osso 0.0.3.17 → 0.0.3.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b28fb9c155136c0d23356543f5d9ae0b15e551293bf18c4fbd44bd3340e6602e
-  data.tar.gz: f5c7495d581f4c27706a3fdeca7618707487308d6bc73d0f2372d4cf8fb1957d
+  metadata.gz: 1f017aca126a5a5d516394ae1f13be3eaa91deb759f602571ba372fec06b1ee2
+  data.tar.gz: ccac449dd89bf23b16a56a190837b2deeffc85bee95f7d7e6f7fd245b9762e17
 SHA512:
-  metadata.gz: 67543b72337e89ebc7b7c2f80c42df2d8aa4f0c7001959022858f68e72fda5f409627260b614ba2fb1c1afbe51ecdded8449d84137cb2c85eff16225f9e7c387
-  data.tar.gz: 69fdf0abd7db72588068ec909c84bf95a19e7b93ace562ce86f24e278dc5b54cbb8c1b49f77a18d8f161542931610a9b9cd1e70cf9b0edb41b6397f49a7b4bbb
+  metadata.gz: e80f57d49d9a440d6e77c9b1b69a73e44b5ef28fda17289c19b1ed9a7ad5157391544899ae4b0d783864200faab119bf92343fe6f20b13ed2820068d5ceb80aa
+  data.tar.gz: 9fc798d93fb897fb166a7234f9fef33d2d4fcf4d9df703f77963a604fe2b664ba7bd1f577079e787ea5706de6e22eed75138151d435a5ace8a1ab1d32af09285

data/.buildkite/pipeline.yml

@@ -6,6 +6,15 @@ steps:
       - bundle exec rake db:create
       - RACK_ENV=test bundle exec rake db:migrate
       - bundle exec rspec
+    artifact_paths:
+      - coverage/*
+  
+  - name: ":codeclimate:"
+    plugins:
+      - jobready/codeclimate-test-reporter#v2.0:
+          artifact: "coverage/.resultset.json"
+          input_type: simplecov
+          prefix: '/var/lib/buildkite-agent/builds/enterprise-oss-bk-1/enterpriseoss/osso-rb/'
   
   - block: ":rubygems: Publish :red_button:"
     branches: "main"

data/Gemfile

@@ -12,6 +12,7 @@ group :test do
   gem 'rack-test'
   gem 'rspec', '~> 3.2'
   gem 'rubocop'
+  gem 'simplecov', '= 0.17', require: false
   gem 'webmock', '~> 3.0'
 end
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.3.17)
+    osso (0.0.3.22)
       activesupport (>= 6.0.3.2)
       graphql
       jwt
@@ -48,6 +48,7 @@ GEM
       activerecord
       database_cleaner (~> 1.8.0)
     diff-lcs (1.4.4)
+    docile (1.3.2)
     factory_bot (6.0.2)
       activesupport (>= 5.0.0)
     faker (2.13.0)
@@ -58,6 +59,7 @@ GEM
     httpclient (2.8.3)
     i18n (1.8.3)
       concurrent-ruby (~> 1.0)
+    json (2.3.1)
     json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
@@ -133,6 +135,11 @@ GEM
       nokogiri (>= 1.5.10)
     ruby2_keywords (0.0.2)
     safe_yaml (1.0.5)
+    simplecov (0.17.0)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
     sinatra (2.0.8.1)
       mustermann (~> 1.0)
       rack (~> 2.0)
@@ -174,6 +181,7 @@ DEPENDENCIES
   rack-test
   rspec (~> 3.2)
   rubocop
+  simplecov (= 0.17)
   webmock (~> 3.0)
 
 BUNDLED WITH

data/README.md

@@ -1,2 +1,3 @@
-[![Maintainability](https://api.codeclimate.com/v1/badges/2b04828dc45bcb5abcb1/maintainability)](https://codeclimate.com/github/enterprise-oss/osso-rb/maintainability)
-[![Build status](https://badge.buildkite.com/0e01845bdd51be4131b9cbd496d9caa39cd48f171fc2d9a9ca.svg)](https://buildkite.com/enterpriseoss/osso-rb)
+[![Maintainability](https://api.codeclimate.com/v1/badges/0d80be043d2747e91ef3/maintainability)](https://codeclimate.com/repos/5f4676cc3f757b01b6011403/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/0d80be043d2747e91ef3/test_coverage)](https://codeclimate.com/repos/5f4676cc3f757b01b6011403/test_coverage)
+[![Build status](https://badge.buildkite.com/0e01845bdd51be4131b9cbd496d9caa39cd48f171fc2d9a9ca.svg)](https://buildkite.com/enterpriseoss/osso-rb)

data/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_07_23_162228) do
+ActiveRecord::Schema.define(version: 2020_08_26_201852) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "pgcrypto"
@@ -27,6 +27,14 @@ ActiveRecord::Schema.define(version: 2020_07_23_162228) do
     t.index ["user_id"], name: "index_access_tokens_on_user_id"
   end
 
