mno-enterprise-api 2.0.0

data/lib/mno_enterprise/concerns/controllers/provision_controller.rb

@@ -0,0 +1,71 @@
+module MnoEnterprise::Concerns::Controllers::ProvisionController
+  extend ActiveSupport::Concern
+
+  #==================================================================
+  # Included methods
+  #==================================================================
+  # 'included do' causes the included code to be evaluated in the
+  # context where it is included rather than being executed in the module's context
+  included do
+    before_filter :authenticate_user_or_signup!
+
+    protected
+    # The path used after purchased apps have been provisionned
+    def after_provision_path
+      # MySpace only defined in frontend
+      # This should be overriden by the main app when not loading frontend
+      if mno_enterprise.respond_to?(:myspace_path)
+        mno_enterprise.myspace_path(anchor: '/')
+      else
+        main_app.root_path
+      end
+    end
+
+    helper_method :after_provision_path # To use in the provision view
+  end
+
+  #==================================================================
+  # Class methods
+  #==================================================================
+  module ClassMethods
+    # def some_class_method
+    #   'some text'
+    # end
+  end
+
+  #==================================================================
+  # Instance methods
+  #==================================================================
+  # GET /provision/new?apps[]=vtiger&organization_id=1
+  # TODO: check organization accessibility via ability
+  def new
+    @apps = params[:apps]
+    @organizations = current_user.organizations.to_a
+    @organization = @organizations.find { |o| o.id && o.id.to_s == params[:organization_id].to_s }
+
+    unless @organization
+      @organization = @organizations.one? ? @organizations.first : nil
+    end
+    authorize! :manage_app_instances, @organization
+
+    # Redirect to dashboard if no applications
+    unless @apps && @apps.any?
+      redirect_to after_provision_path
+    end
+  end
+
+  # POST /provision
+  # TODO: check organization accessibility via ability
+  def create
+    @organization = current_user.organizations.to_a.find { |o| o.id && o.id.to_s == params[:organization_id].to_s }
+    authorize! :manage_app_instances, @organization
+
+    app_instances = []
+    params[:apps].each do |product_name|
+      app_instances << @organization.app_instances.create(product: product_name)
+    end
+
+    render json: app_instances.map(&:attributes).to_json, status: :created
+  end
+
+end

