osso 0.0.3.27 → 0.0.5.pre.epsilon

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 61667cd9c9821cbbd903bd5ea753dfb67338a801e442b5e7ce21d77e06e2ada6
-  data.tar.gz: ef180637bd4da14905549a161e153e4a7b6b1dc9b9079d0e98952f7730e6d6ba
+  metadata.gz: 82bd613a1b8d5eb4f9c549d9d855c629698a120d2ee99bf3a52f6911fa4d080a
+  data.tar.gz: a67aec622f76bcc42cc16065d11a795c09893caa1115759b5739fa384108f6f2
 SHA512:
-  metadata.gz: 59dde627b70d7f46a680dbf00ae260cd98613a679daaf14a2a08e7ce6aef7ab627ecf8b1ba8a459438b518f85e24b2db1e63375814c526f12733284fbbdc5a78
-  data.tar.gz: '09a8f59725b4a61aad3a92e8a676377d798049da26951882903c40a8ab7e2945e153097d4e94d896dc601d1d1fc01f518d05adc58af141ce56bc4a12697f40ab'
+  metadata.gz: c2a1ba5df34d2e175ed7a3ab7e61dcb573b5eb9a636753f7159860f817e6b61515b9350b63a1ac1ffece994f27a7f17d61d2de05e5f6a0468168cfb7a268f879
+  data.tar.gz: 475eba77f824e32701ff9eae95bef4663f2e0de8d43c9d542846f6ecaec55edb1242251cb4ed50b9cb1db627252293cf406a633cc8c0c63fb7f419e10dc95e3c

data/.ruby-version

@@ -0,0 +1 @@
+2.6.6

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.3.27)
+    osso (0.0.5.pre.epsilon)
       activesupport (>= 6.0.3.2)
       graphql
       jwt
@@ -31,14 +31,13 @@ GEM
       zeitwerk (~> 2.2, >= 2.2.2)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    aes_key_wrap (1.0.1)
+    aes_key_wrap (1.1.0)
     annotate (3.1.1)
       activerecord (>= 3.2, < 7.0)
       rake (>= 10.4, < 14.0)
     ast (2.4.1)
     attr_required (1.0.1)
-    backports (3.18.1)
-    bindata (2.4.7)
+    bindata (2.4.8)
     coderay (1.1.3)
     concurrent-ruby (1.1.6)
     crack (0.4.3)
@@ -53,7 +52,7 @@ GEM
       activesupport (>= 5.0.0)
     faker (2.13.0)
       i18n (>= 1.6, < 2)
-    graphql (1.11.1)
+    graphql (1.11.4)
     hashdiff (1.0.1)
     hashie (4.1.0)
     httpclient (2.8.3)
@@ -64,23 +63,23 @@ GEM
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
-    jwt (2.2.1)
+    jwt (2.2.2)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
     minitest (5.14.1)
     multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
-    nokogiri (1.10.9)
+    nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
     omniauth (1.9.1)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
     omniauth-multi-provider (0.2.1)
       omniauth
-    omniauth-saml (1.10.1)
+    omniauth-saml (1.10.2)
       omniauth (~> 1.3, >= 1.3.2)
-      ruby-saml (~> 1.7)
+      ruby-saml (~> 1.9)
     parallel (1.19.2)
     parser (2.7.1.4)
       ast (~> 2.4.1)
@@ -92,13 +91,13 @@ GEM
     rack (2.2.3)
     rack-contrib (2.2.0)
       rack (~> 2.0)
-    rack-oauth2 (1.14.0)
+    rack-oauth2 (1.16.0)
       activesupport
       attr_required
       httpclient
       json-jwt (>= 1.11.0)
       rack (>= 2.1.0)
-    rack-protection (2.0.8.1)
+    rack-protection (2.1.0)
       rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
@@ -140,20 +139,19 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
-    sinatra (2.0.8.1)
+    sinatra (2.1.0)
       mustermann (~> 1.0)
-      rack (~> 2.0)
-      rack-protection (= 2.0.8.1)
+      rack (~> 2.2)
+      rack-protection (= 2.1.0)
       tilt (~> 2.0)
     sinatra-activerecord (2.0.18)
       activerecord (>= 4.1)
       sinatra (>= 1.0)
-    sinatra-contrib (2.0.8.1)
-      backports (>= 2.8.2)
+    sinatra-contrib (2.1.0)
       multi_json
       mustermann (~> 1.0)
-      rack-protection (= 2.0.8.1)
-      sinatra (= 2.0.8.1)
+      rack-protection (= 2.1.0)
+      sinatra (= 2.1.0)
       tilt (~> 2.0)
     thread_safe (0.3.6)
     tilt (2.0.10)

