openstax_accounts 1.0.0 → 2.0.0

data/lib/openstax/accounts/extend_builtins.rb

@@ -0,0 +1,37 @@
+ActionController::Base.class_exec do
+
+  helper_method :current_user, :signed_in?
+
+  # Returns the current user
+  def current_user
+    current_user_manager.current_user
+  end
+
+  # Returns the current account
+  def current_account
+    current_user_manager.current_account
+  end
+
+  # Returns true iff there is a user signed in
+  def signed_in?
+    current_user_manager.signed_in?
+  end
+
+  # Signs in the given account or user
+  def sign_in(user)
+    current_user_manager.sign_in(user)
+  end
+
+  # Signs out the current account and user
+  def sign_out!
+    current_user_manager.sign_out!
+  end
+
+  protected
+
+  def current_user_manager
+    @current_user_manager ||= OpenStax::Accounts::CurrentUserManager.new(
+                                request, session, cookies)
+  end
+
+end

data/lib/openstax/accounts/version.rb

@@ -1,5 +1,5 @@
 module OpenStax
   module Accounts
-    VERSION = "1.0.0"
+    VERSION = "2.0.0"
   end
 end

data/lib/openstax_accounts.rb

@@ -1,11 +1,9 @@
 require 'openstax/accounts/version'
 require 'openstax/accounts/engine'
-require 'openstax/accounts/route_helper'
-require 'openstax/accounts/action_list'
-require 'openstax/accounts/user_provider'
+require 'openstax/accounts/default_account_user_mapper'
 require 'openstax/accounts/current_user_manager'
-
 require 'openstax_utilities'
+
 require 'oauth2'
 require 'uri'
 
@@ -68,13 +66,17 @@ module OpenStax
         # Class to be used for security transgression exceptions
         attr_accessor :security_transgression_exception
 
-        # See the "user_provider" discussion in the README
-        attr_accessor :user_provider
+        # account_user_mapper
+        # This class teaches the gem how to convert between accounts and users
+        # See the "account_user_mapper" discussion in the README
+        attr_accessor :account_user_mapper
 
-        # The maximum number of users that can be returned in a call to SearchUsers
+        # max_matching_accounts
+        # The maximum number of accounts that can be returned
+        # in a call to SearchAccounts
         # If more would be returned, the result will be empty instead
-        # Can also be passed directly to SearchUsers
-        attr_accessor :max_matching_users
+        # Can also be passed directly to SearchAccounts
+        attr_accessor :max_matching_accounts
 
         def openstax_accounts_url=(url)
           url.gsub!(/https|http/,'https') if !(url =~ /localhost/)
@@ -92,8 +94,8 @@ module OpenStax
           @default_errors_html_id = 'openstax-accounts-attention'
           @default_errors_added_trigger = 'openstax-accounts-errors-added'
           @security_transgression_exception = SecurityTransgression
-          @user_provider = OpenStax::Accounts::UserProvider
-          @max_matching_users = 10
+          @account_user_mapper = OpenStax::Accounts::DefaultAccountUserMapper
+          @max_matching_accounts = 10
           super
         end
 
@@ -115,7 +117,9 @@ module OpenStax
         version = options.delete(:api_version)
         unless version.blank?
           options[:headers] ||= {}
-          options[:headers].merge!({ 'Accept' => "application/vnd.accounts.openstax.#{version.to_s}" })
+          options[:headers].merge!({
+            'Accept' => "application/vnd.accounts.openstax.#{version.to_s}"
+          })
         end
 
         token_string = options.delete(:access_token)
@@ -127,45 +131,62 @@ module OpenStax
         token.request(http_method, api_url, options)
       end
 
-      # Performs an ApplicationUser search in Accounts for the configured app.
+      # Performs an account search in the Accounts server.
+      # Results are limited to 10 accounts maximum.
+      # Takes a query parameter and an optional API version parameter.
+      # API version currently defaults to :v1 (may change in the future).
+      # On failure, throws an Exception, just like api_call.
+      # On success, returns an OAuth2::Response object.
+      def search_accounts(query, version = DEFAULT_API_VERSION)
+        options = {:params => {:q => query},
+                   :api_version => version}
+        api_call(:get, 'users', options)
+      end
+
+      # Performs an account search in the Accounts server.
+      # Results are limited to accounts that have used the current app.
       # Takes a query parameter and an optional API version parameter.
       # API version currently defaults to :v1 (may change in the future).
       # On failure, throws an Exception, just like api_call.
       # On success, returns an OAuth2::Response object.
-      def application_users_index(query, version = DEFAULT_API_VERSION)
+      def search_application_accounts(query, version = DEFAULT_API_VERSION)
         options = {:params => {:q => query},
                    :api_version => version}
         api_call(:get, 'application_users', options)
       end
 
