osso 0.0.3.1 → 0.0.3.6

data/lib/osso/routes/auth.rb

@@ -8,6 +8,7 @@ require 'omniauth-saml'
 module Osso
   class Auth < Sinatra::Base
     include AppConfig
+    register Sinatra::Namespace
 
     UUID_REGEXP =
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
@@ -24,41 +25,43 @@ module Osso
         identity_provider_id_regex: UUID_REGEXP,
         path_prefix: '/saml',
         callback_suffix: 'callback',
-      ) do |saml_provider_id, _env|
-        provider = Models::SamlProvider.find(saml_provider_id)
+      ) do |identity_provider_id, _env|
+        provider = Models::IdentityProvider.find(identity_provider_id)
         provider.saml_options
       end
     end
 
-    # Enterprise users are sent here after authenticating against
-    # their Identity Provider. We find or create a user record,
-    # and then create an authorization code for that user. The user
-    # is redirected back to your application with this code
-    # as a URL query param, which you then exhange for an access token
-    post '/saml/:id/callback' do
-      provider = Models::SamlProvider.find(params[:id])
-      oauth_client = provider.oauth_client
-      redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
+    namespace '/auth' do
+      # Enterprise users are sent here after authenticating against
+      # their Identity Provider. We find or create a user record,
+      # and then create an authorization code for that user. The user
+      # is redirected back to your application with this code
+      # as a URL query param, which you then exhange for an access token
+      post '/saml/:id/callback' do
+        provider = Models::IdentityProvider.find(params[:id])
+        oauth_client = provider.oauth_client
+        redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
 
-      attributes = env['omniauth.auth']&.
-        extra&.
-        response_object&.
-        attributes
+        attributes = env['omniauth.auth']&.
+          extra&.
+          response_object&.
+          attributes
 
-      user = Models::User.where(
-        email: attributes[:email],
-        idp_id: attributes[:id],
-      ).first_or_create! do |new_user|
-        new_user.enterprise_account_id = provider.enterprise_account_id
-        new_user.saml_provider_id = provider.id
-      end
+        user = Models::User.where(
+          email: attributes[:email],
+          idp_id: attributes[:id],
+        ).first_or_create! do |new_user|
+          new_user.enterprise_account_id = provider.enterprise_account_id
+          new_user.identity_provider_id = provider.id
+        end
 
-      authorization_code = user.authorization_codes.create!(
-        oauth_client: oauth_client,
-        redirect_uri: redirect_uri,
-      )
+        authorization_code = user.authorization_codes.create!(
+          oauth_client: oauth_client,
+          redirect_uri: redirect_uri,
+        )
 
-      redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+      end
     end
   end
 end

data/lib/osso/routes/oauth.rb

@@ -5,54 +5,59 @@ require 'rack/oauth2'
 module Osso
   class Oauth < Sinatra::Base
     include AppConfig
-    # Send your users here in order to being an authentication
-    # flow. This flow follows the authorization grant oauth
-    # spec with one exception - you must also pass the domain
-    # of the user who wants to sign in.
-    get '/authorize' do
-      @enterprise = Models::EnterpriseAccount.
-        includes(:saml_providers).
-        find_by!(domain: params[:domain])
-
-      Rack::OAuth2::Server::Authorize.new do |req, _res|
-        client = Models::OauthClient.find_by!(identifier: req.client_id)
-        req.verify_redirect_uri!(client.redirect_uri_values)
-      end.call(env)
-
-      if @enterprise.single_provider?
-        session[:oauth_state] = params[:state]
-        redirect "/auth/saml/#{@enterprise.provider.id}"
+    register Sinatra::Namespace
+    # rubocop:disable Metrics/BlockLength
+    namespace '/oauth' do
+      # Send your users here in order to being an authentication
+      # flow. This flow follows the authorization grant oauth
+      # spec with one exception - you must also pass the domain
+      # of the user who wants to sign in.
+      get '/authorize' do
+        @enterprise = Models::EnterpriseAccount.
+          includes(:identity_providers).
+          find_by!(domain: params[:domain])
+
+        Rack::OAuth2::Server::Authorize.new do |req, _res|
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.verify_redirect_uri!(client.redirect_uri_values)
+        end.call(env)
+
+        if @enterprise.single_provider?
+          session[:oauth_state] = params[:state]
+          redirect "/auth/saml/#{@enterprise.provider.id}"
+        end
+
+        # TODO: multiple provider support
+        # erb :multiple_providers
+
+      rescue Rack::OAuth2::Server::Authorize::BadRequest => e
+        @error = e
+        return erb :error
       end
 
