osso 0.0.5.pre.epsilon → 0.0.5.pre.lambda

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82bd613a1b8d5eb4f9c549d9d855c629698a120d2ee99bf3a52f6911fa4d080a
-  data.tar.gz: a67aec622f76bcc42cc16065d11a795c09893caa1115759b5739fa384108f6f2
+  metadata.gz: f54c05ff3a991d49e4a47e036573d65f0bb2222371d73b10e665d02169d4a891
+  data.tar.gz: 24c4ea3adf0e1c599c315c48cb9700b7ae3d0e8b3c782c564c71692f5287e858
 SHA512:
-  metadata.gz: c2a1ba5df34d2e175ed7a3ab7e61dcb573b5eb9a636753f7159860f817e6b61515b9350b63a1ac1ffece994f27a7f17d61d2de05e5f6a0468168cfb7a268f879
-  data.tar.gz: 475eba77f824e32701ff9eae95bef4663f2e0de8d43c9d542846f6ecaec55edb1242251cb4ed50b9cb1db627252293cf406a633cc8c0c63fb7f419e10dc95e3c
+  metadata.gz: abd1565c7e9cdea79782176a8fde22e71a734c78fba6bde102066a5913eec4e97207295c1f1fe5dd1acfb2bc91bdb8842a72ec0cbea15a90faf3187e216a366d
+  data.tar.gz: 43e39d4a5738b59187a4ff9dc583292450815c0ceb6d4bfae29becc7ee0de9d8ddc4d34cd4b2c1e3d577a19690fbda81c5d0dff6f2aaf71527e3b9f9d9578dd8

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.5.pre.epsilon)
+    osso (0.0.5.pre.lambda)
       activesupport (>= 6.0.3.2)
       graphql
       jwt
@@ -18,12 +18,12 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (6.0.3.2)
-      activesupport (= 6.0.3.2)
-    activerecord (6.0.3.2)
-      activemodel (= 6.0.3.2)
-      activesupport (= 6.0.3.2)
-    activesupport (6.0.3.2)
+    activemodel (6.0.3.3)
+      activesupport (= 6.0.3.3)
+    activerecord (6.0.3.3)
+      activemodel (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+    activesupport (6.0.3.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -39,24 +39,23 @@ GEM
     attr_required (1.0.1)
     bindata (2.4.8)
     coderay (1.1.3)
-    concurrent-ruby (1.1.6)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
+    concurrent-ruby (1.1.7)
+    crack (0.4.4)
     database_cleaner (1.8.5)
     database_cleaner-active_record (1.8.0)
       activerecord
       database_cleaner (~> 1.8.0)
     diff-lcs (1.4.4)
     docile (1.3.2)
-    factory_bot (6.0.2)
+    factory_bot (6.1.0)
       activesupport (>= 5.0.0)
-    faker (2.13.0)
+    faker (2.14.0)
       i18n (>= 1.6, < 2)
-    graphql (1.11.4)
+    graphql (1.11.5)
     hashdiff (1.0.1)
     hashie (4.1.0)
     httpclient (2.8.3)
-    i18n (1.8.3)
+    i18n (1.8.5)
       concurrent-ruby (~> 1.0)
     json (2.3.1)
     json-jwt (1.13.0)
@@ -66,7 +65,7 @@ GEM
     jwt (2.2.2)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
-    minitest (5.14.1)
+    minitest (5.14.2)
     multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
@@ -87,7 +86,7 @@ GEM
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.5)
+    public_suffix (4.0.6)
     rack (2.2.3)
     rack-contrib (2.2.0)
       rack (~> 2.0)
@@ -103,7 +102,7 @@ GEM
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
     rake (13.0.1)
-    regexp_parser (1.7.1)
+    regexp_parser (1.8.0)
     rexml (3.2.4)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
@@ -118,22 +117,21 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.3)
-    rubocop (0.86.0)
+    rubocop (0.91.0)
       parallel (~> 1.10)
-      parser (>= 2.7.0.1)
+      parser (>= 2.7.1.1)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.7)
       rexml
-      rubocop-ast (>= 0.0.3, < 1.0)
+      rubocop-ast (>= 0.4.0, < 1.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.1.0)
-      parser (>= 2.7.0.1)
+    rubocop-ast (0.4.2)
+      parser (>= 2.7.1.4)
     ruby-progressbar (1.10.1)
     ruby-saml (1.11.0)
       nokogiri (>= 1.5.10)
     ruby2_keywords (0.0.2)
-    safe_yaml (1.0.5)
     simplecov (0.17.0)
       docile (~> 1.1)
       json (>= 1.8, < 3)
@@ -158,11 +156,11 @@ GEM
     tzinfo (1.2.7)
       thread_safe (~> 0.1)
     unicode-display_width (1.7.0)
-    webmock (3.8.3)
+    webmock (3.9.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    zeitwerk (2.3.1)
+    zeitwerk (2.4.0)
 
