api_guardian 0.1.0.pre

data/spec/models/user_spec.rb

@@ -0,0 +1,44 @@
+RSpec.describe ApiGuardian::User, type: :model do
+  subject { create(:user) }
+
+  # Relations
+  context 'relations' do
+    it { should belong_to(:role) }
+  end
+
+  # Validations
+  context 'validations' do
+    it { should validate_presence_of :email }
+    it { should validate_uniqueness_of :email }
+    it { should validate_length_of :password }
+  end
+
+  # Delegates
+  describe 'delegates' do
+    it { should delegate_method(:can?).to(:role) }
+    it { should delegate_method(:cannot?).to(:role) }
+  end
+
+  # Scopes
+  describe 'scopes' do
+  end
+
+  # Methods
+  context 'methods' do
+    describe '#reset_password_token_valid?' do
+      let!(:user) { create(:user) }
+
+      it 'is invalid if token was sent more than 24 hours ago' do
+        expect(user.reset_password_token_valid?).to be false
+
+        user.reset_password_sent_at = 30.hours.ago
+
+        expect(user.reset_password_token_valid?).to be false
+
+        user.reset_password_sent_at = 8.hours.ago
+
+        expect(user.reset_password_token_valid?).to be true
+      end
+    end
+  end
+end

data/spec/policies/application_policy_spec.rb

@@ -0,0 +1,118 @@
+describe ApiGuardian::Policies::ApplicationPolicy do
+  before(:each) do
+    FactoryGirl.create(:permission, name: 'user:create')
+    FactoryGirl.create(:permission, name: 'user:read')
+    FactoryGirl.create(:permission, name: 'user:update')
+    FactoryGirl.create(:permission, name: 'user:delete')
+    FactoryGirl.create(:permission, name: 'user:manage')
+  end
+
+  let(:current_user) { FactoryGirl.create(:user) }
+
+  subject { described_class }
+
+  context 'defaults to disallowing' do
+    let(:record) { FactoryGirl.create(:user) }
+
+    permissions :index? do
+      it { is_expected.not_to permit(current_user, record) }
+    end
+  end
+
+  context 'current_user has no permissions during' do
+    let(:record) { FactoryGirl.create(:user) }
+
+    permissions :show?, :create?, :new?, :update?, :edit?, :destroy? do
+      it { is_expected.not_to permit(current_user, record) }
+    end
+  end
+
+  context 'current_user has read permissions during' do
+    let(:record) { FactoryGirl.create(:user) }
+
+    permissions :show? do
+      it { is_expected.not_to permit(current_user, record) }
+    end
+
+    permissions :show? do
+      let(:current_user) do
+        user = FactoryGirl.create(:user)
+        user.role.add_permission('user:read')
+        user
+      end
+      it { is_expected.to permit(current_user, record) }
+    end
+  end
+
+  context 'current_user has create permissions during' do
+    let(:record) { FactoryGirl.create(:user) }
+
+    permissions :create? do
+      it { is_expected.not_to permit(current_user, record) }
+    end
+
+    permissions :create? do
+      let(:current_user) do
+        user = FactoryGirl.create(:user)
+        user.role.add_permission('user:create')
+        user
+      end
+      it { is_expected.to permit(current_user, record) }
+    end
+  end
+
+  context 'current_user has update permissions during' do
+    let(:record) { FactoryGirl.create(:user) }
+
+    permissions :update? do
+      it { is_expected.not_to permit(current_user, record) }
+    end
+
+    permissions :update? do
+      let(:current_user) do
+        user = FactoryGirl.create(:user)
+        user.role.add_permission('user:update')
+        user
+      end
+      it { is_expected.to permit(current_user, record) }
+    end
+  end
+
+  context 'current_user has delete permissions during' do
+    let(:record) { FactoryGirl.create(:user) }
+
+    permissions :destroy? do
+      it { is_expected.not_to permit(current_user, record) }
+    end
+
+    permissions :destroy? do
+      let(:current_user) do
+        user = FactoryGirl.create(:user)
+        user.role.add_permission('user:delete')
+        user
+      end
+      it { is_expected.to permit(current_user, record) }
+    end
+  end
+
+  context 'current_user has manage permissions during' do
+    let(:record) { FactoryGirl.create(:user) }
+
+    permissions :show? do
+      it { is_expected.not_to permit(current_user, record) }
+    end
+
+    permissions :show?, :create?, :new?, :update?, :edit?, :destroy? do
+      let(:current_user) do
+        user = FactoryGirl.create(:user)
+        user.role.add_permission('user:manage')
+        user
+      end
+      it { is_expected.to permit(current_user, record) }
+    end
+  end
+
+  # permissions '.scope' do
+  #   pending 'add some examples to (or delete) #{__FILE__}'
+  # end
+end

data/spec/policies/permission_policy_spec.rb

@@ -0,0 +1,28 @@
+# require 'spec_helper'
+#
+# describe PermissionPolicy do
+#
+#   let(:user) { User.new }
+#
+#   subject { described_class }
+#
+#   permissions ".scope" do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :show? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :create? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :update? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :destroy? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+# end

