osso 0.0.3.7

data/lib/osso/db/migrate/20200413132407_add_oauth_clients.rb

@@ -0,0 +1,13 @@
+class AddOauthClients < ActiveRecord::Migration[6.0]
+  def change
+    create_table :oauth_clients, id: :uuid do |t|
+      t.string :name, null: false
+      t.string :secret, null: false
+      t.string :identifier, null: false
+      t.jsonb :redirect_uris, default: [], null: false
+    end
+
+    add_index :oauth_clients, :redirect_uris, using: :gin
+    add_index :oauth_clients, :identifier, unique: true
+  end
+end

data/lib/osso/db/migrate/20200413142511_create_authorization_codes.rb

@@ -0,0 +1,15 @@
+class CreateAuthorizationCodes < ActiveRecord::Migration[6.0]
+  def change
+    create_table :authorization_codes, id: :uuid do |t|
+      t.string :token
+      t.string :redirect_uri
+      t.datetime :expires_at
+
+      t.timestamps
+    end
+
+    add_index :authorization_codes, :token, unique: true
+    add_reference :authorization_codes, :user, type: :uuid, index: true
+    add_reference :authorization_codes, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200413163451_create_access_tokens.rb

@@ -0,0 +1,13 @@
+class CreateAccessTokens < ActiveRecord::Migration[6.0]
+  def change
+    create_table :access_tokens, id: :uuid do |t|
+      t.string :token
+      t.datetime :expires_at
+
+      t.timestamps
+    end
+
+    add_reference :access_tokens, :user, type: :uuid, index: true
+    add_reference :access_tokens, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200502120616_create_redirect_uris_and_drop_from_oauth_clients.rb

@@ -0,0 +1,13 @@
+class CreateRedirectUrisAndDropFromOauthClients < ActiveRecord::Migration[6.0]
+  def change
+    remove_column :oauth_clients, :redirect_uris
+
+    create_table :redirect_uris, id: :uuid do |t|
+      t.string :uri, null: false
+      t.boolean :primary, default: false, null: false
+    end
+
+    add_index :redirect_uris, [:uri, :primary], unique: true
+    add_reference :redirect_uris, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200502135008_add_oauth_client_id_to_enterprise_accounts_and_identity_providers.rb

@@ -0,0 +1,6 @@
+class AddOauthClientIdToEnterpriseAccountsAndIdentityProviders < ActiveRecord::Migration[6.0]
+  def change
+    add_reference :enterprise_accounts, :oauth_client, type: :uuid, index: true
+    add_reference :identity_providers, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200714223226_add_identity_provider_service_enum.rb

@@ -0,0 +1,17 @@
+class AddIdentityProviderServiceEnum < ActiveRecord::Migration[6.0]
+  def change
+    def up
+      execute <<-SQL
+        CREATE TYPE identity_provider_service AS ENUM ('OKTA', 'AZURE');
+      SQL
+      chnage_column :identity_providers, :service, :identity_provider_service
+    end
+  
+    def down
+      chnage_column :identity_providers, :service, :text
+      execute <<-SQL
+        DROP TYPE identity_provider_service;
+      SQL
+    end
+  end
+end

data/lib/osso/db/migrate/20200715154211_rename_idp_fields_on_identity_provider_to_sso.rb

@@ -0,0 +1,6 @@
+class RenameIdpFieldsOnIdentityProviderToSso < ActiveRecord::Migration[6.0]
+  def change
+    rename_column :identity_providers, :idp_cert, :sso_cert
+    rename_column :identity_providers, :idp_sso_target_url, :sso_url
+  end
+end

data/lib/osso/db/migrate/20200715205801_add_name_to_enterprise_account.rb

@@ -0,0 +1,5 @@
+class AddNameToEnterpriseAccount < ActiveRecord::Migration[6.0]
+  def change
+    add_column :enterprise_accounts, :name, :string, null: false
+  end
+end