-      # Retrieves information about ApplicationUsers that have been recently updated.
+      # Retrieves information about accounts that have been
+      # recently updated.
+      # Results are limited to accounts that have used the current app.
       # On failure, throws an Exception, just like api_call.
       # On success, returns an OAuth2::Response object.
-      def application_users_updates(version = DEFAULT_API_VERSION)
+      def get_application_account_updates(version = DEFAULT_API_VERSION)
         options = {:api_version => version}
         api_call(:get, 'application_users/updates', options)
       end
 
-      # Marks ApplicationUser updates as "read".
-      # The app_users parameter is a hash that maps ApplicationUser
-      # openstax_uid's to the value of the last received unread_updates.
+      # Marks account updates as "read".
+      # The uid_map parameter is a hash that maps account openstax_uid's
+      # to the value of the last received unread_updates for that uid.
+      # Can only be called for accounts that have used the current app.
       # On failure, throws an Exception, just like api_call.
       # On success, returns an OAuth2::Response object.
-      def application_users_updated(app_users, version = DEFAULT_API_VERSION)
+      def mark_updates_as_read(uid_map, version = DEFAULT_API_VERSION)
         options = {:api_version => version,
-                   :body => {:application_users => app_users}}
+                   :body => {:application_users => uid_map}}
         api_call(:put, 'application_users/updated', options)
       end
 
-      # Updates an OpenStax::Accounts::User in Accounts for the configured app.
+      # Updates the current account in the Accounts server.
+      # The current account is determined by the OAuth access token.
       # Also takes an optional API version parameter.
       # API version currently defaults to :v1 (may change in the future).
       # On failure, throws an Exception, just like api_call.
       # On success, returns an OAuth2::Response object.
-      def user_update(user, version = DEFAULT_API_VERSION)
-        options = {:access_token => user.access_token,
+      def update_account(account, version = DEFAULT_API_VERSION)
+        options = {:access_token => account.access_token,
                    :api_version => version,
-                   :body => user.attributes.slice('username', 'first_name',
+                   :body => account.attributes.slice('username', 'first_name',
                               'last_name', 'full_name', 'title').to_json}
         api_call(:put, 'user', options)
       end

data/spec/controllers/openstax/accounts/dev/accounts_controller_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+module OpenStax::Accounts
+  module Dev
+    describe AccountsController do
+      routes { Engine.routes }
+
+      let!(:account) { FactoryGirl.create :openstax_accounts_account,
+                                          username: 'some_user',
+                                          openstax_uid: 10 }
+
+      it 'should allow users not in production to become other users' do
+        expect(controller.current_account).to eq(AnonymousAccount.instance)
+        expect(controller.current_account.is_anonymous?).to eq(true)
+        post :become, id: account.id
+        expect(controller.current_account).to eq(account)
+        expect(controller.current_account.is_anonymous?).to eq(false)
+      end
+    end
+  end
+end

data/spec/controllers/openstax/accounts/sessions_controller_spec.rb

@@ -2,14 +2,17 @@ require 'spec_helper'
 
 module OpenStax::Accounts
   describe SessionsController do
-    routes { OpenStax::Accounts::Engine.routes }
+    routes { Engine.routes }
 
-    let!(:user) { OpenStax::Accounts::User.create(username: 'some_user',
-                                                  openstax_uid: 1) }
+    let!(:account) { FactoryGirl.create :openstax_accounts_account,
+                                        username: 'some_user',
+                                        openstax_uid: 10 }
 
     it 'should redirect users to the login path' do
+      c = controller
       get :new
-      expect(response).to redirect_to RouteHelper.get_path(:login)
+      expect(response).to redirect_to(
+        c.send(:with_interceptor) { c.dev_accounts_path })
       expect(response.code).to eq('302')
     end
 