data/spec/policies/role_policy_spec.rb

@@ -0,0 +1,28 @@
+# require 'spec_helper'
+#
+# describe RolePolicy do
+#
+#   let(:user) { User.new }
+#
+#   subject { described_class }
+#
+#   permissions ".scope" do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :show? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :create? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :update? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+#
+#   permissions :destroy? do
+#     pending "add some examples to (or delete) #{__FILE__}"
+#   end
+# end

data/spec/policies/user_policy_spec.rb

@@ -0,0 +1,29 @@
+describe ApiGuardian::Policies::UserPolicy do
+  before(:each) do
+    FactoryGirl.create(:permission, name: 'user:create')
+    FactoryGirl.create(:permission, name: 'user:read')
+    FactoryGirl.create(:permission, name: 'user:update')
+    FactoryGirl.create(:permission, name: 'user:delete')
+    FactoryGirl.create(:permission, name: 'user:manage')
+  end
+
+  let(:current_user) { FactoryGirl.create(:user) }
+
+  subject { described_class }
+
+  context 'when current_user and user match for' do
+    permissions :show?, :update?, :edit? do
+      let(:record) { current_user }
+      it { is_expected.to permit(current_user, record) }
+    end
+
+    permissions :create?, :new?, :destroy? do
+      let(:record) { current_user }
+      it { is_expected.not_to permit(current_user, record) }
+    end
+  end
+
+  # permissions '.scope' do
+  #   pending 'add some examples to (or delete) #{__FILE__}'
+  # end
+end

data/spec/requests/permissions_controller_spec.rb

@@ -0,0 +1,19 @@
+describe 'ApiGuardian::PermissionsController' do
+  # Authentication and permissions are tested elsewhere
+  before(:each) { @routes = ApiGuardian::Engine.routes }
+  before(:each) { seed_permissions('permission') }
+  before(:each) { auth_user }
+  after(:each) { destroy_user }
+
+  describe 'RESOURCE /permissions' do
+    describe 'GET /' do
+      it 'returns a list of permissions' do
+        add_user_permission('permission:read')
+
+        get '/permissions', {}, get_headers
+
+        expect(response).to have_http_status(:ok)
+      end
+    end
+  end
+end

data/spec/requests/registration_controller_spec.rb

@@ -0,0 +1,151 @@
+describe 'Registration' do
+  before(:each) do
+    create(:default_role)
+  end
+
+  let(:headers) { { 'Accept' => 'application/json', 'Content-Type' => 'application/json' } }
+
+  describe 'POST /register' do
+    it 'registers a user' do
+      expect(ApiGuardian::Stores::UserStore).to receive(:register).and_return(true)
+
+      post '/register', {}, headers
+
+      expect(response).to have_http_status(:created)
+      # TODO: Validate JSON output
+    end
+
+    # it 'fails on invalid email' do
+    #   data = {password: 'password', password_confirmation: 'password' }
+    #
+    #   post '/register', data.to_json, headers
+    #
+    #   validate_unprocessable_entity(
+    #     [{field: 'email', detail: 'can\'t be blank' }]
+    #   )
+    # end
+    #
+    # it 'fails on duplicate email' do
+    #   email = Faker::Internet.email
+    #   create(:user, email: email)
+    #   data = { email: email, password: 'password', password_confirmation: 'password' }
+    #
+    #   post '/register', data.to_json, headers
+    #
+    #   validate_unprocessable_entity(
+    #     [{field: 'email', detail: 'has already been taken' }]
+    #   )
+    # end
+    #
+    # it 'fails on password mismatch' do
+    #   data = { email: Faker::Internet.email, password: 'password', password_confirmation: 'password1' }
+    #
+    #   post '/register', data.to_json, headers
+    #
+    #   validate_unprocessable_entity(
+    #     [{field: 'password_confirmation', detail: 'doesn\'t match Password' }]
+    #   )
+    # end
+    #
+    # it 'fails on password length error' do
+    #   data = { email: Faker::Internet.email, password: 'pass', password_confirmation: 'pass' }
+    #
+    #   post '/register', data.to_json, headers
+    #
+    #   validate_unprocessable_entity(
+    #     [{field: 'password', detail: 'is too short (minimum is 8 characters)' }]
+    #   )
+    # end
+  end
+
+  describe 'POST /reset-password' do
+    it 'resets a users password' do
+      # TODO: don't skip params
+      allow_any_instance_of(ActionController::Parameters).to receive(:fetch).and_return({})
+      expect(ApiGuardian::Stores::UserStore).to receive(:reset_password).and_return(true)
+
+      post '/reset-password', {}, headers
+
+      expect(response).to have_http_status(:no_content)
+    end
+
+    it 'renders not found when user is missing' do
+      # TODO: don't skip params
+      allow_any_instance_of(ActionController::Parameters).to receive(:fetch).and_return({})
+      expect(ApiGuardian::Stores::UserStore).to receive(:reset_password).and_return(false)
+
+      post '/reset-password', {}, headers
+
+      validate_not_found '/reset-password'
+    end
+  end
+
+  describe 'POST /complete-reset-password' do
+    it 'completes the password reset process' do
+      expect(ApiGuardian::Stores::UserStore).to receive(:complete_reset_password).and_return(true)
+
+      post '/complete-reset-password', {}, headers
+
+      expect(response).to have_http_status(:no_content)
+    end
+
+    it 'renders not found when user is missing' do
+      expect(ApiGuardian::Stores::UserStore).to receive(:complete_reset_password).and_return(false)
+
+      post '/complete-reset-password', {}, headers
+
+      validate_not_found '/complete-reset-password'
+    end
+
+    # it 'fails when token mismatches user' do
+    #   user = create(:user, email: Faker::Internet.email)
+    #   user.reset_password_token = SecureRandom.hex(64)
+    #   user.reset_password_sent_at = DateTime.now.utc
+    #   user.save
+    #
+    #   data = { email: Faker::Internet.email, token: user.reset_password_token, password: 'password', password_confirmatin: 'password' }
+    #
+    #   post '/complete-reset-password', data.to_json, headers
+    #
+    #   validate_api_error(
+    #     status: 403,
+    #     code: 'reset_token_mismatch',
+    #     title: 'Reset Token Mismatch',
+    #     detail: 'Reset token is not valid for the supplied email address.'
+    #   )
+    # end
+
+    # it 'fails when token is expired' do
+    #   user = create(:user, email: Faker::Internet.email)
+    #   user.reset_password_token = SecureRandom.hex(64)
+    #   user.reset_password_sent_at = 36.hours.ago.utc
+    #   user.save
+    #
+    #   data = { email: user.email, token: user.reset_password_token, password: 'password', password_confirmatin: 'password' }
+    #
+    #   post '/complete-reset-password', data.to_json, headers
+    #
+    #   validate_api_error(
+    #     status: 403,
+    #     code: 'reset_token_expired',
+    #     title: 'Reset Token Expired',
+    #     detail: 'This reset token has expired. Tokens are valid for 24 hours.'
+    #   )
+    # end
+    #
+    # it 'fails when the password is blank' do
+    #   user = create(:user, email: Faker::Internet.email)
+    #   user.reset_password_token = SecureRandom.hex(64)
+    #   user.reset_password_sent_at = DateTime.now.utc
+    #   user.save
+    #
+    #   data = { email: user.email, token: user.reset_password_token}
+    #
+    #   post '/complete-reset-password', data.to_json, headers
+    #
+    #   validate_unprocessable_entity(
+    #     [{field: 'password', detail: 'can\'t be blank'}]
+    #   )
+    # end
+  end
+end

