osso 0.0.5.pre.eta → 0.0.5.pre.gamma

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 914a99a42c898e69186b33f4c51069f8c6f4ceddd7c300ce4158f560cc9d7937
-  data.tar.gz: 75ece89829bdb5a756340e9c9ff63e414ec093f402d725783a8668459ea32665
+  metadata.gz: f8349ed4f80afe46d642e3e1e7aaa9b9d0f90ece6e0fd6b8e0db416f74cc54f1
+  data.tar.gz: 9aa776d8e26b04570e4123baf232404c3e9059c66bcb1fe39f2ac337c59e7edd
 SHA512:
-  metadata.gz: 4117bbe85a6f88e7703eaf22464d2b343ac4517ec5e6d4a473a7f758ee1733a6b1f65504f13105ec9f823ae2e1f21db0129f0e9aab98ac260175decc5710aaec
-  data.tar.gz: 05ed7bea73e54d8ce07b8d6b494724b0cc2dc9e06cee78ba2977e249a983c3b579fe847a9ae731806b94ad94b765bf1d2d8c8b9e763245acdf6e783d40d8bbcf
+  metadata.gz: aa38f696f541aa36893252c26aa1ffea8b6ac33b05b3bb130ecf7b1b71094042a7546984d67857ba8002c47744c47a1c813e7d972f38068be6c50f35a11aa9b7
+  data.tar.gz: 515be1591f3d5ce752057483cfa8e7d94d1665a7534fe1112c5c607f7ec2417ff650367826d7eec71d64086d735994c4f1b7ac322756df103adbdb6c4958bec2

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.5.pre.eta)
+    osso (0.0.5.pre.gamma)
       activesupport (>= 6.0.3.2)
       graphql
       jwt
@@ -18,12 +18,12 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (6.0.3.3)
-      activesupport (= 6.0.3.3)
-    activerecord (6.0.3.3)
-      activemodel (= 6.0.3.3)
-      activesupport (= 6.0.3.3)
-    activesupport (6.0.3.3)
+    activemodel (6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activerecord (6.0.3.2)
+      activemodel (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -39,23 +39,24 @@ GEM
     attr_required (1.0.1)
     bindata (2.4.8)
     coderay (1.1.3)
-    concurrent-ruby (1.1.7)
-    crack (0.4.4)
+    concurrent-ruby (1.1.6)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
     database_cleaner (1.8.5)
     database_cleaner-active_record (1.8.0)
       activerecord
       database_cleaner (~> 1.8.0)
     diff-lcs (1.4.4)
     docile (1.3.2)
-    factory_bot (6.1.0)
+    factory_bot (6.0.2)
       activesupport (>= 5.0.0)
-    faker (2.14.0)
+    faker (2.13.0)
       i18n (>= 1.6, < 2)
     graphql (1.11.4)
     hashdiff (1.0.1)
     hashie (4.1.0)
     httpclient (2.8.3)
-    i18n (1.8.5)
+    i18n (1.8.3)
       concurrent-ruby (~> 1.0)
     json (2.3.1)
     json-jwt (1.13.0)
@@ -65,7 +66,7 @@ GEM
     jwt (2.2.2)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
-    minitest (5.14.2)
+    minitest (5.14.1)
     multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
@@ -86,7 +87,7 @@ GEM
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.6)
+    public_suffix (4.0.5)
     rack (2.2.3)
     rack-contrib (2.2.0)
       rack (~> 2.0)
@@ -102,7 +103,7 @@ GEM
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
     rake (13.0.1)
-    regexp_parser (1.8.0)
+    regexp_parser (1.7.1)
     rexml (3.2.4)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
@@ -117,21 +118,22 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.3)
-    rubocop (0.91.0)
+    rubocop (0.86.0)
       parallel (~> 1.10)
-      parser (>= 2.7.1.1)
+      parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.7)
       rexml
-      rubocop-ast (>= 0.4.0, < 1.0)
+      rubocop-ast (>= 0.0.3, < 1.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.4.2)
-      parser (>= 2.7.1.4)
+    rubocop-ast (0.1.0)
+      parser (>= 2.7.0.1)
     ruby-progressbar (1.10.1)
     ruby-saml (1.11.0)
       nokogiri (>= 1.5.10)
     ruby2_keywords (0.0.2)
+    safe_yaml (1.0.5)
     simplecov (0.17.0)
       docile (~> 1.1)
       json (>= 1.8, < 3)
@@ -156,11 +158,11 @@ GEM
     tzinfo (1.2.7)
       thread_safe (~> 0.1)
     unicode-display_width (1.7.0)
-    webmock (3.9.1)
+    webmock (3.8.3)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    zeitwerk (2.4.0)
+    zeitwerk (2.3.1)
 
