osso 0.0.3.16 → 0.0.3.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +1 -0
- data/Gemfile.lock +1 -1
- data/lib/osso/graphql/mutation.rb +6 -0
- data/lib/osso/graphql/mutations/base_mutation.rb +18 -5
- data/lib/osso/graphql/mutations/configure_identity_provider.rb +8 -10
- data/lib/osso/graphql/mutations/create_enterprise_account.rb +2 -0
- data/lib/osso/graphql/mutations/create_identity_provider.rb +14 -5
- data/lib/osso/graphql/mutations/create_oauth_client.rb +1 -3
- data/lib/osso/graphql/mutations/delete_enterprise_account.rb +9 -11
- data/lib/osso/graphql/mutations/delete_oauth_client.rb +1 -3
- data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb +1 -3
- data/lib/osso/graphql/mutations/set_redirect_uris.rb +1 -3
- data/lib/osso/graphql/query.rb +7 -0
- data/lib/osso/graphql/resolvers.rb +1 -0
- data/lib/osso/graphql/resolvers/base_resolver.rb +21 -0
- data/lib/osso/graphql/resolvers/enterprise_account.rb +1 -11
- data/lib/osso/graphql/resolvers/enterprise_accounts.rb +2 -2
- data/lib/osso/graphql/resolvers/oauth_clients.rb +2 -2
- data/lib/osso/graphql/types.rb +1 -1
- data/lib/osso/graphql/types/admin_user.rb +22 -0
- data/lib/osso/graphql/types/base_object.rb +22 -0
- data/lib/osso/graphql/types/enterprise_account.rb +0 -5
- data/lib/osso/graphql/types/identity_provider.rb +0 -6
- data/lib/osso/graphql/types/oauth_client.rb +2 -4
- data/lib/osso/graphql/types/redirect_uri.rb +2 -4
- data/lib/osso/helpers/auth.rb +34 -15
- data/lib/osso/lib/route_map.rb +2 -2
- data/lib/osso/models/oauth_client.rb +1 -0
- data/lib/osso/routes/admin.rb +2 -2
- data/lib/osso/routes/auth.rb +7 -3
- data/lib/osso/routes/oauth.rb +21 -14
- data/lib/osso/version.rb +1 -1
- data/spec/graphql/mutations/configure_identity_provider_spec.rb +17 -4
- data/spec/graphql/mutations/create_enterprise_account_spec.rb +13 -4
- data/spec/graphql/mutations/create_identity_provider_spec.rb +18 -6
- data/spec/graphql/mutations/create_oauth_client_spec.rb +10 -3
- data/spec/graphql/mutations/delete_enterprise_account_spec.rb +18 -4
- data/spec/graphql/mutations/delete_oauth_client_spec.rb +8 -4
- data/spec/graphql/query/enterprise_account_spec.rb +21 -6
- data/spec/graphql/query/enterprise_accounts_spec.rb +4 -2
- data/spec/graphql/query/identity_provider_spec.rb +16 -6
- data/spec/graphql/query/oauth_clients_spec.rb +10 -7
- data/spec/routes/oauth_spec.rb +5 -2
- data/spec/support/views/error.erb +0 -0
- metadata +5 -3
- data/lib/osso/graphql/types/user.rb +0 -17
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b28fb9c155136c0d23356543f5d9ae0b15e551293bf18c4fbd44bd3340e6602e
|
|
4
|
+
data.tar.gz: f5c7495d581f4c27706a3fdeca7618707487308d6bc73d0f2372d4cf8fb1957d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 67543b72337e89ebc7b7c2f80c42df2d8aa4f0c7001959022858f68e72fda5f409627260b614ba2fb1c1afbe51ecdded8449d84137cb2c85eff16225f9e7c387
|
|
7
|
+
data.tar.gz: 69fdf0abd7db72588068ec909c84bf95a19e7b93ace562ce86f24e278dc5b54cbb8c1b49f77a18d8f161542931610a9b9cd1e70cf9b0edb41b6397f49a7b4bbb
|
data/.rubocop.yml
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -14,6 +14,12 @@ module Osso
|
|
|
14
14
|
field :delete_oauth_client, mutation: Mutations::DeleteOauthClient
|
|
15
15
|
field :set_redirect_uris, mutation: Mutations::SetRedirectUris
|
|
16
16
|
field :regenerate_oauth_credentials, mutation: Mutations::RegenerateOauthCredentials
|
|
17
|
+
|
|
18
|
+
def self.authorized?(_object, _context)
|
|
19
|
+
# mutations are prevented from executing with ready? so
|
|
20
|
+
# its a bit odd that this hides it
|
|
21
|
+
true
|
|
22
|
+
end
|
|
17
23
|
end
|
|
18
24
|
end
|
|
19
25
|
end
|
|
@@ -15,13 +15,26 @@ module Osso
|
|
|
15
15
|
error.merge(data: nil)
|
|
16
16
|
end
|
|
17
17
|
|
|
18
|
-
def ready?(
|
|
19
|
-
return true if
|
|
18
|
+
def ready?(**args)
|
|
19
|
+
return true if internal_ready?
|
|
20
20
|
|
|
21
|
-
|
|
22
|
-
return true if domain == context[:scope]
|
|
21
|
+
return true if domain_ready?(args[:domain] || domain(**args))
|
|
23
22
|
|
|
24
|
-
raise ::GraphQL::ExecutionError,
|
|
23
|
+
raise ::GraphQL::ExecutionError, 'This user lacks the permission to make the requested changes'
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def admin_ready?
|
|
27
|
+
context[:scope] == 'admin'
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def internal_ready?
|
|
31
|
+
return true if admin_ready?
