osso 0.0.3.13 → 0.0.3.18

data/lib/osso/graphql/types/enterprise_account.rb

@@ -9,7 +9,6 @@ module Osso
         description 'An Account for a company that wishes to use SAML via Osso'
         implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :name, String, null: false
         field :domain, String, null: false
@@ -23,10 +22,6 @@ module Osso
         def identity_providers
           object.identity_providers
         end
-
-        def self.authorized?(object, context)
-          super && (context[:scope] == :admin || object.domain == context[:scope])
-        end
       end
     end
   end

data/lib/osso/graphql/types/identity_provider.rb

@@ -7,9 +7,7 @@ module Osso
     module Types
       class IdentityProvider < Types::BaseObject
         description 'Represents a SAML based IDP instance for an EnterpriseAccount'
-        implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :enterprise_account_id, ID, null: false
         field :service, Types::IdentityProviderService, null: true
@@ -23,10 +21,6 @@ module Osso
         def documentation_pdf_url
           ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
         end
-
-        def self.authorized?(object, context)
-          super && (context[:scope] == :admin || object.domain == context[:scope])
-        end
       end
     end
   end

data/lib/osso/graphql/types/oauth_client.rb

@@ -7,9 +7,7 @@ module Osso
     module Types
       class OauthClient < Types::BaseObject
         description 'An OAuth client used to consume Osso SAML users'
-        implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :name, String, null: false
         field :client_id, String, null: false
@@ -24,8 +22,8 @@ module Osso
           object.secret
         end
 
-        def self.authorized?(object, context)
-          super && context[:scope] == :admin
+        def self.authorized?(_object, context)
+          admin_authorized?(context)
         end
       end
     end

data/lib/osso/graphql/types/redirect_uri.rb

@@ -7,15 +7,13 @@ module Osso
     module Types
       class RedirectUri < Types::BaseObject
         description 'An allowed redirect URI for an OauthClient'
-        implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :uri, String, null: false
         field :primary, Boolean, null: false
 
-        def self.authorized?(object, context)
-          super && context[:scope] == :admin
+        def self.authorized?(_object, context)
+          context[:scope] == 'admin'
         end
       end
     end

data/lib/osso/helpers/auth.rb

@@ -3,10 +3,21 @@
 module Osso
   module Helpers
     module Auth
-      attr_accessor :current_scope
+      END_USER_SCOPE = 'end-user'
+      INTERNAL_SCOPE = 'internal'
+      ADMIN_SCOPE    = 'admin'
+
+      attr_accessor :current_user
+
+      def token_protected!
+        decode(token)
+      rescue JWT::DecodeError
+        halt 401
+      end
 
       def enterprise_protected!(domain = nil)
         return if admin_authorized?
+        return if internal_authorized?
         return if enterprise_authorized?(domain)
 
         halt 401 if request.post?
@@ -14,14 +25,26 @@ module Osso
         redirect ENV['JWT_URL']
       end
 
-      # use client id in payload to restrict customer
-      # users from accessing dev?
-      def enterprise_authorized?(_domain)
-        payload, _args = decode(token)
+      def enterprise_authorized?(domain)
+        decode(token)
+
+        @current_user[:scope] == END_USER_SCOPE &&
+          @current_user[:email].split('@')[1] == domain
+      rescue JWT::DecodeError
+        false
+      end
+
+      def internal_protected!
+        return if admin_authorized?
+        return if internal_authorized?
+
+        redirect ENV['JWT_URL']
+      end
 
-        @current_scope = payload['scope']
+      def internal_authorized?
+        decode(token)
 
-        true
+        @current_user[:scope] == INTERNAL_SCOPE
       rescue JWT::DecodeError
         false
       end
@@ -33,14 +56,9 @@ module Osso
       end
 
       def admin_authorized?
-        payload, _args = decode(token)
-
-        if payload['scope'] == 'admin'
-          @current_scope = :admin
-          return true
-        end
+        decode(token)
 
