osso 0.0.3.5 → 0.0.3.6

data/lib/osso/graphql/schema.rb

@@ -31,7 +31,7 @@ module Osso
         case obj
         when Osso::Models::EnterpriseAccount
           Types::EnterpriseAccount
-        when Osso::Models::SamlProvider
+        when Osso::Models::IdentityProvider
           Types::IdentityProvider
         else
           raise("Unexpected object: #{obj}")

data/lib/osso/graphql/types.rb

@@ -7,6 +7,7 @@ end
 
 require_relative 'types/base_object'
 require_relative 'types/base_enum'
+require_relative 'types/base_input_object'
 require_relative 'types/identity_provider_service'
 require_relative 'types/identity_provider'
 require_relative 'types/enterprise_account'

data/lib/osso/graphql/types/base_input_object.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseInputObject < ::GraphQL::Schema::InputObject
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -16,16 +16,12 @@ module Osso
         field :identity_providers, [Types::IdentityProvider], null: true
         field :status, String, null: false
 
-        def name
-          object.domain.gsub('.com', '')
-        end
-
         def status
           'active'
         end
 
         def identity_providers
-          object.saml_providers
+          object.identity_providers
         end
       end
     end

data/lib/osso/graphql/types/identity_provider.rb

@@ -19,20 +19,8 @@ module Osso
         field :sso_cert, String, null: true
         field :configured, Boolean, null: false
 
-        def service
-          @object.provider
-        end
-
         def configured
-          @object.idp_sso_target_url && @object.idp_cert
-        end
-
-        def sso_cert
-          @object.idp_cert
-        end
-
-        def sso_url
-          @object.idp_sso_target_url
+          !!(@object.sso_url && @object.sso_cert)
         end
       end
     end

data/lib/osso/lib/app_config.rb

@@ -7,7 +7,7 @@ module Osso
     def self.included(klass)
       klass.class_eval do
         use Rack::JSONBodyParser
-        use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
+        use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
 
         error ActiveRecord::RecordNotFound do
           status 404

data/lib/osso/models/enterprise_account.rb

@@ -10,19 +10,19 @@ module Osso
     class EnterpriseAccount < ActiveRecord::Base
       belongs_to :oauth_client
       has_many :users
-      has_many :saml_providers
+      has_many :identity_providers
 
       def single_provider?
-        saml_providers.one?
+        identity_providers.one?
       end
 
       def provider
         return nil unless single_provider?
 
-        saml_providers.first
+        identity_providers.first
       end
 
-      alias saml_provider provider
+      alias identity_provider provider
     end
   end
 end

data/lib/osso/models/identity_provider.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Base class for SAML Providers
+    class IdentityProvider < ActiveRecord::Base
+      NAME_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+      belongs_to :enterprise_account
+      belongs_to :oauth_client
+      has_many :users
+
+      def name
+        service.titlecase
+        # raise(
+        #   NoMethodError,
+        #   '#name must be defined on each provider specific subclass',
+        # )
+      end
+
+      def saml_options
+        attributes.slice(
+          'domain',
+          'idp_cert',
+          'idp_sso_target_url',
+        ).symbolize_keys
+      end
+
+      # def saml_options
+      #   raise(
+      #     NoMethodError,
+      #     '#saml_options must be defined on each provider specific subclass',
+      #   )
+      # end
+
+      def assertion_consumer_service_url
+        [
+          ENV.fetch('BASE_URL'),
+          'auth',
+          'saml',
+          id,
+          'callback',
+        ].join('/')
+      end
+
+      alias acs_url assertion_consumer_service_url
+    end
+  end
+end

data/lib/osso/models/models.rb

@@ -12,5 +12,5 @@ require_relative 'authorization_code'
 require_relative 'enterprise_account'
 require_relative 'oauth_client'
 require_relative 'redirect_uri'
-require_relative 'saml_provider'
+require_relative 'identity_provider'
 require_relative 'user'

data/lib/osso/models/oauth_client.rb

@@ -6,7 +6,7 @@ module Osso
     class OauthClient < ActiveRecord::Base
       has_many :access_tokens
       has_many :refresh_tokens
-      has_many :saml_providers
+      has_many :identity_providers
       has_many :redirect_uris
 
       before_validation :setup, on: :create

data/lib/osso/models/saml_provider.rb

@@ -3,28 +3,27 @@
 module Osso
   module Models
     # Base class for SAML Providers
-    class SamlProvider < ActiveRecord::Base
+    class IdentityProvider < ActiveRecord::Base
       NAME_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
-      self.inheritance_column = :provider
       belongs_to :enterprise_account
       belongs_to :oauth_client
       has_many :users
 
       before_create :create_enterprise_account
 
-      def name
-        raise(
-          NoMethodError,
-          '#name must be defined on each provider specific subclass',
-        )
-      end
+      # def name
+      #   raise(
+      #     NoMethodError,
+      #     '#name must be defined on each provider specific subclass',
+      #   )
+      # end
 
