Add Stripe subplat saml mapping support

README.md

@@ -77,6 +77,18 @@ Please note that for any large change (i.e. anything but a single rule change),
 12. During change window, merge the PR. Now you have to manually run the Codebuild job `auth0-deploy-prod` which will deploy the rules to the Auth0 production instance. You can do this using the AWS cli running `aws codebuild start-build --project-name auth0-deploy-prod`, or using the AWS UI console navigating to Codebuild, choosing 'auth0-deploy-prod', pressing 'Start build' and pressing again 'Start build' in the next screen. Once the job finish successfully, all the rules should be uploaded to Auth0 prod.
 13. [Test in prod](https://mana.mozilla.org/wiki/display/SECURITY/Auth0+manual+testing) to make sure everything works and rollback if it doesn't.  
 
+## Testing
+
+To run the automated tests on the rules first setup your testing environment. This is a one time step
+
+* `cd tests`
+* `npm install`
+
+Next run the tests
+
+* `cd tests`
+* `npm run tests` 
+
 ## Known Issues
 
 ### Auth0 Rule Web UI jshint configuration

rules/SAML-configuration-mapping.js

@@ -1,7 +1,8 @@
 function (user, context, callback) {
   const CLIENTS = {
-    'wgh8S9GaE7sJ4i0QrAzeMxFXgWZYtB0l': 'sage-intacct',  // Sage Intacct
-    'R4djNlyXSl3i8N2KXWkfylghDa9kFQ84': 'thinksmart',    // mozilla.tap.thinksmart.com
+    'wgh8S9GaE7sJ4i0QrAzeMxFXgWZYtB0l': 'sage-intacct',    // Sage Intacct
+    'R4djNlyXSl3i8N2KXWkfylghDa9kFQ84': 'thinksmart',      // mozilla.tap.thinksmart.com
+    'cEfnJekrSStxxxBascTjNEDAZVUPAIU2': 'stripe-subplat',  // Stripe - subplat
   };
   const client = CLIENTS[context.clientID];
 
@@ -21,7 +22,7 @@ function (user, context, callback) {
       context.samlConfiguration.mappings = {
         'Company Name': 'company_name',
         'emailAddress': 'email',
-        'name':         'name',
+        'name': 'name',
       };
 
       break;
@@ -32,6 +33,26 @@ function (user, context, callback) {
         'lastName': 'family_name',
       };
 
+      break;
+    case 'stripe-subplat':
+      // https://bugzilla.mozilla.org/show_bug.cgi?id=1637117
+      const groupToStripeRoleMap = {
+        //  LDAP group name          stripe_role_name           stripe_account_id
+        'stripe_subplat_admin': [{'role': 'admin', 'account': 'acct_1EJOaaJNcmPzuWtR'}],
+        'stripe_subplat_developer': [{'role': 'developer', 'account': 'acct_1EJOaaJNcmPzuWtR'}],
+        'stripe_subplat_supportsp': [{'role': 'support_specialist', 'account': 'acct_1EJOaaJNcmPzuWtR'}],
+        'stripe_subplat_analyst': [{'role': 'analyst', 'account': 'acct_1EJOaaJNcmPzuWtR'}],
+        'stripe_subplat_viewonly': [{'role': 'view_only', 'account': 'acct_1EJOaaJNcmPzuWtR'}]
+      };
+      context.samlConfiguration.mappings = context.samlConfiguration.mappings || {};
+      Object.keys(groupToStripeRoleMap).forEach((groupName) => {
+        if (user.hasOwnProperty('groups') && user.groups.includes(groupName)) {
+          groupToStripeRoleMap[groupName].forEach((roleInfo) => {
+            user.app_metadata[roleInfo.account] = roleInfo.role;
+            context.samlConfiguration.mappings[`Stripe-Role-${roleInfo.account}`] = `app_metadata.${roleInfo.account}`;
+          });
+        }
+      });
       break;
   }
 

tests/SAML-configuration-mapping.test.js

@@ -47,3 +47,30 @@ test('Thinksmart', () => {
     'lastName': 'family_name',
   });
 });
+
+test('stripe-subplat admin has admin rights', () => {
+  _context.clientID = 'cEfnJekrSStxxxBascTjNEDAZVUPAIU2';
+  _user.groups = [..._user.groups, 'stripe_subplat_admin'];
+  output = rule(_user, _context, configuration, Global);
+  expect(output.context.samlConfiguration.mappings).toEqual({
+    'Stripe-Role-acct_1EJOaaJNcmPzuWtR': 'app_metadata.acct_1EJOaaJNcmPzuWtR',
+  });
+  expect(output.user.app_metadata.acct_1EJOaaJNcmPzuWtR).toEqual('admin');
+});
+
+test('stripe-subplat analyst has analyst rights', () => {
+  _context.clientID = 'cEfnJekrSStxxxBascTjNEDAZVUPAIU2';
+  _user.groups = [..._user.groups, 'stripe_subplat_analyst'];
+  output = rule(_user, _context, configuration, Global);
+  expect(output.context.samlConfiguration.mappings).toEqual({
+    'Stripe-Role-acct_1EJOaaJNcmPzuWtR': 'app_metadata.acct_1EJOaaJNcmPzuWtR',
+  });
+  expect(output.user.app_metadata.acct_1EJOaaJNcmPzuWtR).toEqual('analyst');
+});
+
+test('stripe-subplat grants no rights to anyone else', () => {
+  _context.clientID = 'cEfnJekrSStxxxBascTjNEDAZVUPAIU2';
+  output = rule(_user, _context, configuration, Global);
+  expect(output.context.samlConfiguration.mappings).toEqual({});
+  expect(output.user.app_metadata).not.toHaveProperty('acct_1EJOaaJNcmPzuWtR');
+});