api_guardian 0.1.0.pre

data/lib/api_guardian/errors/invalid_content_type_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class InvalidContentTypeError < StandardError
+    end
+  end
+end

data/lib/api_guardian/errors/invalid_permission_name_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class InvalidPermissionNameError < StandardError
+    end
+  end
+end

data/lib/api_guardian/errors/invalid_request_body_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class InvalidRequestBodyError < StandardError
+    end
+  end
+end

data/lib/api_guardian/errors/invalid_request_resource_id_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class InvalidRequestResourceIdError < StandardError
+    end
+  end
+end

data/lib/api_guardian/errors/invalid_request_resource_type_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class InvalidRequestResourceTypeError < StandardError
+    end
+  end
+end

data/lib/api_guardian/errors/invalid_update_action_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class InvalidUpdateActionError < StandardError
+    end
+  end
+end

data/lib/api_guardian/errors/reset_token_expired_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class ResetTokenExpiredError < StandardError
+    end
+  end
+end

data/lib/api_guardian/errors/reset_token_user_mismatch_error.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Errors
+    class ResetTokenUserMismatchError < StandardError
+    end
+  end
+end

data/lib/api_guardian/policies/application_policy.rb

@@ -0,0 +1,65 @@
+module ApiGuardian
+  module Policies
+    class ApplicationPolicy
+      attr_reader :user, :record
+
+      def initialize(user, record)
+        @user = user
+        @record = record
+      end
+
+      def index?
+        false
+      end
+
+      def show?
+        user.can?(["#{resource_name}:read", "#{resource_name}:manage"])
+      end
+
+      def create?
+        user.can?(["#{resource_name}:create", "#{resource_name}:manage"])
+      end
+
+      def new?
+        create?
+      end
+
+      def update?
+        user.can?(["#{resource_name}:update", "#{resource_name}:manage"])
+      end
+
+      def edit?
+        update?
+      end
+
+      def destroy?
+        user.can?(["#{resource_name}:delete", "#{resource_name}:manage"])
+      end
+
+      def scope
+        Pundit.policy_scope!(user, record.class)
+      end
+
+      class Scope
+        attr_reader :user, :scope
+
+        def initialize(user, scope)
+          @user = user
+          @scope = scope
+        end
+
+        def resolve
+          scope
+        end
+      end
+
+      protected
+
+      def resource_name
+        return record.new.class.name.demodulize.downcase if record.respond_to? :new
+
+        record.class.name.demodulize.downcase
+      end
+    end
+  end
+end

data/lib/api_guardian/policies/permission_policy.rb

@@ -0,0 +1,15 @@
+module ApiGuardian
+  module Policies
+    class PermissionPolicy < ApplicationPolicy
+      class Scope < Scope
+        def resolve
+          if user.can?(['permission:read', 'permission:manage'])
+            scope
+          else
+            fail Pundit::NotAuthorizedError
+          end
+        end
+      end
+    end
+  end
+end

data/lib/api_guardian/policies/role_policy.rb

@@ -0,0 +1,15 @@
+module ApiGuardian
+  module Policies
+    class RolePolicy < ApplicationPolicy
+      class Scope < Scope
+        def resolve
+          if user.can?(['role:read', 'role:manage'])
+            scope
+          else
+            fail Pundit::NotAuthorizedError
+          end
+        end
+      end
+    end
+  end
+end

data/lib/api_guardian/policies/user_policy.rb

@@ -0,0 +1,23 @@
+module ApiGuardian
+  module Policies
+    class UserPolicy < ApplicationPolicy
+      class Scope < Scope
+        def resolve
+          if user.can?(['user:read', 'user:manage'])
+            scope.includes(role: [role_permissions: [:permission]])
+          else
+            fail Pundit::NotAuthorizedError
+          end
+        end
+      end
+
+      def show?
+        user.can?(['user:read', 'user:manage']) || record.id == user.id
+      end
+
+      def update?
+        user.can?(['user:update', 'user:manage']) || record.id == user.id
+      end
+    end
+  end
+end

data/lib/api_guardian/stores/base.rb

@@ -0,0 +1,53 @@
+module ApiGuardian
+  module Stores
+    class Base
+      @@instance = nil
+
+      delegate :new, to: :resource_class
+
+      def initialize(scope = nil)
+        @scope = scope
+        @@instance = self
+      end
+
+      def all
+        @scope.all
+      end
+
+      def paginate(page = 1, per_page = 25)
+        @scope.page(page).per(per_page)
+      end
+
+      def find(id)
+        record = resource_class.find(id)
+        fail ActiveRecord::RecordNotFound unless record
+        record
+      end
+
+      def save(resource)
+        resource.save!
+      end
+
+      def create(attributes)
+        resource = resource_class.new(attributes)
+        fail ActiveRecord::RecordInvalid.new(resource), '' unless resource.valid?
+        save(resource)
+        resource
+      end
+
+      def update(resource, attributes)
+        resource.update_attributes!(attributes)
+      end
+
+      def destroy(resource)
+        resource.destroy!
+      end
+
+      protected
+
+      def resource_class
+        @resource_class ||= self.class.name.gsub('Stores::', '').gsub('Store', '').classify.constantize
+      end
+    end
+  end
+end