 PLATFORMS
   ruby

data/lib/osso/graphql/types/identity_provider_status.rb

@@ -4,10 +4,10 @@ module Osso
   module GraphQL
     module Types
       class IdentityProviderStatus < BaseEnum
-        value('Pending', value: 'pending')
-        value('Configured', value: 'configured')
-        value('Active', value: 'active')
-        value('Error', value: 'error')
+        value('Pending', value: 'PENDING')
+        value('Configured', value: 'CONFIGURED')
+        value('Active', value: 'ACTIVE')
+        value('Error', value: 'ERROR')
       end
     end
   end

data/lib/osso/helpers/auth.rb

@@ -66,7 +66,7 @@ module Osso
       end
 
       def token
-        session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
+        request.env['admin_token'] || session['admin_token'] || request['admin_token']
       end
 
       def chomp_token

data/lib/osso/lib/route_map.rb

@@ -6,7 +6,6 @@ module Osso
   module RouteMap
     def self.included(klass)
       klass.class_eval do
-
         use Osso::Admin
         use Osso::Auth
         use Osso::Oauth

data/lib/osso/models/enterprise_account.rb

@@ -13,7 +13,7 @@ module Osso
       has_many :identity_providers
 
       def single_provider?
-        identity_providers.not_pending.one?
+        identity_providers.one?
       end
 
       def provider

data/lib/osso/models/identity_provider.rb

@@ -10,8 +10,6 @@ module Osso
       before_save :set_status
       validate :sso_cert_valid
 
-      enum status: { pending: "PENDING", configured: 'CONFIGURED', active: "ACTIVE", error: "ERROR"}
-
       PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
       PEM_FOOTER = "\n-----END CERTIFICATE-----"
 
@@ -41,15 +39,17 @@ module Osso
       alias acs_url assertion_consumer_service_url
 
       def set_status
-        self.status = 'configured' if sso_url && sso_cert && pending?
+        return if status != 'PENDING'
+
+        self.status = 'CONFIGURED' if sso_url && sso_cert
       end
 
       def active!
-        update(status: 'active')
+        update(status: 'ACTIVE')
       end
 
       def error!
-        update(status: 'error')
+        update(status: 'ERROR')
       end
 
       def root_url

data/lib/osso/routes/admin.rb

@@ -16,37 +16,37 @@ module Osso
       get '/login' do
         token_protected!
 
-        erb :admin, layout: false
+        erb :admin
       end
 
       get '' do
         internal_protected!
 
-        erb :admin, layout: false
+        erb :admin
       end
 
       get '/enterprise' do
         token_protected!
 
-        erb :admin, layout: false
+        erb :admin
       end
 
       get '/enterprise/:domain' do
         enterprise_protected!(params[:domain])
 
-        erb :admin, layout: false
+        erb :admin
       end
 
       get '/config' do
         admin_protected!
 
-        erb :admin, layout: false
+        erb :admin
       end
 
       get '/config/:id' do
         admin_protected!
 
-        erb :admin, layout: false
+        erb :admin
       end
     end
   end

data/lib/osso/routes/auth.rb

@@ -13,7 +13,7 @@ module Osso
     UUID_REGEXP =
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
-    
+
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,
@@ -22,39 +22,14 @@ module Osso
         path_prefix: '/auth/saml',
         callback_suffix: 'callback',
       ) do |identity_provider_id, _env|
-        Models::IdentityProvider.
-          not_pending.
-          find(identity_provider_id).
+        Models::IdentityProvider.find(identity_provider_id).
           saml_options
-      rescue
-        {}
       end
     end
 
