active_storage_encryption 0.1.0

data/lib/active_storage_encryption/overrides.rb

@@ -0,0 +1,201 @@
+# frozen_string_literal: true
+
+module ActiveStorageEncryption
+  module Overrides
+    module EncryptedBlobClassMethods
+      def self.included base
+        base.class_eval do
+          encrypts :encryption_key
+          validates :encryption_key, presence: {message: "must be present for this service"}, if: :service_encrypted?
+
+          class << self
+            ENCRYPTION_KEY_LENGTH_BYTES = 16 + 32 # So we have enough
+
+            def service_encrypted?(service_name)
+              return false unless service_name
+
+              service = ActiveStorage::Blob.services.fetch(service_name) do
+                ActiveStorage::Blob.service
+              end
+
+              !!service&.try(:encrypted?)
+            end
+
+            def generate_random_encryption_key
+              SecureRandom.bytes(ENCRYPTION_KEY_LENGTH_BYTES)
+            end
+
+            def create_before_direct_upload!(filename:, byte_size:, checksum:, content_type: nil, metadata: nil, service_name: nil, record: nil, key: nil, encryption_key: nil)
+              encryption_key = service_encrypted?(service_name) ? (encryption_key || generate_random_encryption_key) : nil
+              create!(key: key, filename: filename, byte_size: byte_size, checksum: checksum, content_type: content_type, metadata: metadata, service_name: service_name, encryption_key: encryption_key)
+            end
+
+            def create_and_upload!(io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil, key: nil, encryption_key: nil)
+              create_after_unfurling!(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify, encryption_key:).tap do |blob|
+                blob.upload_without_unfurling(io)
+              end
+            end
+
+            def build_after_unfurling(io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil, key: nil, encryption_key: nil)
+              new(key: key, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, encryption_key:).tap do |blob|
+                blob.unfurl(io, identify: identify)
+                blob.encryption_key ||= service_encrypted?(service_name) ? (encryption_key || generate_random_encryption_key) : nil
+              end
+            end
+
+            def create_after_unfurling!(io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil, key: nil, encryption_key: nil)
+              build_after_unfurling(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify, encryption_key:).tap(&:save!)
+            end
+
+            # Concatenate multiple blobs into a single "composed" blob.
+            def compose(blobs, filename:, content_type: nil, metadata: nil, key: nil, service_name: nil, encryption_key: nil)
+              raise ActiveRecord::RecordNotSaved, "All blobs must be persisted." if blobs.any?(&:new_record?)
+
+              content_type ||= blobs.pluck(:content_type).compact.first
+
+              new(key: key, filename: filename, content_type: content_type, metadata: metadata, byte_size: blobs.sum(&:byte_size), service_name:, encryption_key:).tap do |combined_blob|
+                combined_blob.compose(blobs.pluck(:key))
+                combined_blob.save!
+              end
+            end
+          end
+        end
+      end
+    end
+
+    module EncryptedBlobInstanceMethods
+      def service_encrypted?
+        !!service&.try(:encrypted?)
+      end
+
+      def service_url_for_direct_upload(expires_in: ActiveStorage.service_urls_expire_in)
+        if service_encrypted?
+          raise "No encryption key present" unless encryption_key
+          service.url_for_direct_upload(key, expires_in: expires_in, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata, encryption_key: encryption_key)
+        else
+          super
+        end
+      end
+
+      def open(tmpdir: nil, &block)
+        service.open(
+          key,
+          encryption_key: encryption_key,
+          checksum: checksum,
+          verify: !composed,
+          name: ["ActiveStorage-#{id}-", filename.extension_with_delimiter],
+          tmpdir: tmpdir,
+          &block
+        )
+      end
+
+      def service_headers_for_direct_upload
+        if service_encrypted?
+          service.headers_for_direct_upload(key, filename: filename, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata, encryption_key: encryption_key)
+        else
+          super
+        end
+      end
+
+      def upload_without_unfurling(io)
+        if service_encrypted?
+          service.upload(key, io, checksum: checksum, encryption_key: encryption_key, **service_metadata)
+        else
+          super
+        end
+      end
+
+      # Downloads the file associated with this blob. If no block is given, the entire file is read into memory and returned.
+      # That'll use a lot of RAM for very large files. If a block is given, then the download is streamed and yielded in chunks.
+      def download(&block)
+        if service_encrypted?
+          service.download(key, encryption_key: encryption_key, &block)
+        else
+          super
+        end
+      end
+
+      def download_chunk(range)
+        if service_encrypted?
+          service.download_chunk(key, range, encryption_key: encryption_key)
+        else
+          super
+        end
+      end
+
+      def compose(keys)
+        if service_encrypted?
+          self.composed = true
+          service.compose(keys, key, encryption_key: encryption_key, **service_metadata)
+        else
+          super
+        end
+      end
+
+      def url(expires_in: ActiveStorage.service_urls_expire_in, disposition: :inline, filename: nil, **options)
+        if service_encrypted?
+          service.url(
+            key, expires_in: expires_in, filename: ActiveStorage::Filename.wrap(filename || self.filename),
+            encryption_key: encryption_key,
+            content_type: content_type_for_serving, disposition: forced_disposition_for_serving || disposition,
+            **options
+          )
+        else
+          super
+        end
+      end
+
+      # The encryption_key can be in binary and not serializabe to UTF-8 by to_json, thus we always want to
+      # leave it out. This is also to better mimic how native ActiveStorage handles it.
+      def serializable_hash(options = nil)
+        options = if options
+          options.merge(except: Array.wrap(options[:except]).concat([:encryption_key]).uniq)
+        else
+          {except: [:encryption_key]}
+        end
+        super
+      end
+    end
+
+    module BlobIdentifiableInstanceMethods
+      private
+
+      # Active storage attach() tries to identify the content_type of the file. For that it downloads a chunk.
+      # Since we have an encrypted disk service which needs an encryption_key on everything, every call to it needs the encryption_key passed too.
+      def download_identifiable_chunk
+        if service_encrypted?
+          if byte_size.positive?
+            service.download_chunk(key, 0...4.kilobytes, encryption_key: encryption_key)
+          else
+            "".b
+          end
+        else
+          super
+        end
+      end
+    end
+
+    module DownloaderInstanceMethods
+      def open(key, encryption_key: nil, checksum: nil, verify: true, name: "ActiveStorage-", tmpdir: nil, &blk)
+        open_tempfile(name, tmpdir) do |file|
+          download(key, file, encryption_key: encryption_key)
+          verify_integrity_of(file, checksum: checksum) if verify
+          yield file
+        end
+      end
+
+      private
+
+      def download(key, file, encryption_key: nil)
+        if service.respond_to?(:encrypted?) && service.encrypted?
+          file.binmode
+          service.download(key, encryption_key: encryption_key) { |chunk| file.write(chunk) }
+          file.flush
+          file.rewind
+        else
+          super(key, file)
+        end
+      end
+    end
+  end
+end

