RubyGems - osso - Versions diffs - 0.0.5.pre.theta → 0.0.7 - Mend

osso 0.0.5.pre.theta → 0.0.7

Files changed (78) hide show

checksums.yaml +4 -4
data/.buildkite/pipeline.yml +6 -4
data/.github/dependabot.yml +8 -0
data/.github/workflows/automerge.yml +19 -0
data/.rubocop.yml +4 -1
data/Gemfile +2 -2
data/Gemfile.lock +58 -37
data/LICENSE +21 -23
data/Rakefile +2 -0
data/bin/annotate +3 -1
data/db/schema.rb +41 -3
data/lib/osso.rb +0 -1
data/lib/osso/db/migrate/20200929154117_add_users_count_to_identity_providers_and_enterprise_accounts.rb +6 -0
data/lib/osso/db/migrate/20201023142158_add_rodauth_tables.rb +47 -0
data/lib/osso/db/migrate/20201105122026_add_token_index_to_access_tokens.rb +5 -0
data/lib/osso/db/migrate/20201106154936_add_requested_to_authorization_codes_and_access_tokens.rb +6 -0
data/lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb +12 -0
data/lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb +9 -0
data/lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb +28 -0
data/lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb +28 -0
data/lib/osso/error/account_configuration_error.rb +1 -0
data/lib/osso/error/oauth_error.rb +6 -3
data/lib/osso/graphql/mutation.rb +2 -0
data/lib/osso/graphql/mutations.rb +2 -0
data/lib/osso/graphql/mutations/create_enterprise_account.rb +0 -7
data/lib/osso/graphql/mutations/create_identity_provider.rb +7 -6
data/lib/osso/graphql/mutations/delete_identity_provider.rb +24 -0
data/lib/osso/graphql/mutations/invite_admin_user.rb +43 -0
data/lib/osso/graphql/query.rb +8 -0
data/lib/osso/graphql/resolvers/enterprise_accounts.rb +3 -3
data/lib/osso/graphql/types.rb +2 -2
data/lib/osso/graphql/types/admin_user.rb +9 -0
data/lib/osso/graphql/types/base_object.rb +1 -1
data/lib/osso/graphql/types/enterprise_account.rb +1 -0
data/lib/osso/graphql/types/identity_provider.rb +2 -0
data/lib/osso/graphql/types/identity_provider_service.rb +3 -1
data/lib/osso/lib/app_config.rb +1 -1
data/lib/osso/lib/route_map.rb +0 -16
data/lib/osso/lib/saml_handler.rb +5 -0
data/lib/osso/models/access_token.rb +4 -2
data/lib/osso/models/account.rb +34 -0
data/lib/osso/models/authorization_code.rb +2 -1
data/lib/osso/models/enterprise_account.rb +3 -1
data/lib/osso/models/identity_provider.rb +19 -5
data/lib/osso/models/models.rb +1 -0
data/lib/osso/models/oauth_client.rb +0 -1
data/lib/osso/models/user.rb +2 -2
data/lib/osso/routes/admin.rb +39 -33
data/lib/osso/routes/auth.rb +9 -9
data/lib/osso/routes/oauth.rb +35 -17
data/lib/osso/version.rb +1 -1
data/lib/osso/views/admin.erb +5 -0
data/lib/osso/views/error.erb +1 -0
data/lib/osso/views/layout.erb +0 -0
data/lib/osso/views/multiple_providers.erb +1 -0
data/lib/osso/views/welcome.erb +0 -0
data/lib/tasks/bootstrap.rake +25 -4
data/osso-rb.gemspec +5 -0
data/spec/factories/account.rb +24 -0
data/spec/factories/enterprise_account.rb +11 -3
data/spec/factories/identity_providers.rb +10 -2
data/spec/factories/user.rb +4 -0
data/spec/graphql/mutations/configure_identity_provider_spec.rb +1 -1
data/spec/graphql/mutations/create_enterprise_account_spec.rb +0 -14
data/spec/graphql/mutations/create_identity_provider_spec.rb +59 -8
data/spec/graphql/query/identity_provider_spec.rb +2 -2
data/spec/models/enterprise_account_spec.rb +18 -0
data/spec/models/identity_provider_spec.rb +24 -3
data/spec/routes/admin_spec.rb +7 -41
data/spec/routes/auth_spec.rb +17 -18
data/spec/routes/oauth_spec.rb +88 -5
data/spec/spec_helper.rb +3 -3
data/spec/support/views/layout.erb +1 -0
data/spec/support/views/multiple_providers.erb +1 -0
metadata +107 -7
data/lib/osso/helpers/auth.rb +0 -94
data/lib/osso/helpers/helpers.rb +0 -8
data/spec/helpers/auth_spec.rb +0 -269

