quo_vadis 2.0.0 → 2.0.1

data/test/mailers/mailer_test.rb

@@ -0,0 +1,200 @@
+require 'test_helper'
+
+class MailerTest < ActionMailer::TestCase
+
+  tests QuoVadis::Mailer
+
+  setup do
+    QuoVadis.mail_headers({from: 'Bar <bar@example.com>'})
+  end
+
+
+  test 'reset_password' do
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      url: 'http://example.com/pwd-reset/123abc'
+    ).reset_password
+
+    assert_emails 1 do
+      email.deliver_now
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Change your password', email.subject
+    assert_equal read_fixture('reset_password.text').join, email.body.to_s
+  end
+
+
+  test 'account_confirmation' do
+    email = QuoVadis::Mailer.with(
+      email: 'Foo <foo@example.com>',
+      url: 'http://example.com/confirm/123abc'
+    ).account_confirmation
+
+    assert_emails 1 do
+      email.deliver_now
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Please confirm your account', email.subject
+    assert_equal read_fixture('account_confirmation.text').join, email.body.to_s
+  end
+
+
+  test 'email change notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').email_change_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your email address has been changed', email.subject
+    assert_equal with_timestamp(read_fixture('email_change_notification.text').join), email.body.to_s
+  end
+
+
+  test 'identifier change notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>', identifier: 'email').identifier_change_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your email has been changed', email.subject
+    assert_equal with_timestamp(read_fixture('identifier_change_notification.text').join), email.body.to_s
+  end
+
+
+  test 'password change notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_change_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your password has been changed', email.subject
+    assert_equal with_timestamp(read_fixture('password_change_notification.text').join), email.body.to_s
+  end
+
+
+  test 'password reset notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').password_reset_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your password has been reset', email.subject
+    assert_equal with_timestamp(read_fixture('password_reset_notification.text').join), email.body.to_s
+  end
+
+
+  test 'totp setup notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_setup_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Two-factor authentication was set up just now', email.subject
+    assert_equal with_timestamp(read_fixture('totp_setup_notification.text').join), email.body.to_s
+  end
+
+
+  test 'totp reuse notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').totp_reuse_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Your two-factor authentication code was reused just now', email.subject
+    assert_equal with_timestamp(read_fixture('totp_reuse_notification.text').join), email.body.to_s
+  end
+
+
+  test '2fa deactivated notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').twofa_deactivated_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Two-factor authentication was deactivated just now', email.subject
+    assert_equal with_timestamp(read_fixture('twofa_deactivated_notification.text').join), email.body.to_s
+  end
+
+
+  test 'recovery codes generation notification' do
+    email = QuoVadis::Mailer.with(email: 'Foo <foo@example.com>').recovery_codes_generation_notification
+
+    # freeze_time
+
+    assert_emails 1 do
+      QuoVadis::CurrentRequestDetails.set(ip: '1.2.3.4') do
+        email.deliver_now
+      end
+    end
+
+    assert_equal ['foo@example.com'], email.to
+    assert_equal ['bar@example.com'], email.from
+    assert_equal 'Recovery codes have been generated for your account', email.subject
+    assert_equal with_timestamp(read_fixture('recovery_codes_generation_notification.text').join), email.body.to_s
+  end
+
+
+  private
+
+  def read_fixture(action)
+    IO.readlines(File.join(__dir__, '..', 'fixtures', self.class.mailer_class.name.underscore, action))
+  end
+
+  def with_timestamp(str)
+    str.sub 'TIMESTAMP', Time.now.strftime('%e %B at %H:%M (%Z)')
+  end
+
+end

data/test/models/account_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+
+class AccountTest < ActiveSupport::TestCase
+  include ActionMailer::TestHelper
+
+  test 'confirmed?' do
+    account = QuoVadis::Account.new
+    refute account.confirmed?
+
+    account.confirmed_at = Time.now
+    assert account.confirmed?
+  end
+
+
+  test 'notifies on identifier change when notifier is not email' do
+    p = Person.create! username: 'bob', email: 'bob@example.com', password: 'secretsecret'
+    assert_enqueued_email_with QuoVadis::Mailer, :identifier_change_notification, args: {email: 'bob@example.com', identifier: 'username'} do
+      assert_enqueued_emails 1 do
+        p.update username: 'robert@example.com'
+      end
+    end
+  end
+
+
+  test 'does not notify on identifier change when notifier is email' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+      assert_enqueued_emails 1 do
+        u.update email: 'robert@example.com'
+      end
+    end
+  end
+
+end

