osso 0.0.3.14 → 0.0.3.19

data/spec/graphql/mutations/delete_oauth_client_spec.rb

@@ -29,21 +29,25 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
       it 'deletes the OauthClient' do
         expect { subject }.to change { Osso::Models::OauthClient.count }.by(-1)
       end
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { 'foo.com' }
+      let(:current_context) do
+        { scope: 'end-user', email: 'user@foo.com' }
+      end
 
-      it 'does not create an OauthClient Account' do
+      it 'does not deletes the OauthClient' do
         expect { subject }.to_not(change { Osso::Models::OauthClient.count })
       end
     end

data/spec/graphql/query/enterprise_account_spec.rb

@@ -37,12 +37,17 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         query,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        {
+          scope: 'admin',
+        }
+      end
+
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
@@ -50,7 +55,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
@@ -58,9 +68,14 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for the wrong email scoped user' do
-      let(:current_scope) { 'bar.com' }
-      it 'returns Enterprise Account for domain' do
-        expect(subject['errors']).to be_nil
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: 'foo@bar.com',
+        }
+      end
+      it 'does not return Enterprise Account for domain' do
+        expect(subject['errors']).to_not be_nil
         expect(subject.dig('data', 'enterpriseAccount')).to be_nil
       end
     end

data/spec/graphql/query/enterprise_accounts_spec.rb

@@ -5,7 +5,9 @@ require 'spec_helper'
 describe Osso::GraphQL::Schema do
   describe 'EnterpriseAccounts' do
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
 
       it 'returns paginated Enterprise Accounts' do
         %w[A B C].map do |name|
@@ -44,7 +46,7 @@ describe Osso::GraphQL::Schema do
         response = described_class.execute(
           query,
           variables: { first: 2, sortOrder: 'descending', sortColumn: 'name' },
-          context: { scope: current_scope },
+          context: current_context,
         )
 
         expect(response['errors']).to be_nil

data/spec/graphql/query/identity_provider_spec.rb

@@ -32,12 +32,14 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         query,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
       it 'returns Identity Provider for id' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'identityProvider', 'id')).to eq(id)
@@ -45,8 +47,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { domain }
-
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'identityProvider', 'domain')).to eq(domain)
@@ -54,8 +60,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for the wrong email scoped user' do
-      let(:current_scope) { 'bar.com' }
-
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: 'user@bar.com',
+        }
+      end
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to_not be_empty
         expect(subject.dig('data', 'enterpriseAccount')).to be_nil

data/spec/graphql/query/oauth_clients_spec.rb

@@ -25,12 +25,14 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         query,
         variables: nil,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
 
       it 'returns Oauth Clients' do
         expect(subject['errors']).to be_nil
@@ -38,11 +40,12 @@ describe Osso::GraphQL::Schema do
       end
     end
 
-    describe 'for an email scoped user' do
-      let(:current_scope) { 'foo.com' }
-
-      it 'returns Oauth Clients' do
-        expect(subject['errors']).to be_nil
+    describe 'for an internal scoped user' do
+      let(:current_context) do
+        { scope: 'internal' }
+      end
+      it 'does not return Oauth Clients' do
+        expect(subject['errors']).to_not be_nil
         expect(subject.dig('data', 'oauthClients')).to be_nil
       end
     end

data/spec/helpers/auth_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Helpers::Auth do
+  before do
+    ENV['JWT_HMAC_SECRET'] = 'super-secret'
+  end
+
+  subject(:app) do
+    Class.new { include Osso::Helpers::Auth }
+  end
+
+  describe 'with the token as a header' do
+    before do
+      allow_any_instance_of(subject).to receive(:request) do
+        double('Request', env: { 'admin_token' => token }, post?: false)
+      end
+
+      allow_any_instance_of(subject).to receive(:redirect) do
+        false
+      end
+    end
+
+    describe 'with an admin token' do
+      let(:token) { encode({ scope: 'admin' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to_not be(false)
+      end
+    end
+
+    describe 'with an internal token' do
+      let(:token) { encode({ scope: 'internal' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+
+    describe 'with an end-user token' do
+      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods for the scoped domain' do
+        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
+      end
+
+      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
+        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
+      end
+
+      it 'halts #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to be(false)
+      end
+
+      it 'halts #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+  end
+
+  def encode(payload)
+    JWT.encode(
+      payload,
+      ENV['JWT_HMAC_SECRET'],
+      'HS256',
+    )
+  end
+end

data/spec/models/identity_provider_spec.rb

@@ -14,4 +14,16 @@ describe Osso::Models::IdentityProvider do
       )
     end
   end
+
+  describe '#saml_options' do
+    it 'returns the required args' do
+      expect(subject.saml_options).
+        to match(
+          domain: subject.domain,
+          idp_cert: subject.sso_cert,
+          idp_sso_target_url: subject.sso_url,
+          issuer: subject.domain,
+        )
+    end
+  end
 end