data/spec/requests/roles_controller_spec.rb

@@ -0,0 +1,75 @@
+describe 'ApiGuardian::RolesController' do
+  # Authentication and permissions are tested elsewhere
+  before(:each) { @routes = ApiGuardian::Engine.routes }
+  before(:each) { seed_permissions('role') }
+  before(:each) { auth_user }
+  after(:each) { destroy_user }
+
+  describe 'RESOURCE /roles' do
+    describe 'GET /' do
+      it 'returns a list of roles' do
+        add_user_permission('role:read')
+
+        get '/roles', {}, get_headers
+
+        expect(response).to have_http_status(:ok)
+      end
+    end
+
+    describe 'POST /' do
+      it 'creates a new role' do
+        add_user_permission('role:create')
+        role = create(:role)
+
+        allow_any_instance_of(ApiGuardian::Stores::RoleStore).to receive(:create).and_return(role)
+
+        data = { data: { type: 'roles', attributes: { name: '', default: false, permissions: [] } } }
+
+        post '/roles', data.to_json, get_headers
+
+        expect(response).to have_http_status(:created)
+      end
+    end
+
+    describe 'GET /{:role_id}' do
+      it 'gets a role by id' do
+        add_user_permission('role:read')
+        role = create(:role)
+
+        allow_any_instance_of(ApiGuardian::Stores::RoleStore).to receive(:find).and_return(role)
+
+        get "/roles/#{role.id}", {}, get_headers
+
+        expect(response).to have_http_status(:ok)
+      end
+    end
+
+    describe 'PATCH /{:role_id}' do
+      it 'updates a role by id' do
+        add_user_permission('role:update')
+        role = create(:role)
+
+        allow_any_instance_of(ApiGuardian::Stores::RoleStore).to receive(:update).and_return(role)
+
+        data = { data: { type: 'roles', id: "#{role.id}", attributes: { name: Faker::Lorem.word, default: false } } }
+
+        patch "/roles/#{role.id}", data.to_json, get_headers
+
+        expect(response).to have_http_status(:ok)
+      end
+    end
+
+    describe 'DELETE /{:role_id}' do
+      it 'deletes a role by id' do
+        add_user_permission('role:delete')
+        role = create(:role)
+
+        allow_any_instance_of(ApiGuardian::Stores::RoleStore).to receive(:destroy).and_return(role)
+
+        delete "/roles/#{role.id}", {}, get_headers
+
+        expect(response).to have_http_status(:no_content)
+      end
+    end
+  end
+end