api_models 0.1.0

data/lib/models/redis_configuration.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+#
+# Easily fetch the redis configuration from redis.yml in the config directory.
+# There are several formats to support
+#
+# URL with single server
+# development:
+#   url: 'redis://localhost:6379/0'
+#
+# Host/port combination for single server
+# development:
+#   host: localhost
+#   port: 6379
+#   db: 0
+#
+# Sentinel
+# development:
+#   master: production
+#   sentinels:
+#     - host1:6379
+#     - host2:6379
+#     - host3:6379
+#   role: master
+#
+# Available for all options
+#   connect_timeout: 0.2
+#   read_timeout: 0.2
+#   write_timeout: 0.2
+#   timeout: 1
+#
+class RedisConfiguration
+  #
+  # Methods are static
+  #
+  class << self
+    #
+    # Load the configuration using the given DB
+    #
+    # Trying first the URL, then host, then sentinel, then default method
+    #
+    def load(database = nil)
+      load_url(database) || load_host(database) || load_sentinel(database) || load_default(database)
+    end
+
+    private
+
+    #
+    # Load the base set of parameters from the config file
+    #
+    def load_base(raw_config)
+      base = {}
+      %i[connect_timeout namespace read_timeout write_timeout timeout].each do |key|
+        base[key] = raw_config[key.to_s] unless raw_config[key.to_s].nil?
+      end
+      base
+    end
+
+    #
+    # Load a default configuration with the given database
+    #
+    def load_default(database = 0)
+      { host: '127.0.0.1', port: 6_379, db: (database || 0) }
+    end
+
+    #
+    # Load the url
+    #
+    def load_url(database = 0)
+      raw_config = load_file
+      return if raw_config.nil? || raw_config['url'].nil?
+
+      config = load_base(raw_config)
+      config[:url] = raw_config['url']
+      config[:db] = (database || 0)
+      config
+    end
+
+    #
+    # Load the given host
+    #
+    def load_host(database = nil)
+      raw_config = load_file
+      return if raw_config.nil? || raw_config['host'].nil?
+
+      config = load_base(raw_config)
+      config[:host] = raw_config['host']
+      config[:port] = raw_config['port'] || 6_379
+      config[:db] = database || raw_config['db'] || 0
+      config
+    end
+
+    #
+    # Load the sentinel configuration
+    #
+    def load_sentinel(database = 0)
+      raw_config = load_file
+      return if raw_config.nil? || raw_config['master'].nil?
+
+      config = load_base(raw_config)
+      config[:url] = "redis://#{raw_config['master']}"
+      config[:sentinels] = raw_config['sentinels'].collect do |sentinel|
+        parts = sentinel.split(':')
+        host = parts.first
+        port = parts.count.eql?(2) ? parts.last : 26_379
+        { host: host, port: port }
+      end
+      config[:db] = database || 0
+      config[:role] = raw_config['role'] || 'master'
+      config
+    end
+
+    #
+    # Return the config file
+    #
+    def config_file_path
+      File.expand_path([ENV['APP_CONFIG_DIR'], 'config', 'redis.yml'].compact.join('/'))
+    end
+
+    #
+    # Load the config/redis.yml and return the environment name
+    #
+    def load_file
+      config = nil
+      file_path = config_file_path
+      if File.exist? file_path
+        yaml_data = YAML.load_file(file_path)
+        config = yaml_data[ENV['RACK_ENV']] if yaml_data
+      end
+
+      config
+    rescue StandardError => error
+      puts "Error loading #{config_file_path} file", error
+      nil # return nothing if there is an error
+    end
+  end
+end

data/lib/models/sso_ad_group.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+#
+# Active Directory Group
+#
+class SsoAdGroup < SsoDirectoryGroup
+end

data/lib/models/sso_ad_server.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+#
+# Connection to AD Server
+#
+class SsoAdServer < SsoDirectoryServer
+  #
+  # Return the AD Server display name.
+  #
+  def display_name
+    'AD Server'
+  end
+end