@@ -1,94 +0,0 @@
-# frozen_string_literal: true
-module Osso
-  module Helpers
-    module Auth
-      END_USER_SCOPE = 'end-user'
-      INTERNAL_SCOPE = 'internal'
-      ADMIN_SCOPE    = 'admin'
-      attr_accessor :current_user
-      def token_protected!
-        decode(token)
-      rescue JWT::DecodeError
-        halt 401
-      end
-      def enterprise_protected!(domain = nil)
-        return if admin_authorized?
-        return if internal_authorized?
-        return if enterprise_authorized?(domain)
-        halt 401 if request.post?
-        redirect ENV['JWT_URL']
-      end
-      def internal_protected!
-        return if admin_authorized?
-        return if internal_authorized?
-        redirect ENV['JWT_URL']
-      end
-      def admin_protected!
-        return true if admin_authorized?
-        redirect ENV['JWT_URL']
-      end
-      private
-      def enterprise_authorized?(domain)
-        decode(token)
-        @current_user[:scope] == END_USER_SCOPE &&
-          @current_user[:email].split('@')[1] == domain
-      rescue JWT::DecodeError
-        false
-      end
-      def internal_authorized?
-        decode(token)
-        @current_user[:scope] == INTERNAL_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-      def admin_authorized?
-        decode(token)
-        @current_user[:scope] == ADMIN_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-      def token
-        session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
-      end
-      def chomp_token
-        return unless request['admin_token'].present?
-        session['admin_token'] = request['admin_token']
-        return if request.post?
-        redirect request.path
-      end
-      def decode(token)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
-        @current_user = payload.symbolize_keys
-      end
-    end
-  end
-end

data/lib/osso/helpers/helpers.rb DELETED

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-module Osso
-  module Helpers
-  end
-end
-require_relative 'auth'

data/spec/helpers/auth_spec.rb DELETED

@@ -1,269 +0,0 @@
-# frozen_string_literal: true
-require 'spec_helper'
-describe Osso::Helpers::Auth do
-  before do
-    ENV['JWT_HMAC_SECRET'] = 'super-secret'
-  end
-  subject(:app) do
-    Class.new {
-      include Osso::Helpers::Auth
-    }
-  end
-  describe 'with the token as a header' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: { 'HTTP_AUTHORIZATION' => token }, post?: false)
-      end
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
-      end
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-    end
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-  describe 'with the token as a parameter' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: { 'admin_token' => token }, post?: false)
-      end
-      allow_any_instance_of(subject).to receive(:session) do
-        {
-          admin_token: nil
-        }
-      end
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-    end
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-  describe 'with the token in session' do
-    before do
-      allow_any_instance_of(subject).to receive(:request) do
-        double('Request', env: {}, params: {}, post?: false)
-      end
-      allow_any_instance_of(subject).to receive(:redirect) do
-        false
-      end
-      allow_any_instance_of(subject).to receive(:session).and_return(
-        {admin_token: token}.with_indifferent_access
-      )
-    end
-    describe 'with an admin token' do
-      let(:token) { encode({ scope: 'admin' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to_not be(false)
-      end
-    end
-    describe 'with an internal token' do
-      let(:token) { encode({ scope: 'internal' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods' do
-        expect(subject.new.enterprise_protected!).to_not be(false)
-      end
-      it 'allows #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to_not be(false)
-      end
-      it 'allows #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-    describe 'with an end-user token' do
-      let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
-      it 'allows #token_protected! methods' do
-        expect(subject.new.token_protected!).to_not be(false)
-      end
-      it 'allows #enterprise_protected! methods for the scoped domain' do
-        expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
-      end
-      it 'halts #enterprise_protected! methods for the wrong scoped domain' do
-        expect(subject.new.enterprise_protected!('foo.com')).to be(false)
-      end
-      it 'halts #internal_protected! methods' do
-        expect(subject.new.internal_protected!).to be(false)
-      end
-      it 'halts #admin_protected! methods' do
-        expect(subject.new.admin_protected!).to be(false)
-      end
-    end
-  end
-  def encode(payload)
-    JWT.encode(
-      payload,
-      ENV['JWT_HMAC_SECRET'],
-      'HS256',
-    )
-  end
-end