data/lib/api_guardian/stores/permission_store.rb

@@ -0,0 +1,6 @@
+module ApiGuardian
+  module Stores
+    class PermissionStore < Base
+    end
+  end
+end

data/lib/api_guardian/stores/role_store.rb

@@ -0,0 +1,9 @@
+module ApiGuardian
+  module Stores
+    class RoleStore < Base
+      def self.default_role
+        Role.default_role
+      end
+    end
+  end
+end

data/lib/api_guardian/stores/user_store.rb

@@ -0,0 +1,86 @@
+# TODO: How can we remove dependency on .new?
+module ApiGuardian
+  module Stores
+    class UserStore < Base
+      def find_by_email(email)
+        User.find_by_email(email)
+      end
+
+      def find_by_reset_password_token(token)
+        User.find_by_reset_password_token(token)
+      end
+
+      def create(attributes)
+        attributes[:role_id] = ApiGuardian::Stores::RoleStore.default_role.id
+        attributes[:email_confirmed_at] = DateTime.now.utc
+        attributes[:active] = true
+        super attributes
+      end
+
+      def self.register(attributes)
+        instance = new(nil)
+
+        attributes[:role_id] = ApiGuardian::Stores::RoleStore.default_role.id
+        attributes[:active] = false
+
+        # create user
+        user = instance.new(attributes)
+        fail ActiveRecord::RecordInvalid.new(user), '' unless user.valid?
+        instance.save(user)
+
+        # TODO: put user created event onto queue
+
+        user
+      end
+
+      def self.reset_password(email)
+        instance = new(nil)
+
+        user = instance.find_by_email(email)
+
+        if user
+          user.reset_password_token = SecureRandom.hex(64)
+          user.reset_password_sent_at = DateTime.now.utc
+          user.save
+
+          # TODO: email password reset
+          return true
+        end
+
+        false
+      end
+
+      def self.complete_reset_password(attributes)
+        instance = new(nil)
+        # Find user by token
+        user = instance.find_by_reset_password_token(attributes[:token])
+
+        if user
+          # Validate submitted email matches token
+          fail ApiGuardian::Errors::ResetTokenUserMismatchError, attributes[:email] unless user.email == attributes[:email]
+
+          # Check that it hasn't expired
+          fail ApiGuardian::Errors::ResetTokenExpiredError, '' unless user.reset_password_token_valid?
+
+          # Validate password
+          if attributes.fetch(:password, nil).blank?
+            user.errors.add(:password, :blank)
+            fail ActiveRecord::RecordInvalid.new(user), ''
+          end
+          user.assign_attributes(attributes.slice(:password, :password_confirmation))
+          user.save! # This will fail if it is invalid
+
+          # Done
+          user.reset_password_token = nil
+          user.reset_password_sent_at = nil
+          user.save
+
+          # TODO: send password changed confirmation email
+
+          return true
+        end
+        false
+      end
+    end
+  end
+end

data/lib/api_guardian/version.rb

@@ -0,0 +1,3 @@
+module ApiGuardian
+  VERSION = "0.1.0.pre"
+end

data/lib/generators/api_guardian/install/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Explain the generator
+
+Example:
+    rails generate install Thing
+
+    This will create:
+        what/will/it/create

data/lib/generators/api_guardian/install/install_generator.rb

@@ -0,0 +1,19 @@
+module ApiGuardian
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path('../templates', __FILE__)
+
+    desc 'Creates an ApiGuardian initializer and copy locale files to your application.'
+
+    def copy_initializer
+      template 'api_guardian.rb', 'config/initializers/api_guardian.rb'
+    end
+
+    def add_routes
+      route 'mount ApiGuardian::Engine => \'/auth\''
+    end
+
+    def show_readme
+      readme 'README' if behavior == :invoke
+    end
+  end
+end

data/lib/generators/api_guardian/install/templates/README

@@ -0,0 +1 @@
+Do stuff with ApiGuardian

data/lib/generators/api_guardian/install/templates/api_guardian.rb

@@ -0,0 +1,5 @@
+ApiGuardian.setup do |config|
+  # In order to change the base user class, you'd need to uncomment this line and
+  # enter your own class name. Your class will need to extend ApiGuardian::User.
+  # config.user_class = 'User'
+end

data/lib/tasks/api_guardian_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :api_guardian do
+#   # Task goes here
+# end

