Add tests for sessions audit

3scale · Sep 19, 2024 · d09a4dd · d09a4dd
1 parent b3802b7
commit d09a4dd
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 2 deletions.
diff --git a/test/factories/user_session.rb b/test/factories/user_session.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :user_session do
+    association :user, factory: :user_with_account
+  end
+end
diff --git a/test/functional/developer_portal/admin/account/personal_details_controller_test.rb b/test/functional/developer_portal/admin/account/personal_details_controller_test.rb
@@ -63,4 +63,24 @@ def setup
     assert_response :success
     assert_equal flash[:error], 'Current password is incorrect'
   end
+
+  test 'changing password is audited' do
+    user = @buyer.admins.first
+    login_as user
+
+    assert_difference(Audited.audit_class.method(:count)) do
+      User.with_synchronous_auditing do
+        put :update, params: { user: {current_password: 'supersecret', password: 'new_password', password_confirmation: 'new_password'} }
+      end
+    end
+
+    expected = [Audited::Auditor::AuditedInstanceMethods::REDACTED] * 2
+    assert_equal expected,user.audits.last.audited_changes['password_digest']
+  end
+
+  test 'failed password change creates an audit log' do
+    login_as @buyer.admins.first
+    AuditLogService.expects(:call).with { |msg| msg.start_with? "User tried to change password" }
+    put :update, params: { user: {current_password: 'wrong_password', password: 'new_password', password_confirmation: 'new_password'} }
+  end
 end
diff --git a/test/functional/developer_portal/login_controller_test.rb b/test/functional/developer_portal/login_controller_test.rb
@@ -122,6 +122,19 @@ class DeveloperPortal::LoginControllerTest < DeveloperPortal::ActionController::
     assert_equal error, flash[:error]
   end
 
+  test 'login fail generates an audit log' do
+    buyer_account = FactoryBot.create :buyer_account
+    buyer_settings = buyer_account.settings
+    buyer_settings.authentication_strategy = 'internal'
+    buyer_settings.save!
+    user = buyer_account.admins.first
+
+    AuditLogService.expects(:call).with { |msg| msg.start_with? "Login attempt failed" }
+
+    host! buyer_account.provider_account.external_domain
+    post :create, params: { username: user.username, password: 'wrong_pass' }
+  end
+
   def user
     @user ||= create_user_and_account
   end

diff --git a/test/functional/provider/admin/user/personal_details_controller_test.rb b/test/functional/provider/admin/user/personal_details_controller_test.rb
@@ -27,4 +27,20 @@ def setup
     assert_template 'edit'
   end
 
+  test 'changing password is audited' do
+    assert_difference(Audited.audit_class.method(:count)) do
+      User.with_synchronous_auditing do
+        put :update, params: { user: {current_password: 'supersecret', password: 'new_password', password_confirmation: 'new_password'} }
+      end
+    end
+
+    expected = [Audited::Auditor::AuditedInstanceMethods::REDACTED] * 2
+    assert_equal expected, @provider.first_admin.audits.last.audited_changes['password_digest']
+  end
+
+  test 'failed password change creates an audit log' do
+    AuditLogService.expects(:call).with { |msg| msg.start_with? "User tried to change password" }
+    put :update, params: { user: {current_password: 'wrong_password', password: 'new_password', password_confirmation: 'new_password'} }
+  end
+
 end
diff --git a/test/integration/provider/sessions_controller_test.rb b/test/integration/provider/sessions_controller_test.rb
@@ -32,15 +32,22 @@ class Provider::SessionsControllerTest < ActionDispatch::IntegrationTest
     partner = FactoryBot.create(:partner, logout_url: "http://example.net/?")
     account = FactoryBot.create(:provider_account, partner: partner)
 
-    AuditLogService.expects(:call).with { |msg| msg.start_with? "Signed in: #{account.admins.first.id}/" }
     login! account
 
-    AuditLogService.expects(:call).with { |msg| msg.start_with? "Signed out: #{account.admins.first.id}/" }
     delete provider_sessions_path
 
     assert_redirected_to "http://example.net/?provider_id=#{account.id}&user_id=#{account.admin_user.id}"
   end
 
+  test 'failed login generates an audit log' do
+    partner = FactoryBot.create(:partner, logout_url: "http://example.net/?")
+    provider = FactoryBot.create(:provider_account, partner: partner)
+    AuditLogService.expects(:call).with { |msg| msg.start_with? 'Login attempt failed' }
+
+    host! provider.external_admin_domain
+    provider_login_with provider.admins.first.username, 'wrong_pass'
+  end
+
   test "does not redirect users to SSO even with enforce_sso and single provider" do
     @provider.settings.update_column(:enforce_sso, true)
     get new_provider_sessions_path

diff --git a/test/unit/user_session_test.rb b/test/unit/user_session_test.rb
@@ -83,4 +83,26 @@ def request
     assert_equal 3.weeks, UserSession.send(:ttl_value, 3.weeks.seconds.to_s)
     assert_raise(ApplicationConfigurationError) { UserSession.send(:ttl_value, "123p") }
   end
+
+  test 'new session is audited' do
+    user = FactoryBot.create :user_with_account
+    session = FactoryBot.build :user_session, user: user
+
+    assert_difference(Audited.audit_class.method(:count)) do
+      UserSession.with_synchronous_auditing do
+        session.save!
+      end
+    end
+  end
+
+  test 'revoke session is audited' do
+    user = FactoryBot.create :user_with_account
+    session = FactoryBot.create :user_session, user: user
+
+    assert_difference(Audited.audit_class.method(:count)) do
+      UserSession.with_synchronous_auditing do
+        session.revoke!
+      end
+    end
+  end
 end