osso 0.0.3.11 → 0.0.3.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ffe9bf4e6f4de963af60c998d318a471e1ff3e33ef5a6c544c8923de762020bc
-  data.tar.gz: a994f84634c584268e517688ec62b61315da4fa1ab2ea05787305b34deb964f5
+  metadata.gz: 6e33fd333f7c329404b9a9bdeb62551629b38a8b615b6aef556bc4b4c0ca2a03
+  data.tar.gz: e8c21ea78f2f33e5b6497c85148ff67221949ded6c34380dcb48a6eb450d6dc6
 SHA512:
-  metadata.gz: 6c4e301385bb83a8ca5f7d66e4a3b3383c7ea3f58f395dc83e1cbadadb2a6896e1852ed787ae9a33a37a2871c3d5c28e5f33e072b7980ad904f958e95b4addb8
-  data.tar.gz: 8529f13cc30d05946b7fa798b117483dd20b9415d27b6caccecfff228a666b73bfd1f36ceb7e19d7977803159a56aff0eca9075cb380fe7fde3ce560a1847217
+  metadata.gz: 76779ec670e1a6c12589a3b2a1f319e8855ba8770a83489787d56c43bb8a23aa9a75ee9b9864dfce76f54061e3829ce639214ba5f5a4c7c8efc699e1776801a6
+  data.tar.gz: 356194bce279f215d58ea36e0e7e188c4ee134a4a4b55ce435fdee255caf23c39974f0b87a305e332a84b7aaf519db6ee13525beecd47117b9f9ebbd765679e3

data/.buildkite/pipeline.yml

@@ -5,4 +5,11 @@ steps:
       - bundle exec rake db:drop
       - bundle exec rake db:create
       - RACK_ENV=test bundle exec rake db:migrate
-      - bundle exec rspec
+      - bundle exec rspec
+  
+  - block: ":rubygems: Publish :red_button:"
+    branches: "main"
+  
+  - name: "Push :rubygems:"
+    commands: "./bin/publish"
+    branches: "main"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.3.11)
+    osso (0.0.3.16)
       activesupport (>= 6.0.3.2)
       graphql
       jwt
@@ -66,7 +66,7 @@ GEM
     method_source (1.0.0)
     mini_portile2 (2.4.0)
     minitest (5.14.1)
-    multi_json (1.14.1)
+    multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
     nokogiri (1.10.9)

data/bin/publish

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Scriptacular - gemify.sh
+# Create a Ruby gem and push it to rubygems.org
+# Copyright 2013 Christopher Simpkins
+# MIT License
+
+GEM_NAME="osso-rb"
+GEMSPEC_SUFFIX=".gemspec"
+
+# run the gem build and parse for the gem release filename
+GEM_BUILD_NAME=$(gem build "$GEM_NAME$GEMSPEC_SUFFIX" |  awk '/File/ {print $2}' -)
+
+if [ -z "$GEM_BUILD_NAME" ]; then
+  echo "The gem build failed." >&2
+  exit 1
+fi
+
+gem push $GEM_BUILD_NAME

data/lib/osso/graphql/mutation.rb

@@ -12,6 +12,8 @@ module Osso
         field :create_oauth_client, mutation: Mutations::CreateOauthClient
         field :delete_enterprise_account, mutation: Mutations::DeleteEnterpriseAccount
         field :delete_oauth_client, mutation: Mutations::DeleteOauthClient
+        field :set_redirect_uris, mutation: Mutations::SetRedirectUris
+        field :regenerate_oauth_credentials, mutation: Mutations::RegenerateOauthCredentials
       end
     end
   end

data/lib/osso/graphql/mutations.rb

@@ -12,3 +12,5 @@ require_relative 'mutations/create_enterprise_account'
 require_relative 'mutations/create_oauth_client'
 require_relative 'mutations/delete_enterprise_account'
 require_relative 'mutations/delete_oauth_client'
+require_relative 'mutations/regenerate_oauth_credentials'
+require_relative 'mutations/set_redirect_uris'

