decision_agent 0.1.4 → 0.1.7

data/spec/auth/password_reset_spec.rb

@@ -0,0 +1,294 @@
+require "spec_helper"
+
+RSpec.describe DecisionAgent::Auth::PasswordResetToken do
+  describe "#initialize" do
+    it "creates a token with user_id" do
+      token = DecisionAgent::Auth::PasswordResetToken.new(user_id: "user123")
+      expect(token.user_id).to eq("user123")
+      expect(token.token).to be_a(String)
+      expect(token.token.length).to eq(64) # 32 bytes hex = 64 chars
+    end
+
+    it "sets expiration time" do
+      token = DecisionAgent::Auth::PasswordResetToken.new(user_id: "user123", expires_in: 1800)
+      expect(token.expires_at).to be > Time.now.utc
+      expect(token.expires_at).to be <= Time.now.utc + 1801
+    end
+  end
+
+  describe "#expired?" do
+    it "returns false for valid token" do
+      token = DecisionAgent::Auth::PasswordResetToken.new(user_id: "user123", expires_in: 3600)
+      expect(token.expired?).to be false
+    end
+
+    it "returns true for expired token" do
+      token = DecisionAgent::Auth::PasswordResetToken.new(user_id: "user123", expires_in: -1)
+      expect(token.expired?).to be true
+    end
+  end
+
+  describe "#valid?" do
+    it "returns true for non-expired token" do
+      token = DecisionAgent::Auth::PasswordResetToken.new(user_id: "user123", expires_in: 3600)
+      expect(token.valid?).to be true
+    end
+
+    it "returns false for expired token" do
+      token = DecisionAgent::Auth::PasswordResetToken.new(user_id: "user123", expires_in: -1)
+      expect(token.valid?).to be false
+    end
+  end
+end
+
+RSpec.describe DecisionAgent::Auth::PasswordResetManager do
+  let(:manager) { DecisionAgent::Auth::PasswordResetManager.new }
+
+  describe "#create_token" do
+    it "creates a new reset token" do
+      token = manager.create_token("user123")
+      expect(token).to be_a(DecisionAgent::Auth::PasswordResetToken)
+      expect(token.user_id).to eq("user123")
+    end
+
+    it "stores the token" do
+      token = manager.create_token("user123")
+      retrieved = manager.get_token(token.token)
+      expect(retrieved).to eq(token)
+    end
+  end
+
+  describe "#get_token" do
+    it "returns token for valid token string" do
+      token = manager.create_token("user123")
+      retrieved = manager.get_token(token.token)
+      expect(retrieved).to eq(token)
+    end
+
+    it "returns nil for invalid token" do
+      expect(manager.get_token("invalid_token")).to be_nil
+    end
+
+    it "returns nil for expired token" do
+      token = manager.create_token("user123", expires_in: -1)
+      expect(manager.get_token(token.token)).to be_nil
+    end
+  end
+
+  describe "#delete_token" do
+    it "deletes a token" do
+      token = manager.create_token("user123")
+      manager.delete_token(token.token)
+      expect(manager.get_token(token.token)).to be_nil
+    end
+  end
+
+  describe "#delete_user_tokens" do
+    it "deletes all tokens for a user" do
+      token1 = manager.create_token("user123")
+      token2 = manager.create_token("user123")
+      token3 = manager.create_token("user456")
+
+      manager.delete_user_tokens("user123")
+
+      expect(manager.get_token(token1.token)).to be_nil
+      expect(manager.get_token(token2.token)).to be_nil
+      expect(manager.get_token(token3.token)).to eq(token3) # Other user's token still exists
+    end
+  end
+
+  describe "#count" do
+    it "returns zero initially" do
+      expect(manager.count).to eq(0)
+    end
+
+    it "returns correct count after creating tokens" do
+      manager.create_token("user123")
+      expect(manager.count).to eq(1)
+
+      manager.create_token("user123")
+      expect(manager.count).to eq(2)
+
+      manager.create_token("user456")
+      expect(manager.count).to eq(3)
+    end
+
+    it "reflects deletions" do