 PLATFORMS
   ruby

data/LICENSE

@@ -2,33 +2,31 @@ Business Source License 1.1
 
 Parameters
 
-Licensor:             Samuel Bauch
+Licensor:             EnterpriseOSS, Inc.
 Licensed Work:        osso-rb
-                      The Licensed Work is (c) 2020 Samuel Bauch.
-Additional Use Grant: You may make use of the Licensed Work, provided that you do
-                      not use the Licensed Work in a Single Sign On Management
-                      Service.
-
-                      A "Single Sign On Management Service" is an offering
-                      (be it free or commercial) that uses the Licensed Work
-                      to allow third parties (other than your employees and 
-                      contractors) to access the functionality of the 
-                      Licensed Work such that any fourth parties directly 
-                      benefit from the authentication, configuration, or 
-                      documentation features of the Licensed Work.
-
-                      You thus may only use the Licensed Work in a manner 
-                      whereby parties who directly benefit from the 
-                      authentication, configuration, or documentation features 
-                      of the Licensed Work are yourself, your employees or 
-                      contractors, and your customers or partners.
-
-Change Date:          2023-05-01
+                      The Licensed Work is (c) 2020 EnterpriseOSS, Inc.
+
+Additional Use Grant: You and your Authorized Users may make use of the 
+                      Licensed Work for your internal business purposes, 
+                      provided that you do not (i) rent, lease, copy, transfer,
+                      resell, sublicense, lease, time-share, or otherwise provide 
+                      access to the Licensed Work to a third party (except 
+                      Authorized Users) or (ii) incorporate the Licensed Work 
+                      (or any portion of such) with, or use it with or to provide,
+                      any site, product, or service, other than on sites/applications 
+                      owned and operated by you.
+                      
+                      An “Authorized User” is defined as an individual person 
+                      (e.g. your employee, contractor, agent) who is registered and 
+                      permitted by you to use the Licensed Work subject to these 
+                      restrictions.
+
+Change Date:          2025-10-01
 
 Change License:       Apache License, Version 2.0
 
 For information about alternative licensing arrangements for the Software,
-contact: hello@enterprise-oss.dev
+contact: hello@enterpriseoss.dev
 
 Notice
 
@@ -108,4 +106,4 @@ other recipients of the licensed work to be provided by Licensor:
 
 3. To specify a Change Date.
 
-4. Not to modify this License in any other way.
+4. Not to modify this License in any other way.

data/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_09_13_154919) do
+ActiveRecord::Schema.define(version: 2020_09_29_154117) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "pgcrypto"
@@ -57,6 +57,7 @@ ActiveRecord::Schema.define(version: 2020_09_13_154919) do
     t.string "name", null: false
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
+    t.integer "users_count", default: 0
     t.index ["domain"], name: "index_enterprise_accounts_on_domain", unique: true
     t.index ["oauth_client_id"], name: "index_enterprise_accounts_on_oauth_client_id"
   end

data/lib/osso/db/migrate/20200929154117_add_users_count_to_identity_providers_and_enterprise_accounts.rb

@@ -0,0 +1,6 @@
+class AddUsersCountToIdentityProvidersAndEnterpriseAccounts < ActiveRecord::Migration[6.0]
+  def change
+    add_column :enterprise_accounts, :users_count, :integer, default: 0
+    add_column :identity_providers, :users_count, :integer, default: 0
+  end
+end

data/lib/osso/error/account_configuration_error.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Osso
+  module Error
+    class AccountConfigurationError < Base; end
+
+    class MissingConfiguredIdentityProvider < AccountConfigurationError
+      def initialize(domain: 'The requested domain')
+        @domain = domain
+      end
+
+      def message
+        "#{@domain} has no configured Identity Provider. " \
+          'SAML configuartion must be finalized before a user ' \
+          'for this domain can sign in with SSO.'
+      end
+    end
+  end
+end

data/lib/osso/error/error.rb

@@ -2,9 +2,15 @@
 
 module Osso
   module Error
+    class Base < StandardError
+      def docs_url
+        nil
+      end
+    end
   end
 end
 
