osso 0.0.5.pre.zeta → 0.0.5

data/spec/factories/account.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+DB = Sequel.postgres(extensions: :activerecord_connection)
+
+FactoryBot.define do
+  factory :account, class: Osso::Models::Account do
+    id { SecureRandom.uuid }
+    email { Faker::Internet.email }
+  end
+
+  factory :verified_account, parent: :account do
+    transient do
+      password { SecureRandom.urlsafe_base64(8) }
+    end
+    status_id { 2 }
+
+    after :create do |account|
+      DB[:account_password_hashes].insert(
+        id: account.id,
+        password_hash: BCrypt::Password.create('secret', cost: BCrypt::Engine::MIN_COST).to_s,
+      )
+    end
+  end
+end

data/spec/factories/enterprise_account.rb

@@ -2,19 +2,22 @@
 
 FactoryBot.define do
   factory :enterprise_account, class: Osso::Models::EnterpriseAccount do
+    transient do
+      oauth_client { create(:oauth_client) }
+    end
     id { SecureRandom.uuid }
     name { Faker::Company.name }
     domain { Faker::Internet.domain_name }
-    oauth_client
   end
 
   factory :enterprise_with_okta, parent: :enterprise_account do
-    after :create do |enterprise|
+    after :create do |enterprise, evaluator|
       create(
         :configured_identity_provider,
         service: 'OKTA',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
+        oauth_client: evaluator.oauth_client,
       )
     end
   end
@@ -31,12 +34,16 @@ FactoryBot.define do
   end
 
   factory :enterprise_with_multiple_providers, parent: :enterprise_account do
-    after :create do |enterprise|
+    transient do
+      oauth_client { nil }
+    end
+    after :create do |enterprise, evaluator|
       create(
         :configured_identity_provider,
         service: 'OKTA',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
+        oauth_client: evaluator.oauth_client,
       )
 
       create(
@@ -44,6 +51,7 @@ FactoryBot.define do
         service: 'AZURE',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
+        oauth_client: evaluator.oauth_client,
       )
     end
   end

data/spec/factories/identity_providers.rb

@@ -21,6 +21,13 @@ FactoryBot.define do
       end
     end
 
+    factory :ping_identity_provider, parent: :identity_provider do
+      service { 'PING' }
+      sso_url do
+        'https://auth.pingone.com/42cd503f-f0ba-47c7-a5b5-e69e9d8fab47/saml20/idp/sso'
+      end
+    end
+
     factory :configured_identity_provider, parent: :identity_provider do
       status { 'CONFIGURED' }
       sso_cert do
@@ -55,15 +62,16 @@ end
 # Table name: identity_providers
 #
 #  id                    :uuid             not null, primary key
-#  service               :string
+#  service               :enum
 #  domain                :string           not null
 #  sso_url               :string
 #  sso_cert              :text
 #  enterprise_account_id :uuid
 #  oauth_client_id       :uuid
-#  status                :enum             default("PENDING")
+#  status                :enum             default("pending")
 #  created_at            :datetime
 #  updated_at            :datetime
+#  users_count           :integer          default(0)
 #
 # Indexes
 #

data/spec/factories/user.rb

@@ -12,6 +12,10 @@ FactoryBot.define do
         :authorization_code,
         user: user,
         redirect_uri: user.oauth_client.redirect_uri_values.sample,
+        requested: [
+          { domain: user.email.split('@')[1], email: nil },
+          { domain: nil, email: user.email },
+        ].sample,
       )
     end
   end