|
|
32
|
+
|
|
33
|
+
context[:scope] == 'internal'
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def domain_ready?(domain)
|
|
37
|
+
context[:email].split('@')[1] == domain
|
|
25
38
|
end
|
|
26
39
|
|
|
27
40
|
def account_domain(id)
|
|
@@ -13,22 +13,20 @@ module Osso
|
|
|
13
13
|
field :identity_provider, Types::IdentityProvider, null: false
|
|
14
14
|
field :errors, [String], null: false
|
|
15
15
|
|
|
16
|
-
def resolve(
|
|
17
|
-
provider =
|
|
16
|
+
def resolve(**args)
|
|
17
|
+
provider = identity_provider(**args)
|
|
18
18
|
|
|
19
19
|
return response_data(identity_provider: provider) if provider.update(args)
|
|
20
20
|
|
|
21
|
-
response_error(errors:
|
|
21
|
+
response_error(errors: provider.errors.messages)
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
def
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
domain = Osso::Models::IdentityProvider.find(id)&.domain
|
|
28
|
-
|
|
29
|
-
return true if domain == context[:scope]
|
|
24
|
+
def domain(**args)
|
|
25
|
+
identity_provider(**args)&.domain
|
|
26
|
+
end
|
|
30
27
|
|
|
31
|
-
|
|
28
|
+
def identity_provider(id:, **_args)
|
|
29
|
+
@identity_provider ||= Osso::Models::IdentityProvider.find(id)
|
|
32
30
|
end
|
|
33
31
|
end
|
|
34
32
|
end
|
|
@@ -8,12 +8,14 @@ module Osso
|
|
|
8
8
|
|
|
9
9
|
argument :domain, String, required: true
|
|
10
10
|
argument :name, String, required: true
|
|
11
|
+
argument :oauth_client_id, ID, required: false
|
|
11
12
|
|
|
12
13
|
field :enterprise_account, Types::EnterpriseAccount, null: false
|
|
13
14
|
field :errors, [String], null: false
|
|
14
15
|
|
|
15
16
|
def resolve(**args)
|
|
16
17
|
enterprise_account = Osso::Models::EnterpriseAccount.new(args)
|
|
18
|
+
enterprise_account.oauth_client_id ||= context[:oauth_client_id]
|
|
17
19
|
|
|
18
20
|
return response_data(enterprise_account: enterprise_account) if enterprise_account.save
|
|
19
21
|
|
|
@@ -12,18 +12,27 @@ module Osso
|
|
|
12
12
|
field :identity_provider, Types::IdentityProvider, null: false
|
|
13
13
|
field :errors, [String], null: false
|
|
14
14
|
|
|
15
|
-
def resolve(
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
15
|
+
def resolve(service: nil, **args)
|
|
16
|
+
customer = enterprise_account(**args)
|
|
17
|
+
|
|
18
|
+
identity_provider = customer.identity_providers.build(
|
|
19
19
|
service: service,
|
|
20
|
-
domain:
|
|
20
|
+
domain: customer.domain,
|
|
21
|
+
oauth_client_id: customer.oauth_client_id,
|
|
21
22
|
)
|
|
22
23
|
|
|
23
24
|
return response_data(identity_provider: identity_provider) if identity_provider.save
|
|
24
25
|
|
|
25
26
|
response_error(errors: identity_provider.errors.full_messages)
|
|
26
27
|
end
|
|
28
|
+
|
|
29
|
+
def domain(**args)
|
|
30
|
+
enterprise_account(**args)&.domain
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def enterprise_account(enterprise_account_id:, **_args)
|
|
34
|
+
@enterprise_account ||= Osso::Models::EnterpriseAccount.find(enterprise_account_id)
|
|
35
|
+
end
|
|
27
36
|
end
|
|
28
37
|
end
|
|
29
38
|
end
|
|
@@ -11,22 +11,20 @@ module Osso
|
|
|
11
11
|
field :enterprise_account, Types::EnterpriseAccount, null: true
|
|
12
12
|
field :errors, [String], null: false
|
|
13
13
|
|
|
14
|
-
def
|
|
15
|
-
enterprise_account
|
|
16
|
-
|
|
17
|
-
return response_data(enterprise_account: nil) if enterprise_account.destroy
|
|
18
|
-
|
|
19
|
-
response_error(errors: enterprise_account.errors.full_messages)
|
|
14
|
+
def enterprise_account(id:, **_args)
|
|
15
|
+
@enterprise_account ||= Osso::Models::EnterpriseAccount.find(id)
|
|
20
16
|
end
|
|
21
17
|
|
|
22
|
-
def
|
|
23
|
-
|
|
18
|
+
def resolve(**args)
|
|
19
|
+
customer = enterprise_account(**args)
|
|
24
20
|
|
|
25
|
-
|
|
21
|
+
return response_data(enterprise_account: nil) if customer.destroy
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
response_error(errors: customer.errors.full_messages)
|
|
24
|
+
end
|
|
28
25
|
|
|
29
|
-
|
|
26
|
+
def domain(**args)
|
|
27
|
+
enterprise_account(**args).domain
|
|
30
28
|
end
|
|
31
29
|
end
|
|
32
30
|
end
|
data/lib/osso/graphql/query.rb
CHANGED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Osso
|
|
4
|
+
module GraphQL
|
|
5
|
+
module Resolvers
|
|
6
|
+
class BaseResolver < ::GraphQL::Schema::Resolver
|
|
7
|
+
def admin_authorized?
|
|
8
|
+
context[:scope] == 'admin'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def internal_authorized?
|
|
12
|
+
%w[admin internal].include?(context[:scope])
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def enterprise_authorized?(domain)
|
|
16
|
+
context[:scope] == domain
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -3,22 +3,12 @@
|
|
|
3
3
|
module Osso
|
|
4
4
|
module GraphQL
|
|
5
5
|
module Resolvers
|
|
6
|
-
class EnterpriseAccount <
|
|
6
|
+
class EnterpriseAccount < BaseResolver
|
|
7
7
|
type Types::EnterpriseAccount, null: false
|
|
8
8
|
|
|
9
9
|
def resolve(args)
|
|
10
|
-
return unless admin? || enterprise_authorized?(args[:domain])
|
|
11
|
-
|
|
12
10
|
Osso::Models::EnterpriseAccount.find_by(domain: args[:domain])
|
|
13
11
|
end
|
|
14
|
-
|
|
15
|
-
def admin?
|
|
16
|
-
context[:scope] == :admin
|
|
17
|
-
end
|
|
18
|
-
|
|
19
|
-
def enterprise_authorized?(domain)
|
|
20
|
-
context[:scope] == domain
|
|
21
|
-
end
|
|
22
12
|
end
|
|
23
13
|
end
|
|
24
14
|
end
|
|
@@ -3,11 +3,11 @@
|
|
|
3
3
|
module Osso
|
|
4
4
|
module GraphQL
|
|
5
5
|
module Resolvers
|
|
6
|
-
class EnterpriseAccounts <
|
|
6
|
+
class EnterpriseAccounts < BaseResolver
|
|
7
7
|
type Types::EnterpriseAccount.connection_type, null: true
|
|
8
8
|
|
|
9
9
|
def resolve(sort_column: nil, sort_order: nil)
|
|
10
|
-
return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope]))
|
|
10
|
+
return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope])) unless internal_authorized?
