keygen-sh
diff --git a/‎app/models/token.rb‎
Lines changed: 2 additions & 1 deletion b/‎app/models/token.rb‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/policies/environments/token_policy.rb‎
Lines changed: 2 additions & 2 deletions b/‎app/policies/environments/token_policy.rb‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/policies/products/token_policy.rb‎
Lines changed: 2 additions & 2 deletions b/‎app/policies/products/token_policy.rb‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/policies/token_policy.rb‎
Lines changed: 25 additions & 10 deletions b/‎app/policies/token_policy.rb‎
Lines changed: 25 additions & 10 deletions
diff --git a/‎features/api/v1/tokens/generate.feature‎
Lines changed: 251 additions & 0 deletions b/‎features/api/v1/tokens/generate.feature‎
Lines changed: 251 additions & 0 deletions
@@ -356,11 +356,12 @@ def user_token?
     bearer.has_role? :user
   end
 
-  def activation_token?
+  def license_token?
     return false if orphaned_token?
 
     bearer.has_role? :license
   end
+  alias :activation_token? :license_token?
 
   def kind
     case
 
@@ -11,8 +11,8 @@ def index?
       case bearer
       in role: Role(:admin | :developer | :sales_agent | :support_agent | :read_only)
         allow!
-      in role: Role(:environment) if environment == bearer
-        record.all? { _1 in bearer_type: ^(Environment.name), bearer_id: ^(bearer.id) }
+      in role: Role(:environment), id: bearer_id if environment == bearer
+        record.all? { _1 in bearer_type: 'Environment', bearer_id: ^bearer_id }
       else
         deny!
       end
 
@@ -13,8 +13,8 @@ def index?
       case bearer
       in role: Role(:admin | :developer | :sales_agent | :support_agent | :read_only | :environment)
         allow!
-      in role: Role(:product) if product == bearer
-        record.all? { _1 in bearer_type: ^(Product.name), bearer_id: ^(bearer.id) }
+      in role: Role(:product), id: bearer_id if product == bearer
+        record.all? { _1 in bearer_type: 'Product', bearer_id: ^bearer_id }
       else
         deny!
       end
 
@@ -10,13 +10,12 @@ def index?
     case bearer
     in role: Role(:admin | :developer | :sales_agent | :support_agent | :read_only | :environment)
       allow!
-    in role: Role(:product)
-      record.all? { _1 in { bearer_type: ^(Product.name), bearer_id: ^(bearer.id) } |
-                          { bearer_type: ^(License.name) | ^(User.name) } }
-    in role: Role(:license)
-      record.all? { _1 in { bearer_type: ^(License.name), bearer_id: ^(bearer.id) } }
-    in role: Role(:user)
-      record.all? { _1 in { bearer_type: ^(User.name), bearer_id: ^(bearer.id) } }
+    in role: Role(:product), id: bearer_id
+      record.all? { _1 in { bearer_type: 'Product', bearer_id: ^bearer_id } | { bearer_type: 'License' | 'User' } }
+    in role: Role(:license), id: bearer_id
+      record.all? { _1 in { bearer_type: 'License', bearer_id: ^bearer_id } }
+    in role: Role(:user), id: bearer_id
+      record.all? { _1 in { bearer_type: 'User', bearer_id: ^bearer_id } }
     else
       deny!
     end
@@ -31,6 +30,10 @@ def show?
     case bearer
     in role: Role(:admin | :developer | :sales_agent | :support_agent | :read_only | :environment)
       allow!
+    in role: Role(:product) if record.user_token? && record.bearer.products.exists?(bearer.id)
+      allow!
+    in role: Role(:product) if record.license_token? && record.bearer.product == bearer
+      allow!
     else
       record.bearer == bearer
     end
@@ -47,7 +50,11 @@ def generate?
     case bearer
     in role: Role(:admin | :developer | :sales_agent | :support_agent | :read_only | :environment) if record.bearer == bearer
       allow!
-    in role: Role(:admin | :developer | :environment) if record.bearer.user?
+    in role: Role(:admin | :developer | :environment) if record.user_token?
+      allow!
+    in role: Role(:product) if record.user_token? && record.bearer.products.exists?(bearer.id)
+      allow!
+    in role: Role(:product) if record.license_token? && record.bearer.product == bearer
       allow!
     in role: Role(:user) if record.bearer == bearer
       deny! 'user is banned' if
@@ -64,9 +71,13 @@ def regenerate?
     verify_environment!
 