data/lib/active_storage_encryption/private_url_policy.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module ActiveStorageEncryption::PrivateUrlPolicy
+  DEFAULT_POLICY = :stream
+
+  def initialize(private_url_policy: DEFAULT_POLICY, **any_other_options_for_service)
+    self.private_url_policy = private_url_policy.to_sym
+    super(**any_other_options_for_service)
+  end
+
+  def private_url_policy=(new_value)
+    allowed = [:disable, :require_headers, :stream]
+    raise ArgumentError, "private_url_policy: must be one of #{allowed.join(",")}" unless allowed.include?(new_value.to_sym)
+    @private_url_policy = new_value.to_sym
+  end
+
+  def private_url_policy
+    @private_url_policy
+  end
+
+  def private_url_for_streaming_via_controller(key, expires_in:, filename:, content_type:, disposition:, encryption_key:)
+    if private_url_policy == :disable
+      raise ActiveStorageEncryption::StreamingDisabled, <<~EOS
+        Requested a signed GET URL for #{key.inspect} on service #{name}. This service
+        has disabled presigned URLs (private_url_policy: disable), you have to use `Blob#download` instead.
+      EOS
+    end
+
+    content_disposition = content_disposition_with(type: disposition, filename: filename)
+    verified_key_with_expiration = ActiveStorageEncryption.token_encryptor.encrypt_and_sign(
+      {
+        key: key,
+        disposition: content_disposition,
+        encryption_key_sha256: Digest::SHA256.base64digest(encryption_key),
+        content_type: content_type,
+        service_name: name,
+        encryption_key: Base64.strict_encode64(encryption_key)
+      },
+      expires_in: expires_in,
+      purpose: :encrypted_get
+    )
+
+    # Both url_helpers and url_options are on the DiskService, but we need them here for other Services too
+    url_helpers = ActiveStorageEncryption::Engine.routes.url_helpers
+    url_options = ActiveStorage::Current.url_options
+
+    if url_options.blank?
+      raise ArgumentError, "Cannot generate URL for #{filename} because ActiveStorage::Current.url_options is not set"
+    end
+
+    url_helpers.encrypted_blob_streaming_get_url(verified_key_with_expiration, filename: filename, **url_options)
+  end
+end

