command_tower 0.3.0

data/app/services/command_tower/inbox_service/message/send.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module CommandTower
+  module InboxService
+    module Message
+      class Send  < CommandTower::ServiceBase
+        validate :user, is_a: User, required: true
+        validate :text, is_a: String, required: true
+        validate :title, is_a: String, required: true
+        validate :message_blast, is_a: ::MessageBlast, required: false
+        validate :pushed, is_one: [true, false], default: false
+
+        def call
+          message = create_message!
+          context.message = message
+        end
+
+        def push_notification!
+          # TODO: Push notifications
+        end
+
+        def create_message!
+          ::Message.create!(
+            user:,
+            text: ,
+            title: ,
+            message_blast:,
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/command_tower/jwt/authenticate_user.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module CommandTower::Jwt
+  class AuthenticateUser < CommandTower::ServiceBase
+
+    validate :token, is_a: String, required: true, sensitive: true
+    validate :bypass_email_validation, is_one: [true, false], default: false
+    validate :with_reset, is_one: [true, false], default: false
+
+    def call
+      result = Decode.(token:)
+
+      if result.failure?
+        context.fail!(msg: "Unauthorized Access. Invalid Authorization token")
+      end
+      payload = result.payload
+
+      expires_at = validate_generated_at!(generated_at: payload[:generated_at])
+
+      user = User.find(payload[:user_id]) rescue nil
+      if user.nil?
+        log_warn("user_id [#{payload[:user_id]}] was not found. Cannot Continue")
+        context.fail!(msg: "Unauthorized Access. Invalid Authorization token")
+      end
+
+      if user.verifier_token == payload[:verifier_token]
+        context.user = user
+      else
+        context.fail!(msg: "Unauthorized Access. Token is no longer valid")
+      end
+
+      email_validation_required!(user:)
+
+      if with_reset
+        context.generated_token = CommandTower::Jwt::LoginCreate.(user:).token
+        expires_at = CommandTower.config.jwt.ttl.from_now.to_time
+      end
+
+      context.expires_at = expires_at.to_s
+    end
+
+    def validate_generated_at!(generated_at:)
+      if generated_at.nil?
+        log_warn("generated_at payload is missing from the JWT token. Cannot continue")
+        context.fail!(msg: "Unauthorized Access. Invalid Authorization token")
+      end
+
+      expires_time = begin
+        time = Time.at(generated_at)
+        time + CommandTower.config.jwt.ttl
+      rescue
+        nil
+      end
+
+      if expires_time.nil?
+        log_warn("generated_at payload cannot be parsed. Cannot continue")
+        context.fail!(msg: "Unauthorized Access. Invalid Authorization token")
+      end
+
+      if expires_time < Time.now
+        log_warn("generated_at is no longer valid. Must request new token")
+        context.fail!(msg: "Unauthorized Access. Invalid Authorization token")
+      end
+
+      expires_time
+    end
+
+    def email_validation_required!(user:)
+      return unless CommandTower.config.login.plain_text.email_verify?
+
+      if bypass_email_validation
+        log_info("Bypassing email validation without checking if user should be able to continue")
+        return
+      end
+
+      return if user.email_validated
+
+      log_info("User's email is not yet validated.")
+      result = CommandTower::LoginStrategy::PlainText::EmailVerification::Required.(user:)
+
+      if result.required
+        context.fail!(msg: "User's Email must be validated before they can continue")
+      end
+    end
+  end
+end

data/app/services/command_tower/jwt/decode.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "jwt"
+
+module CommandTower::Jwt
+  class Decode < CommandTower::ServiceBase
+
+    validate :token, is_a: String, required: true, sensitive: true
+
+    def call
+      data = JWT.decode(token, CommandTower.config.jwt.hmac_secret, true, { algorithm: "HS256" })
+
+      context.payload = data[0].with_indifferent_access
+      context.headers = data[1].with_indifferent_access
+    rescue JWT::DecodeError => e
+      log_error(e)
+
+      context.fail!(msg: "Invalid Token")
+    end
+  end
+end

data/app/services/command_tower/jwt/encode.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "jwt"
+
+module CommandTower::Jwt
+  class Encode < CommandTower::ServiceBase
+
+    validate :payload, is_a: Hash, required: true
+    validate :header, is_a: Hash, required: false
+
+    def call
+      context.token = JWT.encode(payload, CommandTower.config.jwt.hmac_secret, "HS256", header || {})
+    end
+  end
+end