-      # TODO: multiple provider support
-      # erb :multiple_providers
-
-    rescue Rack::OAuth2::Server::Authorize::BadRequest => e
-      @error = e
-      return erb :error
-    end
-
-    # Exchange an authorization code token for an access token.
-    # In addition to the token, you must include all paramaters
-    # required by Oauth spec: redirect_uri, client ID, and client secret
-    post '/token' do
-      Rack::OAuth2::Server::Token.new do |req, res|
-        code = Models::AuthorizationCode.
-          find_by_token!(params[:code])
-        client = Models::OauthClient.find_by!(identifier: req.client_id)
-        req.invalid_client! if client.secret != req.client_secret
-        req.invalid_grant! if code.redirect_uri != req.redirect_uri
-        res.access_token = code.access_token.to_bearer_token
-      end.call(env)
-    end
+      # Exchange an authorization code token for an access token.
+      # In addition to the token, you must include all paramaters
+      # required by Oauth spec: redirect_uri, client ID, and client secret
+      post '/token' do
+        Rack::OAuth2::Server::Token.new do |req, res|
+          code = Models::AuthorizationCode.
+            find_by_token!(params[:code])
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.invalid_client! if client.secret != req.client_secret
+          req.invalid_grant! if code.redirect_uri != req.redirect_uri
+          res.access_token = code.access_token.to_bearer_token
+        end.call(env)
+      end
 
-    # Use the access token to request a user profile
-    get '/me' do
-      json Models::AccessToken.
-        includes(:user).
-        valid.
-        find_by_token!(params[:access_token]).
-        user
+      # Use the access token to request a user profile
+      get '/me' do
+        json Models::AccessToken.
+          includes(:user).
+          valid.
+          find_by_token!(params[:access_token]).
+          user
+      end
     end
   end
 end
+# rubocop:enable Metrics/BlockLength

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.1'
+  VERSION = '0.0.3.6'
 end

data/osso-rb.gemspec

@@ -2,6 +2,7 @@
 
 require_relative 'lib/osso/version'
 
+# rubocop:disable Metrics/BlockLength
 Gem::Specification.new do |spec|
   spec.name          = 'osso'
   spec.version       = Osso::VERSION
@@ -15,6 +16,7 @@ Gem::Specification.new do |spec|
   spec.license = 'MIT'
 
   spec.add_runtime_dependency 'activesupport', '>= 6.0.3.2'
+  spec.add_runtime_dependency 'graphql'
   spec.add_runtime_dependency 'jwt'
   spec.add_runtime_dependency 'omniauth-multi-provider'
   spec.add_runtime_dependency 'omniauth-saml'
@@ -29,12 +31,10 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'bundler', '~> 2.1'
   spec.add_development_dependency 'pry'
 
-  # Specify which files should be added to the gem when it is released.
-  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
   spec.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   spec.files         = `git ls-files`.split("\n")
   spec.test_files    = `git ls-files -- {spec}/*`.split("\n")
   spec.bindir        = 'bin'
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 end
+# rubocop:enable Metrics/BlockLength

data/spec/factories/enterprise_account.rb

@@ -3,6 +3,7 @@
 FactoryBot.define do
   factory :enterprise_account, class: Osso::Models::EnterpriseAccount do
     id { SecureRandom.uuid }
+    name { Faker::Company.name }
     domain { Faker::Internet.domain_name }
     oauth_client
   end
@@ -10,7 +11,7 @@ FactoryBot.define do
   factory :enterprise_with_okta, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :okta_saml_provider,
+        :okta_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -20,7 +21,7 @@ FactoryBot.define do
   factory :enterprise_with_azure, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :azure_saml_provider,
+        :azure_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -30,13 +31,13 @@ FactoryBot.define do
   factory :enterprise_with_multiple_providers, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :okta_saml_provider,
+        :okta_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
 
       create(
-        :azure_saml_provider,
+        :azure_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )

