diff --git a/test/factories/user_session.rb b/test/factories/user_session.rb
new file mode 100644
index 0000000000..d3f816e828
--- /dev/null
+++ b/test/factories/user_session.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+ factory :user_session do
+ association :user, factory: :user_with_account
+ end
+end
diff --git a/test/functional/developer_portal/admin/account/personal_details_controller_test.rb b/test/functional/developer_portal/admin/account/personal_details_controller_test.rb
index 614299b210..8e9e7e1a5c 100644
--- a/test/functional/developer_portal/admin/account/personal_details_controller_test.rb
+++ b/test/functional/developer_portal/admin/account/personal_details_controller_test.rb
@@ -63,4 +63,24 @@ def setup
 assert_response :success
 assert_equal flash[:error], 'Current password is incorrect'
 end
+
+ test 'changing password is audited' do
+ user = @buyer.admins.first
+ login_as user
+
+ assert_difference(Audited.audit_class.method(:count)) do
+ User.with_synchronous_auditing do
+ put :update, params: { user: {current_password: 'supersecret', password: 'new_password', password_confirmation: 'new_password'} }
+ end
+ end
+
+ expected = [Audited::Auditor::AuditedInstanceMethods::REDACTED] * 2
+ assert_equal expected,user.audits.last.audited_changes['password_digest']
+ end
+
+ test 'failed password change creates an audit log' do
+ login_as @buyer.admins.first
+ AuditLogService.expects(:call).with { |msg| msg.start_with? "User tried to change password" }
+ put :update, params: { user: {current_password: 'wrong_password', password: 'new_password', password_confirmation: 'new_password'} }
+ end
 end
diff --git a/test/functional/developer_portal/login_controller_test.rb b/test/functional/developer_portal/login_controller_test.rb
index 4e3f877d58..43c1a8925d 100644
--- a/test/functional/developer_portal/login_controller_test.rb
+++ b/test/functional/developer_portal/login_controller_test.rb
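Review bot: In `test 'failed password change creates an audit log'` the expectation only checks the message prefix, so an audit line that echoed the submitted `current_password` or the new `password` would still pass; a wrong current password is frequently a near-miss of the real one, so the block should also assert those values are absent, e.g. `msg.start_with?("User tried to change password") && !msg.include?('wrong_password') && !msg.include?('new_password')`. The same prefix-only check appears in this commit's provider personal_details test, the developer-portal login test and the provider sessions test, and the same strengthening applies there. Separately, `assert_equal expected,user.audits.last.audited_changes[...]` is missing the space after the comma. The enclosing test class starts outside the hunk.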
@@ -122,6 +122,19 @@ class DeveloperPortal::LoginControllerTest < DeveloperPortal::ActionController::
 assert_equal error, flash[:error]
 end
+ test 'login fail generates an audit log' do
+ buyer_account = FactoryBot.create :buyer_account
+ buyer_settings = buyer_account.settings
+ buyer_settings.authentication_strategy = 'internal'
+ buyer_settings.save!
+ user = buyer_account.admins.first
+
+ AuditLogService.expects(:call).with { |msg| msg.start_with? "Login attempt failed" }
+
+ host! buyer_account.provider_account.external_domain
+ post :create, params: { username: user.username, password: 'wrong_pass' }
+ end
+
 def user
 @user ||= create_user_and_account
 end
diff --git a/test/functional/provider/admin/user/personal_details_controller_test.rb b/test/functional/provider/admin/user/personal_details_controller_test.rb
index 2860e63ddb..c65d307bc3 100644
--- a/test/functional/provider/admin/user/personal_details_controller_test.rb
+++ b/test/functional/provider/admin/user/personal_details_controller_test.rb
@@ -27,4 +27,20 @@ def setup
 assert_template 'edit'
 end
+ test 'changing password is audited' do
+ assert_difference(Audited.audit_class.method(:count)) do
+ User.with_synchronous_auditing do
+ put :update, params: { user: {current_password: 'supersecret', password: 'new_password', password_confirmation: 'new_password'} }
+ end
+ end
+
+ expected = [Audited::Auditor::AuditedInstanceMethods::REDACTED] * 2
+ assert_equal expected, @provider.first_admin.audits.last.audited_changes['password_digest']
+ end
+
+ test 'failed password change creates an audit log' do
+ AuditLogService.expects(:call).with { |msg| msg.start_with? "User tried to change password" }
+ put :update, params: { user: {current_password: 'wrong_password', password: 'new_password', password_confirmation: 'new_password'} }
+ end
+
 end
diff --git a/test/integration/provider/sessions_controller_test.rb b/test/integration/provider/sessions_controller_test.rb
index 391dddb10d..da8d7f6f29 100644
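Review bot: `test 'login fail generates an audit log'` asserts only that the audit service is called, not that the login actually failed; a regression that logged the attempt and still signed the user in would pass, so after the `post :create` it should also assert the failure path, for instance the `flash[:error]` the preceding test in this file checks, or that no session was established (the exact helper is not visible in the hunk). As a point of style, the three-line `buyer_settings = buyer_account.settings` / `buyer_settings.authentication_strategy = 'internal'` / `buyer_settings.save!` sequence reads more directly as `buyer_account.settings.update!(authentication_strategy: 'internal')`. The enclosing test class starts outside the hunk.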
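Review bot: The hunk adds a blank line immediately before the class-closing `end` (the `+` line after the last added test), which RuboCop's Layout/EmptyLinesAroundClassBody flags; drop that blank added line. Also, `test 'failed password change creates an audit log'` ends at the `put :update` with no assertion on the outcome, so it would not notice if the controller both logged the attempt and applied the new password; if a rejected update re-renders the edit form, as the `assert_template 'edit'` in the preceding context suggests, adding `assert_template 'edit'` after the `put` pins that, though I cannot see that earlier test's setup from the hunk. The enclosing test class starts outside the hunk.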
--- a/test/integration/provider/sessions_controller_test.rb
+++ b/test/integration/provider/sessions_controller_test.rb
@@ -32,15 +32,22 @@ class Provider::SessionsControllerTest < ActionDispatch::IntegrationTest
 partner = FactoryBot.create(:partner, logout_url: "http://example.net/?")
 account = FactoryBot.create(:provider_account, partner: partner)
- AuditLogService.expects(:call).with { |msg| msg.start_with? "Signed in: #{account.admins.first.id}/" }
 login! account
- AuditLogService.expects(:call).with { |msg| msg.start_with? "Signed out: #{account.admins.first.id}/" }
 delete provider_sessions_path
 assert_redirected_to "http://example.net/?provider_id=#{account.id}&user_id=#{account.admin_user.id}"
 end
+ test 'failed login generates an audit log' do
+ partner = FactoryBot.create(:partner, logout_url: "http://example.net/?")
+ provider = FactoryBot.create(:provider_account, partner: partner)
+ AuditLogService.expects(:call).with { |msg| msg.start_with? 'Login attempt failed' }
+
+ host! provider.external_admin_domain
+ provider_login_with provider.admins.first.username, 'wrong_pass'
+ end
+
 test "does not redirect users to SSO even with enforce_sso and single provider" do
 @provider.settings.update_column(:enforce_sso, true)
 get new_provider_sessions_path
diff --git a/test/unit/user_session_test.rb b/test/unit/user_session_test.rb
index 6f335e6a4f..463c9a7342 100644
--- a/test/unit/user_session_test.rb
+++ b/test/unit/user_session_test.rb
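Review bot: With the two `"Signed in: …"` / `"Signed out: …"` expectations removed from the logout test, nothing in this commit asserts the content of the successful sign-in and sign-out audit records any more; the new user_session_test cases only count audit rows. If that coverage is meant to move to UserSession auditing, it would be worth asserting there what is recorded (at least the audited action and auditable), otherwise these expectations should stay. In the new `test 'failed login generates an audit log'`, the `partner` with a `logout_url` is only used to build `provider` and the URL plays no role in a failed login, so `FactoryBot.create(:provider_account)` would likely suffice, unless the factory requires an explicit partner, which the hunk does not show. The test also does not assert that the login was refused (for example that the response is not a redirect into the admin area), so it passes as long as the audit call happens, whatever the outcome.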
@@ -83,4 +83,26 @@ def request
 assert_equal 3.weeks, UserSession.send(:ttl_value, 3.weeks.seconds.to_s)
 assert_raise(ApplicationConfigurationError) { UserSession.send(:ttl_value, "123p") }
 end
+
+ test 'new session is audited' do
+ user = FactoryBot.create :user_with_account
+ session = FactoryBot.build :user_session, user: user
+
+ assert_difference(Audited.audit_class.method(:count)) do
+ UserSession.with_synchronous_auditing do
+ session.save!
+ end
+ end
+ end
+
+ test 'revoke session is audited' do
+ user = FactoryBot.create :user_with_account
+ session = FactoryBot.create :user_session, user: user
+
+ assert_difference(Audited.audit_class.method(:count)) do
+ UserSession.with_synchronous_auditing do
+ session.revoke!
+ end
+ end
+ end
 end
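Review bot: Both new tests only assert that the global audit count grows by one, which any audited record saved inside the block would satisfy (the `FactoryBot.create :user_with_account` call is outside the block, but other callbacks are not ruled out); each should additionally pin the record and action, e.g. `assert_equal 'create', session.audits.last.action` after `session.save!`, and in the revoke test the action that `revoke!` actually produces, which I cannot see from the hunk. If the UserSession row carries a secret such as a session key or token, the audit row should not store it in clear; asserting it is redacted in `session.audits.last.audited_changes`, as the password tests in this commit do with `REDACTED`, would lock that in. The enclosing test class starts outside the hunk.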