osso 0.0.5.pre.zeta → 0.0.8

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.5-zeta'
+  VERSION = '0.0.8'
 end

data/lib/osso/views/admin.erb

@@ -0,0 +1,5 @@
+<%# 
+    NB: this file exists so that the admin routes have something to render in spec.
+    In real-world usage, those routes render an index.html file that includes the
+    React app.
+ %>

data/lib/osso/views/error.erb

@@ -0,0 +1 @@
+<%= @error %>

data/lib/osso/views/multiple_providers.erb

@@ -0,0 +1 @@
+MULITPLE PROVIDERS

data/lib/tasks/bootstrap.rake

@@ -7,12 +7,33 @@ require 'osso'
 namespace :osso do
   desc 'Bootstrap Osso data for a deployment'
   task :bootstrap do
-    %w[Production Staging Development].each do |environement|
+    %w[Production Staging Development].each do |environment|
       Osso::Models::OauthClient.create!(
-        name: environement,
-      )
+        name: environment,
+      ) unless Osso::Models::OauthClient.find_by_name(environment)
     end
 
-    Osso::Models::AppConfig.create!
+    Osso::Models::AppConfig.create
+
+    admin_email = ENV['ADMIN_EMAIL']
+
+    if admin_email
+      admin = Osso::Models::Account.create(
+        email: admin_email,
+        status_id: 1,
+        role: 'admin',
+      )
+
+      base_uri = URI.parse(ENV['BASE_URL'])
+
+      rodauth = Osso::Admin.rodauth.new(Osso::Admin.new({
+        'HTTP_HOST' => base_uri.host,
+        'SERVER_NAME' => base_uri.to_s,
+        'rack.url_scheme' => base_uri.scheme
+      }))
+
+      account = rodauth.account_from_login(admin_email)
+      rodauth.setup_account_verification
+    end
   end
 end

data/osso-rb.gemspec

@@ -16,14 +16,19 @@ Gem::Specification.new do |spec|
   spec.license = 'MIT'
 
   spec.add_runtime_dependency 'activesupport', '>= 6.0.3.2'
+  spec.add_runtime_dependency 'bcrypt', '~> 3.1.13'
   spec.add_runtime_dependency 'graphql'
   spec.add_runtime_dependency 'jwt'
+  spec.add_runtime_dependency 'mail', '~> 2.7.1'
   spec.add_runtime_dependency 'omniauth-multi-provider'
   spec.add_runtime_dependency 'omniauth-saml'
   spec.add_runtime_dependency 'rack', '>= 2.1.4'
   spec.add_runtime_dependency 'rack-contrib'
   spec.add_runtime_dependency 'rack-oauth2'
   spec.add_runtime_dependency 'rake'
+  spec.add_runtime_dependency 'rodauth', '~> 2.6.0'
+  spec.add_runtime_dependency 'sequel', '>= 5.37', '< 5.40'
+  spec.add_runtime_dependency 'sequel-activerecord_connection', '>= 0.3', '< 2.0'
   spec.add_runtime_dependency 'sinatra'
   spec.add_runtime_dependency 'sinatra-activerecord'
   spec.add_runtime_dependency 'sinatra-contrib'

data/spec/factories/account.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+DB = Sequel.postgres(extensions: :activerecord_connection)
+
+FactoryBot.define do
+  factory :account, class: Osso::Models::Account do
+    id { SecureRandom.uuid }
+    email { Faker::Internet.email }
+  end
+
+  factory :verified_account, parent: :account do
+    transient do
+      password { SecureRandom.urlsafe_base64(8) }
+    end
+    status_id { 2 }
+
+    after :create do |account|
+      DB[:account_password_hashes].insert(
+        id: account.id,
+        password_hash: BCrypt::Password.create('secret', cost: BCrypt::Engine::MIN_COST).to_s,
+      )
+    end
+  end
+end

data/spec/factories/enterprise_account.rb

@@ -2,19 +2,22 @@
 
 FactoryBot.define do
   factory :enterprise_account, class: Osso::Models::EnterpriseAccount do
+    transient do
+      oauth_client { create(:oauth_client) }
+    end
     id { SecureRandom.uuid }
     name { Faker::Company.name }
     domain { Faker::Internet.domain_name }
-    oauth_client
   end
 