data/lib/active_storage_encryption/resumable_gcs_upload.rb

@@ -0,0 +1,194 @@
+# frozen_string_literal: true
+
+# Unlike the AWS SDKs, the Ruby GCP SDKs do not have a built-in resumable upload feature, while that
+# feature is well-supported by GCP (and has been supported for a long while). This module provides
+# resumable uploads in an IO-like package, giving you an object you can write to.
+#
+#  file = @bucket.file("upload.bin", skip_lookup: true)
+#  upload = ActiveStorageEncryption::ResumableGCSUpload.new(file)
+#  upload.stream do |io|
+#     io.write("Hello resumable")
+#     20.times { io.write(Random.bytes(1.megabyte)) }
+#  end
+#
+# Note that to perform the resumable upload your IAM identity or machine identity must have either
+# a correct key for accessing Cloud Storage, or - alternatively - run under a service account
+# that is permitted to sign blobs. This maps to the "iam.serviceAccountTokenCreator" role -
+# see https://github.com/googleapis/google-cloud-ruby/issues/13307 and https://cloud.google.com/iam/docs/service-account-permissions
+class ActiveStorageEncryption::ResumableGCSUpload
+  # AWS recommend 5MB as the default part size for multipart uploads. GCP recommend doing "less requests"
+  # in general, and they mandate that all parts except last are a multile of 256*1024. Knowing that we will
+  # need to hold a buffer of that size, let's just assume that the 5MB that AWS uses is a good number for part size.
+  CHUNK_SIZE_FOR_UPLOADS = 5 * 1024 * 1024
+
+  # When doing GCP uploads the chunks need to be sized to 256KB increments, and the output
+  # that we generate is not guaranteed to be chopped up this way. Also the upload for the last
+  # chunk is done slightly different than the preceding chunks. It is convenient to have a
+  # way to "chop up" an arbitrary streaming output into evenly sized chunks.
+  class ByteChunker
+    # @param chunk_size[Integer] the chunk size that all the chunks except the last one must have
+    # @delivery_proc the proc that will receive the bytes and the `is_last` boolean to indicate the last chunk
+    def initialize(chunk_size: 256 * 1024, &delivery_proc)
+      @chunk_size = chunk_size.to_i
+      # Use a fixed-capacity String instead of a StringIO since there are some advantages
+      # to mutable strings, if a string can be reused this saves memory
+      @buf_str = String.new(encoding: Encoding::BINARY, capacity: @chunk_size * 2)
+      @delivery_proc = delivery_proc.to_proc
+    end
+
+    # Appends data to the buffer. Once the size of the chunk has been exceeded, a precisely-sized
+    # chunk will be passed to the `delivery_proc`
+    #
+    # @param bin_str[String] string in binary encoding
+    # @return self
+    def <<(bin_str)
+      @buf_str << bin_str.b
+      deliver_buf_in_chunks
+      self
+    end
+
+    # Appends data to the buffer. Once the size of the chunk has been exceeded, a precisely-sized
+    # chunk will be passed to the `delivery_proc`
+    #
+    # @param bin_str[String] string in binary encoding
+    # @return [Integer] number of bytes appended to the buffer
+    def write(bin_str)
+      self << bin_str
+      bin_str.bytesize
+    end
+
+    # Sends the last chunk to the `delivery_proc` even if there is nothing output -
+    # the last request will usually be needed to close the file
+    #
+    # @return void
+    def finish
+      deliver_buf_in_chunks
+      @delivery_proc.call(@buf_str, _is_last_chunk = true)
+      nil
+    end
+
+    private def deliver_buf_in_chunks
+      while @buf_str.bytesize > @chunk_size
+        @delivery_proc.call(@buf_str[0...@chunk_size], _is_last_chunk = false)
+        @buf_str.replace(@buf_str[@chunk_size..])
+      end
+    end
+  end
+
+  # Largely inspired by https://gist.github.com/frankyn/9a5344d1b19ed50ebbf9f15f0ff92032
+  # Acts like a writable object that you send data into. The object will split the data
+  # you send into chunks and send it to GCP cloud storage, you do not need to indicate
+  # the size of the output in advance. You do need to close the object to deliver the
+  # last chunk
+  class RangedPutIO
+    extend Forwardable
+    def_delegators :@chunker, :write, :finish, :<<
+
+    # The chunks have to be sized in multiples of 256 kibibytes or 262,144 bytes
+    CHUNK_SIZE_UNIT = 256 * 1024
+
+    def initialize(put_url, chunk_size:, content_type: "binary/octet-stream")
+      raise ArgumentError, "chunk_size of #{chunk_size} is not a multiple of #{CHUNK_SIZE_UNIT}" unless (chunk_size % CHUNK_SIZE_UNIT).zero?
+
+      @put_uri = URI(put_url)