+      token1 = manager.create_token("user123")
+      manager.create_token("user123")
+      expect(manager.count).to eq(2)
+
+      manager.delete_token(token1.token)
+      expect(manager.count).to eq(1)
+
+      manager.delete_user_tokens("user123")
+      expect(manager.count).to eq(0)
+    end
+  end
+
+  describe "#cleanup_expired_tokens" do
+    it "removes expired tokens" do
+      # Create expired token
+      expired_token = manager.create_token("user123", expires_in: -1)
+      # Create valid token
+      valid_token = manager.create_token("user456", expires_in: 3600)
+
+      expect(manager.count).to eq(2)
+
+      # Force cleanup by calling it directly (it's called during create_token, but we can test it)
+      # We'll create another token to trigger cleanup
+      manager.create_token("user789", expires_in: 3600)
+
+      # Expired token should be cleaned up
+      expect(manager.get_token(expired_token.token)).to be_nil
+      expect(manager.get_token(valid_token.token)).to eq(valid_token)
+    end
+
+    it "only runs cleanup after cleanup_interval" do
+      manager = DecisionAgent::Auth::PasswordResetManager.new
+
+      # Create an expired token
+      expired_token = manager.create_token("user123", expires_in: -1)
+      expect(manager.count).to eq(1)
+
+      # Create another token immediately - cleanup should not run yet if interval not passed
+      # But since we use -1 expires_in, the token is already expired, so get_token will return nil
+      # The cleanup_expired_tokens is called during create_token, but it checks the interval
+      # Let's test by manually setting last_cleanup to far in the past
+      manager.instance_variable_set(:@last_cleanup, Time.now - 400) # More than 300 seconds
+      manager.create_token("user456", expires_in: 3600)
+
+      # The expired token should be cleaned up now
+      expect(manager.get_token(expired_token.token)).to be_nil
+    end
+  end
+end
+
+RSpec.describe DecisionAgent::Auth::Authenticator do
+  let(:authenticator) { DecisionAgent::Auth::Authenticator.new }
+
+  describe "#request_password_reset" do
+    before do
+      authenticator.create_user(
+        email: "test@example.com",
+        password: "password123"
+      )
+    end
+
+    it "returns a token for valid user" do
+      token = authenticator.request_password_reset("test@example.com")
+      expect(token).to be_a(DecisionAgent::Auth::PasswordResetToken)
+      expect(token.user_id).to be_a(String)
+    end
+
+    it "returns nil for non-existent user" do
+      token = authenticator.request_password_reset("nonexistent@example.com")
+      expect(token).to be_nil
+    end
+
+    it "returns nil for inactive user" do
+      user = authenticator.find_user_by_email("test@example.com")
+      user.active = false
+
+      token = authenticator.request_password_reset("test@example.com")
+      expect(token).to be_nil
+    end
+
+    it "deletes existing tokens when creating new one" do
+      token1 = authenticator.request_password_reset("test@example.com")
+      token2 = authenticator.request_password_reset("test@example.com")
+
+      expect(authenticator.password_reset_manager.get_token(token1.token)).to be_nil
+      expect(authenticator.password_reset_manager.get_token(token2.token)).to eq(token2)
+    end
+  end
+
+  describe "#reset_password" do
+    before do
+      authenticator.create_user(
+        email: "test@example.com",
+        password: "oldpassword"
+      )
+    end
+
+    it "resets password with valid token" do
+      token = authenticator.request_password_reset("test@example.com")
+      user = authenticator.reset_password(token.token, "newpassword123")
+
+      expect(user).to be_a(DecisionAgent::Auth::User)
+      expect(user.authenticate("newpassword123")).to be true
+      expect(user.authenticate("oldpassword")).to be false
+    end
+
