osso 0.0.5.pre.lambda → 0.0.6

data/lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb

@@ -0,0 +1,9 @@
+class RemoveOauthClientIdFromEnterpriseAccounts < ActiveRecord::Migration[6.0]
+  def up
+    remove_reference :enterprise_accounts, :oauth_client, index: true
+  end
+
+  def down
+    add_reference :enterprise_accounts, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb

@@ -0,0 +1,28 @@
+class AddPingToIdentityProviderServiceEnum < ActiveRecord::Migration[6.0]
+  disable_ddl_transaction!
+
+  def up
+    execute <<-SQL
+      ALTER TYPE identity_provider_service ADD VALUE 'PING';
+    SQL
+  end
+  
+  def down
+    execute <<~SQL
+      CREATE TYPE identity_provider_service_new AS ENUM ('AZURE', 'OKTA', 'ONELOGIN', 'GOOGLE');
+
+      -- Remove values that won't be compatible with new definition
+      DELETE FROM identity_providers WHERE service = 'PING';
+      
+      -- Convert to new type, casting via text representation
+      ALTER TABLE identity_providers 
+        ALTER COLUMN service TYPE identity_provider_service_new 
+          USING (service::text::identity_provider_service_new);
+      
+      -- and swap the types
+      DROP TYPE identity_provider_service;
+      
+      ALTER TYPE identity_provider_service_new RENAME TO identity_provider_service;
+    SQL
+  end
+end

data/lib/osso/error/account_configuration_error.rb

@@ -6,6 +6,7 @@ module Osso
 
     class MissingConfiguredIdentityProvider < AccountConfigurationError
       def initialize(domain: 'The requested domain')
+        super
         @domain = domain
       end
 

data/lib/osso/error/oauth_error.rb

@@ -10,6 +10,7 @@ module Osso
 
     class NoAccountForOAuthClientError < OAuthError
       def initialize(domain: 'the requested domain')
+        super
         @domain = domain
       end
 
@@ -30,13 +31,15 @@ module Osso
 
     class InvalidRedirectUri < OAuthError
       def initialize(redirect_uri:)
+        super
         @redirect_uri = redirect_uri
       end
 
       def message
-        "The requested redirect URI #{@redirect_uri} is not on the allow-list for the rquested OAuth client identifier. " \
-          "Review our OAuth documentation, check you're using the correct OAuth client identifier, " \
-          'and confirm your Redirect URI allow-list includes the appropriate URI(s).'
+        "The requested redirect URI #{@redirect_uri} is not on the allow-list for the rquested " \
+        'OAuth client identifier. Review our OAuth documentation, check you\'re using the correct ' \
+        'OAuth client identifier, and confirm your Redirect URI allow-list includes the ' \
+        'appropriate URI(s).'
       end
     end
   end

data/lib/osso/graphql/mutation.rb

@@ -13,6 +13,7 @@ module Osso
         field :delete_enterprise_account, mutation: Mutations::DeleteEnterpriseAccount
         field :delete_identity_provider, mutation: Mutations::DeleteIdentityProvider
         field :delete_oauth_client, mutation: Mutations::DeleteOauthClient
+        field :invite_admin_user, mutation: Mutations::InviteAdminUser
         field :set_redirect_uris, mutation: Mutations::SetRedirectUris
         field :regenerate_oauth_credentials, mutation: Mutations::RegenerateOauthCredentials
         field :update_app_config, mutation: Mutations::UpdateAppConfig

data/lib/osso/graphql/mutations.rb

@@ -13,6 +13,7 @@ require_relative 'mutations/create_oauth_client'
 require_relative 'mutations/delete_enterprise_account'
 require_relative 'mutations/delete_identity_provider'
 require_relative 'mutations/delete_oauth_client'
+require_relative 'mutations/invite_admin_user'
 require_relative 'mutations/regenerate_oauth_credentials'
 require_relative 'mutations/set_redirect_uris'
 require_relative 'mutations/update_app_config'

data/lib/osso/graphql/mutations/create_enterprise_account.rb

@@ -8,24 +8,17 @@ module Osso
 
         argument :domain, String, required: true
         argument :name, String, required: true
-        argument :oauth_client_id, String, required: false
 
         field :enterprise_account, Types::EnterpriseAccount, null: false
         field :errors, [String], null: false
 
         def resolve(**args)
           enterprise_account = Osso::Models::EnterpriseAccount.new(args)
-          enterprise_account.oauth_client_id ||= find_client_db_id(context[:oauth_client_id])
 
           return response_data(enterprise_account: enterprise_account) if enterprise_account.save
 
           response_error(enterprise_account.errors)
         end
-
-        def find_client_db_id(oauth_client_identifier)
-          Osso::Models::OauthClient.find_by(identifier: oauth_client_identifier).
-            id
-        end
       end
     end
   end

data/lib/osso/graphql/mutations/create_identity_provider.rb

@@ -8,17 +8,18 @@ module Osso
 
         argument :enterprise_account_id, ID, required: true
         argument :service, Types::IdentityProviderService, required: false
+        argument :oauth_client_id, String, required: true
 
         field :identity_provider, Types::IdentityProvider, null: false
         field :errors, [String], null: false
 