data/test/models/crypt_test.rb

@@ -0,0 +1,22 @@
+require 'test_helper'
+
+class CryptTest < ActiveSupport::TestCase
+
+  setup do
+    @crypt = QuoVadis::Crypt
+  end
+
+  test 'round trip' do
+    plaintext = 'the quick brown fox'
+    ciphertext = @crypt.encrypt plaintext
+    refute_equal plaintext, ciphertext
+    assert_equal plaintext, @crypt.decrypt(ciphertext)
+  end
+
+  test 'same plaintext encrypts to different ciphertexts' do
+    plaintext = 'the quick brown fox'
+    ciphertext = @crypt.encrypt plaintext
+    refute_equal ciphertext, @crypt.encrypt(plaintext)
+  end
+
+end

data/test/models/log_test.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+
+class LogTest < ActiveSupport::TestCase
+
+  test 'smoke' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    account = user.qv_account
+
+    log = account.logs.create! action: QuoVadis::Log::LOGIN_SUCCESS, ip: '1.2.3.4', metadata: {foo: 'bar'}
+
+    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+    assert_equal '1.2.3.4', log.ip
+    assert_equal 'bar', log.metadata['foo']
+  end
+
+end

data/test/models/mask_ip_test.rb

@@ -0,0 +1,27 @@
+require 'test_helper'
+
+class MaskIpTest < ActiveSupport::TestCase
+
+  setup do
+    @masking = QuoVadis.mask_ips
+  end
+
+  teardown do
+    QuoVadis.mask_ips @masking
+  end
+
+
+  test 'mask ips' do
+    [ QuoVadis::Log, QuoVadis::Session ].each do |klass|
+      QuoVadis.mask_ips false
+      instance = klass.new(ip: '1.2.3.4')
+      instance.valid?
+      assert_equal '1.2.3.4', instance.ip
+
+      QuoVadis.mask_ips true
+      instance.valid?
+      assert_equal '1.2.3.0', instance.ip
+    end
+  end
+
+end

data/test/models/model_test.rb

@@ -0,0 +1,66 @@
+require 'test_helper'
+
+class ModelTest < ActiveSupport::TestCase
+  include ActionMailer::TestHelper
+
+  test 'responds to' do
+    assert_respond_to User, :authenticates
+    u = User.new
+    assert_respond_to u, :password
+    assert_respond_to u, :password=
+    assert_respond_to u, :password_confirmation
+    assert_respond_to u, :password_confirmation=
+  end
+
+
+  test 'creates account' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    assert u.persisted?
+    assert u.qv_account.persisted?
+  end
+
+
+  test 'destroys account' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    ac = u.qv_account
+    u.destroy
+    assert ac.destroyed?
+  end
+
+
+  test 'copies model identifier to account' do
+    email = 'bob@example.com'
+    u = User.create! name: 'bob', email: email, password: '123456789abc'
+    assert_equal email, u.qv_account.identifier
+
+    email = 'b@foo.com'
+    u.update email: email
+    u.qv_account.reload
+    assert_equal email, u.qv_account.identifier
+
+    u.update name: nil, email: 'xyz'  # nil name is invalid
+    u.qv_account.reload
+    refute_equal 'xyz', u.qv_account.identifier
+  end
+
+
+  test 'ensures uniqueness validation on identifier' do
+    Foo = Class.new ActiveRecord::Base
+    assert_raises NotImplementedError, 'missing uniqueness validation on ModelTest::Foo#email.  Try adding: `validates :email, uniqueness: true`' do
+      Foo.instance_eval 'authenticates'
+    end
+
+    Bar = Class.new ActiveRecord::Base
+    Bar.instance_eval 'validates :email, uniqueness: true'
+    Bar.instance_eval 'authenticates'
+    # no error raised
+  end
+
+
+  test 'notifies on email change' do
+    u = User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
+    assert_enqueued_email_with QuoVadis::Mailer, :email_change_notification, args: {email: 'bob@example.com'} do
+      u.update email: 'robert@example.com'
+    end
+  end
+end

