osso 0.0.3.4 → 0.0.3.9

data/lib/osso/models/authorization_code.rb

@@ -12,3 +12,23 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: authorization_codes
+#
+#  id              :uuid             not null, primary key
+#  token           :string
+#  redirect_uri    :string
+#  expires_at      :datetime
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#  user_id         :uuid
+#  oauth_client_id :uuid
+#
+# Indexes
+#
+#  index_authorization_codes_on_oauth_client_id  (oauth_client_id)
+#  index_authorization_codes_on_token            (token) UNIQUE
+#  index_authorization_codes_on_user_id          (user_id)
+#

data/lib/osso/models/enterprise_account.rb

@@ -10,19 +10,39 @@ module Osso
     class EnterpriseAccount < ActiveRecord::Base
       belongs_to :oauth_client
       has_many :users
-      has_many :saml_providers
+      has_many :identity_providers
 
       def single_provider?
-        saml_providers.one?
+        identity_providers.one?
       end
 
       def provider
         return nil unless single_provider?
 
-        saml_providers.first
+        identity_providers.first
       end
 
-      alias saml_provider provider
+      alias identity_provider provider
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: enterprise_accounts
+#
+#  id              :uuid             not null, primary key
+#  domain          :string           not null
+#  external_uuid   :uuid
+#  external_int_id :integer
+#  external_id     :string
+#  oauth_client_id :uuid
+#  name            :string           not null
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
+# Indexes
+#
+#  index_enterprise_accounts_on_domain           (domain) UNIQUE
+#  index_enterprise_accounts_on_oauth_client_id  (oauth_client_id)
+#

data/lib/osso/models/identity_provider.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Base class for SAML Providers
+    class IdentityProvider < ActiveRecord::Base
+      NAME_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+      belongs_to :enterprise_account
+      belongs_to :oauth_client
+      has_many :users
+      before_save :set_status
+
+      def name
+        service.titlecase
+        # raise(
+        #   NoMethodError,
+        #   '#name must be defined on each provider specific subclass',
+        # )
+      end
+
+      def saml_options
+        attributes.slice(
+          'domain',
+          'idp_cert',
+          'idp_sso_target_url',
+        ).symbolize_keys
+      end
+
+      # def saml_options
+      #   raise(
+      #     NoMethodError,
+      #     '#saml_options must be defined on each provider specific subclass',
+      #   )
+      # end
+
+      def assertion_consumer_service_url
+        [
+          ENV.fetch('BASE_URL'),
+          'auth',
+          'saml',
+          id,
+          'callback',
+        ].join('/')
+      end
+
+      alias acs_url assertion_consumer_service_url
+
+      def set_status
+        return if status != 'PENDING'
+
+        self.status = 'CONFIGURED' if sso_url && sso_cert
+      end
+    end
+  end
+end
+
+# == Schema Information
+#
+# Table name: identity_providers
+#
+#  id                    :uuid             not null, primary key
+#  service               :string
+#  domain                :string           not null
+#  sso_url               :string
+#  sso_cert              :text
+#  enterprise_account_id :uuid
+#  oauth_client_id       :uuid
+#  status                :enum             default("PENDING")
+#  created_at            :datetime
+#  updated_at            :datetime
+#
+# Indexes
+#
+#  index_identity_providers_on_domain                 (domain)
+#  index_identity_providers_on_enterprise_account_id  (enterprise_account_id)
+#  index_identity_providers_on_oauth_client_id        (oauth_client_id)
+#

data/lib/osso/models/models.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# -*- SkipSchemaAnnotations
+
 require 'sinatra/activerecord'
 
 module Osso
@@ -12,5 +14,5 @@ require_relative 'authorization_code'
 require_relative 'enterprise_account'
 require_relative 'oauth_client'
 require_relative 'redirect_uri'
-require_relative 'saml_provider'
+require_relative 'identity_provider'
 require_relative 'user'

data/lib/osso/models/oauth_client.rb

@@ -6,7 +6,7 @@ module Osso
     class OauthClient < ActiveRecord::Base
       has_many :access_tokens
       has_many :refresh_tokens
-      has_many :saml_providers
+      has_many :identity_providers
       has_many :redirect_uris
 
       before_validation :setup, on: :create
@@ -25,8 +25,24 @@ module Osso
 
       def setup
         self.identifier = SecureRandom.hex(16)
-        self.secret = SecureRandom.hex(64)
+        self.secret = SecureRandom.hex(32)
       end
     end
   end
-end
+end
+
+# == Schema Information
+#
+# Table name: oauth_clients
+#
+#  id         :uuid             not null, primary key
+#  name       :string           not null
+#  secret     :string           not null
+#  identifier :string           not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+# Indexes
+#
+#  index_oauth_clients_on_identifier  (identifier) UNIQUE
+#

