From 6253e80a708d9d45d2d38de6ed9b241a14d602a3 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka <pete.matsy@gmail.com>
Date: Sat, 20 Jan 2024 23:53:14 +0200
Subject: [PATCH] add testing environment

---
 Gemfile                                       |  1 +
 Gemfile.lock                                  |  3 ++
 app/controllers/api/api_base_controller.rb    |  2 ++
 app/controllers/application_controller.rb     | 13 ++++++-
 .../console_redirect_controller.rb            |  4 +--
 .../testing_accounts_controller.rb            | 20 +++++++++++
 .../testing_api_settings_controller.rb        | 12 +++++++
 app/models/account.rb                         | 14 ++++++++
 app/models/account_linked_account.rb          | 36 +++++++++++++++++++
 app/views/accounts/show.html.erb              |  2 +-
 app/views/api_settings/index.html.erb         |  5 ++-
 app/views/icons/_api.html.erb                 |  7 ++++
 app/views/icons/_code_circle.html.erb         |  7 ++++
 app/views/shared/_navbar_buttons.html.erb     |  4 +++
 app/views/shared/_settings_nav.html.erb       | 22 +++++++++---
 app/views/shared/_test_alert.html.erb         | 17 +++++++++
 app/views/shared/_test_mode_toggle.html.erb   | 10 ++++++
 app/views/testing_api_settings/index.html.erb | 18 ++++++++++
 app/views/webhook_settings/show.html.erb      |  5 ++-
 config/routes.rb                              |  8 ++---
 ...20192055_create_account_linked_accounts.rb | 15 ++++++++
 db/schema.rb                                  | 15 +++++++-
 lib/accounts.rb                               | 23 +++++++++++-
 23 files changed, 246 insertions(+), 17 deletions(-)
 create mode 100644 app/controllers/testing_accounts_controller.rb
 create mode 100644 app/controllers/testing_api_settings_controller.rb
 create mode 100644 app/models/account_linked_account.rb
 create mode 100644 app/views/icons/_api.html.erb
 create mode 100644 app/views/icons/_code_circle.html.erb
 create mode 100644 app/views/shared/_test_alert.html.erb
 create mode 100644 app/views/shared/_test_mode_toggle.html.erb
 create mode 100644 app/views/testing_api_settings/index.html.erb
 create mode 100644 db/migrate/20240120192055_create_account_linked_accounts.rb

diff --git a/Gemfile b/Gemfile
index 61eae029..d4983509 100644
--- a/Gemfile
+++ b/Gemfile
@@ -26,6 +26,7 @@ gem 'pagy'
 gem 'pdf-reader'
 gem 'pg', require: false
 gem 'premailer-rails'
+gem 'pretender'
 gem 'puma'
 gem 'rack'
 gem 'rails'
diff --git a/Gemfile.lock b/Gemfile.lock
index 66882014..19cb2e0a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -354,6 +354,8 @@ GEM
       actionmailer (>= 3)
       net-smtp
       premailer (~> 1.7, >= 1.7.9)
+    pretender (0.5.0)
+      actionpack (>= 6.1)
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
@@ -596,6 +598,7 @@ DEPENDENCIES
   pdf-reader
   pg
   premailer-rails
+  pretender
   pry-rails
   puma
   rack
diff --git a/app/controllers/api/api_base_controller.rb b/app/controllers/api/api_base_controller.rb
index 6232e3dc..60963b8d 100644
--- a/app/controllers/api/api_base_controller.rb
+++ b/app/controllers/api/api_base_controller.rb
@@ -8,6 +8,8 @@ module Api
     DEFAULT_LIMIT = 10
     MAX_LIMIT = 100
 
+    impersonates :user, with: ->(uuid) { User.find_by(uuid:) }
+
     wrap_parameters false
 
     before_action :authenticate_user!
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 30e0a488..d7aa782a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -16,6 +16,8 @@ class ApplicationController < ActionController::Base
                 :current_account,
                 :svg_icon
 
+  impersonates :user, with: ->(uuid) { User.find_by(uuid:) }
+
   rescue_from Pagy::OverflowError do
     redirect_to request.path
   end
@@ -24,7 +26,7 @@ class ApplicationController < ActionController::Base
     rescue_from CanCan::AccessDenied do |e|
       Rollbar.error(e) if defined?(Rollbar)
 
-      redirect_back(fallback_location: root_path, alert: e.message)
+      redirect_to root_path, alert: e.message
     end
   end
 