data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class RegenerateOauthCredentials < BaseMutation
+        null false
+
+        argument :id, ID, required: true
+
+        field :oauth_client, Types::OauthClient, null: false
+        field :errors, [String], null: false
+
+        def resolve(id:)
+          oauth_client = Osso::Models::OauthClient.find(id)
+          oauth_client.generate_secrets
+
+          return response_data(oauth_client: oauth_client) if oauth_client.save
+
+          response_error(errors: oauth_client.errors.full_messages)
+        end
+
+        def ready?(*)
+          return true if context[:scope] == :admin
+
+          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/set_redirect_uris.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class SetRedirectUris < BaseMutation
+        null false
+
+        argument :id, ID, required: true
+        argument :redirect_uris, [Types::RedirectUrisInput], required: true
+
+        field :oauth_client, Types::OauthClient, null: true
+        field :errors, [String], null: false
+
+        def resolve(id:, redirect_uris:)
+          oauth_client = Osso::Models::OauthClient.find(id)
+
+          update_existing(oauth_client, redirect_uris)
+          create_new(oauth_client, redirect_uris)
+
+          response_data(oauth_client: oauth_client.reload)
+        rescue StandardError => e
+          response_error(errors: e)
+        end
+
+        def ready?(*)
+          return true if context[:scope] == :admin
+
+          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+        end
+
+        def update_existing(oauth_client, redirect_uris)
+          oauth_client.redirect_uris.each do |redirect|
+            updating_index = redirect_uris.index { |incoming| incoming[:id] == redirect.id }
+
+            if updating_index
+              updating = redirect_uris.delete_at(updating_index)
+              redirect.update(updating.to_h)
+              next
+            end
+
+            redirect.destroy
+          end
+        end
+
+        def create_new(oauth_client, redirect_uris)
+          redirect_uris.map do |uri|
+            oauth_client.redirect_uris.create(uri.to_h.without(:id))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/query.rb

@@ -8,12 +8,13 @@ module Osso
           argument :sort_column, String, required: false
           argument :sort_order, String, required: false
         end
-        field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
 
         field :enterprise_account, null: true, resolver: Resolvers::EnterpriseAccount do
           argument :domain, String, required: true
         end
 
+        field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
+
         field(
           :identity_provider,
           Types::IdentityProvider,
@@ -22,6 +23,15 @@ module Osso
         ) do
           argument :id, ID, required: true
         end
+
+        field(
+          :oauth_client,
+          Types::OauthClient,
+          null: true,
+          resolve: ->(_obj, args, _context) { Osso::Models::OauthClient.find(args[:id]) },
+        ) do
+          argument :id, ID, required: true
+        end
       end
     end
   end

data/lib/osso/graphql/types.rb

@@ -13,5 +13,7 @@ require_relative 'types/identity_provider_service'
 require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'
 require_relative 'types/enterprise_account'
+require_relative 'types/redirect_uri'
+require_relative 'types/redirect_uri_input'
 require_relative 'types/oauth_client'
 require_relative 'types/user'

data/lib/osso/graphql/types/oauth_client.rb

@@ -14,6 +14,7 @@ module Osso
         field :name, String, null: false
         field :client_id, String, null: false
         field :client_secret, String, null: false
+        field :redirect_uris, [Types::RedirectUri], null: true
 
         def client_id
           object.identifier

data/lib/osso/graphql/types/redirect_uri.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class RedirectUri < Types::BaseObject
+        description 'An allowed redirect URI for an OauthClient'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :uri, String, null: false
+        field :primary, Boolean, null: false
+
+        def self.authorized?(object, context)
+          super && context[:scope] == :admin
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/redirect_uri_input.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class RedirectUrisInput < Types::BaseInputObject
+        description 'Attributes for creating or updating a collection of redirect URIs for an Oauth Client'
+        argument :id, ID, 'Database ID', required: false
+        argument :uri, String, 'URI value', required: true
+        argument :primary, Boolean, 'Whether the URI is the primary uri used in IDP initiated login', required: true
+      end
+    end
+  end
+end

data/lib/osso/helpers/auth.rb

@@ -14,6 +14,8 @@ module Osso
         redirect ENV['JWT_URL']
       end
 
+      # use client id in payload to restrict customer
+      # users from accessing dev?
       def enterprise_authorized?(_domain)
         payload, _args = decode(token)
 

data/lib/osso/models/identity_provider.rb

@@ -19,20 +19,14 @@ module Osso
       end
 
       def saml_options
-        attributes.slice(
-          'domain',
-          'idp_cert',
-          'idp_sso_target_url',
-        ).symbolize_keys
+        {
+          domain: domain,
+          idp_sso_target_url: sso_url,
+          idp_cert: sso_cert,
+          issuer: domain,
+        }
       end
 
-      # def saml_options
-      #   raise(
-      #     NoMethodError,
-      #     '#saml_options must be defined on each provider specific subclass',
-      #   )
-      # end
-
       def assertion_consumer_service_url
         [
           ENV.fetch('BASE_URL'),

data/lib/osso/models/oauth_client.rb

@@ -9,11 +9,11 @@ module Osso
       has_many :identity_providers
       has_many :redirect_uris
 
