osso 0.0.3.22 → 0.0.3.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f017aca126a5a5d516394ae1f13be3eaa91deb759f602571ba372fec06b1ee2
-  data.tar.gz: ccac449dd89bf23b16a56a190837b2deeffc85bee95f7d7e6f7fd245b9762e17
+  metadata.gz: 61667cd9c9821cbbd903bd5ea753dfb67338a801e442b5e7ce21d77e06e2ada6
+  data.tar.gz: ef180637bd4da14905549a161e153e4a7b6b1dc9b9079d0e98952f7730e6d6ba
 SHA512:
-  metadata.gz: e80f57d49d9a440d6e77c9b1b69a73e44b5ef28fda17289c19b1ed9a7ad5157391544899ae4b0d783864200faab119bf92343fe6f20b13ed2820068d5ceb80aa
-  data.tar.gz: 9fc798d93fb897fb166a7234f9fef33d2d4fcf4d9df703f77963a604fe2b664ba7bd1f577079e787ea5706de6e22eed75138151d435a5ace8a1ab1d32af09285
+  metadata.gz: 59dde627b70d7f46a680dbf00ae260cd98613a679daaf14a2a08e7ce6aef7ab627ecf8b1ba8a459438b518f85e24b2db1e63375814c526f12733284fbbdc5a78
+  data.tar.gz: '09a8f59725b4a61aad3a92e8a676377d798049da26951882903c40a8ab7e2945e153097d4e94d896dc601d1d1fc01f518d05adc58af141ce56bc4a12697f40ab'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.3.22)
+    osso (0.0.3.27)
       activesupport (>= 6.0.3.2)
       graphql
       jwt

data/lib/osso/graphql/mutations/base_mutation.rb

@@ -11,8 +11,23 @@ module Osso
           data.merge(errors: [])
         end
 
-        def response_error(error)
-          error.merge(data: nil)
+        def response_error(errors)
+          raise ::GraphQL::ExecutionError.new(
+            'Mutation error',
+            extensions: {
+              'errors' => field_errors(errors),
+            }
+          )
+        end
+
+        def field_errors(errors)
+          errors.map do |attribute, messages|
+            attribute = attribute.to_s.camelize(:lower)
+            {
+              attribute: attribute,
+              message: messages,
+            }
+          end
         end
 
         def ready?(**args)

data/lib/osso/graphql/mutations/configure_identity_provider.rb

@@ -10,15 +10,14 @@ module Osso
         argument :sso_url, String, required: false
         argument :sso_cert, String, required: false
 
-        field :identity_provider, Types::IdentityProvider, null: false
-        field :errors, [String], null: false
+        field :identity_provider, Types::IdentityProvider, null: true
 
         def resolve(**args)
           provider = identity_provider(**args)
 
           return response_data(identity_provider: provider) if provider.update(args)
-
-          response_error(errors: provider.errors.messages)
+          
+          response_error(provider.errors)
         end
 
         def domain(**args)

data/lib/osso/graphql/mutations/create_enterprise_account.rb

@@ -19,7 +19,7 @@ module Osso
 
           return response_data(enterprise_account: enterprise_account) if enterprise_account.save
 
-          response_error(errors: enterprise_account.errors.full_messages)
+          response_error(enterprise_account.errors)
         end
 
         def find_client_db_id(oauth_client_identifier)

data/lib/osso/graphql/mutations/create_identity_provider.rb

@@ -23,7 +23,7 @@ module Osso
 
           return response_data(identity_provider: identity_provider) if identity_provider.save
 
