decision_agent 0.3.0 → 1.0.1

data/spec/web/middleware/auth_middleware_spec.rb

@@ -1,133 +0,0 @@
-require "spec_helper"
-require "rack/test"
-require_relative "../../../lib/decision_agent/web/middleware/auth_middleware"
-
-RSpec.describe DecisionAgent::Web::Middleware::AuthMiddleware do
-  include Rack::Test::Methods
-
-  let(:authenticator) { double("Authenticator") }
-  let(:access_audit_logger) { double("AccessAuditLogger") }
-  let(:app) { ->(_env) { [200, {}, ["OK"]] } }
-  let(:middleware) { described_class.new(app, authenticator: authenticator, access_audit_logger: access_audit_logger) }
-
-  describe "#initialize" do
-    it "initializes with app and authenticator" do
-      expect(middleware.instance_variable_get(:@app)).to eq(app)
-      expect(middleware.instance_variable_get(:@authenticator)).to eq(authenticator)
-      expect(middleware.instance_variable_get(:@access_audit_logger)).to eq(access_audit_logger)
-    end
-
-    it "initializes without access_audit_logger" do
-      middleware = described_class.new(app, authenticator: authenticator)
-      expect(middleware.instance_variable_get(:@access_audit_logger)).to be_nil
-    end
-  end
-
-  describe "#call" do
-    context "with Authorization header" do
-      it "extracts token from Bearer header" do
-        user = double("User", id: "user1")
-        session = double("Session", token: "token123")
-        auth_result = { user: user, session: session }
-
-        allow(authenticator).to receive(:authenticate).with("token123").and_return(auth_result)
-
-        env = Rack::MockRequest.env_for("/", "HTTP_AUTHORIZATION" => "Bearer token123")
-        status, = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(env["decision_agent.user"]).to eq(user)
-        expect(env["decision_agent.session"]).to eq(session)
-      end
-
-      it "handles missing Bearer prefix" do
-        env = Rack::MockRequest.env_for("/", "HTTP_AUTHORIZATION" => "token123")
-        status, = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(env["decision_agent.user"]).to be_nil
-      end
-    end
-
-    context "with session cookie" do
-      it "extracts token from cookie" do
-        user = double("User", id: "user1")
-        session = double("Session", token: "cookie_token")
-        auth_result = { user: user, session: session }
-
-        allow(authenticator).to receive(:authenticate).with("cookie_token").and_return(auth_result)
-
-        env = Rack::MockRequest.env_for("/")
-        request = Rack::Request.new(env)
-        allow(request).to receive(:cookies).and_return("decision_agent_session" => "cookie_token")
-        allow(Rack::Request).to receive(:new).and_return(request)
-
-        status, = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(env["decision_agent.user"]).to eq(user)
-      end
-    end
-
-    context "with query parameter" do
-      it "extracts token from query parameter" do
-        user = double("User", id: "user1")
-        session = double("Session", token: "query_token")
-        auth_result = { user: user, session: session }
-
-        allow(authenticator).to receive(:authenticate).with("query_token").and_return(auth_result)
-
-        env = Rack::MockRequest.env_for("/?token=query_token")
-        status, = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(env["decision_agent.user"]).to eq(user)
-      end
-    end
-
-    context "without token" do
-      it "calls app without setting user" do
-        env = Rack::MockRequest.env_for("/")
-        status, = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(env["decision_agent.user"]).to be_nil
-        expect(env["decision_agent.session"]).to be_nil
-      end
-    end
-
-    context "with invalid token" do
-      it "calls app without setting user when authentication fails" do
-        allow(authenticator).to receive(:authenticate).with("invalid_token").and_return(nil)
-
-        env = Rack::MockRequest.env_for("/", "HTTP_AUTHORIZATION" => "Bearer invalid_token")
-        status, = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(env["decision_agent.user"]).to be_nil
-        expect(env["decision_agent.session"]).to be_nil
-      end
-    end
-
-    context "token priority" do
-      it "prefers Authorization header over cookie" do
-        user_header = double("User", id: "header_user")
-        user_cookie = double("User", id: "cookie_user")
-        session_header = double("Session")
-        session_cookie = double("Session")
-
-        allow(authenticator).to receive(:authenticate).with("header_token").and_return({ user: user_header, session: session_header })
