osso 0.0.5.pre.zeta → 0.0.8

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -5,9 +5,11 @@ module Osso
     module Types
       class IdentityProviderService < BaseEnum
         value('AZURE', 'Microsoft Azure Identity Provider', value: 'AZURE')
+        value('GOOGLE', 'Google SAML Identity Provider', value: 'GOOGLE')
         value('OKTA', 'Okta Identity Provider', value: 'OKTA')
         value('ONELOGIN', 'OneLogin Identity Provider', value: 'ONELOGIN')
-        value('GOOGLE', 'Google SAML Identity Provider', value: 'GOOGLE')
+        value('PING', 'PingID Identity Provider', value: 'PING')
+        value('SALESFORCE', 'Salesforce Identity Provider', value: 'SALESFORCE')
       end
     end
   end

data/lib/osso/lib/app_config.rb

@@ -7,7 +7,7 @@ module Osso
     def self.included(klass)
       klass.class_eval do
         use Rack::JSONBodyParser
-        use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+        use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
 
         error ActiveRecord::RecordNotFound do
           status 404

data/lib/osso/lib/route_map.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-# rubocop:disable Metrics/MethodLength
-
 module Osso
   module RouteMap
     def self.included(klass)
@@ -9,20 +7,7 @@ module Osso
         use Osso::Admin
         use Osso::Auth
         use Osso::Oauth
-
-        post '/graphql' do
-          token_protected!
-
-          result = Osso::GraphQL::Schema.execute(
-            params[:query],
-            variables: params[:variables],
-            context: current_user.symbolize_keys,
-          )
-
-          json result
-        end
       end
     end
   end
 end
-# rubocop:enable Metrics/MethodLength

data/lib/osso/lib/saml_handler.rb

@@ -55,6 +55,7 @@ module Osso
       @authorization_code ||= user.authorization_codes.create!(
         oauth_client: provider.oauth_client,
         redirect_uri: redirect_uri_base,
+        requested: requested_param,
       )
     end
 
@@ -81,5 +82,9 @@ module Osso
     def valid_idp_initiated_flow
       !session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
     end
+
+    def requested_param
+      @session.delete(:osso_oauth_requested)
+    end
   end
 end

data/lib/osso/models/access_token.rb

@@ -39,9 +39,11 @@ end
 #  updated_at      :datetime         not null
 #  user_id         :uuid
 #  oauth_client_id :uuid
+#  requested       :jsonb
 #
 # Indexes
 #
-#  index_access_tokens_on_oauth_client_id  (oauth_client_id)
-#  index_access_tokens_on_user_id          (user_id)
+#  index_access_tokens_on_oauth_client_id       (oauth_client_id)
+#  index_access_tokens_on_token_and_expires_at  (token,expires_at) UNIQUE
+#  index_access_tokens_on_user_id               (user_id)
 #

data/lib/osso/models/account.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class Account < ::ActiveRecord::Base
+      enum status_id: { 1 => :Unverified, 2 => :Verified, 3 => :Closed }
+
+      def context
+        {
+          email: email,
+          id: id,
+          scope: role,
+          oauth_client_id: oauth_client_id,
+        }
+      end
+    end
+  end
+end
+
+# == Schema Information
+#
+# Table name: accounts
+#
+#  id              :uuid             not null, primary key
+#  email           :citext           not null
+#  status_id       :integer          default(NULL), not null
+#  role            :string           default("admin"), not null
+#  oauth_client_id :string
+#
+# Indexes
+#
+#  index_accounts_on_email            (email) UNIQUE WHERE (status_id = ANY (ARRAY[1, 2]))
+#  index_accounts_on_oauth_client_id  (oauth_client_id)
+#

data/lib/osso/models/authorization_code.rb

@@ -7,7 +7,7 @@ module Osso
 
       def access_token
         @access_token ||= expired! &&
-          user.access_tokens.create(oauth_client: oauth_client)
+          user.access_tokens.create(oauth_client: oauth_client, requested: requested)
       end
     end
   end
@@ -25,6 +25,7 @@ end
 #  updated_at      :datetime         not null
 #  user_id         :uuid
 #  oauth_client_id :uuid
+#  requested       :jsonb
 #
 # Indexes
 #

data/lib/osso/models/enterprise_account.rb

@@ -8,10 +8,11 @@ module Osso
     # includes fields for external IDs such that you can persist
     # your ID for an account in your Osso instance.
     class EnterpriseAccount < ActiveRecord::Base
-      belongs_to :oauth_client
       has_many :users
       has_many :identity_providers
 