+      @last_byte = 0
+      @total_bytes = 0
+      @content_type = content_type
+      @chunker = ByteChunker.new(chunk_size: chunk_size) { |bytes, is_last| upload_chunk(bytes, is_last) }
+    end
+
+    private
+
+    def upload_chunk(chunk, is_last)
+      @total_bytes += chunk.bytesize
+      content_range = if is_last
+        "bytes #{@last_byte}-#{@last_byte + chunk.bytesize - 1}/#{@total_bytes}"
+      else
+        "bytes #{@last_byte}-#{@last_byte + chunk.bytesize - 1}/*"
+      end
+      @last_byte += chunk.bytesize
+
+      headers = {
+        "Content-Length" => chunk.bytesize.to_s,
+        "Content-Range" => content_range,
+        "Content-Type" => @content_type,
+        "Content-MD5" => Digest::MD5.base64digest(chunk) # This is to early flag bugs like the one mentioned below with httpx
+      }
+
+      # Use plain old Net::HTTP here since currently version 1.4.0 of HTTPX (which is used by Faraday in our env) mangles up the file bytes before upload.
+      # when passing a File object directly.
+      # See https://cheddar-me.slack.com/archives/C01FEPX7PA9/p1739290056637849
+      # and https://gitlab.com/os85/httpx/-/issues/338
+      put_response = Net::HTTP.put(@put_uri, chunk, headers)
+
+      # This is weird (from https://cloud.google.com/storage/docs/performing-resumable-uploads#resume-upload):
+      #   Repeat the above steps for each remaining chunk of data that you want to upload, using the upper
+      #   value contained in the Range header of each response to determine where to start each successive
+      #   chunk; you should not assume that the server received all bytes sent in any given request.
+      # So in theory we must check that the "Range:" header in the response is "bytes=0-{@last_byte + chunk.bytesize - 1}"
+      # and we will add that soon.
+      #
+      # 308 means "intermediate chunk uploaded", 200 means "last chunk uploaded"
+      return if [308, 200].include?(put_response.code.to_i)
+
+      raise "The PUT for the resumable upload responded with status #{put_response.code}, headers #{put_response.to_hash.inspect}"
+    end
+  end
+
+  # @param [Google::Cloud::Storage::File]
+  def initialize(file, content_type: "binary/octet-stream", **signed_url_options)
+    @file = file
+    @content_type = content_type
+    @signed_url_options = url_issuer_and_signer.merge(signed_url_options)
+  end
+
+  # @yields writable[IO] an IO-ish object that responds to `#write`
+  def stream(&blk)
+    session_start_url = @file.signed_url(method: "POST", content_type: @content_type, headers: {"x-goog-resumable": "start"}, **@signed_url_options)
+    response = Net::HTTP.post(URI(session_start_url), "", {"content-type" => @content_type, "x-goog-resumable" => "start"})
+    raise "Expected HTTP status code to be 201, got #{response.code}" unless response.code.to_i == 201
+
+    resumable_upload_session_put_url = response["location"]
+    writable = RangedPutIO.new(resumable_upload_session_put_url, content_type: @content_type, chunk_size: CHUNK_SIZE_FOR_UPLOADS)
+    yield(writable)
+    writable.finish
+  end
+
+  private
+
+  # This is gnarly. It is needed to allow service accounts (workload identity) to sign
+  # blobs - which is needed to sign a presigned POST URL. The presigned POST URL allows us
+  # to initiate a resumable upload.
+  #
+  # Comes from here:
+  # https://github.com/googleapis/google-cloud-ruby/issues/13307#issuecomment-1894546343
+  def url_issuer_and_signer
+    env = Google::Cloud.env
+    if env.compute_engine?
+      # Issuer is the service account email that the Signed URL will be signed with
+      # and any permission granted in the Signed URL must be granted to the
+      # Google Service Account.
+      issuer = env.lookup_metadata "instance", "service-accounts/default/email"
+
+      # Create a lambda that accepts the string_to_sign
+      signer = lambda do |string_to_sign|
+        iam_client = Google::Apis::IamcredentialsV1::IAMCredentialsService.new
+
+        # Get the environment configured authorization
+        scopes = ["https://www.googleapis.com/auth/iam"]
+        iam_client.authorization = Google::Auth.get_application_default scopes
+
+        request = Google::Apis::IamcredentialsV1::SignBlobRequest.new(
+          payload: string_to_sign
+        )
+        resource = "projects/-/serviceAccounts/#{issuer}"
+        response = iam_client.sign_service_account_blob(resource, request)
+        response.signed_blob
+      end
+
+      {issuer:, signer:}
+    else
+      {}
+    end
+  end
+end