|
|
11
11
|
|
|
12
12
|
accounts = Osso::Models::EnterpriseAccount
|
|
13
13
|
|
|
@@ -3,11 +3,11 @@
|
|
|
3
3
|
module Osso
|
|
4
4
|
module GraphQL
|
|
5
5
|
module Resolvers
|
|
6
|
-
class OAuthClients <
|
|
6
|
+
class OAuthClients < BaseResolver
|
|
7
7
|
type [Types::OauthClient], null: true
|
|
8
8
|
|
|
9
9
|
def resolve
|
|
10
|
-
|
|
10
|
+
Osso::Models::OauthClient.all
|
|
11
11
|
end
|
|
12
12
|
end
|
|
13
13
|
end
|
data/lib/osso/graphql/types.rb
CHANGED
|
@@ -9,6 +9,7 @@ require_relative 'types/base_connection'
|
|
|
9
9
|
require_relative 'types/base_object'
|
|
10
10
|
require_relative 'types/base_enum'
|
|
11
11
|
require_relative 'types/base_input_object'
|
|
12
|
+
require_relative 'types/admin_user'
|
|
12
13
|
require_relative 'types/identity_provider_service'
|
|
13
14
|
require_relative 'types/identity_provider_status'
|
|
14
15
|
require_relative 'types/identity_provider'
|
|
@@ -16,4 +17,3 @@ require_relative 'types/enterprise_account'
|
|
|
16
17
|
require_relative 'types/redirect_uri'
|
|
17
18
|
require_relative 'types/redirect_uri_input'
|
|
18
19
|
require_relative 'types/oauth_client'
|
|
19
|
-
require_relative 'types/user'
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'graphql'
|
|
4
|
+
|
|
5
|
+
module Osso
|
|
6
|
+
module GraphQL
|
|
7
|
+
module Types
|
|
8
|
+
class AdminUser < Types::BaseObject
|
|
9
|
+
description 'An Admin User of Osso'
|
|
10
|
+
|
|
11
|
+
field :id, ID, null: false
|
|
12
|
+
field :email, String, null: false
|
|
13
|
+
field :scope, String, null: false
|
|
14
|
+
field :oauth_client_id, ID, null: true
|
|
15
|
+
|
|
16
|
+
def self.authorized?(_object, _context)
|
|
17
|
+
true
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
@@ -10,6 +10,28 @@ module Osso
|
|
|
10
10
|
|
|
11
11
|
field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false
|
|
12
12
|
field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false
|
|
13
|
+
|
|
14
|
+
def self.admin_authorized?(context)
|
|
15
|
+
context[:scope] == 'admin'
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def self.internal_authorized?(context)
|
|
19
|
+
%w[admin internal].include?(context[:scope])
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def self.enterprise_authorized?(context, domain)
|
|
23
|
+
return false unless domain
|
|
24
|
+
|
|
25
|
+
context[:email].split('@')[1] == domain
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def self.authorized?(object, context)
|
|
29
|
+
# we first receive the payload object as a hash, but can depend on the
|
|
30
|
+
# return type to hide the actual objects non-admins shouldn't see
|
|
31
|
+
return true if object.class == Hash
|
|
32
|
+
|
|
33
|
+
internal_authorized?(context) || enterprise_authorized?(context, object&.domain)
|
|
34
|
+
end
|
|
13
35
|
end
|
|
14
36
|
end
|
|
15
37
|
end
|
|
@@ -9,7 +9,6 @@ module Osso
|
|
|
9
9
|
description 'An Account for a company that wishes to use SAML via Osso'
|
|
10
10
|
implements ::GraphQL::Types::Relay::Node
|
|
11
11
|
|
|
12
|
-
global_id_field :gid
|
|
13
12
|
field :id, ID, null: false
|
|
14
13
|
field :name, String, null: false
|
|
15
14
|
field :domain, String, null: false
|
|
@@ -23,10 +22,6 @@ module Osso
|
|
|
23
22
|
def identity_providers
|
|
24
23
|
object.identity_providers
|
|
25
24
|
end
|
|
26
|
-
|
|
27
|
-
def self.authorized?(object, context)
|
|
28
|
-
super && (context[:scope] == :admin || object.domain == context[:scope])
|
|
29
|
-
end
|
|
30
25
|
end
|
|
31
26
|
end
|
|
32
27
|
end
|
|
@@ -7,9 +7,7 @@ module Osso
|
|
|
7
7
|
module Types
|
|
8
8
|
class IdentityProvider < Types::BaseObject
|
|
9
9
|
description 'Represents a SAML based IDP instance for an EnterpriseAccount'
|
|
10
|
-
implements ::GraphQL::Types::Relay::Node
|
|
11
10
|
|
|
12
|
-
global_id_field :gid
|
|
13
11
|
field :id, ID, null: false
|
|
14
12
|
field :enterprise_account_id, ID, null: false
|
|
15
13
|
field :service, Types::IdentityProviderService, null: true
|
|
@@ -23,10 +21,6 @@ module Osso
|
|
|
23
21
|
def documentation_pdf_url
|
|
24
22
|
ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
|
|
25
23
|
end
|
|
26
|
-
|
|
27
|
-
def self.authorized?(object, context)
|
|
28
|
-
super && (context[:scope] == :admin || object.domain == context[:scope])
|
|
29
|
-
end
|
|
30
24
|
end
|
|
31
25
|
end
|
|
32
26
|
end
|
|
@@ -7,9 +7,7 @@ module Osso
|
|
|
7
7
|
module Types
|
|
8
8
|
class OauthClient < Types::BaseObject
|
|
9
9
|
description 'An OAuth client used to consume Osso SAML users'
|
|
10
|
-
implements ::GraphQL::Types::Relay::Node
|
|
11
10
|
|
|
12
|
-
global_id_field :gid
|
|
13
11
|
field :id, ID, null: false
|
|
14
12
|
field :name, String, null: false
|
|
15
13
|
field :client_id, String, null: false
|
|
@@ -24,8 +22,8 @@ module Osso
|
|
|
24
22
|
object.secret
|
|
25
23
|
end
|
|
26
24
|
|
|
27
|
-
def self.authorized?(
|
|
28
|
-
|
|
25
|
+
def self.authorized?(_object, context)
|
|
26
|
+
admin_authorized?(context)
|
|
29
27
|
end
|
|
30
28
|
end
|
|
31
29
|
end
|
|
@@ -7,15 +7,13 @@ module Osso
|
|
|
7
7
|
module Types
|
|
8
8
|
class RedirectUri < Types::BaseObject
|
|
9
9
|
description 'An allowed redirect URI for an OauthClient'
|
|
10
|
-
implements ::GraphQL::Types::Relay::Node
|
|
11
10
|
|
|
12
|
-
global_id_field :gid
|
|
13
11
|
field :id, ID, null: false
|
|
14
12
|
field :uri, String, null: false
|
|
15
13
|
field :primary, Boolean, null: false
|
|
16
14
|
|
|
17
|
-
def self.authorized?(
|
|
18
|
-
|
|
15
|
+
def self.authorized?(_object, context)
|
|
16
|
+
context[:scope] == 'admin'
|
|
19
17
|
end
|
|
20
18
|
end
|
|
21
19
|
end
|
data/lib/osso/helpers/auth.rb
CHANGED
|
@@ -1,12 +1,22 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require 'pry'
|
|
3
4
|
module Osso
|
|
4
5
|
module Helpers
|
|
5
6
|
module Auth
|
|
6
|
-
|
|
7
|
+
END_USER_SCOPE = 'end-user'
|
|
8
|
+
INTERNAL_SCOPE = 'internal'
|
|
9
|
+
ADMIN_SCOPE = 'admin'
|
|
10
|
+
|
|
11
|
+
attr_accessor :current_user
|
|
12
|
+
|
|
13
|
+
def token_protected!
