osso 0.0.3.3 → 0.0.3.8

data/lib/osso/graphql/resolvers.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+    end
+  end
+end
+
+require_relative 'resolvers/enterprise_account'
+require_relative 'resolvers/enterprise_accounts'
+require_relative 'resolvers/oauth_clients'

data/lib/osso/graphql/resolvers/enterprise_account.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class EnterpriseAccount < ::GraphQL::Schema::Resolver
+        type Types::EnterpriseAccount, null: false
+
+        def resolve(args)
+          return unless admin? || enterprise_authorized?(args[:domain])
+
+          Osso::Models::EnterpriseAccount.find_by(domain: args[:domain])
+        end
+
+        def admin?
+          context[:scope] == :admin
+        end
+
+        def enterprise_authorized?(domain)
+          context[:scope] == domain
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class EnterpriseAccounts < ::GraphQL::Schema::Resolver
+        type [Types::EnterpriseAccount], null: true
+
+        def resolve
+          return Osso::Models::EnterpriseAccount.all if context[:scope] == :admin
+
+          Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope]))
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/oauth_clients.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class OAuthClients < ::GraphQL::Schema::Resolver
+        type [Types::OAuthClient], null: true
+
+        def resolve
+          return Osso::Models::OauthClient.all if context[:scope] == :admin
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/schema.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require_relative 'types'
+require_relative 'resolvers'
+require_relative 'mutation'
+require_relative 'query'
+
+GraphQL::Relay::BaseConnection.register_connection_implementation(
+  ActiveRecord::Relation,
+  GraphQL::Relay::RelationConnection,
+)
+
+module Osso
+  module GraphQL
+    class Schema < ::GraphQL::Schema
+      use ::GraphQL::Pagination::Connections
+      query Types::QueryType
+      mutation Types::MutationType
+
+      def self.id_from_object(object, _type_definition = nil, _query_ctx = nil)
+        GraphQL::Schema::UniqueWithinType.encode(object.class.name, object.id)
+      end
+
+      def self.object_from_id(id, _query_ctx = nil)
+        class_name, item_id = GraphQL::Schema::UniqueWithinType.decode(id)
+        Object.const_get(class_name).find(item_id)
+      end
+
+      def self.resolve_type(_type, obj, _ctx)
+        case obj
+        when Osso::Models::EnterpriseAccount
+          Types::EnterpriseAccount
+        when Osso::Models::IdentityProvider
+          Types::IdentityProvider
+        else
+          raise("Unexpected object: #{obj}")
+        end
+      end
+
+      def self.unauthorized_object(error)
+        raise ::GraphQL::ExecutionError, "An object of type #{error.type.graphql_name} was hidden due to permissions"
+      end
+    end
+  end
+end

data/lib/osso/graphql/types.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Osso
+  module Types
+  end
+end
+
+require_relative 'types/base_object'
+require_relative 'types/base_enum'
+require_relative 'types/base_input_object'
+require_relative 'types/identity_provider_service'
+require_relative 'types/identity_provider_status'
+require_relative 'types/identity_provider'
+require_relative 'types/enterprise_account'
+require_relative 'types/oauth_client'
+require_relative 'types/user'

