From 87ba37dcfd5833da9a595478760ec5b4dd7071f9 Mon Sep 17 00:00:00 2001 From: filipefurtad0 Date: Mon, 18 Dec 2023 18:44:49 +0000 Subject: [PATCH] Replaces Stripe stubs with the account and customer IDs Adds STRIPE_ACCOUNT as sensitive data to VCR setup Rubocop fixes and re-recording of cassettes Adds bogus client_id to local test file - for CI to run --- .env.test | 2 + ...stroys_the_record_and_notifies_Bugsnag.yml | 125 ++++++++++++++++++ .../destroys_the_record.yml | 125 ++++++++++++++++++ spec/models/stripe_account_spec.rb | 25 ++-- spec/support/vcr_setup.rb | 1 + 5 files changed, 262 insertions(+), 16 deletions(-) create mode 100644 spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_fails/destroys_the_record_and_notifies_Bugsnag.yml create mode 100644 spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_succeeds/destroys_the_record.yml diff --git a/.env.test b/.env.test index e1d7d47cc2..afa4e58c1d 100644 --- a/.env.test +++ b/.env.test @@ -4,6 +4,8 @@ SECRET_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" STRIPE_SECRET_TEST_API_KEY="bogus_key" STRIPE_CUSTOMER="bogus_customer" +STRIPE_ACCOUNT="bogus_account" +STRIPE_CLIENT_ID="bogus_client_id" SITE_URL="test.host" diff --git a/spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_fails/destroys_the_record_and_notifies_Bugsnag.yml b/spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_fails/destroys_the_record_and_notifies_Bugsnag.yml new file mode 100644 index 0000000000..4808014362 --- /dev/null +++ b/spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_fails/destroys_the_record_and_notifies_Bugsnag.yml 
@@ -0,0 +1,125 @@ +--- +http_interactions: +- request: + method: post + uri: https://connect.stripe.com/oauth/deauthorize + body: + encoding: UTF-8 + string: stripe_user_id=&client_id=bogus_client_id + headers: + User-Agent: + - Stripe/v1 RubyBindings/10.3.0 + Authorization: + - Bearer + Content-Type: + - application/x-www-form-urlencoded + Stripe-Version: + - '2023-10-16' + X-Stripe-Client-User-Agent: + - '{"bindings_version":"10.3.0","lang":"ruby","lang_version":"3.1.4 p223 (2023-03-30)","platform":"x86_64-linux","engine":"ruby","publisher":"stripe","uname":"Linux + version 6.2.0-39-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc-11 + (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) + #40~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 16 10:53:04 UTC 2","hostname":"ff-LAT"}' + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + response: + status: + code: 401 + message: Unauthorized + headers: + Server: + - nginx + Date: + - Tue, 19 Dec 2023 12:55:29 GMT + Content-Type: + - application/json; charset=utf-8 + Content-Length: + - '96' + Connection: + - keep-alive + Cache-Control: + - max-age=0, no-cache, no-store, must-revalidate + Content-Security-Policy: + - report-uri /csp-report?p=%2Foauth%2Fdeauthorize;block-all-mixed-content;default-src + 'none' 'report-sample';base-uri 'none';form-action 'none';style-src 'unsafe-inline';frame-ancestors + 'self';connect-src 'self';img-src 'self' https://b.stripecdn.com + Cross-Origin-Opener-Policy-Report-Only: + - same-origin; report-to=https://q.stripe.com/coop-report + Expires: + - '0' + Pragma: + - no-cache + Referrer-Policy: + - strict-origin-when-cross-origin + Request-Id: + - req_1v8IG0ihHAhDnR + Set-Cookie: + - __Host-session=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT; + secure; SameSite=None + - __stripe_orig_props=%7B%22referrer%22%3A%22%22%2C%22landing%22%3A%22https%3A%2F%2Fconnect.stripe.com%2Foauth%2Fdeauthorize%22%7D; + 
domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:29 GMT; secure; + HttpOnly; SameSite=Lax + - machine_identifier=nsadMhesm4x1GYVPmQcxGxkwOEHT0uGESxaoxop6tgOLhu%2BvkqpSkkKcxxRvqqlpa%2BQ%3D; + domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:29 GMT; secure; + HttpOnly; SameSite=Lax + - private_machine_identifier=5MctxMzB3oEJsWQPiwovzvt6vy1pHt5g4lYzkFr0hY3jCZZPQz%2F6jU71Ye8gqtUCUkE%3D; + domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:29 GMT; secure; + HttpOnly; SameSite=None + - site-auth=; domain=stripe.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 + 00:00:00 GMT; secure + - stripe.csrf=ivC9DH1gR7jYwuuHUpqqkApanZ79wswQZMBVKfzfaLr1n5rf_HwKb4sv66YdBNDs03Zq1H_JeHyOjBZ1rENh4jw-AYTZVJxQjKfvlBDZNhjvEvPk5QdyiiBil-k2Op8FixB9Mw4lkg%3D%3D; + domain=stripe.com; path=/; secure; HttpOnly; SameSite=None + Strict-Transport-Security: + - max-age=63072000; includeSubDomains; preload + - max-age=63072000; includeSubDomains; preload + Stripe-Kill-Route: + - "[]" + Stripe-Parent-Id: + - '0000000000000000' + Stripe-Span-Id: + - 1317edffcd8f0941 + Www-Authenticate: + - Bearer realm="Stripe" + X-Apiori-Intentional-Latency: + - 0s + X-Apiori-Reqid: + - dub2DISD22ogqObCRqkyYRE + X-Apiori-Server-Duration-Ms: + - '126' + X-Apiori-Upstream-Duration: + - 126.447763ms + X-Apiori-Upstream-Name: + - manage-srv + X-Apiori-Upstream-Region: + - northwest + X-Content-Type-Options: + - nosniff + X-Envoy-Attempt-Count: + - '1' + X-Envoy-Upstream-Service-Time: + - '248' + X-Robots-Tag: + - none + X-Stripe-Bg-Intended-Route-Color: + - green + X-Stripe-C-Cost: + - '2' + X-Stripe-Client-Envoy-Start-Time-Us: + - '1702990529582694' + X-Stripe-Rpc-C-Cost-Report: + - Cg0IARIJY2VsbF8wMDA3Cg8IARILZ2xvYmFsX2NlbGw= + X-Stripe-Server-Envoy-Start-Time-Us: + - '1702990529583695' + X-Stripe-Server-Envoy-Upstream-Service-Time-Ms: + - '123' + body: + encoding: UTF-8 + string: |- + { + "error": "invalid_client", + "error_description": "No such application: 'bogus_client_id'" + } + 
recorded_at: Tue, 19 Dec 2023 12:55:29 GMT +recorded_with: VCR 6.2.0 diff --git a/spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_succeeds/destroys_the_record.yml b/spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_succeeds/destroys_the_record.yml new file mode 100644 index 0000000000..0c8489a0f3 --- /dev/null +++ b/spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_succeeds/destroys_the_record.yml 
@@ -0,0 +1,125 @@ +--- +http_interactions: +- request: + method: post + uri: https://connect.stripe.com/oauth/deauthorize + body: + encoding: UTF-8 + string: stripe_user_id=&client_id=ca_MzG1xs6tZFDztUlak7uFxoUM36G6307W + headers: + User-Agent: + - Stripe/v1 RubyBindings/10.3.0 + Authorization: + - Bearer + Content-Type: + - application/x-www-form-urlencoded + Stripe-Version: + - '2023-10-16' + X-Stripe-Client-User-Agent: + - '{"bindings_version":"10.3.0","lang":"ruby","lang_version":"3.1.4 p223 (2023-03-30)","platform":"x86_64-linux","engine":"ruby","publisher":"stripe","uname":"Linux + version 6.2.0-39-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc-11 + (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) + #40~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 16 10:53:04 UTC 2","hostname":"ff-LAT"}' + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + response: + status: + code: 401 + message: Unauthorized + headers: + Server: + - nginx + Date: + - Tue, 19 Dec 2023 12:55:30 GMT + Content-Type: + - application/json; charset=utf-8 + Content-Length: + - '164' + Connection: + - keep-alive + Cache-Control: + - max-age=0, no-cache, no-store, must-revalidate + Content-Security-Policy: + - report-uri /csp-report?p=%2Foauth%2Fdeauthorize;block-all-mixed-content;default-src + 'none' 'report-sample';base-uri 'none';form-action 'none';style-src 'unsafe-inline';frame-ancestors + 'self';connect-src 'self';img-src 'self' https://b.stripecdn.com + Cross-Origin-Opener-Policy-Report-Only: + - same-origin; report-to=https://q.stripe.com/coop-report + Expires: + - '0' + Pragma: + - no-cache + Referrer-Policy: + - strict-origin-when-cross-origin + Request-Id: + - req_pGBBuPOXb6xMly + Set-Cookie: + - __Host-session=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT; + secure; SameSite=None + - 
__stripe_orig_props=%7B%22referrer%22%3A%22%22%2C%22landing%22%3A%22https%3A%2F%2Fconnect.stripe.com%2Foauth%2Fdeauthorize%22%7D; + domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:30 GMT; secure; + HttpOnly; SameSite=Lax + - machine_identifier=JJUOdPN1UTC9yKxG3Cief9mNanXTKM9y3VmUcEzfmFXEB%2FViV5jXpnxq0kFsEjoKyyg%3D; + domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:30 GMT; secure; + HttpOnly; SameSite=Lax + - private_machine_identifier=qnLLWHsR2kIkVnuEZbUabBmPGOMmgoa%2B2t%2Bt82Sn41uVMChBI%2FF%2FmVlhmFtmb9%2Fnd70%3D; + domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:30 GMT; secure; + HttpOnly; SameSite=None + - site-auth=; domain=stripe.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 + 00:00:00 GMT; secure + - stripe.csrf=aIL_e_YV7LaxFPnsyZHeK9DsuQ7sm4bYeawhyIBlivow1bC0KAoKCaoR0E-WklLxlvDMXwX1_tY7Aa5l_gJ-zzw-AYTZVJwtl69iWowmC5Gcjqp-_ni03g1Mcx1Hbz6xqEXSGCKfKg%3D%3D; + domain=stripe.com; path=/; secure; HttpOnly; SameSite=None + Strict-Transport-Security: + - max-age=63072000; includeSubDomains; preload + - max-age=63072000; includeSubDomains; preload + Stripe-Kill-Route: + - "[]" + Stripe-Parent-Id: + - '0000000000000000' + Stripe-Span-Id: + - abaf119f94aa71c4 + Www-Authenticate: + - Bearer realm="Stripe" + X-Apiori-Intentional-Latency: + - 0s + X-Apiori-Reqid: + - dub1DISD299L0WxB0Akf1uq + X-Apiori-Server-Duration-Ms: + - '138' + X-Apiori-Upstream-Duration: + - 137.918128ms + X-Apiori-Upstream-Name: + - manage-srv + X-Apiori-Upstream-Region: + - northwest + X-Content-Type-Options: + - nosniff + X-Envoy-Attempt-Count: + - '1' + X-Envoy-Upstream-Service-Time: + - '257' + X-Robots-Tag: + - none + X-Stripe-Bg-Intended-Route-Color: + - green + X-Stripe-C-Cost: + - '4' + X-Stripe-Client-Envoy-Start-Time-Us: + - '1702990530466139' + X-Stripe-Rpc-C-Cost-Report: + - Cg0IAxIJY2VsbF8wMDA3Cg8IARILZ2xvYmFsX2NlbGw= + X-Stripe-Server-Envoy-Start-Time-Us: + - '1702990530466931' + X-Stripe-Server-Envoy-Upstream-Service-Time-Ms: + - '135' + body: + 
encoding: UTF-8 + string: |- + { + "error": "invalid_client", + "error_description": "This application is not connected to stripe account , or that account does not exist." + } + recorded_at: Tue, 19 Dec 2023 12:55:30 GMT +recorded_with: VCR 6.2.0 diff --git a/spec/models/stripe_account_spec.rb b/spec/models/stripe_account_spec.rb index f798cbc56a..4aae9c5a9e 100644 --- a/spec/models/stripe_account_spec.rb +++ b/spec/models/stripe_account_spec.rb @@ -4,27 +4,24 @@ require 'spec_helper' require 'stripe/oauth' describe StripeAccount do - describe "deauthorize_and_destroy" do + describe "deauthorize_and_destroy", :vcr, :stripe_version do let!(:enterprise) { create(:enterprise) } let!(:enterprise2) { create(:enterprise) } - let(:client_id) { 'ca_abc123' } - let(:stripe_user_id) { 'acct_abc123' } + let(:client_id) { ENV.fetch('STRIPE_CLIENT_ID', nil) } + let(:stripe_user_id) { ENV.fetch('STRIPE_ACCOUNT', nil) } + let!(:stripe_account) { create(:stripe_account, enterprise:, stripe_user_id:) } + let(:secret) { ENV.fetch('STRIPE_SECRET_TEST_API_KEY', nil) } + before do - Stripe.api_key = "sk_test_12345" - Stripe.client_id = client_id + Stripe.api_key = secret end context "when the Stripe API disconnect fails" do - before do - stub_request(:post, "https://connect.stripe.com/oauth/deauthorize"). - with(body: { "client_id" => client_id, "stripe_user_id" => stripe_user_id }). - to_return(status: 400, body: JSON.generate(error: 'invalid_grant', - error_description: "Some Message")) - end + before { Stripe.client_id = "bogus_client_id" } it "destroys the record and notifies Bugsnag" do expect(Bugsnag).to receive(:notify) 
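Review bot: The new `let`s default to nil (`ENV.fetch('STRIPE_CLIENT_ID', nil)`, `ENV.fetch('STRIPE_ACCOUNT', nil)`, `ENV.fetch('STRIPE_SECRET_TEST_API_KEY', nil)`), so when those variables are unset at recording time the request goes out with an empty Bearer token and an empty `stripe_user_id`, which is exactly what both committed cassettes show (`Authorization: Bearer` with nothing after it, `string: stripe_user_id=&client_id=...`, and a 401 whose message names an empty account). Fail fast instead when re-recording, `let(:client_id) { ENV.fetch('STRIPE_CLIENT_ID') }` and likewise for the account and the secret, or `skip` the group when they are missing, so a half-configured environment cannot silently record an error response under a success name. Whether `.env.test` is loaded in every environment that runs this group is not visible here; if it is, the fetch without a default is safe in CI. The `it` block at the end of the hunk continues outside it.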
@@ -34,11 +31,7 @@ describe StripeAccount do end context "when the Stripe API disconnect succeeds" do - before do - stub_request(:post, "https://connect.stripe.com/oauth/deauthorize"). - with(body: { "client_id" => client_id, "stripe_user_id" => stripe_user_id }). - to_return(status: 200, body: JSON.generate(stripe_user_id:)) - end + before { Stripe.client_id = client_id } it "destroys the record" do stripe_account.deauthorize_and_destroy diff --git a/spec/support/vcr_setup.rb b/spec/support/vcr_setup.rb index 7cb9d1b63d..2f944fb235 100644 --- a/spec/support/vcr_setup.rb +++ b/spec/support/vcr_setup.rb @@ -9,5 +9,6 @@ VCR.configure do |config| config.configure_rspec_metadata! config.filter_sensitive_data('') { ENV.fetch('STRIPE_SECRET_TEST_API_KEY', nil) } config.filter_sensitive_data('') { ENV.fetch('STRIPE_CUSTOMER', nil) } + config.filter_sensitive_data('') { ENV.fetch('STRIPE_ACCOUNT', nil) } config.ignore_hosts('localhost', '127.0.0.1', '0.0.0.0', 'api.knapsackpro.com') end
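Review bot: The "succeeds" context now replays destroys_the_record.yml, whose recorded response is `401 Unauthorized` / `invalid_client`, so this context exercises the same error path as the "fails" context and `it "destroys the record"` presumably passes only because the model destroys the record on failure too, as the "fails" example asserts. Re-record it with a connected test account and pin the distinction, e.g. `expect(Bugsnag).not_to receive(:notify)` before `stripe_account.deauthorize_and_destroy`; as committed, a regression in the success path would not be caught. The `it` block continues outside the hunk.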
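Review bot: STRIPE_CLIENT_ID is not added to the filter list, so the Connect client id of the recording environment (`client_id=ca_...` in destroys_the_record.yml) is now committed while the account and customer ids are scrubbed; add `config.filter_sensitive_data('') { ENV.fetch('STRIPE_CLIENT_ID', nil) }` next to the new line and re-record. Separately, an empty placeholder gives VCR nothing to substitute back on playback, and I believe VCR's `filter!` returns early when either the text or the replacement is empty (verify against the VCR version in use), so the new line may be a no-op rather than a redaction; a distinct token such as `'<STRIPE_ACCOUNT>'` makes the scrubbing visible in the cassette and reversible on playback. The blank `Authorization: Bearer` in the cassettes is consistent with an empty env value at recording time rather than with filtering having happened. The `VCR.configure` block starts outside the hunk.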