|
|
14
|
+
decode(token)
|
|
15
|
+
end
|
|
7
16
|
|
|
8
17
|
def enterprise_protected!(domain = nil)
|
|
9
18
|
return if admin_authorized?
|
|
19
|
+
return if internal_authorized?
|
|
10
20
|
return if enterprise_authorized?(domain)
|
|
11
21
|
|
|
12
22
|
halt 401 if request.post?
|
|
@@ -14,14 +24,26 @@ module Osso
|
|
|
14
24
|
redirect ENV['JWT_URL']
|
|
15
25
|
end
|
|
16
26
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
27
|
+
def enterprise_authorized?(domain)
|
|
28
|
+
decode(token)
|
|
29
|
+
|
|
30
|
+
@current_user[:scope] == END_USER_SCOPE &&
|
|
31
|
+
@current_user[:email].split('@')[1] == domain
|
|
32
|
+
rescue JWT::DecodeError
|
|
33
|
+
false
|
|
34
|
+
end
|
|
21
35
|
|
|
22
|
-
|
|
36
|
+
def internal_protected!
|
|
37
|
+
return if admin_authorized?
|
|
38
|
+
return if internal_authorized?
|
|
23
39
|
|
|
24
|
-
|
|
40
|
+
redirect ENV['JWT_URL']
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def internal_authorized?
|
|
44
|
+
decode(token)
|
|
45
|
+
|
|
46
|
+
@current_user[:scope] == INTERNAL_SCOPE
|
|
25
47
|
rescue JWT::DecodeError
|
|
26
48
|
false
|
|
27
49
|
end
|
|
@@ -33,14 +55,9 @@ module Osso
|
|
|
33
55
|
end
|
|
34
56
|
|
|
35
57
|
def admin_authorized?
|
|
36
|
-
|
|
58
|
+
decode(token)
|
|
37
59
|
|
|
38
|
-
|
|
39
|
-
@current_scope = :admin
|
|
40
|
-
return true
|
|
41
|
-
end
|
|
42
|
-
|
|
43
|
-
false
|
|
60
|
+
@current_user[:scope] == ADMIN_SCOPE
|
|
44
61
|
rescue JWT::DecodeError
|
|
45
62
|
false
|
|
46
63
|
end
|
|
@@ -60,12 +77,14 @@ module Osso
|
|
|
60
77
|
end
|
|
61
78
|
|
|
62
79
|
def decode(token)
|
|
63
|
-
JWT.decode(
|
|
80
|
+
payload, _args = JWT.decode(
|
|
64
81
|
token,
|
|
65
82
|
ENV['JWT_HMAC_SECRET'],
|
|
66
83
|
true,
|
|
67
84
|
{ algorithm: 'HS256' },
|
|
68
85
|
)
|
|
86
|
+
|
|
87
|
+
@current_user = payload.symbolize_keys
|
|
69
88
|
end
|
|
70
89
|
end
|
|
71
90
|
end
|
data/lib/osso/lib/route_map.rb
CHANGED
|
@@ -11,12 +11,12 @@ module Osso
|
|
|
11
11
|
use Osso::Oauth
|
|
12
12
|
|
|
13
13
|
post '/graphql' do
|
|
14
|
-
|
|
14
|
+
token_protected!
|
|
15
15
|
|
|
16
16
|
result = Osso::GraphQL::Schema.execute(
|
|
17
17
|
params[:query],
|
|
18
18
|
variables: params[:variables],
|
|
19
|
-
context:
|
|
19
|
+
context: current_user.symbolize_keys,
|
|
20
20
|
)
|
|
21
21
|
|
|
22
22
|
json result
|
data/lib/osso/routes/admin.rb
CHANGED
data/lib/osso/routes/auth.rb
CHANGED
|
@@ -27,7 +27,11 @@ module Osso
|
|
|
27
27
|
end
|
|
28
28
|
end
|
|
29
29
|
|
|
30
|
-
namespace '/auth' do
|
|
30
|
+
namespace '/auth' do # rubocop:disable Metrics/BlockLength
|
|
31
|
+
get '/failure' do
|
|
32
|
+
@error = params[:message]
|
|
33
|
+
erb :error
|
|
34
|
+
end
|
|
31
35
|
# Enterprise users are sent here after authenticating against
|
|
32
36
|
# their Identity Provider. We find or create a user record,
|
|
33
37
|
# and then create an authorization code for that user. The user
|
|
@@ -67,9 +71,9 @@ module Osso
|
|
|
67
71
|
end
|
|
68
72
|
|
|
69
73
|
def provider_state
|
|
70
|
-
return 'IDP_INITIATED' if valid_idp_initiated_flow
|
|
74
|
+
return @provider_state = 'IDP_INITIATED' if valid_idp_initiated_flow
|
|
71
75
|
|
|
72
|
-
session
|
|
76
|
+
session.delete(:osso_oauth_state)
|
|
73
77
|
end
|
|
74
78
|
|
|
75
79
|
def valid_idp_initiated_flow
|
data/lib/osso/routes/oauth.rb
CHANGED
|
@@ -7,37 +7,43 @@ module Osso
|
|
|
7
7
|
include AppConfig
|
|
8
8
|
register Sinatra::Namespace
|
|
9
9
|
|
|
10
|
-
namespace '/oauth' do
|
|
10
|
+
namespace '/oauth' do # rubocop:disable Metrics/BlockLength
|
|
11
11
|
# Send your users here in order to being an authentication
|
|
12
12
|
# flow. This flow follows the authorization grant oauth
|
|
13
13
|
# spec with one exception - you must also pass the domain
|
|
14
|
-
# of the user who wants to sign in.
|
|
14
|
+
# of the user who wants to sign in. If the sign in request
|
|
15
|
+
# is valid, the user is redirected to their Identity Provider.
|
|
16
|
+
# Once they complete IdP login, they will be returned to the
|
|
17
|
+
# redirect_uri with an authorization code parameter.
|
|
15
18
|
get '/authorize' do
|
|
16
|
-
@enterprise = Models::EnterpriseAccount.