@@ -32,6 +34,15 @@ class ApplicationController < ActionController::Base
     Docuseal.default_url_options
   end
 
+  def impersonate_user(user)
+    raise ArgumentError unless user
+    raise Pretender::Error unless true_user
+
+    @impersonated_user = user
+
+    request.session[:impersonated_user_id] = user.uuid
+  end
+
   private
 
   def with_browser_locale(&)
diff --git a/app/controllers/console_redirect_controller.rb b/app/controllers/console_redirect_controller.rb
index 5c4b037d..f6042225 100644
--- a/app/controllers/console_redirect_controller.rb
+++ b/app/controllers/console_redirect_controller.rb
@@ -5,9 +5,9 @@ class ConsoleRedirectController < ApplicationController
   skip_authorization_check
 
   def index
-    return redirect_to(new_user_session_path({ redir: params[:redir] }.compact)) if current_user.blank?
+    return redirect_to(new_user_session_path({ redir: params[:redir] }.compact)) if true_user.blank?
 
-    auth = JsonWebToken.encode(uuid: current_user.uuid,
+    auth = JsonWebToken.encode(uuid: true_user.uuid,
                                scope: :console,
                                exp: 1.minute.from_now.to_i)
 
diff --git a/app/controllers/testing_accounts_controller.rb b/app/controllers/testing_accounts_controller.rb
new file mode 100644
index 00000000..1bce910e
--- /dev/null
+++ b/app/controllers/testing_accounts_controller.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class TestingAccountsController < ApplicationController
+  skip_authorization_check only: :destroy
+
+  def show
+    authorize!(:manage, current_account)
+    authorize!(:manage, current_user)
+
+    impersonate_user(Accounts.find_or_create_testing_user(current_account))
+
+    redirect_back(fallback_location: root_path)
+  end
+
+  def destroy
+    stop_impersonating_user
+
+    redirect_back(fallback_location: root_path)
+  end
+end
diff --git a/app/controllers/testing_api_settings_controller.rb b/app/controllers/testing_api_settings_controller.rb
new file mode 100644
index 00000000..5eade647
--- /dev/null
+++ b/app/controllers/testing_api_settings_controller.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class TestingApiSettingsController < ApplicationController
+  def index
+    authorize!(:manage, current_user.access_token)
+
+    @webhook_config =
+      current_account.encrypted_configs.find_or_initialize_by(key: EncryptedConfig::WEBHOOK_URL_KEY)
+
+    authorize!(:manage, @webhook_config)
+  end
+end
diff --git a/app/models/account.rb b/app/models/account.rb
index 8c2792e9..2689bd1c 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -22,12 +22,26 @@ class Account < ApplicationRecord
           class_name: 'TemplateFolder', dependent: :destroy, inverse_of: :account
   has_many :submissions, through: :templates
   has_many :submitters, through: :submissions
+  has_many :account_linked_accounts, dependent: :destroy
+  has_many :account_testing_accounts, -> { testing }, dependent: :destroy,
+                                                      class_name: 'AccountLinkedAccount',
+                                                      inverse_of: :account
+  has_one :linked_account_account, dependent: :destroy,
+                                   foreign_key: :linked_account_id,
+                                   class_name: 'AccountLinkedAccount',
+                                   inverse_of: :linked_account
+  has_many :linked_accounts, through: :account_linked_accounts
+  has_many :testing_accounts, through: :account_testing_accounts, source: :linked_account
   has_many :active_users, -> { active }, dependent: :destroy,
                                          inverse_of: :account, class_name: 'User'
 
   attribute :timezone, :string, default: 'UTC'
   attribute :locale, :string, default: 'en-US'
 