data/lib/osso/graphql/types/base_enum.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseEnum < ::GraphQL::Schema::Enum
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_input_object.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseInputObject < ::GraphQL::Schema::InputObject
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseObject < ::GraphQL::Schema::Object
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class EnterpriseAccount < Types::BaseObject
+        description 'An Account for a company that wishes to use SAML via Osso'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :name, String, null: false
+        field :domain, String, null: false
+        field :identity_providers, [Types::IdentityProvider], null: true
+        field :status, String, null: false
+
+        def status
+          'active'
+        end
+
+        def identity_providers
+          object.identity_providers
+        end
+
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/identity_provider.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProvider < Types::BaseObject
+        description 'Represents a SAML based IDP instance for an EnterpriseAccount'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :enterprise_account_id, ID, null: false
+        field :service, Types::IdentityProviderService, null: true
+        field :domain, String, null: false
+        field :acs_url, String, null: false
+        field :sso_url, String, null: true
+        field :sso_cert, String, null: true
+        field :status, Types::IdentityProviderStatus, null: false
+        field :documentation_pdf_url, String, null: true
+
+        def documentation_pdf_url
+          ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
+        end
+
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProviderService < BaseEnum
+        value('AZURE', 'Microsoft Azure Identity Provider', value: 'Osso::Models::AzureSamlProvider')
+        value('OKTA', 'Okta Identity Provider', value: 'Osso::Models::OktaSamlProvider')
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/identity_provider_status.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProviderStatus < BaseEnum
+        value('Pending', value: 'PENDING')
+        value('Configured', value: 'CONFIGURED')
+        value('Active', value: 'ACTIVE')
+        value('Error', value: 'ERROR')
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/oauth_client.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class OAuthClient < Types::BaseObject
+        description 'An OAuth client used to consume Osso SAML users'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :name, String, null: false
+        field :client_id, String, null: false
+        field :client_secret, String, null: false
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/user.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require_relative 'base_object'
+
+module Osso
+  module GraphQL
+    module Types
+      class User < Types::BaseObject
+        description 'A User of the application'
+
+        field :id, ID, null: false
+        field :name, String, null: true
+      end
+    end
+  end
+end

data/lib/osso/helpers/auth.rb

@@ -1,67 +1,71 @@
 # frozen_string_literal: true
 
-module Helpers
-  module Auth
-    attr_accessor :current_scope
-    
-    def enterprise_protected!(domain = nil)
-      return if admin_authorized?
-      return if enterprise_authorized?(domain)
-
-      redirect ENV['JWT_URL']
-    end
+module Osso
+  module Helpers
+    module Auth
+      attr_accessor :current_scope
 
-    def enterprise_authorized?(domain)
-      payload, _args = JWT.decode(
-        token,
-        ENV['JWT_HMAC_SECRET'],
-        true,
-        { algorithm: 'HS256' },
-      )
+      def enterprise_protected!(domain = nil)
+        return if admin_authorized?
+        return if enterprise_authorized?(domain)
 
-      @current_scope = payload['scope']
+        halt 401 if request.post?
 
-      true
-    rescue JWT::DecodeError
-      false
-    end
+        redirect ENV['JWT_URL']
+      end
 
-    def admin_protected!
-      return if admin_authorized?
+      def enterprise_authorized?(_domain)
+        payload, _args = JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
 
-      redirect ENV['JWT_URL']
-    end
+        @current_scope = payload['scope']
 
-    def admin_authorized?
-      payload, _args = JWT.decode(
-        token,
-        ENV['JWT_HMAC_SECRET'],
-        true,
-        { algorithm: 'HS256' },
-      )
-
-      if payload['scope'] == 'admin'
-        @current_scope = :admin
-        return true
+        true
+      rescue JWT::DecodeError
+        false
       end
 
-      false
-    rescue JWT::DecodeError
-      false
-    end
+      def admin_protected!
+        return if admin_authorized?
 
-    def token
-      request.env['admin_token'] || session['admin_token'] || request['admin_token']
-    end
+        redirect ENV['JWT_URL']
+      end
 
-    def chomp_token
-      return unless request['admin_token'].present?
+      def admin_authorized?
+        payload, _args = JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
 
-      session['admin_token'] = request['admin_token']
+        if payload['scope'] == 'admin'
+          @current_scope = :admin
+          return true
+        end
 
-      return if request.post?
+        false
+      rescue JWT::DecodeError
+        false
+      end
+
+      def token
+        request.env['admin_token'] || session['admin_token'] || request['admin_token']
+      end
+
+      def chomp_token
+        return unless request['admin_token'].present?
 
-      redirect request.path
+        session['admin_token'] = request['admin_token']
+
+        return if request.post?
+
+        redirect request.path
+      end
     end
   end
 end

data/lib/osso/helpers/helpers.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
-module Helpers
+module Osso
+  module Helpers
+  end
 end
 
 require_relative 'auth'