data/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_08_26_201852) do
+ActiveRecord::Schema.define(version: 2020_09_13_154919) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "pgcrypto"
@@ -62,7 +62,7 @@ ActiveRecord::Schema.define(version: 2020_08_26_201852) do
   end
 
 # Could not dump table "identity_providers" because of following StandardError
-#   Unknown type 'identity_provider_status' for column 'status'
+#   Unknown type 'identity_provider_service' for column 'service'
 
   create_table "oauth_clients", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
     t.string "name", null: false

data/lib/osso.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
 module Osso
+  require_relative 'osso/error/error'
   require_relative 'osso/helpers/helpers'
   require_relative 'osso/lib/app_config'
   require_relative 'osso/lib/oauth2_token'
   require_relative 'osso/lib/route_map'
+  require_relative 'osso/lib/saml_handler'
   require_relative 'osso/models/models'
   require_relative 'osso/routes/routes'
   require_relative 'osso/graphql/schema'

data/lib/osso/db/migrate/20200714223226_add_identity_provider_service_enum.rb

@@ -1,17 +1,13 @@
 class AddIdentityProviderServiceEnum < ActiveRecord::Migration[6.0]
-  def change
-    def up
-      execute <<-SQL
-        CREATE TYPE identity_provider_service AS ENUM ('OKTA', 'AZURE');
-      SQL
-      change_column :identity_providers, :service, :identity_provider_service
-    end
-  
-    def down
-      chnage_column :identity_providers, :service, :text
-      execute <<-SQL
-        DROP TYPE identity_provider_service;
-      SQL
-    end
+  def up
+    execute "CREATE TYPE identity_provider_service AS ENUM ('OKTA', 'AZURE');"
+    change_column :identity_providers, :service, 'identity_provider_service USING CAST(service as identity_provider_service)'
+  end
+
+  def down
+    chnage_column :identity_providers, :service, :text
+    execute <<-SQL
+      DROP TYPE identity_provider_service;
+    SQL
   end
 end

data/lib/osso/db/migrate/20200913154919_add_one_login_to_identity_provider_service_enum.rb

@@ -0,0 +1,28 @@
+class AddOneLoginToIdentityProviderServiceEnum < ActiveRecord::Migration[6.0]
+  disable_ddl_transaction!
+
+  def up
+    execute <<-SQL
+      ALTER TYPE identity_provider_service ADD VALUE 'ONELOGIN';
+    SQL
+  end
+  
+  def down
+    execute <<~SQL
+      CREATE TYPE identity_provider_service_new AS ENUM ('AZURE', 'OKTA');
+
+      -- Remove values that won't be compatible with new definition
+      DELETE FROM identity_providers WHERE service = 'ONELOGIN';
+      
+      -- Convert to new type, casting via text representation
+      ALTER TABLE identity_providers 
+        ALTER COLUMN service TYPE identity_provider_service_new 
+          USING (service::text::identity_provider_service_new);
+      
+      -- and swap the types
+      DROP TYPE identity_provider_service;
+      
+      ALTER TYPE identity_provider_service_new RENAME TO identity_provider_service;
+    SQL
+  end
+end

data/lib/osso/db/migrate/20200916125543_add_google_to_identity_provider_service_enum.rb

@@ -0,0 +1,28 @@
+class AddGoogleToIdentityProviderServiceEnum < ActiveRecord::Migration[6.0]
+  disable_ddl_transaction!
+
+  def up
+    execute <<-SQL
+      ALTER TYPE identity_provider_service ADD VALUE 'GOOGLE';
+    SQL
+  end
+  
+  def down
+    execute <<~SQL
+      CREATE TYPE identity_provider_service_new AS ENUM ('AZURE', 'OKTA', 'ONELOGIN');
+
+      -- Remove values that won't be compatible with new definition
+      DELETE FROM identity_providers WHERE service = 'GOOGLE';
+      
+      -- Convert to new type, casting via text representation
+      ALTER TABLE identity_providers 
+        ALTER COLUMN service TYPE identity_provider_service_new 
+          USING (service::text::identity_provider_service_new);
+      
+      -- and swap the types
+      DROP TYPE identity_provider_service;
+      
+      ALTER TYPE identity_provider_service_new RENAME TO identity_provider_service;
+    SQL
+  end
+end

