RubyGems - osso - Versions diffs - 0.0.6.alpha → 0.0.11 - Mend

osso 0.0.6.alpha → 0.0.11

Files changed (38) hide show

checksums.yaml +4 -4
data/.buildkite/pipeline.yml +3 -2
data/.github/dependabot.yml +8 -0
data/.github/workflows/automerge.yml +19 -0
data/Gemfile +3 -3
data/Gemfile.lock +62 -56
data/Rakefile +3 -0
data/bin/console +3 -0
data/db/schema.rb +2 -2
data/lib/osso.rb +1 -1
data/lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb +28 -0
data/lib/osso/graphql/mutations/configure_identity_provider.rb +4 -1
data/lib/osso/graphql/mutations/create_enterprise_account.rb +4 -1
data/lib/osso/graphql/mutations/create_identity_provider.rb +6 -1
data/lib/osso/graphql/mutations/create_oauth_client.rb +4 -1
data/lib/osso/graphql/mutations/delete_enterprise_account.rb +5 -1
data/lib/osso/graphql/mutations/delete_identity_provider.rb +4 -1
data/lib/osso/graphql/mutations/delete_oauth_client.rb +4 -1
data/lib/osso/graphql/mutations/invite_admin_user.rb +6 -0
data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb +4 -1
data/lib/osso/graphql/mutations/set_redirect_uris.rb +2 -0
data/lib/osso/graphql/mutations/update_app_config.rb +4 -1
data/lib/osso/graphql/types/identity_provider_service.rb +1 -0
data/lib/osso/lib/analytics.rb +55 -0
data/lib/osso/lib/app_config.rb +1 -1
data/lib/osso/models/identity_provider.rb +1 -0
data/lib/osso/routes/admin.rb +39 -7
data/lib/osso/routes/oauth.rb +10 -4
data/lib/osso/version.rb +1 -1
data/osso-rb.gemspec +4 -3
data/spec/models/identity_provider_spec.rb +1 -0
data/spec/routes/admin_spec.rb +27 -9
data/spec/routes/oauth_spec.rb +14 -0
data/spec/support/views/hosted_login.erb +1 -0
metadata +51 -17
data/lib/osso/helpers/auth.rb +0 -94
data/lib/osso/helpers/helpers.rb +0 -8
data/spec/routes/app_spec.rb +0 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e336bd3d2b66ba5530df382560eafc3800e4141d8f0f2ad3c09ddfcff4e89c5b
-  data.tar.gz: 833e3c5c353823e8591c836ec53a03405ad0870025fac4103350b525b32f5254
+  metadata.gz: f3def53429479fcc6f8174b8065830233e8437b3e6cd5e6a2647caa710622028
+  data.tar.gz: dbdaa671b3a6b2ca07e5d48ed247eefbdbe6bd06423247975821088aea097f45
 SHA512:
-  metadata.gz: 0745075df908207f91971faba07ade0a64d61347a96c07386b1ba97a1a2a6d63173184e1a59b859e256a4e43045f535f19fc27b6b7e9c67ebf7cfcd616da602d
-  data.tar.gz: ecb5eb7a7195f3f40563ec22972a697ad08d9ad259d69e37dc90fb59717d623c2b825d2776970911c8aa6c0284502d441bc145fde8542674c23ed3657b4fc4f9
+  metadata.gz: '0391fb57427e5f417ee19f2566cda5e432834bff640d14516abdf54a716c401c6ed42559ed5f366855936e2f6d976f86e1c64c1bfd497f9b3443f8a54f240485'
+  data.tar.gz: 1bdc64d6943502b18f7801003131d379879bad62265bc80f4f5cd5c9547604d7fb60b35a174ce9875a1d5b13ef673535bed4566d14d5888de1552b40a9c0d26b