-      before_validation :setup, on: :create
+      before_validation :generate_secrets, on: :create
       validates :name, :secret, presence: true
       validates :identifier, presence: true, uniqueness: true
 
-      def default_redirect_uri
+      def primary_redirect_uri
         redirect_uris.find(&:primary)
       end
 
@@ -21,9 +21,7 @@ module Osso
         redirect_uris.map(&:uri)
       end
 
-      private
-
-      def setup
+      def generate_secrets
         self.identifier = SecureRandom.hex(16)
         self.secret = SecureRandom.hex(32)
       end

data/lib/osso/models/redirect_uri.rb

@@ -4,17 +4,6 @@ module Osso
   module Models
     class RedirectUri < ActiveRecord::Base
       belongs_to :oauth_client
-
-      # TODO
-      # before_validation :set_primary, on: :creaet, :update
-
-      private
-
-      def set_primary
-        if primary_was.true? && primary.false?
-
-        end
-      end
     end
   end
 end

data/lib/osso/routes/admin.rb

@@ -36,6 +36,12 @@ module Osso
 
         erb :admin
       end
+
+      get '/config/:id' do
+        admin_protected!
+
+        erb :admin
+      end
     end
   end
 end

data/lib/osso/routes/auth.rb

@@ -14,20 +14,16 @@ module Osso
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
 
-    def self.internal_redirect?(env)
-      env['HTTP_REFERER']&.match(env['SERVER_NAME'])
-    end
-
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,
         provider_name: 'saml',
         identity_provider_id_regex: UUID_REGEXP,
-        path_prefix: '/saml',
+        path_prefix: '/auth/saml',
         callback_suffix: 'callback',
       ) do |identity_provider_id, _env|
-        provider = Models::IdentityProvider.find(identity_provider_id)
-        provider.saml_options
+        Models::IdentityProvider.find(identity_provider_id).
+          saml_options
       end
     end
 
@@ -36,11 +32,10 @@ module Osso
       # their Identity Provider. We find or create a user record,
       # and then create an authorization code for that user. The user
       # is redirected back to your application with this code
-      # as a URL query param, which you then exhange for an access token
+      # as a URL query param, which you then exchange for an access token.
       post '/saml/:id/callback' do
         provider = Models::IdentityProvider.find(params[:id])
-        oauth_client = provider.oauth_client
-        redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
+        @oauth_client = provider.oauth_client
 
         attributes = env['omniauth.auth']&.
           extra&.
@@ -56,11 +51,29 @@ module Osso
         end
 
         authorization_code = user.authorization_codes.create!(
-          oauth_client: oauth_client,
+          oauth_client: @oauth_client,
           redirect_uri: redirect_uri,
         )
 
-        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+        # Mark IDP as active
+
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}")
+      end
+
+      def redirect_uri
+        return @oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
+
+        session[:osso_oauth_redirect_uri]
+      end
+
+      def provider_state
+        return 'IDP_INITIATED' if valid_idp_initiated_flow
+
+        session[:osso_oauth_state]
+      end
+
+      def valid_idp_initiated_flow
+        !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
       end
     end
   end

data/lib/osso/routes/oauth.rb

@@ -6,7 +6,7 @@ module Osso
   class Oauth < Sinatra::Base
     include AppConfig
     register Sinatra::Namespace
-    # rubocop:disable Metrics/BlockLength
+
     namespace '/oauth' do
       # Send your users here in order to being an authentication
       # flow. This flow follows the authorization grant oauth
@@ -19,11 +19,11 @@ module Osso
 
         Rack::OAuth2::Server::Authorize.new do |req, _res|
           client = Models::OauthClient.find_by!(identifier: req.client_id)
-          req.verify_redirect_uri!(client.redirect_uri_values)
+          session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
         end.call(env)
 
         if @enterprise.single_provider?
-          session[:oauth_state] = params[:state]
+          session[:osso_oauth_state] = params[:state]
           redirect "/auth/saml/#{@enterprise.provider.id}"
         end
 
