osso 0.0.3.13 → 0.0.3.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f73668d92fba6a919487f77d474b948af28e79b33d60a1c1e2cec8104b0dcff
-  data.tar.gz: f736cdc806facf653635a037f8b9abb8202cda2e811b3b75a2dc52332b12ddab
+  metadata.gz: 6b1068b7192ca709b9ba61cccaae62a9d98b350c756f88890f48b7fe2f7e4780
+  data.tar.gz: c9b499428182dc6c920624fdbcd36c2e0d3b5a14e83259d95b506c3bbbf2efad
 SHA512:
-  metadata.gz: 3ea4d47b42b9d2e0ac48833e37ed3375d41d60eefac31166ba81dd86ae3b38f059518beeae625324af095f9c4da4433c83aefd92cb7038cc5e924293e26956e4
-  data.tar.gz: 36969b24b9047a0ab3920e206590697083a314618765dbe7352a5563b4bd93aaca7b50524f442eb994052db594393500a4a157a527d483049f49765367495b39
+  metadata.gz: 49a87999664fb1d809ced917bbd85c37e69c995c1e287683d0b84b3bbc97b9c24a19b31ffc0225a21c88fec9caa059b2b3bddd0d7b2e37480d7e2f92d0651cb9
+  data.tar.gz: 7a94be7b14bdb164d4f18fab52c9f7453f79e2547cfff606aa7ae854b281ac03017e176ea1b697130bc4a0a5191c31519f94aab974ebcd56a69ddc228e67eee9

data/.buildkite/pipeline.yml

@@ -5,4 +5,11 @@ steps:
       - bundle exec rake db:drop
       - bundle exec rake db:create
       - RACK_ENV=test bundle exec rake db:migrate
-      - bundle exec rspec
+      - bundle exec rspec
+  
+  - block: ":rubygems: Publish :red_button:"
+    branches: "main"
+  
+  - name: "Push :rubygems:"
+    commands: "./bin/publish"
+    branches: "main"

data/.rubocop.yml

@@ -1,4 +1,5 @@
 AllCops:
+  TargetRubyVersion: 2.6.0
   Exclude:
     - db/**/*
     - lib/osso/db/**/*

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.3.13)
+    osso (0.0.3.18)
       activesupport (>= 6.0.3.2)
       graphql
       jwt
@@ -66,7 +66,7 @@ GEM
     method_source (1.0.0)
     mini_portile2 (2.4.0)
     minitest (5.14.1)
-    multi_json (1.14.1)
+    multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
     nokogiri (1.10.9)

data/bin/publish

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Scriptacular - gemify.sh
+# Create a Ruby gem and push it to rubygems.org
+# Copyright 2013 Christopher Simpkins
+# MIT License
+
+GEM_NAME="osso-rb"
+GEMSPEC_SUFFIX=".gemspec"
+
+# run the gem build and parse for the gem release filename
+GEM_BUILD_NAME=$(gem build "$GEM_NAME$GEMSPEC_SUFFIX" |  awk '/File/ {print $2}' -)
+
+if [ -z "$GEM_BUILD_NAME" ]; then
+  echo "The gem build failed." >&2
+  exit 1
+fi
+
+gem push $GEM_BUILD_NAME

data/lib/osso/graphql/mutation.rb

@@ -6,16 +6,20 @@ module Osso
   module GraphQL
     module Types
       class MutationType < BaseObject
-        field :add_redirect_uris_to_oauth_client, mutation: Mutations::AddRedirectUrisToOauthClient, null: false
         field :configure_identity_provider, mutation: Mutations::ConfigureIdentityProvider, null: true
         field :create_identity_provider, mutation: Mutations::CreateIdentityProvider
         field :create_enterprise_account, mutation: Mutations::CreateEnterpriseAccount
         field :create_oauth_client, mutation: Mutations::CreateOauthClient
         field :delete_enterprise_account, mutation: Mutations::DeleteEnterpriseAccount
         field :delete_oauth_client, mutation: Mutations::DeleteOauthClient
-        field :delete_redirect_uri, mutation: Mutations::DeleteRedirectUri
         field :set_redirect_uris, mutation: Mutations::SetRedirectUris
         field :regenerate_oauth_credentials, mutation: Mutations::RegenerateOauthCredentials
+
+        def self.authorized?(_object, _context)
+          # mutations are prevented from executing with ready? so
+          # its a bit odd that this hides it
+          true
+        end
       end
     end
   end

data/lib/osso/graphql/mutations/base_mutation.rb

@@ -15,13 +15,26 @@ module Osso
           error.merge(data: nil)
         end
 
-        def ready?(enterprise_account_id: nil, domain: nil, identity_provider_id: nil, **args)
-          return true if context[:scope] == :admin
+        def ready?(**args)
+          return true if internal_ready?
 
