osso 0.0.3.7

data/spec/factories/authorization_code.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :authorization_code, class: Osso::Models::AuthorizationCode do
+    id { SecureRandom.uuid }
+    redirect_uri { Faker::Internet.url(path: '/saml-box/callback') }
+    user
+    oauth_client
+  end
+end

data/spec/factories/enterprise_account.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :enterprise_account, class: Osso::Models::EnterpriseAccount do
+    id { SecureRandom.uuid }
+    name { Faker::Company.name }
+    domain { Faker::Internet.domain_name }
+    oauth_client
+  end
+
+  factory :enterprise_with_okta, parent: :enterprise_account do
+    after :create do |enterprise|
+      create(
+        :okta_identity_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+    end
+  end
+
+  factory :enterprise_with_azure, parent: :enterprise_account do
+    after :create do |enterprise|
+      create(
+        :azure_identity_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+    end
+  end
+
+  factory :enterprise_with_multiple_providers, parent: :enterprise_account do
+    after :create do |enterprise|
+      create(
+        :okta_identity_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+
+      create(
+        :azure_identity_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+    end
+  end
+end

data/spec/factories/identity_providers.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :identity_provider, class: Osso::Models::IdentityProvider do
+    id { SecureRandom.uuid }
+    domain { Faker::Internet.domain_name }
+    oauth_client
+
+    factory :okta_identity_provider, parent: :identity_provider do
+      service { 'OKTA' }
+      sso_url do
+        'https://dev-162024.okta.com/app/vcardmedev162024_rubydemo2_1/exk51326b3U1941Hf4x6/sso/saml'
+      end
+    end
+
+    factory :azure_identity_provider, parent: :identity_provider do
+      service { 'AZURE' }
+      sso_url do
+        'https://login.microsoftonline.com/0af6c610-c40c-4683-9ea4-f25e509b8172/saml2'
+      end
+    end
+
+    factory :configured_identity_provider, parent: :identity_provider do
+      sso_cert do
+        <<~CERT
+          -----BEGIN CERTIFICATE-----
+          MIIDpDCCAoygAwIBAgIGAXEiD4LlMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
+          A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+          MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xNjIwMjQxHDAaBgkqhkiG9w0BCQEW
+          DWluZm9Ab2t0YS5jb20wHhcNMjAwMzI4MTY1MTU0WhcNMzAwMzI4MTY1MjU0WjCBkjELMAkGA1UE
+          BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
+          BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTYyMDI0MRwwGgYJ
+          KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+          wsnP4UTfv3bxR5Jh0at51Dqjj+fKxFznzFW3XA5NbF2SlRLjeYcvj3+47TC0eP6xOsLWfnvdnx4v
+          dd9Ufn7jDCo5pL3JykMVEh2I0szF3RLC+a532ArcwgU9Px48+rWVwPkASS7l4NHAM4+gOBHJMQt2
+          AMohPT0kU41P8BEPzfwhNyiEXR66JNZIJUE8fM3Vpgnxm/VSwYzJf0NfOyfxv8JczF0zkDbpE7Tk
+          3Ww/PFFLoMxWzanWGJQ+blnhv6UV6H4fcfAbcwAplOdIVHjS2ghYBvYNGahuFxjia0+6csyZGrt8
+          H4XmR5Dr+jXY5K1b1VOA0k19/FCnHHN/smn25wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBgD9NE
+          4OCuR1+vucV8S1T6XXIL2hB7bXBAZEVHZ1aErRzktgXAMgVwG267vIkD5VOXBiTy9yNU5LK6G3k2
+          zewU190sL1dMfyPnoVZyn94nvwe9A+on0tmZdmk00xirKk3FJdacnZNE9Dl/afIrcNf6xAm0WsU9
+          kbMiRwwvjO4TAiygDQzbrRC8ZfmT3hpBa3aTUzAccrvEQcgarLk4r7UjXP7a2mCN3UIIh+snN2Ms
+          vXHL0r6fM3xbniz+5lleWtPFw73yySBc8znkWZ4Tn8Lh0r6o5nCRYbr2REUB7ZIfiIyBbZxIp4kv
+          a+habbnQDFiNVzEd8OPXHh4EqLxOPDRW
+          -----END CERTIFICATE-----
+        CERT
+      end
+    end
+  end
+end

data/spec/factories/oauth_client.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :oauth_client, class: Osso::Models::OauthClient do
+    id { SecureRandom.uuid }
+    name { Faker::Internet.domain_name }
+    after(:create) do |client|
+      create(:primary_redirect_uri, oauth_client: client)
+      create(:redirect_uri, oauth_client: client)
+    end
+  end
+end

data/spec/factories/redirect_uri.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :redirect_uri, class: Osso::Models::RedirectUri do
+    id { SecureRandom.uuid }
+    uri { Faker::Internet.url }
+    primary { false }
+    oauth_client
+  end
+
+  factory :primary_redirect_uri, parent: :redirect_uri do
+    primary { true }
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :user, class: Osso::Models::User do
+    id { SecureRandom.uuid }
+    email { Faker::Internet.email }
+    idp_id { SecureRandom.hex(32) }
+    identity_provider { create(:okta_identity_provider) }
+    enterprise_account
+    after(:create) do |user|
+      create(
+        :authorization_code,
+        user: user,
+        redirect_uri: user.oauth_client.redirect_uri_values.sample,
+      )
+    end
+  end
+end