|
|
17
|
-
includes(:identity_providers).
|
|
18
|
-
find_by!(domain: params[:domain])
|
|
19
|
-
|
|
20
19
|
Rack::OAuth2::Server::Authorize.new do |req, _res|
|
|
21
20
|
client = Models::OauthClient.find_by!(identifier: req.client_id)
|
|
22
21
|
session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
|
|
22
|
+
session[:osso_oauth_state] = params[:state]
|
|
23
23
|
end.call(env)
|
|
24
24
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
25
|
+
enterprise = Models::EnterpriseAccount.
|
|
26
|
+
includes(:identity_providers).
|
|
27
|
+
find_by!(domain: params[:domain])
|
|
28
|
+
|
|
29
|
+
redirect "/auth/saml/#{enterprise.provider.id}" if enterprise.single_provider?
|
|
29
30
|
|
|
30
31
|
# TODO: multiple provider support
|
|
31
32
|
# erb :multiple_providers
|
|
32
33
|
|
|
33
34
|
rescue Rack::OAuth2::Server::Authorize::BadRequest => e
|
|
34
35
|
@error = e
|
|
35
|
-
|
|
36
|
+
erb :error
|
|
37
|
+
rescue ActiveRecord::RecordNotFound => e
|
|
38
|
+
@error = e
|
|
39
|
+
@error = 'No OAuth Client exists for the provided client_id' if e.model == 'Osso::Models::OauthClient'
|
|
40
|
+
@error = "No Customer exists with the domain #{params[:domain]}" if e.model == 'Osso::Models::EnterpriseAccount'
|
|
41
|
+
erb :error
|
|
36
42
|
end
|
|
37
43
|
|
|
38
44
|
# Exchange an authorization code for an access token.
|
|
39
|
-
# In addition to the authorization code, you must include all
|
|
40
|
-
# paramaters required by OAuth spec: redirect_uri, client ID,
|
|
45
|
+
# In addition to the authorization code, you must include all
|
|
46
|
+
# paramaters required by OAuth spec: redirect_uri, client ID,
|
|
41
47
|
# and client secret
|
|
42
48
|
post '/token' do
|
|
43
49
|
Rack::OAuth2::Server::Token.new do |req, res|
|
|
@@ -50,7 +56,8 @@ module Osso
|
|
|
50
56
|
end.call(env)
|
|
51
57
|
end
|
|
52
58
|
|
|
53
|
-
# Use the access token to request a user
|
|
59
|
+
# Use the access token to request a profile for the user who
|
|
60
|
+
# just logged in. Access tokens are short-lived.
|
|
54
61
|
get '/me' do
|
|
55
62
|
json Models::AccessToken.
|
|
56
63
|
includes(:user).
|
data/lib/osso/version.rb
CHANGED
|
@@ -39,12 +39,15 @@ describe Osso::GraphQL::Schema do
|
|
|
39
39
|
described_class.execute(
|
|
40
40
|
mutation,
|
|
41
41
|
variables: variables,
|
|
42
|
-
context:
|
|
42
|
+
context: current_context,
|
|
43
43
|
)
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
describe 'for an admin user' do
|
|
47
|
-
let(:
|
|
47
|
+
let(:current_context) do
|
|
48
|
+
{ scope: 'admin' }
|
|
49
|
+
end
|
|
50
|
+
|
|
48
51
|
it 'configures an identity provider' do
|
|
49
52
|
expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'status')).
|
|
50
53
|
to eq('Configured')
|
|
@@ -53,7 +56,12 @@ describe Osso::GraphQL::Schema do
|
|
|
53
56
|
|
|
54
57
|
describe 'for an email scoped user' do
|
|
55
58
|
let(:domain) { Faker::Internet.domain_name }
|
|
56
|
-
let(:
|
|
59
|
+
let(:current_context) do
|
|
60
|
+
{
|
|
61
|
+
scope: 'end-user',
|
|
62
|
+
email: "user@#{domain}",
|
|
63
|
+
}
|
|
64
|
+
end
|
|
57
65
|
let(:enterprise_account) { create(:enterprise_account, domain: domain) }
|
|
58
66
|
let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account, domain: domain) }
|
|
59
67
|
|
|
@@ -65,7 +73,12 @@ describe Osso::GraphQL::Schema do
|
|
|
65
73
|
|
|
66
74
|
describe 'for the wrong email scoped user' do
|
|
67
75
|
let(:domain) { Faker::Internet.domain_name }
|
|
68
|
-
let(:
|
|
76
|
+
let(:current_context) do
|
|
77
|
+
{
|
|
78
|
+
scope: 'end-user',
|
|
79
|
+
email: "user@#{domain}",
|
|
80
|
+
}
|
|
81
|
+
end
|
|
69
82
|
|
|
70
83
|
it 'does not configure an identity provider' do
|
|
71
84
|
expect(subject.dig('errors')).to_not be_empty
|
|
@@ -33,12 +33,14 @@ describe Osso::GraphQL::Schema do
|
|
|
33
33
|
described_class.execute(
|
|
34
34
|
mutation,
|
|
35
35
|
variables: variables,
|
|
36
|
-
context:
|
|
36
|
+
context: current_context,
|
|
37
37
|
)
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
describe 'for an admin user' do
|
|
41
|
-
let(:
|
|
41
|
+
let(:current_context) do
|
|
42
|
+
{ scope: 'admin' }
|
|
43
|
+
end
|
|
42
44
|
it 'creates an Enterprise Account' do
|
|
43
45
|
expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
|
|
44
46
|
expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
|
|
@@ -47,7 +49,12 @@ describe Osso::GraphQL::Schema do
|
|
|
47
49
|
end
|
|
48
50
|
|
|
49
51
|
describe 'for an email scoped user' do
|
|
50
|
-
let(:
|
|
52
|
+
let(:current_context) do
|
|
53
|
+
{
|
|
54
|
+
scope: 'end-user',
|
|
55
|
+
email: "user@#{domain}",
