osso 0.0.3.6 → 0.0.3.11

data/lib/osso/graphql/schema.rb

@@ -37,6 +37,10 @@ module Osso
           raise("Unexpected object: #{obj}")
         end
       end
+
+      def self.unauthorized_object(error)
+        raise ::GraphQL::ExecutionError, "An object of type #{error.type.graphql_name} was hidden due to permissions"
+      end
     end
   end
 end

data/lib/osso/graphql/types.rb

@@ -5,10 +5,12 @@ module Osso
   end
 end
 
+require_relative 'types/base_connection'
 require_relative 'types/base_object'
 require_relative 'types/base_enum'
 require_relative 'types/base_input_object'
 require_relative 'types/identity_provider_service'
+require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'
 require_relative 'types/enterprise_account'
 require_relative 'types/oauth_client'

data/lib/osso/graphql/types/base_connection.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseConnection < ::GraphQL::Types::Relay::BaseConnection
+        field :total_count, Integer, null: false
+
+        def total_count
+          object.items&.count
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -6,6 +6,10 @@ module Osso
   module GraphQL
     module Types
       class BaseObject < ::GraphQL::Schema::Object
+        connection_type_class GraphQL::Types::BaseConnection
+
+        field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false
+        field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false
       end
     end
   end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -23,6 +23,10 @@ module Osso
         def identity_providers
           object.identity_providers
         end
+
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
+        end
       end
     end
   end

data/lib/osso/graphql/types/identity_provider.rb

@@ -17,10 +17,15 @@ module Osso
         field :acs_url, String, null: false
         field :sso_url, String, null: true
         field :sso_cert, String, null: true
-        field :configured, Boolean, null: false
+        field :status, Types::IdentityProviderStatus, null: false
+        field :documentation_pdf_url, String, null: true
 
-        def configured
-          !!(@object.sso_url && @object.sso_cert)
+        def documentation_pdf_url
+          ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
+        end
+
+        def self.authorized?(object, context)
+          super && (context[:scope] == :admin || object.domain == context[:scope])
         end
       end
     end

data/lib/osso/graphql/types/identity_provider_status.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProviderStatus < BaseEnum
+        value('Pending', value: 'PENDING')
+        value('Configured', value: 'CONFIGURED')
+        value('Active', value: 'ACTIVE')
+        value('Error', value: 'ERROR')
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/oauth_client.rb

@@ -5,7 +5,7 @@ require 'graphql'
 module Osso
   module GraphQL
     module Types
-      class OAuthClient < Types::BaseObject
+      class OauthClient < Types::BaseObject
         description 'An OAuth client used to consume Osso SAML users'
         implements ::GraphQL::Types::Relay::Node
 
@@ -14,6 +14,18 @@ module Osso
         field :name, String, null: false
         field :client_id, String, null: false
         field :client_secret, String, null: false
+
+        def client_id
+          object.identifier
+        end
+
+        def client_secret
+          object.secret
+        end
+
+        def self.authorized?(object, context)
+          super && context[:scope] == :admin
+        end
       end
     end
   end

data/lib/osso/helpers/auth.rb

@@ -15,12 +15,7 @@ module Osso
       end
 
       def enterprise_authorized?(_domain)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
+        payload, _args = decode(token)
 
         @current_scope = payload['scope']
 
@@ -36,12 +31,7 @@ module Osso
       end
 
       def admin_authorized?
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
+        payload, _args = decode(token)
 
         if payload['scope'] == 'admin'
           @current_scope = :admin
@@ -66,6 +56,15 @@ module Osso
 
         redirect request.path
       end
+
+      def decode(token)
+        JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
+      end
     end
   end
 end

data/lib/osso/models/access_token.rb

@@ -27,3 +27,21 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: access_tokens
+#
+#  id              :uuid             not null, primary key
+#  token           :string
+#  expires_at      :datetime
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#  user_id         :uuid
+#  oauth_client_id :uuid
+#
+# Indexes
+#
+#  index_access_tokens_on_oauth_client_id  (oauth_client_id)
+#  index_access_tokens_on_user_id          (user_id)
+#

data/lib/osso/models/authorization_code.rb

@@ -12,3 +12,23 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: authorization_codes
+#
+#  id              :uuid             not null, primary key
+#  token           :string
+#  redirect_uri    :string
+#  expires_at      :datetime
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#  user_id         :uuid
+#  oauth_client_id :uuid
+#
+# Indexes
+#
+#  index_authorization_codes_on_oauth_client_id  (oauth_client_id)
+#  index_authorization_codes_on_token            (token) UNIQUE
+#  index_authorization_codes_on_user_id          (user_id)
+#

data/lib/osso/models/enterprise_account.rb

@@ -26,3 +26,23 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: enterprise_accounts
+#
+#  id              :uuid             not null, primary key
+#  domain          :string           not null
+#  external_uuid   :uuid
+#  external_int_id :integer
+#  external_id     :string
+#  oauth_client_id :uuid
+#  name            :string           not null
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
+# Indexes
+#
+#  index_enterprise_accounts_on_domain           (domain) UNIQUE
+#  index_enterprise_accounts_on_oauth_client_id  (oauth_client_id)
+#