data/spec/routes/auth_spec.rb

@@ -63,6 +63,24 @@ describe Osso::Auth do
             )
           end.to change { Osso::Models::AuthorizationCode.count }.by(1)
         end
+
+        describe 'for an IDP initiated login' do
+          it 'redirects with a default state' do
+            mock_saml_omniauth
+
+            post(
+              "/auth/saml/#{okta_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
+              },
+            )
+            expect(last_response).to be_redirect
+            follow_redirect!
+            expect(last_request.url).to match(/.*state=IDP_INITIATED$/)
+          end
+        end
       end
 
       describe 'on subsequent authentications' do

data/spec/routes/oauth_spec.rb

@@ -8,7 +8,10 @@ describe Osso::Oauth do
   describe 'get /oauth/authorize' do
     describe 'with a valid client ID and redirect URI' do
       describe 'for a domain that does not belong to an enterprise' do
-        it '404s' do
+        # TODO: better error handling and test
+        it 'renders an error page' do
+          described_class.set(:views, spec_views)
+
           create(:enterprise_with_okta, domain: 'foo.com')
 
           get(
@@ -19,7 +22,7 @@ describe Osso::Oauth do
             redirect_uri: client.redirect_uri_values.sample,
           )
 
-          expect(last_response.status).to eq(404)
+          expect(last_response.status).to eq(200)
         end
       end
 

data/spec/spec_helper.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require 'simplecov'
+SimpleCov.start
+
 require 'database_cleaner/active_record'
 require 'factory_bot'
 require 'faker'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3.14
+  version: 0.0.3.19
 platform: ruby
 authors:
 - Sam Bauch
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-13 00:00:00.000000000 Z
+date: 2020-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -226,6 +226,7 @@ email:
 executables:
 - annotate
 - console
+- publish
 - setup
 extensions: []
 extra_rdoc_files: []
@@ -246,6 +247,7 @@ files:
 - Rakefile
 - bin/annotate
 - bin/console
+- bin/publish
 - bin/setup
 - config/database.yml
 - db/schema.rb
@@ -268,6 +270,7 @@ files:
 - lib/osso/db/migrate/20200722230116_add_identity_provider_status_enum_and_use_on_identity_providers.rb
 - lib/osso/db/migrate/20200723153750_add_missing_timestamps.rb
 - lib/osso/db/migrate/20200723162228_drop_unneeded_tables.rb
+- lib/osso/db/migrate/20200826201852_create_app_config.rb
 - lib/osso/graphql/.DS_Store
 - lib/osso/graphql/mutation.rb
 - lib/osso/graphql/mutations.rb
@@ -280,13 +283,17 @@ files:
 - lib/osso/graphql/mutations/delete_oauth_client.rb
 - lib/osso/graphql/mutations/regenerate_oauth_credentials.rb
 - lib/osso/graphql/mutations/set_redirect_uris.rb
+- lib/osso/graphql/mutations/update_app_config.rb
 - lib/osso/graphql/query.rb
 - lib/osso/graphql/resolvers.rb
+- lib/osso/graphql/resolvers/base_resolver.rb
 - lib/osso/graphql/resolvers/enterprise_account.rb
 - lib/osso/graphql/resolvers/enterprise_accounts.rb
 - lib/osso/graphql/resolvers/oauth_clients.rb
 - lib/osso/graphql/schema.rb
 - lib/osso/graphql/types.rb
+- lib/osso/graphql/types/admin_user.rb
+- lib/osso/graphql/types/app_config.rb
 - lib/osso/graphql/types/base_connection.rb
 - lib/osso/graphql/types/base_enum.rb
 - lib/osso/graphql/types/base_input_object.rb
@@ -298,13 +305,13 @@ files:
 - lib/osso/graphql/types/oauth_client.rb
 - lib/osso/graphql/types/redirect_uri.rb
 - lib/osso/graphql/types/redirect_uri_input.rb
-- lib/osso/graphql/types/user.rb
 - lib/osso/helpers/auth.rb
 - lib/osso/helpers/helpers.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
 - lib/osso/models/access_token.rb
+- lib/osso/models/app_config.rb
 - lib/osso/models/authorization_code.rb
 - lib/osso/models/enterprise_account.rb
 - lib/osso/models/identity_provider.rb
@@ -338,6 +345,7 @@ files:
 - spec/graphql/query/enterprise_accounts_spec.rb
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
+- spec/helpers/auth_spec.rb
 - spec/models/azure_saml_provider_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/models/okta_saml_provider_spec.rb
@@ -348,11 +356,12 @@ files:
 - spec/spec_helper.rb
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
+- spec/support/views/error.erb
 homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -368,7 +377,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.0.3
-signing_key:
+signing_key: 
 specification_version: 4
 summary: Main functionality for Osso
 test_files: []