aaf-gumboot 1.0.0.pre.alpha.2

data/lib/gumboot/shared_examples/database_schema.rb

@@ -0,0 +1,45 @@
+RSpec.shared_examples 'Database Schema' do
+  context 'AAF shared implementation' do
+    RSpec::Matchers.define :have_collation do |expected, name|
+      match { |actual| actual[:Collation] == expected }
+
+      failure_message do |actual|
+        "expected #{name} to use collation #{expected}, but was " \
+          "#{actual[:Collation]}"
+      end
+    end
+
+    before { expect(connection).to be_a(Mysql2::Client) }
+
+    def query(sql)
+      connection.query(sql, as: :hash, symbolize_keys: true)
+    end
+
+    it 'has the correct encoding set for the connection' do
+      expect(connection.query_options).to include(encoding: 'utf8')
+    end
+
+    it 'has the correct collation set for the connection' do
+      expect(connection.query_options).to include(collation: 'utf8_bin')
+    end
+
+    it 'has the correct collation' do
+      db_collation = query('SHOW VARIABLES LIKE "collation_database"')
+                     .first[:Value]
+      expect(db_collation).to eq('utf8_bin')
+
+      query('SHOW TABLE STATUS').each do |table|
+        table_name = table[:Name]
+        next if table_name == 'schema_migrations'
+        expect(table).to have_collation('utf8_bin', "`#{table_name}`")
+
+        query("SHOW FULL COLUMNS FROM #{table[:Name]}").each do |column|
+          next unless column[:Collation]
+          expect(column)
+            .to have_collation('utf8_bin',
+                               " `#{table_name}`.`#{column[:Field]}`")
+        end
+      end
+    end
+  end
+end

data/lib/gumboot/shared_examples/foreign_keys.rb

@@ -0,0 +1,65 @@
+RSpec.shared_examples 'Gumboot Foreign Keys' do
+  RSpec.shared_examples 'gumboot fk' do
+    let(:conn) do
+      ActiveRecord::Base.connection
+    end
+
+    let(:foreign_key) do
+      conn.foreign_keys(from_table).find do |key|
+        key.options[:column] == column
+      end
+    end
+
+    it 'has valid foreign key' do
+      if conn.supports_foreign_keys?
+        expect(foreign_key).to(be_truthy)
+        expect(foreign_key.to_table).to eql to_table
+      end
+    end
+  end
+
+  context 'Permission' do
+    context 'Roles' do
+      include_examples 'gumboot fk' do
+        let(:from_table) { 'permissions' }
+        let(:to_table) { 'roles' }
+        let(:column) { 'role_id' }
+      end
+    end
+  end
+
+  context 'API Subject' do
+    context 'Roles' do
+      include_examples 'gumboot fk' do
+        let(:from_table) { 'api_subject_roles' }
+        let(:to_table) { 'api_subjects' }
+        let(:column) { 'api_subject_id' }
+      end
+    end
+  end
+
+  context 'Subject' do
+    context 'Roles' do
+      include_examples 'gumboot fk' do
+        let(:from_table) { 'subject_roles' }
+        let(:to_table) { 'subjects' }
+        let(:column) { 'subject_id' }
+      end
+    end
+  end
+
+  context 'Roles' do
+    let(:to_table) { 'roles' }
+    let(:column) { 'role_id' }
+    context 'Subjects' do
+      include_examples 'gumboot fk' do
+        let(:from_table) { 'subject_roles' }
+      end
+    end
+    context 'API Subjects' do
+      include_examples 'gumboot fk' do
+        let(:from_table) { 'api_subject_roles' }
+      end
+    end
+  end
+end

data/lib/gumboot/shared_examples/permissions.rb

@@ -0,0 +1,45 @@
+RSpec.shared_examples 'Permissions' do
+  context 'AAF shared implementation' do
+    subject { build :permission }
+
+    it { is_expected.to be_valid }
+
+    it 'is invalid without a role' do
+      subject.role = nil
+      expect(subject).not_to be_valid
+    end
+
+    it 'is invalid without a value' do
+      subject.value = nil
+      expect(subject).not_to be_valid
+    end
+
+    it 'allows wildcard values' do
+      subject.value = '*'
+      expect(subject).to be_valid
+    end
+
+    it 'allows permission string values' do
+      subject.value = 'a:b:c:d'
+      expect(subject).to be_valid
+    end
+
+    it 'disallows invalid characters' do
+      subject.value = 'a:b:%'
+      expect(subject).not_to be_valid
+    end
+
+    it 'must have a unique value per role' do
+      other = create(:permission, role: subject.role, value: 'other')
+
+      expect { subject.value = other.value }
+        .to change { subject.valid? }.to(be_falsey)
+    end
+
+    it 'can have a value used in a different role' do
+      other = create(:permission, value: 'other')
+      subject.value = other.value
+      expect(subject).to be_valid
+    end
+  end
+end