data/lib/osso/error/error.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module Error
+  end
+end
+
+require_relative 'missing_saml_attribute_error'
+require_relative 'oauth_error'
+require_relative 'saml_config_error'

data/lib/osso/error/missing_saml_attribute_error.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Osso
+  module Error
+    class MissingSamlAttributeError < StandardError; end
+
+    class MissingSamlEmailAttributeError < MissingSamlAttributeError
+      def message
+        'SAML response does not include the attribute `email`. ' \
+          "Review the setup guide and check the attributes you're sending from your Identity Provider."
+      end
+    end
+
+    class MissingSamlIdAttributeError < MissingSamlAttributeError
+      def message
+        'SAML response does not include the attribute `id` or `idp_id`.' \
+          "Review the setup guide and check the attributes you're sending from your Identity Provider."
+      end
+    end
+  end
+end

data/lib/osso/error/oauth_error.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Osso
+  module Error
+    class OAuthError < StandardError; end
+
+    class NoAccountForOAuthClientError < OAuthError
+      def message
+        'No customer account exists for the requested domain and OAuth client pair.' \
+          "Review our OAuth documentation, and check you're using the correct OAuth client identifier"
+      end
+    end
+
+    class InvalidOAuthClientIdentifier < MissingSamlAttributeError
+      def message
+        'No OAuth client exists for the requested OAuth client identifier.' \
+          "Review our OAuth documentation, and check you're using the correct OAuth client identifier"
+      end
+    end
+
+    class InvalidRedirectUri < MissingSamlAttributeError
+      def message
+        'Invalid Redirect URI for the requested OAuth client identifier.' \
+          "Review our OAuth documentation, check you're using the correct OAuth client identifier " \
+          'and confirm your Redirect URI allow list.'
+      end
+    end
+  end
+end

data/lib/osso/error/saml_config_error.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Osso
+  module Error
+    class SamlConfigError < StandardError; end
+
+    class InvalidACSURLError < SamlConfigError
+      def message
+        'The ACS URL specfied in your Identity Provider configuration is malformed.'
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/base_mutation.rb

@@ -16,7 +16,7 @@ module Osso
             'Mutation error',
             extensions: {
               'errors' => field_errors(errors),
-            }
+            },
           )
         end
 

data/lib/osso/graphql/mutations/configure_identity_provider.rb

@@ -16,7 +16,7 @@ module Osso
           provider = identity_provider(**args)
 
           return response_data(identity_provider: provider) if provider.update(args)
-          
+
           response_error(provider.errors)
         end
 

data/lib/osso/graphql/types/identity_provider.rb

@@ -16,11 +16,6 @@ module Osso
         field :sso_url, String, null: true
         field :sso_cert, String, null: true
         field :status, Types::IdentityProviderStatus, null: false
-        field :documentation_pdf_url, String, null: true
-
-        def documentation_pdf_url
-          ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
-        end
       end
     end
   end

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -4,8 +4,10 @@ module Osso
   module GraphQL
     module Types
       class IdentityProviderService < BaseEnum
-        value('AZURE', 'Microsoft Azure Identity Provider', value: 'Osso::Models::AzureSamlProvider')
-        value('OKTA', 'Okta Identity Provider', value: 'Osso::Models::OktaSamlProvider')
+        value('AZURE', 'Microsoft Azure Identity Provider', value: 'AZURE')
+        value('OKTA', 'Okta Identity Provider', value: 'OKTA')
+        value('ONELOGIN', 'OneLogin Identity Provider', value: 'ONELOGIN')
+        value('GOOGLE', 'Google SAML Identity Provider', value: 'GOOGLE')
       end
     end
   end

