osso 0.0.2.8

data/lib/osso/models/saml_providers/azure_saml_provider.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Subclass for Azure / ADFS IDP instances
+    class AzureSamlProvider < Models::SamlProvider
+      def name
+        'Azure'
+      end
+
+      def saml_options
+        attributes.slice(
+          'domain',
+          'idp_cert',
+          'idp_sso_target_url',
+        ).merge(
+          issuer: "id:#{id}",
+        ).symbolize_keys
+      end
+    end
+  end
+end

data/lib/osso/models/saml_providers/okta_saml_provider.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Subclass for Okta IDP instances
+    class OktaSamlProvider < Models::SamlProvider
+      def name
+        'Okta'
+      end
+
+      def saml_options
+        attributes.slice(
+          'domain',
+          'idp_cert',
+          'idp_sso_target_url',
+        ).merge(
+          issuer: id,
+          name_identifier_format: NAME_FORMAT,
+        ).symbolize_keys
+      end
+    end
+  end
+end

data/lib/osso/models/user.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class User < ActiveRecord::Base
+      belongs_to :enterprise_account
+      belongs_to :saml_provider
+      has_many :authorization_codes, dependent: :delete_all
+      has_many :access_tokens, dependent: :delete_all
+
+      def oauth_client
+        saml_provider.oauth_client
+      end
+
+      def as_json(*)
+        {
+          email: email,
+          id: id,
+          idp: saml_provider.name,
+        }
+      end
+    end
+  end
+end

data/lib/osso/rake.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+load 'active_record/railties/databases.rake'
+require "sinatra/activerecord/rake/activerecord_#{ActiveRecord::VERSION::MAJOR}"

data/lib/osso/routes/admin.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module Osso
+  class Admin < Sinatra::Base
+    include AppConfig
+    helpers Helpers::Auth
+
+    before do
+      chomp_token
+    end
+
+    get '/' do
+      admin_protected!
+
+      erb :'public/index'
+    end
+
+    get '/enterprise' do
+      admin_protected!
+
+      erb :admin
+    end
+
+    get '/enterprise/:domain' do
+      enterprise_protected!(params[:domain])
+
+      @enterprise = Models::EnterpriseAccount.where(
+        domain: params[:domain],
+      ).first_or_create
+
+      erb :admin
+    end
+
+    get '/config' do
+      admin_protected!
+
+      erb :admin
+    end
+  end
+end

data/lib/osso/routes/auth.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'cgi'
+require 'omniauth'
+require 'omniauth-multi-provider'
+require 'omniauth-saml'
+
+module Osso
+  class Auth < Sinatra::Base
+    include AppConfig
+
+    UUID_REGEXP =
+      /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
+        freeze
+
+    def self.internal_redirect?(env)
+      env['HTTP_REFERER']&.match(env['SERVER_NAME'])
+    end
+
+    use OmniAuth::Builder do
+      OmniAuth::MultiProvider.register(
+        self,
+        provider_name: 'saml',
+        identity_provider_id_regex: UUID_REGEXP,
+        path_prefix: '/saml',
+        callback_suffix: 'callback',
+      ) do |saml_provider_id, _env|
+        provider = Models::SamlProvider.find(saml_provider_id)
+        provider.saml_options
+      end
+    end
+
+    # Enterprise users are sent here after authenticating against
+    # their Identity Provider. We find or create a user record,
+    # and then create an authorization code for that user. The user
+    # is redirected back to your application with this code
+    # as a URL query param, which you then exhange for an access token
+    post '/saml/:id/callback' do
+      provider = Models::SamlProvider.find(params[:id])
+      oauth_client = provider.oauth_client
+      redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
+
+      attributes = env['omniauth.auth']&.
+        extra&.
+        response_object&.
+        attributes
+
+      user = Models::User.where(
+        email: attributes[:email],
+        idp_id: attributes[:id],
+      ).first_or_create! do |new_user|
+        new_user.enterprise_account_id = provider.enterprise_account_id
+        new_user.saml_provider_id = provider.id
+      end
+
+      authorization_code = user.authorization_codes.create!(
+        oauth_client: oauth_client,
+        redirect_uri: redirect_uri,
+      )
+
+      redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+    end
+  end
+end