+  def testing?
+    linked_account_account&.testing?
+  end
+
   def default_template_folder
     super || build_default_template_folder(name: TemplateFolder::DEFAULT_NAME,
                                            author_id: users.minimum(:id)).tap(&:save!)
diff --git a/app/models/account_linked_account.rb b/app/models/account_linked_account.rb
new file mode 100644
index 00000000..3d68aea7
--- /dev/null
+++ b/app/models/account_linked_account.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# == Schema Information
+#
+# Table name: account_linked_accounts
+#
+#  id                :bigint           not null, primary key
+#  account_type      :text             not null
+#  created_at        :datetime         not null
+#  updated_at        :datetime         not null
+#  account_id        :bigint           not null
+#  linked_account_id :bigint           not null
+#
+# Indexes
+#
+#  idx_on_account_id_linked_account_id_48ab9f79d2      (account_id,linked_account_id) UNIQUE
+#  index_account_linked_accounts_on_account_id         (account_id)
+#  index_account_linked_accounts_on_linked_account_id  (linked_account_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (account_id => accounts.id)
+#  fk_rails_...  (linked_account_id => accounts.id)
+#
+class AccountLinkedAccount < ApplicationRecord
+  belongs_to :account
+  belongs_to :linked_account, class_name: 'Account'
+
+  attribute :account_type, :string, default: 'testing'
+
+  scope :testing, -> { where(account_type: :testing) }
+
+  def testing?
+    account_type == 'testing'
+  end
+end
diff --git a/app/views/accounts/show.html.erb b/app/views/accounts/show.html.erb
index 7e570f67..06c86853 100644
--- a/app/views/accounts/show.html.erb
+++ b/app/views/accounts/show.html.erb
@@ -22,7 +22,7 @@
         </div>
       <% end %>
       <% encrypted_config = @encrypted_config || EncryptedConfig.find_or_initialize_by(account: current_account, key: EncryptedConfig::APP_URL_KEY) %>
-      <% if !Docuseal.multitenant? && can?(:manage, encrypted_config) %>
+      <% if !Docuseal.multitenant? && can?(:manage, encrypted_config) && !current_account.testing? %>
         <%= f.fields_for encrypted_config do |ff| %>
           <div class="form-control">
             <%= ff.label :value, 'App URL', class: 'label' %>
diff --git a/app/views/api_settings/index.html.erb b/app/views/api_settings/index.html.erb
index cae10942..e91bbe47 100644
--- a/app/views/api_settings/index.html.erb
+++ b/app/views/api_settings/index.html.erb
@@ -1,7 +1,10 @@
 <div class="flex flex-wrap space-y-4 md:flex-nowrap md:space-y-0 md:space-x-10">
   <%= render 'shared/settings_nav' %>
   <div class="flex-grow">
-    <h1 class="text-4xl font-bold mb-4">API</h1>
+    <div class="flex justify-between">
+      <h1 class="text-4xl font-bold mb-4">API</h1>
+      <%= render 'shared/test_mode_toggle' %>
+    </div>
     <div class="card bg-base-200">
       <div class="card-body p-6">
         <label for="api_key" class="text-sm font-semibold">X-Auth-Token</label>
diff --git a/app/views/icons/_api.html.erb b/app/views/icons/_api.html.erb
new file mode 100644
index 00000000..2d83a288
--- /dev/null
+++ b/app/views/icons/_api.html.erb
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" class="<%= local_assigns[:class] %>" width="44" height="44" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+  <path stroke="none" d="M0 0h24v24H0z" fill="none" />
+  <path d="M4 13h5" />
+  <path d="M12 16v-8h3a2 2 0 0 1 2 2v1a2 2 0 0 1 -2 2h-3" />
+  <path d="M20 8v8" />
+  <path d="M9 16v-5.5a2.5 2.5 0 0 0 -5 0v5.5" />
+</svg>
diff --git a/app/views/icons/_code_circle.html.erb b/app/views/icons/_code_circle.html.erb
new file mode 100644
index 00000000..5a55acba
--- /dev/null
+++ b/app/views/icons/_code_circle.html.erb
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" class="<%= local_assigns[:class] %>" width="44" height="44" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+  <path stroke="none" d="M0 0h24v24H0z" fill="none" />
+  <path d="M8.5 13.5l-1.5 -1.5l1.5 -1.5" />
+  <path d="M15.5 10.5l1.5 1.5l-1.5 1.5" />
+  <path d="M12 12m-9 0a9 9 0 1 0 18 0a9 9 0 1 0 -18 0" />
+  <path d="M13 9.5l-2 5.5" />
+</svg>
diff --git a/app/views/shared/_navbar_buttons.html.erb b/app/views/shared/_navbar_buttons.html.erb
index a0a246de..7670205f 100644
--- a/app/views/shared/_navbar_buttons.html.erb
+++ b/app/views/shared/_navbar_buttons.html.erb
@@ -1,4 +1,8 @@
 <%= link_to Docuseal.multitenant? ? console_redirect_index_path(redir: "#{Docuseal::CONSOLE_URL}/plans") : "#{Docuseal::CONSOLE_URL}/on_premise", class: 'hidden md:inline-flex btn btn-warning btn-sm', data: { prefetch: false } do %>
   Upgrade
 <% end %>
+<% if signed_in? && current_user != true_user %>
+  <span class="hidden md:inline-flex h-3 border-r border-base-content"></span>
+  <%= render 'shared/test_alert' %>
+<% end %>
 <span class="hidden md:inline-flex h-3 border-r border-base-content"></span>
diff --git a/app/views/shared/_settings_nav.html.erb b/app/views/shared/_settings_nav.html.erb
index 9ca17b66..12da5ce1 100644
--- a/app/views/shared/_settings_nav.html.erb
+++ b/app/views/shared/_settings_nav.html.erb
@@ -11,17 +11,17 @@
         <%= link_to 'Account', settings_account_path, class: 'text-base hover:bg-base-300' %>
       </li>
       <% unless Docuseal.multitenant? %>
-        <% if can?(:read, EncryptedConfig.new(key: EncryptedConfig::EMAIL_SMTP_KEY, account: current_account)) && ENV['SMTP_ADDRESS'].blank? %>
+        <% if can?(:read, EncryptedConfig.new(key: EncryptedConfig::EMAIL_SMTP_KEY, account: current_account)) && ENV['SMTP_ADDRESS'].blank? &&  true_user == current_user %>
           <li>
             <%= link_to 'Email', settings_email_index_path, class: 'text-base hover:bg-base-300' %>
           </li>
         <% end %>
-        <% if can?(:read, EncryptedConfig.new(key: EncryptedConfig::FILES_STORAGE_KEY, account: current_account)) %>
+        <% if can?(:read, EncryptedConfig.new(key: EncryptedConfig::FILES_STORAGE_KEY, account: current_account)) && true_user == current_user %>
           <li>
             <%= link_to 'Storage', settings_storage_index_path, class: 'text-base hover:bg-base-300' %>
           </li>
         <% end %>
-        <% if can?(:read, EncryptedConfig.new(key: 'submitter_invitation_sms', account: current_account)) %>
+        <% if can?(:read, EncryptedConfig.new(key: 'submitter_invitation_sms', account: current_account)) && true_user == current_user %>
           <li>
             <%= link_to 'SMS', settings_sms_path, class: 'text-base hover:bg-base-300' %>
           </li>
@@ -43,7 +43,7 @@
         </li>
       <% end %>
       <% unless Docuseal.multitenant? %>
-        <% if can?(:read, EncryptedConfig.new(key: 'saml_configs', account: current_account)) %>
+        <% if can?(:read, EncryptedConfig.new(key: 'saml_configs', account: current_account)) && true_user == current_user %>
           <li>
             <%= link_to 'SSO', settings_sso_index_path, class: 'text-base hover:bg-base-300' %>
           </li>
@@ -88,10 +88,22 @@
             <% end %>
           </li>
         <% end %>
+        <% if (can?(:manage, EncryptedConfig) && current_user == true_user) || (current_user != true_user && current_account.testing?) %>