data/lib/mno_enterprise/concerns/controllers/webhook/o_auth_controller.rb

@@ -0,0 +1,107 @@
+module MnoEnterprise::Concerns::Controllers::Webhook::OAuthController
+  extend ActiveSupport::Concern
+
+  #==================================================================
+  # Included methods
+  #==================================================================
+  # 'included do' causes the included code to be evaluated in the
+  # context where it is included rather than being executed in the module's context
+  included do
+    before_filter :authenticate_user!, only: [:authorize, :disconnect, :sync]
+    before_filter :redirect_to_lounge_if_unconfirmed
+    before_filter :check_permissions, only: [:authorize, :disconnect, :sync]
+
+    PROVIDERS_WITH_OPTIONS = ['xero','myob']
+
+    private
+      def app_instance
+        @app_instance ||= MnoEnterprise::AppInstance.where(uid: params[:id]).first
+      end
+
+      # Redirect with an error if user is unauthorized
+      def check_permissions
+        unless can?(:manage_app_instances, app_instance.owner)
+          redirect_to mnoe_home_path, alert: "You are not authorized to perform this action"
+          return false
+        end
+        true
+      end
+
+      # Return a hash of extra parameters that were passed along with
+      # the request
+      def extra_params
+        params.reject { |k,v|  [:controller,:action,:id, :perform].include?(k.to_sym) }
+      end
+
+      # Current user web token
+      def wtk
+        MnoEnterprise.jwt(user_id: current_user.uid)
+      end
+
+      # Append params to the fragment part of an existing url String
+      #   add_param("/#/platform/accounts", 'foo', 'bar')
+      #     => "/#/platform/accounts?foo=bar"
+      #   add_param("/#/platform/dashboard/he/43?en=690", 'foo', 'bar')
+      #     => "/#/platform/dashboard/he/43?en=690&foo=bar"
+      def add_param_to_fragment(url, param_name, param_value)
+        uri = URI(url)
+        fragment = URI(uri.fragment || "")
+        params = URI.decode_www_form(fragment.query || "") << [param_name, param_value]
+        fragment.query = URI.encode_www_form(params)
+        uri.fragment = fragment.to_s
+        uri.to_s
+      end
+
+      def error_message(error_key)
+        case error_key.to_sym
+          when :bad_relinking
+            %{A different account "#{app_instance.oauth_company}" was previously linked to this application, please re-link the same account.}
+          when :unauthorized
+            'We could not validate your credentials, please try again'
+          else
+            error_key
+        end
+      end
+  end
+
+  #==================================================================
+  # Instance methods
+  #==================================================================
+  # GET /mnoe/webhook/oauth/:id/authorize
+  def authorize
+    if params[:redirect_path].present?
+      session[:redirect_path] = params[:redirect_path]
+    end
+
+    # Certain providers require options to be selected
+    if !params[:perform] && app_instance.app && PROVIDERS_WITH_OPTIONS.include?(app_instance.app.nid.to_s)
+      render "mno_enterprise/webhook/o_auth/providers/#{app_instance.app.nid}"
+      return
+    end
+
+    @redirect_to = MnoEnterprise.router.authorize_oauth_url(params[:id], extra_params.merge(wtk: wtk))
+  end
+
+  # GET /mnoe/webhook/oauth/:id/callback
+  def callback
+    path = session.delete(:redirect_path).presence || mnoe_home_path
+
+    if error_key = params.fetch(:oauth, {})[:error]
+
+      path = add_param_to_fragment(path.to_s, 'flash', [{msg: error_message(error_key),  type: :error}.to_json])
+    end
+
+    redirect_to path
+  end
+
+  # GET /mnoe/webhook/oauth/:id/disconnect
+  def disconnect
+    redirect_to MnoEnterprise.router.disconnect_oauth_url(params[:id], extra_params.merge(wtk: wtk))
+  end
+
+  # GET /mnoe/webhook/oauth/:id/sync
+  def sync
+    redirect_to MnoEnterprise.router.sync_oauth_url(params[:id], extra_params.merge(wtk: wtk))
+  end
+
+end

