osso 0.0.3.7 → 0.0.3.12

data/lib/osso/graphql/mutations/mark_redirect_uri_primary.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class MarkRedirectUriPrimary < BaseMutation
+        null false
+
+        argument :id, ID, required: true
+
+        field :oauth_client, Types::OauthClient, null: true
+        field :errors, [String], null: false
+
+        def resolve(id:)
+          redirect_uri = Osso::Models::RedirectUri.find(id)
+          oauth_client = redirect_uri.oauth_client
+
+          oauth_client.redirect_uris.update(primary: false)
+          redirect_uri.update(primary: true)
+
+          response_data(oauth_client: oauth_client.reload)
+        rescue StandardError => e
+          response_error(errors: e.message)
+        end
+
+        def ready?(*)
+          return true if context[:scope] == :admin
+
+          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class RegenerateOauthCredentials < BaseMutation
+        null false
+
+        argument :id, ID, required: true
+
+        field :oauth_client, Types::OauthClient, null: false
+        field :errors, [String], null: false
+
+        def resolve(id:)
+          oauth_client = Osso::Models::OauthClient.find(id)
+          oauth_client.generate_secrets
+          
+          return response_data(oauth_client: oauth_client) if oauth_client.save
+        
+          response_error(errors: oauth_client.errors.full_messages)
+        end
+
+        def ready?(*)
+          return true if context[:scope] == :admin
+
+          raise ::GraphQL::ExecutionError, 'Only admin users may mutate OauthClients'
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/query.rb

@@ -4,13 +4,17 @@ module Osso
   module GraphQL
     module Types
       class QueryType < ::GraphQL::Schema::Object
-        field :enterprise_accounts, null: true, resolver: Resolvers::EnterpriseAccounts
-        field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
+        field :enterprise_accounts, null: true, resolver: Resolvers::EnterpriseAccounts do
+          argument :sort_column, String, required: false
+          argument :sort_order, String, required: false
+        end
 
         field :enterprise_account, null: true, resolver: Resolvers::EnterpriseAccount do
           argument :domain, String, required: true
         end
 
+        field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
+
         field(
           :identity_provider,
           Types::IdentityProvider,
@@ -19,6 +23,15 @@ module Osso
         ) do
           argument :id, ID, required: true
         end
+
+        field(
+          :oauth_client,
+          Types::OauthClient,
+          null: true,
+          resolve: ->(_obj, args, _context) { Osso::Models::OauthClient.find(args[:id]) },
+        ) do
+          argument :id, ID, required: true
+        end
       end
     end
   end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -4,12 +4,20 @@ module Osso
   module GraphQL
     module Resolvers
       class EnterpriseAccounts < ::GraphQL::Schema::Resolver
-        type [Types::EnterpriseAccount], null: true
+        type Types::EnterpriseAccount.connection_type, null: true
 
-        def resolve
-          return Osso::Models::EnterpriseAccount.all if context[:scope] == :admin
+        def resolve(sort_column: nil, sort_order: nil)
+          return Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope])) if context[:scope] != :admin
 
-          Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope]))
+          accounts = Osso::Models::EnterpriseAccount
+
+          accounts = accounts.order(sort_column => sort_order_sym(sort_order)) if sort_column && sort_order
+
+          accounts.all
+        end
+
+        def sort_order_sym(order_string)
+          order_string == 'ascend' ? :asc : :desc
         end
       end
     end

data/lib/osso/graphql/resolvers/oauth_clients.rb

@@ -4,7 +4,7 @@ module Osso
   module GraphQL
     module Resolvers
       class OAuthClients < ::GraphQL::Schema::Resolver
-        type [Types::OAuthClient], null: true
+        type [Types::OauthClient], null: true
 
         def resolve
           return Osso::Models::OauthClient.all if context[:scope] == :admin

data/lib/osso/graphql/types.rb

@@ -5,11 +5,14 @@ module Osso
   end
 end
 
+require_relative 'types/base_connection'
 require_relative 'types/base_object'
 require_relative 'types/base_enum'
 require_relative 'types/base_input_object'
 require_relative 'types/identity_provider_service'
+require_relative 'types/identity_provider_status'
 require_relative 'types/identity_provider'
 require_relative 'types/enterprise_account'
+require_relative 'types/redirect_uri'
 require_relative 'types/oauth_client'
 require_relative 'types/user'

data/lib/osso/graphql/types/base_connection.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseConnection < ::GraphQL::Types::Relay::BaseConnection
+        field :total_count, Integer, null: false
+
+        def total_count
+          object.items&.count
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -6,6 +6,10 @@ module Osso
   module GraphQL
     module Types
       class BaseObject < ::GraphQL::Schema::Object
+        connection_type_class GraphQL::Types::BaseConnection
+
+        field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false
+        field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false
       end
     end
   end

data/lib/osso/graphql/types/identity_provider.rb

@@ -17,13 +17,9 @@ module Osso
         field :acs_url, String, null: false
         field :sso_url, String, null: true
         field :sso_cert, String, null: true
-        field :configured, Boolean, null: false
+        field :status, Types::IdentityProviderStatus, null: false
         field :documentation_pdf_url, String, null: true
 
-        def configured
-          !!(@object.sso_url && @object.sso_cert)
-        end
-
         def documentation_pdf_url
           ENV['BASE_URL'] + '/identity_provider/documentation/' + @object.id
         end

data/lib/osso/graphql/types/identity_provider_status.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProviderStatus < BaseEnum
+        value('Pending', value: 'PENDING')
+        value('Configured', value: 'CONFIGURED')
+        value('Active', value: 'ACTIVE')
+        value('Error', value: 'ERROR')
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/oauth_client.rb

