active_record_api-rest 0.0.2

data/lib/active_record_api-rest.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'active_record_api/rest/version'
+require 'active_support'
+require 'action_controller'
+require 'active_record'
+require 'cancancan'
+require 'active_model_serializers'
+require 'active_attr'
+
+module ActiveRecordApi
+  module Rest
+  end
+end
+
+require_relative 'active_record_api/rest/railtie'
+require_relative 'active_record_api/rest/request_url_generator'

data/lib/active_record_api/rest/concerns/graceful_errors.rb

@@ -0,0 +1,17 @@
+module ActiveRecordApi
+  module Rest
+    module GracefulErrors
+      extend ActiveSupport::Concern
+
+      included do
+        rescue_from ActiveRecord::RecordNotFound do |exception|
+          render status: :not_found, json: { base: exception.message }
+        end
+
+        rescue_from CanCan::AccessDenied do |exception|
+          render status: :forbidden, json: { base: "Access denied on #{exception.action} #{exception.subject.inspect}" }
+        end
+      end
+    end
+  end
+end

data/lib/active_record_api/rest/controller.rb

@@ -0,0 +1,63 @@
+require_relative 'index_controller'
+
+module ActiveRecordApi
+  module Rest
+    class Controller < IndexController
+      before_action :initialize_model, only: :create
+      before_action :only_valid_params, only: %i[create update]
+
+      def show
+        return unless stale?(last_modified: model.updated_at)
+        render json: model, serializer: serializer
+      end
+
+      def create
+        if model.save
+          redirect_to_model
+        else
+          render json: model.errors, status: :unprocessable_entity
+        end
+      end
+
+      def update
+        if model.update(resource_params)
+          redirect_to_model
+        else
+          render json: model.errors, status: :unprocessable_entity
+        end
+      end
+
+      def destroy
+        model.destroy!
+        head :no_content
+      end
+
+      protected
+
+      def redirect_to_model
+        host = RequestUrlGenerator.new(request: request).micro_service_url
+        relative_url = url_for(controller: controller_name, action: 'show', id: model.id, only_path: true)
+        redirect_to "#{host}#{relative_url}", status: :see_other
+      end
+
+      def only_valid_params
+        return unless not_allowed_params.present?
+        render json: { base: "Extra parameters are not allow: #{not_allowed_params.join(', ')}" }, status: :unprocessable_entity
+      end
+
+      def resource_params
+        @resource_params ||= filtered_params.reject do |column_name|
+          column_name == :id
+        end
+      end
+
+      def not_allowed_params
+        @not_allowed_params ||= ((params.keys.map(&:to_sym) - [:controller, :action, model_klass.name.underscore.to_sym]) - resource_params.keys.map(&:to_sym))
+      end
+
+      def initialize_model
+        instance_variable_set("@#{controller_name.singularize}", model_klass.new(filtered_params))
+      end
+    end
+  end
+end

data/lib/active_record_api/rest/index_controller.rb

@@ -0,0 +1,84 @@
+require_relative 'concerns/graceful_errors'
+
+module ActiveRecordApi
+  module Rest
+    class IndexController < ApplicationController
+      include CanCan::ControllerAdditions
+
+      include GracefulErrors
+
+      load_and_authorize_resource
+      before_action :load_models, only: :index
+
+      def index
+        response.headers['x-total'] = @total
+        response.headers['x-link-next'] = next_link
+        render json: models, each_serializer: serializer
+      end
+
+      protected
+
+      def next_link
+        return unless @remaining_count > limit
+        new_params = request.query_parameters.dup
+        new_params['previous_id'] = models.last.id
+        RequestUrlGenerator.new(request: request, new_params: new_params).url
+      end
+
+      def serializer
+        "#{model_klass.name}Serializer".safe_constantize
+      end
+
+      def allowed_params
+        @allowed_params ||= model_klass.column_names.map do |column_name|
+          column_name.to_s.gsub('encrypted_', '')
+        end.map(&:to_sym)
+      end
+
+      def filtered_params
+        @filtered_params ||= params.permit(allowed_params).to_h
+      end
+
+      def model
+        instance_variable_get("@#{controller_name.singularize}")
+      end
+
+      def load_models
+        filter_models
+        @total = models.count
+        page_models
+      end
+
+      def filter_models
+        models models.where(filtered_params)
+      end
+
+      def page_models
+        id_field = model_klass.arel_table[:id]
+        models models.order(:id).where(id_field.gt previous_id)
+        @remaining_count = models.count
+        models models.limit(limit)
+      end
+
+      def models(updated_models = nil)
+        if updated_models.nil?
+          instance_variable_get("@#{controller_name}")
+        else
+          instance_variable_set("@#{controller_name}", updated_models)
+        end
+      end
+
+      def model_klass
+        @model_klass ||= controller_name.classify.constantize
+      end
+
+      def limit
+        @limit ||= params[:limit]&.to_i || 50
+      end
+
+      def previous_id
+        @previous_id ||= params[:previous_id] || 0
+      end
+    end
+  end
+end