+    it "returns nil for invalid token" do
+      user = authenticator.reset_password("invalid_token", "newpassword123")
+      expect(user).to be_nil
+    end
+
+    it "returns nil for expired token" do
+      token = authenticator.request_password_reset("test@example.com")
+      # Manually expire the token
+      token.instance_variable_set(:@expires_at, Time.now.utc - 1)
+
+      user = authenticator.reset_password(token.token, "newpassword123")
+      expect(user).to be_nil
+    end
+
+    it "invalidates all user sessions after password reset" do
+      session1 = authenticator.login("test@example.com", "oldpassword")
+      session2 = authenticator.login("test@example.com", "oldpassword")
+
+      token = authenticator.request_password_reset("test@example.com")
+      authenticator.reset_password(token.token, "newpassword123")
+
+      expect(authenticator.authenticate(session1.token)).to be_nil
+      expect(authenticator.authenticate(session2.token)).to be_nil
+    end
+
+    it "deletes the token after use" do
+      token = authenticator.request_password_reset("test@example.com")
+      authenticator.reset_password(token.token, "newpassword123")
+
+      expect(authenticator.password_reset_manager.get_token(token.token)).to be_nil
+    end
+
+    it "deletes all tokens for user after reset" do
+      token1 = authenticator.request_password_reset("test@example.com")
+      token2 = authenticator.request_password_reset("test@example.com")
+
+      authenticator.reset_password(token2.token, "newpassword123")
+
+      expect(authenticator.password_reset_manager.get_token(token1.token)).to be_nil
+      expect(authenticator.password_reset_manager.get_token(token2.token)).to be_nil
+    end
+  end
+end
+
+RSpec.describe DecisionAgent::Auth::User do
+  describe "#update_password" do
+    it "updates the password" do
+      user = DecisionAgent::Auth::User.new(
+        email: "test@example.com",
+        password: "oldpassword"
+      )
+
+      user.update_password("newpassword123")
+
+      expect(user.authenticate("newpassword123")).to be true
+      expect(user.authenticate("oldpassword")).to be false
+    end
+
+    it "updates the updated_at timestamp" do
+      user = DecisionAgent::Auth::User.new(
+        email: "test@example.com",
+        password: "oldpassword"
+      )
+
+      original_updated_at = user.updated_at
+      sleep(0.01) # Small delay to ensure timestamp difference
+      user.update_password("newpassword123")
+
+      expect(user.updated_at).to be > original_updated_at
+    end
+  end
+end

data/spec/auth/permission_checker_spec.rb

@@ -0,0 +1,207 @@
+require "spec_helper"
+
+RSpec.describe DecisionAgent::Auth::PermissionChecker do
+  let(:checker) { DecisionAgent::Auth::PermissionChecker.new }
+
+  describe "#can?" do
+    let(:admin_user) do
+      DecisionAgent::Auth::User.new(
+        email: "admin@example.com",
+        password: "password123",
+        roles: [:admin]
+      )
+    end
+
+    let(:editor_user) do
+      DecisionAgent::Auth::User.new(
+        email: "editor@example.com",
+        password: "password123",
+        roles: [:editor]
+      )
+    end
+
+    let(:viewer_user) do
+      DecisionAgent::Auth::User.new(
+        email: "viewer@example.com",
+        password: "password123",
+        roles: [:viewer]
+      )
+    end
+
+    it "returns true if user has permission" do
+      expect(checker.can?(admin_user, :write)).to be true
+      expect(checker.can?(editor_user, :write)).to be true
+      expect(checker.can?(viewer_user, :read)).to be true
+    end
+
+    it "returns false if user lacks permission" do
+      expect(checker.can?(viewer_user, :write)).to be false
+      expect(checker.can?(editor_user, :delete)).to be false
+    end
+
+    it "returns false for nil user" do
+      expect(checker.can?(nil, :read)).to be false