data/lib/osso/routes/oauth.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'rack/oauth2'
+
+module Osso
+  class Oauth < Sinatra::Base
+    include AppConfig
+    # Send your users here in order to being an authentication
+    # flow. This flow follows the authorization grant oauth
+    # spec with one exception - you must also pass the domain
+    # of the user who wants to sign in.
+    get '/authorize' do
+      @enterprise = Models::EnterpriseAccount.
+        includes(:saml_providers).
+        find_by!(domain: params[:domain])
+
+      Rack::OAuth2::Server::Authorize.new do |req, _res|
+        client = Models::OauthClient.find_by!(identifier: req.client_id)
+        req.verify_redirect_uri!(client.redirect_uri_values)
+      end.call(env)
+
+      if @enterprise.single_provider?
+        session[:oauth_state] = params[:state]
+        redirect "/auth/saml/#{@enterprise.provider.id}"
+      end
+
+      erb :multiple_providers
+
+    rescue Rack::OAuth2::Server::Authorize::BadRequest => e
+      @error = e
+      return erb :error
+    end
+
+    # Exchange an authorization code token for an access token.
+    # In addition to the token, you must include all paramaters
+    # required by Oauth spec: redirect_uri, client ID, and client secret
+    post '/token' do
+      Rack::OAuth2::Server::Token.new do |req, res|
+        code = Models::AuthorizationCode.
+          find_by_token!(params[:code])
+        client = Models::OauthClient.find_by!(identifier: req.client_id)
+        req.invalid_client! if client.secret != req.client_secret
+        req.invalid_grant! if code.redirect_uri != req.redirect_uri
+        res.access_token = code.access_token.to_bearer_token
+      end.call(env)
+    end
+
+    # Use the access token to request a user profile
+    get '/me' do
+      json Models::AccessToken.
+        includes(:user).
+        valid.
+        find_by_token!(params[:access_token]).
+        user
+    end
+  end
+end

data/lib/osso/routes/routes.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'rack/contrib'
+require 'sinatra/base'
+require 'sinatra/contrib'
+require 'sinatra/json'
+
+require_relative 'admin'
+require_relative 'auth'
+require_relative 'oauth'

data/lib/osso/routes/views/error.erb

@@ -0,0 +1 @@
+<%= @error %>

data/lib/osso/routes/views/multiple_providers.erb

@@ -0,0 +1 @@
+multiple providers

data/lib/osso/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Osso
+  VERSION = '0.0.2.8'
+end

data/lib/osso.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Osso
+  require_relative 'osso/helpers/helpers'
+  require_relative 'osso/lib/app_config'
+  require_relative 'osso/lib/oauth2_token'
+  require_relative 'osso/models/models'
+  require_relative 'osso/routes/routes'
+end

data/lib/tasks/bootstrap.rake

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'sinatra/activerecord'
+require 'sinatra/activerecord/rake'
+require 'osso'
+require 'dotenv/tasks'
+
+namespace :osso do
+  desc 'Bootstrap Osso data for a deployment'
+  task bootstrap: :dotenv do
+    %w[Production Staging Development].each do |environement|
+      Osso::Models::OauthClient.create!(
+        name: environement,
+      )
+    end
+  end
+end

data/osso-rb.gemspec

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative 'lib/osso/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'osso'
+  spec.version       = Osso::VERSION
+  spec.authors       = ['Sam Bauch']
+  spec.email         = ['sbauch@gmail.com']
+
+  spec.summary       = 'Main functionality for Osso'
+  spec.description   = 'This gem includes the main functionality for Osso apps,'
+  spec.homepage      = 'https://github.com/enterprise-oss/osso-rb'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+  spec.license = 'MIT'
+
+  spec.add_runtime_dependency 'activesupport', '>= 6.0.3.2'
+  spec.add_runtime_dependency 'jwt'
+  spec.add_runtime_dependency 'omniauth-multi-provider'
+  spec.add_runtime_dependency 'omniauth-saml'
+  spec.add_runtime_dependency 'rack', '>= 2.1.4'
+  spec.add_runtime_dependency 'rack-contrib'
+  spec.add_runtime_dependency 'rack-oauth2'
+  spec.add_runtime_dependency 'rake'
+  spec.add_runtime_dependency 'sinatra'
+  spec.add_runtime_dependency 'sinatra-activerecord'
+  spec.add_runtime_dependency 'sinatra-contrib'
+
+  spec.add_development_dependency 'bundler', '~> 2.1'
+  spec.add_development_dependency 'pry'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  spec.files         = `git ls-files`.split("\n")
+  spec.test_files    = `git ls-files -- {spec}/*`.split("\n")
+  spec.bindir        = 'bin'
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+end