   factory :enterprise_with_okta, parent: :enterprise_account do
-    after :create do |enterprise|
+    after :create do |enterprise, evaluator|
       create(
         :configured_identity_provider,
         service: 'OKTA',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
+        oauth_client: evaluator.oauth_client,
       )
     end
   end
@@ -31,12 +34,16 @@ FactoryBot.define do
   end
 
   factory :enterprise_with_multiple_providers, parent: :enterprise_account do
-    after :create do |enterprise|
+    transient do
+      oauth_client { nil }
+    end
+    after :create do |enterprise, evaluator|
       create(
         :configured_identity_provider,
         service: 'OKTA',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
+        oauth_client: evaluator.oauth_client,
       )
 
       create(
@@ -44,6 +51,7 @@ FactoryBot.define do
         service: 'AZURE',
         domain: enterprise.domain,
         enterprise_account_id: enterprise.id,
+        oauth_client: evaluator.oauth_client,
       )
     end
   end

data/spec/factories/identity_providers.rb

@@ -21,6 +21,13 @@ FactoryBot.define do
       end
     end
 
+    factory :ping_identity_provider, parent: :identity_provider do
+      service { 'PING' }
+      sso_url do
+        'https://auth.pingone.com/42cd503f-f0ba-47c7-a5b5-e69e9d8fab47/saml20/idp/sso'
+      end
+    end
+
     factory :configured_identity_provider, parent: :identity_provider do
       status { 'CONFIGURED' }
       sso_cert do
@@ -55,15 +62,16 @@ end
 # Table name: identity_providers
 #
 #  id                    :uuid             not null, primary key
-#  service               :string
+#  service               :enum
 #  domain                :string           not null
 #  sso_url               :string
 #  sso_cert              :text
 #  enterprise_account_id :uuid
 #  oauth_client_id       :uuid
-#  status                :enum             default("PENDING")
+#  status                :enum             default("pending")
 #  created_at            :datetime
 #  updated_at            :datetime
+#  users_count           :integer          default(0)
 #
 # Indexes
 #

data/spec/factories/user.rb

@@ -12,6 +12,10 @@ FactoryBot.define do
         :authorization_code,
         user: user,
         redirect_uri: user.oauth_client.redirect_uri_values.sample,
+        requested: [
+          { domain: user.email.split('@')[1], email: nil },
+          { domain: nil, email: user.email },
+        ].sample,
       )
     end
   end

data/spec/graphql/mutations/configure_identity_provider_spec.rb

@@ -81,7 +81,7 @@ describe Osso::GraphQL::Schema do
       end
 
       it 'does not configure an identity provider' do
-        expect(subject.dig('errors')).to_not be_empty
+        expect(subject['errors']).to_not be_empty
       end
     end
   end

data/spec/graphql/mutations/create_enterprise_account_spec.rb

@@ -47,7 +47,6 @@ describe Osso::GraphQL::Schema do
           input: {
             name: Faker::Company.name,
             domain: domain,
-            oauthClientId: oauth_client.id,
           },
         }
       end
@@ -57,10 +56,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
 
     describe 'for an internal scoped user' do
@@ -68,7 +63,6 @@ describe Osso::GraphQL::Schema do
         {
           scope: 'internal',
           email: 'user@saasco.com',
-          oauth_client_id: oauth_client.identifier,
         }
       end
 
@@ -77,10 +71,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
 
     describe 'for an email scoped user' do
@@ -97,10 +87,6 @@ describe Osso::GraphQL::Schema do
         expect(subject.dig('data', 'createEnterpriseAccount', 'enterpriseAccount', 'domain')).
           to eq(domain)
       end
-
-      it 'attaches the Enterprise Account to the correct OAuth Client' do
-        expect { subject }.to change { oauth_client.enterprise_accounts.count }.by(1)
-      end
     end
     describe 'for the wrong email scoped user' do
       let(:current_context) do

data/spec/graphql/mutations/create_identity_provider_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 describe Osso::GraphQL::Schema do
   describe 'CreateIdentityProvider' do
     let(:enterprise_account) { create(:enterprise_account) }
+    let(:oauth_client) { create(:oauth_client) }
     let(:mutation) do
       <<~GRAPHQL
          mutation CreateIdentityProvider($input: CreateIdentityProviderInput!) {
@@ -34,7 +35,15 @@ describe Osso::GraphQL::Schema do
         { scope: 'admin' }
       end
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'creates an identity provider' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
@@ -44,8 +53,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
-
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                service: 'OKTA',
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
         it 'creates an identity provider for given service ' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
           expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'service')).
@@ -65,8 +82,16 @@ describe Osso::GraphQL::Schema do
       let(:enterprise_account) { create(:enterprise_account, domain: domain) }
 
