Add support for CDDO SSO

alphagov · Jun 30, 2023 · a818fdd · a818fdd
1 parent f22c7a9
commit a818fdd
Show file tree

Hide file tree

Showing 7 changed files with 133 additions and 0 deletions.
diff --git a/app/controllers/authentication_controller.rb b/app/controllers/authentication_controller.rb
@@ -60,6 +60,14 @@ def auth0_sign_out_url
     URI::HTTPS.build(host: Settings.auth0.domain, path: "/v2/logout", query: request_params.to_query).to_s
   end
 
+  def cddo_sso_sign_out_url
+    request_params = {
+      from_app: Settings.cddo_sso.identifier,
+    }
+
+    URI::HTTPS.build(host: "sso.service.security.gov.uk", path: "/sign-out", query: request_params.to_query).to_s
+  end
+
   def mock_gds_sso_sign_out_url
     "https://signon.integration.publishing.service.gov.uk/users/sign_out"
   end

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -70,6 +70,10 @@ def header_component_options(user:, can_manage_users:)
         user_profile_link: nil,
         signout_link: sign_out_path,
       },
+      cddo_sso: {
+        user_profile_link: "https://sso.service.security.gov.uk/profile",
+        signout_link: sign_out_path,
+      },
       gds: {
         user_profile_link: GDS::SSO::Config.oauth_root_url,
         signout_link: gds_sign_out_path,

diff --git a/config/initializers/authentication.rb b/config/initializers/authentication.rb
@@ -12,6 +12,21 @@
     },
   )
 
+  # add CDDO SSO provider
+  Rails.application.config.app_middleware.use(
+    OmniAuth::Strategies::OpenIDConnect,
+    name: :cddo_sso,
+    issuer: "https://sso.service.security.gov.uk",
+    discovery: true,
+    require_state: true,
+
+    scope: %i[openid email profile],
+    client_options: {
+      identifier: Settings.cddo_sso.identifier,
+      secret: Settings.cddo_sso.secret,
+    },
+  )
+
   # Configure Warden session management middleware
   # swap out the Warden::Manager installed by `gds-sso` gem
   Rails.application.config.app_middleware.swap Warden::Manager, Warden::Manager do |warden|

diff --git a/config/initializers/warden/strategies/cddo_sso.rb b/config/initializers/warden/strategies/cddo_sso.rb
@@ -0,0 +1,16 @@
+require "warden/strategies/omniauth"
+
+Warden::Strategies.add(:cddo_sso) do
+  include Warden::Strategies::OmniAuth
+
+private
+
+  def prep_user(auth_hash)
+    User.find_for_auth(
+      provider: auth_hash[:provider],
+      uid: auth_hash[:uid],
+      email: auth_hash[:info][:email],
+      name: auth_hash[:info][:name],
+    )
+  end
+end
diff --git a/config/settings.yml b/config/settings.yml
@@ -47,4 +47,9 @@ basic_auth:
     slug: gds-user-research
     govuk_content_id: "00000000-0000-0000-0000-000000000000"
 
+# CDDO SSO at sso.service.security.gov.uk via OpenID Connect
+cddo_sso:
+  identifier: changeme
+  secret:
+
 forms_env: local
diff --git a/spec/controller/application_controller_spec.rb b/spec/controller/application_controller_spec.rb
@@ -37,6 +37,7 @@ def index
     %w[
       auth0
       basic_auth
+      cddo_sso
       gds_sso
     ].each do |provider|
       context "when #{provider} auth is enabled" do

diff --git a/spec/integration/cddo_sso_spec.rb b/spec/integration/cddo_sso_spec.rb
@@ -0,0 +1,84 @@
+require "rails_helper"
+
+RSpec.describe "usage of cddo_sso auth provider" do
+  let(:omniauth_hash) do
+    OmniAuth::AuthHash.new({
+      provider: "cddo_sso",
+      uid: "123456",
+      info: {
+        email: "[email protected]",
+        name: "Test User",
+      },
+    })
+  end
+
+  before do
+    allow(Settings).to receive(:auth_provider).and_return("cddo_sso")
+
+    OmniAuth.config.test_mode = true
+    OmniAuth.config.mock_auth[:cddo_sso] = nil
+  end
+
+  after do
+    OmniAuth.config.test_mode = false
+  end
+
+  describe "authentication" do
+    it "redirects to OmniAuth when no user is logged in" do
+      logout
+
+      get root_path
+
+      expect(response).to redirect_to("/auth/cddo_sso")
+    end
+
+    it "authenticates with OmniAuth and Warden" do
+      OmniAuth.config.mock_auth[:cddo_sso] = omniauth_hash
+
+      get "/auth/cddo_sso"
+
+      expect(response).to redirect_to("/auth/cddo_sso/callback")
+
+      get "/auth/cddo_sso/callback"
+
+      expect(request.env["warden"].authenticated?).to be true
+    end
+  end
+
+  describe "signing out" do
+    before do
+      OmniAuth.config.mock_auth[:cddo_sso] = omniauth_hash
+      get "/auth/cddo_sso"
+      get "/auth/cddo_sso/callback"
+    end
+
+    it "signs the user out of sso.service.security.gov.uk" do
+      allow(Settings.cddo_sso).to receive(:identifier).and_return("baz")
+
+      get sign_out_path
+
+      expect(response).to redirect_to("https://sso.service.security.gov.uk/sign-out?from_app=baz")
+    end
+  end
+
+  describe User do
+    describe ".find_for_auth" do
+      it "is called by the cddo_sso Warden strategy" do
+        allow(described_class).to receive(:find_for_auth).and_call_original
+
+        OmniAuth.config.mock_auth[:cddo_sso] = omniauth_hash
+        get "/auth/cddo_sso"
+        get "/auth/cddo_sso/callback"
+
+        expect(described_class).to have_received(:find_for_auth).with(
+          provider: "cddo_sso",
+          uid: "123456",
+          email: "[email protected]",
+          name: "Test User",
+        )
+
+        expect(request.env["warden"].winning_strategy.successful?).to be true
+      end
+    end
+  end
+end