data/app/services/command_tower/jwt/login_create.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module CommandTower::Jwt
+  class LoginCreate < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    validate :user, is_a: User, required: true
+
+    def call
+      context.token = Encode.(payload:).token
+    end
+
+    def payload
+      {
+        generated_at: Time.now.to_i,
+        user_id: user.id,
+        verifier_token: user.retreive_verifier_token!,
+      }
+    end
+  end
+end

data/app/services/command_tower/jwt/time_delay_token.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module CommandTower::Jwt
+  class TimeDelayToken < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    validate :expires_in, is_a: ActiveSupport::Duration, required: true
+
+    def call
+      context.token = Encode.(payload:).token
+    end
+
+    def payload
+      { expires_in: expires_in }
+    end
+  end
+end

data/app/services/command_tower/login_strategy/plain_text/create.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module CommandTower::LoginStrategy::PlainText
+  class Create < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    EASY_GETTER = CommandTower.config.login.plain_text
+
+    validate :first_name, is_a: String, required: true
+    validate :last_name, is_a: String, required: true
+    validate :username, is_a: String, required: true
+    validate :email, length: true, lt: EASY_GETTER.email_length_max, gt: EASY_GETTER.email_length_min, is_a: String, required: true, sensitive: true
+    validate :password, length: true, lt: EASY_GETTER.password_length_max, gt: EASY_GETTER.password_length_min, is_a: String, required: true, sensitive: true
+    validate :password_confirmation, is_a: String, required: true, sensitive: true
+
+    def call
+      unless email =~ URI::MailTo::EMAIL_REGEXP
+        inline_argument_failure!(errors: { email: "Invalid email address" })
+      end
+
+      username_validity = CommandTower::Username::Available.(username:)
+      if !username_validity.valid
+        inline_argument_failure!(errors: { username: "Username is invalid. #{CommandTower.config.username.username_failure_message}" })
+      end
+
+      user = User.new(
+        first_name:,
+        last_name:,
+        username:,
+        email:,
+        password:,
+        password_confirmation:,
+      )
+
+      if user.save
+        context.user = user
+        CommandTower::InboxService::Blast::NewUserBlaster.(user:)
+      else
+        inline_argument_failure!(errors: user.errors)
+      end
+    end
+  end
+end

data/app/services/command_tower/login_strategy/plain_text/email_verification/generate.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CommandTower::LoginStrategy::PlainText::EmailVerification
+  class Generate < CommandTower::ServiceBase
+    validate :user, is_a: User, required: true
+
+    def call
+      result = CommandTower::Secrets::Generate.(
+        user:,
+        secret_length: email_verify.verify_code_length,
+        reason: CommandTower::Secrets::EMAIL_VERIFICIATION,
+        use_count_max: 1,
+        death_time: email_verify.verify_code_link_valid_for,
+        type: CommandTower::Secrets::NUMERIC,
+        cleanse: true,
+      )
+
+      if result.failure?
+        context.fail!(msg: "Secret Generation is not available at this time")
+      end
+
+      context.secret = result.secret
+    end
+
+    def email_verify
+      CommandTower.config.login.plain_text.email_verify
+    end
+  end
+end

data/app/services/command_tower/login_strategy/plain_text/email_verification/required.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module CommandTower::LoginStrategy::PlainText::EmailVerification
+  class Required < CommandTower::ServiceBase
+    validate :user, is_a: User, required: true
+
+    def call
+      context.reqired_after_time = reqired_after_time
+      context.required = Time.now > reqired_after_time
+    end
+
+    def reqired_after_time
+      user.created_at + email_verify.verify_email_required_within
+    end
+
+    def email_verify
+      CommandTower.config.login.plain_text.email_verify
+    end
+  end
+end

data/app/services/command_tower/login_strategy/plain_text/email_verification/send.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module CommandTower::LoginStrategy::PlainText::EmailVerification
+  class Send < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    validate :user, is_a: User, required: true
+
+    def call
+      result = Generate.(user:)
+      if result.failure?
+        context.fail!(msg: result.msg)
+      end
+
+      begin
+        CommandTower::EmailVerificationMailer.verify_email(user.email, user, result.secret).deliver
+      rescue StandardError => e
+        log_error("Failed to send message to [#{user.id}]: #{e.message}")
+        context.fail!(msg: "Unable to send email. Please try again later", status: 500)
+      end
+    end
+  end
+end

data/app/services/command_tower/login_strategy/plain_text/email_verification/verify.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CommandTower::LoginStrategy::PlainText::EmailVerification
+  class Verify < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    validate :user, is_a: User, required: true
+    validate :code, is_a: String, required: true
+
+    def call
+      result = CommandTower::Secrets::Verify.(secret: code, reason: CommandTower::Secrets::EMAIL_VERIFICIATION)
+      if result.failure?
+        inline_argument_failure!(errors: { code:  "Incorrect verification code provided" })
+      end
+
+      if result.user != user
+        log_warn("Yikes! The logged in user does not match the correct code. Kick them back out and do not verify")
+        inline_argument_failure!(errors: { code:  "Incorrect verification code provided" })
+      end
+
+      user.update(email_validated: true)
+    end
+  end
+end