data/lib/osso/lib/saml_handler.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Osso
+  class SamlHandler
+    attr_accessor :session, :provider, :attributes
+
+    def self.perform(**attrs)
+      new(attrs).perform
+    end
+
+    def initialize(auth_hash:, provider_id:, session:)
+      find_provider(provider_id)
+      @attributes = auth_hash&.extra&.response_object&.attributes
+      @session = session
+    end
+
+    def perform
+      validate_attributes
+      provider.active!
+      redirect_uri
+    end
+
+    private
+
+    def find_provider(id)
+      @provider ||= Models::IdentityProvider.find(id)
+    rescue ActiveRecord::RecordNotFound
+      raise Osso::Error::InvalidACSURLError
+    end
+
+    def validate_attributes
+      raise Osso::Error::MissingSamlIdAttributeError unless id_attribute
+      raise Osso::Error::MissingSamlEmailAttributeError unless email_attribute
+    end
+
+    def id_attribute
+      @id_attribute ||= attributes[:id] || attributes[:idp_id]
+    end
+
+    def email_attribute
+      attributes[:email]
+    end
+
+    def user
+      @user ||= Models::User.where(
+        email: email_attribute,
+        idp_id: id_attribute,
+      ).first_or_create! do |new_user|
+        new_user.enterprise_account_id = provider.enterprise_account_id
+        new_user.identity_provider_id = provider.id
+      end
+    end
+
+    def authorization_code
+      @authorization_code ||= user.authorization_codes.create!(
+        oauth_client: provider.oauth_client,
+        redirect_uri: redirect_uri_base,
+      )
+    end
+
+    def redirect_uri
+      redirect_uri_base + redirect_uri_querystring
+    end
+
+    def redirect_uri_base
+      return provider.oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
+
+      session[:osso_oauth_redirect_uri]
+    end
+
+    def redirect_uri_querystring
+      "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}"
+    end
+
+    def provider_state
+      return 'IDP_INITIATED' if valid_idp_initiated_flow
+
+      session.delete(:osso_oauth_state)
+    end
+
+    def valid_idp_initiated_flow
+      !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
+    end
+  end
+end

data/lib/osso/models/identity_provider.rb

@@ -69,7 +69,6 @@ module Osso
         else
           OpenSSL::X509::Certificate.new([PEM_HEADER, sso_cert, PEM_FOOTER].join)
         end
-
       rescue OpenSSL::X509::CertificateError
         errors.add(:sso_cert, 'x509 Certificate is malformed')
       end

data/lib/osso/routes/admin.rb

@@ -16,37 +16,37 @@ module Osso
       get '/login' do
         token_protected!
 
-        erb :admin
+        erb :admin, layout: false
       end
 
       get '' do
         internal_protected!
 
-        erb :admin
+        erb :admin, layout: false
       end
 
       get '/enterprise' do
         token_protected!
 
-        erb :admin
+        erb :admin, layout: false
       end
 
       get '/enterprise/:domain' do
         enterprise_protected!(params[:domain])
 
-        erb :admin
+        erb :admin, layout: false
       end
 
       get '/config' do
         admin_protected!
 
-        erb :admin
+        erb :admin, layout: false
       end
 
       get '/config/:id' do
         admin_protected!
 
-        erb :admin
+        erb :admin, layout: false
       end
     end
   end

data/lib/osso/routes/auth.rb

@@ -27,9 +27,16 @@ module Osso
       end
     end
 
-    namespace '/auth' do # rubocop:disable Metrics/BlockLength
+    OmniAuth.config.on_failure = proc do |env|
+      OmniAuth::FailureEndpoint.new(env).redirect_to_failure
+    end
+
+    error do
+      erb :error
+    end
+
+    namespace '/auth' do
       get '/failure' do
-        @error = params[:message]
         erb :error
       end
       # Enterprise users are sent here after authenticating against
@@ -37,47 +44,17 @@ module Osso
       # and then create an authorization code for that user. The user
       # is redirected back to your application with this code
       # as a URL query param, which you then exchange for an access token.
-      post '/saml/:id/callback' do
-        provider = Models::IdentityProvider.find(params[:id])
-        @oauth_client = provider.oauth_client
-
-        # TODO: PORC for validating attributes
-        attributes = env['omniauth.auth']&.
-          extra&.
-          response_object&.
-          attributes
-
-        user = Models::User.where(
-          email: attributes[:email],
-          idp_id: attributes[:id],
-        ).first_or_create! do |new_user|
-          new_user.enterprise_account_id = provider.enterprise_account_id
-          new_user.identity_provider_id = provider.id
-        end
-
-        authorization_code = user.authorization_codes.create!(
-          oauth_client: @oauth_client,
-          redirect_uri: redirect_uri,
+      post '/saml/:provider_id/callback' do
+        redirect_uri = SamlHandler.perform(
+          auth_hash: env['omniauth.auth'],
+          provider_id: params[:provider_id],
+          session: session,
         )
-        provider.active!
-
-        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}")
-      end
-
-      def redirect_uri
-        return @oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
-
-        session[:osso_oauth_redirect_uri]
-      end
 
