osso 0.0.3.4 → 0.0.3.9

data/lib/osso/graphql/mutations/create_enterprise_account.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class CreateEnterpriseAccount < BaseMutation
+        null false
+
+        argument :domain, String, required: true
+        argument :name, String, required: true
+
+        field :enterprise_account, Types::EnterpriseAccount, null: false
+        field :errors, [String], null: false
+
+        def resolve(**args)
+          enterprise_account = Osso::Models::EnterpriseAccount.new(args)
+
+          return response_data(enterprise_account: enterprise_account) if enterprise_account.save
+
+          response_error(errors: enterprise_account.errors.full_messages)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/create_identity_provider.rb

@@ -5,22 +5,24 @@ module Osso
     module Mutations
       class CreateIdentityProvider < BaseMutation
         null false
+
         argument :enterprise_account_id, ID, required: true
-        argument :provider_service, Types::IdentityProviderService, required: true
+        argument :service, Types::IdentityProviderService, required: false
 
         field :identity_provider, Types::IdentityProvider, null: false
         field :errors, [String], null: false
 
-        def resolve(enterprise_account_id:, provider_service:)
+        def resolve(enterprise_account_id:, service: nil)
           enterprise_account = Osso::Models::EnterpriseAccount.find(enterprise_account_id)
-          identity_provider = enterprise_account.saml_providers.create!(
-            provider: provider_service || 'OKTA',
+          identity_provider = enterprise_account.identity_providers.build(
+            enterprise_account_id: enterprise_account_id,
+            service: service,
             domain: enterprise_account.domain,
           )
 
-          return_data(identity_provider: identity_provider)
-        rescue StandardError => e
-          return_error(errors: e.full_message)
+          return response_data(identity_provider: identity_provider) if identity_provider.save
+
+          response_error(errors: identity_provider.errors.full_messages)
         end
       end
     end

data/lib/osso/graphql/mutations/create_oauth_client.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class CreateOauthClient < BaseMutation
+        null false
+
+        argument :name, String, required: true
+
+        field :oauth_client, Types::OauthClient, null: false
+        field :errors, [String], null: false
+
+        def resolve(**args)
+          oauth_client = Osso::Models::OauthClient.new(args)
+
+          return response_data(oauth_client: oauth_client) if oauth_client.save
+
+          response_error(errors: oauth_client.errors.full_messages)
+        end
+
+        def ready?(*)
+          return true if context[:scope] == :admin
+
+          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/delete_enterprise_account.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class DeleteEnterpriseAccount < BaseMutation
+        null false
+
+        argument :id, ID, required: true
+
+        field :enterprise_account, Types::EnterpriseAccount, null: true
+        field :errors, [String], null: false
+
+        def resolve(id:)
+          enterprise_account = Osso::Models::EnterpriseAccount.find(id)
+
+          return response_data(enterprise_account: nil) if enterprise_account.destroy
+
+          response_error(errors: enterprise_account.errors.full_messages)
+        end
+
+        def ready?(id:)
+          return true if context[:scope] == :admin
+
+          domain = account_domain(id)
+
+          return true if domain == context[:scope]
+
+          raise ::GraphQL::ExecutionError, "This user lacks the scope to mutate records belonging to #{domain}"
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/delete_oauth_client.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class DeleteOauthClient < BaseMutation
+        null false
+
+        argument :id, ID, required: true
+
+        field :oauth_client, Types::OauthClient, null: true
+        field :errors, [String], null: false
+
+        def resolve(id:)
+          oauth_client = Osso::Models::OauthClient.find(id)
+
+          return response_data(oauth_client: nil) if oauth_client.destroy
+
+          response_error(errors: oauth_client.errors.full_messages)
+        end
+
+        def ready?(*)
+          return true if context[:scope] == :admin
+
+          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/query.rb

@@ -7,7 +7,7 @@ module Osso
         field :enterprise_accounts, null: true, resolver: Resolvers::EnterpriseAccounts
         field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
 
-        field :enterprise_account, null: false, resolver: Resolvers::EnterpriseAccount do
+        field :enterprise_account, null: true, resolver: Resolvers::EnterpriseAccount do
           argument :domain, String, required: true
         end
 
@@ -15,7 +15,7 @@ module Osso
           :identity_provider,
           Types::IdentityProvider,
           null: true,
-          resolve: ->(_obj, args, _context) { Osso::Models::SamlProvider.find(args[:id]) },
+          resolve: ->(_obj, args, _context) { Osso::Models::IdentityProvider.find(args[:id]) },
         ) do
           argument :id, ID, required: true
         end

data/lib/osso/graphql/resolvers/oauth_clients.rb

@@ -4,10 +4,10 @@ module Osso
   module GraphQL
     module Resolvers
       class OAuthClients < ::GraphQL::Schema::Resolver
-        type [Types::OAuthClient], null: true
+        type [Types::OauthClient], null: true
 
         def resolve
-          return Osso::Models::OAuthClient.all if context[:scope] == :admin
+          return Osso::Models::OauthClient.all if context[:scope] == :admin
         end
       end
     end