data/lib/active_record_api/rest/railtie.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'rails'
+
+#:nocov:#
+module ActiveRecordApi
+  module Rest
+    class Railtie < Rails::Railtie
+      initializer 'load order fix for application controller' do
+        require_relative 'controller'
+      end
+    end
+  end
+end
+#:nocov:#

data/lib/active_record_api/rest/request_url_generator.rb

@@ -0,0 +1,29 @@
+module ActiveRecordApi
+  module Rest
+    class RequestUrlGenerator
+      include ActiveAttr::Model
+
+      attribute :request
+      attribute :new_params, default: {}
+
+      delegate :host, :path, to: :request, prefix: true
+
+      def url
+        "#{micro_service_url}#{request_path}?#{new_params.to_param}"
+      end
+
+      def micro_service_url
+        "#{protocol}#{request_host}/api/#{micro_service_name}"
+      end
+
+      def micro_service_name
+        Rails.application.class.parent.to_s.underscore.tr('_', '-')
+      end
+
+      def protocol
+        return 'http://' if Rails.env.development?
+        'https://'
+      end
+    end
+  end
+end

data/lib/active_record_api/rest/spec.rb

@@ -0,0 +1,3 @@
+require 'active_record_api-rest'
+
+require_relative 'spec/rest_controller_shared_example'