-          domain ||= account_domain(enterprise_account_id) || provider_domain(identity_provider_id)
-          return true if domain == context[:scope]
+          return true if domain_ready?(args[:domain] || domain(**args))
 
-          raise ::GraphQL::ExecutionError, "This user lacks the scope to mutate records belonging to #{args[:domain]}"
+          raise ::GraphQL::ExecutionError, 'This user lacks the permission to make the requested changes'
+        end
+
+        def admin_ready?
+          context[:scope] == 'admin'
+        end
+
+        def internal_ready?
+          return true if admin_ready?
+
+          context[:scope] == 'internal'
+        end
+
+        def domain_ready?(domain)
+          context[:email].split('@')[1] == domain
         end
 
         def account_domain(id)

data/lib/osso/graphql/mutations/configure_identity_provider.rb

@@ -13,22 +13,20 @@ module Osso
         field :identity_provider, Types::IdentityProvider, null: false
         field :errors, [String], null: false
 
-        def resolve(id:, **args)
-          provider = Osso::Models::IdentityProvider.find(id)
+        def resolve(**args)
+          provider = identity_provider(**args)
 
           return response_data(identity_provider: provider) if provider.update(args)
 
-          response_error(errors: provder.errors.messages)
+          response_error(errors: provider.errors.messages)
         end
 
-        def ready?(id:, **_args)
-          return true if context[:scope] == :admin
-
-          domain = Osso::Models::IdentityProvider.find(id)&.domain
-
-          return true if domain == context[:scope]
+        def domain(**args)
+          identity_provider(**args)&.domain
+        end
 
-          raise ::GraphQL::ExecutionError, "This user lacks the scope to mutate records belonging to #{domain}"
+        def identity_provider(id:, **_args)
+          @identity_provider ||= Osso::Models::IdentityProvider.find(id)
         end
       end
     end

data/lib/osso/graphql/mutations/create_enterprise_account.rb

@@ -8,12 +8,14 @@ module Osso
 
         argument :domain, String, required: true
         argument :name, String, required: true
+        argument :oauth_client_id, ID, required: false
 
         field :enterprise_account, Types::EnterpriseAccount, null: false
         field :errors, [String], null: false
 
         def resolve(**args)
           enterprise_account = Osso::Models::EnterpriseAccount.new(args)
+          enterprise_account.oauth_client_id ||= context[:oauth_client_id]
 
           return response_data(enterprise_account: enterprise_account) if enterprise_account.save
 

data/lib/osso/graphql/mutations/create_identity_provider.rb

@@ -12,18 +12,27 @@ module Osso
         field :identity_provider, Types::IdentityProvider, null: false
         field :errors, [String], null: false
 
-        def resolve(enterprise_account_id:, service: nil)
-          enterprise_account = Osso::Models::EnterpriseAccount.find(enterprise_account_id)
-          identity_provider = enterprise_account.identity_providers.build(
-            enterprise_account_id: enterprise_account_id,
+        def resolve(service: nil, **args)
+          customer = enterprise_account(**args)
+
+          identity_provider = customer.identity_providers.build(
             service: service,
-            domain: enterprise_account.domain,
+            domain: customer.domain,
+            oauth_client_id: customer.oauth_client_id,
           )
 
           return response_data(identity_provider: identity_provider) if identity_provider.save
 
           response_error(errors: identity_provider.errors.full_messages)
         end
+
+        def domain(**args)
+          enterprise_account(**args)&.domain
+        end
+
+        def enterprise_account(enterprise_account_id:, **_args)
+          @enterprise_account ||= Osso::Models::EnterpriseAccount.find(enterprise_account_id)
+        end
       end
     end
   end

data/lib/osso/graphql/mutations/create_oauth_client.rb

@@ -20,9 +20,7 @@ module Osso
         end
 
         def ready?(*)
-          return true if context[:scope] == :admin
-
-          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+          admin_ready?
         end
       end
     end

data/lib/osso/graphql/mutations/delete_enterprise_account.rb

@@ -11,22 +11,20 @@ module Osso
         field :enterprise_account, Types::EnterpriseAccount, null: true
         field :errors, [String], null: false
 
-        def resolve(id:)
-          enterprise_account = Osso::Models::EnterpriseAccount.find(id)
-
-          return response_data(enterprise_account: nil) if enterprise_account.destroy
-
-          response_error(errors: enterprise_account.errors.full_messages)
+        def enterprise_account(id:, **_args)
+          @enterprise_account ||= Osso::Models::EnterpriseAccount.find(id)
         end
 
-        def ready?(id:)
-          return true if context[:scope] == :admin
+        def resolve(**args)
+          customer = enterprise_account(**args)
 
-          domain = account_domain(id)
+          return response_data(enterprise_account: nil) if customer.destroy
 
-          return true if domain == context[:scope]
+          response_error(errors: customer.errors.full_messages)
+        end
 