-      def provider_state
-        return @provider_state = 'IDP_INITIATED' if valid_idp_initiated_flow
-
-        session.delete(:osso_oauth_state)
-      end
-
-      def valid_idp_initiated_flow
-        !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
+        redirect(redirect_uri)
+      rescue Osso::Error::InvalidACSURLError => e
+        @error = e
+        erb :error
       end
     end
   end

data/lib/osso/routes/oauth.rb

@@ -16,28 +16,18 @@ module Osso
       # Once they complete IdP login, they will be returned to the
       # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        Rack::OAuth2::Server::Authorize.new do |req, _res|
-          client = Models::OauthClient.find_by!(identifier: req.client_id)
-          session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
-          session[:osso_oauth_state] = params[:state]
-        end.call(env)
+        client = find_client(params[:client_id])
+        enterprise = find_account(domain: params[:domain], client_id: client.id)
 
-        enterprise = Models::EnterpriseAccount.
-          includes(:identity_providers).
-          find_by!(domain: params[:domain])
+        validate_oauth_request(env)
 
         redirect "/auth/saml/#{enterprise.provider.id}" if enterprise.single_provider?
 
-        # TODO: multiple provider support
-        # erb :multiple_providers
+        @providers = enterprise.identity_providers
+        erb :multiple_providers
 
-      rescue Rack::OAuth2::Server::Authorize::BadRequest => e
-        @error = e
-        erb :error
-      rescue ActiveRecord::RecordNotFound => e
+      rescue Osso::Error::OAuthError => e
         @error = e
-        @error = 'No OAuth Client exists for the provided client_id' if e.model == 'Osso::Models::OauthClient'
-        @error = "No Customer exists with the domain #{params[:domain]}" if e.model == 'Osso::Models::EnterpriseAccount'
         erb :error
       end
 
@@ -66,5 +56,31 @@ module Osso
           user
       end
     end
+
+    private
+
+    def find_account(domain:, client_id:)
+      Models::EnterpriseAccount.
+        includes(:identity_providers).
+        find_by!(domain: domain, oauth_client_id: client_id)
+    rescue ActiveRecord::RecordNotFound
+      raise Osso::Error::NoAccountForOAuthClientError
+    end
+
+    def find_client(identifier)
+      @client ||= Models::OauthClient.find_by!(identifier: identifier)
+    rescue ActiveRecord::RecordNotFound
+      raise Osso::Error::InvalidOAuthClientIdentifier
+    end
+
+    def validate_oauth_request(env)
+      Rack::OAuth2::Server::Authorize.new do |req, _res|
+        client = find_client(req[:client_id])
+        session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
+        session[:osso_oauth_state] = params[:state]
+      end.call(env)
+    rescue Rack::OAuth2::Server::Authorize::BadRequest
+      raise Osso::Error::InvalidRedirectUri
+    end
   end
 end

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.27'
+  VERSION = '0.0.5-epsilon'
 end

data/spec/lib/saml_handler_spec.rb

@@ -0,0 +1 @@
+

data/spec/models/identity_provider_spec.rb

@@ -35,7 +35,7 @@ describe Osso::Models::IdentityProvider do
         )
     end
   end
-  
+
   describe '#validate_sso_cert' do
     it 'rejects an invalid cert' do
       subject.update(sso_cert: 'bad-cert')

