command_tower 0.3.0

data/app/services/command_tower/user_attributes/modify.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module CommandTower::UserAttributes
+  class Modify < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+    DEFAULT = {
+      verifier_token: [true, false]
+    }
+    validate :user, is_a: User, required: true
+    validate :admin_user, is_a: User, required: false
+
+    # Gets assigned during configuration phase via
+    # lib/command_tower/configuration/user/config.rb
+    def self.assign!
+      attributes = CommandTower.config.user.default_attributes_for_change + CommandTower.config.user.additional_attributes_for_change
+      one_of(:modify_attribute, required: true) do
+        attributes.uniq.each do |attribute|
+          if metadata = User.attribute_to_type_mapping[attribute]
+            arguments = {}
+            if default = DEFAULT[attribute.to_sym]
+              arguments[:is_one] = default
+            else
+              if allowed_types = metadata[:allowed_types]
+                arguments[:is_one] = allowed_types
+              else
+                arguments[:is_a] = metadata[:ruby_type]
+              end
+            end
+
+            validate(attribute, **arguments)
+          end
+        end
+      end
+    end
+
+    def call
+      case modify_attribute_key
+      when :email
+        unless email =~ URI::MailTo::EMAIL_REGEXP
+          inline_argument_failure!(errors: { email: "Invalid email address" })
+        end
+      when :username
+        username_validity = CommandTower::Username::Available.(username:)
+        unless username_validity.valid
+          inline_argument_failure!(errors: { username: "Username is invalid. #{CommandTower.config.username.username_failure_message}" })
+        end
+      when :verifier_token
+        if verifier_token
+          verifier_token!
+        else
+          inline_argument_failure!(errors: { verifier_token: "verifier_token is invalid. Expected [true] when value present" })
+        end
+
+        return
+      end
+
+      update!
+    end
+
+    def verifier_token!
+      user.reset_verifier_token!
+    end
+
+    def update!
+      user.update!(modify_attribute_key => modify_attribute)
+    end
+  end
+end

data/app/services/command_tower/user_attributes/roles.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module CommandTower::UserAttributes
+  class Roles < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    validate :user, is_a: User, required: true
+    validate :admin_user, is_a: User, required: true
+    validate :roles, is_a: Array, required: true
+
+    def call
+      if valid_roles?
+        user.update!(roles:)
+        return true
+      end
+
+      inline_argument_failure!(errors: { roles: "Invalid roles provided" })
+    end
+
+    def valid_roles?
+      return true if roles.empty?
+
+      available_roles = CommandTower::Authorization::Role.roles.keys
+      roles.all? { available_roles.include?(_1) }
+    end
+  end
+end

data/app/services/command_tower/username/available.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module CommandTower::Username
+  class Available < CommandTower::ServiceBase
+    on_argument_validation :fail_early
+
+    REFRESH_KEY = "username.refresh_after"
+
+    validate :username, is_a: String, required: true
+    validate :force_query, is_a: [TrueClass, FalseClass]
+
+    def initialize(*)
+      super
+
+      @mutex = Mutex.new
+    end
+
+    def call
+      populate_local_cache! if refresh?
+
+      context.available = available?
+      context.valid = valid?
+    end
+
+    def valid?
+      return false if username.length < CommandTower.config.username.username_length_min
+      return false if username.length > CommandTower.config.username.username_length_max
+
+      !!username[CommandTower.config.username.username_regex]
+    end
+
+    def available?
+      !realtime.local_cache.exist?(username)
+    end
+
+    # this is a very terrible cache design at scale
+    # If we can use Redis, a bloom filter would be great
+    def populate_local_cache!
+      @mutex.synchronize do
+        values = User.pluck(:username).map { [_1, 1] }.to_h rescue {}
+        realtime.local_cache.write_multi(values)
+        realtime.local_cache.write(REFRESH_KEY, realtime.local_cache_ttl.from_now)
+
+        values
+      end
+    end
+
+    def refresh?
+      return true if force_query
+
+      refresh_by = realtime.local_cache.read(REFRESH_KEY)
+      return true if refresh_by.nil?
+
+      time = Time.at(refresh_by) rescue nil
+      return true if time.nil?
+
+      time < Time.now
+    end
+
+    def realtime
+      CommandTower.config.username.realtime_username_check
+    end
+  end
+end