-        def resolve(service: nil, **args)
-          customer = enterprise_account(**args)
+        def resolve(service: nil, enterprise_account_id:, oauth_client_id:)
+          customer = enterprise_account(enterprise_account_id: enterprise_account_id)
 
           identity_provider = customer.identity_providers.build(
             service: service,
             domain: customer.domain,
-            oauth_client_id: customer.oauth_client_id,
+            oauth_client_id: oauth_client_id,
           )
 
           return response_data(identity_provider: identity_provider) if identity_provider.save
@@ -26,11 +27,11 @@ module Osso
           response_error(identity_provider.errors)
         end
 
-        def domain(**args)
-          enterprise_account(**args)&.domain
+        def domain(enterprise_account_id:, **args)
+          enterprise_account(enterprise_account_id: enterprise_account_id)&.domain
         end
 
-        def enterprise_account(enterprise_account_id:, **_args)
+        def enterprise_account(enterprise_account_id:)
           @enterprise_account ||= Osso::Models::EnterpriseAccount.find(enterprise_account_id)
         end
       end

data/lib/osso/graphql/mutations/invite_admin_user.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class InviteAdminUser < BaseMutation
+        null false
+
+        argument :email, String, required: true
+        argument :oauth_client_id, ID, required: false
+        argument :role, String, required: true
+
+        field :admin_user, Types::AdminUser, null: true
+        field :errors, [String], null: false
+
+        def resolve(email:, role:, oauth_client_id: nil)
+          admin_user = Osso::Models::Account.new(
+            email: email,
+            role: role,
+            oauth_client_id: oauth_client_id,
+          )
+
+          if admin_user.save
+            verify_user(email)
+
+            return response_data(admin_user: admin_user)
+          end
+
+          response_error(admin_user.errors)
+        end
+
+        def ready?(*)
+          admin_ready?
+        end
+
+        def verify_user(email)
+          context[:rodauth].account_from_login(email)
+          context[:rodauth].setup_account_verification
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/query.rb

@@ -5,6 +5,7 @@ module Osso
     module Types
       class QueryType < ::GraphQL::Schema::Object
         field :enterprise_accounts, null: true, resolver: Resolvers::EnterpriseAccounts do
+          argument :search, String, required: false
           argument :sort_column, String, required: false
           argument :sort_order, String, required: false
         end
@@ -40,6 +41,13 @@ module Osso
           argument :id, ID, required: true
         end
 
+        field(
+          :admin_users,
+          [Types::AdminUser],
+          null: false,
+          resolve: ->(_obj, _args, _context) { Osso::Models::Account.all },
+        )
+
         field(
           :current_user,
           Types::AdminUser,

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -6,11 +6,11 @@ module Osso
       class EnterpriseAccounts < BaseResolver
         type Types::EnterpriseAccount.connection_type, null: true
 
-        def resolve(sort_column: nil, sort_order: nil)
+        def resolve(sort_column: nil, sort_order: nil, search: nil)
           return Array(Osso::Models::EnterpriseAccount.find_by(domain: context_domain)) unless internal_authorized?
 
           accounts = Osso::Models::EnterpriseAccount
-
+          accounts = accounts.where('domain ilike ? OR name ilike ?', "%#{search}%", "%#{search}%") if search
           accounts = accounts.order(sort_column.underscore => sort_order_sym(sort_order)) if sort_column && sort_order
 
           accounts.all

data/lib/osso/graphql/types.rb

@@ -14,8 +14,8 @@ require_relative 'types/app_config'
 require_relative 'types/error'
 require_relative 'types/identity_provider_service'
 require_relative 'types/identity_provider_status'
+require_relative 'types/redirect_uri'
+require_relative 'types/oauth_client'
 require_relative 'types/identity_provider'
 require_relative 'types/enterprise_account'
-require_relative 'types/redirect_uri'
 require_relative 'types/redirect_uri_input'
-require_relative 'types/oauth_client'

data/lib/osso/graphql/types/admin_user.rb

@@ -11,11 +11,20 @@ module Osso
         field :id, ID, null: false
         field :email, String, null: false
         field :scope, String, null: false
+        field :role, String, null: false
         field :oauth_client_id, ID, null: true
 
         def self.authorized?(_object, _context)
           true
         end
+
+        def created_at
+          12.hours.ago
+        end
+
+        def updated_at
+          12.hours.ago
+        end
       end
     end
   end

data/lib/osso/graphql/types/base_object.rb

@@ -28,7 +28,7 @@ module Osso
         def self.authorized?(object, context)
           # we first receive the payload object as a hash, but can depend on the
           # return type to hide the actual objects non-admins shouldn't see
-          return true if object.class == Hash
+          return true if object.instance_of?(Hash)
 
           internal_authorized?(context) || enterprise_authorized?(context, object&.domain)
         end

data/lib/osso/graphql/types/identity_provider.rb

@@ -13,10 +13,12 @@ module Osso
         field :service, Types::IdentityProviderService, null: true
         field :domain, String, null: false
         field :acs_url, String, null: false
+        field :sso_issuer, String, null: false
         field :sso_url, String, null: true
         field :sso_cert, String, null: true
         field :status, Types::IdentityProviderStatus, null: false
         field :acs_url_validator, String, null: false
+        field :oauth_client, Types::OauthClient, null: false
       end
     end
   end