data/spec/factories/authorization_code.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :authorization_code, class: Osso::Models::AuthorizationCode do
+    id { SecureRandom.uuid }
+    redirect_uri { Faker::Internet.url(path: '/saml-box/callback') }
+    user
+    oauth_client
+  end
+end

data/spec/factories/enterprise_account.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :enterprise_account, class: Osso::Models::EnterpriseAccount do
+    id { SecureRandom.uuid }
+    domain { Faker::Internet.domain_name }
+    oauth_client
+  end
+
+  factory :enterprise_with_okta, parent: :enterprise_account do
+    after :create do |enterprise|
+      create(
+        :okta_saml_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+    end
+  end
+
+  factory :enterprise_with_azure, parent: :enterprise_account do
+    after :create do |enterprise|
+      create(
+        :azure_saml_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+    end
+  end
+
+  factory :enterprise_with_multiple_providers, parent: :enterprise_account do
+    after :create do |enterprise|
+      create(
+        :okta_saml_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+
+      create(
+        :azure_saml_provider,
+        domain: enterprise.domain,
+        enterprise_account_id: enterprise.id,
+      )
+    end
+  end
+end

data/spec/factories/oauth_client.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :oauth_client, class: Osso::Models::OauthClient do
+    id { SecureRandom.uuid }
+    name { Faker::Internet.domain_name }
+    after(:create) do |client|
+      create(:primary_redirect_uri, oauth_client: client)
+      create(:redirect_uri, oauth_client: client)
+    end
+  end
+end

data/spec/factories/redirect_uri.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :redirect_uri, class: Osso::Models::RedirectUri do
+    id { SecureRandom.uuid }
+    uri { Faker::Internet.url }
+    primary { false }
+    oauth_client
+  end
+
+  factory :primary_redirect_uri, parent: :redirect_uri do
+    primary { true }
+  end
+end

data/spec/factories/saml_providers.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :saml_provider, class: Osso::Models::SamlProvider do
+    id { SecureRandom.uuid }
+    domain { Faker::Internet.domain_name }
+    oauth_client
+    idp_cert do
+      <<~CERT
+        -----BEGIN CERTIFICATE-----
+        MIIDpDCCAoygAwIBAgIGAXEiD4LlMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
+        A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+        MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xNjIwMjQxHDAaBgkqhkiG9w0BCQEW
+        DWluZm9Ab2t0YS5jb20wHhcNMjAwMzI4MTY1MTU0WhcNMzAwMzI4MTY1MjU0WjCBkjELMAkGA1UE
+        BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
+        BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTYyMDI0MRwwGgYJ
+        KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+        wsnP4UTfv3bxR5Jh0at51Dqjj+fKxFznzFW3XA5NbF2SlRLjeYcvj3+47TC0eP6xOsLWfnvdnx4v
+        dd9Ufn7jDCo5pL3JykMVEh2I0szF3RLC+a532ArcwgU9Px48+rWVwPkASS7l4NHAM4+gOBHJMQt2
+        AMohPT0kU41P8BEPzfwhNyiEXR66JNZIJUE8fM3Vpgnxm/VSwYzJf0NfOyfxv8JczF0zkDbpE7Tk
+        3Ww/PFFLoMxWzanWGJQ+blnhv6UV6H4fcfAbcwAplOdIVHjS2ghYBvYNGahuFxjia0+6csyZGrt8
+        H4XmR5Dr+jXY5K1b1VOA0k19/FCnHHN/smn25wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBgD9NE
+        4OCuR1+vucV8S1T6XXIL2hB7bXBAZEVHZ1aErRzktgXAMgVwG267vIkD5VOXBiTy9yNU5LK6G3k2
+        zewU190sL1dMfyPnoVZyn94nvwe9A+on0tmZdmk00xirKk3FJdacnZNE9Dl/afIrcNf6xAm0WsU9
+        kbMiRwwvjO4TAiygDQzbrRC8ZfmT3hpBa3aTUzAccrvEQcgarLk4r7UjXP7a2mCN3UIIh+snN2Ms
+        vXHL0r6fM3xbniz+5lleWtPFw73yySBc8znkWZ4Tn8Lh0r6o5nCRYbr2REUB7ZIfiIyBbZxIp4kv
+        a+habbnQDFiNVzEd8OPXHh4EqLxOPDRW
+        -----END CERTIFICATE-----
+      CERT
+    end
+
+    factory :okta_saml_provider, parent: :saml_provider, class: Osso::Models::OktaSamlProvider do
+      provider { 'Osso::Models::OktaSamlProvider' }
+      idp_sso_target_url do
+        'https://dev-162024.okta.com/app/vcardmedev162024_rubydemo2_1/exk51326b3U1941Hf4x6/sso/saml'
+      end
+    end
+
+    factory :azure_saml_provider, parent: :saml_provider, class: Osso::Models::AzureSamlProvider do
+      provider { 'Osso::Models::AzureSamlProvider' }
+      idp_sso_target_url do
+        'https://login.microsoftonline.com/0af6c610-c40c-4683-9ea4-f25e509b8172/saml2'
+      end
+    end
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :user, class: Osso::Models::User do
+    id { SecureRandom.uuid }
+    email { Faker::Internet.email }
+    idp_id { SecureRandom.hex(32) }
+    saml_provider { create(:okta_saml_provider) }
+    enterprise_account
+    after(:create) do |user|
+      create(
+        :authorization_code,
+        user: user,
+        redirect_uri: user.oauth_client.redirect_uri_values.sample,
+      )
+    end
+  end
+end