-          response_error(errors: identity_provider.errors.full_messages)
+          response_error(identity_provider.errors)
         end
 
         def domain(**args)

data/lib/osso/graphql/mutations/create_oauth_client.rb

@@ -16,7 +16,7 @@ module Osso
 
           return response_data(oauth_client: oauth_client) if oauth_client.save
 
-          response_error(errors: oauth_client.errors.full_messages)
+          response_error(oauth_client.errors)
         end
 
         def ready?(*)

data/lib/osso/graphql/mutations/delete_enterprise_account.rb

@@ -20,7 +20,7 @@ module Osso
 
           return response_data(enterprise_account: nil) if customer.destroy
 
-          response_error(errors: customer.errors.full_messages)
+          response_error(customer.errors)
         end
 
         def domain(**args)

data/lib/osso/graphql/mutations/delete_oauth_client.rb

@@ -16,7 +16,7 @@ module Osso
 
           return response_data(oauth_client: nil) if oauth_client.destroy
 
-          response_error(errors: oauth_client.errors.full_messages)
+          response_error(oauth_client.errors)
         end
 
         def ready?(*)

data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb

@@ -13,11 +13,11 @@ module Osso
 
         def resolve(id:)
           oauth_client = Osso::Models::OauthClient.find(id)
-          oauth_client.generate_secrets
+          oauth_client.regenerate_secrets!
 
           return response_data(oauth_client: oauth_client) if oauth_client.save
 
-          response_error(errors: oauth_client.errors.full_messages)
+          response_error(oauth_client.errors)
         end
 
         def ready?(*)

data/lib/osso/graphql/mutations/set_redirect_uris.rb

@@ -20,7 +20,7 @@ module Osso
 
           response_data(oauth_client: oauth_client.reload)
         rescue StandardError => e
-          response_error(errors: e)
+          response_error(e)
         end
 
         def ready?(*)
@@ -33,17 +33,17 @@ module Osso
 
             if updating_index
               updating = redirect_uris.delete_at(updating_index)
-              redirect.update(updating.to_h)
+              redirect.update!(updating.to_h)
               next
             end
 
-            redirect.destroy
+            redirect.destroy!
           end
         end
 
         def create_new(oauth_client, redirect_uris)
           redirect_uris.map do |uri|
-            oauth_client.redirect_uris.create(uri.to_h.without(:id))
+            oauth_client.redirect_uris.create!(uri.to_h.without(:id))
           end
         end
       end

data/lib/osso/graphql/mutations/update_app_config.rb

@@ -17,7 +17,7 @@ module Osso
           app_config = Osso::Models::AppConfig.find
           return response_data(app_config: app_config) if app_config.update(**args)
 
-          response_error(errors: e)
+          response_error(app_config.errors)
         end
 
         def ready?(*)

data/lib/osso/graphql/types.rb

@@ -11,6 +11,7 @@ require_relative 'types/base_enum'
 require_relative 'types/base_input_object'
 require_relative 'types/admin_user'
 require_relative 'types/app_config'
+require_relative 'types/error'
 require_relative 'types/identity_provider_service'
 require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'

data/lib/osso/graphql/types/error.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class Error < Types::BaseObject
+        description 'A mutation error'
+
+        field :attribute, String, null: false
+        field :message, String, null: false
+
+        def self.authorized?(_object, _context)
+          true
+        end
+      end
+    end
+  end
+end

data/lib/osso/models/identity_provider.rb

@@ -4,11 +4,14 @@ module Osso
   module Models
     # Base class for SAML Providers
     class IdentityProvider < ActiveRecord::Base
-      NAME_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
       belongs_to :enterprise_account
       belongs_to :oauth_client
       has_many :users
       before_save :set_status
+      validate :sso_cert_valid
+
+      PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
+      PEM_FOOTER = "\n-----END CERTIFICATE-----"
 
       def name
         service.titlecase
@@ -41,11 +44,35 @@ module Osso
         self.status = 'CONFIGURED' if sso_url && sso_cert
       end
 
+      def active!
+        update(status: 'ACTIVE')
+      end
+
+      def error!
+        update(status: 'ERROR')
+      end
+
       def root_url
-        return "https://${ENV['HEROKU_APP_NAME]}.herokuapp.com" if ENV['HEROKU_APP_NAME']
+        return "https://#{ENV['HEROKU_APP_NAME']}.herokuapp.com" if ENV['HEROKU_APP_NAME']
 