data/lib/models/sso_ad_user.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+#
+# Active Directory (AD) User
+#
+class SsoAdUser < SsoUser
+  #
+  # Fields
+  #
+  field :dn, type: String
+  field :user_id, type: String
+  field :last_synchronized_at, type: DateTime
+end

data/lib/models/sso_azure_server.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+#
+# Azure SSO Server
+#
+class SsoAzureServer < SsoOauthServer
+  #
+  # Fields
+  #
+  field :tenant_id, type: String
+
+  #
+  # Google Server SSO name
+  #
+  def display_name
+    'Azure OAuth 2.0'
+  end
+end

data/lib/models/sso_directory_group.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+#
+# Base class for SSO directory (AD/LDAP) group
+#
+class SsoDirectoryGroup < Group
+  #
+  # Fields
+  #
+  field :dn, type: String
+  field :synchronize, type: Boolean, default: false
+  field :auto_approve_devices, type: Boolean, default: true
+end

data/lib/models/sso_directory_server.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+#
+# Base class for SSO Directory servers, i.e., AD and LDAP
+#
+class SsoDirectoryServer < SsoServer
+  # fields
+  field :ssl, type: Boolean, default: false
+  field :currently_syncing, type: Boolean, default: false
+  field :server_name, type: String
+  field :port, type: String, default: '389'
+  field :username, type: String
+  field :password, type: String
+  field :frequency, type: String, default: '24'
+  field :last_sync_time, type: DateTime
+  field :last_sync_message, type: String
+  field :treebase, type: String
+  field :user_identifier, type: String
+  # relationships
+  has_many :groups, inverse_of: :sso_server, dependent: :nullify
+end

data/lib/models/sso_google_server.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+#
+# Google OAuth 2.0
+#
+class SsoGoogleServer < SsoOauthServer
+  #
+  # Google Server SSO name
+  #
+  def display_name
+    'Google OAuth 2.0'
+  end
+end

data/lib/models/sso_ldap_group.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+#
+# Light Weight Active Directory Group
+#
+class SsoLdapGroup < SsoDirectoryGroup
+  # Marker class for now
+end

data/lib/models/sso_ldap_rest_server.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+#
+# Interact with the Ldap Restful API for authentication
+#
+class SsoLdapRestServer < SsoServer
+  #
+  # Fields
+  #
+  field :auth_url, type: String
+  field :auth_bearer_token, type: String
+  field :auth_params, type: String
+  field :search_url, type: String
+  field :search_bearer_token, type: String
+  field :search_key_name, type: String, default: 'staff_id'
+  field :image_url, type: String
+  field :image_bearer_token, type: String
+  field :image_api_key, type: String
+
+  #
+  # Display name for this server, should be overriden by concrete implementations.
+  #
+  def display_name
+    'LDAP Rest API Server'
+  end
+
+  #
+  # Using the appropriate SSO server configuration obtain the
+  # the user profile address
+  #
+  def user_profile(user_id)
+    account.users.find(user_id)
+  end
+end

data/lib/models/sso_ldap_server.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+#
+# Hold the configuration for LDAP synchronization, Using the ad_configuration logic to sync with server
+#
+class SsoLdapServer < SsoDirectoryServer
+  #
+  # Fields
+  #
+  field :user_filter, type: String, default: 'ou=users'
+  field :group_filter, type: String, default: 'ou=groups'
+  field :group_identifier, type: String, default: 'gidNumber'
+  #
+  # Return the display name for this server type
+  #
+  def display_name
+    'LDAP Server'
+  end
+end

data/lib/models/sso_ldap_user.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+#
+# Light Weight Directory Access Protocol (LDAP) User
+#
+class SsoLdapUser < SsoAdUser
+end

data/lib/models/sso_oauth_server.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+#
+# OAuth 2.0 Server
+#
+class SsoOauthServer < SsoServer
+  # Fields
+  field :server_url, type: String
+  field :auth_url, type: String
+  field :token_url, type: String
+  field :profile_url, type: String
+  field :redirect_path, type: String, default: 'eas/auth/oauth'
+  field :client_id, type: String
+  field :client_secret, type: String
+  field :scopes, type: String
+end