data/app/views/command_tower/email_verification_mailer/verify_email.html.erb

@@ -0,0 +1,26 @@
+<p>Hello <%= @user.full_name %>!</p>
+
+<p>
+  Welcome to <%= CommandTower.config.app.communication_name %>.
+</p>
+<p>
+  Please provide the following verification code to confirm your email address.
+</p>
+<p></p>
+<p></p>
+<p>
+  <h1>
+    <%= @code %>
+  </h1>
+</p>
+
+<p></p>
+<p></p>
+
+<p>
+  Best wishes, <%= CommandTower.config.app.communication_name %> team
+</p>
+<p></p>
+<p></p>
+
+Visit us at <a href="<%= CommandTower.config.app.composed_url %>" target="_blank"><%= CommandTower.config.app.composed_url %></a>

data/config/routes.rb

@@ -0,0 +1,55 @@
+Rails.application.routes.draw do
+  append_to_ass = "command_tower"
+
+  constraints(->(_req) { CommandTower.config.username.realtime_username_check? }) do
+    scope "username" do
+      get "/available/:username", to: "command_tower/username#username_availability", as: :"#{append_to_ass}_username_availability_get"
+    end
+  end
+
+  scope "auth" do
+    constraints(->(_req) { CommandTower.config.login.plain_text.enable? }) do
+      post "/login", to: "command_tower/auth/plain_text#login_post", as: :"#{append_to_ass}_auth_login_post"
+      post "/create", to: "command_tower/auth/plain_text#create_post", as: :"#{append_to_ass}_auth_create_post"
+
+      constraints(->(_req) { CommandTower.config.login.plain_text.email_verify? }) do
+        scope "email" do
+          post "/verify", to: "command_tower/auth/plain_text#email_verify_post", as: :"#{append_to_ass}_auth_email_verification"
+          post "/send", to: "command_tower/auth/plain_text#email_verify_resend_post", as: :"#{append_to_ass}_auth_email_verification_send"
+        end
+      end
+    end
+  end
+
+  scope "user" do
+    get "/", to: "command_tower/user#show", as: :"#{append_to_ass}_user_show_get"
+    post "/modify", to: "command_tower/user#modify", as: :"#{append_to_ass}_user_modify_post"
+  end
+
+  scope "inbox" do
+    scope "messages" do
+      get "/", to: "command_tower/inbox/message#metadata", as: :"#{append_to_ass}_inbox_metadata"
+
+      get "/:id", to: "command_tower/inbox/message#message", as: :"#{append_to_ass}_inbox_message"
+      delete "/:id", to: "command_tower/inbox/message#delete", as: :"#{append_to_ass}_inbox_message_del"
+
+      post "/ack", to: "command_tower/inbox/message#ack", as: :"#{append_to_ass}_inbox_ack"
+      post "/delete", to: "command_tower/inbox/message#delete", as: :"#{append_to_ass}_inbox_delete"
+    end
+
+    scope "blast" do
+      get "/", to: "command_tower/inbox/message_blast#metadata", as: :"#{append_to_ass}_blast_metadata"
+      post "/", to: "command_tower/inbox/message_blast#create", as: :"#{append_to_ass}_blast_create"
+
+      get "/:id", to: "command_tower/inbox/message_blast#blast", as: :"#{append_to_ass}_blast_blast"
+      patch "/:id", to: "command_tower/inbox/message_blast#modify", as: :"#{append_to_ass}_blast_modify"
+      delete "/:id", to: "command_tower/inbox/message_blast#delete", as: :"#{append_to_ass}_blast_delete"
+    end
+  end
+
+  scope "admin" do
+    get "/", to: "command_tower/admin#show", as: :"#{append_to_ass}_admin_show_get"
+    post "/modify", to: "command_tower/admin#modify", as: :"#{append_to_ass}_admin_modify_post"
+    post "/modify/role", to: "command_tower/admin#modify_role", as: :"#{append_to_ass}_admin_modify_role_post"
+  end
+end

