osso 0.0.5.pre.lambda → 0.0.6

data/spec/spec_helper.rb

@@ -15,9 +15,9 @@ require 'webmock/rspec'
 ENV['RACK_ENV'] = 'test'
 ENV['SESSION_SECRET'] = 'supersecret'
 ENV['BASE_URL'] = 'https://example.com'
+ENV['RODAUTH_VIEWS'] = "#{File.dirname(__FILE__)}/support/views"
 
 require File.expand_path '../lib/osso.rb', __dir__
-
 require File.expand_path 'support/spec_app', __dir__
 
 module RSpecMixin
@@ -47,11 +47,11 @@ module RSpecMixin
   end
 
   def spec_views
-    File.dirname(__FILE__) + '/support/views'
+    "#{File.dirname(__FILE__)}/support/views"
   end
 
   def valid_x509_pem
-    raw = File.read(File.dirname(__FILE__) + '/support/fixtures/test.pem')
+    raw = File.read("#{File.dirname(__FILE__)}/support/fixtures/test.pem")
     OpenSSL::X509::Certificate.new(raw).to_pem
   end
 

data/spec/support/views/layout.erb

@@ -0,0 +1 @@
+<%= yield %>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.5.pre.lambda
+  version: 0.0.6
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-01 00:00:00.000000000 Z
+date: 2020-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 6.0.3.2
+- !ruby/object:Gem::Dependency
+  name: bcrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.13
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.13
 - !ruby/object:Gem::Dependency
   name: graphql
   requirement: !ruby/object:Gem::Requirement
@@ -52,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: mail
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.1
 - !ruby/object:Gem::Dependency
   name: omniauth-multi-provider
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +164,54 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rodauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.6.0
+- !ruby/object:Gem::Dependency
+  name: sequel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.37.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.37.0
+- !ruby/object:Gem::Dependency
+  name: sequel-activerecord_connection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
@@ -235,6 +311,8 @@ files:
 - ".buildkite/hooks/pre-command"
 - ".buildkite/pipeline.yml"
 - ".buildkite/template.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/automerge.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -274,6 +352,12 @@ files:
 - lib/osso/db/migrate/20200913154919_add_one_login_to_identity_provider_service_enum.rb
 - lib/osso/db/migrate/20200916125543_add_google_to_identity_provider_service_enum.rb
 - lib/osso/db/migrate/20200929154117_add_users_count_to_identity_providers_and_enterprise_accounts.rb
+- lib/osso/db/migrate/20201023142158_add_rodauth_tables.rb
+- lib/osso/db/migrate/20201105122026_add_token_index_to_access_tokens.rb
+- lib/osso/db/migrate/20201106154936_add_requested_to_authorization_codes_and_access_tokens.rb
+- lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb
+- lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb
+- lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb
 - lib/osso/error/account_configuration_error.rb
 - lib/osso/error/error.rb
 - lib/osso/error/missing_saml_attribute_error.rb
@@ -290,6 +374,7 @@ files:
 - lib/osso/graphql/mutations/delete_enterprise_account.rb
 - lib/osso/graphql/mutations/delete_identity_provider.rb
 - lib/osso/graphql/mutations/delete_oauth_client.rb
+- lib/osso/graphql/mutations/invite_admin_user.rb
 - lib/osso/graphql/mutations/regenerate_oauth_credentials.rb
 - lib/osso/graphql/mutations/set_redirect_uris.rb
 - lib/osso/graphql/mutations/update_app_config.rb
@@ -315,13 +400,12 @@ files:
 - lib/osso/graphql/types/oauth_client.rb
 - lib/osso/graphql/types/redirect_uri.rb
 - lib/osso/graphql/types/redirect_uri_input.rb
-- lib/osso/helpers/auth.rb
-- lib/osso/helpers/helpers.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
 - lib/osso/lib/saml_handler.rb
 - lib/osso/models/access_token.rb
+- lib/osso/models/account.rb
 - lib/osso/models/app_config.rb
 - lib/osso/models/authorization_code.rb
 - lib/osso/models/enterprise_account.rb
@@ -336,8 +420,14 @@ files:
 - lib/osso/routes/oauth.rb
 - lib/osso/routes/routes.rb
 - lib/osso/version.rb
+- lib/osso/views/admin.erb
+- lib/osso/views/error.erb
+- lib/osso/views/layout.erb
+- lib/osso/views/multiple_providers.erb
+- lib/osso/views/welcome.erb
 - lib/tasks/bootstrap.rake
 - osso-rb.gemspec
+- spec/factories/account.rb
 - spec/factories/authorization_code.rb
 - spec/factories/enterprise_account.rb
 - spec/factories/identity_providers.rb
@@ -354,8 +444,8 @@ files:
 - spec/graphql/query/enterprise_accounts_spec.rb
 - spec/graphql/query/identity_provider_spec.rb
 - spec/graphql/query/oauth_clients_spec.rb
-- spec/helpers/auth_spec.rb
 - spec/lib/saml_handler_spec.rb
+- spec/models/enterprise_account_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/routes/admin_spec.rb
 - spec/routes/app_spec.rb
@@ -366,6 +456,7 @@ files:
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
 - spec/support/views/error.erb
+- spec/support/views/layout.erb
 - spec/support/views/multiple_providers.erb
 homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
@@ -382,9 +473,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.0.3
 signing_key: 