+require_relative 'account_configuration_error'
 require_relative 'missing_saml_attribute_error'
 require_relative 'oauth_error'
 require_relative 'saml_config_error'

data/lib/osso/error/missing_saml_attribute_error.rb

@@ -2,7 +2,7 @@
 
 module Osso
   module Error
-    class MissingSamlAttributeError < StandardError; end
+    class MissingSamlAttributeError < Base; end
 
     class MissingSamlEmailAttributeError < MissingSamlAttributeError
       def message

data/lib/osso/error/oauth_error.rb

@@ -2,27 +2,41 @@
 
 module Osso
   module Error
-    class OAuthError < StandardError; end
+    class OAuthError < Base
+      def docs_url
+        'https://ossoapp.com/docs/integration/oauth-consumption'
+      end
+    end
 
     class NoAccountForOAuthClientError < OAuthError
+      def initialize(domain: 'the requested domain')
+        @domain = domain
+      end
+
       def message
-        'No customer account exists for the requested domain and OAuth client pair.' \
-          "Review our OAuth documentation, and check you're using the correct OAuth client identifier"
+        "No customer account exists for #{@domain} and OAuth client pair. " \
+          "Review our OAuth documentation, and check you're using the correct OAuth client identifier. " \
+          'This usually suggests an engineering issue with your ENV variables.'
       end
     end
 
-    class InvalidOAuthClientIdentifier < MissingSamlAttributeError
+    class InvalidOAuthClientIdentifier < OAuthError
       def message
-        'No OAuth client exists for the requested OAuth client identifier.' \
-          "Review our OAuth documentation, and check you're using the correct OAuth client identifier"
+        'No OAuth client exists for the requested OAuth client identifier. ' \
+          "Review our OAuth documentation, and ensure you're using a valid OAuth client identifier. " \
+          'OAuth credentials may have been regenerated by your team.'
       end
     end
 
-    class InvalidRedirectUri < MissingSamlAttributeError
+    class InvalidRedirectUri < OAuthError
+      def initialize(redirect_uri:)
+        @redirect_uri = redirect_uri
+      end
+
       def message
-        'Invalid Redirect URI for the requested OAuth client identifier.' \
-          "Review our OAuth documentation, check you're using the correct OAuth client identifier " \
-          'and confirm your Redirect URI allow list.'
+        "The requested redirect URI #{@redirect_uri} is not on the allow-list for the rquested OAuth client identifier. " \
+          "Review our OAuth documentation, check you're using the correct OAuth client identifier, " \
+          'and confirm your Redirect URI allow-list includes the appropriate URI(s).'
       end
     end
   end

data/lib/osso/error/saml_config_error.rb

@@ -2,7 +2,11 @@
 
 module Osso
   module Error
-    class SamlConfigError < StandardError; end
+    class SamlConfigError < Base
+      def message
+        'Something went wrong with your SAML configuration.'
+      end
+    end
 
     class InvalidACSURLError < SamlConfigError
       def message

data/lib/osso/graphql/mutation.rb

@@ -11,6 +11,7 @@ module Osso
         field :create_enterprise_account, mutation: Mutations::CreateEnterpriseAccount
         field :create_oauth_client, mutation: Mutations::CreateOauthClient
         field :delete_enterprise_account, mutation: Mutations::DeleteEnterpriseAccount
+        field :delete_identity_provider, mutation: Mutations::DeleteIdentityProvider
         field :delete_oauth_client, mutation: Mutations::DeleteOauthClient
         field :set_redirect_uris, mutation: Mutations::SetRedirectUris
         field :regenerate_oauth_credentials, mutation: Mutations::RegenerateOauthCredentials