data/lib/mno_enterprise/concerns/mailers/system_notification_mailer.rb

@@ -0,0 +1,158 @@
+module MnoEnterprise::Concerns::Mailers::SystemNotificationMailer
+  extend ActiveSupport::Concern
+
+  #==================================================================
+  # Included methods
+  #==================================================================
+  # 'included do' causes the included code to be evaluated in the
+  # context where it is included rather than being executed in the module's context
+  included do
+    helper :application
+    DEFAULT_SENDER = { name: MnoEnterprise.default_sender_name, email: MnoEnterprise.default_sender_email }
+  end
+
+  #==================================================================
+  # Instance methods
+  #==================================================================
+
+  # Default email sender
+  # Override to allow dynamic sender
+  def default_sender
+    DEFAULT_SENDER
+  end
+
+  # ==> Devise Email
+  # Description:
+  #   Email asking users to confirm their email
+  #
+  # Mandrill vars:
+  #   :first_name
+  #   :last_name
+  #   :full_name
+  #   :confirmation_link
+  #
+  def confirmation_instructions(record, token, opts={})
+    template = record.confirmed? && record.unconfirmed_email? ? 'reconfirmation-instructions' : 'confirmation-instructions'
+    MandrillClient.deliver(template,
+      default_sender,
+      recipient(record),
+      user_vars(record).merge(confirmation_link: user_confirmation_url(confirmation_token: token))
+    )
+  end
+
+  # ==> Devise Email
+  # Description:
+  #   Email providing instructions + link to reset password
+  #
+  # Mandrill vars:
+  #   :first_name
+  #   :last_name
+  #   :full_name
+  #   :reset_password_link
+  #
+  def reset_password_instructions(record, token, opts={})
+    MandrillClient.deliver('reset-password-instructions',
+      default_sender,
+      recipient(record),
+      user_vars(record).merge(reset_password_link: edit_user_password_url(reset_password_token: token))
+    )
+  end
+
+  # ==> Devise Email
+  # Description:
+  #   Email providing instructions + link to unlock a user account after too many failed attempts
+  #
+  # Mandrill vars:
+  #   :first_name
+  #   :last_name
+  #   :full_name
+  #   :unlock_link
+  #
+  def unlock_instructions(record, token, opts={})
+    MandrillClient.deliver('unlock-instructions',
+      default_sender,
+      recipient(record),
+      user_vars(record).merge(unlock_link: user_unlock_url(unlock_token: token))
+    )
+  end
+
+  # Description:
+  #   Send an email inviting the user to join an existing organization. If the user
+  #   is already confirmed it is directed to the organization invite page where he
+  #   can accept or decline the invite
+  #   If the user is not confirmed yet then it is considered a new user and will be directed
+  #   to the confirmation page
+  #
+  # Mandrill vars:
+  #   :organization
+  #   :team
+  #   :ref_first_name
+  #   :ref_last_name
+  #   :ref_full_name
+  #   :ref_email
+  #   :invitee_first_name
+  #   :invitee_last_name
+  #   :invitee_full_name
+  #   :invitee_email
+  #   :confirmation_link
+  #
+  def organization_invite(org_invite)
+    new_user = !org_invite.user.confirmed?
+    confirmation_link = new_user ? user_confirmation_url(confirmation_token: org_invite.user.confirmation_token) : org_invite_url(org_invite, token: org_invite.token)
+    email_template = new_user ? 'organization-invite-new-user' : 'organization-invite-existing-user'
+
+    MandrillClient.deliver(email_template,
+      default_sender,
+      recipient(org_invite.user,new_user),
+      invite_vars(org_invite,new_user).merge(confirmation_link: confirmation_link)
+    )
+  end
+
+  # Description:
+  #   Email providing instructions + link to initiate the account termination
+  #   process.
+  #
+  # Mandrill vars:
+  #   :first_name
+  #   :last_name
+  #   :full_name
+  #   :terminate_account_link
+  def deletion_request_instructions(record, deletion_request)
+    MandrillClient.deliver('deletion-request-instructions',
+      default_sender,
+      recipient(record),
+      user_vars(record).merge(terminate_account_link: deletion_request_url(deletion_request))
+    )
+  end
+
+  protected
+
+  def recipient(record, new_user = false)
+    hash = { email: record.email }
+    hash[:name] = "#{record.name} #{record.surname}".strip unless new_user
+    hash
+  end
+
+  def user_vars(record)
+    {
+      first_name: record.name,
+      last_name: record.surname,
+      full_name: "#{record.name} #{record.surname}".strip
+    }
+  end
+
+  def invite_vars(org_invite, new_user = true)
+    {
+      organization: org_invite.organization.name,
+      team: org_invite.team.present? ? org_invite.team.name : nil,
+      ref_first_name: org_invite.referrer.name,
+      ref_last_name: org_invite.referrer.surname,
+      ref_full_name: "#{org_invite.referrer.name} #{org_invite.referrer.surname}".strip,
+      ref_email: org_invite.referrer.email,
+      invitee_first_name: new_user ? nil : org_invite.user.name,
+      invitee_last_name: new_user ? nil : org_invite.user.surname,
+      invitee_full_name: new_user ? nil : "#{org_invite.user.name} #{org_invite.user.surname}".strip,
+      invitee_email: org_invite.user.email,
+    }
+  end
+end

