osso 0.0.5.pre.zeta → 0.0.8

Sign up to get free protection for your applications and to get access to all the features.
Files changed (79) hide show
  1. checksums.yaml +4 -4
  2. data/.buildkite/pipeline.yml +6 -4
  3. data/.github/dependabot.yml +8 -0
  4. data/.github/workflows/automerge.yml +19 -0
  5. data/.rubocop.yml +4 -1
  6. data/Gemfile +2 -2
  7. data/Gemfile.lock +69 -51
  8. data/LICENSE +21 -23
  9. data/Rakefile +2 -0
  10. data/bin/annotate +3 -1
  11. data/db/schema.rb +41 -3
  12. data/lib/osso.rb +0 -1
  13. data/lib/osso/db/migrate/20200929154117_add_users_count_to_identity_providers_and_enterprise_accounts.rb +6 -0
  14. data/lib/osso/db/migrate/20201023142158_add_rodauth_tables.rb +47 -0
  15. data/lib/osso/db/migrate/20201105122026_add_token_index_to_access_tokens.rb +5 -0
  16. data/lib/osso/db/migrate/20201106154936_add_requested_to_authorization_codes_and_access_tokens.rb +6 -0
  17. data/lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb +12 -0
  18. data/lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb +9 -0
  19. data/lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb +28 -0
  20. data/lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb +28 -0
  21. data/lib/osso/error/account_configuration_error.rb +1 -0
  22. data/lib/osso/error/oauth_error.rb +6 -3
  23. data/lib/osso/graphql/mutation.rb +2 -0
  24. data/lib/osso/graphql/mutations.rb +2 -0
  25. data/lib/osso/graphql/mutations/create_enterprise_account.rb +0 -7
  26. data/lib/osso/graphql/mutations/create_identity_provider.rb +7 -6
  27. data/lib/osso/graphql/mutations/delete_identity_provider.rb +24 -0
  28. data/lib/osso/graphql/mutations/invite_admin_user.rb +43 -0
  29. data/lib/osso/graphql/query.rb +8 -0
  30. data/lib/osso/graphql/resolvers/enterprise_accounts.rb +3 -3
  31. data/lib/osso/graphql/types.rb +2 -2
  32. data/lib/osso/graphql/types/admin_user.rb +9 -0
  33. data/lib/osso/graphql/types/base_object.rb +1 -1
  34. data/lib/osso/graphql/types/enterprise_account.rb +1 -0
  35. data/lib/osso/graphql/types/identity_provider.rb +3 -0
  36. data/lib/osso/graphql/types/identity_provider_service.rb +3 -1
  37. data/lib/osso/lib/app_config.rb +1 -1
  38. data/lib/osso/lib/route_map.rb +0 -15
  39. data/lib/osso/lib/saml_handler.rb +5 -0
  40. data/lib/osso/models/access_token.rb +4 -2
  41. data/lib/osso/models/account.rb +34 -0
  42. data/lib/osso/models/authorization_code.rb +2 -1
  43. data/lib/osso/models/enterprise_account.rb +3 -1
  44. data/lib/osso/models/identity_provider.rb +24 -5
  45. data/lib/osso/models/models.rb +1 -0
  46. data/lib/osso/models/oauth_client.rb +0 -1
  47. data/lib/osso/models/user.rb +2 -2
  48. data/lib/osso/routes/admin.rb +39 -33
  49. data/lib/osso/routes/auth.rb +9 -9
  50. data/lib/osso/routes/oauth.rb +42 -18
  51. data/lib/osso/version.rb +1 -1
  52. data/lib/osso/views/admin.erb +5 -0
  53. data/lib/osso/views/error.erb +1 -0
  54. data/lib/osso/views/layout.erb +0 -0
  55. data/lib/osso/views/multiple_providers.erb +1 -0
  56. data/lib/osso/views/welcome.erb +0 -0
  57. data/lib/tasks/bootstrap.rake +25 -4
  58. data/osso-rb.gemspec +5 -0
  59. data/spec/factories/account.rb +24 -0
  60. data/spec/factories/enterprise_account.rb +11 -3
  61. data/spec/factories/identity_providers.rb +10 -2
  62. data/spec/factories/user.rb +4 -0
  63. data/spec/graphql/mutations/configure_identity_provider_spec.rb +1 -1
  64. data/spec/graphql/mutations/create_enterprise_account_spec.rb +0 -14
  65. data/spec/graphql/mutations/create_identity_provider_spec.rb +59 -8
  66. data/spec/graphql/query/identity_provider_spec.rb +3 -2
  67. data/spec/models/enterprise_account_spec.rb +18 -0
  68. data/spec/models/identity_provider_spec.rb +36 -1
  69. data/spec/routes/admin_spec.rb +7 -41
  70. data/spec/routes/auth_spec.rb +17 -18
  71. data/spec/routes/oauth_spec.rb +102 -5
  72. data/spec/spec_helper.rb +3 -3
  73. data/spec/support/views/hosted_login.erb +1 -0
  74. data/spec/support/views/layout.erb +1 -0
  75. data/spec/support/views/multiple_providers.erb +1 -0
  76. metadata +108 -7
  77. data/lib/osso/helpers/auth.rb +0 -94
  78. data/lib/osso/helpers/helpers.rb +0 -8
  79. data/spec/helpers/auth_spec.rb +0 -97
data/lib/osso/helpers/auth.rb DELETED
@@ -1,94 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Osso
4
- module Helpers
5
- module Auth
6
- END_USER_SCOPE = 'end-user'
7
- INTERNAL_SCOPE = 'internal'
8
- ADMIN_SCOPE = 'admin'
9
-
10
- attr_accessor :current_user
11
-
12
- def token_protected!