         ENV.fetch('BASE_URL')
       end
+
+      def sso_cert_valid
+        return if sso_cert.blank?
+
+        has_header_and_footer = sso_cert.match(/#{PEM_HEADER}(?<cert>.*)#{PEM_FOOTER}/m)
+
+        if has_header_and_footer
+          OpenSSL::X509::Certificate.new(sso_cert)
+          self.sso_cert = has_header_and_footer[:cert]
+        else
+          OpenSSL::X509::Certificate.new([PEM_HEADER, sso_cert, PEM_FOOTER].join)
+        end
+
+      rescue OpenSSL::X509::CertificateError
+        errors.add(:sso_cert, 'x509 Certificate is malformed')
+      end
     end
   end
 end

data/lib/osso/models/oauth_client.rb

@@ -26,6 +26,11 @@ module Osso
         self.identifier ||= SecureRandom.hex(16)
         self.secret ||= SecureRandom.hex(32)
       end
+
+      def regenerate_secrets!
+        self.identifier = SecureRandom.hex(16)
+        self.secret = SecureRandom.hex(32)
+      end
     end
   end
 end

data/lib/osso/routes/auth.rb

@@ -41,6 +41,7 @@ module Osso
         provider = Models::IdentityProvider.find(params[:id])
         @oauth_client = provider.oauth_client
 
+        # TODO: PORC for validating attributes
         attributes = env['omniauth.auth']&.
           extra&.
           response_object&.
@@ -58,8 +59,7 @@ module Osso
           oauth_client: @oauth_client,
           redirect_uri: redirect_uri,
         )
-
-        # Mark IDP as active
+        provider.active!
 
         redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}")
       end

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.22'
+  VERSION = '0.0.3.27'
 end

data/spec/factories/identity_providers.rb

@@ -5,6 +5,7 @@ FactoryBot.define do
     id { SecureRandom.uuid }
     domain { Faker::Internet.domain_name }
     oauth_client
+    status { 'PENDING' }
 
     factory :okta_identity_provider, parent: :identity_provider do
       service { 'OKTA' }
@@ -21,6 +22,7 @@ FactoryBot.define do
     end
 
     factory :configured_identity_provider, parent: :identity_provider do
+      status { 'CONFIGURED' }
       sso_cert do
         <<~CERT
           -----BEGIN CERTIFICATE-----

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -12,7 +12,7 @@ describe Osso::GraphQL::Schema do
           id: identity_provider.id,
           service: 'OKTA',
           ssoUrl: 'https://example.com',
-          ssoCert: 'BEGIN_CERTIFICATE',
+          ssoCert: valid_x509_pem,
         },
       }
     end

data/spec/models/identity_provider_spec.rb

@@ -6,11 +6,20 @@ describe Osso::Models::IdentityProvider do
   subject { create(:okta_identity_provider) }
 
   describe '#assertion_consumer_service_url' do
-    it 'returns the expected URI' do
+    it 'returns the expected URI for BASE_URL' do
+      ENV['HEROKU_APP_NAME'] = nil
       ENV['BASE_URL'] = 'https://example.com'
 
       expect(subject.assertion_consumer_service_url).to eq(
-        "https://example.com/auth/saml/#{subject.id}/callback",
+        "#{ENV['BASE_URL']}/auth/saml/#{subject.id}/callback",
+      )
+    end
+
+    it 'returns the expected URI for HEROKU_APP_NAME' do
+      ENV['HEROKU_APP_NAME'] = 'test'
+
+      expect(subject.assertion_consumer_service_url).to eq(
+        "https://test.herokuapp.com/auth/saml/#{subject.id}/callback",
       )
     end
   end
@@ -26,4 +35,25 @@ describe Osso::Models::IdentityProvider do
         )
     end
   end
+  
+  describe '#validate_sso_cert' do
+    it 'rejects an invalid cert' do
+      subject.update(sso_cert: 'bad-cert')
+
+      expect(subject.errors.full_messages.first).to include('x509 Certificate is malformed')
+    end
+
+    it 'massages a cert with header and footer' do
+      subject.update(sso_cert: valid_x509_pem)
+
+      expect(subject.errors).to be_empty
+      expect(subject.sso_cert).to_not include('BEGIN CERTIFICATE')
+    end
+
+    it 'accepts a cert without header and footer' do
+      subject.update(sso_cert: raw_x509_string)
+
+      expect(subject.errors).to be_empty
+    end
+  end
 end