data/lib/mno_enterprise/event_logger.rb

@@ -0,0 +1,32 @@
+require 'httparty'
+
+module MnoEnterprise
+  class EventLogger
+    include HTTParty
+    base_uri "#{MnoEnterprise.mno_api_private_host || MnoEnterprise.mno_api_host}/api/mnoe/v1/audit_events"
+    read_timeout 0.1
+    basic_auth MnoEnterprise.tenant_id, MnoEnterprise.tenant_key
+
+    def self.info(key, current_user_id, description, metadata, object)
+      post('', body: {
+          data: {
+              key: key,
+              user_id: current_user_id,
+              description: description,
+              metadata: format_metadata(metadata, object),
+              subject_type: object.class.name,
+              subject_id: object.id
+          }})
+    rescue Net::ReadTimeout
+      # Meant to fail
+    end
+
+    def self.format_metadata(metadata, object)
+      if metadata.blank? && object.respond_to?(:to_audit_event)
+        object.to_audit_event
+      else
+        metadata
+      end
+    end
+  end
+end

data/spec/controllers/mno_enterprise/auth/confirmation_controller_spec.rb

@@ -0,0 +1,68 @@
+require 'rails_helper'
+
+module MnoEnterprise
+  describe Auth::ConfirmationsController, type: :controller do
+    routes { MnoEnterprise::Engine.routes }
+
+    before { @request.env['devise.mapping'] = Devise.mappings[:user] }
+
+    let(:unconfirmed_user) { build(:user, :unconfirmed, organizations: [])}
+    let(:confirmed_user) { build(:user, organizations: [])}
+
+
+    describe 'GET #show' do
+      subject { get :show, confirmation_token: user.confirmation_token }
+
+      before do
+        allow(MnoEnterprise::User).to receive(:find_for_confirmation) { user }
+        allow(user).to receive(:save)
+      end
+
+      context 'unconfirmed user' do
+        let(:user) { unconfirmed_user }
+
+        it 'does not sign in the user' do
+          subject
+          expect(controller.current_user).to be_nil
+        end
+
+        it 'render the template' do
+          expect(subject).to render_template('show')
+        end
+      end
+
+      context 'confirmed user' do
+        let(:user) { confirmed_user }
+
+        context 'with a new email' do
+          let(:email) { 'unconfirmed@example.com' }
+
+          before do
+            user.unconfirmed_email = email
+
+            api_stub_for(get: "/users?filter[email]=#{email}&limit=1", response: from_api(nil))
+            api_stub_for(get: "/org_invites?filter[user_email]=#{email}", response: from_api(nil))
+          end
+
+          it 'sign in the user' do
+            subject
+            expect(controller.current_user).to eq(user)
+          end
+
+          it 'redirects to the dashboard' do
+            expect(subject).to redirect_to(controller.signed_in_root_path(user))
+          end
+        end
+
+        it 'does not sign in the user' do
+          subject
+          expect(controller.current_user).to be_nil
+        end
+
+        it 'returns an error' do
+          expect(subject).to render_template("new")
+        end
+      end
+    end
+  end
+end