@@ -5,7 +5,7 @@ require 'graphql'
 module Osso
   module GraphQL
     module Types
-      class OAuthClient < Types::BaseObject
+      class OauthClient < Types::BaseObject
         description 'An OAuth client used to consume Osso SAML users'
         implements ::GraphQL::Types::Relay::Node
 
@@ -14,6 +14,19 @@ module Osso
         field :name, String, null: false
         field :client_id, String, null: false
         field :client_secret, String, null: false
+        field :redirect_uris, [Types::RedirectUri], null: true
+
+        def client_id
+          object.identifier
+        end
+
+        def client_secret
+          object.secret
+        end
+
+        def self.authorized?(object, context)
+          super && context[:scope] == :admin
+        end
       end
     end
   end

data/lib/osso/graphql/types/redirect_uri.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class RedirectUri < Types::BaseObject
+        description 'An allowed redirect URI for an OauthClient'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :uri, String, null: false
+        field :primary, Boolean, null: false
+
+        def self.authorized?(object, context)
+          super && context[:scope] == :admin
+        end
+      end
+    end
+  end
+end

data/lib/osso/helpers/auth.rb

@@ -14,13 +14,10 @@ module Osso
         redirect ENV['JWT_URL']
       end
 
+      # use client id in payload to restrict customer
+      # users from accessing dev?
       def enterprise_authorized?(_domain)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
+        payload, _args = decode(token)
 
         @current_scope = payload['scope']
 
@@ -36,12 +33,7 @@ module Osso
       end
 
       def admin_authorized?
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
+        payload, _args = decode(token)
 
         if payload['scope'] == 'admin'
           @current_scope = :admin
@@ -66,6 +58,15 @@ module Osso
 
         redirect request.path
       end
+
+      def decode(token)
+        JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
+      end
     end
   end
 end

data/lib/osso/models/access_token.rb

@@ -27,3 +27,21 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: access_tokens
+#
+#  id              :uuid             not null, primary key
+#  token           :string
+#  expires_at      :datetime
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#  user_id         :uuid
+#  oauth_client_id :uuid
+#
+# Indexes
+#
+#  index_access_tokens_on_oauth_client_id  (oauth_client_id)
+#  index_access_tokens_on_user_id          (user_id)
+#

data/lib/osso/models/authorization_code.rb

@@ -12,3 +12,23 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: authorization_codes
+#
+#  id              :uuid             not null, primary key
+#  token           :string
+#  redirect_uri    :string
+#  expires_at      :datetime
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#  user_id         :uuid
+#  oauth_client_id :uuid
+#
+# Indexes
+#
+#  index_authorization_codes_on_oauth_client_id  (oauth_client_id)
+#  index_authorization_codes_on_token            (token) UNIQUE
+#  index_authorization_codes_on_user_id          (user_id)
+#

data/lib/osso/models/enterprise_account.rb

@@ -26,3 +26,23 @@ module Osso
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: enterprise_accounts
+#
+#  id              :uuid             not null, primary key
+#  domain          :string           not null
+#  external_uuid   :uuid
+#  external_int_id :integer
+#  external_id     :string
+#  oauth_client_id :uuid
+#  name            :string           not null
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
+# Indexes
+#
+#  index_enterprise_accounts_on_domain           (domain) UNIQUE
+#  index_enterprise_accounts_on_oauth_client_id  (oauth_client_id)
+#

data/lib/osso/models/identity_provider.rb

@@ -8,6 +8,7 @@ module Osso
       belongs_to :enterprise_account
       belongs_to :oauth_client
       has_many :users
+      before_save :set_status
 
       def name
         service.titlecase
@@ -43,6 +44,34 @@ module Osso
       end
 
       alias acs_url assertion_consumer_service_url
+
+      def set_status
+        return if status != 'PENDING'
+
+        self.status = 'CONFIGURED' if sso_url && sso_cert
+      end
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: identity_providers
+#
+#  id                    :uuid             not null, primary key
+#  service               :string
+#  domain                :string           not null
+#  sso_url               :string
+#  sso_cert              :text
+#  enterprise_account_id :uuid
+#  oauth_client_id       :uuid
+#  status                :enum             default("PENDING")
+#  created_at            :datetime
+#  updated_at            :datetime
+#
+# Indexes
+#
+#  index_identity_providers_on_domain                 (domain)
+#  index_identity_providers_on_enterprise_account_id  (enterprise_account_id)
+#  index_identity_providers_on_oauth_client_id        (oauth_client_id)
+#

data/lib/osso/models/models.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# -*- SkipSchemaAnnotations
+
 require 'sinatra/activerecord'
 
 module Osso

data/lib/osso/models/oauth_client.rb

@@ -9,24 +9,34 @@ module Osso
       has_many :identity_providers
       has_many :redirect_uris
 
-      before_validation :setup, on: :create
+      before_validation :generate_secrets, on: :create
       validates :name, :secret, presence: true
       validates :identifier, presence: true, uniqueness: true
 
-      def default_redirect_uri
+      def primary_redirect_uri
         redirect_uris.find(&:primary)
       end
 
-      def redirect_uri_values
-        redirect_uris.map(&:uri)
-      end
-
-      private
-
-      def setup
+      def generate_secrets
         self.identifier = SecureRandom.hex(16)
-        self.secret = SecureRandom.hex(64)
+        self.secret = SecureRandom.hex(32)
       end
     end
   end
 end
+
+# == Schema Information
+#
+# Table name: oauth_clients
+#
+#  id         :uuid             not null, primary key
+#  name       :string           not null
+#  secret     :string           not null
+#  identifier :string           not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+# Indexes
+#
+#  index_oauth_clients_on_identifier  (identifier) UNIQUE
+#