data/.buildkite/pipeline.yml CHANGED

@@ -12,6 +12,7 @@ steps:
       - coverage/*
   - name: ":codeclimate:"
+    soft_fail: true
     plugins:
       - jobready/codeclimate-test-reporter#v2.0:
           artifact: "coverage/.resultset.json"
@@ -19,8 +20,8 @@ steps:
           prefix: '/var/lib/buildkite-agent/builds/enterprise-oss-bk-1/enterpriseoss/osso-rb/'
   - block: ":rubygems: Publish :red_button:"
-    branches: "main"
+    if: build.tag != null
   - name: "Push :rubygems:"
     commands: "./bin/publish"
-    branches: "main"
+    if: build.tag != null

data/.github/dependabot.yml ADDED

@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  labels:
+    - "dependencies"

data/.github/workflows/automerge.yml ADDED

@@ -0,0 +1,19 @@
+name: auto-merge
+on:
+  pull_request:
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ahmadnassri/action-dependabot-auto-merge@v2
+        with:
+          target: minor
+          github-token: ${{ secrets.TOKEN }}
+      - uses: hmarr/auto-approve-action@v2.0.0
+        if: github.actor == 'dependabot[bot]'
+        with:
+          github-token: "${{ secrets.TOKEN }}"

data/Gemfile CHANGED

@@ -10,10 +10,10 @@ group :test do
   gem 'faker'
   gem 'pg'
   gem 'rack-test'
-  gem 'rspec', '~> 3.2'
+  gem 'rspec', '~> 3.10'
   gem 'rubocop'
-  gem 'simplecov', '= 0.17', require: false
-  gem 'webmock', '~> 3.0'
+  gem 'simplecov', '0.21.1', require: false
+  gem 'webmock', '~> 3.11'
 end
 gemspec