data/lib/osso/graphql/mutations.rb

@@ -11,6 +11,7 @@ require_relative 'mutations/create_identity_provider'
 require_relative 'mutations/create_enterprise_account'
 require_relative 'mutations/create_oauth_client'
 require_relative 'mutations/delete_enterprise_account'
+require_relative 'mutations/delete_identity_provider'
 require_relative 'mutations/delete_oauth_client'
 require_relative 'mutations/regenerate_oauth_credentials'
 require_relative 'mutations/set_redirect_uris'

data/lib/osso/graphql/mutations/delete_identity_provider.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class DeleteIdentityProvider < BaseMutation
+        null false
+
+        argument :id, ID, required: true
+
+        field :identity_provider, Types::IdentityProvider, null: true
+        field :errors, [String], null: false
+
+        def resolve(id:)
+          identity_provider = Osso::Models::IdentityProvider.find(id)
+
+          return response_data(identity_provider: nil) if identity_provider.destroy
+
+          response_error(identity_provider.errors)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -11,7 +11,7 @@ module Osso
 
           accounts = Osso::Models::EnterpriseAccount
 
-          accounts = accounts.order(sort_column => sort_order_sym(sort_order)) if sort_column && sort_order
+          accounts = accounts.order(sort_column.underscore => sort_order_sym(sort_order)) if sort_column && sort_order
 
           accounts.all
         end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -14,6 +14,7 @@ module Osso
         field :domain, String, null: false
         field :identity_providers, [Types::IdentityProvider], null: true
         field :status, String, null: false
+        field :users_count, Integer, null: false
 
         def status
           'active'

data/lib/osso/graphql/types/identity_provider.rb

@@ -16,6 +16,7 @@ module Osso
         field :sso_url, String, null: true
         field :sso_cert, String, null: true
         field :status, Types::IdentityProviderStatus, null: false
+        field :acs_url_validator, String, null: false
       end
     end
   end

data/lib/osso/graphql/types/identity_provider_status.rb

@@ -4,10 +4,10 @@ module Osso
   module GraphQL
     module Types
       class IdentityProviderStatus < BaseEnum
-        value('Pending', value: 'PENDING')
-        value('Configured', value: 'CONFIGURED')
-        value('Active', value: 'ACTIVE')
-        value('Error', value: 'ERROR')
+        value('Pending', value: 'pending')
+        value('Configured', value: 'configured')
+        value('Active', value: 'active')
+        value('Error', value: 'error')
       end
     end
   end

data/lib/osso/helpers/auth.rb

@@ -66,7 +66,7 @@ module Osso
       end
 
       def token
-        request.env['admin_token'] || session['admin_token'] || request['admin_token']
+        session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
       end
 
       def chomp_token

data/lib/osso/lib/route_map.rb

@@ -6,6 +6,7 @@ module Osso
   module RouteMap
     def self.included(klass)
       klass.class_eval do
+
         use Osso::Admin
         use Osso::Auth
         use Osso::Oauth

data/lib/osso/models/enterprise_account.rb

@@ -13,7 +13,7 @@ module Osso
       has_many :identity_providers
 
       def single_provider?
-        identity_providers.one?
+        identity_providers.not_pending.one?
       end
 
       def provider

data/lib/osso/models/identity_provider.rb

@@ -6,10 +6,12 @@ module Osso
     class IdentityProvider < ActiveRecord::Base
       belongs_to :enterprise_account
       belongs_to :oauth_client
-      has_many :users
+      has_many :users, dependent: :delete_all
       before_save :set_status
       validate :sso_cert_valid
 
+      enum status: { pending: "PENDING", configured: 'CONFIGURED', active: "ACTIVE", error: "ERROR"}
+
       PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
       PEM_FOOTER = "\n-----END CERTIFICATE-----"
 
@@ -38,18 +40,20 @@ module Osso
 
       alias acs_url assertion_consumer_service_url
 
-      def set_status
-        return if status != 'PENDING'
+      def acs_url_validator
+        Regexp.escape(acs_url)
+      end
 