data/lib/osso/graphql/mutation.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require_relative 'mutations'
+
+module Osso
+  module GraphQL
+    module Types
+      class MutationType < BaseObject
+        field :configure_identity_provider, mutation: Mutations::ConfigureIdentityProvider, null: true
+        field :create_identity_provider, mutation: Mutations::CreateIdentityProvider
+        field :create_enterprise_account, mutation: Mutations::CreateEnterpriseAccount
+        field :set_identity_provider, mutation: Mutations::SetSamlProvider
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Osso
+  module Mutations
+  end
+end
+
+require_relative 'mutations/base_mutation'
+require_relative 'mutations/configure_identity_provider'
+require_relative 'mutations/create_identity_provider'
+require_relative 'mutations/create_enterprise_account'
+require_relative 'mutations/set_identity_provider'

data/lib/osso/graphql/mutations/base_mutation.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class BaseMutation < ::GraphQL::Schema::RelayClassicMutation
+        object_class Types::BaseObject
+        input_object_class Types::BaseInputObject
+
+        def response_data(data)
+          data.merge(errors: [])
+        end
+
+        def response_error(error)
+          error.merge(data: nil)
+        end
+
+        def ready?(enterprise_account_id: nil, domain: nil, identity_provider_id: nil, **args)
+          return true if context[:scope] == :admin
+
+          domain ||= account_domain(enterprise_account_id) || provider_domain(identity_provider_id)
+          return true if domain == context[:scope]
+
+          raise ::GraphQL::ExecutionError, "This user lacks the scope to mutate records belonging to #{args[:domain]}"
+        end
+
+        def account_domain(id)
+          return false unless id
+
+          Osso::Models::EnterpriseAccount.find(id)&.domain
+        end
+
+        def provider_domain(id)
+          return false unless id
+
+          Osso::Models::IdentityProvider.find(id)&.domain
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/configure_identity_provider.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class ConfigureIdentityProvider < BaseMutation
+        null false
+        argument :id, ID, required: true
+        argument :service, Types::IdentityProviderService, required: false
+        argument :sso_url, String, required: false
+        argument :sso_cert, String, required: false
+
+        field :identity_provider, Types::IdentityProvider, null: false
+        field :errors, [String], null: false
+
+        def resolve(id:, **args)
+          provider = Osso::Models::IdentityProvider.find(id)
+
+          return response_data(identity_provider: provider) if provider.update(args)
+
+          response_error(errors: provder.errors.messages)
+        end
+
+        def ready?(id:, **args)
+          return true if context[:scope] == :admin
+
+          domain = Osso::Models::IdentityProvider.find(id)&.domain
+
+          return true if domain == context[:scope]
+
+          raise ::GraphQL::ExecutionError, "This user lacks the scope to mutate records belonging to #{domain}"
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/create_enterprise_account.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class CreateEnterpriseAccount < BaseMutation
+        null false
+
+        argument :domain, String, required: true
+        argument :name, String, required: true
+
+        field :enterprise_account, Types::EnterpriseAccount, null: false
+        field :errors, [String], null: false
+
+        def resolve(**args)
+          enterprise_account = Osso::Models::EnterpriseAccount.new(args)
+
+          return response_data(enterprise_account: enterprise_account) if enterprise_account.save
+
+          response_error(errors: enterprise_account.errors.full_messages)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/create_identity_provider.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class CreateIdentityProvider < BaseMutation
+        null false
+
+        argument :enterprise_account_id, ID, required: true
+        argument :service, Types::IdentityProviderService, required: false
+
+        field :identity_provider, Types::IdentityProvider, null: false
+        field :errors, [String], null: false
+
+        def resolve(enterprise_account_id:, service: nil)
+          enterprise_account = Osso::Models::EnterpriseAccount.find(enterprise_account_id)
+          identity_provider = enterprise_account.identity_providers.build(
+            enterprise_account_id: enterprise_account_id,
+            service: service,
+            domain: enterprise_account.domain,
+          )
+
+          return response_data(identity_provider: identity_provider) if identity_provider.save
+
+          response_error(errors: identity_provider.errors.full_messages)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/set_identity_provider.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class SetSamlProvider < BaseMutation
+        null false
+
+        argument :provider, Types::IdentityProviderService, required: true
+        argument :id, ID, required: true
+
+        field :identity_provider, Types::IdentityProvider, null: false
+        field :errors, [String], null: false
+
+        def resolve(provider:, id:)
+          identity_provider = Osso::Models::IdentityProvider.find(id)
+          identity_provider.service = provider
+          identity_provider.save!
+          {
+            identity_provider: identity_provider,
+            errors: [],
+          }
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/query.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class QueryType < ::GraphQL::Schema::Object
+        field :enterprise_accounts, null: true, resolver: Resolvers::EnterpriseAccounts
+        field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
+
+        field :enterprise_account, null: true, resolver: Resolvers::EnterpriseAccount do
+          argument :domain, String, required: true
+        end
+
+        field(
+          :identity_provider,
+          Types::IdentityProvider,
+          null: true,
+          resolve: ->(_obj, args, _context) { Osso::Models::IdentityProvider.find(args[:id]) },
+        ) do
+          argument :id, ID, required: true
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+    end
+  end
+end
+
+require_relative 'resolvers/enterprise_account'
+require_relative 'resolvers/enterprise_accounts'
+require_relative 'resolvers/oauth_clients'

