
+        if payload['scope'] == 'admin'
+          @current_scope = :admin
+          return true
+        end
+
+        false
+      rescue JWT::DecodeError
+        false
+      end
+
+      def token
+        request.env['admin_token'] || session['admin_token'] || request['admin_token']
+      end
+
+      def chomp_token
+        return unless request['admin_token'].present?
+
+        session['admin_token'] = request['admin_token']
+
+        return if request.post?
+
+        redirect request.path
+      end
+    end
+  end
+end

data/lib/osso/helpers/helpers.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Osso
+  module Helpers
+  end
+end
+
+require_relative 'auth'

data/lib/osso/lib/app_config.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rack/contrib'
+
+module Osso
+  module AppConfig
+    def self.included(klass)
+      klass.class_eval do
+        use Rack::JSONBodyParser
+        use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+
+        error ActiveRecord::RecordNotFound do
+          status 404
+        end
+
+        set :root, Dir.pwd
+      end
+    end
+  end
+end

data/lib/osso/lib/oauth2_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module Osso
+  module OAuth2Token
+    def self.included(klass)
+      klass.class_eval do
+        cattr_accessor :default_lifetime
+        self.default_lifetime = 1.minute
+        belongs_to :user
+        belongs_to :oauth_client
+
+        before_validation :setup, on: :create
+        validates :oauth_client, :expires_at, presence: true
+        validates :token, presence: true, uniqueness: true
+
+        scope :valid, -> { where('expires_at > ?', Time.now.utc) }
+      end
+    end
+
+    def expires_in
+      (expires_at - Time.now.utc).to_i
+    end
+
+    def expired!
+      self.expires_at = Time.now.utc
+      save!
+    end
+
+    private
+
+    def setup
+      self.token = SecureRandom.hex(32)
+      self.expires_at ||= default_lifetime.from_now
+    end
+  end
+end

data/lib/osso/lib/route_map.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/MethodLength
+
+module Osso
+  module RouteMap
+    def self.included(klass)
+      klass.class_eval do
+        use Osso::Admin
+        use Osso::Auth
+        use Osso::Oauth
+
+        post '/graphql' do
+          enterprise_protected!
+
+          result = Osso::GraphQL::Schema.execute(
+            params[:query],
+            variables: params[:variables],
+            context: { scope: current_scope },
+          )
+
+          json result
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/MethodLength

data/lib/osso/models/access_token.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class AccessToken < ::ActiveRecord::Base
+      include OAuth2Token
+      self.default_lifetime = 10.minutes
+      belongs_to :refresh_token
+
+      def to_bearer_token
+        Rack::OAuth2::AccessToken::Bearer.new(
+          access_token: token,
+          expires_in: expires_in,
+        )
+      end
+
+      private
+
+      def setup
+        super
+        return unless refresh_token
+
+        self.user = refresh_token.user
+        self.client = refresh_token.client
+        self.expires_at = [expires_at, refresh_token.expires_at].min
+      end
+    end
+  end
+end

data/lib/osso/models/authorization_code.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class AuthorizationCode < ActiveRecord::Base
+      include OAuth2Token
+
+      def access_token
+        @access_token ||= expired! &&
+          user.access_tokens.create(oauth_client: oauth_client)
+      end
+    end
+  end
+end

data/lib/osso/models/enterprise_account.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Base class for Enterprises. This should map one-to-one with
+    # your own Account model. Persisting the EnterpriseAccount id
+    # in your application's database is recommended. The table also
+    # includes fields for external IDs such that you can persist
+    # your ID for an account in your Osso instance.
+    class EnterpriseAccount < ActiveRecord::Base
+      belongs_to :oauth_client
+      has_many :users
+      has_many :identity_providers
+
+      def single_provider?
+        identity_providers.one?
+      end
+
+      def provider
+        return nil unless single_provider?
+
+        identity_providers.first
+      end
+
+      alias identity_provider provider
+    end
+  end
+end

data/lib/osso/models/identity_provider.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Base class for SAML Providers
+    class IdentityProvider < ActiveRecord::Base
+      NAME_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+      belongs_to :enterprise_account
+      belongs_to :oauth_client
+      has_many :users
+
+      def name
+        service.titlecase
+        # raise(
+        #   NoMethodError,
+        #   '#name must be defined on each provider specific subclass',
+        # )
+      end
+
+      def saml_options
+        attributes.slice(
+          'domain',
+          'idp_cert',
+          'idp_sso_target_url',
+        ).symbolize_keys
+      end
+
+      # def saml_options
+      #   raise(
+      #     NoMethodError,
+      #     '#saml_options must be defined on each provider specific subclass',
+      #   )
+      # end
+
+      def assertion_consumer_service_url
+        [
+          ENV.fetch('BASE_URL'),
+          'auth',
+          'saml',
+          id,
+          'callback',
+        ].join('/')
+      end
+
+      alias acs_url assertion_consumer_service_url
+    end
+  end
+end