-          raise ::GraphQL::ExecutionError, "This user lacks the scope to mutate records belonging to #{domain}"
+        def domain(**args)
+          enterprise_account(**args).domain
         end
       end
     end

data/lib/osso/graphql/mutations/delete_oauth_client.rb

@@ -20,9 +20,7 @@ module Osso
         end
 
         def ready?(*)
-          return true if context[:scope] == :admin
-
-          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+          admin_ready?
         end
       end
     end

data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb

@@ -21,9 +21,7 @@ module Osso
         end
 
         def ready?(*)
-          return true if context[:scope] == :admin
-
-          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+          admin_ready?
         end
       end
     end

data/lib/osso/graphql/mutations/set_redirect_uris.rb

@@ -24,14 +24,12 @@ module Osso
         end
 
         def ready?(*)
-          return true if context[:scope] == :admin
-
-          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+          admin_ready?
         end
 
         def update_existing(oauth_client, redirect_uris)
           oauth_client.redirect_uris.each do |redirect|
-            updating_index = redirect_uris.index{ |incoming| incoming[:id] == redirect.id }
+            updating_index = redirect_uris.index { |incoming| incoming[:id] == redirect.id }
 
             if updating_index
               updating = redirect_uris.delete_at(updating_index)

data/lib/osso/graphql/query.rb

@@ -32,6 +32,13 @@ module Osso
         ) do
           argument :id, ID, required: true
         end
+
+        field(
+          :current_user,
+          Types::AdminUser,
+          null: false,
+          resolve: ->(_obj, _args, context) { context.to_h },
+        )
       end
     end
   end

data/lib/osso/graphql/resolvers.rb

@@ -7,6 +7,7 @@ module Osso
   end
 end
 
+require_relative 'resolvers/base_resolver'
 require_relative 'resolvers/enterprise_account'
 require_relative 'resolvers/enterprise_accounts'
 require_relative 'resolvers/oauth_clients'

data/lib/osso/graphql/resolvers/base_resolver.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class BaseResolver < ::GraphQL::Schema::Resolver
+        def admin_authorized?
+          context[:scope] == 'admin'
+        end
+
+        def internal_authorized?
+          %w[admin internal].include?(context[:scope])
+        end
+
+        def enterprise_authorized?(domain)
+          context[:scope] == domain
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/enterprise_account.rb

@@ -3,22 +3,12 @@
 module Osso
   module GraphQL
     module Resolvers
-      class EnterpriseAccount < ::GraphQL::Schema::Resolver
+      class EnterpriseAccount < BaseResolver
         type Types::EnterpriseAccount, null: false
 
         def resolve(args)
-          return unless admin? || enterprise_authorized?(args[:domain])
-
           Osso::Models::EnterpriseAccount.find_by(domain: args[:domain])
         end
-
-        def admin?
-          context[:scope] == :admin
-        end
-
-        def enterprise_authorized?(domain)
-          context[:scope] == domain
-        end
       end
     end
   end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -3,11 +3,11 @@
 module Osso
   module GraphQL
     module Resolvers
-      class EnterpriseAccounts < ::GraphQL::Schema::Resolver
+      class EnterpriseAccounts < BaseResolver
         type Types::EnterpriseAccount.connection_type, null: true
 
         def resolve(sort_column: nil, sort_order: nil)
-          return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope])) if context[:scope] != :admin
+          return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope])) unless internal_authorized?
 
           accounts = Osso::Models::EnterpriseAccount
 

data/lib/osso/graphql/resolvers/oauth_clients.rb

@@ -3,11 +3,11 @@
 module Osso
   module GraphQL
     module Resolvers
-      class OAuthClients < ::GraphQL::Schema::Resolver
+      class OAuthClients < BaseResolver
         type [Types::OauthClient], null: true
 
         def resolve
-          return Osso::Models::OauthClient.all if context[:scope] == :admin
+          Osso::Models::OauthClient.all
         end
       end
     end

data/lib/osso/graphql/types.rb

@@ -9,6 +9,7 @@ require_relative 'types/base_connection'
 require_relative 'types/base_object'
 require_relative 'types/base_enum'
 require_relative 'types/base_input_object'
+require_relative 'types/admin_user'
 require_relative 'types/identity_provider_service'
 require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'
@@ -16,4 +17,3 @@ require_relative 'types/enterprise_account'
 require_relative 'types/redirect_uri'
 require_relative 'types/redirect_uri_input'
 require_relative 'types/oauth_client'
-require_relative 'types/user'

data/lib/osso/graphql/types/admin_user.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class AdminUser < Types::BaseObject
+        description 'An Admin User of Osso'
+
+        field :id, ID, null: false
+        field :email, String, null: false
+        field :scope, String, null: false
+        field :oauth_client_id, ID, null: true
+
+        def self.authorized?(_object, _context)
+          true
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -10,6 +10,28 @@ module Osso
 
         field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false
         field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false
+
+        def self.admin_authorized?(context)
+          context[:scope] == 'admin'
+        end
+
+        def self.internal_authorized?(context)
+          %w[admin internal].include?(context[:scope])
+        end
+
+        def self.enterprise_authorized?(context, domain)
+          return false unless domain
+
+          context[:email].split('@')[1] == domain
+        end
+
+        def self.authorized?(object, context)
+          # we first receive the payload object as a hash, but can depend on the
+          # return type to hide the actual objects non-admins shouldn't see
+          return true if object.class == Hash
+
+          internal_authorized?(context) || enterprise_authorized?(context, object&.domain)
+        end
       end
     end
   end