-    OmniAuth.config.on_failure = proc do |env|
-      OmniAuth::FailureEndpoint.new(env).redirect_to_failure
-    end
-
-    namespace '/auth' do
+    namespace '/auth' do # rubocop:disable Metrics/BlockLength
       get '/failure' do
-        # ??? invalid ticket, warden throws, ugh
-        
-        # confirmed:
-        # - a valid but wrong cert will throw here 
-        #   (OneLogin::RubySaml::ValidationError, Fingerprint mismatch)
-        #   but an _invalid_ cert is not caught. we do validate certs on
-        #   configuration, so this may be ok
-        #
-        # - a valid but wrong ACS URL will throw here. the urls
-        #   are pretty complex, but it has come up
-        # 
-        # - specifying the wrong "recipient" in your IDP. Only OL so far
-        #   (OneLogin::RubySaml::ValidationError, The response was received
-        #    at vcardme.com instead of 
-        #    http://localhost:9292/auth/saml/e54a9a92-b4b5-4ea5-b0e3-b1423eb20b76/callback) 
-
-
-        @error = Osso::Error::SamlConfigError.new
+        @error = params[:message]
         erb :error
       end
       # Enterprise users are sent here after authenticating against
@@ -62,18 +37,48 @@ module Osso
       # and then create an authorization code for that user. The user
       # is redirected back to your application with this code
       # as a URL query param, which you then exchange for an access token.
-      post '/saml/:provider_id/callback' do
-        redirect_uri = SamlHandler.perform(
-          auth_hash: env['omniauth.auth'],
-          provider_id: params[:provider_id],
-          session: session,
+      post '/saml/:id/callback' do
+        provider = Models::IdentityProvider.find(params[:id])
+        @oauth_client = provider.oauth_client
+
+        # TODO: PORC for validating attributes
+        attributes = env['omniauth.auth']&.
+          extra&.
+          response_object&.
+          attributes
+
+        user = Models::User.where(
+          email: attributes[:email],
+          idp_id: attributes[:id] || attributes[:idp_id],
+        ).first_or_create! do |new_user|
+          new_user.enterprise_account_id = provider.enterprise_account_id
+          new_user.identity_provider_id = provider.id
+        end
+
+        authorization_code = user.authorization_codes.create!(
+          oauth_client: @oauth_client,
+          redirect_uri: redirect_uri,
         )
+        provider.active!
 
-        redirect(redirect_uri)
-      rescue Osso::Error::Base => e
-        @error = e
-        erb :error
-      end  
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}")
+      end
+
+      def redirect_uri
+        return @oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
+
+        session[:osso_oauth_redirect_uri]
+      end
+
+      def provider_state
+        return @provider_state = 'IDP_INITIATED' if valid_idp_initiated_flow
+
+        session.delete(:osso_oauth_state)
+      end
+
+      def valid_idp_initiated_flow
+        !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
+      end
     end
   end
 end

data/lib/osso/routes/oauth.rb

@@ -16,19 +16,28 @@ module Osso
       # Once they complete IdP login, they will be returned to the
       # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        client = find_client(params[:client_id])
-        enterprise = find_account(domain: params[:domain], client_id: client.id)
+        Rack::OAuth2::Server::Authorize.new do |req, _res|
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
+          session[:osso_oauth_state] = params[:state]
+        end.call(env)
 
-        validate_oauth_request(env)
+        enterprise = Models::EnterpriseAccount.
+          includes(:identity_providers).
+          find_by!(domain: params[:domain])
 
         redirect "/auth/saml/#{enterprise.provider.id}" if enterprise.single_provider?
 
-        @providers = enterprise.identity_providers.not_pending
-        erb :multiple_providers if @providers.count > 1
+        @providers = enterprise.identity_providers
+        erb :multiple_providers
 
-        raise Osso::Error::MissingConfiguredIdentityProvider.new(domain: params[:domain])
-      rescue Osso::Error::Base => e
+      rescue Rack::OAuth2::Server::Authorize::BadRequest => e
+        @error = e
+        erb :error
+      rescue ActiveRecord::RecordNotFound => e
         @error = e
+        @error = 'No OAuth Client exists for the provided client_id' if e.model == 'Osso::Models::OauthClient'
+        @error = "No Customer exists with the domain #{params[:domain]}" if e.model == 'Osso::Models::EnterpriseAccount'
         erb :error
       end
 