data/lib/models/sso_saml_v2_server.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+#
+# SSO SAML V2 Server
+#
+class SsoSamlV2Server < SsoServer
+  #
+  # Fields
+  #
+  field :idp_url, type: String
+  field :idp_xml, type: String
+  field :xml_last_fetched_at, type: Time, default: Time.now.utc
+  field :xml_cache_days, type: Integer, default: 365
+  field :name_identifier_format, type: String, default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+  field :name_attribute_key, type: String
+  field :email_attribute_key, type: String
+  field :groups_attribute_key, type: String
+
+  #
+  # Display name for this server, should be overriden by concrete implementations.
+  #
+  def display_name
+    'SAML V2 Server'
+  end
+end

data/lib/models/sso_server.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+#
+# Base server container for an account which can have 0..N sso servers configured.
+#
+class SsoServer
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include App47Logger
+  #
+  # fields
+  #
+  field :active, type: Boolean, default: false
+  field :external_authentication, type: Boolean, default: false
+  field :name, type: String
+  field :default_user_invitation_message, type: String
+  #
+  # relationships
+  #
+  belongs_to :account, inverse_of: :sso_servers
+  has_many :users, inverse_of: :sso_server, dependent: :nullify, class_name: 'SsoUser'
+  has_many :groups, inverse_of: :sso_server, class_name: 'Group'
+
+  #
+  # Display name for this server, should be overriden by concrete implementations.
+  #
+  def display_name
+    'SSO Server'
+  end
+
+  #
+  # Using the appropriate SSO server configuration obtain the
+  # the user profile address, this should be implemented by the child class.
+  #
+  def user_profile(_code)
+    raise 'Failed to retrieve user profile from provider'
+  end
+end

data/lib/models/sso_user.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+#
+# Base class for a SSO User
+#
+class SsoUser < User
+  field :session_hours_length, type: Integer, default: 24
+  field :last_code, type: String
+  #
+  # Relationships
+  #
+  belongs_to :sso_server, class_name: 'SsoServer', inverse_of: :users
+end

data/lib/models/system_configuration.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+#
+# The System configuration. Various configuration items that can be updated/defined at run time instead
+# of AppConfiguration that is defining things statically in code.
+#
+# In hindsight (being 20/20) this should have been named stack_configuration as now the stack UI is
+# what allows the administrator to update/configure this information.
+#
+# Use of this class allows you to simply ask for the configuration parameter directly without
+# first having to get an instance of it.
+#
+# SystemConfiguration.queue_impl #=> 'RedisQueue'
+#
+# This method only is allowed for accessors, you should NEVER set values on the SystemConfiguration
+# unless you are updating via the Admin or Stack UI, or during testing to setup a specific configuration
+# for that.
+#
+class SystemConfiguration
+  include Mongoid::Document
+  include Mongoid::Timestamps
+
+  field :environment, type: String, default: 'test'
+  # Queue Implementation
+  field :queue_impl, type: String, default: 'DelayedJob'
+  field :queue_base, type: String, default: 'test'
+  # AWS
+  field :aws_access_key_id, type: String
+  field :aws_secret_access_key, type: String
+  field :s3_bucket_name, type: String
+  field :cdn_url, type: String
+  # Redis
+  field :redis_queue_url, type: String, default: 'redis://localhost:6379/10'
+  # URLs
+  field :webui_url, type: String, default: 'https://cirrus.app47.com'
+  field :api_url, type: String, default: 'https://api.app47.mobi'
+  field :slack_api_url, type: String
+  field :company_name, type: String, default: 'App47'
+  field :api_version, type: String, default: '3.0'
+  #
+  # Validations
+  #
+  validates :environment, presence: true, uniqueness: true
+  #
+  # Call backs
+  #
+  after_save :clear_cache
+
+  class << self
+    #
+    # Fetch the system configuration based on environment name. First try the rails cache
+    # if not there, then go to the database.
+    #
+    # Also, if an argument error is thrown, then just fetch from the database.
+    #
+    def configuration
+      cache_key = "SystemConfiguration::#{ENV['RACK_ENV']}"
+
+      begin
+        config = App47Cache.get(cache_key) || SystemConfiguration.where(environment: ENV['RACK_ENV']).first
+      rescue ArgumentError
+        # This seems to happen in testing relative to Country, when it does, remove
+        # ourselves from the cache and return the DB entry.
+        App47Cache.delete cache_key
+        config = SystemConfiguration.where(environment: ENV['RACK_ENV']).first
+      end
+      if config.nil?
+        SystemConfiguration.create
+      else
+        App47Cache.set(cache_key, config, 300)
+        config
+      end
+    end
+
+    def method_missing(method, *_args)
+      configuration.send method
+    end
+
+    def respond_to_missing?(method_name, _include_private = false)
+      SystemConfiguration.fields.include?(method_name.to_sym)
+    end
+  end
+
+  private
+
+  #
+  # Clear the cache when the object is saved
+  #
+  def clear_cache
+    App47Cache.delete "SystemConfiguration::#{ENV['RACK_ENV']}"
+  end
+end