-        self.status = 'CONFIGURED' if sso_url && sso_cert
+      def set_status
+        self.status = 'configured' if sso_url && sso_cert && pending?
       end
 
       def active!
-        update(status: 'ACTIVE')
+        update(status: 'active')
       end
 
       def error!
-        update(status: 'ERROR')
+        update(status: 'error')
       end
 
       def root_url

data/lib/osso/models/user.rb

@@ -3,8 +3,8 @@
 module Osso
   module Models
     class User < ActiveRecord::Base
-      belongs_to :enterprise_account
-      belongs_to :identity_provider
+      belongs_to :enterprise_account, counter_cache: true
+      belongs_to :identity_provider, counter_cache: true
       has_many :authorization_codes, dependent: :delete_all
       has_many :access_tokens, dependent: :delete_all
 

data/lib/osso/routes/auth.rb

@@ -13,7 +13,7 @@ module Osso
     UUID_REGEXP =
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
-
+    
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,
@@ -22,8 +22,12 @@ module Osso
         path_prefix: '/auth/saml',
         callback_suffix: 'callback',
       ) do |identity_provider_id, _env|
-        Models::IdentityProvider.find(identity_provider_id).
+        Models::IdentityProvider.
+          not_pending.
+          find(identity_provider_id).
           saml_options
+      rescue
+        {}
       end
     end
 
@@ -31,12 +35,26 @@ module Osso
       OmniAuth::FailureEndpoint.new(env).redirect_to_failure
     end
 
-    error do
-      erb :error
-    end
-
     namespace '/auth' do
       get '/failure' do
+        # ??? invalid ticket, warden throws, ugh
+        
+        # confirmed:
+        # - a valid but wrong cert will throw here 
+        #   (OneLogin::RubySaml::ValidationError, Fingerprint mismatch)
+        #   but an _invalid_ cert is not caught. we do validate certs on
+        #   configuration, so this may be ok
+        #
+        # - a valid but wrong ACS URL will throw here. the urls
+        #   are pretty complex, but it has come up
+        # 
+        # - specifying the wrong "recipient" in your IDP. Only OL so far
+        #   (OneLogin::RubySaml::ValidationError, The response was received
+        #    at vcardme.com instead of 
+        #    http://localhost:9292/auth/saml/e54a9a92-b4b5-4ea5-b0e3-b1423eb20b76/callback) 
+
+
+        @error = Osso::Error::SamlConfigError.new
         erb :error
       end
       # Enterprise users are sent here after authenticating against
@@ -52,10 +70,10 @@ module Osso
         )
 
         redirect(redirect_uri)
-      rescue Osso::Error::InvalidACSURLError => e
+      rescue Osso::Error::Base => e
         @error = e
         erb :error
-      end
+      end  
     end
   end
 end

data/lib/osso/routes/oauth.rb

@@ -23,10 +23,11 @@ module Osso
 
         redirect "/auth/saml/#{enterprise.provider.id}" if enterprise.single_provider?
 
-        @providers = enterprise.identity_providers
-        erb :multiple_providers
+        @providers = enterprise.identity_providers.not_pending
+        return erb :multiple_providers if @providers.count > 1
 
-      rescue Osso::Error::OAuthError => e
+        raise Osso::Error::MissingConfiguredIdentityProvider.new(domain: params[:domain])
+      rescue Osso::Error::Base => e
         @error = e
         erb :error
       end
@@ -64,7 +65,7 @@ module Osso
         includes(:identity_providers).
         find_by!(domain: domain, oauth_client_id: client_id)
     rescue ActiveRecord::RecordNotFound
-      raise Osso::Error::NoAccountForOAuthClientError
+      raise Osso::Error::NoAccountForOAuthClientError.new(domain: params[:domain])
     end
 
     def find_client(identifier)
@@ -80,7 +81,7 @@ module Osso
         session[:osso_oauth_state] = params[:state]
       end.call(env)
     rescue Rack::OAuth2::Server::Authorize::BadRequest
-      raise Osso::Error::InvalidRedirectUri
+      raise Osso::Error::InvalidRedirectUri.new(redirect_uri: params[:redirect_uri])
     end
   end
 end