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.6.alpha)
+    osso (0.0.11)
       activesupport (>= 6.0.3.2)
       bcrypt (~> 3.1.13)
       graphql
@@ -9,13 +9,14 @@ PATH
       mail (~> 2.7.1)
       omniauth-multi-provider
       omniauth-saml
+      posthog-ruby
       rack (>= 2.1.4)
       rack-contrib
       rack-oauth2
       rake
-      rodauth (~> 2.6.0)
-      sequel (~> 5.37.0)
-      sequel-activerecord_connection (~> 0.3)
+      rodauth (>= 2.6, < 2.8)
+      sequel (>= 5.37, < 5.41)
+      sequel-activerecord_connection (>= 0.3, < 2.0)
       sinatra
       sinatra-activerecord
       sinatra-contrib
@@ -23,20 +24,22 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activerecord (6.0.3.4)
-      activemodel (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activesupport (6.0.3.4)
+    activemodel (6.1.0)
+      activesupport (= 6.1.0)
+    activerecord (6.1.0)
+      activemodel (= 6.1.0)
+      activesupport (= 6.1.0)
+    activesupport (6.1.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     aes_key_wrap (1.1.0)
+    after_commit_everywhere (0.1.5)
+      activerecord (>= 4.2)
     annotate (3.1.1)
       activerecord (>= 3.2, < 7.0)
       rake (>= 10.4, < 14.0)
@@ -52,10 +55,10 @@ GEM
       activerecord
       database_cleaner (~> 1.8.0)
     diff-lcs (1.4.4)
-    docile (1.3.2)
+    docile (1.3.4)
     factory_bot (6.1.0)
       activesupport (>= 5.0.0)
-    faker (2.14.0)
+    faker (2.15.1)
       i18n (>= 1.6, < 2)
     graphql (1.11.6)
     hashdiff (1.0.1)
@@ -63,7 +66,6 @@ GEM
     httpclient (2.8.3)
     i18n (1.8.5)
       concurrent-ruby (~> 1.0)
-    json (2.3.1)
     json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
@@ -73,13 +75,14 @@ GEM
       mini_mime (>= 0.1.1)
     method_source (1.0.0)
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
+    mini_portile2 (2.5.0)
     minitest (5.14.2)
     multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
     omniauth (1.9.1)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
@@ -88,16 +91,18 @@ GEM
     omniauth-saml (1.10.3)
       omniauth (~> 1.3, >= 1.3.2)
       ruby-saml (~> 1.9)
-    parallel (1.19.2)
-    parser (2.7.2.0)
+    parallel (1.20.1)
+    parser (3.0.0.0)
       ast (~> 2.4.1)
     pg (1.2.3)
+    posthog-ruby (1.1.0)
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.6)
+    racc (1.5.2)
     rack (2.2.3)
-    rack-contrib (2.2.0)
+    rack-contrib (2.3.0)
       rack (~> 2.0)
     rack-oauth2 (1.16.0)
       activesupport
@@ -110,51 +115,53 @@ GEM
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
-    rake (13.0.1)
-    regexp_parser (1.8.2)
+    rake (13.0.3)
+    regexp_parser (2.0.2)
     rexml (3.2.4)
-    roda (3.38.0)
+    roda (3.39.0)
       rack
-    rodauth (2.6.0)
+    rodauth (2.7.0)
       roda (>= 2.6.0)
       sequel (>= 4)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.3)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.3)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.0)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.4)
-    rubocop (1.1.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.0)
+    rubocop (1.7.0)
       parallel (~> 1.10)
       parser (>= 2.7.1.5)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
+      regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 1.0.1)
+      rubocop-ast (>= 1.2.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.1.0)
+    rubocop-ast (1.3.0)
       parser (>= 2.7.1.5)
     ruby-progressbar (1.10.1)
     ruby-saml (1.11.0)
       nokogiri (>= 1.5.10)
     ruby2_keywords (0.0.2)
-    sequel (5.37.0)
-    sequel-activerecord_connection (0.4.1)
+    sequel (5.39.0)
+    sequel-activerecord_connection (1.2.0)
       activerecord (>= 4.2, < 7)
+      after_commit_everywhere (~> 0.1.5)
       sequel (~> 5.16)
-    simplecov (0.17.0)
+    simplecov (0.21.1)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.2)
     sinatra (2.1.0)
       mustermann (~> 1.0)
       rack (~> 2.2)
@@ -169,16 +176,15 @@ GEM
       rack-protection (= 2.1.0)
       sinatra (= 2.1.0)
       tilt (~> 2.0)
-    thread_safe (0.3.6)
     tilt (2.0.10)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.3)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (1.7.0)
-    webmock (3.9.3)
+    webmock (3.11.0)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    zeitwerk (2.4.1)
+    zeitwerk (2.4.2)
 PLATFORMS
   ruby
@@ -193,10 +199,10 @@ DEPENDENCIES
   pg
   pry
   rack-test
-  rspec (~> 3.2)
+  rspec (~> 3.10)
   rubocop
-  simplecov (= 0.17)
-  webmock (~> 3.0)
+  simplecov (= 0.21.1)
+  webmock (~> 3.11)
 BUNDLED WITH
    2.1.4

data/Rakefile CHANGED

@@ -4,6 +4,9 @@
 # to tell ActiveRecord where to find the database
 # schema and migrations
+ENV['SESSION_SECRET'] ||= 'rake-secret'
+ENV['BASE_URL'] ||= 'https://example.com'
 require 'bundler/gem_tasks'
 require 'sinatra/activerecord/rake'
 require './lib/osso'

data/bin/console CHANGED

@@ -1,6 +1,9 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
+ENV['SESSION_SECRET'] ||= 'irb-secret'
+ENV['BASE_URL'] ||= 'https://example.com'
 require 'bundler/setup'
 require 'osso'

data/db/schema.rb CHANGED

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 2020_11_12_160120) do
+ActiveRecord::Schema.define(version: 2020_11_25_143501) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "citext"
@@ -57,7 +57,7 @@ ActiveRecord::Schema.define(version: 2020_11_12_160120) do
     t.citext "email", null: false
     t.integer "status_id", default: 1, null: false
     t.string "role", default: "admin", null: false
-    t.uuid "oauth_client_id"
+    t.string "oauth_client_id"
     t.index ["email"], name: "index_accounts_on_email", unique: true, where: "(status_id = ANY (ARRAY[1, 2]))"
     t.index ["oauth_client_id"], name: "index_accounts_on_oauth_client_id"
   end