@@ -57,31 +66,5 @@ module Osso
           user
       end
     end
-
-    private
-
-    def find_account(domain:, client_id:)
-      Models::EnterpriseAccount.
-        includes(:identity_providers).
-        find_by!(domain: domain, oauth_client_id: client_id)
-    rescue ActiveRecord::RecordNotFound
-      raise Osso::Error::NoAccountForOAuthClientError.new(domain: params[:domain])
-    end
-
-    def find_client(identifier)
-      @client ||= Models::OauthClient.find_by!(identifier: identifier)
-    rescue ActiveRecord::RecordNotFound
-      raise Osso::Error::InvalidOAuthClientIdentifier
-    end
-
-    def validate_oauth_request(env)
-      Rack::OAuth2::Server::Authorize.new do |req, _res|
-        client = find_client(req[:client_id])
-        session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
-        session[:osso_oauth_state] = params[:state]
-      end.call(env)
-    rescue Rack::OAuth2::Server::Authorize::BadRequest
-      raise Osso::Error::InvalidRedirectUri.new(redirect_uri: params[:redirect_uri])
-    end
   end
 end

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.5-eta'
+  VERSION = '0.0.5-gamma'
 end

data/lib/osso.rb

@@ -1,12 +1,10 @@
 # frozen_string_literal: true
 
 module Osso
-  require_relative 'osso/error/error'
   require_relative 'osso/helpers/helpers'
   require_relative 'osso/lib/app_config'
   require_relative 'osso/lib/oauth2_token'
   require_relative 'osso/lib/route_map'
-  require_relative 'osso/lib/saml_handler'
   require_relative 'osso/models/models'
   require_relative 'osso/routes/routes'
   require_relative 'osso/graphql/schema'

data/spec/factories/enterprise_account.rb

@@ -11,8 +11,7 @@ FactoryBot.define do
   factory :enterprise_with_okta, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :configured_identity_provider,
-        service: 'OKTA',
+        :okta_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -22,8 +21,7 @@ FactoryBot.define do
   factory :enterprise_with_azure, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :configured_identity_provider,
-        service: 'AZURE',
+        :azure_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
@@ -33,15 +31,13 @@ FactoryBot.define do
   factory :enterprise_with_multiple_providers, parent: :enterprise_account do
     after :create do |enterprise|
       create(
-        :configured_identity_provider,
-        service: 'OKTA',
+        :okta_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )
 
       create(
-        :configured_identity_provider,
-        service: 'AZURE',
+        :azure_identity_provider,
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
       )

data/spec/helpers/auth_spec.rb

@@ -8,21 +8,13 @@ describe Osso::Helpers::Auth do
   end
 
   subject(:app) do
-    Class.new { 
-      include Osso::Helpers::Auth
-    }
+    Class.new { include Osso::Helpers::Auth }
   end
 
   describe 'with the token as a header' do
     before do
       allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: { 'HTTP_AUTHORIZATION' => token }, post?: false)
-      end
-
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
+        double('Request', env: { 'admin_token' => token }, post?: false)
       end
 
       allow_any_instance_of(subject).to receive(:redirect) do
@@ -95,170 +87,6 @@ describe Osso::Helpers::Auth do
     end
   end
 
-  describe 'with the token as a parameter' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: { 'admin_token' => token }, post?: false)
-      end
-
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
-      end
-
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-    end
-
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-
-  describe 'with the token in session' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: {}, post?: false)
-      end
-    
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-
-      allow_any_instance_of(subject).to receive(:session).and_return(
-        {admin_token: token}.with_indifferent_access
-      )
-
-    end
-
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-
   def encode(payload)
     JWT.encode(
       payload,

data/spec/routes/auth_spec.rb

@@ -3,9 +3,6 @@
 require 'spec_helper'
 
 describe Osso::Auth do
-  before do
-    described_class.set(:views, spec_views)
-  end
   describe 'get /auth/saml/:uuid' do
     describe 'for an Okta SAML provider' do
       let(:enterprise) { create(:enterprise_with_okta) }
@@ -46,6 +43,7 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
               },
             )
           end.to change { Osso::Models::User.count }.by(1)
@@ -60,6 +58,7 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
               },
             )
           end.to change { Osso::Models::AuthorizationCode.count }.by(1)
@@ -74,6 +73,7 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
               },
             )
             expect(last_response).to be_redirect
@@ -99,6 +99,7 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => okta_provider,
               },
             )
           end.to_not(change { Osso::Models::User.count })
@@ -109,9 +110,10 @@ describe Osso::Auth do
             nil,
             {
               'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+              'identity_provider' => okta_provider,
             },
           )
-          expect(okta_provider.reload.status).to eq('active')
+          expect(okta_provider.reload.status).to eq('ACTIVE')
         end
       end
     end
@@ -130,6 +132,7 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => azure_provider,
               },
             )
           end.to change { Osso::Models::User.count }.by(1)
@@ -143,10 +146,11 @@ describe Osso::Auth do
             nil,
             {
               'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+              'identity_provider' => azure_provider,
             },
           )
 