-        false
+        @current_user[:scope] == ADMIN_SCOPE
       rescue JWT::DecodeError
         false
       end
@@ -60,12 +78,14 @@ module Osso
       end
 
       def decode(token)
-        JWT.decode(
+        payload, _args = JWT.decode(
           token,
           ENV['JWT_HMAC_SECRET'],
           true,
           { algorithm: 'HS256' },
         )
+
+        @current_user = payload.symbolize_keys
       end
     end
   end

data/lib/osso/lib/route_map.rb

@@ -11,12 +11,12 @@ module Osso
         use Osso::Oauth
 
         post '/graphql' do
-          enterprise_protected!
+          token_protected!
 
           result = Osso::GraphQL::Schema.execute(
             params[:query],
             variables: params[:variables],
-            context: { scope: current_scope },
+            context: current_user.symbolize_keys,
           )
 
           json result

data/lib/osso/models/identity_provider.rb

@@ -19,20 +19,14 @@ module Osso
       end
 
       def saml_options
-        attributes.slice(
-          'domain',
-          'idp_cert',
-          'idp_sso_target_url',
-        ).symbolize_keys
+        {
+          domain: domain,
+          idp_sso_target_url: sso_url,
+          idp_cert: sso_cert,
+          issuer: domain,
+        }
       end
 
-      # def saml_options
-      #   raise(
-      #     NoMethodError,
-      #     '#saml_options must be defined on each provider specific subclass',
-      #   )
-      # end
-
       def assertion_consumer_service_url
         [
           ENV.fetch('BASE_URL'),

data/lib/osso/models/oauth_client.rb

@@ -5,6 +5,7 @@ module Osso
   module Models
     class OauthClient < ActiveRecord::Base
       has_many :access_tokens
+      has_many :enterprise_accounts
       has_many :refresh_tokens
       has_many :identity_providers
       has_many :redirect_uris

data/lib/osso/models/redirect_uri.rb

@@ -4,17 +4,6 @@ module Osso
   module Models
     class RedirectUri < ActiveRecord::Base
       belongs_to :oauth_client
-
-      # TODO
-      # before_validation :set_primary, on: :creaet, :update
-
-      private
-
-      def set_primary
-        if primary_was.true? && primary.false?
-
-        end
-      end
     end
   end
 end

data/lib/osso/routes/admin.rb

@@ -14,13 +14,13 @@ module Osso
 
     namespace '/admin' do
       get '' do
-        admin_protected!
+        internal_protected!
 
         erb :admin
       end
 
       get '/enterprise' do
-        admin_protected!
+        internal_protected!
 
         erb :admin
       end

data/lib/osso/routes/auth.rb

@@ -14,10 +14,6 @@ module Osso
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
 
-    def self.internal_redirect?(env)
-      env['HTTP_REFERER']&.match(env['SERVER_NAME'])
-    end
-
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,
@@ -26,21 +22,24 @@ module Osso
         path_prefix: '/auth/saml',
         callback_suffix: 'callback',
       ) do |identity_provider_id, _env|
-        provider = Models::IdentityProvider.find(identity_provider_id)
-        provider.saml_options
+        Models::IdentityProvider.find(identity_provider_id).
+          saml_options
       end
     end
 
-    namespace '/auth' do
+    namespace '/auth' do # rubocop:disable Metrics/BlockLength
+      get '/failure' do
+        @error = params[:message]
+        erb :error
+      end
       # Enterprise users are sent here after authenticating against
       # their Identity Provider. We find or create a user record,
       # and then create an authorization code for that user. The user
       # is redirected back to your application with this code
-      # as a URL query param, which you then exhange for an access token
+      # as a URL query param, which you then exchange for an access token.
       post '/saml/:id/callback' do
         provider = Models::IdentityProvider.find(params[:id])
-        oauth_client = provider.oauth_client
-        redirect_uri = env['redirect_uri'] || oauth_client.primary_redirect_uri.uri
+        @oauth_client = provider.oauth_client
 
         attributes = env['omniauth.auth']&.
           extra&.
@@ -56,11 +55,29 @@ module Osso
         end
 
         authorization_code = user.authorization_codes.create!(
-          oauth_client: oauth_client,
+          oauth_client: @oauth_client,
           redirect_uri: redirect_uri,
         )
 