data/app/services/command_tower/login_strategy/plain_text/login.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module CommandTower::LoginStrategy::PlainText
+  class Login < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    one_of(:login_key, required: true) do
+      validate :username, is_a: String, sensitive: true
+      validate :email, is_a: String, sensitive: true
+    end
+    validate :password, is_a: String, required: true, sensitive: true
+
+    def call
+      if user.nil?
+        log_warn("Login attempted with [#{login_key_key}] => [#{login_key}]. Resource not found")
+        credential_mismatch!
+      end
+
+      if user.authenticate(password)
+        user.successful_login += 1
+        user.password_consecutive_fail = 0
+        user.save
+      else
+        user.password_consecutive_fail += 1
+        user.save
+        log_warn("Valid #{login_key_key}. Incorrect password. Consecutive Password failures: #{user.password_consecutive_fail}")
+        credential_mismatch!
+      end
+
+      context.user = user
+
+      result = CommandTower::Jwt::LoginCreate.(user:)
+      if result.failure?
+        context.fail!(msg: "Failed to generate Authorization. Please Try again")
+        return
+      end
+
+      context.token = result.token
+    end
+
+    def credential_mismatch!
+      msg = "Unauthorized Access. Incorrect Credentials"
+      inline_argument_failure!(errors: { login_key_key => msg, password: msg })
+    end
+
+    def user
+      @user ||= User.where(login_key_key => login_key).first
+    end
+  end
+end

data/app/services/command_tower/secrets/cleanse.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module CommandTower::Secrets
+  class Cleanse < CommandTower::ServiceBase
+    validate :user, is_a: User, required: true
+    validate :reason, is_one: ALLOWED_SECRET_REASONS, required: true
+
+    def call
+      secrets = UserSecret.where(user:, reason:)
+      count = secrets.delete_all
+      log_info("Cleansed #{count} #{reason} secret(s) from the store for user [#{user.id}]")
+    end
+  end
+end

data/app/services/command_tower/secrets/generate.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module CommandTower::Secrets
+  class Generate < CommandTower::ServiceBase
+    MAX_RETRY = 10
+
+    validate :user, is_a: User, required: true
+    validate :secret_length, is_a: Integer, gte: 4, lte: 64, required: true
+    validate :reason, is_one: ALLOWED_SECRET_REASONS, required: true
+    validate :type, is_one: ALLOWED_SECRET_TYPES, default: DEFAULT_SECRET_TYPE
+    validate :extra, is_a: String, length: true, lt: 256
+    validate :cleanse, is_one: [true, false], default: false
+    at_least_one(:death, required: true) do
+      validate :death_time, is_a: ActiveSupport::Duration, gte: 10.seconds
+      validate :use_count_max, is_a: Integer, gte: 1
+    end
+
+    def call
+      if cleanse && @attempts.nil?
+        # if this fails ... so be it
+        Cleanse.(user:, reason:)
+      end
+
+      @attempts ||= 1
+      record = UserSecret.create!(**db_params)
+
+      context.record = record
+      context.secret = record.secret
+    rescue ActiveRecord::RecordNotUnique => e
+      if @attempts < MAX_RETRY
+        @attempts += 1
+        log_warn("Duplicate Secret was generated. Attempting to retry: #{@attempts} of #{MAX_RETRY}")
+        retry
+      else
+        log_error("Duplicate Secret was generated. Exhausted Max attempts of #{MAX_RETRY}.")
+        context.fail!(msg: "Failed to generate Secret. Cannot Continue")
+      end
+    end
+
+    def db_params
+      {
+        death_time: death_time&.from_now,
+        use_count_max:,
+        extra:,
+        reason:,
+        secret: generate_secret,
+        user:,
+      }.compact
+    end
+
+    def generate_secret
+      case type
+      when :numeric
+        secret_length.times.map { SecureRandom.rand(0...10) }.join
+      when :alphanumeric, :hex
+        SecureRandom.public_send(type, secret_length)
+      when :uuid
+        SecureRandom.public_send(type)
+      end
+    end
+  end
+end