+      validates_format_of :domain, with: /\A[a-z0-9]+([\-.]{1}[a-z0-9]+)*\.[a-z]{2,5}\z/
+
       def single_provider?
         identity_providers.not_pending.one?
       end
@@ -40,6 +41,7 @@ end
 #  name            :string           not null
 #  created_at      :datetime         not null
 #  updated_at      :datetime         not null
+#  users_count     :integer          default(0)
 #
 # Indexes
 #

data/lib/osso/models/identity_provider.rb

@@ -6,15 +6,20 @@ module Osso
     class IdentityProvider < ActiveRecord::Base
       belongs_to :enterprise_account
       belongs_to :oauth_client
-      has_many :users
+      has_many :users, dependent: :delete_all
+      before_create :set_sso_issuer
       before_save :set_status
       validate :sso_cert_valid
 
-      enum status: { pending: "PENDING", configured: 'CONFIGURED', active: "ACTIVE", error: "ERROR"}
+      enum status: { pending: 'PENDING', configured: 'CONFIGURED', active: 'ACTIVE', error: 'ERROR' }
 
       PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
       PEM_FOOTER = "\n-----END CERTIFICATE-----"
 
+      ENTITY_ID_URI_REQUIRED = [
+        'PING',
+      ]
+
       def name
         service.titlecase
       end
@@ -24,7 +29,8 @@ module Osso
           domain: domain,
           idp_sso_target_url: sso_url,
           idp_cert: sso_cert,
-          issuer: domain,
+          issuer: sso_issuer,
+          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         }
       end
 
@@ -40,10 +46,22 @@ module Osso
 
       alias acs_url assertion_consumer_service_url
 
+      def acs_url_validator
+        Regexp.escape(acs_url)
+      end
+
       def set_status
         self.status = 'configured' if sso_url && sso_cert && pending?
       end
 
+      def set_sso_issuer
+        parts = [domain, oauth_client_id]
+        
+        parts.unshift('https:/') if ENTITY_ID_URI_REQUIRED.any?(service)
+
+        self.sso_issuer = parts.join('/')
+      end
+
       def active!
         update(status: 'active')
       end
@@ -81,15 +99,16 @@ end
 # Table name: identity_providers
 #
 #  id                    :uuid             not null, primary key
-#  service               :string
+#  service               :enum
 #  domain                :string           not null
 #  sso_url               :string
 #  sso_cert              :text
 #  enterprise_account_id :uuid
 #  oauth_client_id       :uuid
-#  status                :enum             default("PENDING")
+#  status                :enum             default("pending")
 #  created_at            :datetime
 #  updated_at            :datetime
+#  users_count           :integer          default(0)
 #
 # Indexes
 #

data/lib/osso/models/models.rb

@@ -10,6 +10,7 @@ module Osso
 end
 
 require_relative 'access_token'
+require_relative 'account'
 require_relative 'app_config'
 require_relative 'authorization_code'
 require_relative 'enterprise_account'

data/lib/osso/models/oauth_client.rb

@@ -5,7 +5,6 @@ module Osso
   module Models
     class OauthClient < ActiveRecord::Base
       has_many :access_tokens
-      has_many :enterprise_accounts
       has_many :refresh_tokens
       has_many :identity_providers
       has_many :redirect_uris

data/lib/osso/models/user.rb

@@ -3,8 +3,8 @@
 module Osso
   module Models
     class User < ActiveRecord::Base
-      belongs_to :enterprise_account
-      belongs_to :identity_provider
+      belongs_to :enterprise_account, counter_cache: true
+      belongs_to :identity_provider, counter_cache: true
       has_many :authorization_codes, dependent: :delete_all
       has_many :access_tokens, dependent: :delete_all
 

data/lib/osso/routes/admin.rb

@@ -1,53 +1,59 @@
 # frozen_string_literal: true
 
-require 'jwt'
+require 'roda'
+require 'sequel/core'
 