data/lib/gumboot/shared_examples/roles.rb

@@ -0,0 +1,15 @@
+RSpec.shared_examples 'Roles' do
+  context 'AAF shared implementation' do
+    subject { build :role }
+
+    it { is_expected.to be_valid }
+    it { is_expected.to respond_to(:api_subjects) }
+    it { is_expected.to respond_to(:subjects) }
+    it { is_expected.to respond_to(:permissions) }
+
+    it 'is invalid without a name' do
+      subject.name = nil
+      expect(subject).not_to be_valid
+    end
+  end
+end

data/lib/gumboot/shared_examples/subjects.rb

@@ -0,0 +1,29 @@
+RSpec.shared_examples 'Subjects' do
+  context 'AAF shared implementation' do
+    subject { build :subject }
+
+    it { is_expected.to be_valid }
+    it { is_expected.to be_an(Accession::Principal) }
+    it { is_expected.to respond_to(:roles) }
+    it { is_expected.to respond_to(:permissions) }
+    it { is_expected.to respond_to(:permits?) }
+    it { is_expected.to respond_to(:functioning?) }
+
+    it 'is invalid without a name' do
+      subject.name = nil
+      expect(subject).not_to be_valid
+    end
+    it 'is invalid without mail' do
+      subject.mail = nil
+      expect(subject).not_to be_valid
+    end
+    it 'is invalid without an enabled state' do
+      subject.enabled = nil
+      expect(subject).not_to be_valid
+    end
+    it 'is invalid without a complete state' do
+      subject.complete = nil
+      expect(subject).not_to be_valid
+    end
+  end
+end

data/lib/gumboot/strap.rb

@@ -0,0 +1,121 @@
+require 'yaml'
+require 'active_support/core_ext/hash/deep_merge'
+
+module Gumboot
+  module Strap
+    def client
+      file = File.expand_path('~/.my.cnf')
+      @client ||= Mysql2::Client.new(default_file: file,
+                                     default_group: 'client',
+                                     host: '127.0.0.1')
+    end
+
+    def ensure_activerecord_databases(environments)
+      environments.each do |env|
+        message "Preparing #{env} database"
+
+        db = ActiveRecord::Base.configurations[env]
+
+        ensure_database(db)
+        ensure_database_user(db)
+      end
+    end
+
+    def ensure_database(db)
+      adapter, database = db.values_at('adapter', 'database')
+      raise('Only supports mysql2 adapter') unless adapter == 'mysql2'
+
+      puts "Ensuring database `#{database}` exists"
+      client.query("CREATE DATABASE IF NOT EXISTS `#{database}` " \
+                   'CHARACTER SET utf8 COLLATE utf8_bin')
+    end
+
+    def ensure_database_user(db)
+      adapter, database, username, password =
+        db.values_at('adapter', 'database', 'username', 'password')
+
+      raise('Only supports mysql2 adapter') unless adapter == 'mysql2'
+
+      puts "Ensuring access to `#{database}` for #{username} user is granted"
+      client.query("GRANT ALL PRIVILEGES ON `#{database}`.* " \
+                   "TO '#{client.escape(username)}'@'localhost' " \
+                   "IDENTIFIED BY '#{client.escape(password)}'")
+    end
+
+    def maintain_activerecord_schema
+      message 'Loading database schema'
+
+      if ActiveRecord::Base.connection.execute('SHOW TABLES').count.zero?
+        puts 'No tables exist yet, loading schema'
+        system 'rake db:schema:load'
+      end
+
+      puts 'Running migrations'
+      system 'rake db:migrate'
+    end
+
+    def load_seeds
+      message 'Loading seeds'
+
+      system 'rake db:seed'
+    end
+
+    def clean_logs
+      message 'Removing old tempfiles'
+      system 'rm -f log/*'
+    end
+
+    def clean_tempfiles
+      message 'Removing old tempfiles'
+      system 'rm -rf tmp/cache'
+    end
+
+    def link_global_configuration(files)
+      files.each do |file|
+        src = File.expand_path("~/.aaf/#{file}")
+        raise("Missing global config file: #{src}") unless File.exist?(src)
+
+        dest =  "config/#{file}"
+        next if File.exist?(dest)
+        FileUtils.ln_s(src, dest)
+      end
+    end
+
+    def update_local_configuration(files)
+      files.each do |file|
+        src = "config/#{file}.dist"
+        raise("Not a .yml file: #{file}") unless file.end_with?('.yml')
+        raise("Missing dist config file: #{src}") unless File.exist?(src)
+
+        merge_config(src, "config/#{file}")
+      end
+    end
+
+    def install_dist_template(files)
+      files.each do |file|
+        src = "config/#{file}.dist"
+        dest = "config/#{file}"
+
+        raise("Missing dist config file: #{src}") unless File.exist?(src)
+
+        next if File.exist?(dest)
+        FileUtils.copy(src, dest)
+      end
+    end
+
+    private
+
+    def message(msg)
+      puts "\n== #{msg} =="
+    end
+
+    def merge_config(src, dest)
+      new_config = YAML.load(File.read(src))
+      old_config = File.exist?(dest) ? YAML.load(File.read(dest)) : {}
+
+      File.open(dest, 'w') do |f|
+        f.write(YAML.dump(new_config.deep_merge(old_config)))
+      end
+    end
+  end
+end

