osso 0.0.3.16 → 0.0.3.21

data/lib/osso/routes/auth.rb

@@ -27,7 +27,11 @@ module Osso
       end
     end
 
-    namespace '/auth' do
+    namespace '/auth' do # rubocop:disable Metrics/BlockLength
+      get '/failure' do
+        @error = params[:message]
+        erb :error
+      end
       # Enterprise users are sent here after authenticating against
       # their Identity Provider. We find or create a user record,
       # and then create an authorization code for that user. The user
@@ -67,9 +71,9 @@ module Osso
       end
 
       def provider_state
-        return 'IDP_INITIATED' if valid_idp_initiated_flow
+        return @provider_state = 'IDP_INITIATED' if valid_idp_initiated_flow
 
-        session[:osso_oauth_state]
+        session.delete(:osso_oauth_state)
       end
 
       def valid_idp_initiated_flow

data/lib/osso/routes/oauth.rb

@@ -7,37 +7,43 @@ module Osso
     include AppConfig
     register Sinatra::Namespace
 
-    namespace '/oauth' do
+    namespace '/oauth' do # rubocop:disable Metrics/BlockLength
       # Send your users here in order to being an authentication
       # flow. This flow follows the authorization grant oauth
       # spec with one exception - you must also pass the domain
-      # of the user who wants to sign in.
+      # of the user who wants to sign in. If the sign in request
+      # is valid, the user is redirected to their Identity Provider.
+      # Once they complete IdP login, they will be returned to the
+      # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        @enterprise = Models::EnterpriseAccount.
-          includes(:identity_providers).
-          find_by!(domain: params[:domain])
-
         Rack::OAuth2::Server::Authorize.new do |req, _res|
           client = Models::OauthClient.find_by!(identifier: req.client_id)
           session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
+          session[:osso_oauth_state] = params[:state]
         end.call(env)
 
-        if @enterprise.single_provider?
-          session[:osso_oauth_state] = params[:state]
-          redirect "/auth/saml/#{@enterprise.provider.id}"
-        end
+        enterprise = Models::EnterpriseAccount.
+          includes(:identity_providers).
+          find_by!(domain: params[:domain])
+
+        redirect "/auth/saml/#{enterprise.provider.id}" if enterprise.single_provider?
 
         # TODO: multiple provider support
         # erb :multiple_providers
 
       rescue Rack::OAuth2::Server::Authorize::BadRequest => e
         @error = e
-        return erb :error
+        erb :error
+      rescue ActiveRecord::RecordNotFound => e
+        @error = e
+        @error = 'No OAuth Client exists for the provided client_id' if e.model == 'Osso::Models::OauthClient'
+        @error = "No Customer exists with the domain #{params[:domain]}" if e.model == 'Osso::Models::EnterpriseAccount'
+        erb :error
       end
 
       # Exchange an authorization code for an access token.
-      # In addition to the authorization code, you must include all 
-      # paramaters required by OAuth spec: redirect_uri, client ID, 
+      # In addition to the authorization code, you must include all
+      # paramaters required by OAuth spec: redirect_uri, client ID,
       # and client secret
       post '/token' do
         Rack::OAuth2::Server::Token.new do |req, res|
@@ -50,7 +56,8 @@ module Osso
         end.call(env)
       end
 
-      # Use the access token to request a user profile
+      # Use the access token to request a profile for the user who
+      # just logged in. Access tokens are short-lived.
       get '/me' do
         json Models::AccessToken.
           includes(:user).

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.16'
+  VERSION = '0.0.3.21'
 end

data/lib/tasks/bootstrap.rake

@@ -12,5 +12,7 @@ namespace :osso do
         name: environement,
       )
     end
+
+    Osso::Models::AppConfig.create!
   end
 end

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -39,12 +39,15 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
+
       it 'configures an identity provider' do
         expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'status')).
           to eq('Configured')
@@ -53,7 +56,12 @@ describe Osso::GraphQL::Schema do
 
     describe 'for an email scoped user' do
       let(:domain) { Faker::Internet.domain_name }
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
       let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account, domain: domain) }
 
