apill 4.1.0 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 905997a468c58168a9f87fbae4df382ced3cc1fd
-  data.tar.gz: d354947d9ca949dadaad2d25969c5f7865b0652c
+  metadata.gz: cab5c932811642e80f8c28a2cd9bf132f2427e72
+  data.tar.gz: 9cb2a0d0e0b1a844c37e88eeab958a5952ee5d08
 SHA512:
-  metadata.gz: a8576261ae11512401546d1b2e22b6e435921ab67ec2efce00e0ddeabcfff846522d1a2b918dbeff6c7175166004aee450db10eb6fed6cd136487c6c568b867e
-  data.tar.gz: fdd74cbe6f6245d3b6caa3b730487cbbf04bb0c80c08deecc5a5dab7b84f216fe403732142191d57892a0313d2a65515b30c18474e6a41d5b388b9b1a249192a
+  metadata.gz: e10c046dcd6bb020b106670cbe6ea39e3324dba4a4b870f03895d4e25a5124e1fdd9b0eb33fa904398c760c49c0417015775e913c2172cc3509ce736baefa05a
+  data.tar.gz: 0f2c1c2de41e550eaa5a66b1d7a779dd52ca5ae331c9736e34b27e97f71839724380fad56ac75e248af6aa34e59cc1515f00f8f1090166d255f2562764481dd6

data/lib/apill.rb

@@ -1,5 +1,10 @@
 require 'apill/version'
 
+require 'apill/authorizers/parameters'
+require 'apill/authorizers/parameters/filtering'
+require 'apill/authorizers/parameters/resource'
+require 'apill/authorizers/query'
+require 'apill/authorizers/scope'
 require 'apill/configuration'
 require 'apill/matchers/accept_header'
 require 'apill/matchers/subdomain'

data/lib/apill/authorizable_resource.rb

@@ -0,0 +1,160 @@
+require 'apill/resource/naming'
+require 'apill/resource/model'
+
+module  Apill
+module  AuthorizableResource
+  RESOURCE_COLLECTION_ACTIONS = %w{index}.freeze
+
+  module ClassMethods
+    def authorizer_prefix
+      @authorizer_prefix ||= name[Resource::Naming::CONTROLLER_RESOURCE_NAME_PATTERN, 2]
+    end
+
+    def authorizer_class
+      @authorizer_class ||= "#{authorizer_prefix}" \
+                            'Authorizers::' \
+                            "#{resource_class_name}".
+                            constantize
+    rescue NameError
+      'Apill::Authorizers::Query'.constantize
+    end
+
+    def authorizer_scope_class
+      @authorizer_scope_class ||= "#{authorizer_prefix}" \
+                                  'Authorizers::' \
+                                  "#{resource_class_name}" \
+                                  '::Scope'.
+                                  constantize
+    rescue NameError
+      'Apill::Authorizers::Scope'.constantize
+    end
+
+    def authorizer_resource_params_class
+      @authorizer_resource_params_class ||= "#{authorizer_prefix}" \
+                                            'Authorizers::' \
+                                            "#{resource_class_name}" \
+                                            '::ResourceParameters'.
+                                            constantize
+    rescue NameError
+      'Apill::Authorizers::Parameters::Resource'.constantize
+    end
+
+    def authorizer_filtering_params_class
+      @authorizer_filtering_params_class ||= "#{authorizer_prefix}" \
+                                             'Authorizers::' \
+                                             "#{resource_class_name}::" \
+                                             'FilteringParameters'.
+                                             constantize
+    rescue NameError
+      'Apill::Authorizers::Parameters::Filtering'.constantize
+    end
+  end
+
+  def self.included(base)
+    base.include Resource::Naming
+    base.extend  ClassMethods
+
+    base.before_action :authorize
+  end
+
+  private
+
+  def authorize
+    HumanError.raise(
+      'ForbiddenError',
+      resource_name: self.class.singular_resource_name,
+      resource_id:   [params[:id]],
+      action:        action_name,
+    ) unless authorizer.public_send(authorization_query)
+  end
+
+  def authorizer
+    @authorizer ||= self.
+                    class.
+                    authorizer_class.
+                    new(token:    token,
+                        user:     authorized_user,
+                        resource: authorized_resource)
+  end
+
+  def authorized_scope
+    @authorized_scope ||= self.
+                          class.
+                          authorizer_scope_class.
+                          new(token:          token,
+                              user:           authorized_user,
+                              scoped_user_id: scoped_user_id,
+                              params:         authorized_params,
+                              scope_root:     authorized_scope_root).
+                          call
+  end
+
+  def authorized_params
+    @authorized_params ||= authorizer_params_class.
+                           new(token:  token,
+                               user:   authorized_user,
+                               params: params).
+                           call
+  end
+
+  def authorized_resource
+    return nil if RESOURCE_COLLECTION_ACTIONS.include?(action_name)
+
+    @authorized_resource ||= public_send(self.class.singular_resource_name)
+  end
+
+  def authorized_collection
+    return nil unless RESOURCE_COLLECTION_ACTIONS.include?(action_name)
+
+    @authorized_collection ||= Resource::Model.
+      new(resource:   public_send(self.class.plural_resource_name),
+          parameters: authorized_params)
+  end
+
+  def authorizer_params_class
+    @authorizer_params_class ||= \
+      if RESOURCE_COLLECTION_ACTIONS.include?(action_name)
+        self.class.authorizer_filtering_params_class
+      else
+        self.class.authorizer_resource_params_class
+      end
+  end
+
+  def authorized_scope_root
+    @authorized_scope_root ||= "#{self.class.authorizer_prefix}" \
+                               "#{self.class.resource_class_name}".
+                               constantize
+  end
+
+  def scoped_user_id
+    @scoped_user_id ||= if requested_user_id.blank?
+                          nil
+                        else
+                          requested_user_id
+                        end
+  end
+
+  def requested_user_id
+    @requested_user_id ||= params.
+                           fetch(:filter, {}).
+                           fetch(authorized_user_underscored_class_name,
+                                 authorized_user.id)
+  end
+
+  def authorized_user
+    current_user
+  end
+
+  def authorized_user_underscored_class_name
+    @authorized_user_underscored_class_name ||= authorized_user.
+                                                class.
+                                                name[/([^:]+)\z/, 1].
+                                                underscore.
+                                                downcase
+  end
+
+  def authorization_query
+    @authorization_query ||= "able_to_#{action_name}?"
+  end
+end
+end