data/spec/routes/auth_spec.rb

@@ -104,6 +104,17 @@ describe Osso::Auth do
             )
           end.to_not(change { Osso::Models::User.count })
         end
+        it 'marks the provider as ACTIVE' do
+          post(
+            "/auth/saml/#{okta_provider.id}/callback",
+            nil,
+            {
+              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+              'identity_provider' => okta_provider,
+            },
+          )
+          expect(okta_provider.reload.status).to eq('ACTIVE')
+        end
       end
     end
 
@@ -126,6 +137,21 @@ describe Osso::Auth do
             )
           end.to change { Osso::Models::User.count }.by(1)
         end
+
+        it 'marks the provider ACTIVE' do
+          mock_saml_omniauth
+
+          post(
+            "/auth/saml/#{azure_provider.id}/callback",
+            nil,
+            {
+              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+              'identity_provider' => azure_provider,
+            },
+          )
+
+          expect(azure_provider.reload.status).to eq('ACTIVE')
+        end
       end
 
       describe 'on subsequent authentications' do

data/spec/spec_helper.rb

@@ -21,6 +21,9 @@ require File.expand_path '../lib/osso.rb', __dir__
 require File.expand_path 'support/spec_app', __dir__
 
 module RSpecMixin
+  PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
+  PEM_FOOTER = "\n-----END CERTIFICATE-----"
+
   include Rack::Test::Methods
 
   def app
@@ -46,6 +49,16 @@ module RSpecMixin
   def spec_views
     File.dirname(__FILE__) + '/support/views'
   end
+
+  def valid_x509_pem
+    raw = File.read(File.dirname(__FILE__) + '/support/fixtures/test.pem')
+    OpenSSL::X509::Certificate.new(raw).to_pem
+  end
+
+  def raw_x509_string
+    raw = valid_x509_pem.match(/#{PEM_HEADER}(?<cert>.*)#{PEM_FOOTER}/m)
+    raw[:cert]
+  end
 end
 
 RSpec.configure do |config|

data/spec/support/fixtures/test.pem

@@ -0,0 +1,30 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANDYf/XXreldztPH
+0IJSkvgeQVZCu1ie+D2Ij9nEzJAuM10bD4p2IjI8EQUKUTn1OBbX4ykhn5Ovw9SU
+D8qEllQCzq7zuX54BEm8cHX3IXTpMLM90T2zJayS+3hQqXHzGXeX3fuP1KhNrrkL
+HAlDEtVD/vwIci/TS2Mep7weytOjAgMBAAECgYA23kpwCmQUhaLLHRn4wzz9luVP
+hmS2Gb3aXMB+VCfyUVEJSwzAMd02GXXXPyir83Ly/XEe40iLgogOl3+2kzLzEegI
+1wx9mydlar0kBIDKJkYdnikbvy0IKFNXRxqHl0Oecy9lArDKmBmadYsse8hsZLX2
+eZUmB8G50TeDyz/4gQJBAO1OM4dT/Uo/zTaTDMs7A+td1C4gvjpI7aKPwHdwmvoc
+dQN9BKoAV0EMoUcXvAeVreWEYGZrMwXQB6xT7aydyUMCQQDhTFffVlvsqOmQYhzf
+lbKS8orI0SZZHz8F5dnj1zwb4Xp+hl6tIAkxcZ1DxP4emfc1htd4GswzNqSVfFJv
+JXYhAkEAsmdWSekUxVtN9jd7KNbHTY2O1Nb87GijbtFPyvu3J015kxPMC9qRvm+2
+V/I6BCG9SI3Kw3TYOQh6nE3Eoz9EbQJBAKvzm4F+pOwsQw8KguT2mPNkoB4C2xTc
+LzquIi2t4VeaMOaOYYYa1EljYFcP66+pbS7yOlOViFJyGw1odHYWDmECQCBGi7f5
+qT4Bs3DoaIyD0w9F3LY/ny7+Pa7WGUqQvQWygUDObBtwojXhg/A9BGckUrQ2jmu/
+bhqnqQJs3f05ETA=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICDTCCAXYCCQCm0tqsG7zO2TANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCEJyb29rbHluMRYwFAYDVQQK
+DA1FbnRlcnByaXNlT1NTMB4XDTIwMDkwMjE0MTEyMVoXDTIxMDkwMjE0MTEyMVow
+SzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhCcm9v
+a2x5bjEWMBQGA1UECgwNRW50ZXJwcmlzZU9TUzCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEA0Nh/9det6V3O08fQglKS+B5BVkK7WJ74PYiP2cTMkC4zXRsPinYi
+MjwRBQpROfU4FtfjKSGfk6/D1JQPyoSWVALOrvO5fngESbxwdfchdOkwsz3RPbMl
+rJL7eFCpcfMZd5fd+4/UqE2uuQscCUMS1UP+/AhyL9NLYx6nvB7K06MCAwEAATAN
+BgkqhkiG9w0BAQsFAAOBgQDGze/POq+GSwOIYftr83+YkNTIQAg+bl8hiFMtJ3OV
+buFsI/oUGaKloXOrDLbygk+lvimFbj36k3IhwRI7iXJDCwZGxtVCC4+8VNqqT1Yj
+uZT9xHGYVszzGc8nz4wcaQ8M/W4mCuXet1qDwAi0Zo9yLBnyEdc6pluDdJuz0cg6
+xQ==
+-----END CERTIFICATE-----

