osso 0.0.3.16 → 0.0.3.21

data/spec/graphql/query/enterprise_accounts_spec.rb

@@ -5,7 +5,9 @@ require 'spec_helper'
 describe Osso::GraphQL::Schema do
   describe 'EnterpriseAccounts' do
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
 
       it 'returns paginated Enterprise Accounts' do
         %w[A B C].map do |name|
@@ -44,7 +46,7 @@ describe Osso::GraphQL::Schema do
         response = described_class.execute(
           query,
           variables: { first: 2, sortOrder: 'descending', sortColumn: 'name' },
-          context: { scope: current_scope },
+          context: current_context,
         )
 
         expect(response['errors']).to be_nil

data/spec/graphql/query/identity_provider_spec.rb

@@ -32,12 +32,14 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         query,
         variables: variables,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
       it 'returns Identity Provider for id' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'identityProvider', 'id')).to eq(id)
@@ -45,8 +47,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for an email scoped user' do
-      let(:current_scope) { domain }
-
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: "user@#{domain}",
+        }
+      end
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to be_nil
         expect(subject.dig('data', 'identityProvider', 'domain')).to eq(domain)
@@ -54,8 +60,12 @@ describe Osso::GraphQL::Schema do
     end
 
     describe 'for the wrong email scoped user' do
-      let(:current_scope) { 'bar.com' }
-
+      let(:current_context) do
+        {
+          scope: 'end-user',
+          email: 'user@bar.com',
+        }
+      end
       it 'returns Enterprise Account for domain' do
         expect(subject['errors']).to_not be_empty
         expect(subject.dig('data', 'enterpriseAccount')).to be_nil

data/spec/graphql/query/oauth_clients_spec.rb

@@ -25,12 +25,14 @@ describe Osso::GraphQL::Schema do
       described_class.execute(
         query,
         variables: nil,
-        context: { scope: current_scope },
+        context: current_context,
       )
     end
 
     describe 'for an admin user' do
-      let(:current_scope) { :admin }
+      let(:current_context) do
+        { scope: 'admin' }
+      end
 
       it 'returns Oauth Clients' do
         expect(subject['errors']).to be_nil
@@ -38,11 +40,12 @@ describe Osso::GraphQL::Schema do
       end
     end
 
-    describe 'for an email scoped user' do
-      let(:current_scope) { 'foo.com' }
-
-      it 'returns Oauth Clients' do
-        expect(subject['errors']).to be_nil
+    describe 'for an internal scoped user' do
+      let(:current_context) do
+        { scope: 'internal' }
+      end
+      it 'does not return Oauth Clients' do
+        expect(subject['errors']).to_not be_nil
         expect(subject.dig('data', 'oauthClients')).to be_nil
       end
     end

data/spec/helpers/auth_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Helpers::Auth do
+  before do
+    ENV['JWT_HMAC_SECRET'] = 'super-secret'
+  end
+
+  subject(:app) do
+    Class.new { include Osso::Helpers::Auth }
+  end
+
+  describe 'with the token as a header' do
+    before do
+      allow_any_instance_of(subject).to receive(:request) do
+        double('Request', env: { 'admin_token' => token }, post?: false)
+      end
+
+      allow_any_instance_of(subject).to receive(:redirect) do
+        false
+      end
+    end
+
+    describe 'with an admin token' do
+      let(:token) { encode({ scope: 'admin' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to_not be(false)
+      end
+    end
+
+    describe 'with an internal token' do
+      let(:token) { encode({ scope: 'internal' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+
+    describe 'with an end-user token' do
+      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods for the scoped domain' do
+        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
+      end
+
+      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
+        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
+      end
+
+      it 'halts #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to be(false)
+      end
+
+      it 'halts #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+  end
+
+  def encode(payload)
+    JWT.encode(
+      payload,
+      ENV['JWT_HMAC_SECRET'],
+      'HS256',
+    )
+  end
+end