data/lib/osso/helpers/auth.rb

@@ -1,94 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Helpers
-    module Auth
-      END_USER_SCOPE = 'end-user'
-      INTERNAL_SCOPE = 'internal'
-      ADMIN_SCOPE    = 'admin'
-
-      attr_accessor :current_user
-
-      def token_protected!
-        decode(token)
-      rescue JWT::DecodeError
-        halt 401
-      end
-
-      def enterprise_protected!(domain = nil)
-        return if admin_authorized?
-        return if internal_authorized?
-        return if enterprise_authorized?(domain)
-
-        halt 401 if request.post?
-
-        redirect ENV['JWT_URL']
-      end
-
-      def internal_protected!
-        return if admin_authorized?
-        return if internal_authorized?
-
-        redirect ENV['JWT_URL']
-      end
-
-      def admin_protected!
-        return true if admin_authorized?
-
-        redirect ENV['JWT_URL']
-      end
-
-      private
-
-      def enterprise_authorized?(domain)
-        decode(token)
-
-        @current_user[:scope] == END_USER_SCOPE &&
-          @current_user[:email].split('@')[1] == domain
-      rescue JWT::DecodeError
-        false
-      end
-
-      def internal_authorized?
-        decode(token)
-
-        @current_user[:scope] == INTERNAL_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-
-      def admin_authorized?
-        decode(token)
-
-        @current_user[:scope] == ADMIN_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-
-      def token
-        session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
-      end
-
-      def chomp_token
-        return unless request['admin_token'].present?
-
-        session['admin_token'] = request['admin_token']
-
-        return if request.post?
-
-        redirect request.path
-      end
-
-      def decode(token)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
-
-        @current_user = payload.symbolize_keys
-      end
-    end
-  end
-end

data/lib/osso/helpers/helpers.rb

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-module Osso
-  module Helpers
-  end
-end
-
-require_relative 'auth'

data/spec/helpers/auth_spec.rb

@@ -1,269 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe Osso::Helpers::Auth do
-  before do
-    ENV['JWT_HMAC_SECRET'] = 'super-secret'
-  end
-
-  subject(:app) do
-    Class.new { 
-      include Osso::Helpers::Auth
-    }
-  end
-
-  describe 'with the token as a header' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: { 'HTTP_AUTHORIZATION' => token }, post?: false)
-      end
-
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
-      end
-
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-    end
-
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-
-  describe 'with the token as a parameter' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: { 'admin_token' => token }, post?: false)
-      end
-
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
-      end
-
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-    end
-
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-
-  describe 'with the token in session' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: {}, post?: false)
-      end
-    
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-
-      allow_any_instance_of(subject).to receive(:session).and_return(
-        {admin_token: token}.with_indifferent_access
-      )
-
-    end
-
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-
-  def encode(payload)
-    JWT.encode(
-      payload,
-      ENV['JWT_HMAC_SECRET'],
-      'HS256',
-    )
-  end
-end