osso 0.0.3.14 → 0.0.3.19

data/lib/osso/graphql/resolvers.rb

@@ -7,6 +7,7 @@ module Osso
   end
 end
 
+require_relative 'resolvers/base_resolver'
 require_relative 'resolvers/enterprise_account'
 require_relative 'resolvers/enterprise_accounts'
 require_relative 'resolvers/oauth_clients'

data/lib/osso/graphql/resolvers/base_resolver.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class BaseResolver < ::GraphQL::Schema::Resolver
+        def admin_authorized?
+          context[:scope] == 'admin'
+        end
+
+        def internal_authorized?
+          %w[admin internal].include?(context[:scope])
+        end
+
+        def enterprise_authorized?(domain)
+          context[:scope] == domain
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/enterprise_account.rb

@@ -3,22 +3,12 @@
 module Osso
   module GraphQL
     module Resolvers
-      class EnterpriseAccount < ::GraphQL::Schema::Resolver
+      class EnterpriseAccount < BaseResolver
         type Types::EnterpriseAccount, null: false
 
         def resolve(args)
-          return unless admin? || enterprise_authorized?(args[:domain])
-
           Osso::Models::EnterpriseAccount.find_by(domain: args[:domain])
         end
-
-        def admin?
-          context[:scope] == :admin
-        end
-
-        def enterprise_authorized?(domain)
-          context[:scope] == domain
-        end
       end
     end
   end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -3,11 +3,11 @@
 module Osso
   module GraphQL
     module Resolvers
-      class EnterpriseAccounts < ::GraphQL::Schema::Resolver
+      class EnterpriseAccounts < BaseResolver
         type Types::EnterpriseAccount.connection_type, null: true
 
         def resolve(sort_column: nil, sort_order: nil)
-          return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope])) if context[:scope] != :admin
+          return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope])) unless internal_authorized?
 
           accounts = Osso::Models::EnterpriseAccount
 

data/lib/osso/graphql/resolvers/oauth_clients.rb

@@ -3,11 +3,11 @@
 module Osso
   module GraphQL
     module Resolvers
-      class OAuthClients < ::GraphQL::Schema::Resolver
+      class OAuthClients < BaseResolver
         type [Types::OauthClient], null: true
 
         def resolve
-          return Osso::Models::OauthClient.all if context[:scope] == :admin
+          Osso::Models::OauthClient.all
         end
       end
     end

data/lib/osso/graphql/types.rb

@@ -9,6 +9,8 @@ require_relative 'types/base_connection'
 require_relative 'types/base_object'
 require_relative 'types/base_enum'
 require_relative 'types/base_input_object'
+require_relative 'types/admin_user'
+require_relative 'types/app_config'
 require_relative 'types/identity_provider_service'
 require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'
@@ -16,4 +18,3 @@ require_relative 'types/enterprise_account'
 require_relative 'types/redirect_uri'
 require_relative 'types/redirect_uri_input'
 require_relative 'types/oauth_client'
-require_relative 'types/user'

data/lib/osso/graphql/types/admin_user.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class AdminUser < Types::BaseObject
+        description 'An Admin User of Osso'
+
+        field :id, ID, null: false
+        field :email, String, null: false
+        field :scope, String, null: false
+        field :oauth_client_id, ID, null: true
+
+        def self.authorized?(_object, _context)
+          true
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/app_config.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class AppConfig < Types::BaseObject
+        description 'Configuration values for your application'
+
+        field :id, ID, null: false
+        field :name, String, null: true
+        field :logo_url, String, null: true
+        field :contact_email, String, null: true
+
+        def self.authorized?(_object, context)
+          admin_authorized?(context)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -10,6 +10,28 @@ module Osso
 
         field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false
         field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false
+
+        def self.admin_authorized?(context)
+          context[:scope] == 'admin'
+        end
+
+        def self.internal_authorized?(context)
+          %w[admin internal].include?(context[:scope])
+        end
+
+        def self.enterprise_authorized?(context, domain)
+          return false unless domain
+
+          context[:email].split('@')[1] == domain
+        end
+
+        def self.authorized?(object, context)
+          # we first receive the payload object as a hash, but can depend on the
+          # return type to hide the actual objects non-admins shouldn't see
+          return true if object.class == Hash
+
+          internal_authorized?(context) || enterprise_authorized?(context, object&.domain)
+        end
       end
     end
   end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -9,7 +9,6 @@ module Osso
         description 'An Account for a company that wishes to use SAML via Osso'
         implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :name, String, null: false
         field :domain, String, null: false
@@ -23,10 +22,6 @@ module Osso
         def identity_providers
           object.identity_providers
         end
-
-        def self.authorized?(object, context)
-          super && (context[:scope] == :admin || object.domain == context[:scope])
-        end
       end
     end
   end

data/lib/osso/graphql/types/identity_provider.rb

@@ -7,9 +7,7 @@ module Osso
     module Types
       class IdentityProvider < Types::BaseObject
         description 'Represents a SAML based IDP instance for an EnterpriseAccount'
-        implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :enterprise_account_id, ID, null: false
         field :service, Types::IdentityProviderService, null: true
@@ -23,10 +21,6 @@ module Osso
         def documentation_pdf_url
           ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
         end
-
-        def self.authorized?(object, context)
-          super && (context[:scope] == :admin || object.domain == context[:scope])
-        end
       end
     end
   end

data/lib/osso/graphql/types/oauth_client.rb

@@ -7,9 +7,7 @@ module Osso
     module Types
       class OauthClient < Types::BaseObject
         description 'An OAuth client used to consume Osso SAML users'
-        implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :name, String, null: false
         field :client_id, String, null: false
@@ -24,8 +22,8 @@ module Osso
           object.secret
         end
 