data/spec/factories/identity_providers.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :identity_provider, class: Osso::Models::IdentityProvider do
+    id { SecureRandom.uuid }
+    domain { Faker::Internet.domain_name }
+    oauth_client
+
+    factory :okta_identity_provider, parent: :identity_provider do
+      service { 'OKTA' }
+      sso_url do
+        'https://dev-162024.okta.com/app/vcardmedev162024_rubydemo2_1/exk51326b3U1941Hf4x6/sso/saml'
+      end
+    end
+
+    factory :azure_identity_provider, parent: :identity_provider do
+      service { 'AZURE' }
+      sso_url do
+        'https://login.microsoftonline.com/0af6c610-c40c-4683-9ea4-f25e509b8172/saml2'
+      end
+    end
+
+    factory :configured_identity_provider, parent: :identity_provider do
+      sso_cert do
+        <<~CERT
+          -----BEGIN CERTIFICATE-----
+          MIIDpDCCAoygAwIBAgIGAXEiD4LlMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
+          A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+          MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xNjIwMjQxHDAaBgkqhkiG9w0BCQEW
+          DWluZm9Ab2t0YS5jb20wHhcNMjAwMzI4MTY1MTU0WhcNMzAwMzI4MTY1MjU0WjCBkjELMAkGA1UE
+          BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
+          BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTYyMDI0MRwwGgYJ
+          KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+          wsnP4UTfv3bxR5Jh0at51Dqjj+fKxFznzFW3XA5NbF2SlRLjeYcvj3+47TC0eP6xOsLWfnvdnx4v
+          dd9Ufn7jDCo5pL3JykMVEh2I0szF3RLC+a532ArcwgU9Px48+rWVwPkASS7l4NHAM4+gOBHJMQt2
+          AMohPT0kU41P8BEPzfwhNyiEXR66JNZIJUE8fM3Vpgnxm/VSwYzJf0NfOyfxv8JczF0zkDbpE7Tk
+          3Ww/PFFLoMxWzanWGJQ+blnhv6UV6H4fcfAbcwAplOdIVHjS2ghYBvYNGahuFxjia0+6csyZGrt8
+          H4XmR5Dr+jXY5K1b1VOA0k19/FCnHHN/smn25wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBgD9NE
+          4OCuR1+vucV8S1T6XXIL2hB7bXBAZEVHZ1aErRzktgXAMgVwG267vIkD5VOXBiTy9yNU5LK6G3k2
+          zewU190sL1dMfyPnoVZyn94nvwe9A+on0tmZdmk00xirKk3FJdacnZNE9Dl/afIrcNf6xAm0WsU9
+          kbMiRwwvjO4TAiygDQzbrRC8ZfmT3hpBa3aTUzAccrvEQcgarLk4r7UjXP7a2mCN3UIIh+snN2Ms
+          vXHL0r6fM3xbniz+5lleWtPFw73yySBc8znkWZ4Tn8Lh0r6o5nCRYbr2REUB7ZIfiIyBbZxIp4kv
+          a+habbnQDFiNVzEd8OPXHh4EqLxOPDRW
+          -----END CERTIFICATE-----
+        CERT
+      end
+    end
+  end
+end

data/spec/factories/user.rb

@@ -5,7 +5,7 @@ FactoryBot.define do
     id { SecureRandom.uuid }
     email { Faker::Internet.email }
     idp_id { SecureRandom.hex(32) }
-    saml_provider { create(:okta_saml_provider) }
+    identity_provider { create(:okta_identity_provider) }
     enterprise_account
     after(:create) do |user|
       create(

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'ConfigureIdentityProvider' do
+    let(:enterprise_account) { create(:enterprise_account) }
+    let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account) }
+    let(:variables) do
+      {
+        input: {
+          id: identity_provider.id,
+          service: 'OKTA',
+          ssoUrl: 'https://example.com',
+          ssoCert: 'BEGIN_CERTIFICATE',
+        },
+      }
+    end
+    let(:mutation) do
+      <<~GRAPHQL
+         mutation ConfigureIdentityProvider($input: ConfigureIdentityProviderInput!) {
+          configureIdentityProvider(input: $input) {
+            identityProvider {
+              id
+              domain
+              configured
+              enterpriseAccountId
+              service
+              acsUrl
+              ssoCert
+              ssoUrl
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    subject do
+      described_class.execute(
+        mutation,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      it 'configures an identity provider' do
+        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'configured')).
+          to be true
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:domain) { Faker::Internet.domain_name }
+      let(:current_scope) { domain }
+      let(:enterprise_account) { create(:enterprise_account, domain: domain) }
+
+      it 'creates an identity provider' do
+        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'domain')).
+          to eq(domain)
+      end
+    end
+  end
+end

data/spec/graphql/mutations/create_enterprise_account_spec.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'CreateIdentityProvider' do
+    let(:domain) { Faker::Internet.domain_name }
+    let(:variables) do
+      {
+        input: {
+          name: Faker::Company.name,
+          domain: domain,
+        },
+      }
+    end
+
+    let(:mutation) do
+      <<~GRAPHQL
+         mutation CreateEnterpriseAccount($input: CreateEnterpriseAccountInput!) {
+          createEnterpriseAccount(input: $input) {
+            enterpriseAccount {
+              id
+              domain
+              name
+              status
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    subject do
+      described_class.execute(
+        mutation,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      it 'creates an Enterprise Account' do
+        expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to eq(domain)
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:current_scope) { domain }
+
+      it 'creates an Enterprise Account' do
+        expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to eq(domain)
+      end
+    end
+    describe 'for the wrong email scoped user' do
+      let(:current_scope) { 'foo.com' }
+
+      it 'does not create an Enterprise Account' do
+        expect { subject }.to_not(change { Osso::Models::EnterpriseAccount.count })
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to be_nil
+      end
+    end
+  end
+end