data/spec/models/azure_saml_provider_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Models::AzureSamlProvider do
+  subject { create(:azure_saml_provider) }
+
+  describe '#saml_options' do
+    it 'returns the required args' do
+      expect(subject.saml_options).
+        to match(
+          domain: subject.domain,
+          idp_cert: subject.idp_cert,
+          idp_sso_target_url: subject.idp_sso_target_url,
+          issuer: "id:#{subject.id}",
+        )
+    end
+  end
+end

data/spec/models/okta_saml_provider_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Models::OktaSamlProvider do
+  subject { create(:okta_saml_provider) }
+
+  describe '#saml_options' do
+    it 'returns the required args' do
+      expect(subject.saml_options).
+        to match(
+          domain: subject.domain,
+          idp_cert: subject.idp_cert,
+          idp_sso_target_url: subject.idp_sso_target_url,
+          issuer: subject.id,
+          name_identifier_format: described_class::NAME_FORMAT,
+        )
+    end
+  end
+end

data/spec/models/saml_provider_spec.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Models::SamlProvider do
+  subject { create(:okta_saml_provider) }
+
+  describe '.create' do
+    it 'creates an enterprise account' do
+      domain = Faker::Internet.domain_name
+
+      provider = described_class.create(
+        domain: domain,
+        provider: 'Osso::Models::OktaSamlProvider',
+      )
+
+      expect(provider.enterprise_account).to be_a(Osso::Models::EnterpriseAccount)
+      expect(provider.enterprise_account.domain).to eq(domain)
+    end
+  end
+
+  describe '#assertion_consumer_service_url' do
+    it 'returns the expected URI' do
+      ENV['BASE_URL'] = 'https://example.com'
+
+      expect(subject.assertion_consumer_service_url).to eq(
+        "https://example.com/auth/saml/#{subject.id}/callback",
+      )
+    end
+  end
+end

data/spec/routes/admin_spec.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Admin do
+  let(:jwt_url) { 'https://foo.com/jwt' }
+  let(:jwt_hmac_secret) { SecureRandom.hex(32) }
+
+  before do
+    ENV['JWT_URL'] = jwt_url
+    ENV['JWT_HMAC_SECRET'] = jwt_hmac_secret
+  end
+
+  describe 'get /admin' do
+    it 'redirects to JWT_URL without a session or token' do
+      get('/admin')
+
+      expect(last_response).to be_redirect
+      follow_redirect!
+      expect(last_request.url).to eq(jwt_url)
+    end
+
+    it 'redirects to JWT_URL with an invalid token' do
+      get('/admin', token: SecureRandom.hex(32))
+
+      expect(last_response).to be_redirect
+      follow_redirect!
+      expect(last_request.url).to eq(jwt_url)
+    end
+
+    it 'chomps the token and redirects to request path with valid token' do
+      token = JWT.encode(
+        { email: 'admin@saas.com', scope: 'admin' },
+        jwt_hmac_secret,
+        'HS256',
+      )
+
+      get('/admin', { admin_token: token })
+
+      expect(last_response).to be_redirect
+      follow_redirect!
+      expect(last_request.url).to match('/admin')
+    end
+
+    it 'renders the admin page for a valid session token' do
+      token = JWT.encode(
+        { email: 'admin@saas.com', scope: 'admin' },
+        jwt_hmac_secret,
+        'HS256',
+      )
+
+      get('/admin', {}, 'rack.session' => { admin_token: token })
+
+      expect(last_response).to be_ok
+    end
+  end
+end

data/spec/routes/app_spec.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'App' do
+end