     case bearer
-    in role: Role(:admin | :developer) if record.bearer == bearer || record.bearer.environment? || record.bearer.product? || record.bearer.license? || record.bearer.user?
+    in role: Role(:admin | :developer) if record.bearer == bearer || record.environment_token? || record.product_token? || record.license_token? || record.user_token?
       allow!
-    in role: Role(:environment) if record.bearer == bearer || record.bearer.product? || record.bearer.license? || record.bearer.user?
+    in role: Role(:environment) if record.bearer == bearer || record.product_token? || record.license_token? || record.user_token?
+      allow!
+    in role: Role(:product) if record.user_token? && record.bearer.products.exists?(bearer.id)
+      allow!
+    in role: Role(:product) if record.license_token? && record.bearer.product == bearer
       allow!
     else
       record.bearer == bearer
@@ -80,6 +91,10 @@ def revoke?
     case bearer
     in role: Role(:admin | :developer | :environment)
       allow!
+    in role: Role(:product) if record.user_token? && record.bearer.products.exists?(bearer.id)
+      allow!
+    in role: Role(:product) if record.license_token? && record.bearer.product == bearer
+      allow!
     else
       record.bearer == bearer
     end
 
@@ -1369,6 +1369,257 @@ Feature: Generate authentication token
     And sidekiq should have 1 "metric" job
     And sidekiq should have 1 "request-log" job
 
+  Scenario: Admin generates a new token for an invalid product
+    Given the current account is "test1"
+    And I am an admin of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "product", "id": "2845d39b-050f-417a-8f06-a50f31c2b792" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
+  Scenario: Product generates a new token for themselves
+    Given the current account is "test1"
+    And the current account has 1 "product"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens"
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
+  Scenario: Product generates a new token for a product
+    Given the current account is "test1"
+    And the current account has 2 "products"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "product", "id": "$products[1]" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
+  Scenario: Product generates a new token for their license
+    Given the current account is "test1"
+    And the current account has 1 "product"
+    And the current account has 1 "policy" for the last "product"
+    And the current account has 1 "license" for the last "policy"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "licenses", "id": "$licenses[0]" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "201"
+    And the response body should be a "token" with the following relationships:
+      """
+      {
+        "bearer": {
+          "links": { "related": "/v1/accounts/$account/licenses/$licenses[0]" },
+          "data": { "type": "licenses", "id": "$licenses[0]" }
+        }
+      }
+      """
+    And the response body should be a "token" with the following attributes:
+      """
+      { "kind": "activation-token" }
+      """
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 1 "event-log" job
+
+  Scenario: Product generates a new token for a license
+    Given the current account is "test1"
+    And the current account has 1 "product"
+    And the current account has 1 "license"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "licenses", "id": "$licenses[0]" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
+  Scenario: Product generates a new token for an admin
+    Given the current account is "test1"
+    And the current account has 1 "product"
+    And the current account has 1 "admin"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "users", "id": "$users[1]" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
+  Scenario: Product generates a new token for their user
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And the current account has 1 "license" for the last "user" as "owner"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "user", "id": "$users[1]" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "201"
+    And the response body should be a "token" with the following relationships:
+      """
+      {
+        "bearer": {
+          "links": { "related": "/v1/accounts/$account/users/$users[1]" },
+          "data": { "type": "users", "id": "$users[1]" }
+        }
+      }
+      """
+    And the response body should be a "token" with the following attributes:
+      """
+      { "kind": "user-token" }
+      """
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 1 "event-log" job
+
+  Scenario: Product generates a new token for a user
+    Given the current account is "test1"
+    And the current account has 1 "product"
+    And the current account has 1 "user"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "user", "id": "$users[1]" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
+  Scenario: Product generates a new token for an invalid user
+    Given the current account is "test1"
+    And the current account has 1 "product"
+    And the current account has 1 "user"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "user", "id": "0ea6a022-5fa1-42f2-9bf0-b0a3c5bbcc24" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
+  Scenario: Product generates a new token for an environment
+    Given the current account is "test1"
+    And the current account has 1 "product"
+    And the current account has 1 "environment"
+    And I am a product of account "test1"
+    And I authenticate with a token
+    When I send a POST request to "/accounts/test1/tokens" with the following:
+      """
+      {
+        "data": {
+          "type": "token",
+          "relationships": {
+            "bearer": {
+              "data": { "type": "environment", "id": "$environments[0]" }
+            }
+          }
+        }
+      }
+      """
+    Then the response status should be "403"
+    And sidekiq should have 0 "webhook" jobs
+    And sidekiq should have 1 "request-log" job
+    And sidekiq should have 0 "event-log" jobs
+
   Scenario: User generates a new token via basic authentication
     Given the current account is "test1"
     And the current account has 1 "user"