data/lib/osso/graphql/resolvers/enterprise_account.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class EnterpriseAccount < ::GraphQL::Schema::Resolver
+        type Types::EnterpriseAccount, null: false
+
+        def resolve(args)
+          return unless admin? || enterprise_authorized?(args[:domain])
+
+          Osso::Models::EnterpriseAccount.find_by(domain: args[:domain])
+        end
+
+        def admin?
+          context[:scope] == :admin
+        end
+
+        def enterprise_authorized?(domain)
+          context[:scope] == domain
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class EnterpriseAccounts < ::GraphQL::Schema::Resolver
+        type [Types::EnterpriseAccount], null: true
+
+        def resolve
+          return Osso::Models::EnterpriseAccount.all if context[:scope] == :admin
+
+          Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope]))
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/oauth_clients.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class OAuthClients < ::GraphQL::Schema::Resolver
+        type [Types::OAuthClient], null: true
+
+        def resolve
+          return Osso::Models::OauthClient.all if context[:scope] == :admin
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/schema.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require_relative 'types'
+require_relative 'resolvers'
+require_relative 'mutation'
+require_relative 'query'
+
+GraphQL::Relay::BaseConnection.register_connection_implementation(
+  ActiveRecord::Relation,
+  GraphQL::Relay::RelationConnection,
+)
+
+module Osso
+  module GraphQL
+    class Schema < ::GraphQL::Schema
+      use ::GraphQL::Pagination::Connections
+      query Types::QueryType
+      mutation Types::MutationType
+
+      def self.id_from_object(object, _type_definition = nil, _query_ctx = nil)
+        GraphQL::Schema::UniqueWithinType.encode(object.class.name, object.id)
+      end
+
+      def self.object_from_id(id, _query_ctx = nil)
+        class_name, item_id = GraphQL::Schema::UniqueWithinType.decode(id)
+        Object.const_get(class_name).find(item_id)
+      end
+
+      def self.resolve_type(_type, obj, _ctx)
+        case obj
+        when Osso::Models::EnterpriseAccount
+          Types::EnterpriseAccount
+        when Osso::Models::IdentityProvider
+          Types::IdentityProvider
+        else
+          raise("Unexpected object: #{obj}")
+        end
+      end
+
+      def self.unauthorized_object(error)
+        raise ::GraphQL::ExecutionError, "An object of type #{error.type.graphql_name} was hidden due to permissions"
+      end
+    end
+  end
+end