osso 0.0.5.pre.iota → 0.0.5

data/spec/factories/user.rb

@@ -12,6 +12,10 @@ FactoryBot.define do
         :authorization_code,
         user: user,
         redirect_uri: user.oauth_client.redirect_uri_values.sample,
+        requested: [
+          { domain: user.email.split('@')[1], email: nil },
+          { domain: nil, email: user.email },
+        ].sample,
       )
     end
   end

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -81,7 +81,7 @@ describe Osso::GraphQL::Schema do
       end
 
       it 'does not configure an identity provider' do
-        expect(subject.dig('errors')).to_not be_empty
+        expect(subject['errors']).to_not be_empty
       end
     end
   end

data/spec/graphql/mutations/create_enterprise_account_spec.rb

@@ -47,7 +47,6 @@ describe Osso::GraphQL::Schema do
           input: {
             name: Faker::Company.name,
             domain: domain,
-            oauthClientId: oauth_client.id,
           },
         }
       end
@@ -57,10 +56,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
 
     describe 'for an internal scoped user' do
@@ -68,7 +63,6 @@ describe Osso::GraphQL::Schema do
         {
           scope: 'internal',
           email: 'user@saasco.com',
-          oauth_client_id: oauth_client.identifier,
         }
       end
 
@@ -77,10 +71,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
 
     describe 'for an email scoped user' do
@@ -97,10 +87,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
     describe 'for the wrong email scoped user' do
       let(:current_context) do

data/spec/graphql/mutations/create_identity_provider_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 describe Osso::GraphQL::Schema do
   describe 'CreateIdentityProvider' do
     let(:enterprise_account) { create(:enterprise_account) }
+    let(:oauth_client) { create(:oauth_client) }
     let(:mutation) do
       <<~GRAPHQL
          mutation CreateIdentityProvider($input: CreateIdentityProviderInput!) {
@@ -34,7 +35,15 @@ describe Osso::GraphQL::Schema do
         { scope: 'admin' }
       end
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'creates an identity provider' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
@@ -44,8 +53,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
-
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                service: 'OKTA',
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
         it 'creates an identity provider for given service ' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
           expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'service')).
@@ -65,8 +82,16 @@ describe Osso::GraphQL::Schema do
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
 
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
-
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
+        
         it 'creates an identity provider' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
           expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'domain')).
@@ -75,7 +100,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+                service: 'OKTA',
+              },
+          }
+        end
 
         it 'creates an identity provider for given service ' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
@@ -97,7 +131,15 @@ describe Osso::GraphQL::Schema do
       let(:target_account) { create(:enterprise_account) }
 
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id, domain: domain } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: target_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
@@ -105,7 +147,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA', domain: domain } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: target_account.id,
+                service: 'OKTA',
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })

data/spec/graphql/query/identity_provider_spec.rb

@@ -8,9 +8,9 @@ describe Osso::GraphQL::Schema do
     let(:domain) { Faker::Internet.domain_name }
     let(:variables) { { id: id } }
     let(:query) do
-      <<~GRAPHQL
+      <<-GRAPHQL
         query IdentityProvider($id: ID!) {
-          identityProvider(id: $id) {            
+          identityProvider(id: $id) {
             id
             service
             domain

data/spec/models/enterprise_account_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Models::EnterpriseAccount do
+  describe 'validates_domain' do
+    it 'it returns false for an invalid domain' do
+      customer = described_class.new(
+        name: 'foo',
+        domain: ' foo.com',
+      )
+
+      customer.save
+
+      expect(customer.errors[:domain]).to include('is invalid')
+    end
+  end
+end

data/spec/models/identity_provider_spec.rb

@@ -27,15 +27,36 @@ describe Osso::Models::IdentityProvider do
   describe '#acs_url_validator' do
     it 'returns a regex escaped string' do
       allow(subject).to receive(:acs_url).and_return(
-        'https://foo.com/auth/saml/callback'
+        'https://foo.com/auth/saml/callback',
       )
 
       expect(subject.acs_url_validator).to eq(
-        'https://foo\\.com/auth/saml/callback'
+        'https://foo\\.com/auth/saml/callback',
       )
     end
   end
 