data/spec/routes/oauth_spec.rb

@@ -8,7 +8,10 @@ describe Osso::Oauth do
   describe 'get /oauth/authorize' do
     describe 'with a valid client ID and redirect URI' do
       describe 'for a domain that does not belong to an enterprise' do
-        it '404s' do
+        # TODO: better error handling and test
+        it 'renders an error page' do
+          described_class.set(:views, spec_views)
+
           create(:enterprise_with_okta, domain: 'foo.com')
 
           get(
@@ -19,7 +22,7 @@ describe Osso::Oauth do
             redirect_uri: client.redirect_uri_values.sample,
           )
 
-          expect(last_response.status).to eq(404)
+          expect(last_response.status).to eq(200)
         end
       end
 

data/spec/spec_helper.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require 'simplecov'
+SimpleCov.start
+
 require 'database_cleaner/active_record'
 require 'factory_bot'
 require 'faker'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3.16
+  version: 0.0.3.21
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-17 00:00:00.000000000 Z
+date: 2020-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -270,6 +270,7 @@ files:
 - lib/osso/db/migrate/20200722230116_add_identity_provider_status_enum_and_use_on_identity_providers.rb
 - lib/osso/db/migrate/20200723153750_add_missing_timestamps.rb
 - lib/osso/db/migrate/20200723162228_drop_unneeded_tables.rb
+- lib/osso/db/migrate/20200826201852_create_app_config.rb
 - lib/osso/graphql/.DS_Store
 - lib/osso/graphql/mutation.rb
 - lib/osso/graphql/mutations.rb
@@ -282,13 +283,17 @@ files:
 - lib/osso/graphql/mutations/delete_oauth_client.rb
 - lib/osso/graphql/mutations/regenerate_oauth_credentials.rb
 - lib/osso/graphql/mutations/set_redirect_uris.rb
+- lib/osso/graphql/mutations/update_app_config.rb
 - lib/osso/graphql/query.rb
 - lib/osso/graphql/resolvers.rb
+- lib/osso/graphql/resolvers/base_resolver.rb
 - lib/osso/graphql/resolvers/enterprise_account.rb
 - lib/osso/graphql/resolvers/enterprise_accounts.rb
 - lib/osso/graphql/resolvers/oauth_clients.rb
 - lib/osso/graphql/schema.rb
 - lib/osso/graphql/types.rb
+- lib/osso/graphql/types/admin_user.rb
+- lib/osso/graphql/types/app_config.rb
 - lib/osso/graphql/types/base_connection.rb
 - lib/osso/graphql/types/base_enum.rb
 - lib/osso/graphql/types/base_input_object.rb
@@ -300,13 +305,13 @@ files:
 - lib/osso/graphql/types/oauth_client.rb
 - lib/osso/graphql/types/redirect_uri.rb
 - lib/osso/graphql/types/redirect_uri_input.rb
-- lib/osso/graphql/types/user.rb
 - lib/osso/helpers/auth.rb
 - lib/osso/helpers/helpers.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
 - lib/osso/models/access_token.rb
+- lib/osso/models/app_config.rb
 - lib/osso/models/authorization_code.rb
 - lib/osso/models/enterprise_account.rb
 - lib/osso/models/identity_provider.rb
@@ -340,6 +345,7 @@ files:
 - spec/graphql/query/enterprise_accounts_spec.rb
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
+- spec/helpers/auth_spec.rb
 - spec/models/azure_saml_provider_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/models/okta_saml_provider_spec.rb
@@ -350,6 +356,7 @@ files:
 - spec/spec_helper.rb
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
+- spec/support/views/error.erb
 homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
 - MIT

data/lib/osso/graphql/types/user.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-require 'graphql'
-require_relative 'base_object'
-
-module Osso
-  module GraphQL
-    module Types
-      class User < Types::BaseObject
-        description 'A User of the application'
-
-        field :id, ID, null: false
-        field :name, String, null: true
-      end
-    end
-  end
-end