-        allow(authenticator).to receive(:authenticate).with("cookie_token").and_return({ user: user_cookie, session: session_cookie })
-
-        env = Rack::MockRequest.env_for("/?token=cookie_token", "HTTP_AUTHORIZATION" => "Bearer header_token")
-        request = Rack::Request.new(env)
-        allow(request).to receive(:cookies).and_return("decision_agent_session" => "cookie_token")
-        allow(Rack::Request).to receive(:new).and_return(request)
-
-        middleware.call(env)
-
-        expect(env["decision_agent.user"]).to eq(user_header)
-      end
-    end
-  end
-end

data/spec/web/middleware/permission_middleware_spec.rb

@@ -1,247 +0,0 @@
-require "spec_helper"
-require "rack/test"
-require_relative "../../../lib/decision_agent/web/middleware/permission_middleware"
-
-RSpec.describe DecisionAgent::Web::Middleware::PermissionMiddleware do
-  include Rack::Test::Methods
-
-  let(:permission_checker) { double("PermissionChecker") }
-  let(:access_audit_logger) { double("AccessAuditLogger") }
-  let(:app) { ->(_env) { [200, {}, ["OK"]] } }
-  let(:user) { double("User", id: "user1", email: "user@example.com") }
-
-  describe "#initialize" do
-    it "initializes with app and permission_checker" do
-      middleware = described_class.new(app, permission_checker: permission_checker)
-      expect(middleware.instance_variable_get(:@app)).to eq(app)
-      expect(middleware.instance_variable_get(:@permission_checker)).to eq(permission_checker)
-      expect(middleware.instance_variable_get(:@required_permission)).to be_nil
-    end
-
-    it "initializes with required_permission" do
-      middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :write)
-      expect(middleware.instance_variable_get(:@required_permission)).to eq(:write)
-    end
-
-    it "initializes with access_audit_logger" do
-      middleware = described_class.new(app, permission_checker: permission_checker, access_audit_logger: access_audit_logger)
-      expect(middleware.instance_variable_get(:@access_audit_logger)).to eq(access_audit_logger)
-    end
-  end
-
-  describe "#call" do
-    context "without user" do
-      it "returns 401 when user is not authenticated" do
-        middleware = described_class.new(app, permission_checker: permission_checker)
-        env = Rack::MockRequest.env_for("/")
-
-        status, headers, body = middleware.call(env)
-
-        expect(status).to eq(401)
-        expect(headers["Content-Type"]).to include("application/json")
-        body_text = body.first
-        expect(JSON.parse(body_text)["error"]).to eq("Authentication required")
-      end
-    end
-
-    context "with inactive user" do
-      it "returns 403 when user is not active" do
-        middleware = described_class.new(app, permission_checker: permission_checker)
-        env = Rack::MockRequest.env_for("/")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(false)
-
-        status, _, body = middleware.call(env)
-
-        expect(status).to eq(403)
-        body_text = body.first
-        expect(JSON.parse(body_text)["error"]).to eq("User account is not active")
-      end
-    end
-
-    context "without required permission" do
-      it "calls app when no permission required" do
-        middleware = described_class.new(app, permission_checker: permission_checker)
-        env = Rack::MockRequest.env_for("/")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-
-        status, _, body = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(body.first).to eq("OK")
-      end
-    end
-
-    context "with required permission" do
-      let(:middleware) { described_class.new(app, permission_checker: permission_checker, required_permission: :write, access_audit_logger: access_audit_logger) }
-
-      before do
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-      end
-
-      it "calls app when permission is granted" do
-        env = Rack::MockRequest.env_for("/api/rules/123")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(true)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-        allow(access_audit_logger).to receive(:log_permission_check)
-
-        status, _, body = middleware.call(env)
-
-        expect(status).to eq(200)
-        expect(body.first).to eq("OK")
-      end
-
-      it "returns 403 when permission is denied" do
-        env = Rack::MockRequest.env_for("/api/rules/123")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(false)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-        allow(access_audit_logger).to receive(:log_permission_check)