+  create_table "app_configs", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "contact_email"
+    t.string "logo_url"
+    t.string "name"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+  end
+
   create_table "authorization_codes", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
     t.string "token"
     t.string "redirect_uri"

data/lib/osso/db/migrate/20200826201852_create_app_config.rb

@@ -0,0 +1,11 @@
+class CreateAppConfig < ActiveRecord::Migration[6.0]
+  def change
+    create_table :app_configs, id: :uuid do |t|
+      t.string :contact_email
+      t.string :logo_url
+      t.string :name
+      
+      t.timestamps
+    end
+  end
+end

data/lib/osso/graphql/mutation.rb

@@ -14,6 +14,7 @@ module Osso
         field :delete_oauth_client, mutation: Mutations::DeleteOauthClient
         field :set_redirect_uris, mutation: Mutations::SetRedirectUris
         field :regenerate_oauth_credentials, mutation: Mutations::RegenerateOauthCredentials
+        field :update_app_config, mutation: Mutations::UpdateAppConfig
 
         def self.authorized?(_object, _context)
           # mutations are prevented from executing with ready? so

data/lib/osso/graphql/mutations.rb

@@ -14,3 +14,4 @@ require_relative 'mutations/delete_enterprise_account'
 require_relative 'mutations/delete_oauth_client'
 require_relative 'mutations/regenerate_oauth_credentials'
 require_relative 'mutations/set_redirect_uris'
+require_relative 'mutations/update_app_config'

data/lib/osso/graphql/mutations/create_enterprise_account.rb

@@ -8,19 +8,24 @@ module Osso
 
         argument :domain, String, required: true
         argument :name, String, required: true
-        argument :oauth_client_id, ID, required: false
+        argument :oauth_client_id, String, required: false
 
         field :enterprise_account, Types::EnterpriseAccount, null: false
         field :errors, [String], null: false
 
         def resolve(**args)
           enterprise_account = Osso::Models::EnterpriseAccount.new(args)
-          enterprise_account.oauth_client_id ||= context[:oauth_client_id]
+          enterprise_account.oauth_client_id ||= find_client_db_id(context[:oauth_client_id])
 
           return response_data(enterprise_account: enterprise_account) if enterprise_account.save
 
           response_error(errors: enterprise_account.errors.full_messages)
         end
+
+        def find_client_db_id(oauth_client_identifier)
+          Osso::Models::OauthClient.find_by(identifier: oauth_client_identifier).
+            id
+        end
       end
     end
   end

data/lib/osso/graphql/mutations/update_app_config.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class UpdateAppConfig < BaseMutation
+        null false
+
+        argument :name, String, required: false
+        argument :logo_url, String, required: false
+        argument :contact_email, String, required: false
+
+        field :app_config, Types::AppConfig, null: true
+        field :errors, [String], null: false
+
+        def resolve(**args)
+          app_config = Osso::Models::AppConfig.find
+          return response_data(app_config: app_config) if app_config.update(**args)
+
+          response_error(errors: e)
+        end
+
+        def ready?(*)
+          admin_ready?
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/query.rb

@@ -24,6 +24,13 @@ module Osso
           argument :id, ID, required: true
         end
 
+        field(
+          :app_config,
+          Types::AppConfig,
+          null: false,
+          resolve: ->(_obj, _args, _context) { Osso::Models::AppConfig.find },
+        )
+
         field(
           :oauth_client,
           Types::OauthClient,

data/lib/osso/graphql/resolvers/base_resolver.rb

@@ -15,6 +15,10 @@ module Osso
         def enterprise_authorized?(domain)
           context[:scope] == domain
         end
+
+        def context_domain
+          context[:email].split('@')[1]
+        end
       end
     end
   end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -7,7 +7,7 @@ module Osso
         type Types::EnterpriseAccount.connection_type, null: true
 
         def resolve(sort_column: nil, sort_order: nil)
-          return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope])) unless internal_authorized?
+          return Array(Osso::Models::EnterpriseAccount.find_by(domain: context_domain)) unless internal_authorized?
 
