osso 0.0.3.7

data/spec/graphql/query/enterprise_accounts_spec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'EnterpriseAccounts' do
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+
+      it 'returns Enterprise Accounts' do
+        create_list(:enterprise_account, 2)
+
+        query = <<~GRAPHQL
+          query EnterpriseAccounts {
+            enterpriseAccounts {
+              domain
+              id
+              identityProviders {
+                id
+                service
+                domain
+                acsUrl
+                ssoCert
+                ssoUrl
+                configured
+              }
+              name
+              status
+            }
+          }
+        GRAPHQL
+
+        response = described_class.execute(
+          query,
+          variables: nil,
+          context: { scope: current_scope },
+        )
+
+        expect(response['errors']).to be_nil
+        expect(response.dig('data', 'enterpriseAccounts').count).to eq(2)
+      end
+    end
+  end
+end

data/spec/graphql/query/identity_provider_spec.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'Identity Provider' do
+    let(:id) { Faker::Internet.uuid }
+    let(:domain) { Faker::Internet.domain_name }
+    let(:variables) { { id: id } }
+    let(:query) do
+      <<~GRAPHQL
+        query IdentityProvider($id: ID!) {
+          identityProvider(id: $id) {            
+            id
+            service
+            domain
+            acsUrl
+            ssoCert
+            ssoUrl
+            configured
+          }
+        }
+      GRAPHQL
+    end
+
+    before do
+      create(:identity_provider)
+      create(:identity_provider, id: id, domain: domain)
+    end
+
+    subject do
+      described_class.execute(
+        query,
+        variables: variables,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+      it 'returns Identity Provider for id' do
+        expect(subject['errors']).to be_nil
+        expect(subject.dig('data', 'identityProvider', 'id')).to eq(id)
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:current_scope) { domain }
+
+      it 'returns Enterprise Account for domain' do
+        expect(subject['errors']).to be_nil
+        expect(subject.dig('data', 'identityProvider', 'domain')).to eq(domain)
+      end
+    end
+
+    describe 'for the wrong email scoped user' do
+      let(:current_scope) { 'bar.com' }
+      
+      it 'returns Enterprise Account for domain' do
+        expect(subject['errors']).to_not be_empty
+        expect(subject.dig('data', 'enterpriseAccount')).to be_nil
+      end
+    end
+  end
+end

data/spec/graphql/query/oauth_clients_account_spec.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::GraphQL::Schema do
+  describe 'OAuthClients' do
+    let(:query) do
+      <<~GRAPHQL
+        query OAuthClients {
+          oauthClients {
+            name
+            id
+          }
+        }
+      GRAPHQL
+    end
+
+    before do
+      create_list(:oauth_client, 2)
+    end
+
+    subject do
+      described_class.execute(
+        query,
+        variables: nil,
+        context: { scope: current_scope },
+      )
+    end
+
+    describe 'for an admin user' do
+      let(:current_scope) { :admin }
+
+      it 'returns Oauth Clients' do
+        expect(subject['errors']).to be_nil
+        expect(subject.dig('data', 'oauthClients').count).to eq(2)
+      end
+    end
+
+    describe 'for an email scoped user' do
+      let(:current_scope) { 'foo.com' }
+
+      it 'returns Oauth Clients' do
+        expect(subject['errors']).to be_nil
+        expect(subject.dig('data', 'oauthClients')).to be_nil
+      end
+    end
+  end
+end

data/spec/models/azure_saml_provider_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+# describe Osso::Models::AzureSamlProvider do
+#   subject { create(:azure_identity_provider) }
+
+#   describe '#saml_options' do
+#     it 'returns the required args' do
+#       expect(subject.saml_options).
+#         to match(
+#           domain: subject.domain,
+#           idp_cert: subject.idp_cert,
+#           idp_sso_target_url: subject.idp_sso_target_url,
+#           issuer: "id:#{subject.id}",
+#         )
+#     end
+#   end
+# end