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3.22
+  version: 0.0.3.27
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-27 00:00:00.000000000 Z
+date: 2020-09-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -231,7 +231,6 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".DS_Store"
 - ".buildkite/hooks/environment"
 - ".buildkite/hooks/pre-command"
 - ".buildkite/pipeline.yml"
@@ -299,6 +298,7 @@ files:
 - lib/osso/graphql/types/base_input_object.rb
 - lib/osso/graphql/types/base_object.rb
 - lib/osso/graphql/types/enterprise_account.rb
+- lib/osso/graphql/types/error.rb
 - lib/osso/graphql/types/identity_provider.rb
 - lib/osso/graphql/types/identity_provider_service.rb
 - lib/osso/graphql/types/identity_provider_status.rb
@@ -346,14 +346,13 @@ files:
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
 - spec/helpers/auth_spec.rb
-- spec/models/azure_saml_provider_spec.rb
 - spec/models/identity_provider_spec.rb
-- spec/models/okta_saml_provider_spec.rb
 - spec/routes/admin_spec.rb
 - spec/routes/app_spec.rb
 - spec/routes/auth_spec.rb
 - spec/routes/oauth_spec.rb
 - spec/spec_helper.rb
+- spec/support/fixtures/test.pem
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
 - spec/support/views/error.erb

data/spec/models/azure_saml_provider_spec.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-# describe Osso::Models::AzureSamlProvider do
-#   subject { create(:azure_identity_provider) }
-
-#   describe '#saml_options' do
-#     it 'returns the required args' do
-#       expect(subject.saml_options).
-#         to match(
-#           domain: subject.domain,
-#           idp_cert: subject.idp_cert,
-#           idp_sso_target_url: subject.idp_sso_target_url,
-#           issuer: "id:#{subject.id}",
-#         )
-#     end
-#   end
-# end

data/spec/models/okta_saml_provider_spec.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-# describe Osso::Models::OktaSamlProvider do
-#   subject { create(:okta_identity_provider) }
-
-#   describe '#saml_options' do
-#     it 'returns the required args' do
-#       expect(subject.saml_options).
-#         to match(
-#           domain: subject.domain,
-#           idp_cert: subject.idp_cert,
-#           idp_sso_target_url: subject.idp_sso_target_url,
-#           issuer: subject.id,
-#           name_identifier_format: described_class::NAME_FORMAT,
-#         )
-#     end
-#   end
-# end