data/lib/osso/models/redirect_uri.rb

@@ -18,3 +18,20 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: redirect_uris
+#
+#  id              :uuid             not null, primary key
+#  uri             :string           not null
+#  primary         :boolean          default(FALSE), not null
+#  oauth_client_id :uuid
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
+# Indexes
+#
+#  index_redirect_uris_on_oauth_client_id  (oauth_client_id)
+#  index_redirect_uris_on_uri_and_primary  (uri,primary) UNIQUE
+#

data/lib/osso/models/user.rb

@@ -4,21 +4,43 @@ module Osso
   module Models
     class User < ActiveRecord::Base
       belongs_to :enterprise_account
-      belongs_to :saml_provider
+      belongs_to :identity_provider
       has_many :authorization_codes, dependent: :delete_all
       has_many :access_tokens, dependent: :delete_all
 
       def oauth_client
-        saml_provider.oauth_client
+        identity_provider.oauth_client
       end
 
       def as_json(*)
         {
           email: email,
           id: id,
-          idp: saml_provider.name,
+          idp: identity_provider.name,
         }
       end
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: users
+#
+#  id                    :uuid             not null, primary key
+#  email                 :string           not null
+#  idp_id                :string           not null
+#  identity_provider_id  :uuid
+#  enterprise_account_id :uuid
+#  created_at            :datetime         not null
+#  updated_at            :datetime         not null
+#
+# Indexes
+#
+#  index_users_on_email_and_idp_id       (email,idp_id) UNIQUE
+#  index_users_on_enterprise_account_id  (enterprise_account_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (identity_provider_id => identity_providers.id)
+#

data/lib/osso/routes/admin.rb

@@ -6,33 +6,36 @@ module Osso
   class Admin < Sinatra::Base
     include AppConfig
     helpers Helpers::Auth
+    register Sinatra::Namespace
 
     before do
       chomp_token
     end
 
-    get '/' do
-      admin_protected!
+    namespace '/admin' do
+      get '' do
+        admin_protected!
 
-      erb :admin
-    end
+        erb :admin
+      end
 
-    get '/enterprise' do
-      admin_protected!
+      get '/enterprise' do
+        admin_protected!
 
-      erb :admin
-    end
+        erb :admin
+      end
 
-    get '/enterprise/:domain' do
-      enterprise_protected!(params[:domain])
+      get '/enterprise/:domain' do
+        enterprise_protected!(params[:domain])
 
-      erb :admin
-    end
+        erb :admin
+      end
 
-    get '/config' do
-      admin_protected!
+      get '/config' do
+        admin_protected!
 
-      erb :admin
+        erb :admin
+      end
     end
   end
 end

data/lib/osso/routes/auth.rb

@@ -8,6 +8,7 @@ require 'omniauth-saml'
 module Osso
   class Auth < Sinatra::Base
     include AppConfig
+    register Sinatra::Namespace
 
     UUID_REGEXP =
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
@@ -24,41 +25,43 @@ module Osso
         identity_provider_id_regex: UUID_REGEXP,
         path_prefix: '/saml',
         callback_suffix: 'callback',
-      ) do |saml_provider_id, _env|
-        provider = Models::SamlProvider.find(saml_provider_id)
+      ) do |identity_provider_id, _env|
+        provider = Models::IdentityProvider.find(identity_provider_id)
         provider.saml_options
       end
     end
 
-    # Enterprise users are sent here after authenticating against
-    # their Identity Provider. We find or create a user record,
-    # and then create an authorization code for that user. The user
-    # is redirected back to your application with this code
-    # as a URL query param, which you then exhange for an access token
-    post '/saml/:id/callback' do
-      provider = Models::SamlProvider.find(params[:id])
-      oauth_client = provider.oauth_client
-      redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
+    namespace '/auth' do
+      # Enterprise users are sent here after authenticating against
+      # their Identity Provider. We find or create a user record,
+      # and then create an authorization code for that user. The user
+      # is redirected back to your application with this code
+      # as a URL query param, which you then exhange for an access token
+      post '/saml/:id/callback' do
+        provider = Models::IdentityProvider.find(params[:id])
+        oauth_client = provider.oauth_client
+        redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
 
-      attributes = env['omniauth.auth']&.
-        extra&.
-        response_object&.
-        attributes
+        attributes = env['omniauth.auth']&.
+          extra&.
+          response_object&.
+          attributes
 