@@ -18,12 +21,12 @@ module OpenStax::Accounts
     end
 
     it 'should let users logout' do
-      controller.sign_in user
-      expect(controller.current_user).to eq(user)
-      expect(controller.current_user.is_anonymous?).to eq(false)
+      controller.sign_in account
+      expect(controller.current_account).to eq(account)
+      expect(controller.current_account.is_anonymous?).to eq(false)
       delete :destroy
-      expect(controller.current_user).to eq(OpenStax::Accounts::User.anonymous)
-      expect(controller.current_user.is_anonymous?).to eq(true)
+      expect(controller.current_account).to eq(AnonymousAccount.instance)
+      expect(controller.current_account.is_anonymous?).to eq(true)
     end
   end
 end

data/spec/dummy/app/controllers/api/application_users_controller.rb

@@ -4,10 +4,6 @@ module Api
       dummy(:index)
     end
 
-    def create
-      dummy(:create)
-    end
-
     def updates
       dummy(:updates)
     end

data/spec/dummy/app/controllers/api/users_controller.rb

@@ -0,0 +1,7 @@
+module Api
+  class UsersController < DummyController
+    def index
+      dummy(:index)
+    end
+  end
+end

data/spec/dummy/app/models/anonymous_user.rb

@@ -0,0 +1,48 @@
+require 'singleton'
+
+class AnonymousUser
+  include Singleton
+
+  def is_admin?
+    false
+  end
+
+  def is_anonymous?
+    true
+  end
+
+  def is_human?
+    true
+  end
+
+  def is_application?
+    false
+  end
+
+  def id
+    nil
+  end
+
+  def authentications 
+    []
+  end
+
+  def identity
+    nil
+  end
+
+  # Necessary if an anonymous user ever runs into an Exception
+  # or else the developer email doesn't work
+  def username
+    'anonymous'
+  end
+
+  def full_name
+    "Anonymous User"
+  end
+
+  def casual_name
+    full_name
+  end
+
+end

data/spec/dummy/app/models/user.rb

@@ -0,0 +1,26 @@
+class User < ActiveRecord::Base
+  belongs_to :openstax_accounts_account, 
+             class_name: "OpenStax::Accounts::Account",
+             dependent: :destroy
+
+  delegate :username, :first_name, :last_name, :full_name, :title,
+           :name, :casual_name, to: :openstax_accounts_account
+
+  def is_anonymous?
+    false
+  end
+
+  # OpenStax Accounts "account_user_mapper" methods
+
+  def self.account_to_user(account)
+    account.is_anonymous? ? \
+      AnonymousUser.instance : \
+      User.where(:openstax_accounts_account_id => account.id).first
+  end
+
+  def self.user_to_account(user)
+    user.is_anonymous? ? \
+      AnonymousAccount.instance : \
+      user.openstax_accounts_account
+  end
+end

data/spec/dummy/config/initializers/openstax_accounts.rb

@@ -7,6 +7,7 @@ OpenStax::Accounts.configure do |config|
   config.openstax_accounts_url = "http://localhost:#{CAPYBARA_SERVER.port}/"
   config.openstax_application_id = 'secret'
   config.openstax_application_secret = 'secret'
+  config.account_user_mapper = User
   config.logout_via = :delete
-  config.max_matching_users = 47
-end
+  config.max_matching_accounts = 47
+end

data/spec/dummy/config/routes.rb

@@ -1,4 +1,6 @@
 Rails.application.routes.draw do
+  root :to => 'application#index'
+
   mount OpenStax::Accounts::Engine => '/accounts'
 
   post 'oauth/token', :to => 'oauth#token'
@@ -6,13 +8,13 @@ Rails.application.routes.draw do
   namespace :api do
     post 'dummy', :to => 'dummy#dummy'
 
-    resources :application_users, :only => [:index, :create] do
+    resources :users, :only => [:index]
+
+    resources :application_users, :only => [:index] do
       collection do
         get 'updates'
         put 'updated'
       end
     end
   end
-
-  root :to => 'application#index'
 end

data/spec/dummy/db/migrate/1_create_users.rb

@@ -0,0 +1,11 @@
+class CreateUsers < ActiveRecord::Migration
+  def change
+    create_table :users do |t|
+      t.integer :openstax_accounts_account_id
+
+      t.timestamps
+    end
+
+    add_index :users, :openstax_accounts_account_id, :unique => true
+  end
+end

data/spec/dummy/db/schema.rb

@@ -11,11 +11,11 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 0) do
+ActiveRecord::Schema.define(:version => 1) do
 
-  create_table "openstax_accounts_users", :force => true do |t|
-    t.integer  "openstax_uid"
-    t.string   "username"
+  create_table "openstax_accounts_accounts", :force => true do |t|
+    t.integer  "openstax_uid", :null => false
+    t.string   "username",     :null => false
     t.string   "first_name"
     t.string   "last_name"
     t.string   "full_name"
@@ -25,7 +25,19 @@ ActiveRecord::Schema.define(:version => 0) do
     t.datetime "updated_at",   :null => false
   end
 