data/lib/gumboot/version.rb

@@ -0,0 +1,3 @@
+module Gumboot
+  VERSION = '1.0.0-alpha.2'.freeze
+end

data/spec/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/spec/dummy/Rakefile

@@ -0,0 +1,3 @@
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/spec/dummy/app/controllers/api/api_controller.rb

@@ -0,0 +1,78 @@
+require 'openssl'
+
+module API
+  class APIController < ActionController::Base
+    Forbidden = Class.new(StandardError)
+    private_constant :Forbidden
+    rescue_from Forbidden, with: :forbidden
+
+    Unauthorized = Class.new(StandardError)
+    private_constant :Unauthorized
+    rescue_from Unauthorized, with: :unauthorized
+
+    protect_from_forgery with: :null_session
+    before_action :ensure_authenticated
+    after_action :ensure_access_checked
+
+    attr_reader :subject
+
+    protected
+
+    def ensure_authenticated
+      # Ensure API subject exists and is functioning
+      @subject = APISubject.find_by(x509_cn: x509_cn)
+      raise(Unauthorized, 'Subject invalid') unless @subject
+      raise(Unauthorized, 'Subject not functional') unless @subject.functioning?
+    end
+
+    def ensure_access_checked
+      return if @access_checked
+
+      method = "#{self.class.name}##{params[:action]}"
+      raise("No access control performed by #{method}")
+    end
+
+    def x509_cn
+      # Verified DN pushed by nginx following successful client SSL verification
+      # nginx is always going to do a better job of terminating SSL then we can
+      raise(Unauthorized, 'Subject DN') if x509_dn.nil?
+
+      x509_dn_parsed = OpenSSL::X509::Name.parse(x509_dn)
+      x509_dn_hash = Hash[
+        x509_dn_parsed.to_a.map do |components|
+          components[0..1]
+        end
+      ]
+
+      x509_dn_hash['CN'] || raise(Unauthorized, 'Subject CN invalid')
+
+    rescue OpenSSL::X509::NameError
+      raise(Unauthorized, 'Subject DN invalid')
+    end
+
+    def x509_dn
+      x509_dn = request.headers['HTTP_X509_DN'].try(:force_encoding, 'UTF-8')
+      x509_dn == '(null)' ? nil : x509_dn
+    end
+
+    def check_access!(action)
+      raise(Forbidden) unless @subject.permits?(action)
+      @access_checked = true
+    end
+
+    def public_action
+      @access_checked = true
+    end
+
+    def unauthorized(exception)
+      message = 'SSL client failure.'
+      error = exception.message
+      render json: { message: message, error: error }, status: :unauthorized
+    end
+
+    def forbidden(_exception)
+      message = 'The request was understood but explicitly denied.'
+      render json: { message: message }, status: :forbidden
+    end
+  end
+end