data/lib/osso.rb CHANGED

@@ -2,7 +2,7 @@
 module Osso
   require_relative 'osso/error/error'
-  require_relative 'osso/helpers/helpers'
+  require_relative 'osso/lib/analytics'
   require_relative 'osso/lib/app_config'
   require_relative 'osso/lib/oauth2_token'
   require_relative 'osso/lib/route_map'

data/lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb ADDED

@@ -0,0 +1,28 @@
+class AddSalesforceToProviderServiceEnum < ActiveRecord::Migration[6.0]
+  disable_ddl_transaction!
+  def up
+    execute <<-SQL
+      ALTER TYPE identity_provider_service ADD VALUE 'SALESFORCE';
+    SQL
+  end
+  def down
+    execute <<~SQL
+      CREATE TYPE identity_provider_service_new AS ENUM ('AZURE', 'OKTA', 'ONELOGIN', 'GOOGLE', 'PING');
+      -- Remove values that won't be compatible with new definition
+      DELETE FROM identity_providers WHERE service = 'SALESFORCE';
+      -- Convert to new type, casting via text representation
+      ALTER TABLE identity_providers
+        ALTER COLUMN service TYPE identity_provider_service_new
+          USING (service::text::identity_provider_service_new);
+      -- and swap the types
+      DROP TYPE identity_provider_service;
+      ALTER TYPE identity_provider_service_new RENAME TO identity_provider_service;
+    SQL
+  end
+end

data/lib/osso/graphql/mutations/configure_identity_provider.rb CHANGED

@@ -15,7 +15,10 @@ module Osso
         def resolve(**args)
           provider = identity_provider(**args)
-          return response_data(identity_provider: provider) if provider.update(args)
+          if provider.update(args)
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(identity_provider: provider)
+          end
           response_error(provider.errors)
         end

data/lib/osso/graphql/mutations/create_enterprise_account.rb CHANGED

@@ -15,7 +15,10 @@ module Osso
         def resolve(**args)
           enterprise_account = Osso::Models::EnterpriseAccount.new(args)
-          return response_data(enterprise_account: enterprise_account) if enterprise_account.save
+          if enterprise_account.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(enterprise_account: enterprise_account)
+          end
           response_error(enterprise_account.errors)
         end

data/lib/osso/graphql/mutations/create_identity_provider.rb CHANGED

@@ -22,7 +22,12 @@ module Osso
             oauth_client_id: oauth_client_id,
           )
-          return response_data(identity_provider: identity_provider) if identity_provider.save
+          if identity_provider.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: {
+              service: service, enterprise_account_id: enterprise_account_id, oauth_client_id: oauth_client_id
+            })
+            return response_data(identity_provider: identity_provider)
+          end
           response_error(identity_provider.errors)
         end

data/lib/osso/graphql/mutations/create_oauth_client.rb CHANGED

@@ -14,7 +14,10 @@ module Osso
         def resolve(**args)
           oauth_client = Osso::Models::OauthClient.new(args)
-          return response_data(oauth_client: oauth_client) if oauth_client.save
+          if oauth_client.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(oauth_client: oauth_client)
+          end
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/delete_enterprise_account.rb CHANGED

@@ -18,7 +18,11 @@ module Osso
         def resolve(**args)
           customer = enterprise_account(**args)
-          return response_data(enterprise_account: nil) if customer.destroy
+          if customer.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(enterprise_account: nil)
+          end
           response_error(customer.errors)
         end

data/lib/osso/graphql/mutations/delete_identity_provider.rb CHANGED

@@ -14,7 +14,10 @@ module Osso
         def resolve(id:)
           identity_provider = Osso::Models::IdentityProvider.find(id)
-          return response_data(identity_provider: nil) if identity_provider.destroy
+          if identity_provider.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: { id: id })
+            return response_data(identity_provider: nil)
+          end
           response_error(identity_provider.errors)
         end

data/lib/osso/graphql/mutations/delete_oauth_client.rb CHANGED

@@ -14,7 +14,10 @@ module Osso
         def resolve(id:)
           oauth_client = Osso::Models::OauthClient.find(id)
-          return response_data(oauth_client: nil) if oauth_client.destroy
+          if oauth_client.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: { id: id })
+            return response_data(oauth_client: nil)
+          end
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/invite_admin_user.rb CHANGED