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -81,7 +81,7 @@ describe Osso::GraphQL::Schema do
       end
 
       it 'does not configure an identity provider' do
-        expect(subject.dig('errors')).to_not be_empty
+        expect(subject['errors']).to_not be_empty
       end
     end
   end

data/spec/graphql/mutations/create_enterprise_account_spec.rb

@@ -47,7 +47,6 @@ describe Osso::GraphQL::Schema do
           input: {
             name: Faker::Company.name,
             domain: domain,
-            oauthClientId: oauth_client.id,
           },
         }
       end
@@ -57,10 +56,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
 
     describe 'for an internal scoped user' do
@@ -68,7 +63,6 @@ describe Osso::GraphQL::Schema do
         {
           scope: 'internal',
           email: 'user@saasco.com',
-          oauth_client_id: oauth_client.identifier,
         }
       end
 
@@ -77,10 +71,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
 
     describe 'for an email scoped user' do
@@ -97,10 +87,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
     describe 'for the wrong email scoped user' do
       let(:current_context) do

data/spec/graphql/mutations/create_identity_provider_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 describe Osso::GraphQL::Schema do
   describe 'CreateIdentityProvider' do
     let(:enterprise_account) { create(:enterprise_account) }
+    let(:oauth_client) { create(:oauth_client) }
     let(:mutation) do
       <<~GRAPHQL
          mutation CreateIdentityProvider($input: CreateIdentityProviderInput!) {
@@ -34,7 +35,15 @@ describe Osso::GraphQL::Schema do
         { scope: 'admin' }
       end
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'creates an identity provider' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
@@ -44,8 +53,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
-
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                service: 'OKTA',
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
         it 'creates an identity provider for given service ' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
           expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'service')).
@@ -65,8 +82,16 @@ describe Osso::GraphQL::Schema do
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
 
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
-
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
+        
         it 'creates an identity provider' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
           expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'domain')).
@@ -75,7 +100,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+                service: 'OKTA',
+              },
+          }
+        end
 
         it 'creates an identity provider for given service ' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
@@ -97,7 +131,15 @@ describe Osso::GraphQL::Schema do
       let(:target_account) { create(:enterprise_account) }
 
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id, domain: domain } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: target_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
@@ -105,7 +147,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA', domain: domain } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: target_account.id,
+                service: 'OKTA',
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })

data/spec/graphql/query/identity_provider_spec.rb

@@ -8,13 +8,14 @@ describe Osso::GraphQL::Schema do
     let(:domain) { Faker::Internet.domain_name }
     let(:variables) { { id: id } }
     let(:query) do
-      <<~GRAPHQL
+      <<-GRAPHQL
         query IdentityProvider($id: ID!) {
-          identityProvider(id: $id) {            
+          identityProvider(id: $id) {
             id
             service
             domain
             acsUrl
+            acsUrlValidator
             ssoCert
             ssoUrl
             status

data/spec/models/enterprise_account_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Models::EnterpriseAccount do
+  describe 'validates_domain' do
+    it 'it returns false for an invalid domain' do
+      customer = described_class.new(
+        name: 'foo',
+        domain: ' foo.com',
+      )
+
+      customer.save
+
+      expect(customer.errors[:domain]).to include('is invalid')
+    end
+  end
+end

data/spec/models/identity_provider_spec.rb

@@ -24,6 +24,40 @@ describe Osso::Models::IdentityProvider do
     end
   end
 
+  describe '#acs_url_validator' do
+    it 'returns a regex escaped string' do
+      allow(subject).to receive(:acs_url).and_return(
+        'https://foo.com/auth/saml/callback',
+      )
+
+      expect(subject.acs_url_validator).to eq(
+        'https://foo\\.com/auth/saml/callback',
+      )
+    end
+  end
+
+  describe '#sso_issuer' do
+    it 'returns a url unique to self' do
+      ENV['HEROKU_APP_NAME'] = nil
+      ENV['BASE_URL'] = 'https://example.com'
+
+      expect(subject.sso_issuer).to eq(
+        "#{subject.domain}/#{subject.oauth_client_id}",
+      )
+    end
+
+    it 'returns a uri with protocol when required' do
+      ENV['HEROKU_APP_NAME'] = nil
+      ENV['BASE_URL'] = 'https://example.com'
+
+      idp = create(:ping_identity_provider)
+
+      expect(idp.sso_issuer).to eq(
+        "https://#{idp.domain}/#{idp.oauth_client_id}",
+      )
+    end
+  end
+
   describe '#saml_options' do
     it 'returns the required args' do
       expect(subject.saml_options).
@@ -31,7 +65,7 @@ describe Osso::Models::IdentityProvider do
           domain: subject.domain,
           idp_cert: subject.sso_cert,
           idp_sso_target_url: subject.sso_url,
-          issuer: subject.domain,
+          issuer: subject.sso_issuer,
         )
     end
   end