13
- decode(token)
14
- rescue JWT::DecodeError
15
- halt 401
16
- end
17
-
18
- def enterprise_protected!(domain = nil)
19
- return if admin_authorized?
20
- return if internal_authorized?
21
- return if enterprise_authorized?(domain)
22
-
23
- halt 401 if request.post?
24
-
25
- redirect ENV['JWT_URL']
26
- end
27
-
28
- def internal_protected!
29
- return if admin_authorized?
30
- return if internal_authorized?
31
-
32
- redirect ENV['JWT_URL']
33
- end
34
-
35
- def admin_protected!
36
- return true if admin_authorized?
37
-
38
- redirect ENV['JWT_URL']
39
- end
40
-
41
- private
42
-
43
- def enterprise_authorized?(domain)
44
- decode(token)
45
-
46
- @current_user[:scope] == END_USER_SCOPE &&
47
- @current_user[:email].split('@')[1] == domain
48
- rescue JWT::DecodeError
49
- false
50
- end
51
-
52
- def internal_authorized?
53
- decode(token)
54
-
55
- @current_user[:scope] == INTERNAL_SCOPE
56
- rescue JWT::DecodeError
57
- false
58
- end
59
-
60
- def admin_authorized?
61
- decode(token)
62
-
63
- @current_user[:scope] == ADMIN_SCOPE
64
- rescue JWT::DecodeError
65
- false
66
- end
67
-
68
- def token
69
- request.env['admin_token'] || session['admin_token'] || request['admin_token']
70
- end
71
-
72
- def chomp_token
73
- return unless request['admin_token'].present?
74
-
75
- session['admin_token'] = request['admin_token']
76
-
77
- return if request.post?
78
-
79
- redirect request.path
80
- end
81
-
82
- def decode(token)
83
- payload, _args = JWT.decode(
84
- token,
85
- ENV['JWT_HMAC_SECRET'],
86
- true,
87
- { algorithm: 'HS256' },
88
- )
89
-
90
- @current_user = payload.symbolize_keys
91
- end
92
- end
93
- end
94
- end
data/lib/osso/helpers/helpers.rb DELETED
@@ -1,8 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- module Osso
4
- module Helpers
5
- end
6
- end
7
-
8
- require_relative 'auth'
data/spec/helpers/auth_spec.rb DELETED
@@ -1,97 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require 'spec_helper'
4
-
5
- describe Osso::Helpers::Auth do
6
- before do
7
- ENV['JWT_HMAC_SECRET'] = 'super-secret'
8
- end
9
-
10
- subject(:app) do
11
- Class.new { include Osso::Helpers::Auth }
12
- end
13
-
14
- describe 'with the token as a header' do
15
- before do
16
- allow_any_instance_of(subject).to receive(:request) do
17
- double('Request', env: { 'admin_token' => token }, post?: false)
18
- end
19
-
20
- allow_any_instance_of(subject).to receive(:redirect) do
21
- false
22
- end
23
- end
24
-
25
- describe 'with an admin token' do
26
- let(:token) { encode({ scope: 'admin' }) }
27
-
28
- it 'allows #token_protected! methods' do
29
- expect(subject.new.token_protected!).to_not be(false)
30
- end
31
-
32
- it 'allows #enterprise_protected! methods' do
33
- expect(subject.new.enterprise_protected!).to_not be(false)
34
- end
35
-
36
- it 'allows #internal_protected! methods' do
37
- expect(subject.new.internal_protected!).to_not be(false)
38
- end
39
-
40
- it 'allows #admin_protected! methods' do
41
- expect(subject.new.admin_protected!).to_not be(false)
42
- end
43
- end
44
-
45
- describe 'with an internal token' do
46
- let(:token) { encode({ scope: 'internal' }) }
47
-
48
- it 'allows #token_protected! methods' do
49
- expect(subject.new.token_protected!).to_not be(false)
50
- end
51
-
52
- it 'allows #enterprise_protected! methods' do
53
- expect(subject.new.enterprise_protected!).to_not be(false)
54
- end
55
-
56
- it 'allows #internal_protected! methods' do
57
- expect(subject.new.internal_protected!).to_not be(false)
58
- end
59
-
60
- it 'allows #admin_protected! methods' do
61
- expect(subject.new.admin_protected!).to be(false)
62
- end
63
- end
64
-
65
- describe 'with an end-user token' do
66
- let(:token) { encode({ scope: 'end-user', email: 'user@example.com' }) }
67
-
68
- it 'allows #token_protected! methods' do
69
- expect(subject.new.token_protected!).to_not be(false)
70
- end
71
-
72
- it 'allows #enterprise_protected! methods for the scoped domain' do
73
- expect(subject.new.enterprise_protected!('example.com')).to_not be(false)
74
- end
75
-
76
- it 'halts #enterprise_protected! methods for the wrong scoped domain' do
77
- expect(subject.new.enterprise_protected!('foo.com')).to be(false)
78
- end
79
-
80
- it 'halts #internal_protected! methods' do
81
- expect(subject.new.internal_protected!).to be(false)
82
- end
83
-
84
- it 'halts #admin_protected! methods' do
85
- expect(subject.new.admin_protected!).to be(false)
86
- end
87
- end
88
- end
89
-
90
- def encode(payload)
91
- JWT.encode(
92
- payload,
93
- ENV['JWT_HMAC_SECRET'],
94
- 'HS256',
95
- )
96
- end
97
- end