@@ -23,6 +23,12 @@ module Osso
           if admin_user.save
             verify_user(email)
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: {
+              invited_email: email,
+              invited_role: role,
+              invited_oauth_client_id: oauth_client_id,
+            })
             return response_data(admin_user: admin_user)
           end

data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb CHANGED

@@ -15,7 +15,10 @@ module Osso
           oauth_client = Osso::Models::OauthClient.find(id)
           oauth_client.regenerate_secrets!
-          return response_data(oauth_client: oauth_client) if oauth_client.save
+          if oauth_client.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: { oauth_client_id: id })
+            return response_data(oauth_client: oauth_client)
+          end
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/set_redirect_uris.rb CHANGED

@@ -18,6 +18,8 @@ module Osso
           update_existing(oauth_client, redirect_uris)
           create_new(oauth_client, redirect_uris)
+          Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: redirect_uris)
           response_data(oauth_client: oauth_client.reload)
         rescue StandardError => e
           response_error(e)

data/lib/osso/graphql/mutations/update_app_config.rb CHANGED

@@ -15,7 +15,10 @@ module Osso
         def resolve(**args)
           app_config = Osso::Models::AppConfig.find
-          return response_data(app_config: app_config) if app_config.update(**args)
+          if app_config.update(**args)
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(app_config: app_config)
+          end
           response_error(app_config.errors)
         end

data/lib/osso/graphql/types/identity_provider_service.rb CHANGED

@@ -9,6 +9,7 @@ module Osso
         value('OKTA', 'Okta Identity Provider', value: 'OKTA')
         value('ONELOGIN', 'OneLogin Identity Provider', value: 'ONELOGIN')
         value('PING', 'PingID Identity Provider', value: 'PING')
+        value('SALESFORCE', 'Salesforce Identity Provider', value: 'SALESFORCE')
       end
     end
   end

data/lib/osso/lib/analytics.rb ADDED

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+require 'posthog-ruby'
+module Osso
+  # Osso::Analytics provides an interface to track product analytics for any provider.
+  # Osso recommends PostHog as an open source solution for your product analytics needs.
+  # If you want to use another product analytics provider, you can patch the Osso::Analytics
+  # class yourself in your parent application. Be sure to implement the public
+  # .identify and .capture class methods with the required method signatures and require
+  # your class after requiring Osso.
+  class Analytics
+    class << self
+      def identify(email:, properties: {})
+        return unless configured?
+        client.identify({
+          distinct_id: email,
+          properties: properties.merge(instance_properties),
+        })
+      end
+      def capture(email:, event:, properties: {})
+        return unless configured?
+        client.capture(
+          distinct_id: email,
+          event: event,
+          properties: properties.merge(instance_properties),
+        )
+      end
+      private
+      def configured?
+        ENV['POSTHOG_API_KEY'].present?
+      end
+      def client
+        @client ||= PostHog::Client.new({
+          api_key: ENV['POSTHOG_API_KEY'],
+          api_host: ENV['POSTHOG_HOST'],
+          on_error: Proc.new { |status, msg| print msg }
+        })
+      end
+      def instance_properties
+        {
+          instance_url: ENV['BASE_URL'],
+          osso_plan: ENV['OSSO_PLAN'],
+        }
+      end
+    end
+  end
+end

data/lib/osso/lib/app_config.rb CHANGED

@@ -7,7 +7,7 @@ module Osso
     def self.included(klass)
       klass.class_eval do
         use Rack::JSONBodyParser
-        use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+        use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
         error ActiveRecord::RecordNotFound do
           status 404

data/lib/osso/models/identity_provider.rb CHANGED

@@ -30,6 +30,7 @@ module Osso
           idp_sso_target_url: sso_url,
           idp_cert: sso_cert,
           issuer: sso_issuer,
+          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         }
       end

