osso 0.0.5.pre.lambda → 0.0.6

Files changed (70) hide show
  1. checksums.yaml +4 -4
  2. data/.buildkite/pipeline.yml +6 -4
  3. data/.github/dependabot.yml +8 -0
  4. data/.github/workflows/automerge.yml +19 -0
  5. data/.rubocop.yml +4 -1
  6. data/Gemfile +1 -1
  7. data/Gemfile.lock +48 -27
  8. data/bin/annotate +3 -1
  9. data/db/schema.rb +40 -3
  10. data/lib/osso.rb +0 -1
  11. data/lib/osso/db/migrate/20201023142158_add_rodauth_tables.rb +47 -0
  12. data/lib/osso/db/migrate/20201105122026_add_token_index_to_access_tokens.rb +5 -0
  13. data/lib/osso/db/migrate/20201106154936_add_requested_to_authorization_codes_and_access_tokens.rb +6 -0
  14. data/lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb +12 -0
  15. data/lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb +9 -0
  16. data/lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb +28 -0
  17. data/lib/osso/error/account_configuration_error.rb +1 -0
  18. data/lib/osso/error/oauth_error.rb +6 -3
  19. data/lib/osso/graphql/mutation.rb +1 -0
  20. data/lib/osso/graphql/mutations.rb +1 -0
  21. data/lib/osso/graphql/mutations/create_enterprise_account.rb +0 -7
  22. data/lib/osso/graphql/mutations/create_identity_provider.rb +7 -6
  23. data/lib/osso/graphql/mutations/invite_admin_user.rb +43 -0
  24. data/lib/osso/graphql/query.rb +8 -0
  25. data/lib/osso/graphql/resolvers/enterprise_accounts.rb +2 -2
  26. data/lib/osso/graphql/types.rb +2 -2
  27. data/lib/osso/graphql/types/admin_user.rb +9 -0
  28. data/lib/osso/graphql/types/base_object.rb +1 -1
  29. data/lib/osso/graphql/types/identity_provider.rb +2 -0
  30. data/lib/osso/graphql/types/identity_provider_service.rb +2 -1
  31. data/lib/osso/lib/app_config.rb +1 -1
  32. data/lib/osso/lib/route_map.rb +0 -16
  33. data/lib/osso/lib/saml_handler.rb +5 -0
  34. data/lib/osso/models/access_token.rb +4 -2
  35. data/lib/osso/models/account.rb +34 -0
  36. data/lib/osso/models/authorization_code.rb +2 -1
  37. data/lib/osso/models/enterprise_account.rb +3 -1
  38. data/lib/osso/models/identity_provider.rb +18 -4
  39. data/lib/osso/models/models.rb +1 -0
  40. data/lib/osso/models/oauth_client.rb +0 -1
  41. data/lib/osso/routes/admin.rb +39 -33
  42. data/lib/osso/routes/auth.rb +9 -9
  43. data/lib/osso/routes/oauth.rb +34 -16
  44. data/lib/osso/version.rb +1 -1
  45. data/lib/osso/views/admin.erb +5 -0
  46. data/lib/osso/views/error.erb +1 -0
  47. data/lib/osso/views/layout.erb +0 -0
  48. data/lib/osso/views/multiple_providers.erb +1 -0
  49. data/lib/osso/views/welcome.erb +0 -0
  50. data/lib/tasks/bootstrap.rake +25 -4
  51. data/osso-rb.gemspec +5 -0
  52. data/spec/factories/account.rb +24 -0
  53. data/spec/factories/enterprise_account.rb +11 -3
  54. data/spec/factories/identity_providers.rb +10 -2
  55. data/spec/factories/user.rb +4 -0
  56. data/spec/graphql/mutations/configure_identity_provider_spec.rb +1 -1
  57. data/spec/graphql/mutations/create_enterprise_account_spec.rb +0 -14
  58. data/spec/graphql/mutations/create_identity_provider_spec.rb +59 -8
  59. data/spec/graphql/query/identity_provider_spec.rb +2 -2
  60. data/spec/models/enterprise_account_spec.rb +18 -0
  61. data/spec/models/identity_provider_spec.rb +24 -3
  62. data/spec/routes/admin_spec.rb +7 -41
  63. data/spec/routes/auth_spec.rb +17 -18
  64. data/spec/routes/oauth_spec.rb +87 -5
  65. data/spec/spec_helper.rb +3 -3
  66. data/spec/support/views/layout.erb +1 -0
  67. metadata +98 -7
  68. data/lib/osso/helpers/auth.rb +0 -94
  69. data/lib/osso/helpers/helpers.rb +0 -8
  70. data/spec/helpers/auth_spec.rb +0 -269
@@ -15,9 +15,9 @@ require 'webmock/rspec'
15
15
  ENV['RACK_ENV'] = 'test'
16
16
  ENV['SESSION_SECRET'] = 'supersecret'
17
17
  ENV['BASE_URL'] = 'https://example.com'
18
+ ENV['RODAUTH_VIEWS'] = "#{File.dirname(__FILE__)}/support/views"
18
19
 
19
20
  require File.expand_path '../lib/osso.rb', __dir__
20
-
21
21
  require File.expand_path 'support/spec_app', __dir__
22
22
 
23
23
  module RSpecMixin
@@ -47,11 +47,11 @@ module RSpecMixin
47
47
  end
48
48
 
49
49
  def spec_views
50
- File.dirname(__FILE__) + '/support/views'
50
+ "#{File.dirname(__FILE__)}/support/views"
51
51
  end
52
52
 
53
53
  def valid_x509_pem
54
- raw = File.read(File.dirname(__FILE__) + '/support/fixtures/test.pem')
54
+ raw = File.read("#{File.dirname(__FILE__)}/support/fixtures/test.pem")
55
55
  OpenSSL::X509::Certificate.new(raw).to_pem
56
56
  end
57
57
 
@@ -0,0 +1 @@
1
+ <%= yield %>
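--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-version: 0.0.5.pre.lambda
+version: 0.0.6
 platform: ruby
 authors:
 - Sam Bauch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-01 00:00:00.000000000 Z
+date: 2020-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -24,6 +24,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: 6.0.3.2
+- !ruby/object:Gem::Dependency
+name: bcrypt
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 3.1.13
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 3.1.13
 - !ruby/object:Gem::Dependency
 name: graphql
 requirement: !ruby/object:Gem::Requirement
@@ -52,6 +66,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: mail
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 2.7.1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 2.7.1
 - !ruby/object:Gem::Dependency
 name: omniauth-multi-provider
 requirement: !ruby/object:Gem::Requirement
@@ -136,6 +164,54 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: rodauth
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 2.6.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 2.6.0
+- !ruby/object:Gem::Dependency
+name: sequel
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 5.37.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 5.37.0
+- !ruby/object:Gem::Dependency
+name: sequel-activerecord_connection
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0.3'
+- - "<"
+- !ruby/object:Gem::Version
+version: '2.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0.3'
+- - "<"
+- !ruby/object:Gem::Version
+version: '2.0'
 - !ruby/object:Gem::Dependency
 name: sinatra
 requirement: !ruby/object:Gem::Requirement
@@ -235,6 +311,8 @@ files:
 - ".buildkite/hooks/pre-command"
 - ".buildkite/pipeline.yml"
 - ".buildkite/template.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/automerge.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -274,6 +352,12 @@ files:
 - lib/osso/db/migrate/20200913154919_add_one_login_to_identity_provider_service_enum.rb
 - lib/osso/db/migrate/20200916125543_add_google_to_identity_provider_service_enum.rb
 - lib/osso/db/migrate/20200929154117_add_users_count_to_identity_providers_and_enterprise_accounts.rb
+- lib/osso/db/migrate/20201023142158_add_rodauth_tables.rb
+- lib/osso/db/migrate/20201105122026_add_token_index_to_access_tokens.rb
+- lib/osso/db/migrate/20201106154936_add_requested_to_authorization_codes_and_access_tokens.rb
+- lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb
+- lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb
+- lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb
 - lib/osso/error/account_configuration_error.rb
 - lib/osso/error/error.rb
 - lib/osso/error/missing_saml_attribute_error.rb
@@ -290,6 +374,7 @@ files:
 - lib/osso/graphql/mutations/delete_enterprise_account.rb
 - lib/osso/graphql/mutations/delete_identity_provider.rb
 - lib/osso/graphql/mutations/delete_oauth_client.rb
+- lib/osso/graphql/mutations/invite_admin_user.rb
 - lib/osso/graphql/mutations/regenerate_oauth_credentials.rb
 - lib/osso/graphql/mutations/set_redirect_uris.rb
 - lib/osso/graphql/mutations/update_app_config.rb
@@ -315,13 +400,12 @@ files:
 - lib/osso/graphql/types/oauth_client.rb
 - lib/osso/graphql/types/redirect_uri.rb
 - lib/osso/graphql/types/redirect_uri_input.rb
-- lib/osso/helpers/auth.rb
-- lib/osso/helpers/helpers.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
 - lib/osso/lib/saml_handler.rb
 - lib/osso/models/access_token.rb
+- lib/osso/models/account.rb
 - lib/osso/models/app_config.rb
 - lib/osso/models/authorization_code.rb
 - lib/osso/models/enterprise_account.rb
@@ -336,8 +420,14 @@ files:
 - lib/osso/routes/oauth.rb
 - lib/osso/routes/routes.rb
 - lib/osso/version.rb
+- lib/osso/views/admin.erb
+- lib/osso/views/error.erb
+- lib/osso/views/layout.erb
+- lib/osso/views/multiple_providers.erb
+- lib/osso/views/welcome.erb
 - lib/tasks/bootstrap.rake
 - osso-rb.gemspec
+- spec/factories/account.rb
 - spec/factories/authorization_code.rb
 - spec/factories/enterprise_account.rb
 - spec/factories/identity_providers.rb
@@ -354,8 +444,8 @@ files:
 - spec/graphql/query/enterprise_accounts_spec.rb
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
-- spec/helpers/auth_spec.rb
 - spec/lib/saml_handler_spec.rb
+- spec/models/enterprise_account_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/routes/admin_spec.rb
 - spec/routes/app_spec.rb
@@ -366,6 +456,7 @@ files:
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
 - spec/support/views/error.erb
+- spec/support/views/layout.erb
 - spec/support/views/multiple_providers.erb
 homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
@@ -382,9 +473,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - ">"
+- - ">="
 - !ruby/object:Gem::Version
-version: 1.3.1
+version: '0'
 requirements: []
 rubygems_version: 3.0.3
 signing_key: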
@@ -1,94 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Osso
4
- module Helpers
5
- module Auth
6
- END_USER_SCOPE = 'end-user'
7
- INTERNAL_SCOPE = 'internal'
8
- ADMIN_SCOPE = 'admin'
9
-
10
- attr_accessor :current_user
11
-
12
- def token_protected!
13
- decode(token)
14
- rescue JWT::DecodeError
15
- halt 401
16
- end
17
-
18
- def enterprise_protected!(domain = nil)
19
- return if admin_authorized?
20
- return if internal_authorized?
21
- return if enterprise_authorized?(domain)
22
-
23
- halt 401 if request.post?
24
-
25
- redirect ENV['JWT_URL']
26
- end
27
-
28
- def internal_protected!
29
- return if admin_authorized?
30
- return if internal_authorized?
31
-
32
- redirect ENV['JWT_URL']
33
- end
34
-
35
- def admin_protected!
36
- return true if admin_authorized?
37
-
38
- redirect ENV['JWT_URL']
39
- end
40
-
41
- private
42
-
43
- def enterprise_authorized?(domain)
44
- decode(token)
45
-
46
- @current_user[:scope] == END_USER_SCOPE &&
47
- @current_user[:email].split('@')[1] == domain
48
- rescue JWT::DecodeError
49
- false
50
- end
51
-
52
- def internal_authorized?
53
- decode(token)
54
-
55
- @current_user[:scope] == INTERNAL_SCOPE
56
- rescue JWT::DecodeError
57
- false
58
- end
59
-
60
- def admin_authorized?
61
- decode(token)
62
-
63
- @current_user[:scope] == ADMIN_SCOPE
64
- rescue JWT::DecodeError
65
- false
66
- end
67
-
68
- def token
69
- session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
70
- end
71
-
72
- def chomp_token
73
- return unless request['admin_token'].present?
74
-
75
- session['admin_token'] = request['admin_token']
76
-
77
- return if request.post?
78
-
79
- redirect request.path
80
- end
81
-
82
- def decode(token)
83
- payload, _args = JWT.decode(
84
- token,
85
- ENV['JWT_HMAC_SECRET'],
86
- true,
87
- { algorithm: 'HS256' },
88
- )
89
-
90
- @current_user = payload.symbolize_keys
91
- end
92
- end
93
- end
94
- end
@@ -1,8 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Osso
4
- module Helpers
5
- end
6
- end
7
-
8
- require_relative 'auth'
@@ -1,269 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require 'spec_helper'
4
-
5
- describe Osso::Helpers::Auth do
6
- before do
7
- ENV['JWT_HMAC_SECRET'] = 'super-secret'
8
- end
9
-
10
- subject(:app) do
11
- Class.new {
12
- include Osso::Helpers::Auth
13
- }
14
- end
15
-
16
- describe 'with the token as a header' do
17
- before do
18
- allow_any_instance_of(subject).to receive(:request) do
19
- double('Request', env: { 'HTTP_AUTHORIZATION' => token }, post?: false)
20
- end
21
-
22
- allow_any_instance_of(subject).to receive(:session) do
23
- {
24
- admin_token: nil
25
- }
26
- end
27
-
28
- allow_any_instance_of(subject).to receive(:redirect) do
29
- false
30
- end
31
- end
32
-
33
- describe 'with an admin token' do
34
- let(:token) { encode({ scope: 'admin' }) }
35
-
36
- it 'allows #token_protected! methods' do
37
- expect(subject.new.token_protected!).to_not be(false)
38
- end
39
-
40
- it 'allows #enterprise_protected! methods' do
41
- expect(subject.new.enterprise_protected!).to_not be(false)
42
- end
43
-
44
- it 'allows #internal_protected! methods' do
45
- expect(subject.new.internal_protected!).to_not be(false)
46
- end
47
-
48
- it 'allows #admin_protected! methods' do
49
- expect(subject.new.admin_protected!).to_not be(false)
50
- end
51
- end
52
-
53
- describe 'with an internal token' do
54
- let(:token) { encode({ scope: 'internal' }) }
55
-
56
- it 'allows #token_protected! methods' do
57
- expect(subject.new.token_protected!).to_not be(false)
58
- end
59
-
60
- it 'allows #enterprise_protected! methods' do
61
- expect(subject.new.enterprise_protected!).to_not be(false)
62
- end
63
-
64
- it 'allows #internal_protected! methods' do
65
- expect(subject.new.internal_protected!).to_not be(false)
66
- end
67
-
68
- it 'allows #admin_protected! methods' do
69
- expect(subject.new.admin_protected!).to be(false)
70
- end
71
- end
72
-
73
- describe 'with an end-user token' do
74
- let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
75
-
76
- it 'allows #token_protected! methods' do
77
- expect(subject.new.token_protected!).to_not be(false)
78
- end
79
-
80
- it 'allows #enterprise_protected! methods for the scoped domain' do
81
- expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
82
- end
83
-
84
- it 'halts #enterprise_protected! methods for the wrong scoped domain' do
85
- expect(subject.new.enterprise_protected!('foo.com')).to be(false)
86
- end
87
-
88
- it 'halts #internal_protected! methods' do
89
- expect(subject.new.internal_protected!).to be(false)
90
- end
91
-
92
- it 'halts #admin_protected! methods' do
93
- expect(subject.new.admin_protected!).to be(false)
94
- end
95
- end
96
- end
97
-
98
- describe 'with the token as a parameter' do
99
- before do
100
- allow_any_instance_of(subject).to receive(:request) do
101
- double('Request', env: {}, params: { 'admin_token' => token }, post?: false)
102
- end
103
-
104
- allow_any_instance_of(subject).to receive(:session) do
105
- {
106
- admin_token: nil
107
- }
108
- end
109
-
110
- allow_any_instance_of(subject).to receive(:redirect) do
111
- false
112
- end
113
- end
114
-
115
- describe 'with an admin token' do
116
- let(:token) { encode({ scope: 'admin' }) }
117
-
118
- it 'allows #token_protected! methods' do
119
- expect(subject.new.token_protected!).to_not be(false)
120
- end
121
-
122
- it 'allows #enterprise_protected! methods' do
123
- expect(subject.new.enterprise_protected!).to_not be(false)
124
- end
125
-
126
- it 'allows #internal_protected! methods' do
127
- expect(subject.new.internal_protected!).to_not be(false)
128
- end
129
-
130
- it 'allows #admin_protected! methods' do
131
- expect(subject.new.admin_protected!).to_not be(false)
132
- end
133
- end
134
-
135
- describe 'with an internal token' do
136
- let(:token) { encode({ scope: 'internal' }) }
137
-
138
- it 'allows #token_protected! methods' do
139
- expect(subject.new.token_protected!).to_not be(false)
140
- end
141
-
142
- it 'allows #enterprise_protected! methods' do
143
- expect(subject.new.enterprise_protected!).to_not be(false)
144
- end
145
-
146
- it 'allows #internal_protected! methods' do
147
- expect(subject.new.internal_protected!).to_not be(false)
148
- end
149
-
150
- it 'allows #admin_protected! methods' do
151
- expect(subject.new.admin_protected!).to be(false)
152
- end
153
- end
154
-
155
- describe 'with an end-user token' do
156
- let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
157
-
158
- it 'allows #token_protected! methods' do
159
- expect(subject.new.token_protected!).to_not be(false)
160
- end
161
-
162
- it 'allows #enterprise_protected! methods for the scoped domain' do
163
- expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
164
- end
165
-
166
- it 'halts #enterprise_protected! methods for the wrong scoped domain' do
167
- expect(subject.new.enterprise_protected!('foo.com')).to be(false)
168
- end
169
-
170
- it 'halts #internal_protected! methods' do
171
- expect(subject.new.internal_protected!).to be(false)
172
- end
173
-
174
- it 'halts #admin_protected! methods' do
175
- expect(subject.new.admin_protected!).to be(false)
176
- end
177
- end
178
- end
179
-
180
- describe 'with the token in session' do
181
- before do
182
- allow_any_instance_of(subject).to receive(:request) do
183
- double('Request', env: {}, params: {}, post?: false)
184
- end
185
-
186
- allow_any_instance_of(subject).to receive(:redirect) do
187
- false
188
- end
189
-
190
- allow_any_instance_of(subject).to receive(:session).and_return(
191
- {admin_token: token}.with_indifferent_access
192
- )
193
-
194
- end
195
-
196
- describe 'with an admin token' do
197
- let(:token) { encode({ scope: 'admin' }) }
198
-
199
-
200
- it 'allows #token_protected! methods' do
201
- expect(subject.new.token_protected!).to_not be(false)
202
- end
203
-
204
- it 'allows #enterprise_protected! methods' do
205
- expect(subject.new.enterprise_protected!).to_not be(false)
206
- end
207
-
208
- it 'allows #internal_protected! methods' do
209
- expect(subject.new.internal_protected!).to_not be(false)
210
- end
211
-
212
- it 'allows #admin_protected! methods' do
213
- expect(subject.new.admin_protected!).to_not be(false)
214
- end
215
- end
216
-
217
- describe 'with an internal token' do
218
- let(:token) { encode({ scope: 'internal' }) }
219
-
220
- it 'allows #token_protected! methods' do
221
- expect(subject.new.token_protected!).to_not be(false)
222
- end
223
-
224
- it 'allows #enterprise_protected! methods' do
225
- expect(subject.new.enterprise_protected!).to_not be(false)
226
- end
227
-
228
- it 'allows #internal_protected! methods' do
229
- expect(subject.new.internal_protected!).to_not be(false)
230
- end
231
-
232
- it 'allows #admin_protected! methods' do
233
- expect(subject.new.admin_protected!).to be(false)
234
- end
235
- end
236
-
237
- describe 'with an end-user token' do
238
- let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
239
-
240
- it 'allows #token_protected! methods' do
241
- expect(subject.new.token_protected!).to_not be(false)
242
- end
243
-
244
- it 'allows #enterprise_protected! methods for the scoped domain' do
245
- expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
246
- end
247
-
248
- it 'halts #enterprise_protected! methods for the wrong scoped domain' do
249
- expect(subject.new.enterprise_protected!('foo.com')).to be(false)
250
- end
251
-
252
- it 'halts #internal_protected! methods' do
253
- expect(subject.new.internal_protected!).to be(false)
254
- end
255
-
256
- it 'halts #admin_protected! methods' do
257
- expect(subject.new.admin_protected!).to be(false)
258
- end
259
- end
260
- end
261
-
262
- def encode(payload)
263
- JWT.encode(
264
- payload,
265
- ENV['JWT_HMAC_SECRET'],
266
- 'HS256',
267
- )
268
- end
269
- end