data/app/services/command_tower/secrets/verify.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module CommandTower::Secrets
+  class Verify < CommandTower::ServiceBase
+    validate :secret, is_a: String, required: true, sensitive: true
+    validate :reason, is_one: ALLOWED_SECRET_REASONS, required: true
+    validate :access_count, is_one: [true, false], default: false
+
+    def call
+      record = UserSecret.find_record(secret:, reason:, access_count:)
+
+      if record[:found] == false
+        context.fail!(record:, msg: "Secret not found")
+      end
+
+      if record[:valid] == false
+        if CommandTower.config.delete_secret_after_invalid
+          record[:record].destroy
+        end
+
+        context.fail!(record:, msg: "Secret is invalid. #{record[:record].invalid_reason.join(" ")}")
+      end
+
+      context.user = record[:user]
+    end
+  end
+end

data/app/services/command_tower/secrets.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module CommandTower::Secrets
+  ALLOWED_SECRET_REASONS = [
+    EMAIL_VERIFICIATION = :email_verification,
+    SSO = :sso,
+  ]
+
+  ALLOWED_SECRET_TYPES = [
+    DEFAULT_SECRET_TYPE = ALPHANUMERIC = :alphanumeric,
+    HEX = :hex,
+    NUMERIC = :numeric,
+    UUID = :uuid,
+  ]
+end

data/app/services/command_tower/service_base.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require "interactor"
+
+class CommandTower::ServiceBase
+  class ServiceBaseError < CommandTower::Error; end;
+  class ValidationError < ServiceBaseError; end;
+  class ConfigurationError < ServiceBaseError; end;
+
+  class NameConflictError < CommandTower::Error; end
+  class DefaultValueError < CommandTower::Error; end
+  class OneOfError < CommandTower::Error; end
+  class NestedOneOfError < CommandTower::Error; end
+  class ArgumentValidationError < CommandTower::Error; end
+
+  class KeyValidationError < CommandTower::ServiceBase::ValidationError; end
+  class CompositionValidationError < CommandTower::ServiceBase::ValidationError; end
+
+  include Interactor
+  include CommandTower::ServiceLogging
+  include CommandTower::ArgumentValidation
+
+  ON_ARGUMENT_VALIDATION = [
+    DEFAULT_VALIDATION = :raise,
+    :fail_early,
+    :log,
+  ]
+
+  def self.inherited(subclass)
+    # Add the base logging to the subclass.
+    # Since this is done at inheritance time it should always be the first and last hook to run.
+    subclass.around(:service_base_logging)
+    subclass.around(:internal_validate)
+    subclass.after(:sanitize_params)
+  end
+
+  def validate!
+    # overload from child
+  end
+
+  def internal_validate(interactor)
+    # call validate that is overridden from child
+    begin
+      validate! # custom validations defined on the child class
+      run_validations! # ArgumentValidation's based on defined settings on child
+    rescue StandardError => e
+      log_error("Error during validation. #{e.message}")
+      raise
+    end
+
+    # call interactor
+    interactor.call
+  end
+
+  def service_base_logging(interactor)
+    beginning_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+
+    # Pre processing stats
+    log_info("Start")
+
+    # Run the job!
+    interactor.call
+
+    # Set status for use in ensure block
+    status = :complete
+
+  # Capture Interactor::Failure for logging purposes, then reraise
+  rescue ::Interactor::Failure
+    # set status for use in ensure block
+    status = :failure
+
+    # Re-raise to let the core Interactor handle this
+    raise
+  # Capture exception explicitly for logging purposes, then reraise
+  rescue ::Exception => e
+    # set status for use in ensure block
+    status = :error
+
+    # Log error
+    log_error("Error #{e.class.name}")
+
+    raise
+  ensure
+    # Always log how long it took along with a status
+    finished_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    elapsed = ((finished_time - beginning_time) * 1000).round(2)
+    log_info("Finished with [#{status}]...elapsed #{elapsed}ms")
+  end
+end

data/app/services/command_tower/service_logging.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module CommandTower::ServiceLogging
+  def log_info(msg)
+    log(level: :info, msg:)
+  end
+
+  def log_warn(msg)
+    log(level: :warn, msg:)
+  end
+
+  def log_error(msg)
+    log(level: :error, msg:)
+  end
+
+  def log(level:, msg:)
+    logger.public_send(level, aletered_message(msg))
+  rescue StandardError
+    Rails.logger.public_send(level, aletered_message(msg))
+  end
+
+  def aletered_message(msg)
+    "#{log_prefix}: #{msg}"
+  end
+
+  def logger
+    defined?(context) ? context.logger : Rails.logger
+  end
+
+  def log_prefix
+    "[#{class_name}-#{service_id}]"
+  end
+
+  def class_name
+    self.class.name
+  end
+
+  def service_id
+    @service_id ||= SecureRandom.alphanumeric(10)
+  end
+end