-module Osso
-  class Admin < Sinatra::Base
-    include AppConfig
-    helpers Helpers::Auth
-    register Sinatra::Namespace
+DEFAULT_VIEWS_DIR = File.join(File.expand_path(Bundler.root), 'views/rodauth')
 
-    before do
-      chomp_token
+module Osso
+  class Admin < Roda
+    DB = Sequel.postgres(extensions: :activerecord_connection)
+    use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
+
+    plugin :middleware
+    plugin :render, engine: 'erb', views: ENV['RODAUTH_VIEWS'] || DEFAULT_VIEWS_DIR
+    plugin :route_csrf
+
+    plugin :rodauth do
+      enable :login, :verify_account
+      verify_account_set_password? true
+      already_logged_in { redirect login_redirect }
+      use_database_authentication_functions? false
+
+      before_create_account_route do
+        request.halt unless DB[:accounts].empty?
+      end
     end
 
-    namespace '/admin' do
-      get '/login' do
-        token_protected!
-
-        erb :admin, layout: false
-      end
+    alias erb render
 
-      get '' do
-        internal_protected!
+    route do |r|
+      r.rodauth
 
-        erb :admin, layout: false
+      def current_account
+        Osso::Models::Account.find(rodauth.session['account_id']).
+          context.
+          merge({ rodauth: rodauth })
       end
 
-      get '/enterprise' do
-        token_protected!
-
+      r.on 'admin' do
+        rodauth.require_authentication
         erb :admin, layout: false
       end
 
-      get '/enterprise/:domain' do
-        enterprise_protected!(params[:domain])
+      r.post 'graphql' do
+        rodauth.require_authentication
 
-        erb :admin, layout: false
-      end
+        result = Osso::GraphQL::Schema.execute(
+          r.params['query'],
+          variables: r.params['variables'],
+          context: current_account,
+        )
 
-      get '/config' do
-        admin_protected!
-
-        erb :admin, layout: false
+        result.to_json
       end
 
-      get '/config/:id' do
-        admin_protected!
-
-        erb :admin, layout: false
-      end
+      env['rodauth'] = rodauth
     end
   end
 end

data/lib/osso/routes/auth.rb

@@ -13,7 +13,7 @@ module Osso
     UUID_REGEXP =
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
-    
+
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,
@@ -26,7 +26,8 @@ module Osso
           not_pending.
           find(identity_provider_id).
           saml_options
-      rescue
+      rescue StandardError => e
+        Raven.capture_exception(e) if defined?(Raven)
         {}
       end
     end
@@ -38,21 +39,20 @@ module Osso
     namespace '/auth' do
       get '/failure' do
         # ??? invalid ticket, warden throws, ugh
-        
+
         # confirmed:
-        # - a valid but wrong cert will throw here 
+        # - a valid but wrong cert will throw here
         #   (OneLogin::RubySaml::ValidationError, Fingerprint mismatch)
         #   but an _invalid_ cert is not caught. we do validate certs on
         #   configuration, so this may be ok
         #
         # - a valid but wrong ACS URL will throw here. the urls
         #   are pretty complex, but it has come up
-        # 
+        #
         # - specifying the wrong "recipient" in your IDP. Only OL so far
         #   (OneLogin::RubySaml::ValidationError, The response was received
-        #    at vcardme.com instead of 
-        #    http://localhost:9292/auth/saml/e54a9a92-b4b5-4ea5-b0e3-b1423eb20b76/callback) 
-
+        #    at vcardme.com instead of
+        #    http://localhost:9292/auth/saml/e54a9a92-b4b5-4ea5-b0e3-b1423eb20b76/callback)
 