+    end
+
+    it "returns false for inactive user" do
+      admin_user.active = false
+      expect(checker.can?(admin_user, :read)).to be false
+    end
+  end
+
+  describe "#require_permission!" do
+    let(:user) do
+      DecisionAgent::Auth::User.new(
+        email: "user@example.com",
+        password: "password123",
+        roles: [:viewer]
+      )
+    end
+
+    it "does not raise if user has permission" do
+      expect do
+        checker.require_permission!(user, :read)
+      end.not_to raise_error
+    end
+
+    it "raises PermissionDeniedError if user lacks permission" do
+      expect do
+        checker.require_permission!(user, :write)
+      end.to raise_error(DecisionAgent::PermissionDeniedError)
+    end
+  end
+
+  describe "#has_role?" do
+    let(:user) do
+      DecisionAgent::Auth::User.new(
+        email: "user@example.com",
+        password: "password123",
+        roles: [:editor]
+      )
+    end
+
+    it "returns true if user has role" do
+      expect(checker.has_role?(user, :editor)).to be true
+    end
+
+    it "returns false if user lacks role" do
+      expect(checker.has_role?(user, :admin)).to be false
+    end
+
+    it "returns false for nil user" do
+      expect(checker.has_role?(nil, :editor)).to be false
+    end
+  end
+
+  describe "#require_role!" do
+    let(:user) do
+      DecisionAgent::Auth::User.new(
+        email: "user@example.com",
+        password: "password123",
+        roles: [:editor]
+      )
+    end
+
+    it "does not raise if user has role" do
+      expect do
+        checker.require_role!(user, :editor)
+      end.not_to raise_error
+    end
+
+    it "returns true if user has role" do
+      result = checker.require_role!(user, :editor)
+      expect(result).to be true
+    end
+
+    it "raises PermissionDeniedError if user lacks role" do
+      expect do
+        checker.require_role!(user, :admin)
+      end.to raise_error(DecisionAgent::PermissionDeniedError, /User does not have role: admin/)
+    end
+  end
+
+  describe "#active?" do
+    let(:user) do
+      DecisionAgent::Auth::User.new(
+        email: "user@example.com",
+        password: "password123"
+      )
+    end
+
+    it "returns true for active user" do
+      user.active = true
+      expect(checker.active?(user)).to be true
+    end
+
+    it "returns false for inactive user" do
+      user.active = false
+      expect(checker.active?(user)).to be false
+    end
+
+    it "returns true for user without active attribute" do
+      user = double("User", id: "123", email: "test@example.com")
+      expect(checker.active?(user)).to be true
+    end
+
+    it "returns false for nil user" do
+      expect(checker.active?(nil)).to be false
+    end
+  end
+
+  describe "#user_id" do
+    let(:user) do
+      DecisionAgent::Auth::User.new(
+        email: "user@example.com",
+        password: "password123"
+      )
+    end
+
+    it "returns user id" do
+      expect(checker.user_id(user)).to eq(user.id)
+    end
+
+    it "returns nil for nil user" do
+      expect(checker.user_id(nil)).to be_nil
+    end
+
+    it "handles user without id method" do
+      user = double("User", to_s: "user_string")
+      expect(checker.user_id(user)).to eq("user_string")
+    end
+  end
+
+  describe "#user_email" do
+    let(:user) do
+      DecisionAgent::Auth::User.new(
+        email: "user@example.com",
+        password: "password123"
+      )
+    end
+
+    it "returns user email" do
+      expect(checker.user_email(user)).to eq("user@example.com")
+    end
+
+    it "returns nil for nil user" do
+      expect(checker.user_email(nil)).to be_nil
+    end
+
+    it "returns nil for user without email method" do
+      user = double("User", id: "123")
+      expect(checker.user_email(user)).to be_nil
+    end
+  end
+
+  describe "#adapter" do