+          <li>
+            <%= form_for '', url: testing_account_path, method: current_account.testing? ? :delete : :get, html: { class: 'flex w-full' } do |f| %>
+              <label class="flex items-center text-base hover:bg-base-300 w-full justify-between" for="testing_toggle">
+                <span class="mr-2 w-full">
+                  Test Environment
+                </span>
+                <%= f.check_box :testing_toggle, class: 'toggle toggle-sm', checked: current_account.testing?, onchange: 'this.form.requestSubmit()' %>
+              </label>
+            <% end %>
+          </li>
+        <% end %>
       <% end %>
     </ul>
   </menu-active>
-  <% if !can?(:manage, :tenants) %>
+  <% if Docuseal.multitenant? || cannot?(:manage, :tenants) %>
     <div class="mx-4 border-t border-base-300 hidden md:block">
       <div class="text-sm mt-3">
         Need help? Ask a question:
diff --git a/app/views/shared/_test_alert.html.erb b/app/views/shared/_test_alert.html.erb
new file mode 100644
index 00000000..13e9876c
--- /dev/null
+++ b/app/views/shared/_test_alert.html.erb
@@ -0,0 +1,17 @@
+<% if signed_in? && current_user != true_user && current_account.testing? %>
+  <div class="alert py-1 text-sm font-medium gap-x-2">
+    <a href="<%= testing_api_settings_path %>" data-turbo-frame="modal" class="link font-semibold flex">
+      <%= svg_icon('code_circle', class: 'w-5 h-5 mr-1') %>Testing Environment
+    </a>
+    <span>
+      |
+    </span>
+    <%= button_to testing_account_path, method: :delete, class: 'inline flex' do %>
+      <% title = capture do %>
+        <span class="link">Exit</span>
+        <span>&times;</span>
+      <% end %>
+      <%= button_title(title:, disabled_with: 'Leave') %>
+    <% end %>
+  </div>
+<% end %>
diff --git a/app/views/shared/_test_mode_toggle.html.erb b/app/views/shared/_test_mode_toggle.html.erb
new file mode 100644
index 00000000..5c281ad6
--- /dev/null
+++ b/app/views/shared/_test_mode_toggle.html.erb
@@ -0,0 +1,10 @@
+<% if can?(:manage, EncryptedConfig) || (current_user != true_user && current_account.testing?) %>
+  <%= form_for '', url: testing_account_path, method: current_account.testing? ? :delete : :get, html: { class: 'flex' } do |f| %>
+    <label class="flex items-center justify-between py-2.5" for="testing_toggle">
+      <span class="mr-2 text-lg">
+        Test Environment
+      </span>
+      <%= f.check_box :testing_toggle, class: 'toggle', checked: current_account.testing?, onchange: 'this.form.requestSubmit()' %>
+    </label>
+  <% end %>
+<% end %>
diff --git a/app/views/testing_api_settings/index.html.erb b/app/views/testing_api_settings/index.html.erb
new file mode 100644
index 00000000..1ad3b46f
--- /dev/null
+++ b/app/views/testing_api_settings/index.html.erb
@@ -0,0 +1,18 @@
+<%= render 'shared/turbo_modal', title: 'Testing Environment' do %>
+  <div>
+    <label class="text-sm font-semibold" for="api_key">
+      x-Auth-Token
+    </label>
+    <div class="flex gap-2 mb-4 mt-2">
+      <input id="api_key" type="text" value="<%= current_user.access_token.token %>" class="base-input w-full" autocomplete="off" readonly>
+      <%= render 'shared/clipboard_copy', icon: 'copy', text: current_user.access_token.token, class: 'base-button', icon_class: 'w-6 h-6 text-white', copy_title: 'Copy', copied_title: 'Copied' %>
+    </div>
+  </div>
+  <%= form_for @webhook_config, url: settings_webhooks_path, method: :post, html: { autocomplete: 'off' }, data: { turbo_frame: :_top } do |f| %>
+    <%= f.label :value, 'Webhook URL', class: 'text-sm font-semibold' %>
+    <div class="space-y-2 md:flex-nowrap mt-2">
+      <%= f.url_field :value, class: 'base-input w-full', placeholder: 'https://example.com/hook' %>
+      <%= f.button button_title(title: 'Save', disabled_with: 'Saving'), class: 'base-button w-full' %>
+    </div>
+  <% end %>
+<% end %>
diff --git a/app/views/webhook_settings/show.html.erb b/app/views/webhook_settings/show.html.erb
index ca88c87f..34c76787 100644
--- a/app/views/webhook_settings/show.html.erb
+++ b/app/views/webhook_settings/show.html.erb
@@ -1,7 +1,10 @@
 <div class="flex flex-wrap space-y-4 md:flex-nowrap md:space-y-0 md:space-x-10">
   <%= render 'shared/settings_nav' %>
   <div class="flex-grow">
-    <h1 class="text-4xl font-bold mb-4">Webhooks</h1>
+    <div class="flex justify-between">
+      <h1 class="text-4xl font-bold mb-4">Webhooks</h1>
+      <%= render 'shared/test_mode_toggle' %>
+    </div>
     <div class="card bg-base-200">
       <div class="card-body p-6">
         <%= form_for @encrypted_config, url: settings_webhooks_path, method: :post, html: { autocomplete: 'off' } do |f| %>
diff --git a/config/routes.rb b/config/routes.rb
index 9efdc594..3d26f247 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -62,6 +62,8 @@ Rails.application.routes.draw do
   resource :user_signature, only: %i[edit update destroy]
   resources :submissions, only: %i[show destroy]
   resources :console_redirect, only: %i[index]
+  resource :testing_account, only: %i[show destroy]
+  resources :testing_api_settings, only: %i[index]
   resource :templates_upload, only: %i[create]
   authenticated do
     resource :templates_upload, only: %i[show], path: 'new'
@@ -112,10 +114,8 @@ Rails.application.routes.draw do
     resource :esign, only: %i[show create new update destroy], controller: 'esign_settings'
     resources :users, only: %i[index]
     resource :personalization, only: %i[show create], controller: 'personalization_settings'
-    if !Docuseal.multitenant? || Docuseal.demo?
-      resources :api, only: %i[index create], controller: 'api_settings'
-      resource :webhooks, only: %i[show create update], controller: 'webhook_settings'
-    end
+    resources :api, only: %i[index create], controller: 'api_settings'
+    resource :webhooks, only: %i[show create update], controller: 'webhook_settings'
     resource :account, only: %i[show update]
     resources :profile, only: %i[index] do
       collection do
diff --git a/db/migrate/20240120192055_create_account_linked_accounts.rb b/db/migrate/20240120192055_create_account_linked_accounts.rb
new file mode 100644
index 00000000..73dd84a5
--- /dev/null
+++ b/db/migrate/20240120192055_create_account_linked_accounts.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class CreateAccountLinkedAccounts < ActiveRecord::Migration[7.1]
+  def change
+    create_table :account_linked_accounts do |t|
+      t.references :account, null: false, foreign_key: true
+      t.references :linked_account, null: false, foreign_key: { to_table: :accounts }
+      t.text :account_type, null: false
+
+      t.index %i[account_id linked_account_id], unique: true
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 0eac8bf9..7eeabae8 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2023_12_29_220819) do
+ActiveRecord::Schema[7.1].define(version: 2024_01_20_192055) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -34,6 +34,17 @@ ActiveRecord::Schema[7.1].define(version: 2023_12_29_220819) do
     t.index ["account_id"], name: "index_account_configs_on_account_id"
   end
 