|
|
56
|
+
}
|
|
57
|
+
end
|
|
51
58
|
|
|
52
59
|
it 'creates an Enterprise Account' do
|
|
53
60
|
expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
|
|
@@ -56,7 +63,9 @@ describe Osso::GraphQL::Schema do
|
|
|
56
63
|
end
|
|
57
64
|
end
|
|
58
65
|
describe 'for the wrong email scoped user' do
|
|
59
|
-
let(:
|
|
66
|
+
let(:current_context) do
|
|
67
|
+
{ scope: 'end-user', email: 'user@foo.com' }
|
|
68
|
+
end
|
|
60
69
|
|
|
61
70
|
it 'does not create an Enterprise Account' do
|
|
62
71
|
expect { subject }.to_not(change { Osso::Models::EnterpriseAccount.count })
|
|
@@ -25,12 +25,14 @@ describe Osso::GraphQL::Schema do
|
|
|
25
25
|
described_class.execute(
|
|
26
26
|
mutation,
|
|
27
27
|
variables: variables,
|
|
28
|
-
context:
|
|
28
|
+
context: current_context,
|
|
29
29
|
)
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
describe 'for an admin user' do
|
|
33
|
-
let(:
|
|
33
|
+
let(:current_context) do
|
|
34
|
+
{ scope: 'admin' }
|
|
35
|
+
end
|
|
34
36
|
describe 'without a service' do
|
|
35
37
|
let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
|
|
36
38
|
|
|
@@ -54,7 +56,12 @@ describe Osso::GraphQL::Schema do
|
|
|
54
56
|
|
|
55
57
|
describe 'for an email scoped user' do
|
|
56
58
|
let(:domain) { Faker::Internet.domain_name }
|
|
57
|
-
let(:
|
|
59
|
+
let(:current_context) do
|
|
60
|
+
{
|
|
61
|
+
scope: 'end-user',
|
|
62
|
+
email: "user@#{domain}",
|
|
63
|
+
}
|
|
64
|
+
end
|
|
58
65
|
let(:enterprise_account) { create(:enterprise_account, domain: domain) }
|
|
59
66
|
|
|
60
67
|
describe 'without a service' do
|
|
@@ -80,12 +87,17 @@ describe Osso::GraphQL::Schema do
|
|
|
80
87
|
|
|
81
88
|
describe 'for a wrong email scoped user' do
|
|
82
89
|
let(:domain) { Faker::Internet.domain_name }
|
|
83
|
-
let(:
|
|
90
|
+
let(:current_context) do
|
|
91
|
+
{
|
|
92
|
+
scope: 'end-user',
|
|
93
|
+
email: "user@#{domain}",
|
|
94
|
+
}
|
|
95
|
+
end
|
|
84
96
|
let(:enterprise_account) { create(:enterprise_account, domain: domain) }
|
|
85
97
|
let(:target_account) { create(:enterprise_account) }
|
|
86
98
|
|
|
87
99
|
describe 'without a service' do
|
|
88
|
-
let(:variables) { { input: { enterpriseAccountId: target_account.id } } }
|
|
100
|
+
let(:variables) { { input: { enterpriseAccountId: target_account.id, domain: domain } } }
|
|
89
101
|
|
|
90
102
|
it 'does not creates a identity provider' do
|
|
91
103
|
expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
|
|
@@ -93,7 +105,7 @@ describe Osso::GraphQL::Schema do
|
|
|
93
105
|
end
|
|
94
106
|
|
|
95
107
|
describe 'with a service' do
|
|
96
|
-
let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA' } } }
|
|
108
|
+
let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA', domain: domain } } }
|
|
97
109
|
|
|
98
110
|
it 'does not creates a identity provider' do
|
|
99
111
|
expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
|
|
@@ -31,12 +31,14 @@ describe Osso::GraphQL::Schema do
|
|
|
31
31
|
described_class.execute(
|
|
32
32
|
mutation,
|
|
33
33
|
variables: variables,
|
|
34
|
-
context:
|
|
34
|
+
context: current_context,
|
|
35
35
|
)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
describe 'for an admin user' do
|
|
39
|
-
let(:
|
|
39
|
+
let(:current_context) do
|
|
40
|
+
{ scope: 'admin' }
|
|
41
|
+
end
|
|
40
42
|
it 'creates an OauthClient' do
|
|
41
43
|
expect { subject }.to change { Osso::Models::OauthClient.count }.by(1)
|
|
42
44
|
expect(subject.dig('data', 'createOauthClient', 'oauthClient', 'clientId')).
|
|
@@ -45,7 +47,12 @@ describe Osso::GraphQL::Schema do
|
|
|
45
47
|
end
|
|
46
48
|
|
|
47
49
|
describe 'for an email scoped user' do
|
|
48
|
-
let(:
|
|
50
|
+
let(:current_context) do
|
|
51
|
+
{
|
|
52
|
+
scope: 'end-user',
|
|
53
|
+
email: 'user@foo.com',
|
|
54
|
+
}
|
|
55
|
+
end
|
|
49
56
|
|
|
50
57
|
it 'does not create an OauthClient Account' do
|
|
51
58
|
expect { subject }.to_not(change { Osso::Models::OauthClient.count })
|
|
@@ -30,12 +30,15 @@ describe Osso::GraphQL::Schema do
|
|
|
30
30
|
described_class.execute(
|
|
31
31
|
mutation,
|
|
32
32
|
variables: variables,
|
|
33
|
-
context:
|
|
33
|
+
context: current_context,
|
|
34
34
|
)
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
describe 'for an admin user' do
|
|
38
|
-
let(:
|
|
38
|
+
let(:current_context) do
|
|
39
|
+
{ scope: 'admin' }
|
|
40
|
+
end
|
|
41
|
+
|
|
39
42
|
it 'deletes an Enterprise Account' do
|
|
40
43
|
expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(-1)
|
|
41
44
|
expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount')).