-        def self.authorized?(object, context)
-          super && context[:scope] == :admin
+        def self.authorized?(_object, context)
+          admin_authorized?(context)
         end
       end
     end

data/lib/osso/graphql/types/redirect_uri.rb

@@ -7,15 +7,13 @@ module Osso
     module Types
       class RedirectUri < Types::BaseObject
         description 'An allowed redirect URI for an OauthClient'
-        implements ::GraphQL::Types::Relay::Node
 
-        global_id_field :gid
         field :id, ID, null: false
         field :uri, String, null: false
         field :primary, Boolean, null: false
 
-        def self.authorized?(object, context)
-          super && context[:scope] == :admin
+        def self.authorized?(_object, context)
+          context[:scope] == 'admin'
         end
       end
     end

data/lib/osso/helpers/auth.rb

@@ -3,10 +3,21 @@
 module Osso
   module Helpers
     module Auth
-      attr_accessor :current_scope
+      END_USER_SCOPE = 'end-user'
+      INTERNAL_SCOPE = 'internal'
+      ADMIN_SCOPE    = 'admin'
+
+      attr_accessor :current_user
+
+      def token_protected!
+        decode(token)
+      rescue JWT::DecodeError
+        halt 401
+      end
 
       def enterprise_protected!(domain = nil)
         return if admin_authorized?
+        return if internal_authorized?
         return if enterprise_authorized?(domain)
 
         halt 401 if request.post?
@@ -14,33 +25,42 @@ module Osso
         redirect ENV['JWT_URL']
       end
 
-      # use client id in payload to restrict customer
-      # users from accessing dev?
-      def enterprise_authorized?(_domain)
-        payload, _args = decode(token)
-
-        @current_scope = payload['scope']
+      def internal_protected!
+        return if admin_authorized?
+        return if internal_authorized?
 
-        true
-      rescue JWT::DecodeError
-        false
+        redirect ENV['JWT_URL']
       end
 
       def admin_protected!
-        return if admin_authorized?
+        return true if admin_authorized?
 
         redirect ENV['JWT_URL']
       end
 
-      def admin_authorized?
-        payload, _args = decode(token)
+      private
 
-        if payload['scope'] == 'admin'
-          @current_scope = :admin
-          return true
-        end
+      def enterprise_authorized?(domain)
+        decode(token)
 
+        @current_user[:scope] == END_USER_SCOPE &&
+          @current_user[:email].split('@')[1] == domain
+      rescue JWT::DecodeError
         false
+      end
+
+      def internal_authorized?
+        decode(token)
+
+        @current_user[:scope] == INTERNAL_SCOPE
+      rescue JWT::DecodeError
+        false
+      end
+
+      def admin_authorized?
+        decode(token)
+
+        @current_user[:scope] == ADMIN_SCOPE
       rescue JWT::DecodeError
         false
       end
@@ -60,12 +80,14 @@ module Osso
       end
 
       def decode(token)
-        JWT.decode(
+        payload, _args = JWT.decode(
           token,
           ENV['JWT_HMAC_SECRET'],
           true,
           { algorithm: 'HS256' },
         )
+
+        @current_user = payload.symbolize_keys
       end
     end
   end

data/lib/osso/lib/route_map.rb

@@ -11,12 +11,12 @@ module Osso
         use Osso::Oauth
 
         post '/graphql' do
-          enterprise_protected!
+          token_protected!
 
           result = Osso::GraphQL::Schema.execute(
             params[:query],
             variables: params[:variables],
-            context: { scope: current_scope },
+            context: current_user.symbolize_keys,
           )
 
           json result

data/lib/osso/models/app_config.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class AppConfig < ::ActiveRecord::Base
+      validate :limit_to_one, on: :create
+
+      def self.find
+        first
+      end
+
+      private
+
+      def limit_to_one
+        return if Osso::Models::AppConfig.count.zero?
+
+        errors[:base] << 'AppConfig already exists'
+      end
+    end
+  end
+end
+
+# == Schema Information
+#
+# Table name: app_configs
+#
+#  id            :uuid             not null, primary key
+#  contact_email :string
+#  logo_url      :string
+#  name          :string
+#  created_at    :datetime         not null
+#  updated_at    :datetime         not null
+#

data/lib/osso/models/identity_provider.rb

@@ -19,20 +19,14 @@ module Osso
       end
 
       def saml_options
-        attributes.slice(
-          'domain',
-          'idp_cert',
-          'idp_sso_target_url',
-        ).symbolize_keys
+        {
+          domain: domain,
+          idp_sso_target_url: sso_url,
+          idp_cert: sso_cert,
+          issuer: domain,
+        }
       end
 
-      # def saml_options
-      #   raise(
-      #     NoMethodError,
-      #     '#saml_options must be defined on each provider specific subclass',
-      #   )
-      # end
-
       def assertion_consumer_service_url
         [
           ENV.fetch('BASE_URL'),

data/lib/osso/models/models.rb

@@ -10,6 +10,7 @@ module Osso
 end
 
 require_relative 'access_token'
+require_relative 'app_config'
 require_relative 'authorization_code'
 require_relative 'enterprise_account'
 require_relative 'oauth_client'

data/lib/osso/models/oauth_client.rb

@@ -5,6 +5,7 @@ module Osso
   module Models
     class OauthClient < ActiveRecord::Base
       has_many :access_tokens
+      has_many :enterprise_accounts
       has_many :refresh_tokens
       has_many :identity_providers
       has_many :redirect_uris