data/lib/osso/routes/admin.rb CHANGED

@@ -8,18 +8,47 @@ DEFAULT_VIEWS_DIR = File.join(File.expand_path(Bundler.root), 'views/rodauth')
 module Osso
   class Admin < Roda
     DB = Sequel.postgres(extensions: :activerecord_connection)
-    use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+    use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
+    plugin :json
     plugin :middleware
     plugin :render, engine: 'erb', views: ENV['RODAUTH_VIEWS'] || DEFAULT_VIEWS_DIR
     plugin :route_csrf
     plugin :rodauth do
-      enable :login, :verify_account
+      enable :login, :verify_account, :jwt
+      base_uri = URI.parse(ENV.fetch('BASE_URL'))
+      base_url base_uri
+      domain base_uri.host
+      jwt_secret ENV.fetch('SESSION_SECRET')
+      only_json? false
+      email_from { "Osso <no-reply@#{domain}>" }
       verify_account_set_password? true
-      already_logged_in { redirect login_redirect }
       use_database_authentication_functions? false
+      after_login do
+        Osso::Analytics.identify(email: account[:email], properties: account)
+      end
+      verify_account_view do
+        render :admin
+      end
+      login_view do
+        render :admin
+      end
+      verify_account_email_subject do
+        DB[:accounts].one? ? 'Your Osso instance is ready' : 'You\'ve been invited to start using Osso'
+      end
+      verify_account_email_body do
+        DB[:accounts].one? ? render('verify-first-account-email') : render('verify-account-email')
+      end
       before_create_account_route do
         request.halt unless DB[:accounts].empty?
       end
@@ -31,13 +60,16 @@ module Osso
       r.rodauth
       def current_account
-        Osso::Models::Account.find(rodauth.session['account_id']).
-          context.
+        Osso::Models::Account.find(
+          rodauth.
+          session.
+          to_hash.
+          stringify_keys['account_id']
+        ).context.
           merge({ rodauth: rodauth })
       end
       r.on 'admin' do
-        rodauth.require_authentication
         erb :admin, layout: false
       end

data/lib/osso/routes/oauth.rb CHANGED

@@ -16,13 +16,14 @@ module Osso
       # Once they complete IdP login, they will be returned to the
       # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        identity_providers = find_providers
         validate_oauth_request(env)
-        redirect "/auth/saml/#{identity_providers.first.id}" if identity_providers.one?
+        return erb :hosted_login if render_hosted_login?
+        @providers = find_providers
+        redirect "/auth/saml/#{@providers.first.id}" if @providers.one?
-        @providers = identity_providers.not_pending
         return erb :multiple_providers if @providers.count > 1
         raise Osso::Error::MissingConfiguredIdentityProvider.new(domain: params[:domain])
@@ -61,6 +62,10 @@ module Osso
     private
+    def render_hosted_login?
+      [params[:email], params[:domain]].all?(&:nil?)
+    end
     def find_providers
       if params[:email]
         user = Osso::Models::User.
@@ -71,6 +76,7 @@ module Osso
       Osso::Models::IdentityProvider.
         joins(:oauth_client).
+        not_pending.
         where(
           domain: domain_from_params,
           oauth_clients: { identifier: params[:client_id] },

data/lib/osso/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Osso
-  VERSION = '0.0.6.alpha'
+  VERSION = '0.0.11'
 end