-          expect(azure_provider.reload.status).to eq('active')
+          expect(azure_provider.reload.status).to eq('ACTIVE')
         end
       end
 
@@ -166,6 +170,7 @@ describe Osso::Auth do
               nil,
               {
                 'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+                'identity_provider' => azure_provider,
               },
             )
           end.to_not(change { Osso::Models::User.count })
@@ -173,40 +178,4 @@ describe Osso::Auth do
       end
     end
   end
-
-  context 'with an invalid SAML response' do
-    describe 'post /auth/saml/:uuid/callback' do
-      let!(:enterprise) { create(:enterprise_with_azure) }
-      let!(:azure_provider) { enterprise.provider }
-
-      it 'raises an error when email is missing' do
-        mock_saml_omniauth(email: nil, id: SecureRandom.uuid)
-
-        
-          response = post(
-            "/auth/saml/#{azure_provider.id}/callback",
-            nil,
-            {
-              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-            },
-          )
-
-          expect(response.body).to eq('Osso::Error::MissingSamlEmailAttributeError')
-        end
-
-      it 'raises an error when id is missing' do
-        mock_saml_omniauth(email: Faker::Internet.email, id: nil)
-
-        response = post(
-            "/auth/saml/#{azure_provider.id}/callback",
-            nil,
-            {
-              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-            },
-          )
-        
-        expect(response.body).to eq('Osso::Error::MissingSamlIdAttributeError')
-      end
-    end
-  end
 end

data/spec/support/views/error.erb

@@ -1 +0,0 @@
-<%= @error %>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.5.pre.eta
+  version: 0.0.5.pre.gamma
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-22 00:00:00.000000000 Z
+date: 2020-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -273,11 +273,6 @@ files:
 - lib/osso/db/migrate/20200826201852_create_app_config.rb
 - lib/osso/db/migrate/20200913154919_add_one_login_to_identity_provider_service_enum.rb
 - lib/osso/db/migrate/20200916125543_add_google_to_identity_provider_service_enum.rb
-- lib/osso/error/account_configuration_error.rb
-- lib/osso/error/error.rb
-- lib/osso/error/missing_saml_attribute_error.rb
-- lib/osso/error/oauth_error.rb
-- lib/osso/error/saml_config_error.rb
 - lib/osso/graphql/.DS_Store
 - lib/osso/graphql/mutation.rb
 - lib/osso/graphql/mutations.rb
@@ -318,7 +313,6 @@ files:
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
-- lib/osso/lib/saml_handler.rb
 - lib/osso/models/access_token.rb
 - lib/osso/models/app_config.rb
 - lib/osso/models/authorization_code.rb
@@ -353,7 +347,6 @@ files:
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
 - spec/helpers/auth_spec.rb
-- spec/lib/saml_handler_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/routes/admin_spec.rb
 - spec/routes/app_spec.rb

data/lib/osso/error/account_configuration_error.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Error
-    class AccountConfigurationError < Base; end
-
-    class MissingConfiguredIdentityProvider < AccountConfigurationError
-      def initialize(domain: 'The requested domain')
-        @domain = domain
-      end
-
-      def message
-        "#{@domain} has no configured Identity Provider. " \
-          'SAML configuartion must be finalized before a user ' \
-          'for this domain can sign in with SSO.'
-      end
-    end
-  end
-end

data/lib/osso/error/error.rb

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Error
-    class Base < StandardError
-      def docs_url
-        nil
-      end
-    end
-  end
-end
-
-require_relative 'account_configuration_error'
-require_relative 'missing_saml_attribute_error'
-require_relative 'oauth_error'
-require_relative 'saml_config_error'