data/lib/apill/authorizers/parameters.rb

@@ -0,0 +1,23 @@
+module  Apill
+module  Authorizers
+class   Parameters
+  attr_accessor :token,
+                :user,
+                :params
+
+  def initialize(token:, user:, params:, **other)
+    self.token  = token
+    self.user   = user
+    self.params = params
+
+    other.each do |name, value|
+      public_send("#{name}=", value)
+    end
+  end
+
+  def call
+    params
+  end
+end
+end
+end

data/lib/apill/authorizers/parameters/filtering.rb

@@ -0,0 +1,49 @@
+require 'apill/authorizers/parameters'
+
+module  Apill
+module  Authorizers
+class   Parameters
+class   Filtering < Authorizers::Parameters
+  def call
+    params.permit(*authorized_params)
+  end
+
+  private
+
+  def authorized_params
+    @authorized_params ||= [
+      :sort,
+      page:   %i{
+        number
+        size
+        offset
+        limit
+        cursor
+      },
+      filter: [
+        :query,
+        {},
+      ],
+    ]
+  end
+
+  def add_filterable_parameter(name)
+    param = params.fetch(:filter, {}).
+                   fetch(name,    nil)
+
+    if param.class == Array
+      authorized_params[1][:filter][1][name] = []
+    else
+      authorized_params[1][:filter] << name
+    end
+  end
+
+  def add_filterable_parameters(*names)
+    names.each do |name|
+      add_filterable_parameter(name)
+    end
+  end
+end
+end
+end
+end

data/lib/apill/authorizers/parameters/resource.rb

@@ -0,0 +1,10 @@
+require 'apill/authorizers/parameters'
+
+module  Apill
+module  Authorizers
+class   Parameters
+class   Resource < Authorizers::Parameters
+end
+end
+end
+end

data/lib/apill/authorizers/query.rb

@@ -0,0 +1,39 @@
+module  Apill
+module  Authorizers
+class   Query
+  attr_accessor :token,
+                :user,
+                :resource
+
+  def initialize(token:, user:, resource:, **other)
+    self.token    = token
+    self.user     = user
+    self.resource = resource
+
+    other.each do |name, value|
+      public_send("#{name}=", value)
+    end
+  end
+
+  def able_to_index?
+    true
+  end
+
+  def able_to_show?
+    false
+  end
+
+  def able_to_create?
+    false
+  end
+
+  def able_to_update?
+    false
+  end
+
+  def able_to_destroy?
+    false
+  end
+end
+end
+end