@@ -65,7 +73,12 @@ describe Osso::GraphQL::Schema do
 
     describe 'for the wrong email scoped user' do
       let(:domain) { Faker::Internet.domain_name }
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
 
       it 'does not configure an identity provider' do
         expect(subject.dig('errors')).to_not be_empty

data/spec/graphql/mutations/create_enterprise_account_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 describe Osso::GraphQL::Schema do
   describe 'CreateIdentityProvider' do
     let(:domain) { Faker::Internet.domain_name }
+    let!(:oauth_client) { create(:oauth_client) }
     let(:variables) do
       {
         input: {
@@ -33,30 +34,78 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
+      let(:variables) do
+        {
+          input: {
+            name: Faker::Company.name,
+            domain: domain,
+            oauthClientId: oauth_client.id,
+          },
+        }
+      end
+
       it 'creates an Enterprise Account' do
         expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
+
+      it 'attaches the Enterprise Account to the correct OAuth Client' do
+        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
+      end
+    end
+
+    describe 'for an internal scoped user' do
+      let(:current_context) do
+        {
+          scope: 'internal',
+          email: 'user@saasco.com',
+          oauth_client_id: oauth_client.identifier,
+        }
+      end
+
+      it 'creates an Enterprise Account' do
+        expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to eq(domain)
+      end
+
+      it 'attaches the Enterprise Account to the correct OAuth Client' do
+        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
+      end
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+          oauth_client_id: oauth_client.identifier,
+        }
+      end
 
       it 'creates an Enterprise Account' do
         expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
+
+      it 'attaches the Enterprise Account to the correct OAuth Client' do
+        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
+      end
     end
     describe 'for the wrong email scoped user' do
-      let(:current_scope) { 'foo.com' }
+      let(:current_context) do
+        { scope: 'end-user', email: 'user@foo.com' }
+      end
 
       it 'does not create an Enterprise Account' do
         expect { subject }.to_not(change { Osso::Models::EnterpriseAccount.count })

data/spec/graphql/mutations/create_identity_provider_spec.rb

@@ -25,12 +25,14 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
       describe 'without a service' do
         let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
 
@@ -54,7 +56,12 @@ describe Osso::GraphQL::Schema do
 
     describe 'for an email scoped user' do
       let(:domain) { Faker::Internet.domain_name }
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
 
       describe 'without a service' do
@@ -80,12 +87,17 @@ describe Osso::GraphQL::Schema do
 
     describe 'for a wrong email scoped user' do
       let(:domain) { Faker::Internet.domain_name }
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
       let(:target_account) { create(:enterprise_account) }
 
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id } } }
+        let(:variables) { { input: { enterpriseAccountId: target_account.id, domain: domain } } }
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
@@ -93,7 +105,7 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA' } } }
+        let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA', domain: domain } } }
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })

data/spec/graphql/mutations/create_oauth_client_spec.rb

@@ -31,12 +31,14 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
       it 'creates an OauthClient' do
         expect { subject }.to change { Osso::Models::OauthClient.count }.by(1)
         expect(subject.dig('data', 'createOauthClient', 'oauthClient', 'clientId')).
@@ -45,7 +47,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { 'foo.com' }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: 'user@foo.com',
+        }
+      end
 
       it 'does not create an OauthClient Account' do
         expect { subject }.to_not(change { Osso::Models::OauthClient.count })

data/spec/graphql/mutations/delete_enterprise_account_spec.rb

@@ -30,12 +30,15 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
+
       it 'deletes an Enterprise Account' do
         expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(-1)
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount')).
@@ -44,7 +47,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
 
       it 'deletes the Enterprise Account' do
         expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(-1)
@@ -52,8 +60,14 @@ describe Osso::GraphQL::Schema do
           to be_nil
       end
     end
+
     describe 'for the wrong email scoped user' do
-      let(:current_scope) { 'foo.com' }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: 'user@foo.com',
+        }
+      end
 
       it 'does not delete the Enterprise Account' do
         expect { subject }.to_not(change { Osso::Models::EnterpriseAccount.count })

data/spec/graphql/mutations/delete_oauth_client_spec.rb

@@ -29,21 +29,25 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         mutation,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
       it 'deletes the OauthClient' do
         expect { subject }.to change { Osso::Models::OauthClient.count }.by(-1)
       end
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { 'foo.com' }
+      let(:current_context) do
+        { scope: 'end-user', email: 'user@foo.com' }
+      end
 
-      it 'does not create an OauthClient Account' do
+      it 'does not deletes the OauthClient' do
         expect { subject }.to_not(change { Osso::Models::OauthClient.count })
       end
     end

data/spec/graphql/query/enterprise_account_spec.rb

@@ -37,12 +37,17 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         query,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        {
+          scope: 'admin',
+        }
+      end
+
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
@@ -50,7 +55,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { domain }
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'enterpriseAccount', 'domain')).to eq(domain)
@@ -58,9 +68,14 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for the wrong email scoped user' do
-      let(:current_scope) { 'bar.com' }
-      it 'returns Enterprise Account for domain' do
-        expect(subject['errors']).to be_nil
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: 'foo@bar.com',
+        }
+      end
+      it 'does not return Enterprise Account for domain' do
+        expect(subject['errors']).to_not be_nil
         expect(subject.dig('data', 'enterpriseAccount')).to be_nil
       end
     end