data/lib/active_storage_encryption/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ActiveStorageEncryption
+  VERSION = "0.1.0"
+end

data/lib/active_storage_encryption.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "active_storage_encryption/version"
+require "active_storage_encryption/engine"
+
+module ActiveStorageEncryption
+  autoload :PrivateUrlPolicy, __dir__ + "/active_storage_encryption/private_url_policy.rb"
+  autoload :EncryptedBlobsController, __dir__ + "/active_storage_encryption/encrypted_blobs_controller.rb"
+  autoload :EncryptedDiskService, __dir__ + "/active_storage_encryption/encrypted_disk_service.rb"
+  autoload :EncryptedMirrorService, __dir__ + "/active_storage_encryption/encrypted_mirror_service.rb"
+  autoload :EncryptedS3Service, __dir__ + "/active_storage_encryption/encrypted_s3_service.rb"
+  autoload :Overrides, __dir__ + "/active_storage_encryption/overrides.rb"
+
+  class IncorrectEncryptionKey < ArgumentError
+  end
+
+  class StreamingDisabled < ArgumentError
+  end
+
+  class StreamingTokenInvalidOrExpired < ActiveSupport::MessageEncryptor::InvalidMessage
+  end
+
+  # Unlike MessageVerifier#verify, MessageEncryptor#decrypt_and_verify does not raise an exception if
+  # the message decrypts, but has expired or was signed for a different purpose. We want an exception
+  # to remove the annoying nil checks.
+  class TokenEncryptor < ActiveSupport::MessageEncryptor
+    def decrypt_and_verify(value, **options)
+      super.tap do |message_or_nil|
+        raise StreamingTokenInvalidOrExpired if message_or_nil.nil?
+      end
+    end
+  end
+
+  # Returns the ActiveSupport::MessageEncryptor which is used for encrypting the
+  # streaming download URLs. These URLs need to contain the encryption key which
+  # we do not want to reveal to the consumer. Note that this encryptor _is not_
+  # used to encrypt the file data itself - ActiveSupport::MessageEncryptor is not
+  # fit for streaming and not designed for file encryption use cases. We just use
+  # this encryptor to encrypt the tokens in URLs (which is something the MessageEncryptor)
+  # is actually good at.
+  #
+  # The encryptor gets configured using a key derived from the Rails secrets, in a similar
+  # manner to the MessageVerifier provided for your Rails app by the Rails bootstrapping code.
+  #
+  # @return [ActiveSupport::MessageEncryptor] the configured encryptor.
+  def self.token_encryptor
+    # Rails has a per-app message verifier, which is used for different purposes:
+    #
+    # Rails.application.message_verifier('sensitive_data')
+    #
+    # The ActiveStorage verifier (`ActiveStorage.verifier`) is actually just:
+    #
+    # Rails.application.message_verifier('ActiveStorage')
+    #
+    # Sadly, unlike the verifier, a Rails app does not have a similar centrally
+    # set-up `message_encryptor`, specifying a sane configuration (secret, encryption
+    # scheme et cetera).
+    #
+    # The initialization code for the Rails-wide verifiers (it is plural since Rails initializes
+    # verifiers according to the argument you pass to `message_verifier(purpose_or_name_of_using_module)`:
+    #   ActiveSupport::MessageVerifiers.new do |salt, secret_key_base: self.secret_key_base|
+    #     key_generator(secret_key_base).generate_key(salt)
+    #   end.rotate_defaults
+    #
+    # The same API is actually supported by ActiveSupport::MessageEncryptors, see
+    # https://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptors.html
+    # but we do not need multiple encryptors - one will do :-)
+    secret_key_base = Rails.application.secret_key_base
+    raise ArgumentError, "secret_key_base must be present on Rails.application" unless secret_key_base
+
+    len = TokenEncryptor.key_len
+    salt = Digest::SHA2.digest("ActiveStorageEncryption")
+    raise "Salt must be the same length as the key" unless salt.bytesize == len
+    key = ActiveSupport::KeyGenerator.new(secret_key_base).generate_key(salt, len)
+
+    # We need an URL-safe serializer, since the tokens are used in a path in URLs
+    TokenEncryptor.new(key, url_safe: true)
+  end
+end