data/lib/osso/models/identity_provider.rb

@@ -8,6 +8,7 @@ module Osso
       belongs_to :enterprise_account
       belongs_to :oauth_client
       has_many :users
+      before_save :set_status
 
       def name
         service.titlecase
@@ -43,6 +44,34 @@ module Osso
       end
 
       alias acs_url assertion_consumer_service_url
+
+      def set_status
+        return if status != 'PENDING'
+
+        self.status = 'CONFIGURED' if sso_url && sso_cert
+      end
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: identity_providers
+#
+#  id                    :uuid             not null, primary key
+#  service               :string
+#  domain                :string           not null
+#  sso_url               :string
+#  sso_cert              :text
+#  enterprise_account_id :uuid
+#  oauth_client_id       :uuid
+#  status                :enum             default("PENDING")
+#  created_at            :datetime
+#  updated_at            :datetime
+#
+# Indexes
+#
+#  index_identity_providers_on_domain                 (domain)
+#  index_identity_providers_on_enterprise_account_id  (enterprise_account_id)
+#  index_identity_providers_on_oauth_client_id        (oauth_client_id)
+#

data/lib/osso/models/models.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# -*- SkipSchemaAnnotations
+
 require 'sinatra/activerecord'
 
 module Osso

data/lib/osso/models/oauth_client.rb

@@ -25,8 +25,24 @@ module Osso
 
       def setup
         self.identifier = SecureRandom.hex(16)
-        self.secret = SecureRandom.hex(64)
+        self.secret = SecureRandom.hex(32)
       end
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: oauth_clients
+#
+#  id         :uuid             not null, primary key
+#  name       :string           not null
+#  secret     :string           not null
+#  identifier :string           not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+# Indexes
+#
+#  index_oauth_clients_on_identifier  (identifier) UNIQUE
+#

data/lib/osso/models/redirect_uri.rb

@@ -18,3 +18,20 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: redirect_uris
+#
+#  id              :uuid             not null, primary key
+#  uri             :string           not null
+#  primary         :boolean          default(FALSE), not null
+#  oauth_client_id :uuid
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
+# Indexes
+#
+#  index_redirect_uris_on_oauth_client_id  (oauth_client_id)
+#  index_redirect_uris_on_uri_and_primary  (uri,primary) UNIQUE
+#

data/lib/osso/models/user.rb

@@ -22,3 +22,25 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: users
+#
+#  id                    :uuid             not null, primary key
+#  email                 :string           not null
+#  idp_id                :string           not null
+#  identity_provider_id  :uuid
+#  enterprise_account_id :uuid
+#  created_at            :datetime         not null
+#  updated_at            :datetime         not null
+#
+# Indexes
+#
+#  index_users_on_email_and_idp_id       (email,idp_id) UNIQUE
+#  index_users_on_enterprise_account_id  (enterprise_account_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (identity_provider_id => identity_providers.id)
+#

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3.6'
+  VERSION = '0.0.3.11'
 end

data/osso-rb.gemspec

@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'sinatra-activerecord'
   spec.add_runtime_dependency 'sinatra-contrib'
 
+  spec.add_development_dependency 'annotate', '~> 3.1'
   spec.add_development_dependency 'bundler', '~> 2.1'
   spec.add_development_dependency 'pry'
 

data/spec/factories/identity_providers.rb

@@ -47,3 +47,25 @@ FactoryBot.define do
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: identity_providers
+#
+#  id                    :uuid             not null, primary key
+#  service               :string
+#  domain                :string           not null
+#  sso_url               :string
+#  sso_cert              :text
+#  enterprise_account_id :uuid
+#  oauth_client_id       :uuid
+#  status                :enum             default("PENDING")
+#  created_at            :datetime
+#  updated_at            :datetime
+#
+# Indexes
+#
+#  index_identity_providers_on_domain                 (domain)
+#  index_identity_providers_on_enterprise_account_id  (enterprise_account_id)
+#  index_identity_providers_on_oauth_client_id        (oauth_client_id)
+#

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -23,7 +23,7 @@ describe Osso::GraphQL::Schema do
             identityProvider {
               id
               domain
-              configured
+              status
               enterpriseAccountId
               service
               acsUrl
@@ -46,8 +46,8 @@ describe Osso::GraphQL::Schema do
     describe 'for an admin user' do
       let(:current_scope) { :admin }
       it 'configures an identity provider' do
-        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'configured')).
-          to be true
+        expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'status')).
+          to eq('Configured')
       end
     end
 
@@ -55,11 +55,21 @@ describe Osso::GraphQL::Schema do
       let(:domain) { Faker::Internet.domain_name }
       let(:current_scope) { domain }
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
+      let(:identity_provider) { create(:identity_provider, enterprise_account: enterprise_account, domain: domain) }
 
-      it 'creates an identity provider' do
+      it 'configures an identity provider' do
         expect(subject.dig('data', 'configureIdentityProvider', 'identityProvider', 'domain')).
           to eq(domain)
       end
     end
+
+    describe 'for the wrong email scoped user' do
+      let(:domain) { Faker::Internet.domain_name }
+      let(:current_scope) { domain }
+
+      it 'does not configure an identity provider' do
+        expect(subject.dig('errors')).to_not be_empty
+      end
+    end
   end
 end