-        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+        # Mark IDP as active
+
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}")
+      end
+
+      def redirect_uri
+        return @oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
+
+        session[:osso_oauth_redirect_uri]
+      end
+
+      def provider_state
+        return @provider_state = 'IDP_INITIATED' if valid_idp_initiated_flow
+
+        session.delete(:osso_oauth_state)
+      end
+
+      def valid_idp_initiated_flow
+        !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
       end
     end
   end

data/lib/osso/routes/oauth.rb

@@ -6,38 +6,45 @@ module Osso
   class Oauth < Sinatra::Base
     include AppConfig
     register Sinatra::Namespace
-    # rubocop:disable Metrics/BlockLength
-    namespace '/oauth' do
+
+    namespace '/oauth' do # rubocop:disable Metrics/BlockLength
       # Send your users here in order to being an authentication
       # flow. This flow follows the authorization grant oauth
       # spec with one exception - you must also pass the domain
-      # of the user who wants to sign in.
+      # of the user who wants to sign in. If the sign in request
+      # is valid, the user is redirected to their Identity Provider.
+      # Once they complete IdP login, they will be returned to the
+      # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        @enterprise = Models::EnterpriseAccount.
-          includes(:identity_providers).
-          find_by!(domain: params[:domain])
-
         Rack::OAuth2::Server::Authorize.new do |req, _res|
           client = Models::OauthClient.find_by!(identifier: req.client_id)
-          req.verify_redirect_uri!(client.redirect_uri_values)
+          session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
+          session[:osso_oauth_state] = params[:state]
         end.call(env)
 
-        if @enterprise.single_provider?
-          session[:oauth_state] = params[:state]
-          redirect "/auth/saml/#{@enterprise.provider.id}"
-        end
+        enterprise = Models::EnterpriseAccount.
+          includes(:identity_providers).
+          find_by!(domain: params[:domain])
+
+        redirect "/auth/saml/#{enterprise.provider.id}" if enterprise.single_provider?
 
         # TODO: multiple provider support
         # erb :multiple_providers
 
       rescue Rack::OAuth2::Server::Authorize::BadRequest => e
         @error = e
-        return erb :error
+        erb :error
+      rescue ActiveRecord::RecordNotFound => e
+        @error = e
+        @error = 'No OAuth Client exists for the provided client_id' if e.model == 'Osso::Models::OauthClient'
+        @error = "No Customer exists with the domain #{params[:domain]}" if e.model == 'Osso::Models::EnterpriseAccount'
+        erb :error
       end
 
-      # Exchange an authorization code token for an access token.
-      # In addition to the token, you must include all paramaters
-      # required by Oauth spec: redirect_uri, client ID, and client secret
+      # Exchange an authorization code for an access token.
+      # In addition to the authorization code, you must include all
+      # paramaters required by OAuth spec: redirect_uri, client ID,
+      # and client secret
       post '/token' do
         Rack::OAuth2::Server::Token.new do |req, res|
           code = Models::AuthorizationCode.
@@ -49,7 +56,8 @@ module Osso
         end.call(env)
       end
 
-      # Use the access token to request a user profile
+      # Use the access token to request a profile for the user who
+      # just logged in. Access tokens are short-lived.
       get '/me' do
         json Models::AccessToken.
           includes(:user).
@@ -60,4 +68,3 @@ module Osso
     end
   end
 end
-# rubocop:enable Metrics/BlockLength

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.13'
+  VERSION = '0.0.3.18'
 end

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -39,12 +39,15 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
+
       it 'configures an identity provider' do
         expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'status')).
           to eq('Configured')
@@ -53,7 +56,12 @@ describe Osso::GraphQL::Schema do
 
     describe 'for an email scoped user' do
       let(:domain) { Faker::Internet.domain_name }
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
       let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account, domain: domain) }
 
@@ -65,7 +73,12 @@ describe Osso::GraphQL::Schema do
 
     describe 'for the wrong email scoped user' do
       let(:domain) { Faker::Internet.domain_name }
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
 
       it 'does not configure an identity provider' do
         expect(subject.dig('errors')).to_not be_empty