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -5,9 +5,10 @@ module Osso
     module Types
       class IdentityProviderService < BaseEnum
         value('AZURE', 'Microsoft Azure Identity Provider', value: 'AZURE')
+        value('GOOGLE', 'Google SAML Identity Provider', value: 'GOOGLE')
         value('OKTA', 'Okta Identity Provider', value: 'OKTA')
         value('ONELOGIN', 'OneLogin Identity Provider', value: 'ONELOGIN')
-        value('GOOGLE', 'Google SAML Identity Provider', value: 'GOOGLE')
+        value('PING', 'PingID Identity Provider', value: 'PING')
       end
     end
   end

data/lib/osso/lib/app_config.rb

@@ -7,7 +7,7 @@ module Osso
     def self.included(klass)
       klass.class_eval do
         use Rack::JSONBodyParser
-        use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+        use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
 
         error ActiveRecord::RecordNotFound do
           status 404

data/lib/osso/lib/route_map.rb

@@ -1,29 +1,13 @@
 # frozen_string_literal: true
 
-# rubocop:disable Metrics/MethodLength
-
 module Osso
   module RouteMap
     def self.included(klass)
       klass.class_eval do
-
         use Osso::Admin
         use Osso::Auth
         use Osso::Oauth
-
-        post '/graphql' do
-          token_protected!
-
-          result = Osso::GraphQL::Schema.execute(
-            params[:query],
-            variables: params[:variables],
-            context: current_user.symbolize_keys,
-          )
-
-          json result
-        end
       end
     end
   end
 end
-# rubocop:enable Metrics/MethodLength

data/lib/osso/lib/saml_handler.rb

@@ -55,6 +55,7 @@ module Osso
       @authorization_code ||= user.authorization_codes.create!(
         oauth_client: provider.oauth_client,
         redirect_uri: redirect_uri_base,
+        requested: requested_param,
       )
     end
 
@@ -81,5 +82,9 @@ module Osso
     def valid_idp_initiated_flow
       !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
     end
+
+    def requested_param
+      @session.delete(:osso_oauth_requested)
+    end
   end
 end

data/lib/osso/models/access_token.rb

@@ -39,9 +39,11 @@ end
 #  updated_at      :datetime         not null
 #  user_id         :uuid
 #  oauth_client_id :uuid
+#  requested       :jsonb
 #
 # Indexes
 #
-#  index_access_tokens_on_oauth_client_id  (oauth_client_id)
-#  index_access_tokens_on_user_id          (user_id)
+#  index_access_tokens_on_oauth_client_id       (oauth_client_id)
+#  index_access_tokens_on_token_and_expires_at  (token,expires_at) UNIQUE
+#  index_access_tokens_on_user_id               (user_id)
 #

data/lib/osso/models/account.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class Account < ::ActiveRecord::Base
+      enum status_id: { 1 => :Unverified, 2 => :Verified, 3 => :Closed }
+
+      def context
+        {
+          email: email,
+          id: id,
+          scope: role,
+          oauth_client_id: oauth_client_id,
+        }
+      end
+    end
+  end
+end
+
+# == Schema Information
+#
+# Table name: accounts
+#
+#  id              :uuid             not null, primary key
+#  email           :citext           not null
+#  status_id       :integer          default(NULL), not null
+#  role            :string           default("admin"), not null
+#  oauth_client_id :string
+#
+# Indexes
+#
+#  index_accounts_on_email            (email) UNIQUE WHERE (status_id = ANY (ARRAY[1, 2]))
+#  index_accounts_on_oauth_client_id  (oauth_client_id)
+#

data/lib/osso/models/authorization_code.rb

@@ -7,7 +7,7 @@ module Osso
 
       def access_token
         @access_token ||= expired! &&
-          user.access_tokens.create(oauth_client: oauth_client)
+          user.access_tokens.create(oauth_client: oauth_client, requested: requested)
       end
     end
   end
@@ -25,6 +25,7 @@ end
 #  updated_at      :datetime         not null
 #  user_id         :uuid
 #  oauth_client_id :uuid
+#  requested       :jsonb
 #
 # Indexes
 #

data/lib/osso/models/enterprise_account.rb

@@ -8,10 +8,11 @@ module Osso
     # includes fields for external IDs such that you can persist
     # your ID for an account in your Osso instance.
     class EnterpriseAccount < ActiveRecord::Base
-      belongs_to :oauth_client
       has_many :users
       has_many :identity_providers
 
+      validates_format_of :domain, with: /\A[a-z0-9]+([\-.]{1}[a-z0-9]+)*\.[a-z]{2,5}\z/
+
       def single_provider?
         identity_providers.not_pending.one?
       end
@@ -40,6 +41,7 @@ end
 #  name            :string           not null
 #  created_at      :datetime         not null
 #  updated_at      :datetime         not null
+#  users_count     :integer          default(0)
 #
 # Indexes
 #