Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
BACKPORT: FEATURE: consume CIS webhook and refresh profiles
- Loading branch information
Showing
7 changed files
with
220 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
module MozillaIAM | ||
class NotificationController < ActionController::Base | ||
|
||
def notification | ||
unless ["update", "delete"].include? params[:operation] | ||
return render body: "Unsupported operation", status: 200 | ||
end | ||
begin | ||
token = request.headers["Authorization"].sub("Bearer ","") | ||
JWT.decode( | ||
token, | ||
aud: SiteSetting.mozilla_iam_notification_aud | ||
) | ||
rescue => e | ||
return render body: "Invalid JWT", status: 400 | ||
end | ||
|
||
uid = params[:id] | ||
profile = Profile.find_by_uid(uid) | ||
profile&.force_refresh | ||
Rails.logger.info <<~EOF.gsub(/\n/, ", ") | ||
Mozilla IAM: Successfully refreshed profile for #{uid} | ||
operation: #{params[:operation]}, time: #{params[:time]} | ||
refresh time: #{Time.now.to_i} | ||
EOF | ||
render body: nil, status: 200 | ||
end | ||
|
||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
165 changes: 165 additions & 0 deletions
165
spec/controllers/mozilla_iam/notification_controller_spec.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,165 @@ | ||
require_relative '../../iam_helper' | ||
|
||
describe MozillaIAM::NotificationController, type: :request do | ||
describe "#notification" do | ||
|
||
let(:user) { Fabricate(:user) } | ||
|
||
before do | ||
stub_jwks_request | ||
end | ||
|
||
shared_context "no JWT" do | ||
let(:headers) do | ||
{ "Content-Type": "application/json" } | ||
end | ||
end | ||
|
||
shared_context "invalid JWT" do | ||
let(:jwt) do | ||
create_jwt({ | ||
iss: 'https://auth.mozilla.auth0.com/', | ||
aud: 'nope', | ||
exp: Time.now.to_i + 7.days, | ||
iat: Time.now.to_i, | ||
}, { | ||
kid: 'the_best_key' | ||
}) | ||
end | ||
let(:headers) do | ||
{ | ||
"Content-Type": "application/json", | ||
"Authorization": "Bearer #{jwt}" | ||
} | ||
end | ||
end | ||
|
||
shared_context "valid JWT" do | ||
let(:jwt) do | ||
create_jwt({ | ||
iss: 'https://auth.mozilla.auth0.com/', | ||
aud: 'hook.prod.sso.mozilla.com', | ||
exp: Time.now.to_i + 7.days, | ||
iat: Time.now.to_i, | ||
}, { | ||
kid: 'the_best_key' | ||
}) | ||
end | ||
let(:headers) do | ||
{ | ||
"Content-Type": "application/json", | ||
"Authorization": "Bearer #{jwt}" | ||
} | ||
end | ||
end | ||
|
||
shared_examples "does nothing" do | ||
it "does nothing" do | ||
MozillaIAM::Profile.any_instance.expects(:force_refresh).never | ||
post "/mozilla_iam/notification", params: notification.to_json, headers: headers | ||
expect(response.status).to eq 200 | ||
end | ||
end | ||
|
||
shared_examples "error" do | ||
context "with no JWT" do | ||
include_context "no JWT" | ||
|
||
it "errors out" do | ||
post "/mozilla_iam/notification", params: notification.to_json, headers: headers | ||
expect(response.status).to eq 400 | ||
expect(response.body).to eq "Invalid JWT" | ||
end | ||
end | ||
|
||
context "with an invalid JWT" do | ||
include_context "invalid JWT" | ||
|
||
it "errors out" do | ||
post "/mozilla_iam/notification", params: notification.to_json, headers: headers | ||
expect(response.status).to eq 400 | ||
expect(response.body).to eq "Invalid JWT" | ||
end | ||
end | ||
end | ||
|
||
shared_examples "success" do | ||
context "with a valid JWT" do | ||
include_context "valid JWT" | ||
|
||
context "with a user_id which doesn't exist" do | ||
include_examples "does nothing" | ||
end | ||
|
||
context "with a user_id which exists" do | ||
before do | ||
user.custom_fields["mozilla_iam_uid"] = notification[:id] | ||
user.save_custom_fields | ||
end | ||
|
||
it "refreshes user" do | ||
MozillaIAM::Profile.any_instance.expects(:force_refresh) | ||
post "/mozilla_iam/notification", params: notification.to_json, headers: headers | ||
expect(response.status).to eq 200 | ||
end | ||
end | ||
|
||
end | ||
end | ||
|
||
context "with an update notification" do | ||
let(:notification) do | ||
{ | ||
operation: "update", | ||
id: "ad|Mozilla-LDAP|dinomcvouch", | ||
time: Time.now | ||
} | ||
end | ||
|
||
include_examples "error" | ||
include_examples "success" | ||
|
||
end | ||
|
||
context "with a delete notification" do | ||
let(:notification) do | ||
{ | ||
operation: "delete", | ||
id: "ad|Mozilla-LDAP|dinomcvouch", | ||
time: Time.now | ||
} | ||
end | ||
|
||
include_examples "error" | ||
include_examples "success" | ||
|
||
end | ||
|
||
context "with a create notification" do | ||
let(:notification) do | ||
{ | ||
operation: "create", | ||
id: "ad|Mozilla-LDAP|dinomcvouch", | ||
time: Time.now | ||
} | ||
end | ||
|
||
context "with no JWT" do | ||
include_context "no JWT" | ||
include_examples "does nothing" | ||
end | ||
|
||
context "with invalid JWT" do | ||
include_context "invalid JWT" | ||
include_examples "does nothing" | ||
end | ||
|
||
context "with valid JWT" do | ||
include_context "valid JWT" | ||
include_examples "does nothing" | ||
end | ||
|
||
end | ||
|
||
end | ||
end |