data/spec/routes/auth_spec.rb

@@ -43,7 +43,6 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-                'identity_provider' => okta_provider,
               },
             )
           end.to change { Osso::Models::User.count }.by(1)
@@ -58,7 +57,6 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-                'identity_provider' => okta_provider,
               },
             )
           end.to change { Osso::Models::AuthorizationCode.count }.by(1)
@@ -73,7 +71,6 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-                'identity_provider' => okta_provider,
               },
             )
             expect(last_response).to be_redirect
@@ -99,7 +96,6 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-                'identity_provider' => okta_provider,
               },
             )
           end.to_not(change { Osso::Models::User.count })
@@ -110,7 +106,6 @@ describe Osso::Auth do
             nil,
             {
               'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-              'identity_provider' => okta_provider,
             },
           )
           expect(okta_provider.reload.status).to eq('ACTIVE')
@@ -132,7 +127,6 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-                'identity_provider' => azure_provider,
               },
             )
           end.to change { Osso::Models::User.count }.by(1)
@@ -146,7 +140,6 @@ describe Osso::Auth do
             nil,
             {
               'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-              'identity_provider' => azure_provider,
             },
           )
 
@@ -170,7 +163,6 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-                'identity_provider' => azure_provider,
               },
             )
           end.to_not(change { Osso::Models::User.count })
@@ -178,4 +170,39 @@ describe Osso::Auth do
       end
     end
   end
+
+  context 'with an invalid SAML response' do
+    describe 'post /auth/saml/:uuid/callback' do
+      let!(:enterprise) { create(:enterprise_with_azure) }
+      let!(:azure_provider) { enterprise.provider }
+
+      it 'raises an error when email is missing' do
+        mock_saml_omniauth(email: nil, id: SecureRandom.uuid)
+
+        expect do
+          post(
+            "/auth/saml/#{azure_provider.id}/callback",
+            nil,
+            {
+              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+            },
+          )
+        end.to raise_error(Osso::Error::MissingSamlEmailAttributeError)
+      end
+
+      it 'raises an error when id is missing' do
+        mock_saml_omniauth(email: Faker::Internet.email, id: nil)
+
+        expect do
+          post(
+            "/auth/saml/#{azure_provider.id}/callback",
+            nil,
+            {
+              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+            },
+          )
+        end.to raise_error(Osso::Error::MissingSamlIdAttributeError)
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3.27
+  version: 0.0.5.pre.epsilon
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-02 00:00:00.000000000 Z
+date: 2020-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -238,6 +238,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- ".ruby-version"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
@@ -270,6 +271,12 @@ files:
 - lib/osso/db/migrate/20200723153750_add_missing_timestamps.rb
 - lib/osso/db/migrate/20200723162228_drop_unneeded_tables.rb
 - lib/osso/db/migrate/20200826201852_create_app_config.rb
+- lib/osso/db/migrate/20200913154919_add_one_login_to_identity_provider_service_enum.rb
+- lib/osso/db/migrate/20200916125543_add_google_to_identity_provider_service_enum.rb
+- lib/osso/error/error.rb
+- lib/osso/error/missing_saml_attribute_error.rb
+- lib/osso/error/oauth_error.rb
+- lib/osso/error/saml_config_error.rb
 - lib/osso/graphql/.DS_Store
 - lib/osso/graphql/mutation.rb
 - lib/osso/graphql/mutations.rb
@@ -310,6 +317,7 @@ files:
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
+- lib/osso/lib/saml_handler.rb
 - lib/osso/models/access_token.rb
 - lib/osso/models/app_config.rb
 - lib/osso/models/authorization_code.rb
@@ -324,8 +332,6 @@ files:
 - lib/osso/routes/auth.rb
 - lib/osso/routes/oauth.rb
 - lib/osso/routes/routes.rb
-- lib/osso/routes/views/error.erb
-- lib/osso/routes/views/multiple_providers.erb
 - lib/osso/version.rb
 - lib/tasks/bootstrap.rake
 - osso-rb.gemspec
@@ -346,6 +352,7 @@ files:
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
 - spec/helpers/auth_spec.rb
+- spec/lib/saml_handler_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/routes/admin_spec.rb
 - spec/routes/app_spec.rb
@@ -356,6 +363,7 @@ files:
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
 - spec/support/views/error.erb
+- spec/support/views/multiple_providers.erb
 homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
 - MIT
@@ -371,9 +379,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.0.3
 signing_key: 

data/lib/osso/routes/views/error.erb

@@ -1 +0,0 @@
-<%= @error %>

data/lib/osso/routes/views/multiple_providers.erb

@@ -1 +0,0 @@
-multiple providers