+  describe '#sso_issuer' do
+    it 'returns a url unique to self' do
+      ENV['HEROKU_APP_NAME'] = nil
+      ENV['BASE_URL'] = 'https://example.com'
+
+      expect(subject.sso_issuer).to eq(
+        "#{subject.domain}/#{subject.oauth_client_id}",
+      )
+    end
+
+    it 'returns a uri with protocol when required' do
+      ENV['HEROKU_APP_NAME'] = nil
+      ENV['BASE_URL'] = 'https://example.com'
+
+      idp = create(:ping_identity_provider)
+
+      expect(idp.sso_issuer).to eq(
+        "https://#{idp.domain}/#{idp.oauth_client_id}",
+      )
+    end
+  end
 
   describe '#saml_options' do
     it 'returns the required args' do
@@ -44,7 +65,7 @@ describe Osso::Models::IdentityProvider do
           domain: subject.domain,
           idp_cert: subject.sso_cert,
           idp_sso_target_url: subject.sso_url,
-          issuer: subject.domain,
+          issuer: subject.sso_issuer,
         )
     end
   end

data/spec/routes/admin_spec.rb

@@ -3,56 +3,22 @@
 require 'spec_helper'
 
 describe Osso::Admin do
-  let(:jwt_url) { 'https://foo.com/jwt' }
-  let(:jwt_hmac_secret) { SecureRandom.hex(32) }
-
-  before do
-    ENV['JWT_URL'] = jwt_url
-    ENV['JWT_HMAC_SECRET'] = jwt_hmac_secret
-    described_class.set(:views, spec_views)
-  end
-
   describe 'get /admin' do
-    it 'redirects to JWT_URL without a session or token' do
+    it 'redirects to /login without a session' do
       get('/admin')
 
       expect(last_response).to be_redirect
       follow_redirect!
-      expect(last_request.url).to eq(jwt_url)
-    end
-
-    it 'redirects to JWT_URL with an invalid token' do
-      get('/admin', token: SecureRandom.hex(32))
-
-      expect(last_response).to be_redirect
-
-      follow_redirect!
-
-      expect(last_request.url).to eq(jwt_url)
+      expect(last_request.url).to match('/login')
     end
 
-    it 'chomps the token and redirects to request path with valid token' do
-      token = JWT.encode(
-        { email: 'admin@saas.com', scope: 'admin' },
-        jwt_hmac_secret,
-        'HS256',
-      )
-
-      get('/admin', { admin_token: token })
-
-      expect(last_response).to be_redirect
-      follow_redirect!
-      expect(last_request.url).to match('/admin')
-    end
+    xit 'renders the admin page for a valid session token' do
+      password = SecureRandom.urlsafe_base64(16)
+      account = create(:verified_account, password: password)
 
-    it 'renders the admin page for a valid session token' do
-      token = JWT.encode(
-        { email: 'admin@saas.com', scope: 'admin' },
-        jwt_hmac_secret,
-        'HS256',
-      )
+      post('/login', { email: account.email, password: password })
 
-      get('/admin', {}, 'rack.session' => { admin_token: token })
+      get('/admin')
 
       expect(last_response).to be_ok
     end

data/spec/routes/auth_spec.rb

@@ -182,29 +182,28 @@ describe Osso::Auth do
       it 'raises an error when email is missing' do
         mock_saml_omniauth(email: nil, id: SecureRandom.uuid)
 
-        
-          response = post(
-            "/auth/saml/#{azure_provider.id}/callback",
-            nil,
-            {
-              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-            },
-          )
-
-          expect(response.body).to eq('Osso::Error::MissingSamlEmailAttributeError')
-        end
+        response = post(
+          "/auth/saml/#{azure_provider.id}/callback",
+          nil,
+          {
+            'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+          },
+        )
+
+        expect(response.body).to eq('Osso::Error::MissingSamlEmailAttributeError')
+      end
 
       it 'raises an error when id is missing' do
         mock_saml_omniauth(email: Faker::Internet.email, id: nil)
 