data/lib/active_record_api/rest/spec/rest_controller_shared_example.rb

@@ -0,0 +1,213 @@
+shared_examples 'all::rest::actions' do
+  let(:authorize_read) { mock_valid_auth(permission_name(model_klass, 'r'), model.organization_id) }
+  let(:unauthorize_read) { mock_valid_auth(permission_name(model_klass, ''), -1) }
+  let(:authorize_create) { mock_valid_auth(permission_name(model_klass, 'c'), model.organization_id) }
+  let(:unauthorize_create) { mock_valid_auth(permission_name(model_klass, ''), -1) }
+  let(:authorize_update) { mock_valid_auth(permission_name(model_klass, 'u'), model.organization_id) }
+  let(:unauthorize_update) { mock_valid_auth(permission_name(model_klass, ''), -1) }
+  let(:authorize_delete) { mock_valid_auth(permission_name(model_klass, 'd'), model.organization_id) }
+  let(:unauthorize_delete) { mock_valid_auth(permission_name(model_klass, ''), -1) }
+  let(:factory_symbol) { model_klass.to_s.underscore.to_sym }
+  let(:index_non_accessible_data) { create factory_symbol, organization_id: (model.organization_id + 1) }
+  let(:model_array) { [model] + create_list(factory_symbol, 4, organization_id: model.organization_id) }
+  describe 'All rest actions' do
+    let(:serializer) { ActiveModelSerializers::SerializableResource }
+    let(:model_klass) { described_class.controller_name.classify.constantize }
+    let(:model) { create model_klass.to_s.underscore.to_sym }
+    include_examples 'get::show'
+    include_examples 'get::index'
+    include_examples 'put::update'
+    include_examples 'post::create'
+    include_examples 'delete::delete'
+  end
+end
+
+shared_examples 'get::show' do
+  describe 'GET show' do
+    context 'when authorized' do
+      before(:each) do
+        authorize_read
+      end
+      context 'when valid' do
+        before(:each) do
+          get :show, params: { id: model.to_param }
+        end
+        it { expect(response.status).to eq 200 }
+        it { expect(response.body).to be_json_eql(serializer.new(model).to_json) }
+      end
+      context 'when not found' do
+        before(:each) do
+          get :show, params: { id: -1 }
+        end
+        it { expect(response.status).to eq 404 }
+        it { expect(JSON.parse(response.body)['base']).to include "Couldn't find #{model_klass} with 'id'=-1" }
+      end
+    end
+    context 'when not authorized' do
+      before(:each) do
+        unauthorize_read
+        get :show, params: { id: model.to_param }
+      end
+      it { expect(response.status).to eq 403 }
+      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
+    end
+  end
+end
+
+shared_examples 'get::index' do
+  describe 'GET index' do
+    context 'when authorized' do
+      before(:each) do
+        authorize_read
+      end
+      context 'when one result' do
+        before(:each) do
+          model
+          get :index
+        end
+        it { expect(response.status).to eq 200 }
+        it { expect(response.headers['x-total']).to eq 1 }
+        it { expect(response.headers['x-link-next']).to be nil }
+      end
+
+      context 'when paged results' do
+        let(:previous_id) { model_klass.limit(1).pluck(:id).first }
+        let(:next_previous_id) { model_klass.where('id > ?', previous_id).limit(1).pluck(:id).last }
+        before(:each) do
+          model_array
+          get :index, params: { previous_id: previous_id, limit: 1 }
+        end
+        it { expect(response.status).to eq 200 }
+        it { expect(response.headers['x-total']).to eq model_array.length }
+        it { expect(response.headers['x-link-next']).to eq "https://test.host/api/#{Rails.application.class.parent.to_s.underscore}#{request.path}?limit=1&previous_id=#{next_previous_id}" }
+        it { expect(response.body).to be_json_eql model_klass.where('id > ?', previous_id).limit(1).map { |o| serializer.new(o) }.to_json }
+      end
+
+      context 'when only access some of the data' do
+        before(:each) do
+          index_non_accessible_data
+          get :index
+        end
+        it { expect(response.status).to eq 200 }
+        it { expect(response.headers['x-total']).to eq 1 }
+        it { expect(response.body).to be_json_eql [serializer.new(model)].to_json }
+      end
+    end
+    context 'when not authorized' do
+      before(:each) do
+        unauthorize_read
+      end
+      before(:each) do
+        get :index
+      end
+      it { expect(response.status).to eq 403 }
+      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on index' }
+    end
+  end
+end
+
+shared_examples 'put::update' do
+  let(:payload) { model.clone.attributes }
+  let(:host) { ActiveRecordApi::Rest::RequestUrlGenerator.new(request: request).micro_service_url }
+  let(:relative_url) { Rails.application.routes.url_helpers.url_for(controller: model_klass.to_s.underscore.pluralize, action: 'show', id: model.id, only_path: true) }
+  describe 'PUT update' do
+    context 'when authorized' do
+      before(:each) do
+        authorize_update
+      end
+      context 'valid' do
+        before(:each) do
+          put :update, params: payload
+        end
+        it { expect(response.status).to eq 303 }
+        it { expect(response).to redirect_to "#{host}#{relative_url}" }
+      end
+      context 'when invalid param values provided' do
+        before(:each) do
+          put :update, params: update_invalid_model.attributes.merge(id: model.id)
+          expect(update_invalid_model.valid?).to be false
+        end
+        it { expect(response.status).to eq(422) }
+        it { expect(response.body).to be_json_eql(update_invalid_model.errors.to_json) }
+      end
+      context 'when invalid param keys provided' do
+        before(:each) do
+          put :update, params: model.attributes.merge('foobars' => 'stuff')
+        end
+        it { expect(response.status).to eq(422) }
+        it { expect(response.body).to be_json_eql({ base: 'Extra parameters are not allow: foobars' }.to_json) }
+      end
+    end
+    context 'when not authorized' do
+      before(:each) do
+        unauthorize_update
+        get :show, params: payload
+      end
+      it { expect(response.status).to eq 403 }
+      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on show' }
+    end
+  end
+end
+
+shared_examples 'post::create' do
+  let(:new_attributes) { model.dup.attributes }
+  let(:model_id) { model.id }
+  let(:host) { ActiveRecordApi::Rest::RequestUrlGenerator.new(request: request).micro_service_url }
+  let(:relative_url) { Rails.application.routes.url_helpers.url_for(controller: model_klass.to_s.underscore.pluralize, action: 'show', id: model_klass.last.id, only_path: true) }
+  describe 'POST create' do
+    context 'when authorized' do
+      before(:each) do
+        authorize_create
+      end
+      context 'when invalid' do
+        before(:each) do
+          expect_any_instance_of(model_klass).to receive(:save).and_return(false)
+          post :create, params: new_attributes
+        end
+        it { expect(response.status).to eq 422 }
+      end
+      context 'when valid' do
+        it 'creates record with attributes' do
+          model.delete
+          expect {
+            post :create, params: new_attributes
+            expect(response).to redirect_to "#{host}#{relative_url}"
+          }.to change(model_klass, :count).by(1)
+          expect(model_klass.last.id).not_to eq model_id
+        end
+      end
+    end
+    context 'when not authorized' do
+      before(:each) do
+        unauthorize_create
+        post :create, params: new_attributes
+      end
+      it { expect(response.status).to eq 403 }
+      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on create' }
+    end
+  end
+end
+
+shared_examples 'delete::delete' do
+  describe 'DELETE delete' do
+    context 'when authorized' do
+      before(:each) do
+        authorize_delete
+      end
+      it 'remove record' do
+        expect {
+          expect_any_instance_of(model_klass).to receive(:destroyed_bus_cleanup_message_publish) if model.respond_to? :destroyed_bus_cleanup_message_publish
+          delete :destroy, params: { id: model.id }
+        }.to change(model_klass, :count).by(-1)
+      end
+    end
+    context 'when not authorized' do
+      before(:each) do
+        unauthorize_delete
+        delete :destroy, params: { id: model.id }
+      end
+      it { expect(response.status).to eq 403 }
+      it { expect(JSON.parse(response.body)['base']).to include 'Access denied on destroy' }
+    end
+  end
+end