data/osso-rb.gemspec CHANGED

@@ -22,13 +22,14 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'mail', '~> 2.7.1'
   spec.add_runtime_dependency 'omniauth-multi-provider'
   spec.add_runtime_dependency 'omniauth-saml'
+  spec.add_runtime_dependency 'posthog-ruby'
   spec.add_runtime_dependency 'rack', '>= 2.1.4'
   spec.add_runtime_dependency 'rack-contrib'
   spec.add_runtime_dependency 'rack-oauth2'
   spec.add_runtime_dependency 'rake'
-  spec.add_runtime_dependency 'rodauth', '~> 2.6.0'
-  spec.add_runtime_dependency 'sequel', '~> 5.37.0'
-  spec.add_runtime_dependency 'sequel-activerecord_connection', '~> 0.3'
+  spec.add_runtime_dependency 'rodauth', '>= 2.6', '< 2.8'
+  spec.add_runtime_dependency 'sequel', '>= 5.37', '< 5.41'
+  spec.add_runtime_dependency 'sequel-activerecord_connection', '>= 0.3', '< 2.0'
   spec.add_runtime_dependency 'sinatra'
   spec.add_runtime_dependency 'sinatra-activerecord'
   spec.add_runtime_dependency 'sinatra-contrib'

data/spec/models/identity_provider_spec.rb CHANGED

@@ -66,6 +66,7 @@ describe Osso::Models::IdentityProvider do
           idp_cert: subject.sso_cert,
           idp_sso_target_url: subject.sso_url,
           issuer: subject.sso_issuer,
+          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         )
     end
   end

data/spec/routes/admin_spec.rb CHANGED

@@ -4,23 +4,41 @@ require 'spec_helper'
 describe Osso::Admin do
   describe 'get /admin' do
-    it 'redirects to /login without a session' do
+    it 'renders the admin layout' do
       get('/admin')
-      expect(last_response).to be_redirect
-      follow_redirect!
-      expect(last_request.url).to match('/login')
+      expect(last_response).to be_ok
     end
+  end
-    xit 'renders the admin page for a valid session token' do
-      password = SecureRandom.urlsafe_base64(16)
-      account = create(:verified_account, password: password)
+  describe 'post /graphql' do
+    let(:account) { create(:account) }
-      post('/login', { email: account.email, password: password })
+    it 'runs a GraphQL query with a valid jwt' do
+      allow_any_instance_of(described_class.rodauth).to receive(:logged_in?).and_return(true)
+      allow(Osso::Models::Account).to receive(:find).and_return(account)
+      allow(Osso::GraphQL::Schema).to receive(:execute).and_return({graphql: true})
-      get('/admin')
+      header 'Content-Type', 'application/json'
+      post("/graphql")
       expect(last_response).to be_ok
+      expect(last_json_response).to eq({graphql: true})
+    end
+    it 'returns a 400 for an invalid jwt' do
+      header 'Content-Type', 'application/json'
+      header 'Authorization', 'Bearer bad-token'
+      post("/graphql")
+      expect(last_response.status).to eq 400
+    end
+    it 'returns a 401 without a jwt' do
+      header 'Content-Type', 'application/json'
+      post("/graphql")
+      expect(last_response.status).to eq 401
     end
   end
 end

data/spec/routes/oauth_spec.rb CHANGED

@@ -27,6 +27,20 @@ describe Osso::Oauth do
         end
       end
+      describe 'for a request without email or domain' do
+        it 'redirects to /auth/saml/:provider_id' do
+          get(
+            '/oauth/authorize',
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+          expect(last_response).to be_ok
+          expect(last_response.body).to eq('HOSTED LOGIN')
+        end
+      end
       describe 'for an enterprise domain with one SAML provider' do
         it 'redirects to /auth/saml/:provider_id' do
           enterprise = create(:enterprise_with_okta, oauth_client: client)