data/lib/osso/graphql/schema.rb

@@ -31,12 +31,16 @@ module Osso
         case obj
         when Osso::Models::EnterpriseAccount
           Types::EnterpriseAccount
-        when Osso::Models::SamlProvider
+        when Osso::Models::IdentityProvider
           Types::IdentityProvider
         else
           raise("Unexpected object: #{obj}")
         end
       end
+
+      def self.unauthorized_object(error)
+        raise ::GraphQL::ExecutionError, "An object of type #{error.type.graphql_name} was hidden due to permissions"
+      end
     end
   end
 end

data/lib/osso/graphql/types.rb

@@ -7,7 +7,9 @@ end
 
 require_relative 'types/base_object'
 require_relative 'types/base_enum'
+require_relative 'types/base_input_object'
 require_relative 'types/identity_provider_service'
+require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'
 require_relative 'types/enterprise_account'
 require_relative 'types/oauth_client'

data/lib/osso/graphql/types/base_input_object.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseInputObject < ::GraphQL::Schema::InputObject
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -6,6 +6,8 @@ module Osso
   module GraphQL
     module Types
       class BaseObject < ::GraphQL::Schema::Object
+        field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false
+        field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false
       end
     end
   end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -16,16 +16,16 @@ module Osso
         field :identity_providers, [Types::IdentityProvider], null: true
         field :status, String, null: false
 
-        def name
-          object.domain.gsub('.com', '')
-        end
-
         def status
           'active'
         end
 
         def identity_providers
-          object.saml_providers
+          object.identity_providers
+        end
+
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
         end
       end
     end

data/lib/osso/graphql/types/identity_provider.rb

@@ -17,22 +17,15 @@ module Osso
         field :acs_url, String, null: false
         field :sso_url, String, null: true
         field :sso_cert, String, null: true
-        field :configured, Boolean, null: false
+        field :status, Types::IdentityProviderStatus, null: false
+        field :documentation_pdf_url, String, null: true
 
-        def service
-          @object.provider
+        def documentation_pdf_url
+          ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
         end
 
-        def configured
-          @object.idp_sso_target_url && @object.idp_cert
-        end
-
-        def sso_cert
-          @object.idp_cert
-        end
-
-        def sso_url
-          @object.idp_sso_target_url
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
         end
       end
     end

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -9,4 +9,4 @@ module Osso
       end
     end
   end
-end
+end

data/lib/osso/graphql/types/identity_provider_status.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProviderStatus < BaseEnum
+        value('Pending', value: 'PENDING')
+        value('Configured', value: 'CONFIGURED')
+        value('Active', value: 'ACTIVE')
+        value('Error', value: 'ERROR')
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/oauth_client.rb

@@ -5,7 +5,7 @@ require 'graphql'
 module Osso
   module GraphQL
     module Types
-      class OAuthClient < Types::BaseObject
+      class OauthClient < Types::BaseObject
         description 'An OAuth client used to consume Osso SAML users'
         implements ::GraphQL::Types::Relay::Node
 
@@ -14,6 +14,18 @@ module Osso
         field :name, String, null: false
         field :client_id, String, null: false
         field :client_secret, String, null: false
+
+        def client_id
+          object.identifier
+        end
+
+        def client_secret
+          object.secret
+        end
+
+        def self.authorized?(object, context)
+          super && context[:scope] == :admin
+        end
       end
     end
   end

data/lib/osso/helpers/auth.rb

@@ -4,21 +4,18 @@ module Osso
   module Helpers
     module Auth
       attr_accessor :current_scope
-      
+
       def enterprise_protected!(domain = nil)
         return if admin_authorized?
         return if enterprise_authorized?(domain)
 
+        halt 401 if request.post?
+
         redirect ENV['JWT_URL']
       end
 
-      def enterprise_authorized?(domain)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
+      def enterprise_authorized?(_domain)
+        payload, _args = decode(token)
 
         @current_scope = payload['scope']
 
@@ -34,12 +31,7 @@ module Osso
       end
 
       def admin_authorized?
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
+        payload, _args = decode(token)
 
         if payload['scope'] == 'admin'
           @current_scope = :admin
@@ -64,6 +56,15 @@ module Osso
 
         redirect request.path
       end
+
+      def decode(token)
+        JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
+      end
     end
   end
-end
+end

data/lib/osso/lib/app_config.rb

@@ -7,7 +7,7 @@ module Osso
     def self.included(klass)
       klass.class_eval do
         use Rack::JSONBodyParser
-        use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
+        use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
 
         error ActiveRecord::RecordNotFound do
           status 404

data/lib/osso/lib/route_map.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/MethodLength
+
+module Osso
+  module RouteMap
+    def self.included(klass)
+      klass.class_eval do
+        use Osso::Admin
+        use Osso::Auth
+        use Osso::Oauth
+
+        post '/graphql' do
+          enterprise_protected!
+
+          result = Osso::GraphQL::Schema.execute(
+            params[:query],
+            variables: params[:variables],
+            context: { scope: current_scope },
+          )
+
+          json result
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/MethodLength

data/lib/osso/models/access_token.rb

@@ -27,3 +27,21 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: access_tokens
+#
+#  id              :uuid             not null, primary key
+#  token           :string
+#  expires_at      :datetime
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#  user_id         :uuid
+#  oauth_client_id :uuid
+#
+# Indexes
+#
+#  index_access_tokens_on_oauth_client_id  (oauth_client_id)
+#  index_access_tokens_on_user_id          (user_id)
+#