data/test/models/password_test.rb

@@ -0,0 +1,163 @@
+require 'test_helper'
+
+class PasswordTest < ActiveSupport::TestCase
+
+  VALID_PASSWORD = '123456789abc'
+  SIXTY_FOUR_CHARS = '1234567890123456789012345678901234567890123456789012345678901234'
+
+  test 'validations' do
+    pw = QuoVadis::Password.new
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = nil
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = ''
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = 'x'
+    pw.valid?
+    refute_empty pw.errors[:password]
+
+    pw.password = VALID_PASSWORD
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+
+  test 'confirmation' do
+    pw = QuoVadis::Password.new password: VALID_PASSWORD, password_confirmation: nil
+    pw.valid?
+    assert_empty pw.errors[:password_confirmation]
+
+    pw = QuoVadis::Password.new password: VALID_PASSWORD, password_confirmation: ''
+    pw.valid?
+    refute_empty pw.errors[:password_confirmation]
+
+    pw.password_confirmation = VALID_PASSWORD
+    pw.valid?
+    assert_empty pw.errors[:password_confirmation]
+    assert_empty pw.errors[:password]
+  end
+
+
+  test 'model passes through password to quo_vadis' do
+    user = User.new name: 'bob', email: 'bob@example.com'
+    refute user.valid?
+    refute_empty user.errors[:password]
+
+    user.password = 'x'
+    refute user.valid?
+    refute_empty user.errors[:password]
+
+    user.password = VALID_PASSWORD
+    assert user.save
+
+    _user = User.last
+    assert _user.valid?
+
+    _pw = _user.qv_account.password
+    assert _pw.valid?
+  end
+
+
+  test 'model passes through password confirmation to quo_vadis' do
+    user = User.new name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD, password_confirmation: 'x'
+    refute user.valid?
+    refute_empty user.errors[:password_confirmation]
+
+    user.password_confirmation = VALID_PASSWORD
+    assert user.valid?
+  end
+
+
+  test 'change' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+
+    refute pw.change('wrong', '', '')
+    assert_equal ['is incorrect'], pw.errors[:password]
+
+    pw = QuoVadis::Password.find pw.id
+    refute pw.change(VALID_PASSWORD, '', '')
+    assert_equal ["can't be blank"], pw.errors[:new_password]
+
+    pw = QuoVadis::Password.find pw.id
+    refute pw.change(VALID_PASSWORD, 'x', 'x')
+    assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], pw.errors[:new_password]
+
+    pw = QuoVadis::Password.find pw.id
+    refute pw.change(VALID_PASSWORD, 'xxxxxxxxxxxx', 'yyyyyyyyyyyy')
+    assert_equal ["doesn't match Password"], pw.errors[:new_password_confirmation]
+
+    pw = QuoVadis::Password.find pw.id
+    assert pw.change(VALID_PASSWORD, 'xxxxxxxxxxxx', 'xxxxxxxxxxxx')
+    assert pw.authenticate 'xxxxxxxxxxxx'
+  end
+
+
+  test 'reset' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    pw = user.qv_account.password
+
+    refute pw.reset('', '')
+    assert_equal ["can't be blank"], pw.errors[:password]
+
+    refute pw.reset('x', 'x')
+    assert_equal ["is too short (minimum is #{QuoVadis.password_minimum_length} characters)"], pw.errors[:password]
+
+    refute pw.reset('xxxxxxxxxxxx', 'yyyyyyyyyyyy')
+    assert_equal ["doesn't match Password"], pw.errors[:password_confirmation]
+
+    assert pw.reset('xxxxxxxxxxxx', 'xxxxxxxxxxxx')
+    assert pw.authenticate 'xxxxxxxxxxxx'
+  end
+
+
+  test 'cascade destroy' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+    assert user.qv_account.persisted?
+    assert user.qv_account.password.persisted?
+
+    user.destroy
+    assert user.qv_account.destroyed?
+    assert user.qv_account.password.destroyed?
+  end
+
+
+  test 'cannot override existing password' do
+    user = User.create! name: 'bob', email: 'bob@example.com', password: VALID_PASSWORD
+
+    assert_raises QuoVadis::PasswordExistsError do
+      user.password = 'cba987654321'
+    end
+  end
+
+
+  test 'passwords may be 64 characters or longer' do
+    pw = QuoVadis::Password.new password: SIXTY_FOUR_CHARS
+    pw.valid?
+    assert_empty pw.errors[:password]
+
+    pw.password = "#{SIXTY_FOUR_CHARS}abc"
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+  test 'passwords may contain spaces, no truncation' do
+    pw = QuoVadis::Password.new password: '            '
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+  test 'passwords may contain unicode characters' do
+    pw = QuoVadis::Password.new password: '★ ★ ★ ★ ★ ★ '
+    pw.valid?
+    assert_empty pw.errors[:password]
+  end
+
+
+end