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.5-epsilon'
+  VERSION = '0.0.5-lambda'
 end

data/spec/factories/enterprise_account.rb

@@ -11,7 +11,8 @@ FactoryBot.define do
   factory :enterprise_with_okta, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :okta_identity_provider,
+        :configured_identity_provider,
+        service: 'OKTA',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -21,7 +22,8 @@ FactoryBot.define do
   factory :enterprise_with_azure, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :azure_identity_provider,
+        :configured_identity_provider,
+        service: 'AZURE',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -31,13 +33,15 @@ FactoryBot.define do
   factory :enterprise_with_multiple_providers, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :okta_identity_provider,
+        :configured_identity_provider,
+        service: 'OKTA',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
 
       create(
-        :azure_identity_provider,
+        :configured_identity_provider,
+        service: 'AZURE',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )

data/spec/graphql/query/identity_provider_spec.rb

@@ -15,6 +15,7 @@ describe Osso::GraphQL::Schema do
             service
             domain
             acsUrl
+            acsUrlValidator
             ssoCert
             ssoUrl
             status

data/spec/helpers/auth_spec.rb

@@ -8,13 +8,21 @@ describe Osso::Helpers::Auth do
   end
 
   subject(:app) do
-    Class.new { include Osso::Helpers::Auth }
+    Class.new { 
+      include Osso::Helpers::Auth
+    }
   end
 
   describe 'with the token as a header' do
     before do
       allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: { 'admin_token' => token }, post?: false)
+        double('Request', env: { 'HTTP_AUTHORIZATION' => token }, post?: false)
+      end
+
+      allow_any_instance_of(subject).to receive(:session) do
+        {
+          admin_token: nil
+        }
       end
 
       allow_any_instance_of(subject).to receive(:redirect) do
@@ -87,6 +95,170 @@ describe Osso::Helpers::Auth do
     end
   end
 
+  describe 'with the token as a parameter' do
+    before do
+      allow_any_instance_of(subject).to receive(:request) do
+        double('Request', env: {}, params: { 'admin_token' => token }, post?: false)
+      end
+
+      allow_any_instance_of(subject).to receive(:session) do
+        {
+          admin_token: nil
+        }
+      end
+
+      allow_any_instance_of(subject).to receive(:redirect) do
+        false
+      end
+    end
+
+    describe 'with an admin token' do
+      let(:token) { encode({ scope: 'admin' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to_not be(false)
+      end
+    end
+
+    describe 'with an internal token' do
+      let(:token) { encode({ scope: 'internal' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+
+    describe 'with an end-user token' do
+      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods for the scoped domain' do
+        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
+      end
+
+      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
+        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
+      end
+
+      it 'halts #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to be(false)
+      end
+
+      it 'halts #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+  end
+
+  describe 'with the token in session' do
+    before do
+      allow_any_instance_of(subject).to receive(:request) do
+        double('Request', env: {}, params: {}, post?: false)
+      end
+    
+      allow_any_instance_of(subject).to receive(:redirect) do
+        false
+      end
+
+      allow_any_instance_of(subject).to receive(:session).and_return(
+        {admin_token: token}.with_indifferent_access
+      )
+
+    end
+
+    describe 'with an admin token' do
+      let(:token) { encode({ scope: 'admin' }) }
+      
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to_not be(false)
+      end
+    end
+
+    describe 'with an internal token' do
+      let(:token) { encode({ scope: 'internal' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods' do
+        expect(subject.new.enterprise_protected!).to_not be(false)
+      end
+
+      it 'allows #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to_not be(false)
+      end
+
+      it 'allows #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+
+    describe 'with an end-user token' do
+      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
+
+      it 'allows #token_protected! methods' do
+        expect(subject.new.token_protected!).to_not be(false)
+      end
+
+      it 'allows #enterprise_protected! methods for the scoped domain' do
+        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
+      end
+
+      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
+        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
+      end
+
+      it 'halts #internal_protected! methods' do
+        expect(subject.new.internal_protected!).to be(false)
+      end
+
+      it 'halts #admin_protected! methods' do
+        expect(subject.new.admin_protected!).to be(false)
+      end
+    end
+  end
+
   def encode(payload)
     JWT.encode(
       payload,

data/spec/models/identity_provider_spec.rb

@@ -24,6 +24,19 @@ describe Osso::Models::IdentityProvider do
     end
   end
 
+  describe '#acs_url_validator' do
+    it 'returns a regex escaped string' do
+      allow(subject).to receive(:acs_url).and_return(
+        'https://foo.com/auth/saml/callback'
+      )
+
+      expect(subject.acs_url_validator).to eq(
+        'https://foo\\.com/auth/saml/callback'
+      )
+    end
+  end
+
+
   describe '#saml_options' do
     it 'returns the required args' do
       expect(subject.saml_options).