-
-        status, _, body = middleware.call(env)
-
-        expect(status).to eq(403)
-        body_text = body.first
-        expect(JSON.parse(body_text)["error"]).to eq("Permission denied: write")
-      end
-
-      it "logs permission check when access_audit_logger is provided" do
-        env = Rack::MockRequest.env_for("/api/rules/123")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(true)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-        allow(access_audit_logger).to receive(:log_permission_check)
-
-        middleware.call(env)
-
-        expect(access_audit_logger).to have_received(:log_permission_check).with(
-          user_id: "user1",
-          permission: :write,
-          resource_type: "rule",
-          resource_id: "123",
-          granted: true
-        )
-      end
-
-      it "does not log when access_audit_logger is not provided" do
-        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :write)
-        env = Rack::MockRequest.env_for("/api/rules/123")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:can?).with(user, :write, nil).and_return(true)
-
-        expect { middleware.call(env) }.not_to raise_error
-      end
-    end
-
-    describe "#extract_resource_type" do
-      it "extracts resource type from path" do
-        middleware = described_class.new(app, permission_checker: permission_checker)
-        env = Rack::MockRequest.env_for("/api/rules/123")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-
-        middleware.call(env)
-
-        # Verify extraction happened (indirectly through logging)
-        expect(permission_checker).to have_received(:active?).with(user)
-      end
-
-      it "handles paths without /api/ prefix" do
-        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read)
-        env = Rack::MockRequest.env_for("/other/path")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-
-        status, = middleware.call(env)
-
-        expect(status).to eq(200)
-      end
-
-      it "singularizes resource type (removes trailing 's')" do
-        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
-        env = Rack::MockRequest.env_for("/api/rules/123")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-        allow(access_audit_logger).to receive(:log_permission_check)
-
-        middleware.call(env)
-
-        expect(access_audit_logger).to have_received(:log_permission_check).with(
-          user_id: "user1",
-          permission: :read,
-          resource_type: "rule",
-          resource_id: "123",
-          granted: true
-        )
-      end
-    end
-
-    describe "#extract_resource_id" do
-      it "extracts id from params" do
-        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
-        env = Rack::MockRequest.env_for("/api/rules/123?id=456")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-        allow(access_audit_logger).to receive(:log_permission_check)
-
-        middleware.call(env)
-
-        expect(access_audit_logger).to have_received(:log_permission_check) do |args|
-          expect(args[:resource_id]).to eq("456")
-        end
-      end
-
-      it "extracts rule_id from params" do
-        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
-        env = Rack::MockRequest.env_for("/api/rules?rule_id=789")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-        allow(access_audit_logger).to receive(:log_permission_check)
-
-        middleware.call(env)
-
-        expect(access_audit_logger).to have_received(:log_permission_check) do |args|
-          expect(args[:resource_id]).to eq("789")
-        end
-      end
-
-      it "extracts version_id from params" do
-        middleware = described_class.new(app, permission_checker: permission_checker, required_permission: :read, access_audit_logger: access_audit_logger)
-        env = Rack::MockRequest.env_for("/api/versions?version_id=999")
-        env["decision_agent.user"] = user
-
-        allow(permission_checker).to receive(:active?).with(user).and_return(true)
-        allow(permission_checker).to receive(:can?).with(user, :read, nil).and_return(true)
-        allow(permission_checker).to receive(:user_id).with(user).and_return("user1")
-        allow(access_audit_logger).to receive(:log_permission_check)
-
-        middleware.call(env)
-
-        expect(access_audit_logger).to have_received(:log_permission_check) do |args|
-          expect(args[:resource_id]).to eq("999")
-        end
-      end
-    end
-  end
-end