-      user = Models::User.where(
-        email: attributes[:email],
-        idp_id: attributes[:id],
-      ).first_or_create! do |new_user|
-        new_user.enterprise_account_id = provider.enterprise_account_id
-        new_user.saml_provider_id = provider.id
-      end
+        user = Models::User.where(
+          email: attributes[:email],
+          idp_id: attributes[:id],
+        ).first_or_create! do |new_user|
+          new_user.enterprise_account_id = provider.enterprise_account_id
+          new_user.identity_provider_id = provider.id
+        end
 
-      authorization_code = user.authorization_codes.create!(
-        oauth_client: oauth_client,
-        redirect_uri: redirect_uri,
-      )
+        authorization_code = user.authorization_codes.create!(
+          oauth_client: oauth_client,
+          redirect_uri: redirect_uri,
+        )
 
-      redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+      end
     end
   end
 end

data/lib/osso/routes/oauth.rb

@@ -5,54 +5,59 @@ require 'rack/oauth2'
 module Osso
   class Oauth < Sinatra::Base
     include AppConfig
-    # Send your users here in order to being an authentication
-    # flow. This flow follows the authorization grant oauth
-    # spec with one exception - you must also pass the domain
-    # of the user who wants to sign in.
-    get '/authorize' do
-      @enterprise = Models::EnterpriseAccount.
-        includes(:saml_providers).
-        find_by!(domain: params[:domain])
-
-      Rack::OAuth2::Server::Authorize.new do |req, _res|
-        client = Models::OauthClient.find_by!(identifier: req.client_id)
-        req.verify_redirect_uri!(client.redirect_uri_values)
-      end.call(env)
-
-      if @enterprise.single_provider?
-        session[:oauth_state] = params[:state]
-        redirect "/auth/saml/#{@enterprise.provider.id}"
+    register Sinatra::Namespace
+    # rubocop:disable Metrics/BlockLength
+    namespace '/oauth' do
+      # Send your users here in order to being an authentication
+      # flow. This flow follows the authorization grant oauth
+      # spec with one exception - you must also pass the domain
+      # of the user who wants to sign in.
+      get '/authorize' do
+        @enterprise = Models::EnterpriseAccount.
+          includes(:identity_providers).
+          find_by!(domain: params[:domain])
+
+        Rack::OAuth2::Server::Authorize.new do |req, _res|
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.verify_redirect_uri!(client.redirect_uri_values)
+        end.call(env)
+
+        if @enterprise.single_provider?
+          session[:oauth_state] = params[:state]
+          redirect "/auth/saml/#{@enterprise.provider.id}"
+        end
+
+        # TODO: multiple provider support
+        # erb :multiple_providers
+
+      rescue Rack::OAuth2::Server::Authorize::BadRequest => e
+        @error = e
+        return erb :error
       end
 
-      # TODO: multiple provider support
-      # erb :multiple_providers
-
-    rescue Rack::OAuth2::Server::Authorize::BadRequest => e
-      @error = e
-      return erb :error
-    end
-
-    # Exchange an authorization code token for an access token.
-    # In addition to the token, you must include all paramaters
-    # required by Oauth spec: redirect_uri, client ID, and client secret
-    post '/token' do
-      Rack::OAuth2::Server::Token.new do |req, res|
-        code = Models::AuthorizationCode.
-          find_by_token!(params[:code])
-        client = Models::OauthClient.find_by!(identifier: req.client_id)
-        req.invalid_client! if client.secret != req.client_secret
-        req.invalid_grant! if code.redirect_uri != req.redirect_uri
-        res.access_token = code.access_token.to_bearer_token
-      end.call(env)
-    end
+      # Exchange an authorization code token for an access token.
+      # In addition to the token, you must include all paramaters
+      # required by Oauth spec: redirect_uri, client ID, and client secret
+      post '/token' do
+        Rack::OAuth2::Server::Token.new do |req, res|
+          code = Models::AuthorizationCode.
+            find_by_token!(params[:code])
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.invalid_client! if client.secret != req.client_secret
+          req.invalid_grant! if code.redirect_uri != req.redirect_uri
+          res.access_token = code.access_token.to_bearer_token
+        end.call(env)
+      end
 
-    # Use the access token to request a user profile
-    get '/me' do
-      json Models::AccessToken.
-        includes(:user).
-        valid.
-        find_by_token!(params[:access_token]).
-        user
+      # Use the access token to request a user profile
+      get '/me' do
+        json Models::AccessToken.
+          includes(:user).
+          valid.
+          find_by_token!(params[:access_token]).
+          user
+      end
     end
   end
 end
+# rubocop:enable Metrics/BlockLength