data/db/migrate/20241117043720_create_command_tower_users.rb

@@ -0,0 +1,42 @@
+class CreateCommandTowerUsers < ActiveRecord::Migration[7.2]
+  def change
+    create_table :users do |t|
+      t.string :first_name, null: false, default: ""
+      t.string :last_name, null: false, default: ""
+      t.string :username
+
+      t.string :last_known_timezone
+      t.timestamp :last_known_timezone_update
+
+      t.integer :successful_login, default: 0
+      t.string :last_login_strategy
+      t.datetime :last_login
+
+      t.string :roles, default: ""
+
+      ###
+      # Database token to verify JWT
+      # Token will allow JWT values to expire/reset all devices
+      t.string :verifier_token
+      t.datetime :verifier_token_last_reset
+
+      # Login Strategy: PlainText
+      t.string :email, null: false, default: ""
+      t.boolean :email_validated, default: false
+      t.integer :password_consecutive_fail, default: 0
+      t.string :password_digest, null: false, default: ""
+      t.string :recovery_password_digest, null: false, default: ""
+
+      # OTP strategy
+      # t.string :otp_secret
+      # t.string :otp_temp_secret
+      # t.integer :otp_consumed_timestep
+      # t.boolean :otp_enabled, default: false
+      # t.text :otp_backup_codes
+
+      t.timestamps
+    end
+
+    add_index :users, :username, unique: true
+  end
+end

data/db/migrate/20241204065708_create_command_tower_user_secrets.rb

@@ -0,0 +1,16 @@
+class CreateCommandTowerUserSecrets < ActiveRecord::Migration[7.2]
+  def change
+    create_table :user_secrets do |t|
+      t.references :user, null: false, foreign_key: true
+      t.integer :use_count, default: 0
+      t.integer :use_count_max
+      t.string :reason
+      t.string :extra
+      t.string :secret
+      t.datetime :death_time
+
+      t.timestamps
+    end
+    add_index :user_secrets, :secret, unique: true
+  end
+end

data/db/migrate/20250223023306_create_command_tower_messages.rb

@@ -0,0 +1,12 @@
+class CreateCommandTowerMessages < ActiveRecord::Migration[7.2]
+  def change
+    create_table :messages do |t|
+      t.timestamps
+      t.references :user, null: false, foreign_key: true # Required
+      t.text :text
+      t.string :title
+      t.boolean :viewed, default: false
+      t.boolean :pushed, default: false
+    end
+  end
+end

data/db/migrate/20250223023313_create_command_tower_message_blasts.rb

@@ -0,0 +1,14 @@
+class CreateCommandTowerMessageBlasts < ActiveRecord::Migration[7.2]
+  def change
+    create_table :message_blasts do |t|
+      t.timestamps
+      t.references :user, null: false, foreign_key: true # Required
+      t.text :text
+      t.string :title
+      t.boolean :existing_users, default: false
+      t.boolean :new_users, default: false
+    end
+
+    add_reference :messages, :message_blast, foreign_key: true, null: true
+  end
+end

data/lib/command_tower/authorization/default.yml

@@ -0,0 +1,42 @@
+---
+groups:
+  owner:
+    description: The owner of the application will have full access to all components
+    entities: true
+  admin:
+    description: |
+      This group defines permissions for Admin Read and Write operations. Users with this role will have
+      the ability to view and update other users states.
+    entities:
+      - admin
+      - message-blast
+  admin-without-impersonation:
+    description: |
+      This group defines permissions for Admin Read and Write operations. Users with this role will have
+      the ability to view and update other users states. However, impersonation is not permitted with this role
+    entities:
+      - admin-without-impersonate
+      - message-blast
+  admin-read-only:
+    description: |
+      This group defines permissions for Admin Read interface only.
+    entities:
+      - read-admin
+      - message-blast-read-only
+entities:
+  - name: message-blast
+    controller: CommandTower::Inbox::MessageBlastController
+  - name: message-blast-read-only
+    controller: CommandTower::Inbox::MessageBlastController
+    only: metadata
+  - name: read-admin
+    controller: CommandTower::AdminController
+    only: show
+  - name: admin
+    controller: CommandTower::AdminController
+  - name: admin-without-impersonate
+    controller: CommandTower::AdminController
+    except: impersonate
+
+
+