-  add_index "openstax_accounts_users", ["openstax_uid"], :name => "index_openstax_accounts_users_on_openstax_uid", :unique => true
-  add_index "openstax_accounts_users", ["username"], :name => "index_openstax_accounts_users_on_username", :unique => true
+  add_index "openstax_accounts_accounts", ["access_token"], :name => "index_openstax_accounts_accounts_on_access_token", :unique => true
+  add_index "openstax_accounts_accounts", ["first_name"], :name => "index_openstax_accounts_accounts_on_first_name"
+  add_index "openstax_accounts_accounts", ["full_name"], :name => "index_openstax_accounts_accounts_on_full_name"
+  add_index "openstax_accounts_accounts", ["last_name"], :name => "index_openstax_accounts_accounts_on_last_name"
+  add_index "openstax_accounts_accounts", ["openstax_uid"], :name => "index_openstax_accounts_accounts_on_openstax_uid", :unique => true
+  add_index "openstax_accounts_accounts", ["username"], :name => "index_openstax_accounts_accounts_on_username", :unique => true
+
+  create_table "users", :force => true do |t|
+    t.integer  "openstax_accounts_account_id"
+    t.datetime "created_at",                   :null => false
+    t.datetime "updated_at",                   :null => false
+  end
+
+  add_index "users", ["openstax_accounts_account_id"], :name => "index_users_on_openstax_accounts_account_id", :unique => true
 
 end

data/spec/factories/openstax_accounts_account.rb

@@ -0,0 +1,6 @@
+FactoryGirl.define do
+  factory :openstax_accounts_account, :class => OpenStax::Accounts::Account do
+    sequence(:openstax_uid) { -SecureRandom.hex.to_i(16) }
+    sequence(:username) { SecureRandom.hex }
+  end
+end

data/spec/lib/openstax/accounts/current_user_manager_spec.rb

@@ -0,0 +1,151 @@
+module OpenStax
+  module Accounts
+    describe CurrentUserManager do
+      let!(:account) { FactoryGirl.create(:openstax_accounts_account,
+                         username: 'some_user',
+                         openstax_uid: 1) }
+      let!(:user)    { User.create(:openstax_accounts_account => account) }
+
+      let!(:request) { double('request',
+                              :host => 'localhost',
+                              :ssl? => false) }
+
+      let!(:ssl_request) { double('request',
+                                  :host => 'localhost',
+                                  :ssl? => true) }
+
+      let!(:session) { {} }
+
+      let!(:cookies) { ActionDispatch::Cookies::CookieJar.new(
+                         SecureRandom.hex, 'localhost') }
+
+      let!(:current_user_manager) { CurrentUserManager.new(
+                                      request, session, cookies) }
+
+      context 'signing in' do
+
+        it 'signs in an account' do
+          expect(current_user_manager.signed_in?).to eq(false)
+          expect(current_user_manager.current_account).to(
+            eq(AnonymousAccount.instance))
+          expect(current_user_manager.current_user).to(
+            eq(AnonymousUser.instance))
+
+          current_user_manager.sign_in!(account)
+
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+        end
+
+        it 'signs in a user' do
+          expect(current_user_manager.signed_in?).to eq(false)
+          expect(current_user_manager.current_account).to(
+            eq(AnonymousAccount.instance))
+          expect(current_user_manager.current_user).to(
+            eq(AnonymousUser.instance))
+
+          current_user_manager.sign_in!(user)
+
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+        end
+
+      end
+
+      context 'from session' do
+
+        before(:each) do
+          current_user_manager.sign_in!(account)
+        end
+
+        it 'keeps a legitimate user signed in' do
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+
+          # Secure cookies are not sent with non-SSL requests
+          unsecure_cookies = ActionDispatch::Cookies::CookieJar.new(
+                               SecureRandom.hex, 'localhost')
+          unsecure_cookies[:account_id] = cookies[:account_id]
+
+          current_user_manager = CurrentUserManager.new(
+                                   request, session, unsecure_cookies)
+
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+
+          # But they are sent with SSL requests
+          current_user_manager = CurrentUserManager.new(
+                                   ssl_request, session, cookies)
+
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+        end
+
+        it 'signs out an attacker attempting to hijack the session' do
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+
+          # The protection relies on the attacker not being
+          # able to get the secure cookies
+          cookies.delete(:secure_account_id)
+
+          # The attacker can still access non-SSL pages
+          current_user_manager = CurrentUserManager.new(
+                                   request, session, cookies)
+
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+
+          # But not SSL pages
+          current_user_manager = CurrentUserManager.new(
+                                   ssl_request, session, cookies)
+
+          expect(current_user_manager.signed_in?).to eq(false)
+          expect(current_user_manager.current_account).to(
+            eq(AnonymousAccount.instance))
+          expect(current_user_manager.current_user).to(
+            eq(AnonymousUser.instance))
+
+          # And after they logout, that's it
+          current_user_manager = CurrentUserManager.new(
+                                   request, session, cookies)
+
+          expect(current_user_manager.signed_in?).to eq(false)
+          expect(current_user_manager.current_account).to(
+            eq(AnonymousAccount.instance))
+          expect(current_user_manager.current_user).to(
+            eq(AnonymousUser.instance))
+        end
+
+      end
+
+      context 'signing out' do
+
+        before(:each) { current_user_manager.sign_in!(account) }
+
+        it 'signs out users' do
+          expect(current_user_manager.signed_in?).to eq(true)
+          expect(current_user_manager.current_account).to eq(account)
+          expect(current_user_manager.current_user).to eq(user)
+
+          current_user_manager.sign_out!
+
+          expect(current_user_manager.signed_in?).to eq(false)
+          expect(current_user_manager.current_account).to(
+            eq(AnonymousAccount.instance))
+          expect(current_user_manager.current_user).to(
+            eq(AnonymousUser.instance))
+        end
+
+      end
+
+    end
+  end
+end