data/spec/routes/admin_spec.rb

@@ -3,56 +3,22 @@
 require 'spec_helper'
 
 describe Osso::Admin do
-  let(:jwt_url) { 'https://foo.com/jwt' }
-  let(:jwt_hmac_secret) { SecureRandom.hex(32) }
-
-  before do
-    ENV['JWT_URL'] = jwt_url
-    ENV['JWT_HMAC_SECRET'] = jwt_hmac_secret
-    described_class.set(:views, spec_views)
-  end
-
   describe 'get /admin' do
-    it 'redirects to JWT_URL without a session or token' do
+    it 'redirects to /login without a session' do
       get('/admin')
 
       expect(last_response).to be_redirect
       follow_redirect!
-      expect(last_request.url).to eq(jwt_url)
-    end
-
-    it 'redirects to JWT_URL with an invalid token' do
-      get('/admin', token: SecureRandom.hex(32))
-
-      expect(last_response).to be_redirect
-
-      follow_redirect!
-
-      expect(last_request.url).to eq(jwt_url)
+      expect(last_request.url).to match('/login')
     end
 
-    it 'chomps the token and redirects to request path with valid token' do
-      token = JWT.encode(
-        { email: 'admin@saas.com', scope: 'admin' },
-        jwt_hmac_secret,
-        'HS256',
-      )
-
-      get('/admin', { admin_token: token })
-
-      expect(last_response).to be_redirect
-      follow_redirect!
-      expect(last_request.url).to match('/admin')
-    end
+    xit 'renders the admin page for a valid session token' do
+      password = SecureRandom.urlsafe_base64(16)
+      account = create(:verified_account, password: password)
 
-    it 'renders the admin page for a valid session token' do
-      token = JWT.encode(
-        { email: 'admin@saas.com', scope: 'admin' },
-        jwt_hmac_secret,
-        'HS256',
-      )
+      post('/login', { email: account.email, password: password })
 
-      get('/admin', {}, 'rack.session' => { admin_token: token })
+      get('/admin')
 
       expect(last_response).to be_ok
     end

data/spec/routes/auth_spec.rb

@@ -182,29 +182,28 @@ describe Osso::Auth do
       it 'raises an error when email is missing' do
         mock_saml_omniauth(email: nil, id: SecureRandom.uuid)
 
-        
-          response = post(
-            "/auth/saml/#{azure_provider.id}/callback",
-            nil,
-            {
-              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-            },
-          )
-
-          expect(response.body).to eq('Osso::Error::MissingSamlEmailAttributeError')
-        end
+        response = post(
+          "/auth/saml/#{azure_provider.id}/callback",
+          nil,
+          {
+            'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+          },
+        )
+
+        expect(response.body).to eq('Osso::Error::MissingSamlEmailAttributeError')
+      end
 
       it 'raises an error when id is missing' do
         mock_saml_omniauth(email: Faker::Internet.email, id: nil)
 
         response = post(
-            "/auth/saml/#{azure_provider.id}/callback",
-            nil,
-            {
-              'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
-            },
-          )
-        
+          "/auth/saml/#{azure_provider.id}/callback",
+          nil,
+          {
+            'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
+          },
+        )
+
         expect(response.body).to eq('Osso::Error::MissingSamlIdAttributeError')
       end
     end