data/lib/tasks/active_storage_encryption_tasks.rake

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+# desc "Explaining what the task does"
+# task :active_storage_encryption do
+#   # Task goes here
+# end

data/test/active_storage_encryption_test.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class ActiveStorageEncryptionTest < ActiveSupport::TestCase
+  test "it has a version number" do
+    assert ActiveStorageEncryption::VERSION
+  end
+end

data/test/dummy/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative "config/application"
+
+Rails.application.load_tasks

data/test/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1 @@
+/* Application styles */

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class ApplicationController < ActionController::Base
+  # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
+  allow_browser versions: :modern
+end

data/test/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+module ApplicationHelper
+end

data/test/dummy/app/models/application_record.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ApplicationRecord < ActiveRecord::Base
+  primary_abstract_class
+end

data/test/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title><%= content_for(:title) || "Dummy" %></title>
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <meta name="apple-mobile-web-app-capable" content="yes">
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= yield :head %>
+
+    <link rel="manifest" href="/manifest.json">
+    <link rel="icon" href="/icon.png" type="image/png">
+    <link rel="icon" href="/icon.svg" type="image/svg+xml">
+    <link rel="apple-touch-icon" href="/icon.png">
+    <%= stylesheet_link_tag "application" %>
+  </head>
+
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/test/dummy/app/views/pwa/manifest.json.erb

@@ -0,0 +1,22 @@
+{
+  "name": "Dummy",
+  "icons": [
+    {
+      "src": "/icon.png",
+      "type": "image/png",
+      "sizes": "512x512"
+    },
+    {
+      "src": "/icon.png",
+      "type": "image/png",
+      "sizes": "512x512",
+      "purpose": "maskable"
+    }
+  ],
+  "start_url": "/",
+  "display": "standalone",
+  "scope": "/",
+  "description": "Dummy.",
+  "theme_color": "red",
+  "background_color": "red"
+}

data/test/dummy/app/views/pwa/service-worker.js

@@ -0,0 +1,26 @@
+// Add a service worker for processing Web Push notifications:
+//
+// self.addEventListener("push", async (event) => {
+//   const { title, options } = await event.data.json()
+//   event.waitUntil(self.registration.showNotification(title, options))
+// })
+//
+// self.addEventListener("notificationclick", function(event) {
+//   event.notification.close()
+//   event.waitUntil(
+//     clients.matchAll({ type: "window" }).then((clientList) => {
+//       for (let i = 0; i < clientList.length; i++) {
+//         let client = clientList[i]
+//         let clientPath = (new URL(client.url)).pathname
+//
+//         if (clientPath == event.notification.data.path && "focus" in client) {
+//           return client.focus()
+//         }
+//       }
+//
+//       if (clients.openWindow) {
+//         return clients.openWindow(event.notification.data.path)
+//       }
+//     })
+//   )
+// })

data/test/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path("../config/application", __dir__)
+require_relative "../config/boot"
+require "rails/commands"

data/test/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative "../config/boot"
+require "rake"
+Rake.application.run