data/spec/lib/openstax_accounts_spec.rb

@@ -1,8 +1,7 @@
 module OpenStax
   describe Accounts do
-    let!(:user) { OpenStax::Accounts::User.create(username: 'some_user',
-                                                  openstax_uid: 1,
-                                                  access_token: 'secret') }
+    let!(:account) { OpenStax::Accounts::Account.create(username: 'some_user',
+                       openstax_uid: 1, access_token: 'secret') }
 
     it 'makes api calls' do
       expect(Api::DummyController.last_action).to be_nil
@@ -12,26 +11,34 @@ module OpenStax
       expect(Api::DummyController.last_params).to include 'test' => 'true'
     end
 
-    it 'makes api call to application_user index' do
+    it 'makes api call to accounts (index)' do
+      Api::UsersController.last_action = nil
+      Api::UsersController.last_params = nil
+      Accounts.search_accounts('sth')
+      expect(Api::UsersController.last_action).to eq :index
+      expect(Api::UsersController.last_params).to include :q => 'sth'
+    end
+
+    it 'makes api call to application_accounts (index)' do
       Api::ApplicationUsersController.last_action = nil
       Api::ApplicationUsersController.last_params = nil
-      Accounts.application_users_index('sth')
+      Accounts.search_application_accounts('sth')
       expect(Api::ApplicationUsersController.last_action).to eq :index
       expect(Api::ApplicationUsersController.last_params).to include :q => 'sth'
     end
 
-    it 'makes api call to application_user updates' do
+    it 'makes api call to application_users_updates' do
       Api::ApplicationUsersController.last_action = nil
       Api::ApplicationUsersController.last_params = nil
-      Accounts.application_users_updates
+      Accounts.get_application_account_updates
       expect(Api::ApplicationUsersController.last_action).to eq :updates
       expect(Api::ApplicationUsersController.last_params).not_to be_nil
     end
 
-    it 'makes api call to application_user updated' do
+    it 'makes api call to application_users_updated' do
       Api::ApplicationUsersController.last_action = nil
       Api::ApplicationUsersController.last_params = nil
-      Accounts.application_users_updated({1 => 1})
+      Accounts.mark_updates_as_read({1 => 1})
       expect(Api::ApplicationUsersController.last_action).to eq :updated
       expect(Api::ApplicationUsersController.last_params[:application_users]).to include '1' => '1'
     end

data/spec/models/openstax/accounts/account_spec.rb

@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+module OpenStax::Accounts
+  describe Account do
+    it 'is not anonymous' do
+      expect(Account.new.is_anonymous?).to be_false
+    end
+  end
+end

data/spec/models/openstax/accounts/anonymous_account_spec.rb

@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+module OpenStax::Accounts
+  describe AnonymousAccount do
+    it 'is anonymous' do
+      expect(AnonymousAccount.instance.is_anonymous?).to be_true
+    end
+  end
+end