data/spec/controllers/mno_enterprise/deletion_requests_controller_spec.rb

@@ -0,0 +1,141 @@
+require 'rails_helper'
+
+# TODO: DRY Specs with shared examples
+module MnoEnterprise
+  describe DeletionRequestsController, type: :controller do
+    render_views
+    routes { MnoEnterprise::Engine.routes }
+
+    # Stub controller ability
+    let!(:ability) { stub_ability }
+    before { allow(ability).to receive(:can?).with(any_args).and_return(true) }
+
+    # Stub model calls
+    let(:deletion_req) { build(:deletion_request) }
+    let(:user) { build(:user, deletion_request: deletion_req) }
+
+    before do
+      api_stub_for(get: "/users/#{user.id}", response: from_api(user))
+      api_stub_for(get: "/users/#{user.id}/deletion_request", response: from_api(user))
+    end
+
+    describe "GET #show'" do
+      before { sign_in user }
+      subject { get :show, id: deletion_req.token }
+
+      # TODO: use behavior
+      it_behaves_like "a navigatable protected user action"
+      # it_behaves_like "a user protected resource"
+
+      context 'when no current_request' do
+        let(:user) { build(:user, deletion_request: nil) }
+
+        it 'redirects to the root_path' do
+          subject
+          expect(response).to redirect_to(main_app.root_path)
+        end
+      end
+
+      context 'when not the current request' do
+        let(:new_deletion_req) { build(:deletion_request) }
+        let(:user) { build(:user, deletion_request: new_deletion_req) }
+
+        it 'redirects to the root_path' do
+          subject
+          expect(response).to redirect_to(main_app.root_path)
+        end
+      end
+    end
+
+    describe "PUT #freeze_account" do
+      # before { api_stub_for(get: "/deletion_requests/#{deletion_req.id}", response: from_api(deletion_req)) }
+      before { api_stub_for(put: "/deletion_requests/#{deletion_req.id}", response: from_api(deletion_req)) }
+
+      before { sign_in user }
+      subject { put :freeze_account, id: deletion_req.token }
+
+      # TODO: use behavior
+      it_behaves_like "a navigatable protected user action"
+
+      context 'when the request is pending' do
+        it 'freezes the account' do
+          expect(controller.current_user).to receive(:deletion_request).and_return(deletion_req)
+          expect(deletion_req).to receive(:freeze_account!)
+          subject
+        end
+
+        it 'redirects to the deletion request' do
+          subject
+          expect(response).to redirect_to(deletion_request_url(deletion_req))
+        end
+      end
+
+      context 'when the request is not pending' do
+        let(:deletion_req) { build(:deletion_request, status: 'account_frozen') }
+
+        it 'does not freezes the account' do
+          expect_any_instance_of(MnoEnterprise::DeletionRequest).not_to receive(:freeze_account!)
+          subject
+        end
+
+        it 'redirects to the deletion request' do
+          subject
+          expect(response).to redirect_to(deletion_request_url(deletion_req))
+        end
+
+        it 'displays an error message' do
+          subject
+          expect(flash[:alert]).to eq("Invalid action")
+        end
+      end
+
+      context 'when no valid request' do
+        let(:user) { build(:user, deletion_request: nil) }
+        it 'redirects to the root_path' do
+          subject
+          expect(response).to redirect_to(main_app.root_path)
+        end
+      end
+
+    end
+
+    describe "PUT #checkout" do
+      before { api_stub_for(put: "/deletion_requests/#{deletion_req.id}", response: from_api(deletion_req)) }
+
+      before { sign_in user }
+      subject { put :checkout, id: deletion_req.token }
+
+      # TODO: use behavior
+      it_behaves_like "a navigatable protected user action"
+
+      context 'when the request is not account_frozen' do
+        let(:deletion_req) { build(:deletion_request, status: 'pending') }
+
+        # it 'does not freezes the account' do
+        #   expect_any_instance_of(MnoEnterprise::DeletionRequest).not_to receive(:freeze_account!)
+        #   subject
+        # end
+
+        it 'redirects to the deletion request' do
+          subject
+          expect(response).to redirect_to(deletion_request_url(deletion_req))
+        end
+
+        it 'displays an error message' do
+          subject
+          expect(flash[:alert]).to eq("Invalid action")
+        end
+      end
+
+      context 'when no valid request' do
+        let(:user) { build(:user, deletion_request: nil) }
+        it 'redirects to the root_path' do
+          subject
+          expect(response).to redirect_to(main_app.root_path)
+        end
+      end
+    end
+
+    describe "PUT #terminate"
+  end
+end