RubyGems - osso - Versions diffs - 0.0.5.pre.theta → 0.0.7 - Mend

osso 0.0.5.pre.theta → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

checksums.yaml +4 -4
data/.buildkite/pipeline.yml +6 -4
data/.github/dependabot.yml +8 -0
data/.github/workflows/automerge.yml +19 -0
data/.rubocop.yml +4 -1
data/Gemfile +2 -2
data/Gemfile.lock +58 -37
data/LICENSE +21 -23
data/Rakefile +2 -0
data/bin/annotate +3 -1
data/db/schema.rb +41 -3
data/lib/osso.rb +0 -1
data/lib/osso/db/migrate/20200929154117_add_users_count_to_identity_providers_and_enterprise_accounts.rb +6 -0
data/lib/osso/db/migrate/20201023142158_add_rodauth_tables.rb +47 -0
data/lib/osso/db/migrate/20201105122026_add_token_index_to_access_tokens.rb +5 -0
data/lib/osso/db/migrate/20201106154936_add_requested_to_authorization_codes_and_access_tokens.rb +6 -0
data/lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb +12 -0
data/lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb +9 -0
data/lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb +28 -0
data/lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb +28 -0
data/lib/osso/error/account_configuration_error.rb +1 -0
data/lib/osso/error/oauth_error.rb +6 -3
data/lib/osso/graphql/mutation.rb +2 -0
data/lib/osso/graphql/mutations.rb +2 -0
data/lib/osso/graphql/mutations/create_enterprise_account.rb +0 -7
data/lib/osso/graphql/mutations/create_identity_provider.rb +7 -6
data/lib/osso/graphql/mutations/delete_identity_provider.rb +24 -0
data/lib/osso/graphql/mutations/invite_admin_user.rb +43 -0
data/lib/osso/graphql/query.rb +8 -0
data/lib/osso/graphql/resolvers/enterprise_accounts.rb +3 -3
data/lib/osso/graphql/types.rb +2 -2
data/lib/osso/graphql/types/admin_user.rb +9 -0
data/lib/osso/graphql/types/base_object.rb +1 -1
data/lib/osso/graphql/types/enterprise_account.rb +1 -0
data/lib/osso/graphql/types/identity_provider.rb +2 -0
data/lib/osso/graphql/types/identity_provider_service.rb +3 -1
data/lib/osso/lib/app_config.rb +1 -1
data/lib/osso/lib/route_map.rb +0 -16
data/lib/osso/lib/saml_handler.rb +5 -0
data/lib/osso/models/access_token.rb +4 -2
data/lib/osso/models/account.rb +34 -0
data/lib/osso/models/authorization_code.rb +2 -1
data/lib/osso/models/enterprise_account.rb +3 -1
data/lib/osso/models/identity_provider.rb +19 -5
data/lib/osso/models/models.rb +1 -0
data/lib/osso/models/oauth_client.rb +0 -1
data/lib/osso/models/user.rb +2 -2
data/lib/osso/routes/admin.rb +39 -33
data/lib/osso/routes/auth.rb +9 -9
data/lib/osso/routes/oauth.rb +35 -17
data/lib/osso/version.rb +1 -1
data/lib/osso/views/admin.erb +5 -0
data/lib/osso/views/error.erb +1 -0
data/lib/osso/views/layout.erb +0 -0
data/lib/osso/views/multiple_providers.erb +1 -0
data/lib/osso/views/welcome.erb +0 -0
data/lib/tasks/bootstrap.rake +25 -4
data/osso-rb.gemspec +5 -0
data/spec/factories/account.rb +24 -0
data/spec/factories/enterprise_account.rb +11 -3
data/spec/factories/identity_providers.rb +10 -2
data/spec/factories/user.rb +4 -0
data/spec/graphql/mutations/configure_identity_provider_spec.rb +1 -1
data/spec/graphql/mutations/create_enterprise_account_spec.rb +0 -14
data/spec/graphql/mutations/create_identity_provider_spec.rb +59 -8
data/spec/graphql/query/identity_provider_spec.rb +2 -2
data/spec/models/enterprise_account_spec.rb +18 -0
data/spec/models/identity_provider_spec.rb +24 -3
data/spec/routes/admin_spec.rb +7 -41
data/spec/routes/auth_spec.rb +17 -18
data/spec/routes/oauth_spec.rb +88 -5
data/spec/spec_helper.rb +3 -3
data/spec/support/views/layout.erb +1 -0
data/spec/support/views/multiple_providers.erb +1 -0
metadata +107 -7
data/lib/osso/helpers/auth.rb +0 -94
data/lib/osso/helpers/helpers.rb +0 -8
data/spec/helpers/auth_spec.rb +0 -269

data/lib/osso/helpers/auth.rb DELETED

@@ -1,94 +0,0 @@
-# frozen_string_literal: true
-module Osso
-  module Helpers
-    module Auth
-      END_USER_SCOPE = 'end-user'
-      INTERNAL_SCOPE = 'internal'
-      ADMIN_SCOPE    = 'admin'
-      attr_accessor :current_user
-      def token_protected!
-        decode(token)
-      rescue JWT::DecodeError
-        halt 401
-      end
-      def enterprise_protected!(domain = nil)
-        return if admin_authorized?
-        return if internal_authorized?
-        return if enterprise_authorized?(domain)
-        halt 401 if request.post?
-        redirect ENV['JWT_URL']
-      end
-      def internal_protected!
-        return if admin_authorized?
-        return if internal_authorized?
-        redirect ENV['JWT_URL']
-      end
-      def admin_protected!
-        return true if admin_authorized?
-        redirect ENV['JWT_URL']
-      end
-      private
-      def enterprise_authorized?(domain)
-        decode(token)
-        @current_user[:scope] == END_USER_SCOPE &&
-          @current_user[:email].split('@')[1] == domain
-      rescue JWT::DecodeError
-        false
-      end
-      def internal_authorized?
-        decode(token)
-        @current_user[:scope] == INTERNAL_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-      def admin_authorized?
-        decode(token)
-        @current_user[:scope] == ADMIN_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-      def token
-        session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
-      end
-      def chomp_token
-        return unless request['admin_token'].present?
-        session['admin_token'] = request['admin_token']
-        return if request.post?
-        redirect request.path
-      end
-      def decode(token)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
-        @current_user = payload.symbolize_keys
-      end
-    end
-  end
-end

data/lib/osso/helpers/helpers.rb DELETED

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-module Osso
-  module Helpers
-  end
-end
-require_relative 'auth'

data/spec/helpers/auth_spec.rb DELETED

@@ -1,269 +0,0 @@
-# frozen_string_literal: true
-require 'spec_helper'
-describe Osso::Helpers::Auth do
-  before do
-    ENV['JWT_HMAC_SECRET'] = 'super-secret'
-  end
-  subject(:app) do
-    Class.new {
-      include Osso::Helpers::Auth
-    }
-  end
-  describe 'with the token as a header' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: { 'HTTP_AUTHORIZATION' => token }, post?: false)
-      end
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
-      end
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-    end
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-  describe 'with the token as a parameter' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: { 'admin_token' => token }, post?: false)
-      end
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
-      end
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-    end
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-  describe 'with the token in session' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: {}, post?: false)
-      end
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-      allow_any_instance_of(subject).to receive(:session).and_return(
-        {admin_token: token}.with_indifferent_access
-      )
-    end
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-  def encode(payload)
-    JWT.encode(
-      payload,
-      ENV['JWT_HMAC_SECRET'],
-      'HS256',
-    )
-  end
-end