data/lib/models/time_bomb_policy.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+#
+# Time Bomb policy for this app
+#
+class TimeBombPolicy < AppPolicy
+  #
+  # Constants
+  #
+  OPTION_KILL = 'kill' unless defined? OPTION_KILL
+  OPTION_WIPE = 'wipe' unless defined? OPTION_WIPE
+  BOMB_OPTIONS = [OPTION_KILL, OPTION_WIPE].freeze unless defined? BOMB_OPTIONS
+  OPTION_AM = 'am' unless defined? OPTION_AM
+  OPTION_PM = 'pm' unless defined? OPTION_PM
+  TIME_OPTIONS = [OPTION_AM, OPTION_PM].freeze unless defined? TIME_OPTIONS
+  HOURS_TO_MS = 60 * 60 * 1000
+  UNIT_HOURS = 'hours' unless defined? UNIT_HOURS
+  UNIT_DAYS = 'days' unless defined? UNIT_DAYS
+  UNIT_WEEKS = 'weeks' unless defined? UNIT_WEEKS
+  UNIT_MONTHS = 'months' unless defined? UNIT_MONTHS
+  ALL_UNITS = [UNIT_HOURS, UNIT_DAYS, UNIT_WEEKS, UNIT_MONTHS].freeze unless defined? ALL_UNITS
+  #
+  # fields
+  #
+  field :expire_at, type: Integer
+  field :expiration_type, type: String, default: OPTION_KILL
+  field :expiration_message, type: String, default: 'The application has expired'
+  field :expiration_time_zone, type: String, default: 'local'
+  # field :kill_after_hours, type: Integer
+  field :kill_after_interval, type: Integer
+  field :kill_after_unit, type: String
+  field :wipe_after_interval, type: Integer
+  field :wipe_after_unit, type: String
+  # field :wipe_after_hours, type: Integer
+  field :inactivity_message, type: String, default: 'The application has been inactive for too long a period'
+  field :start_time, type: String
+  field :end_time, type: String
+  field :time_window_time_zone, type: String, default: 'local'
+  field :days, type: String, default: 'MTWHFSU'
+  field :time_window_message, type: String, default: 'The application is trying to run outside of the allowed time'
+  field :time_window_active, type: Boolean, default: false
+  field :expiration_active, type: Boolean, default: false
+  field :check_in_active, type: Boolean, default: false
+
+  #
+  # return the policy hash for this agent
+  #
+  def enforce_policy(agent)
+    policy = super.merge(enforce_time_bomb: 0)
+    return policy unless active?
+
+    time_bomb_policies = expiration_policy.merge(check_in_policy).merge(time_window_policy)
+
+    if time_bomb_policies.present?
+      policy[:time_bomb] = time_bomb_policies
+      policy[:enforce_time_bomb] = 1
+    end
+
+    policy
+  rescue StandardError => error
+    log_error("Unable to build time bomb policy for agent: #{agent.inspect} - #{inspect}", error)
+    # Return the default policy
+    { enforce_time_bomb: 0 }
+  end
+
+  #
+  # Determine if we should enforce time of day policy
+  #
+  def time_window_policy
+    return {} unless time_window_active?
+
+    {
+      time_window:
+        { start_time: start_time,
+          end_time: end_time,
+          time_zone: time_window_time_zone,
+          days: days,
+          message: time_window_message }
+    }
+  rescue StandardError => error
+    log_error("Unable to build time bomb time window policy: #{inspect}", error)
+    {}
+  end
+
+  #
+  # determine if we should enforce the expire at policy
+  #
+  def expiration_policy
+    return {} unless expiration_active? && expire_at.present?
+
+    {
+      expire:
+        {
+          expiration_after: expire_at,
+          time_zone: expiration_time_zone,
+          type: expiration_type,
+          message: expiration_message
+        }
+    }
+  rescue StandardError => error
+    log_error("Unable to build time bomb expire at policy: #{inspect}", error)
+    {}
+  end
+
+  #
+  # Determine if the check in, or "Time bomb" policy should be enforced
+  #
+  def check_in_policy
+    return {} unless check_in_active
+
+    policy = { message: inactivity_message }
+    policy[:kill_after] = check_in_milliseconds(:kill) if kill_after_interval.present?
+    policy[:wipe_after] = check_in_milliseconds(:wipe) if wipe_after_interval.present?
+    { check_in: policy }
+  rescue StandardError => error
+    log_error("Unable to build time bomb check in policy: #{inspect}", error)
+    {}
+  end
+
+  #
+  # Return the number of milli seconds between check ins
+  #
+  def check_in_milliseconds(type)
+    interval = send("#{type}_after_interval").to_i
+    case send "#{type}_after_unit"
+    when UNIT_HOURS
+      interval * HOURS_TO_MS
+    when UNIT_DAYS
+      24 * interval * HOURS_TO_MS
+    when UNIT_WEEKS
+      7 * 24 * interval * HOURS_TO_MS
+    when UNIT_MONTHS
+      30 * 24 * interval * HOURS_TO_MS
+    else
+      raise "Unknown unit: #{type}"
+    end
+  end
+end