-      def saml_options
-        raise(
-          NoMethodError,
-          '#saml_options must be defined on each provider specific subclass',
-        )
-      end
+      # def saml_options
+      #   raise(
+      #     NoMethodError,
+      #     '#saml_options must be defined on each provider specific subclass',
+      #   )
+      # end
 
       def assertion_consumer_service_url
         [
@@ -48,5 +47,3 @@ module Osso
     end
   end
 end
-require_relative 'saml_providers/azure_saml_provider'
-require_relative 'saml_providers/okta_saml_provider'

data/lib/osso/models/saml_providers/azure_saml_provider.rb

@@ -3,7 +3,7 @@
 module Osso
   module Models
     # Subclass for Azure / ADFS IDP instances
-    class AzureSamlProvider < Models::SamlProvider
+    class AzureSamlProvider < Models::IdentityProvider
       def name
         'Azure'
       end

data/lib/osso/models/saml_providers/okta_saml_provider.rb

@@ -3,7 +3,7 @@
 module Osso
   module Models
     # Subclass for Okta IDP instances
-    class OktaSamlProvider < Models::SamlProvider
+    class OktaSamlProvider < Models::IdentityProvider
       def name
         'Okta'
       end

data/lib/osso/models/user.rb

@@ -4,19 +4,19 @@ module Osso
   module Models
     class User < ActiveRecord::Base
       belongs_to :enterprise_account
-      belongs_to :saml_provider
+      belongs_to :identity_provider
       has_many :authorization_codes, dependent: :delete_all
       has_many :access_tokens, dependent: :delete_all
 
       def oauth_client
-        saml_provider.oauth_client
+        identity_provider.oauth_client
       end
 
       def as_json(*)
         {
           email: email,
           id: id,
-          idp: saml_provider.name,
+          idp: identity_provider.name,
         }
       end
     end

data/lib/osso/routes/auth.rb

@@ -25,8 +25,8 @@ module Osso
         identity_provider_id_regex: UUID_REGEXP,
         path_prefix: '/saml',
         callback_suffix: 'callback',
-      ) do |saml_provider_id, _env|
-        provider = Models::SamlProvider.find(saml_provider_id)
+      ) do |identity_provider_id, _env|
+        provider = Models::IdentityProvider.find(identity_provider_id)
         provider.saml_options
       end
     end
@@ -38,7 +38,7 @@ module Osso
       # is redirected back to your application with this code
       # as a URL query param, which you then exhange for an access token
       post '/saml/:id/callback' do
-        provider = Models::SamlProvider.find(params[:id])
+        provider = Models::IdentityProvider.find(params[:id])
         oauth_client = provider.oauth_client
         redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
 
@@ -52,7 +52,7 @@ module Osso
           idp_id: attributes[:id],
         ).first_or_create! do |new_user|
           new_user.enterprise_account_id = provider.enterprise_account_id
-          new_user.saml_provider_id = provider.id
+          new_user.identity_provider_id = provider.id
         end
 
         authorization_code = user.authorization_codes.create!(

data/lib/osso/routes/oauth.rb

@@ -14,7 +14,7 @@ module Osso
       # of the user who wants to sign in.
       get '/authorize' do
         @enterprise = Models::EnterpriseAccount.
-          includes(:saml_providers).
+          includes(:identity_providers).
           find_by!(domain: params[:domain])
 
         Rack::OAuth2::Server::Authorize.new do |req, _res|

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.5'
+  VERSION = '0.0.3.6'
 end

data/spec/factories/enterprise_account.rb

@@ -3,6 +3,7 @@
 FactoryBot.define do
   factory :enterprise_account, class: Osso::Models::EnterpriseAccount do
     id { SecureRandom.uuid }
+    name { Faker::Company.name }
     domain { Faker::Internet.domain_name }
     oauth_client
   end
@@ -10,7 +11,7 @@ FactoryBot.define do
   factory :enterprise_with_okta, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :okta_saml_provider,
+        :okta_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -20,7 +21,7 @@ FactoryBot.define do
   factory :enterprise_with_azure, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :azure_saml_provider,
+        :azure_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -30,13 +31,13 @@ FactoryBot.define do
   factory :enterprise_with_multiple_providers, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :okta_saml_provider,
+        :okta_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
 
       create(
-        :azure_saml_provider,
+        :azure_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )

data/spec/factories/identity_providers.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :identity_provider, class: Osso::Models::IdentityProvider do
+    id { SecureRandom.uuid }
+    domain { Faker::Internet.domain_name }
+    oauth_client
+
+    factory :okta_identity_provider, parent: :identity_provider do
+      service { 'OKTA' }
+      sso_url do
+        'https://dev-162024.okta.com/app/vcardmedev162024_rubydemo2_1/exk51326b3U1941Hf4x6/sso/saml'
+      end
+    end
+
+    factory :azure_identity_provider, parent: :identity_provider do
+      service { 'AZURE' }
+      sso_url do
+        'https://login.microsoftonline.com/0af6c610-c40c-4683-9ea4-f25e509b8172/saml2'
+      end
+    end
+
+    factory :configured_identity_provider, parent: :identity_provider do
+      sso_cert do
+        <<~CERT
+          -----BEGIN CERTIFICATE-----
+          MIIDpDCCAoygAwIBAgIGAXEiD4LlMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
+          A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+          MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0xNjIwMjQxHDAaBgkqhkiG9w0BCQEW
+          DWluZm9Ab2t0YS5jb20wHhcNMjAwMzI4MTY1MTU0WhcNMzAwMzI4MTY1MjU0WjCBkjELMAkGA1UE
+          BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
+          BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMTYyMDI0MRwwGgYJ
+          KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+          wsnP4UTfv3bxR5Jh0at51Dqjj+fKxFznzFW3XA5NbF2SlRLjeYcvj3+47TC0eP6xOsLWfnvdnx4v
+          dd9Ufn7jDCo5pL3JykMVEh2I0szF3RLC+a532ArcwgU9Px48+rWVwPkASS7l4NHAM4+gOBHJMQt2
+          AMohPT0kU41P8BEPzfwhNyiEXR66JNZIJUE8fM3Vpgnxm/VSwYzJf0NfOyfxv8JczF0zkDbpE7Tk
+          3Ww/PFFLoMxWzanWGJQ+blnhv6UV6H4fcfAbcwAplOdIVHjS2ghYBvYNGahuFxjia0+6csyZGrt8
+          H4XmR5Dr+jXY5K1b1VOA0k19/FCnHHN/smn25wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBgD9NE
+          4OCuR1+vucV8S1T6XXIL2hB7bXBAZEVHZ1aErRzktgXAMgVwG267vIkD5VOXBiTy9yNU5LK6G3k2
+          zewU190sL1dMfyPnoVZyn94nvwe9A+on0tmZdmk00xirKk3FJdacnZNE9Dl/afIrcNf6xAm0WsU9
+          kbMiRwwvjO4TAiygDQzbrRC8ZfmT3hpBa3aTUzAccrvEQcgarLk4r7UjXP7a2mCN3UIIh+snN2Ms
+          vXHL0r6fM3xbniz+5lleWtPFw73yySBc8znkWZ4Tn8Lh0r6o5nCRYbr2REUB7ZIfiIyBbZxIp4kv
+          a+habbnQDFiNVzEd8OPXHh4EqLxOPDRW
+          -----END CERTIFICATE-----
+        CERT
+      end
+    end
+  end
+end

data/spec/factories/user.rb

@@ -5,7 +5,7 @@ FactoryBot.define do
     id { SecureRandom.uuid }
     email { Faker::Internet.email }
     idp_id { SecureRandom.hex(32) }
-    saml_provider { create(:okta_saml_provider) }
+    identity_provider { create(:okta_identity_provider) }
     enterprise_account
     after(:create) do |user|
       create(

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'ConfigureIdentityProvider' do
+    let(:enterprise_account) { create(:enterprise_account) }
+    let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account) }
+    let(:variables) do
+      {
+        input: {
+          id: identity_provider.id,
+          service: 'OKTA',
+          ssoUrl: 'https://example.com',
+          ssoCert: 'BEGIN_CERTIFICATE',
+        },
+      }
+    end
+    let(:mutation) do
+      <<~GRAPHQL
+         mutation ConfigureIdentityProvider($input: ConfigureIdentityProviderInput!) {
+          configureIdentityProvider(input: $input) {
+            identityProvider {
+              id
+              domain
+              configured
+              enterpriseAccountId
+              service
+              acsUrl
+              ssoCert
+              ssoUrl
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    subject do
+      described_class.execute(
+        mutation,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      it 'configures an identity provider' do
+        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'configured')).
+          to be true
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:domain) { Faker::Internet.domain_name }
+      let(:current_scope) { domain }
+      let(:enterprise_account) { create(:enterprise_account, domain: domain) }
+
+      it 'creates an identity provider' do
+        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'domain')).
+          to eq(domain)
+      end
+    end
+  end
+end