data/lib/apill/authorizers/scope.rb

@@ -0,0 +1,29 @@
+module  Apill
+module  Authorizers
+class   Scope
+  attr_accessor :token,
+                :user,
+                :scoped_user_id,
+                :params,
+                :scope_root
+
+  # rubocop:disable Metrics/ParameterLists
+  def initialize(token:, user:, params:, scoped_user_id:, scope_root:, **other)
+    self.token          = token
+    self.user           = user
+    self.params         = params
+    self.scoped_user_id = scoped_user_id
+    self.scope_root     = scope_root
+
+    other.each do |name, value|
+      public_send("#{name}=", value)
+    end
+  end
+  # rubocop:enable Metrics/ParameterLists
+
+  def call
+    scope_root.none
+  end
+end
+end
+end

data/lib/apill/requests/base.rb

@@ -92,9 +92,9 @@ class   Base
   def authorization_token_from_header
     case raw_authorization_header
     when JSON_WEB_TOKEN_HEADER_PATTERN
-      Tokens::JsonWebToken.convert(
-        token_private_key: token_private_key,
-        raw_token:         raw_authorization_header[JSON_WEB_TOKEN_HEADER_PATTERN, 1])
+      Tokens::JsonWebToken.from_jwe(
+        raw_authorization_header[JSON_WEB_TOKEN_HEADER_PATTERN, 1],
+        private_key: token_private_key)
     when BASE64_TOKEN_HEADER_PATTERN
       Tokens::Base64.convert(
         raw_token: raw_authorization_header[BASE64_TOKEN_HEADER_PATTERN, 1])

data/lib/apill/requests/rack.rb

@@ -14,10 +14,9 @@ class   Rack < Base
   def authorization_token_from_params
     case request['QUERY_STRING']
     when JSON_WEB_TOKEN_PARAM_PATTERN
-      Tokens::JsonWebToken.convert(
-        token_private_key: token_private_key,
-        raw_token:         request['QUERY_STRING'][JSON_WEB_TOKEN_PARAM_PATTERN, 1] || '',
-      )
+      Tokens::JsonWebToken.from_jwe(
+        request['QUERY_STRING'][JSON_WEB_TOKEN_PARAM_PATTERN, 1] || '',
+        private_key: token_private_key)
     when BASE64_TOKEN_PARAM_PATTERN
       base64_token = request['QUERY_STRING'][BASE64_TOKEN_PARAM_PATTERN, 1]
 

data/lib/apill/requests/rails.rb

@@ -10,9 +10,9 @@ class   Rails < Base
   def authorization_token_from_params
     case
     when request.params.key?(JSON_WEB_TOKEN_PARAM_NAME)
-      Tokens::JsonWebToken.convert(
-        token_private_key: token_private_key,
-        raw_token:         request.params[JSON_WEB_TOKEN_PARAM_NAME] || '')
+      Tokens::JsonWebToken.from_jwe(
+        request.params[JSON_WEB_TOKEN_PARAM_NAME] || '',
+        private_key: token_private_key)
     when request.params.key?(BASE64_TOKEN_PARAM_NAME)
       Tokens::Base64.convert(raw_token: request.params[BASE64_TOKEN_PARAM_NAME] || '')
     else

data/lib/apill/resource.rb

@@ -1,13 +1,13 @@
-require 'apill/processable_resource'
+require 'apill/authorizable_resource'
 require 'human_error/rescuable_resource'
 require 'human_error/verifiable_resource'
 
 module  Apill
 module  Resource
   def self.included(base)
-    base.include Apill::ProcessableResource
     base.include HumanError::RescuableResource
     base.include HumanError::VerifiableResource
+    base.include Apill::AuthorizableResource
   end
 end
 end

data/lib/apill/resource/naming.rb

@@ -0,0 +1,32 @@
+module  Apill
+module  Resource
+module  Naming
+  CONTROLLER_RESOURCE_NAME_PATTERN = /\A((.*?::)?.*?)(\w+)Controller\z/
+
+  module ClassMethods
+    def plural_resource_name
+      @plural_resource_name ||= name[CONTROLLER_RESOURCE_NAME_PATTERN, 3].
+                                underscore.
+                                pluralize.
+                                downcase
+    end
+
+    def singular_resource_name
+      @singular_resource_name ||= name[CONTROLLER_RESOURCE_NAME_PATTERN, 3].
+                                  underscore.
+                                  singularize.
+                                  downcase
+    end
+
+    def resource_class_name
+      @resource_class_name ||= singular_resource_name.
+                               camelize
+    end
+  end
+
+  def self.included(base)
+    base.extend ClassMethods
+  end
+end
+end
+end