data/spec/support/views/hosted_login.erb ADDED

	@@ -0,0 +1 @@
1	+ HOSTED LOGIN

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.6.alpha
+  version: 0.0.11
 platform: ruby
 authors:
 - Sam Bauch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-24 00:00:00.000000000 Z
+date: 2021-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -108,6 +108,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: posthog-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -168,44 +182,62 @@ dependencies:
   name: rodauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.6'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: '2.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: '2.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.37'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 5.37.0
+        version: '5.41'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 5.37.0
+        version: '5.37'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.41'
 - !ruby/object:Gem::Dependency
   name: sequel-activerecord_connection
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
@@ -305,6 +337,8 @@ files:
 - ".buildkite/hooks/pre-command"
 - ".buildkite/pipeline.yml"
 - ".buildkite/template.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/automerge.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -350,6 +384,7 @@ files:
 - lib/osso/db/migrate/20201109160851_add_sso_issuer_to_identity_providers.rb
 - lib/osso/db/migrate/20201110190754_remove_oauth_client_id_from_enterprise_accounts.rb
 - lib/osso/db/migrate/20201112160120_add_ping_to_identity_provider_service_enum.rb
+- lib/osso/db/migrate/20201125143501_add_salesforce_to_provider_service_enum.rb
 - lib/osso/error/account_configuration_error.rb
 - lib/osso/error/error.rb
 - lib/osso/error/missing_saml_attribute_error.rb
@@ -392,8 +427,7 @@ files:
 - lib/osso/graphql/types/oauth_client.rb
 - lib/osso/graphql/types/redirect_uri.rb
 - lib/osso/graphql/types/redirect_uri_input.rb
-- lib/osso/helpers/auth.rb
-- lib/osso/helpers/helpers.rb
+- lib/osso/lib/analytics.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
@@ -442,7 +476,6 @@ files:
 - spec/models/enterprise_account_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/routes/admin_spec.rb
-- spec/routes/app_spec.rb
 - spec/routes/auth_spec.rb
 - spec/routes/oauth_spec.rb
 - spec/spec_helper.rb
@@ -450,6 +483,7 @@ files:
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
 - spec/support/views/error.erb
+- spec/support/views/hosted_login.erb
 - spec/support/views/layout.erb
 - spec/support/views/multiple_providers.erb
 homepage: https://github.com/enterprise-oss/osso-rb
@@ -467,9 +501,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.0.3
 signing_key:

data/lib/osso/helpers/auth.rb DELETED

@@ -1,94 +0,0 @@
-# frozen_string_literal: true
-module Osso
-  module Helpers
-    module Auth
-      END_USER_SCOPE = 'end-user'
-      INTERNAL_SCOPE = 'internal'
-      ADMIN_SCOPE    = 'admin'
-      attr_accessor :current_user
-      def token_protected!
-        decode(token)
-      rescue JWT::DecodeError
-        halt 401
-      end
-      def enterprise_protected!(domain = nil)
-        return if admin_authorized?
-        return if internal_authorized?
-        return if enterprise_authorized?(domain)
-        halt 401 if request.post?
-        redirect ENV['JWT_URL']
-      end
-      def internal_protected!
-        return if admin_authorized?
-        return if internal_authorized?
-        redirect ENV['JWT_URL']
-      end
-      def admin_protected!
-        return true if admin_authorized?
-        redirect ENV['JWT_URL']
-      end
-      private
-      def enterprise_authorized?(domain)
-        decode(token)
-        @current_user[:scope] == END_USER_SCOPE &&
-          @current_user[:email].split('@')[1] == domain
-      rescue JWT::DecodeError
-        false
-      end
-      def internal_authorized?
-        decode(token)
-        @current_user[:scope] == INTERNAL_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-      def admin_authorized?
-        decode(token)
-        @current_user[:scope] == ADMIN_SCOPE
-      rescue JWT::DecodeError
-        false
-      end
-      def token
-        session['admin_token'] || request.env['HTTP_AUTHORIZATION'] || request.params['admin_token']
-      end
-      def chomp_token
-        return unless request['admin_token'].present?
-        session['admin_token'] = request['admin_token']
-        return if request.post?
-        redirect request.path
-      end
-      def decode(token)
-        payload, _args = JWT.decode(
-          token,
-          ENV['JWT_HMAC_SECRET'],
-          true,
-          { algorithm: 'HS256' },
-        )
-        @current_user = payload.symbolize_keys
-      end
-    end
-  end
-end

data/lib/osso/helpers/helpers.rb DELETED

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-module Osso
-  module Helpers
-  end
-end
-require_relative 'auth'

data/spec/routes/app_spec.rb DELETED

@@ -1,6 +0,0 @@
-# frozen_string_literal: true
-require 'spec_helper'
-describe 'App' do
-end