|
|
@@ -44,7 +47,12 @@ describe Osso::GraphQL::Schema do
|
|
|
44
47
|
end
|
|
45
48
|
|
|
46
49
|
describe 'for an email scoped user' do
|
|
47
|
-
let(:
|
|
50
|
+
let(:current_context) do
|
|
51
|
+
{
|
|
52
|
+
scope: 'end-user',
|
|
53
|
+
email: "user@#{domain}",
|
|
54
|
+
}
|
|
55
|
+
end
|
|
48
56
|
|
|
49
57
|
it 'deletes the Enterprise Account' do
|
|
50
58
|
expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(-1)
|
|
@@ -52,8 +60,14 @@ describe Osso::GraphQL::Schema do
|
|
|
52
60
|
to be_nil
|
|
53
61
|
end
|
|
54
62
|
end
|
|
63
|
+
|
|
55
64
|
describe 'for the wrong email scoped user' do
|
|
56
|
-
let(:
|
|
65
|
+
let(:current_context) do
|
|
66
|
+
{
|
|
67
|
+
scope: 'end-user',
|
|
68
|
+
email: 'user@foo.com',
|
|
69
|
+
}
|
|
70
|
+
end
|
|
57
71
|
|
|
58
72
|
it 'does not delete the Enterprise Account' do
|
|
59
73
|
expect { subject }.to_not(change { Osso::Models::EnterpriseAccount.count })
|
|
@@ -29,21 +29,25 @@ describe Osso::GraphQL::Schema do
|
|
|
29
29
|
described_class.execute(
|
|
30
30
|
mutation,
|
|
31
31
|
variables: variables,
|
|
32
|
-
context:
|
|
32
|
+
context: current_context,
|
|
33
33
|
)
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
describe 'for an admin user' do
|
|
37
|
-
let(:
|
|
37
|
+
let(:current_context) do
|
|
38
|
+
{ scope: 'admin' }
|
|
39
|
+
end
|
|
38
40
|
it 'deletes the OauthClient' do
|
|
39
41
|
expect { subject }.to change { Osso::Models::OauthClient.count }.by(-1)
|
|
40
42
|
end
|
|
41
43
|
end
|
|
42
44
|
|
|
43
45
|
describe 'for an email scoped user' do
|
|
44
|
-
let(:
|
|
46
|
+
let(:current_context) do
|
|
47
|
+
{ scope: 'end-user', email: 'user@foo.com' }
|
|
48
|
+
end
|
|
45
49
|
|
|
46
|
-
it 'does not
|
|
50
|
+
it 'does not deletes the OauthClient' do
|
|
47
51
|
expect { subject }.to_not(change { Osso::Models::OauthClient.count })
|
|
48
52
|
end
|
|
49
53
|
end
|
|
@@ -37,12 +37,17 @@ describe Osso::GraphQL::Schema do
|
|
|
37
37
|
described_class.execute(
|
|
38
38
|
query,
|
|
39
39
|
variables: variables,
|
|
40
|
-
context:
|
|
40
|
+
context: current_context,
|
|
41
41
|
)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
describe 'for an admin user' do
|
|
45
|
-
let(:
|
|
45
|
+
let(:current_context) do
|
|
46
|
+
{
|
|
47
|
+
scope: 'admin',
|
|
48
|
+
}
|
|
49
|
+
end
|
|
50
|
+
|
|
46
51
|
it 'returns Enterprise Account for domain' do
|
|
47
52
|
expect(subject['errors']).to be_nil
|
|
48
53
|
expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
|
|
@@ -50,7 +55,12 @@ describe Osso::GraphQL::Schema do
|
|
|
50
55
|
end
|
|
51
56
|
|
|
52
57
|
describe 'for an email scoped user' do
|
|
53
|
-
let(:
|
|
58
|
+
let(:current_context) do
|
|
59
|
+
{
|
|
60
|
+
scope: 'end-user',
|
|
61
|
+
email: "user@#{domain}",
|
|
62
|
+
}
|
|
63
|
+
end
|
|
54
64
|
it 'returns Enterprise Account for domain' do
|
|
55
65
|
expect(subject['errors']).to be_nil
|
|
56
66
|
expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
|
|
@@ -58,9 +68,14 @@ describe Osso::GraphQL::Schema do
|
|
|
58
68
|
end
|
|
59
69
|
|
|
60
70
|
describe 'for the wrong email scoped user' do
|
|
61
|
-
let(:
|
|
62
|
-
|
|
63
|
-
|
|
71
|
+
let(:current_context) do
|
|
72
|
+
{
|
|
73
|
+
scope: 'end-user',
|
|
74
|
+
email: 'foo@bar.com',
|
|
75
|
+
}
|
|
76
|
+
end
|
|
77
|
+
it 'does not return Enterprise Account for domain' do
|
|
78
|
+
expect(subject['errors']).to_not be_nil
|
|
64
79
|
expect(subject.dig('data', 'enterpriseAccount')).to be_nil
|
|
65
80
|
end
|
|
66
81
|
end
|
|
@@ -5,7 +5,9 @@ require 'spec_helper'
|
|
|
5
5
|
describe Osso::GraphQL::Schema do
|
|
6
6
|
describe 'EnterpriseAccounts' do
|
|
7
7
|
describe 'for an admin user' do
|
|
8
|
-
let(:
|
|
8
|
+
let(:current_context) do
|
|
9
|
+
{ scope: 'admin' }
|
|
10
|
+
end
|
|
9
11
|
|
|
10
12
|
it 'returns paginated Enterprise Accounts' do
|
|
11
13
|
%w[A B C].map do |name|
|
|
@@ -44,7 +46,7 @@ describe Osso::GraphQL::Schema do
|
|
|
44
46
|
response = described_class.execute(
|
|
45
47
|
query,
|
|
46
48
|
variables: { first: 2, sortOrder: 'descending', sortColumn: 'name' },
|
|
47
|
-
context:
|
|
49
|
+
context: current_context,
|
|
48
50
|
)
|
|
49
51
|
|
|
50
52
|
expect(response['errors']).to be_nil
|
|
@@ -32,12 +32,14 @@ describe Osso::GraphQL::Schema do
|
|
|
32
32
|
described_class.execute(
|
|
33
33
|
query,
|
|
34
34
|
variables: variables,
|
|
35
|
-
context:
|
|
35
|
+
context: current_context,
|
|
36
36
|
)
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
describe 'for an admin user' do
|
|
40
|
-
let(:
|
|
40
|
+
let(:current_context) do
|
|
41
|
+
{ scope: 'admin' }
|
|
42
|
+
end
|
|
41
43
|
it 'returns Identity Provider for id' do
|
|
42
44
|
expect(subject['errors']).to be_nil
|
|
43
45
|
expect(subject.dig('data', 'identityProvider', 'id')).to eq(id)
|
|
@@ -45,8 +47,12 @@ describe Osso::GraphQL::Schema do
|
|
|
45
47
|
end
|
|
46
48
|
|
|
47
49
|
describe 'for an email scoped user' do