           accounts = Osso::Models::EnterpriseAccount
 

data/lib/osso/graphql/types.rb

@@ -10,6 +10,7 @@ require_relative 'types/base_object'
 require_relative 'types/base_enum'
 require_relative 'types/base_input_object'
 require_relative 'types/admin_user'
+require_relative 'types/app_config'
 require_relative 'types/identity_provider_service'
 require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'

data/lib/osso/graphql/types/app_config.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class AppConfig < Types::BaseObject
+        description 'Configuration values for your application'
+
+        field :id, ID, null: false
+        field :name, String, null: true
+        field :logo_url, String, null: true
+        field :contact_email, String, null: true
+
+        def self.authorized?(_object, context)
+          admin_authorized?(context)
+        end
+      end
+    end
+  end
+end

data/lib/osso/helpers/auth.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'pry'
 module Osso
   module Helpers
     module Auth
@@ -12,6 +11,8 @@ module Osso
 
       def token_protected!
         decode(token)
+      rescue JWT::DecodeError
+        halt 401
       end
 
       def enterprise_protected!(domain = nil)
@@ -24,6 +25,21 @@ module Osso
         redirect ENV['JWT_URL']
       end
 
+      def internal_protected!
+        return if admin_authorized?
+        return if internal_authorized?
+
+        redirect ENV['JWT_URL']
+      end
+
+      def admin_protected!
+        return true if admin_authorized?
+
+        redirect ENV['JWT_URL']
+      end
+
+      private
+
       def enterprise_authorized?(domain)
         decode(token)
 
@@ -33,13 +49,6 @@ module Osso
         false
       end
 
-      def internal_protected!
-        return if admin_authorized?
-        return if internal_authorized?
-
-        redirect ENV['JWT_URL']
-      end
-
       def internal_authorized?
         decode(token)
 
@@ -48,12 +57,6 @@ module Osso
         false
       end
 
-      def admin_protected!
-        return if admin_authorized?
-
-        redirect ENV['JWT_URL']
-      end
-
       def admin_authorized?
         decode(token)
 

data/lib/osso/models/app_config.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class AppConfig < ::ActiveRecord::Base
+      validate :limit_to_one, on: :create
+
+      def self.find
+        first
+      end
+
+      private
+
+      def limit_to_one
+        return if Osso::Models::AppConfig.count.zero?
+
+        errors[:base] << 'AppConfig already exists'
+      end
+    end
+  end
+end
+
+# == Schema Information
+#
+# Table name: app_configs
+#
+#  id            :uuid             not null, primary key
+#  contact_email :string
+#  logo_url      :string
+#  name          :string
+#  created_at    :datetime         not null
+#  updated_at    :datetime         not null
+#

data/lib/osso/models/identity_provider.rb

@@ -12,10 +12,6 @@ module Osso
 
       def name
         service.titlecase
-        # raise(
-        #   NoMethodError,
-        #   '#name must be defined on each provider specific subclass',
-        # )
       end
 
       def saml_options
@@ -29,7 +25,7 @@ module Osso
 
       def assertion_consumer_service_url
         [
-          ENV.fetch('BASE_URL'),
+          root_url,
           'auth',
           'saml',
           id,
@@ -44,6 +40,12 @@ module Osso
 
         self.status = 'CONFIGURED' if sso_url && sso_cert
       end
+
+      def root_url
+        return "https://${ENV['HEROKU_APP_NAME]}.herokuapp.com" if ENV['HEROKU_APP_NAME']
+
+        ENV.fetch('BASE_URL')
+      end
     end
   end
 end

data/lib/osso/models/models.rb

@@ -10,6 +10,7 @@ module Osso
 end
 
 require_relative 'access_token'
+require_relative 'app_config'
 require_relative 'authorization_code'
 require_relative 'enterprise_account'
 require_relative 'oauth_client'

data/lib/osso/models/oauth_client.rb

@@ -23,8 +23,8 @@ module Osso
       end
 
       def generate_secrets
-        self.identifier = SecureRandom.hex(16)
-        self.secret = SecureRandom.hex(32)
+        self.identifier ||= SecureRandom.hex(16)
+        self.secret ||= SecureRandom.hex(32)
       end
     end
   end

data/lib/osso/routes/admin.rb

@@ -13,6 +13,12 @@ module Osso
     end
 
     namespace '/admin' do
+      get '/login' do
+        token_protected!
+
+        erb :admin
+      end
+
       get '' do
         internal_protected!
 
@@ -20,7 +26,7 @@ module Osso
       end
 
       get '/enterprise' do
-        internal_protected!
+        token_protected!
 
         erb :admin
       end

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.17'
+  VERSION = '0.0.3.22'
 end

data/lib/tasks/bootstrap.rake

@@ -12,5 +12,7 @@ namespace :osso do
         name: environement,
       )
     end
+
+    Osso::Models::AppConfig.create!
   end
 end