data/lib/apill/tokens/json_web_token.rb

@@ -6,10 +6,33 @@ require 'apill/tokens/json_web_tokens/null'
 module  Apill
 module  Tokens
 class   JsonWebToken
-  attr_accessor :token
+  TRANSFORMATION_EXCEPTIONS = [
+    JSON::JWT::Exception,
+    JSON::JWT::InvalidFormat,
+    JSON::JWT::VerificationFailed,
+    JSON::JWT::UnexpectedAlgorithm,
+    JWT::DecodeError,
+    JWT::VerificationError,
+    JWT::ExpiredSignature,
+    JWT::IncorrectAlgorithm,
+    JWT::ImmatureSignature,
+    JWT::InvalidIssuerError,
+    JWT::InvalidIatError,
+    JWT::InvalidAudError,
+    JWT::InvalidSubError,
+    JWT::InvalidJtiError,
+    OpenSSL::PKey::RSAError,
+    OpenSSL::Cipher::CipherError,
+  ].freeze
 
-  def initialize(token:)
-    self.token = token
+  attr_accessor :data,
+                :private_key
+
+  def initialize(data:,
+                 private_key: Apill.configuration.token_private_key)
+
+    self.data        = data
+    self.private_key = private_key
   end
 
   def valid?
@@ -21,40 +44,66 @@ class   JsonWebToken
   end
 
   def to_h
-    token
-  end
-
-  def self.convert(raw_token:, token_private_key: Apill.configuration.token_private_key)
-    return JsonWebTokens::Null.instance if raw_token.to_s == ''
-
-    decrypted_token = JSON::JWT.decode(raw_token, token_private_key).plain_text
-    decoded_token   = JWT.decode(decrypted_token,
-                                 token_private_key,
-                                 true,
-                                 algorithm:         'RS256',
-                                 verify_expiration: true,
-                                 verify_not_before: true,
-                                 verify_iat:        true,
-                                 leeway:            5,
-                                )
-
-    new(token: decoded_token)
-  rescue JSON::JWT::Exception,
-         JSON::JWT::InvalidFormat,
-         JSON::JWT::VerificationFailed,
-         JSON::JWT::UnexpectedAlgorithm,
-         JWT::DecodeError,
-         JWT::VerificationError,
-         JWT::ExpiredSignature,
-         JWT::IncorrectAlgorithm,
-         JWT::ImmatureSignature,
-         JWT::InvalidIssuerError,
-         JWT::InvalidIatError,
-         JWT::InvalidAudError,
-         JWT::InvalidSubError,
-         JWT::InvalidJtiError,
-         OpenSSL::PKey::RSAError
+    data
+  end
+
+  def to_jwt
+    @jwt ||= JSON::JWT.new(data)
+  end
+
+  def to_jwt_s
+    @jwt_s ||= to_jwt.to_s
+  end
+
+  def to_jws
+    @jws ||= to_jwt.sign(private_key,    'RS256')
+  end
+
+  def to_jws_s
+    @jws_s ||= to_jws.to_s
+  end
+
+  def to_jwe
+    @jwe ||= to_jws.encrypt(private_key, 'RSA-OAEP', 'A256GCM')
+  end
+
+  def to_jwe_s
+    @jwe_s ||= to_jwe.to_s
+  end
+
+  def self.from_jwe(encrypted_token,
+                    private_key: Apill.configuration.token_private_key)
+
+    return JsonWebTokens::Null.instance if encrypted_token.to_s == ''
+
+    decrypted_token = JSON::JWT.
+                        decode(encrypted_token, private_key).
+                        plain_text
+
+    from_jws(decrypted_token, private_key: private_key)
+  rescue *TRANSFORMATION_EXCEPTIONS
+    JsonWebTokens::Invalid.instance
+  end
+
+  def self.from_jws(signed_token,
+                    private_key: Apill.configuration.token_private_key)
+
+    return JsonWebTokens::Null.instance if signed_token.to_s == ''
+
+    data = JWT.decode(
+                       signed_token,
+                       private_key,
+                       true,
+                       algorithm:         'RS256',
+                       verify_expiration: true,
+                       verify_not_before: true,
+                       verify_iat:        true,
+                       leeway:            5,
+    )
 
+    new(data:        data,
+        private_key: private_key)
+  rescue *TRANSFORMATION_EXCEPTIONS
     JsonWebTokens::Invalid.instance
   end
 end