+  create_table "account_linked_accounts", force: :cascade do |t|
+    t.bigint "account_id", null: false
+    t.bigint "linked_account_id", null: false
+    t.text "account_type", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id", "linked_account_id"], name: "idx_on_account_id_linked_account_id_48ab9f79d2", unique: true
+    t.index ["account_id"], name: "index_account_linked_accounts_on_account_id"
+    t.index ["linked_account_id"], name: "index_account_linked_accounts_on_linked_account_id"
+  end
+
   create_table "accounts", force: :cascade do |t|
     t.string "name", null: false
     t.string "timezone", null: false
@@ -242,6 +253,8 @@ ActiveRecord::Schema[7.1].define(version: 2023_12_29_220819) do
 
   add_foreign_key "access_tokens", "users"
   add_foreign_key "account_configs", "accounts"
+  add_foreign_key "account_linked_accounts", "accounts"
+  add_foreign_key "account_linked_accounts", "accounts", column: "linked_account_id"
   add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id"
   add_foreign_key "active_storage_variant_records", "active_storage_blobs", column: "blob_id"
   add_foreign_key "document_generation_events", "submitters"
diff --git a/lib/accounts.rb b/lib/accounts.rb
index fd7e9684..588ceb28 100644
--- a/lib/accounts.rb
+++ b/lib/accounts.rb
@@ -31,6 +31,26 @@ module Accounts
     new_account
   end
 