data/lib/models/user.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+#
+# A user in the system is someone who has access to the enterprise app store
+#
+class User
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include App47EmailSendable
+  include App47Logger
+  include Searchable
+  #
+  # Fields
+  #
+  field :name, type: String
+  field :active, type: Boolean, default: true
+  field :pin_code, type: String
+  field :pin_code_locked, type: Boolean, default: false
+  #
+  # Relationships
+  #
+  belongs_to :account, inverse_of: :users
+  # has_and_belongs_to_many :groups, dependent: :nullify
+  has_and_belongs_to_many :allowed_apps, class_name: 'App', dependent: :nullify, inverse_of: :user_apps
+  has_and_belongs_to_many :test_apps, class_name: 'App', dependent: :nullify, inverse_of: :test_users
+  has_many :app_permissions, class_name: 'UserAppPermission', dependent: :destroy
+  has_many :devices, class_name: 'UserDevice'
+
+  #
+  # Return the unique set of application ids for this given user
+  #
+  def allowed_app_set
+    app_permissions.collect(&:app) + account.apps.distinct_all_users
+  end
+
+  #
+  # Find a user device by safely trying a number of approaches
+  # 1. By ID
+  # 2. By unique identifier
+  # 3. By app47 identifier
+  # 4. By token
+  #
+  def find_device_by(device_id)
+    raise 'Invalid ID' if device_id.blank?
+
+    devices.where(_id: device_id).first ||
+      devices.where(unique_identifier: device_id).first ||
+      devices.where(app47_identifier: device_id).first ||
+      devices.where(token: device_id).first
+  rescue StandardError
+    nil
+  end
+end