|
|
48
|
-
let(:
|
|
49
|
-
|
|
50
|
+
let(:current_context) do
|
|
51
|
+
{
|
|
52
|
+
scope: 'end-user',
|
|
53
|
+
email: "user@#{domain}",
|
|
54
|
+
}
|
|
55
|
+
end
|
|
50
56
|
it 'returns Enterprise Account for domain' do
|
|
51
57
|
expect(subject['errors']).to be_nil
|
|
52
58
|
expect(subject.dig('data', 'identityProvider', 'domain')).to eq(domain)
|
|
@@ -54,8 +60,12 @@ describe Osso::GraphQL::Schema do
|
|
|
54
60
|
end
|
|
55
61
|
|
|
56
62
|
describe 'for the wrong email scoped user' do
|
|
57
|
-
let(:
|
|
58
|
-
|
|
63
|
+
let(:current_context) do
|
|
64
|
+
{
|
|
65
|
+
scope: 'end-user',
|
|
66
|
+
email: 'user@bar.com',
|
|
67
|
+
}
|
|
68
|
+
end
|
|
59
69
|
it 'returns Enterprise Account for domain' do
|
|
60
70
|
expect(subject['errors']).to_not be_empty
|
|
61
71
|
expect(subject.dig('data', 'enterpriseAccount')).to be_nil
|
|
@@ -25,12 +25,14 @@ describe Osso::GraphQL::Schema do
|
|
|
25
25
|
described_class.execute(
|
|
26
26
|
query,
|
|
27
27
|
variables: nil,
|
|
28
|
-
context:
|
|
28
|
+
context: current_context,
|
|
29
29
|
)
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
describe 'for an admin user' do
|
|
33
|
-
let(:
|
|
33
|
+
let(:current_context) do
|
|
34
|
+
{ scope: 'admin' }
|
|
35
|
+
end
|
|
34
36
|
|
|
35
37
|
it 'returns Oauth Clients' do
|
|
36
38
|
expect(subject['errors']).to be_nil
|
|
@@ -38,11 +40,12 @@ describe Osso::GraphQL::Schema do
|
|
|
38
40
|
end
|
|
39
41
|
end
|
|
40
42
|
|
|
41
|
-
describe 'for an
|
|
42
|
-
let(:
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
43
|
+
describe 'for an internal scoped user' do
|
|
44
|
+
let(:current_context) do
|
|
45
|
+
{ scope: 'internal' }
|
|
46
|
+
end
|
|
47
|
+
it 'does not return Oauth Clients' do
|
|
48
|
+
expect(subject['errors']).to_not be_nil
|
|
46
49
|
expect(subject.dig('data', 'oauthClients')).to be_nil
|
|
47
50
|
end
|
|
48
51
|
end
|
data/spec/routes/oauth_spec.rb
CHANGED
|
@@ -8,7 +8,10 @@ describe Osso::Oauth do
|
|
|
8
8
|
describe 'get /oauth/authorize' do
|
|
9
9
|
describe 'with a valid client ID and redirect URI' do
|
|
10
10
|
describe 'for a domain that does not belong to an enterprise' do
|
|
11
|
-
|
|
11
|
+
# TODO: better error handling and test
|
|
12
|
+
it 'renders an error page' do
|
|
13
|
+
described_class.set(:views, spec_views)
|
|
14
|
+
|
|
12
15
|
create(:enterprise_with_okta, domain: 'foo.com')
|
|
13
16
|
|
|
14
17
|
get(
|
|
@@ -19,7 +22,7 @@ describe Osso::Oauth do
|
|
|
19
22
|
redirect_uri: client.redirect_uri_values.sample,
|
|
20
23
|
)
|
|
21
24
|
|
|
22
|
-
expect(last_response.status).to eq(
|
|
25
|
+
expect(last_response.status).to eq(200)
|
|
23
26
|
end
|
|
24
27
|
end
|
|
25
28
|
|
|
File without changes
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: osso
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.3.
|
|
4
|
+
version: 0.0.3.17
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Bauch
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-08-
|
|
11
|
+
date: 2020-08-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -284,11 +284,13 @@ files:
|
|
|
284
284
|
- lib/osso/graphql/mutations/set_redirect_uris.rb
|
|
285
285
|
- lib/osso/graphql/query.rb
|
|
286
286
|
- lib/osso/graphql/resolvers.rb
|
|
287
|
+
- lib/osso/graphql/resolvers/base_resolver.rb
|
|
287
288
|
- lib/osso/graphql/resolvers/enterprise_account.rb
|
|
288
289
|
- lib/osso/graphql/resolvers/enterprise_accounts.rb
|
|
289
290
|
- lib/osso/graphql/resolvers/oauth_clients.rb
|
|
290
291
|
- lib/osso/graphql/schema.rb
|
|
291
292
|
- lib/osso/graphql/types.rb
|
|
293
|
+
- lib/osso/graphql/types/admin_user.rb
|
|
292
294
|
- lib/osso/graphql/types/base_connection.rb
|
|
293
295
|
- lib/osso/graphql/types/base_enum.rb
|
|
294
296
|
- lib/osso/graphql/types/base_input_object.rb
|
|
@@ -300,7 +302,6 @@ files:
|
|
|
300
302
|
- lib/osso/graphql/types/oauth_client.rb
|
|
301
303
|
- lib/osso/graphql/types/redirect_uri.rb
|
|
302
304
|
- lib/osso/graphql/types/redirect_uri_input.rb
|
|
303
|
-
- lib/osso/graphql/types/user.rb
|
|
304
305
|
- lib/osso/helpers/auth.rb
|
|
305
306
|
- lib/osso/helpers/helpers.rb
|
|
306
307
|
- lib/osso/lib/app_config.rb
|
|
@@ -350,6 +351,7 @@ files:
|
|
|
350
351
|
- spec/spec_helper.rb
|
|
351
352
|
- spec/support/spec_app.rb
|
|
352
353
|
- spec/support/views/admin.erb
|
|
354
|
+
- spec/support/views/error.erb
|
|
353
355
|
homepage: https://github.com/enterprise-oss/osso-rb
|
|
354
356
|
licenses:
|
|
355
357
|
- MIT
|
|
@@ -1,17 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require 'graphql'
|
|
4
|
-
require_relative 'base_object'
|
|
5
|
-
|
|
6
|
-
module Osso
|
|
7
|
-
module GraphQL
|
|
8
|
-
module Types
|
|
9
|
-
class User < Types::BaseObject
|
|
10
|
-
description 'A User of the application'
|
|
11
|
-
|
|
12
|
-
field :id, ID, null: false
|
|
13
|
-
field :name, String, null: true
|
|
14
|
-
end
|
|
15
|
-
end
|
|
16
|
-
end
|
|
17
|
-
end
|