+    it "uses default adapter when none provided" do
+      checker = DecisionAgent::Auth::PermissionChecker.new
+      expect(checker.adapter).to be_a(DecisionAgent::Auth::DefaultAdapter)
+    end
+
+    it "uses provided adapter" do
+      custom_adapter = DecisionAgent::Auth::DefaultAdapter.new
+      checker = DecisionAgent::Auth::PermissionChecker.new(adapter: custom_adapter)
+      expect(checker.adapter).to eq(custom_adapter)
+    end
+  end
+end

data/spec/auth/permission_spec.rb

@@ -0,0 +1,73 @@
+require "spec_helper"
+
+RSpec.describe DecisionAgent::Auth::Permission do
+  describe ".all" do
+    it "returns all permission symbols" do
+      permissions = DecisionAgent::Auth::Permission.all
+      expect(permissions).to be_an(Array)
+      expect(permissions).to include(:read, :write, :delete, :approve, :deploy, :manage_users, :audit)
+    end
+
+    it "returns only symbol keys" do
+      permissions = DecisionAgent::Auth::Permission.all
+      expect(permissions.all? { |p| p.is_a?(Symbol) }).to be true
+    end
+  end
+
+  describe ".exists?" do
+    it "returns true for valid permissions" do
+      expect(DecisionAgent::Auth::Permission.exists?(:read)).to be true
+      expect(DecisionAgent::Auth::Permission.exists?(:write)).to be true
+      expect(DecisionAgent::Auth::Permission.exists?(:delete)).to be true
+      expect(DecisionAgent::Auth::Permission.exists?(:approve)).to be true
+      expect(DecisionAgent::Auth::Permission.exists?(:deploy)).to be true
+      expect(DecisionAgent::Auth::Permission.exists?(:manage_users)).to be true
+      expect(DecisionAgent::Auth::Permission.exists?(:audit)).to be true
+    end
+
+    it "converts string to symbol" do
+      expect(DecisionAgent::Auth::Permission.exists?("read")).to be true
+      expect(DecisionAgent::Auth::Permission.exists?("write")).to be true
+    end
+
+    it "returns false for invalid permissions" do
+      expect(DecisionAgent::Auth::Permission.exists?(:invalid)).to be false
+      expect(DecisionAgent::Auth::Permission.exists?("invalid")).to be false
+      expect(DecisionAgent::Auth::Permission.exists?(:unknown)).to be false
+    end
+
+    it "raises error for nil (not handled)" do
+      expect do
+        DecisionAgent::Auth::Permission.exists?(nil)
+      end.to raise_error(NoMethodError)
+    end
+  end
+
+  describe ".description_for" do
+    it "returns description for valid permissions" do
+      expect(DecisionAgent::Auth::Permission.description_for(:read)).to eq("Read access to rules and versions")
+      expect(DecisionAgent::Auth::Permission.description_for(:write)).to eq("Create and modify rules")
+      expect(DecisionAgent::Auth::Permission.description_for(:delete)).to eq("Delete rules and versions")
+      expect(DecisionAgent::Auth::Permission.description_for(:approve)).to eq("Approve rule changes")
+      expect(DecisionAgent::Auth::Permission.description_for(:deploy)).to eq("Deploy rule versions")
+      expect(DecisionAgent::Auth::Permission.description_for(:manage_users)).to eq("Manage users and roles")
+      expect(DecisionAgent::Auth::Permission.description_for(:audit)).to eq("Access audit logs")
+    end
+
+    it "converts string to symbol" do
+      expect(DecisionAgent::Auth::Permission.description_for("read")).to eq("Read access to rules and versions")
+      expect(DecisionAgent::Auth::Permission.description_for("write")).to eq("Create and modify rules")
+    end
+
+    it "returns nil for invalid permissions" do
+      expect(DecisionAgent::Auth::Permission.description_for(:invalid)).to be_nil
+      expect(DecisionAgent::Auth::Permission.description_for("invalid")).to be_nil
+    end
+
+    it "raises error for nil (not handled)" do
+      expect do
+        DecisionAgent::Auth::Permission.description_for(nil)
+      end.to raise_error(NoMethodError)
+    end
+  end
+end