data/spec/models/identity_provider_spec.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Models::IdentityProvider do
+  subject { create(:okta_identity_provider) }
+
+  describe '#assertion_consumer_service_url' do
+    it 'returns the expected URI' do
+      ENV['BASE_URL'] = 'https://example.com'
+
+      expect(subject.assertion_consumer_service_url).to eq(
+        "https://example.com/auth/saml/#{subject.id}/callback",
+      )
+    end
+  end
+end

data/spec/models/okta_saml_provider_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+# describe Osso::Models::OktaSamlProvider do
+#   subject { create(:okta_identity_provider) }
+
+#   describe '#saml_options' do
+#     it 'returns the required args' do
+#       expect(subject.saml_options).
+#         to match(
+#           domain: subject.domain,
+#           idp_cert: subject.idp_cert,
+#           idp_sso_target_url: subject.idp_sso_target_url,
+#           issuer: subject.id,
+#           name_identifier_format: described_class::NAME_FORMAT,
+#         )
+#     end
+#   end
+# end

data/spec/routes/admin_spec.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Admin do
+  let(:jwt_url) { 'https://foo.com/jwt' }
+  let(:jwt_hmac_secret) { SecureRandom.hex(32) }
+
+  before do
+    ENV['JWT_URL'] = jwt_url
+    ENV['JWT_HMAC_SECRET'] = jwt_hmac_secret
+    described_class.set(:views, spec_views)
+  end
+
+  describe 'get /admin' do
+    it 'redirects to JWT_URL without a session or token' do
+      get('/admin')
+
+      expect(last_response).to be_redirect
+      follow_redirect!
+      expect(last_request.url).to eq(jwt_url)
+    end
+
+    it 'redirects to JWT_URL with an invalid token' do
+      get('/admin', token: SecureRandom.hex(32))
+
+      expect(last_response).to be_redirect
+
+      follow_redirect!
+
+      expect(last_request.url).to eq(jwt_url)
+    end
+
+    it 'chomps the token and redirects to request path with valid token' do
+      token = JWT.encode(
+        { email: 'admin@saas.com', scope: 'admin' },
+        jwt_hmac_secret,
+        'HS256',
+      )
+
+      get('/admin', { admin_token: token })
+
+      expect(last_response).to be_redirect
+      follow_redirect!
+      expect(last_request.url).to match('/admin')
+    end
+
+    it 'renders the admin page for a valid session token' do
+      token = JWT.encode(
+        { email: 'admin@saas.com', scope: 'admin' },
+        jwt_hmac_secret,
+        'HS256',
+      )
+
+      get('/admin', {}, 'rack.session' => { admin_token: token })
+
+      expect(last_response).to be_ok
+    end
+  end
+end

data/spec/routes/app_spec.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'App' do
+end

data/spec/routes/auth_spec.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Auth do
+  describe 'post /auth/saml/:uuid/callback' do
+    describe 'for an Okta SAML provider' do
+      let(:enterprise) { create(:enterprise_with_okta) }
+      let(:okta_provider) { enterprise.identity_providers.first }
+
+      describe "on the user's first authentication" do
+        it 'creates a user' do
+          mock_saml_omniauth
+
+          expect do
+            post(
+              "/auth/saml/#{okta_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
+              },
+            )
+          end.to change { Osso::Models::User.count }.by(1)
+        end
+
+        it 'creates an authorization_code' do
+          mock_saml_omniauth
+
+          expect do
+            post(
+              "/auth/saml/#{okta_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
+              },
+            )
+          end.to change { Osso::Models::AuthorizationCode.count }.by(1)
+        end
+      end
+
+      describe 'on subsequent authentications' do
+        let!(:enterprise) { create(:enterprise_with_okta) }
+        let!(:okta_provider) { enterprise.identity_providers.first }
+        let(:user) { create(:user, identity_provider_id: okta_provider.id) }
+
+        before do
+          mock_saml_omniauth(email: user.email, id: user.idp_id)
+        end
+
+        it 'creates a user' do
+          expect do
+            post(
+              "/auth/saml/#{okta_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
+              },
+            )
+          end.to_not(change { Osso::Models::User.count })
+        end
+      end
+    end
+
+    describe 'for an (Azure) ADFS SAML provider' do
+      let(:enterprise) { create(:enterprise_with_azure) }
+      let(:azure_provider) { enterprise.provider }
+
+      describe "on the user's first authentication" do
+        it 'creates a user' do
+          mock_saml_omniauth
+
+          expect do
+            post(
+              "/auth/saml/#{azure_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => azure_provider,
+              },
+            )
+          end.to change { Osso::Models::User.count }.by(1)
+        end
+      end
+
+      describe 'on subsequent authentications' do
+        let!(:enterprise) { create(:enterprise_with_azure) }
+        let!(:azure_provider) { enterprise.provider }
+        let(:user) { create(:user, identity_provider_id: azure_provider.id) }
+
+        before do
+          mock_saml_omniauth(email: user.email, id: user.idp_id)
+        end
+
+        it 'creates a user' do
+          expect do
+            post(
+              "/auth/saml/#{azure_provider.id}/callback",
+              nil,
+              {
+                'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => azure_provider,
+              },
+            )
+          end.to_not(change { Osso::Models::User.count })
+        end
+      end
+    end
+  end
+end