data/lib/command_tower/authorization/entity.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module CommandTower
+  module Authorization
+    class Entity
+      class << self
+        def create_entity(name:, controller:, only: nil, except: nil)
+          if entities[name]
+            Rails.logger.warn("Warning: Authorization entity #{name} duplicated. Only the most recent one will persist")
+          end
+
+          entities[name] = new(name:, controller:, only:, except:)
+
+          entities[name]
+        end
+
+        def entities
+          @entities ||= ActiveSupport::HashWithIndifferentAccess.new
+        end
+
+        def entities_reset!
+          @entities = ActiveSupport::HashWithIndifferentAccess.new
+        end
+      end
+
+      attr_reader :name, :controller, :only, :except
+      def initialize(name:, controller:, only: nil, except: nil)
+        @controller = controller
+        @except = except.nil? ? nil : Array(except).map(&:to_sym)
+        @only = only.nil? ? nil : Array(only).map(&:to_sym)
+
+        validate!
+      end
+
+      def humanize
+        "name:[#{name}]; controller:[#{controller}]; only:[#{only}]; except:[#{except}]"
+      end
+
+      # controller will be the class object
+      # method will be the string of the route method
+      def matches?(controller:, method:)
+        # Return early if the controller does not match the existing entity controller
+        return nil if @controller != controller
+
+        # We are in the correct controller
+
+        # if inclusions are not present, the check is on the entire contoller and we can return true
+        if only.nil? && except.nil?
+          return true
+        end
+
+        ## `only` or `except` is present at this point
+        if only
+          # If method is included in only, accept otherwise return reject
+          return only.include?(method.to_sym)
+        else
+          # If method is included in except, reject otherwise return accept
+          return !except.include?(method.to_sym)
+        end
+      end
+
+      # This is a custom method that can get overridden by a child class for custom
+      # authorization logic beyond grouping
+      def authorized?(user:)
+        true
+      end
+
+      private
+
+      def validate!
+        if @only && @except
+          raise Error, "kwargs `only` and `except` passed in. At most 1 can be passed in."
+        end
+
+        validate_controller!
+        validate_methods!(@only, :only)
+        validate_methods!(@except, :except)
+      end
+
+      def validate_controller!
+        return true if Class === @controller
+
+        @controller = @controller.constantize
+      rescue NameError => e
+        raise Error, "Controller [#{@controller}] was not found. Please validate spelling or ensure it is loaded earlier"
+      end
+
+      def validate_methods!(array_of_methods, string)
+        return if array_of_methods.nil?
+
+        missing_methods = array_of_methods.select do |method|
+          !@controller.instance_methods.include?(method)
+        end
+
+        return true if missing_methods.empty?
+
+        raise Error, "#{string} parameter is invalid. Controller [#{@controller}] is missing methods:[#{missing_methods}]"
+      end
+    end
+  end
+end

data/lib/command_tower/authorization/role.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module CommandTower
+  module Authorization
+    class Role
+      class << self
+        def create_role(name:, description:, entities: nil, allow_everything: false)
+          if roles[name]
+            raise Error, "Role [#{name}] already exists. Must use different name"
+          end
+
+          if allow_everything
+            Rails.logger.info { "Authorization Role: #{name} is granted authorization to all roles" }
+          else
+            unless Array(entities).all? { Entity === _1 }
+              raise Error, "Parameter :entities must include objects of or inherited by CommandTower::Authorization::Entity"
+            end
+          end
+
+          roles[name] = new(name:, description:, entities:, allow_everything:)
+          # A role is `intended` to be immutable (attr_reader)
+          # Once the role is defined it will not get changed
+          # After it is created, add the mapping to the source of truth list of mapped method names to their controllers
+          CommandTower::Authorization.add_mapping!(role: roles[name])
+
+          roles[name]
+        end
+
+        def roles
+          @roles ||= ActiveSupport::HashWithIndifferentAccess.new
+        end
+
+        def roles_reset!
+          @roles = ActiveSupport::HashWithIndifferentAccess.new
+        end
+      end
+
+      attr_reader :entities, :name, :description, :allow_everything
+      def initialize(name:, description:, entities:, allow_everything: false)
+        @name = name
+        @entities = Array(entities)
+        @description = description
+        @allow_everything = allow_everything
+      end
+
+      def authorized?(controller:, method:, user:)
+        return_value = { role: name, description: }
+        return return_value.merge(authorized: true, reason: "#{name} allows all authorizations") if allow_everything
+
+        matched_controllers = controller_entity_mapping[controller]
+        # if Role does not match any of the controllers
+        # explicitly return nil here to ensure upstream knows this role does not care about the route
+        return return_value.merge(authorized: nil, reason: "#{name} does not match") if matched_controllers.nil?
+
+        rejected_entities = matched_controllers.map do |entity|
+          case entity.matches?(controller:, method:)
+          when false, nil
+            { authorized: false, entity: entity.name, controller:, readable: entity.humanize, status: "Rejected by inclusion" }
+          when true
+            # Entity matches all inclusions
+            if entity.authorized?(user:)
+              # Do nothing! Entity has authorized the user
+            else
+              { authorized: false, entity: entity.name, controller:, readable: entity.humanize, status: "Rejected via custom Entity Authorization" }
+            end
+          end
+        end.compact
+
+        # If there were no entities that rejected authorization, return authorized
+        return return_value.merge(authorized: true, reason: "All entities approve authorization") if rejected_entities.empty?
+
+        return_value.merge(authorized: false, reason: "Subset of Entities Rejected authorization", rejected_entities:)
+      end
+
+      def guards
+        mapping = {}
+        controller_entity_mapping.each do |controller, entities|
+          mapping[controller] ||= []
+          entities.map do |entity|
+            if entity.only
+              # We only care about these methods on the controller
+              mapping[controller] += entity.only
+            elsif entity.except
+              # We care about all methods on the controller except these
+              mapping[controller] += controller.instance_methods(false) - entity.except
+            else
+              # We care about all methods on the controller
+              mapping[controller] += controller.instance_methods(false)
+            end
+          end
+        end
+
+        mapping
+      end
+
+      def controller_entity_mapping
+        @controller_entity_mapping ||= @entities.group_by(&:controller)
+      end
+    end
+  end
+end