data/lib/osso/error/missing_saml_attribute_error.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Error
-    class MissingSamlAttributeError < Base; end
-
-    class MissingSamlEmailAttributeError < MissingSamlAttributeError
-      def message
-        'SAML response does not include the attribute `email`. ' \
-          "Review the setup guide and check the attributes you're sending from your Identity Provider."
-      end
-    end
-
-    class MissingSamlIdAttributeError < MissingSamlAttributeError
-      def message
-        'SAML response does not include the attribute `id` or `idp_id`.' \
-          "Review the setup guide and check the attributes you're sending from your Identity Provider."
-      end
-    end
-  end
-end

data/lib/osso/error/oauth_error.rb

@@ -1,43 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Error
-    class OAuthError < Base
-      def docs_url
-        'https://ossoapp.com/docs/integration/oauth-consumption'
-      end
-    end
-
-    class NoAccountForOAuthClientError < OAuthError
-      def initialize(domain: 'the requested domain')
-        @domain = domain
-      end
-
-      def message
-        "No customer account exists for #{@domain} and OAuth client pair. " \
-          "Review our OAuth documentation, and check you're using the correct OAuth client identifier. " \
-          'This usually suggests an engineering issue with your ENV variables.'
-      end
-    end
-
-    class InvalidOAuthClientIdentifier < OAuthError
-      def message
-        'No OAuth client exists for the requested OAuth client identifier. ' \
-          "Review our OAuth documentation, and ensure you're using a valid OAuth client identifier. " \
-          'OAuth credentials may have been regenerated by your team.'
-      end
-    end
-
-    class InvalidRedirectUri < OAuthError
-      def initialize(redirect_uri:)
-        @redirect_uri = redirect_uri
-      end
-
-      def message
-        "The requested redirect URI #{@redirect_uri} is not on the allow-list for the rquested OAuth client identifier. " \
-          "Review our OAuth documentation, check you're using the correct OAuth client identifier, " \
-          'and confirm your Redirect URI allow-list includes the appropriate URI(s).'
-      end
-    end
-  end
-end

data/lib/osso/error/saml_config_error.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Error
-    class SamlConfigError < Base
-      def message
-        'Something went wrong with your SAML configuration.'
-      end
-    end
-
-    class InvalidACSURLError < SamlConfigError
-      def message
-        'The ACS URL specfied in your Identity Provider configuration is malformed.'
-      end
-    end
-  end
-end

data/lib/osso/lib/saml_handler.rb

@@ -1,85 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  class SamlHandler
-    attr_accessor :session, :provider, :attributes
-
-    def self.perform(**attrs)
-      new(attrs).perform
-    end
-
-    def initialize(auth_hash:, provider_id:, session:)
-      find_provider(provider_id)
-      @attributes = auth_hash&.extra&.response_object&.attributes
-      @session = session
-    end
-
-    def perform
-      validate_attributes
-      provider.active!
-      redirect_uri
-    end
-
-    private
-
-    def find_provider(id)
-      @provider ||= Models::IdentityProvider.find(id)
-    rescue ActiveRecord::RecordNotFound
-      raise Osso::Error::InvalidACSURLError
-    end
-
-    def validate_attributes
-      raise Osso::Error::MissingSamlIdAttributeError unless id_attribute
-      raise Osso::Error::MissingSamlEmailAttributeError unless email_attribute
-    end
-
-    def id_attribute
-      @id_attribute ||= attributes[:id] || attributes[:idp_id]
-    end
-
-    def email_attribute
-      attributes[:email]
-    end
-
-    def user
-      @user ||= Models::User.where(
-        email: email_attribute,
-        idp_id: id_attribute,
-      ).first_or_create! do |new_user|
-        new_user.enterprise_account_id = provider.enterprise_account_id
-        new_user.identity_provider_id = provider.id
-      end
-    end
-
-    def authorization_code
-      @authorization_code ||= user.authorization_codes.create!(
-        oauth_client: provider.oauth_client,
-        redirect_uri: redirect_uri_base,
-      )
-    end
-
-    def redirect_uri
-      redirect_uri_base + redirect_uri_querystring
-    end
-
-    def redirect_uri_base
-      return provider.oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
-
-      session[:osso_oauth_redirect_uri]
-    end
-
-    def redirect_uri_querystring
-      "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}"
-    end
-
-    def provider_state
-      return 'IDP_INITIATED' if valid_idp_initiated_flow
-
-      session.delete(:osso_oauth_state)
-    end
-
-    def valid_idp_initiated_flow
-      !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
-    end
-  end
-end

data/spec/lib/saml_handler_spec.rb

@@ -1 +0,0 @@
-