data/spec/routes/oauth_spec.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Oauth do
+  let(:client) { create(:oauth_client) }
+
+  describe 'get /oauth/authorize' do
+    describe 'with a valid client ID and redirect URI' do
+      describe 'for a domain that does not belong to an enterprise' do
+        it '404s' do
+          create(:enterprise_with_okta, domain: 'foo.com')
+
+          get(
+            '/oauth/authorize',
+            domain: 'bar.org',
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          expect(last_response.status).to eq(404)
+        end
+      end
+
+      describe 'for an enterprise domain with one SAML provider' do
+        it 'redirects to /auth/saml/:provider_id' do
+          enterprise = create(:enterprise_with_okta, oauth_client: client)
+
+          get(
+            '/oauth/authorize',
+            domain: enterprise.domain,
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          provider_id = enterprise.identity_providers.first.id
+
+          expect(last_response).to be_redirect
+          follow_redirect!
+          expect(last_request.url).to match("auth/saml/#{provider_id}")
+        end
+      end
+
+      describe 'for an enterprise domain with multiple SAML providers' do
+        it 'renders the multiple providers screen' do
+          enterprise = create(:enterprise_with_multiple_providers)
+
+          get(
+            '/oauth/authorize',
+            domain: enterprise.domain,
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          expect(last_response).to be_ok
+        end
+      end
+    end
+  end
+
+  describe 'post /oauth/token' do
+    describe 'with a valid unexpired code, client secret, client ID and redirect URI' do
+      it 'returns an access token' do
+        user = create(:user)
+        code = user.authorization_codes.valid.first
+
+        post(
+          '/oauth/token',
+          client_id: client.identifier,
+          client_secret: client.secret,
+          grant_type: 'authorization_code',
+          redirect_uri: code.redirect_uri,
+          code: code.token,
+        )
+
+        expect(last_response.status).to eq(200)
+        expect(last_json_response.to_h).to match(
+          access_token: a_string_matching(/\w{64}/),
+          expires_in: an_instance_of(Integer),
+          token_type: 'bearer',
+        )
+      end
+    end
+  end
+
+  describe 'get /oauth/me' do
+    describe 'with a valid unexpired access token' do
+      it 'returns the user' do
+        user = create(:user)
+        code = user.authorization_codes.valid.first
+
+        get(
+          '/oauth/me',
+          access_token: code.access_token.to_bearer_token,
+        )
+
+        expect(last_response.status).to eq(200)
+        expect(last_json_response).to eq(
+          email: user.email,
+          id: user.id,
+          idp: 'Okta',
+        )
+      end
+    end
+
+    describe 'with an expired access token' do
+      it 'returns 404' do
+        code = create(:authorization_code)
+        code.access_token.expired!
+
+        get(
+          '/oauth/me',
+          access_token: code.access_token.to_bearer_token,
+        )
+
+        expect(last_response.status).to eq(404)
+      end
+    end
+
+    describe 'with an invalid access token' do
+      it 'returns 404' do
+        get(
+          '/oauth/me',
+          access_token: SecureRandom.hex(32),
+        )
+
+        expect(last_response.status).to eq(404)
+      end
+    end
+  end
+end