data/lib/command_tower/authorization.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require "yaml"
+require "set"
+require "command_tower/error"
+require "command_tower/authorization/entity"
+require "command_tower/authorization/role"
+
+module CommandTower
+  module Authorization
+    module_function
+
+    class Error < CommandTower::Error; end
+
+    def mapped_controllers
+      @mapped_controllers ||= {}
+    end
+
+    def add_mapping!(role:)
+      role.guards.each do |controller, methods|
+        mapped_controllers[controller] ||= Set.new
+        mapped_controllers[controller] += methods
+      end
+    end
+
+    def mapped_controllers_reset!
+      @mapped_controllers = {}
+    end
+
+    def default_defined!
+      provision_rbac_default!
+      provision_rbac_user_defined!
+    end
+
+    def provision_rbac_user_defined!
+      path = CommandTower.config.authorization.rbac_group_path
+      rbac_configuration = load_yaml(path)
+      provision_rbac_via_yaml(rbac_configuration)
+    end
+
+    def provision_rbac_default!
+      path = CommandTower::Engine.root.join("lib", "command_tower", "authorization", "default.yml")
+      rbac_configuration = load_yaml(path)
+      provision_rbac_via_yaml(rbac_configuration)
+    end
+
+    def load_yaml(path)
+      return nil unless File.exist?(path)
+
+      YAML.load_file(path)
+    end
+
+    def provision_rbac_via_yaml(rbac_configuration)
+      return if rbac_configuration.nil?
+
+      rbac_configuration["entities"].each do |entity|
+        CommandTower::Authorization::Entity.create_entity(
+          name: entity["name"],
+          controller: entity["controller"],
+          only: entity["only"],
+          except: entity["except"],
+        )
+      end
+
+      rbac_configuration["groups"].each do |name, metadata|
+        entities = nil
+        allow_everything = false
+        description = metadata["description"]
+
+        if metadata["entities"] == true
+          allow_everything =  true
+        else
+          entities = CommandTower::Authorization::Entity.entities.map { |k, v| v if metadata["entities"].include?(k) }.compact
+        end
+
+        CommandTower::Authorization::Role.create_role(
+          name:,
+          entities:,
+          description:,
+          allow_everything:,
+        )
+      end
+    end
+  end
+end

data/lib/command_tower/configuration/admin/config.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require "class_composer"
+
+module CommandTower
+  module Configuration
+    module Admin
+      class Config
+        include ClassComposer::Generator
+
+        add_composer :enable,
+          desc: "Allow Admin Capabilities for the application. By default, this is enabled",
+          allowed: [FalseClass, TrueClass],
+          default: true
+      end
+    end
+  end
+end