data/spec/routes/auth_spec.rb

@@ -3,6 +3,9 @@
 require 'spec_helper'
 
 describe Osso::Auth do
+  before do
+    described_class.set(:views, spec_views)
+  end
   describe 'get /auth/saml/:uuid' do
     describe 'for an Okta SAML provider' do
       let(:enterprise) { create(:enterprise_with_okta) }
@@ -108,7 +111,7 @@ describe Osso::Auth do
               'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
             },
           )
-          expect(okta_provider.reload.status).to eq('ACTIVE')
+          expect(okta_provider.reload.status).to eq('active')
         end
       end
     end
@@ -143,7 +146,7 @@ describe Osso::Auth do
             },
           )
 
-          expect(azure_provider.reload.status).to eq('ACTIVE')
+          expect(azure_provider.reload.status).to eq('active')
         end
       end
 
@@ -179,29 +182,30 @@ describe Osso::Auth do
       it 'raises an error when email is missing' do
         mock_saml_omniauth(email: nil, id: SecureRandom.uuid)
 
-        expect do
-          post(
+        
+          response = post(
             "/auth/saml/#{azure_provider.id}/callback",
             nil,
             {
               'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
             },
           )
-        end.to raise_error(Osso::Error::MissingSamlEmailAttributeError)
-      end
+
+          expect(response.body).to eq('Osso::Error::MissingSamlEmailAttributeError')
+        end
 
       it 'raises an error when id is missing' do
         mock_saml_omniauth(email: Faker::Internet.email, id: nil)
 
-        expect do
-          post(
+        response = post(
             "/auth/saml/#{azure_provider.id}/callback",
             nil,
             {
               'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
             },
           )
-        end.to raise_error(Osso::Error::MissingSamlIdAttributeError)
+        
+        expect(response.body).to eq('Osso::Error::MissingSamlIdAttributeError')
       end
     end
   end

data/spec/routes/oauth_spec.rb

@@ -48,7 +48,7 @@ describe Osso::Oauth do
 
       describe 'for an enterprise domain with multiple SAML providers' do
         it 'renders the multiple providers screen' do
-          enterprise = create(:enterprise_with_multiple_providers)
+          enterprise = create(:enterprise_with_multiple_providers, oauth_client: client)
 
           get(
             '/oauth/authorize',
@@ -59,6 +59,7 @@ describe Osso::Oauth do
           )
 
           expect(last_response).to be_ok
+          expect(last_response.body).to eq("MULITPLE PROVIDERS")
         end
       end
     end

data/spec/support/views/error.erb

@@ -0,0 +1 @@
+<%= @error %>

data/spec/support/views/multiple_providers.erb

@@ -0,0 +1 @@
+MULITPLE PROVIDERS

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.5.pre.epsilon
+  version: 0.0.5.pre.lambda
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-19 00:00:00.000000000 Z
+date: 2020-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -273,6 +273,8 @@ files:
 - lib/osso/db/migrate/20200826201852_create_app_config.rb
 - lib/osso/db/migrate/20200913154919_add_one_login_to_identity_provider_service_enum.rb
 - lib/osso/db/migrate/20200916125543_add_google_to_identity_provider_service_enum.rb
+- lib/osso/db/migrate/20200929154117_add_users_count_to_identity_providers_and_enterprise_accounts.rb
+- lib/osso/error/account_configuration_error.rb
 - lib/osso/error/error.rb
 - lib/osso/error/missing_saml_attribute_error.rb
 - lib/osso/error/oauth_error.rb
@@ -286,6 +288,7 @@ files:
 - lib/osso/graphql/mutations/create_identity_provider.rb
 - lib/osso/graphql/mutations/create_oauth_client.rb
 - lib/osso/graphql/mutations/delete_enterprise_account.rb
+- lib/osso/graphql/mutations/delete_identity_provider.rb
 - lib/osso/graphql/mutations/delete_oauth_client.rb
 - lib/osso/graphql/mutations/regenerate_oauth_credentials.rb
 - lib/osso/graphql/mutations/set_redirect_uris.rb