@@ -35,9 +35,10 @@ module Osso
         return erb :error
       end
 
-      # Exchange an authorization code token for an access token.
-      # In addition to the token, you must include all paramaters
-      # required by Oauth spec: redirect_uri, client ID, and client secret
+      # Exchange an authorization code for an access token.
+      # In addition to the authorization code, you must include all 
+      # paramaters required by OAuth spec: redirect_uri, client ID, 
+      # and client secret
       post '/token' do
         Rack::OAuth2::Server::Token.new do |req, res|
           code = Models::AuthorizationCode.
@@ -60,4 +61,3 @@ module Osso
     end
   end
 end
-# rubocop:enable Metrics/BlockLength

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.11'
+  VERSION = '0.0.3.16'
 end

data/spec/models/identity_provider_spec.rb

@@ -14,4 +14,16 @@ describe Osso::Models::IdentityProvider do
       )
     end
   end
+
+  describe '#saml_options' do
+    it 'returns the required args' do
+      expect(subject.saml_options).
+        to match(
+          domain: subject.domain,
+          idp_cert: subject.sso_cert,
+          idp_sso_target_url: subject.sso_url,
+          issuer: subject.domain,
+        )
+    end
+  end
 end

data/spec/routes/auth_spec.rb

@@ -3,6 +3,31 @@
 require 'spec_helper'
 
 describe Osso::Auth do
+  describe 'get /auth/saml/:uuid' do
+    describe 'for an Okta SAML provider' do
+      let(:enterprise) { create(:enterprise_with_okta) }
+      let(:okta_provider) { enterprise.identity_providers.first }
+      it 'uses omniauth saml' do
+        get("/auth/saml/#{okta_provider.id}")
+
+        expect(last_response).to be_redirect
+        follow_redirect!
+        expect(last_request.url).to match("auth/saml/#{okta_provider.id}")
+      end
+    end
+
+    describe 'for an Azure SAML provider' do
+      let(:enterprise) { create(:enterprise_with_okta) }
+      let(:azure_provider) { enterprise.identity_providers.first }
+      it 'uses omniauth saml' do
+        get("/auth/saml/#{azure_provider.id}")
+
+        expect(last_response).to be_redirect
+        follow_redirect!
+        expect(last_request.url).to match("auth/saml/#{azure_provider.id}")
+      end
+    end
+  end
   describe 'post /auth/saml/:uuid/callback' do
     describe 'for an Okta SAML provider' do
       let(:enterprise) { create(:enterprise_with_okta) }
@@ -38,6 +63,24 @@ describe Osso::Auth do
             )
           end.to change { Osso::Models::AuthorizationCode.count }.by(1)
         end
+
+        describe 'for an IDP initiated login' do
+          it 'redirects with a default state' do
+            mock_saml_omniauth
+
+            post(
+              "/auth/saml/#{okta_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
+              },
+            )
+            expect(last_response).to be_redirect
+            follow_redirect!
+            expect(last_request.url).to match(/.*state=IDP_INITIATED$/)
+          end
+        end
       end
 
       describe 'on subsequent authentications' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3.11
+  version: 0.0.3.16
 platform: ruby
 authors:
 - Sam Bauch
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-27 00:00:00.000000000 Z
+date: 2020-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -226,6 +226,7 @@ email:
 executables:
 - annotate
 - console
+- publish
 - setup
 extensions: []
 extra_rdoc_files: []
@@ -246,6 +247,7 @@ files:
 - Rakefile
 - bin/annotate
 - bin/console
+- bin/publish
 - bin/setup
 - config/database.yml
 - db/schema.rb
@@ -278,6 +280,8 @@ files:
 - lib/osso/graphql/mutations/create_oauth_client.rb
 - lib/osso/graphql/mutations/delete_enterprise_account.rb
 - lib/osso/graphql/mutations/delete_oauth_client.rb
+- lib/osso/graphql/mutations/regenerate_oauth_credentials.rb
+- lib/osso/graphql/mutations/set_redirect_uris.rb
 - lib/osso/graphql/query.rb
 - lib/osso/graphql/resolvers.rb
 - lib/osso/graphql/resolvers/enterprise_account.rb
@@ -294,6 +298,8 @@ files:
 - lib/osso/graphql/types/identity_provider_service.rb
 - lib/osso/graphql/types/identity_provider_status.rb
 - lib/osso/graphql/types/oauth_client.rb
+- lib/osso/graphql/types/redirect_uri.rb
+- lib/osso/graphql/types/redirect_uri_input.rb
 - lib/osso/graphql/types/user.rb
 - lib/osso/helpers/auth.rb
 - lib/osso/helpers/helpers.rb
@@ -348,7 +354,7 @@ homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -364,7 +370,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.0.3
-signing_key:
+signing_key: 
 specification_version: 4
 summary: Main functionality for Osso
 test_files: []