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'ConfigureIdentityProvider' do
+    let(:enterprise_account) { create(:enterprise_account) }
+    let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account) }
+    let(:variables) do
+      {
+        input: {
+          id: identity_provider.id,
+          service: 'OKTA',
+          ssoUrl: 'https://example.com',
+          ssoCert: 'BEGIN_CERTIFICATE',
+        },
+      }
+    end
+    let(:mutation) do
+      <<~GRAPHQL
+         mutation ConfigureIdentityProvider($input: ConfigureIdentityProviderInput!) {
+          configureIdentityProvider(input: $input) {
+            identityProvider {
+              id
+              domain
+              configured
+              enterpriseAccountId
+              service
+              acsUrl
+              ssoCert
+              ssoUrl
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    subject do
+      described_class.execute(
+        mutation,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      it 'configures an identity provider' do
+        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'configured')).
+          to be true
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:domain) { Faker::Internet.domain_name }
+      let(:current_scope) { domain }
+      let(:enterprise_account) { create(:enterprise_account, domain: domain) }
+      let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account, domain: domain) }
+
+      it 'configures an identity provider' do
+        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'domain')).
+          to eq(domain)
+      end
+    end
+
+    describe 'for the wrong email scoped user' do
+      let(:domain) { Faker::Internet.domain_name }
+      let(:current_scope) { domain }
+
+      it 'does not configure an identity provider' do
+        expect(subject.dig('errors')).to_not be_empty
+      end
+    end
+  end
+end

data/spec/graphql/mutations/create_enterprise_account_spec.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'CreateIdentityProvider' do
+    let(:domain) { Faker::Internet.domain_name }
+    let(:variables) do
+      {
+        input: {
+          name: Faker::Company.name,
+          domain: domain,
+        },
+      }
+    end
+
+    let(:mutation) do
+      <<~GRAPHQL
+         mutation CreateEnterpriseAccount($input: CreateEnterpriseAccountInput!) {
+          createEnterpriseAccount(input: $input) {
+            enterpriseAccount {
+              id
+              domain
+              name
+              status
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    subject do
+      described_class.execute(
+        mutation,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      it 'creates an Enterprise Account' do
+        expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to eq(domain)
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:current_scope) { domain }
+
+      it 'creates an Enterprise Account' do
+        expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to eq(domain)
+      end
+    end
+    describe 'for the wrong email scoped user' do
+      let(:current_scope) { 'foo.com' }
+
+      it 'does not create an Enterprise Account' do
+        expect { subject }.to_not(change { Osso::Models::EnterpriseAccount.count })
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to be_nil
+      end
+    end
+  end
+end

data/spec/graphql/mutations/create_identity_provider_spec.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'CreateIdentityProvider' do
+    let(:enterprise_account) { create(:enterprise_account) }
+    let(:mutation) do
+      <<~GRAPHQL
+         mutation CreateIdentityProvider($input: CreateIdentityProviderInput!) {
+          createIdentityProvider(input: $input) {
+            identityProvider {
+              id
+              domain
+              enterpriseAccountId
+              service
+              acsUrl
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    subject do
+      described_class.execute(
+        mutation,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      describe 'without a service' do
+        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
+
+        it 'creates an identity provider' do
+          expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
+          expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'domain')).
+            to eq(enterprise_account.domain)
+        end
+      end
+
+      describe 'with a service' do
+        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
+
+        it 'creates an identity provider for given service ' do
+          expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
+          expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'service')).
+            to eq('OKTA')
+        end
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:domain) { Faker::Internet.domain_name }
+      let(:current_scope) { domain }
+      let(:enterprise_account) { create(:enterprise_account, domain: domain) }
+
+      describe 'without a service' do
+        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
+
+        it 'creates an identity provider' do
+          expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
+          expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'domain')).
+            to eq(domain)
+        end
+      end
+
+      describe 'with a service' do
+        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
+
+        it 'creates an identity provider for given service ' do
+          expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
+          expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'service')).
+            to eq('OKTA')
+        end
+      end
+    end
+
+    describe 'for a wrong email scoped user' do
+      let(:domain) { Faker::Internet.domain_name }
+      let(:current_scope) { domain }
+      let(:enterprise_account) { create(:enterprise_account, domain: domain) }
+      let(:target_account) { create(:enterprise_account) }
+
+      describe 'without a service' do
+        let(:variables) { { input: { enterpriseAccountId: target_account.id } } }
+
+        it 'does not creates a identity provider' do
+          expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
+        end
+      end
+
+      describe 'with a service' do
+        let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA' } } }
+
+        it 'does not creates a identity provider' do
+          expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
+        end
+      end
+    end
+  end
+end

data/spec/graphql/query/enterprise_account_spec.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'EnterpriseAccount' do
+    let(:domain) { Faker::Internet.domain_name }
+    let(:variables) { { domain: domain } }
+    let(:query) do
+      <<~GRAPHQL
+        query EnterpriseAccount($domain: String!) {
+          enterpriseAccount(domain: $domain) {
+            domain
+              id
+              identityProviders {
+                id
+                service
+                domain
+                acsUrl
+                ssoCert
+                ssoUrl
+                configured
+              }
+              name
+              status
+            }
+        }
+      GRAPHQL
+    end
+
+    before do
+      create(:enterprise_account)
+      create(:enterprise_account, domain: domain)
+    end
+
+    subject do
+      described_class.execute(
+        query,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      it 'returns Enterprise Account for domain' do
+        expect(subject['errors']).to be_nil
+        expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:current_scope) { domain }
+      it 'returns Enterprise Account for domain' do
+        expect(subject['errors']).to be_nil
+        expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
+      end
+    end
+
+    describe 'for the wrong email scoped user' do
+      let(:current_scope) { 'bar.com' }
+      it 'returns Enterprise Account for domain' do
+        expect(subject['errors']).to be_nil
+        expect(subject.dig('data', 'enterpriseAccount')).to be_nil
+      end
+    end
+  end
+end