         response = post(
-            "/auth/saml/#{azure_provider.id}/callback",
-            nil,
-            {
-              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-            },
-          )
-        
+          "/auth/saml/#{azure_provider.id}/callback",
+          nil,
+          {
+            'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+          },
+        )
+
         expect(response.body).to eq('Osso::Error::MissingSamlIdAttributeError')
       end
     end

data/spec/routes/oauth_spec.rb

@@ -3,15 +3,16 @@
 require 'spec_helper'
 
 describe Osso::Oauth do
+  before do
+    described_class.set(:views, spec_views)
+  end
+
   let(:client) { create(:oauth_client) }
 
   describe 'get /oauth/authorize' do
     describe 'with a valid client ID and redirect URI' do
       describe 'for a domain that does not belong to an enterprise' do
-        # TODO: better error handling and test
         it 'renders an error page' do
-          described_class.set(:views, spec_views)
-
           create(:enterprise_with_okta, domain: 'foo.com')
 
           get(
@@ -48,7 +49,7 @@ describe Osso::Oauth do
 
       describe 'for an enterprise domain with multiple SAML providers' do
         it 'renders the multiple providers screen' do
-          enterprise = create(:enterprise_with_multiple_providers)
+          enterprise = create(:enterprise_with_multiple_providers, oauth_client: client)
 
           get(
             '/oauth/authorize',
@@ -59,6 +60,64 @@ describe Osso::Oauth do
           )
 
           expect(last_response).to be_ok
+          expect(last_response.body).to eq('MULITPLE PROVIDERS')
+        end
+      end
+
+      describe "for an existing user's email address" do
+        it 'redirects to /auth/saml/:provider_id' do
+          enterprise = create(:enterprise_with_okta, oauth_client: client)
+          provider_id = enterprise.identity_providers.first.id
+          user = create(:user, email: "user@#{enterprise.domain}", identity_provider_id: provider_id)
+
+          get(
+            '/oauth/authorize',
+            email: user.email,
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          expect(last_response).to be_redirect
+          follow_redirect!
+          expect(last_request.url).to match("auth/saml/#{provider_id}")
+        end
+      end
+
+      describe "for a new user's email address belonging to an enterprise with one SAML provider" do
+        it 'redirects to /auth/saml/:provider_id' do
+          enterprise = create(:enterprise_with_okta, oauth_client: client)
+
+          get(
+            '/oauth/authorize',
+            email: "user@#{enterprise.domain}",
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          provider_id = enterprise.identity_providers.first.id
+
+          expect(last_response).to be_redirect
+          follow_redirect!
+          expect(last_request.url).to match("auth/saml/#{provider_id}")
+        end
+      end
+
+      describe "for a new user's email address belonging to an enterprise with multiple SAML providers" do
+        it 'renders the multiple providers screen' do
+          enterprise = create(:enterprise_with_multiple_providers, oauth_client: client)
+
+          get(
+            '/oauth/authorize',
+            email: "user@#{enterprise.domain}",
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          expect(last_response).to be_ok
+          expect(last_response.body).to eq('MULITPLE PROVIDERS')
         end
       end
     end
@@ -90,7 +149,7 @@ describe Osso::Oauth do
   end
 
   describe 'get /oauth/me' do
-    describe 'with a valid unexpired access token' do
+    describe 'with a valid unexpired access token in params' do
       it 'returns the user' do
         user = create(:user)
         code = user.authorization_codes.valid.first
@@ -105,6 +164,30 @@ describe Osso::Oauth do
           email: user.email,
           id: user.id,
           idp: 'Okta',
+          requested: code.requested.symbolize_keys,
+        )
+      end
+    end
+
+    describe 'with a valid unexpired access token in headers' do
+      it 'returns the user' do
+        user = create(:user)
+        code = user.authorization_codes.valid.first
+
+        get(
+          '/oauth/me',
+          nil,
+          {
+            'HTTP_AUTHORIZATION' => "Bearer: #{code.access_token.to_bearer_token}",
+          },
+        )
+
+        expect(last_response.status).to eq(200)
+        expect(last_json_response).to eq(
+          email: user.email,
+          id: user.id,
+          idp: 'Okta',
+          requested: code.requested.symbolize_keys,
         )
       end
     end