data/spec/concerns/api_errors/handler_spec.rb

@@ -0,0 +1,114 @@
+module Test
+  class Dummy
+    include ControllerConcernTestHelpers
+    include ApiGuardian::Concerns::ApiErrors::Handler
+  end
+end
+
+describe ApiGuardian::Concerns::ApiErrors::Handler, type: :request do
+  let(:dummy_class) { Test::Dummy.new }
+
+  # Methods
+  describe 'methods' do
+    describe '#doorkeeper_unauthorized_render_options' do
+      it 'returns an error hash' do
+        expect_any_instance_of(Test::Dummy).to receive(:construct_error).with(
+          401, 'not_authenticated', 'Not Authenticated', 'You must be logged in.'
+        ).and_return('foo')
+        result = dummy_class.doorkeeper_unauthorized_render_options ''
+
+        expect(result).to eq(json: { errors: ['foo'] })
+      end
+    end
+
+    describe '#api_error_handler' do
+      it 'handles Pundit::NotAuthorizedError' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          403, 'not_authorized', 'Not Authorized', 'You are not authorized to perform this action.'
+        )
+        expect { dummy_class.api_error_handler(Pundit::NotAuthorizedError.new) }.not_to raise_error
+      end
+
+      it 'handles ActionController::ParameterMissing' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          400, 'malformed_request', 'Malformed Request', 'param is missing or the value is empty: test'
+        )
+        expect { dummy_class.api_error_handler(ActionController::ParameterMissing.new('test')) }.not_to raise_error
+      end
+
+      it 'handles ActiveRecord::RecordInvalid' do
+      end
+
+      it 'handles ActiveRecord::RecordNotFound' do
+        allow_any_instance_of(ActionDispatch::Request).to receive(:original_url).and_return('test.com')
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          404, 'not_found', 'Not Found', 'Resource or endpoint missing: test.com'
+        )
+        expect { dummy_class.api_error_handler(ActiveRecord::RecordNotFound.new('test')) }.not_to raise_error
+      end
+
+      it 'handles InvalidContentTypeError' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          415, 'invalid_content_type', 'Invalid Content Type', 'Supported content types are: application/vnd.api+json'
+        )
+        expect { dummy_class.api_error_handler(ApiGuardian::Errors::InvalidContentTypeError.new('')) }.not_to raise_error
+      end
+
+      it 'handles InvalidRequestBodyError' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          400, 'invalid_request_body', 'Invalid Request Body', 'The \'test\' property is required.'
+        )
+        expect { dummy_class.api_error_handler(ApiGuardian::Errors::InvalidRequestBodyError.new('test')) }.not_to raise_error
+      end
+
+      it 'handles InvalidRequestResourceTypeError' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          400, 'invalid_request_resource_type', 'Invalid Request Resource Type',
+          'Expected \'type\' property to be \'test\' for this resource.'
+        )
+        expect { dummy_class.api_error_handler(ApiGuardian::Errors::InvalidRequestResourceTypeError.new('test')) }.not_to raise_error
+      end
+
+      it 'handles InvalidRequestResourceIdError' do
+        allow_any_instance_of(ActionController::Parameters).to receive(:fetch).with(:id, nil).and_return('test')
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          400, 'invalid_request_resource_id', 'Invalid Request Resource ID',
+          'Request \'id\' property does not match \'id\' of URI. Provided: value, Expected: test'
+        )
+        expect { dummy_class.api_error_handler(ApiGuardian::Errors::InvalidRequestResourceIdError.new('value')) }.not_to raise_error
+      end
+
+      it 'handles InvalidUpdateActionError' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          405, 'method_not_allowed', 'Method Not Allowed',
+          'Resource update action expects PATCH method.'
+        )
+        expect { dummy_class.api_error_handler(ApiGuardian::Errors::InvalidUpdateActionError.new('')) }.not_to raise_error
+      end
+
+      it 'handles ResetTokenUserMismatchError' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          403, 'reset_token_mismatch', 'Reset Token Mismatch',
+          'Reset token is not valid for the supplied email address.'
+        )
+        expect { dummy_class.api_error_handler(ApiGuardian::Errors::ResetTokenUserMismatchError.new('')) }.not_to raise_error
+      end
+
+      it 'handles ResetTokenExpiredError' do
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          403, 'reset_token_expired', 'Reset Token Expired',
+          'This reset token has expired. Tokens are valid for 24 hours.'
+        )
+        expect { dummy_class.api_error_handler(ApiGuardian::Errors::ResetTokenExpiredError.new('')) }.not_to raise_error
+      end
+
+      it 'handles generic errors' do
+        exception = StandardError.new('')
+        expect_any_instance_of(Test::Dummy).to receive(:render_error).with(
+          500, nil, nil, nil, exception
+        )
+        expect { dummy_class.api_error_handler(exception) }.not_to raise_error
+      end
+    end
+  end
+end