         @error = Osso::Error::SamlConfigError.new
         erb :error
@@ -73,7 +73,7 @@ module Osso
       rescue Osso::Error::Base => e
         @error = e
         erb :error
-      end  
+      end
     end
   end
 end

data/lib/osso/routes/oauth.rb

@@ -16,15 +16,15 @@ module Osso
       # Once they complete IdP login, they will be returned to the
       # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        client = find_client(params[:client_id])
-        enterprise = find_account(domain: params[:domain], client_id: client.id)
-
         validate_oauth_request(env)
 
-        redirect "/auth/saml/#{enterprise.provider.id}" if enterprise.single_provider?
+        return erb :hosted_login if render_hosted_login?
+
+        @providers = find_providers
 
-        @providers = enterprise.identity_providers.not_pending
-        erb :multiple_providers if @providers.count > 1
+        redirect "/auth/saml/#{@providers.first.id}" if @providers.one?
+
+        return erb :multiple_providers if @providers.count > 1
 
         raise Osso::Error::MissingConfiguredIdentityProvider.new(domain: params[:domain])
       rescue Osso::Error::Base => e
@@ -38,11 +38,12 @@ module Osso
       # and client secret
       post '/token' do
         Rack::OAuth2::Server::Token.new do |req, res|
-          code = Models::AuthorizationCode.
-            find_by_token!(params[:code])
           client = Models::OauthClient.find_by!(identifier: req.client_id)
           req.invalid_client! if client.secret != req.client_secret
+
+          code = Models::AuthorizationCode.find_by_token!(params[:code])
           req.invalid_grant! if code.redirect_uri != req.redirect_uri
+
           res.access_token = code.access_token.to_bearer_token
         end.call(env)
       end
@@ -50,22 +51,40 @@ module Osso
       # Use the access token to request a profile for the user who
       # just logged in. Access tokens are short-lived.
       get '/me' do
-        json Models::AccessToken.
+        token = Models::AccessToken.
           includes(:user).
           valid.
-          find_by_token!(params[:access_token]).
-          user
+          find_by_token!(access_token)
+
+        json token.user.as_json.merge(requested: token.requested)
       end
     end
 
     private
 
-    def find_account(domain:, client_id:)
-      Models::EnterpriseAccount.
-        includes(:identity_providers).
-        find_by!(domain: domain, oauth_client_id: client_id)
-    rescue ActiveRecord::RecordNotFound
-      raise Osso::Error::NoAccountForOAuthClientError.new(domain: params[:domain])
+    def render_hosted_login?
+      [params[:email], params[:domain]].all?(&:nil?)
+    end
+
+    def find_providers
+      if params[:email]
+        user = Osso::Models::User.
+          includes(:identity_provider).
+          find_by(email: params[:email])
+        return [user.identity_provider] if user
+      end
+
+      Osso::Models::IdentityProvider.
+        joins(:oauth_client).
+        not_pending.
+        where(
+          domain: domain_from_params,
+          oauth_clients: { identifier: params[:client_id] },
+        )
+    end
+
+    def domain_from_params
+      params[:domain] || params[:email].split('@')[1]
     end
 
     def find_client(identifier)
@@ -74,14 +93,19 @@ module Osso
       raise Osso::Error::InvalidOAuthClientIdentifier
     end
 
-    def validate_oauth_request(env)
+    def validate_oauth_request(env) # rubocop:disable Metrics/AbcSize
       Rack::OAuth2::Server::Authorize.new do |req, _res|
         client = find_client(req[:client_id])
         session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
         session[:osso_oauth_state] = params[:state]
+        session[:osso_oauth_requested] = { domain: req[:domain], email: req[:email] }
       end.call(env)
     rescue Rack::OAuth2::Server::Authorize::BadRequest
       raise Osso::Error::InvalidRedirectUri.new(redirect_uri: params[:redirect_uri])
     end
+
+    def access_token
+      params[:access_token] || env.fetch('HTTP_AUTHORIZATION', '').slice(-64..-1)
+    end
   end
 end