+  def find_or_create_testing_user(account)
+    user = User.find_by(account: account.testing_accounts)
+
+    return user if user
+
+    testing_account = account.dup.tap { |a| a.name = "Testing - #{a.name}" }
+
+    ApplicationRecord.transaction do
+      account.testing_accounts << testing_account
+
+      testing_account.users.create!(
+        email: account.users.order(:id).first.email.sub('@', '+test@'),
+        first_name: 'Testing',
+        last_name: 'Environment',
+        password: SecureRandom.hex,
+        role: :admin
+      )
+    end
+  end
+
   def create_default_template(account)
     template = Template.find(1)
 
@@ -61,7 +81,8 @@ module Accounts
       if Docuseal.multitenant?
         EncryptedConfig.find_by(account:, key: EncryptedConfig::ESIGN_CERTS_KEY)&.value || Docuseal::CERTS
       else
-        EncryptedConfig.find_by(key: EncryptedConfig::ESIGN_CERTS_KEY).value
+        EncryptedConfig.find_by(account:, key: EncryptedConfig::ESIGN_CERTS_KEY)&.value ||
+          EncryptedConfig.find_by(key: EncryptedConfig::ESIGN_CERTS_KEY).value
       end
 
     if (default_cert = cert_data['custom']&.find { |e| e['status'] == 'default' })