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id } } }
-
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
+        
         it 'creates an identity provider' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
           expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'domain')).
@@ -75,7 +100,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: enterprise_account.id, service: 'OKTA' } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: enterprise_account.id,
+                oauthClientId: oauth_client.id,
+                service: 'OKTA',
+              },
+          }
+        end
 
         it 'creates an identity provider for given service ' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
@@ -97,7 +131,15 @@ describe Osso::GraphQL::Schema do
       let(:target_account) { create(:enterprise_account) }
 
       describe 'without a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id, domain: domain } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: target_account.id,
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })
@@ -105,7 +147,16 @@ describe Osso::GraphQL::Schema do
       end
 
       describe 'with a service' do
-        let(:variables) { { input: { enterpriseAccountId: target_account.id, service: 'OKTA', domain: domain } } }
+        let(:variables) do
+          {
+            input:
+              {
+                enterpriseAccountId: target_account.id,
+                service: 'OKTA',
+                oauthClientId: oauth_client.id,
+              },
+          }
+        end
 
         it 'does not creates a identity provider' do
           expect { subject }.to_not(change { Osso::Models::IdentityProvider.count })

data/spec/graphql/query/identity_provider_spec.rb

@@ -8,13 +8,14 @@ describe Osso::GraphQL::Schema do
     let(:domain) { Faker::Internet.domain_name }
     let(:variables) { { id: id } }
     let(:query) do
-      <<~GRAPHQL
+      <<-GRAPHQL
         query IdentityProvider($id: ID!) {
-          identityProvider(id: $id) {            
+          identityProvider(id: $id) {
             id
             service
             domain
             acsUrl
+            acsUrlValidator
             ssoCert
             ssoUrl
             status

data/spec/models/enterprise_account_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Osso::Models::EnterpriseAccount do
+  describe 'validates_domain' do
+    it 'it returns false for an invalid domain' do
+      customer = described_class.new(
+        name: 'foo',
+        domain: ' foo.com',
+      )
+
+      customer.save
+
+      expect(customer.errors[:domain]).to include('is invalid')
+    end
+  end
+end

data/spec/models/identity_provider_spec.rb

@@ -24,6 +24,40 @@ describe Osso::Models::IdentityProvider do
     end
   end
 
+  describe '#acs_url_validator' do
+    it 'returns a regex escaped string' do
+      allow(subject).to receive(:acs_url).and_return(
+        'https://foo.com/auth/saml/callback',
+      )
+
+      expect(subject.acs_url_validator).to eq(
+        'https://foo\\.com/auth/saml/callback',
+      )
+    end
+  end
+
+  describe '#sso_issuer' do
+    it 'returns a url unique to self' do
+      ENV['HEROKU_APP_NAME'] = nil
+      ENV['BASE_URL'] = 'https://example.com'
+
+      expect(subject.sso_issuer).to eq(
+        "#{subject.domain}/#{subject.oauth_client_id}",
+      )
+    end
+
+    it 'returns a uri with protocol when required' do
+      ENV['HEROKU_APP_NAME'] = nil
+      ENV['BASE_URL'] = 'https://example.com'
+
+      idp = create(:ping_identity_provider)
+
+      expect(idp.sso_issuer).to eq(
+        "https://#{idp.domain}/#{idp.oauth_client_id}",
+      )
+    end
+  end
+
   describe '#saml_options' do
     it 'returns the required args' do
       expect(subject.saml_options).
@@ -31,7 +65,8 @@ describe Osso::Models::IdentityProvider do
           domain: subject.domain,
           idp_cert: subject.sso_cert,
           idp_sso_target_url: subject.sso_url,
-          issuer: subject.domain,
+          issuer: subject.sso_issuer,
+          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         )
     end
   end