data/spec/graphql/mutations/create_enterprise_account_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 describe Osso::GraphQL::Schema do
   describe 'CreateIdentityProvider' do
     let(:domain) { Faker::Internet.domain_name }
+    let!(:oauth_client) { create(:oauth_client) }
     let(:variables) do
       {
         input: {
@@ -41,11 +42,45 @@ describe Osso::GraphQL::Schema do
       let(:current_context) do
         { scope: 'admin' }
       end
+      let(:variables) do
+        {
+          input: {
+            name: Faker::Company.name,
+            domain: domain,
+            oauthClientId: oauth_client.id,
+          },
+        }
+      end
+
+      it 'creates an Enterprise Account' do
+        expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
+        expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
+          to eq(domain)
+      end
+
+      it 'attaches the Enterprise Account to the correct OAuth Client' do
+        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
+      end
+    end
+
+    describe 'for an internal scoped user' do
+      let(:current_context) do
+        {
+          scope: 'internal',
+          email: 'user@saasco.com',
+          oauth_client_id: oauth_client.identifier,
+        }
+      end
+
       it 'creates an Enterprise Account' do
         expect { subject }.to change { Osso::Models::EnterpriseAccount.count }.by(1)
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
+
+      it 'attaches the Enterprise Account to the correct OAuth Client' do
+        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
+      end
     end
 
     describe 'for an email scoped user' do
@@ -53,6 +88,7 @@ describe Osso::GraphQL::Schema do
         {
           scope: 'end-user',
           email: "user@#{domain}",
+          oauth_client_id: oauth_client.identifier,
         }
       end
 
@@ -61,6 +97,10 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
+
+      it 'attaches the Enterprise Account to the correct OAuth Client' do
+        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
+      end
     end
     describe 'for the wrong email scoped user' do
       let(:current_context) do

data/spec/helpers/auth_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Helpers::Auth do
+  before do
+    ENV['JWT_HMAC_SECRET'] = 'super-secret'
+  end
+
+  subject(:app) do
+    Class.new { include Osso::Helpers::Auth }
+  end
+
+  describe 'with the token as a header' do
+    before do
+      allow_any_instance_of(subject).to receive(:request) do
+        double('Request', env: { 'admin_token' => token }, post?: false)
+      end
+
+      allow_any_instance_of(subject).to receive(:redirect) do
+        false
+      end
+    end
+
+    describe 'with an admin token' do
+      let(:token) { encode({ scope: 'admin' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to_not be(false)
+      end
+    end
+
+    describe 'with an internal token' do
+      let(:token) { encode({ scope: 'internal' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+
+    describe 'with an end-user token' do
+      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods for the scoped domain' do
+        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
+      end
+
+      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
+        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
+      end
+
+      it 'halts #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to be(false)
+      end
+
+      it 'halts #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+  end
+
+  def encode(payload)
+    JWT.encode(
+      payload,
+      ENV['JWT_HMAC_SECRET'],
+      'HS256',
+    )
+  end
+end

data/spec/spec_helper.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require 'simplecov'
+SimpleCov.start
+
 require 'database_cleaner/active_record'
 require 'factory_bot'
 require 'faker'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3.17
+  version: 0.0.3.22
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-19 00:00:00.000000000 Z
+date: 2020-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -270,6 +270,7 @@ files:
 - lib/osso/db/migrate/20200722230116_add_identity_provider_status_enum_and_use_on_identity_providers.rb
 - lib/osso/db/migrate/20200723153750_add_missing_timestamps.rb
 - lib/osso/db/migrate/20200723162228_drop_unneeded_tables.rb
+- lib/osso/db/migrate/20200826201852_create_app_config.rb
 - lib/osso/graphql/.DS_Store
 - lib/osso/graphql/mutation.rb
 - lib/osso/graphql/mutations.rb
@@ -282,6 +283,7 @@ files:
 - lib/osso/graphql/mutations/delete_oauth_client.rb
 - lib/osso/graphql/mutations/regenerate_oauth_credentials.rb
 - lib/osso/graphql/mutations/set_redirect_uris.rb
+- lib/osso/graphql/mutations/update_app_config.rb
 - lib/osso/graphql/query.rb
 - lib/osso/graphql/resolvers.rb
 - lib/osso/graphql/resolvers/base_resolver.rb
@@ -291,6 +293,7 @@ files:
 - lib/osso/graphql/schema.rb
 - lib/osso/graphql/types.rb
 - lib/osso/graphql/types/admin_user.rb
+- lib/osso/graphql/types/app_config.rb
 - lib/osso/graphql/types/base_connection.rb
 - lib/osso/graphql/types/base_enum.rb
 - lib/osso/graphql/types/base_input_object.rb
@@ -308,6 +311,7 @@ files:
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
 - lib/osso/models/access_token.rb
+- lib/osso/models/app_config.rb
 - lib/osso/models/authorization_code.rb
 - lib/osso/models/enterprise_account.rb
 - lib/osso/models/identity_provider.rb
@@ -341,6 +345,7 @@ files:
 - spec/graphql/query/enterprise_accounts_spec.rb
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
+- spec/helpers/auth_spec.rb
 - spec/models/azure_saml_provider_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/models/okta_saml_provider_spec.rb