dscf-core 0.2.8 → 0.2.9

data/app/models/dscf/core/user.rb

@@ -14,6 +14,62 @@ module Dscf
 
       before_create :set_default_temp_password
 
+      # --- RBAC Helper Methods ---
+
+      # rubocop:disable Naming/PredicateName
+      def has_role?(role_code)
+        active_role_codes.include?(role_code.to_s.upcase)
+      end
+
+      def has_permission?(permission_code)
+        return true if super_admin?
+
+        active_permissions.include?(permission_code.to_s)
+      end
+
+      alias can? has_permission?
+
+      def has_all_permissions?(*permission_codes)
+        permission_codes.flatten.all? { |code| has_permission?(code) }
+      end
+
+      def has_any_permission?(*permission_codes)
+        permission_codes.flatten.any? { |code| has_permission?(code) }
+      end
+      # rubocop:enable Naming/PredicateName
+
+      def super_admin?
+        active_role_codes.include?("SUPER_ADMIN")
+      end
+
+      def active_permissions
+        @active_permissions ||= Set.new(
+          Permission
+            .joins(role_permissions: {role: :user_roles})
+            .where(
+              dscf_core_user_roles: {user_id: id},
+              dscf_core_roles: {active: true},
+              dscf_core_permissions: {active: true}
+            )
+            .where("dscf_core_user_roles.expires_at IS NULL OR dscf_core_user_roles.expires_at > ?", Time.current)
+            .pluck("dscf_core_permissions.code")
+        )
+      end
+
+      def active_role_codes
+        @active_role_codes ||= roles
+                               .where(active: true)
+                               .joins(:user_roles)
+                               .where(dscf_core_user_roles: {user_id: id})
+                               .where("dscf_core_user_roles.expires_at IS NULL OR dscf_core_user_roles.expires_at > ?", Time.current)
+                               .pluck("dscf_core_roles.code")
+      end
+
+      def clear_permission_cache!
+        @active_permissions = nil
+        @active_role_codes = nil
+      end
+
       def self.ransackable_attributes(_auth_object = nil)
         %w[id email phone verified_at created_at updated_at]
       end

data/app/models/dscf/core/user_role.rb

@@ -1,10 +1,30 @@
 module Dscf
   module Core
     class UserRole < ApplicationRecord
-      belongs_to :user
-      belongs_to :role
+      belongs_to :user, class_name: "Dscf::Core::User"
+      belongs_to :role, class_name: "Dscf::Core::Role"
+      belongs_to :assigned_by, class_name: "Dscf::Core::User", foreign_key: :assigned_by_id, optional: true
 
-      validates_uniqueness_of :user_id, scope: :role_id
+      validates :user_id, uniqueness: {scope: :role_id}
+
+      scope :active, -> { where("expires_at IS NULL OR expires_at > ?", Time.current) }
+      scope :expired, -> { where("expires_at IS NOT NULL AND expires_at <= ?", Time.current) }
+
+      def expired?
+        expires_at.present? && expires_at <= Time.current
+      end
+
+      def active?
+        !expired?
+      end
+
+      def self.ransackable_attributes(_auth_object = nil)
+        %w[id user_id role_id assigned_by_id expires_at created_at updated_at]
+      end
+
+      def self.ransackable_associations(_auth_object = nil)
+        %w[user role assigned_by]
+      end
     end
   end
 end

data/app/policies/dscf/core/application_policy.rb

@@ -0,0 +1,62 @@
+module Dscf
+  module Core
+    class ApplicationPolicy
+      attr_reader :user, :record
+
+      def initialize(user, record)
+        @user = user
+        @record = record
+      end
+
+      def index?
+        user.has_permission?(permission_code(:index))
+      end
+
+      def show?
+        user.has_permission?(permission_code(:show))
+      end
+
+      def create?
+        user.has_permission?(permission_code(:create))
+      end
+
+      def update?
+        user.has_permission?(permission_code(:update))
+      end
+
+      def destroy?
+        user.has_permission?(permission_code(:destroy))
+      end
+
+      class Scope
+        attr_reader :user, :scope
+
+        def initialize(user, scope)
+          @user = user
+          @scope = scope
+        end
+
+        def resolve
+          return scope.all if user.super_admin?
+          return scope.none unless user.has_permission?(index_permission_code)
+
+          scope.all
+        end
+
+        private
+
+        def index_permission_code
+          resource_name = scope.name.demodulize.underscore.pluralize
+          "#{resource_name}.index"
+        end
+      end
+
+      private
+
+      def permission_code(action)
+        resource_name = record.class.name.demodulize.underscore.pluralize
+        "#{resource_name}.#{action}"
+      end
+    end
+  end
+end

data/app/policies/dscf/core/business_policy.rb

@@ -0,0 +1,29 @@
+module Dscf
+  module Core
+    class BusinessPolicy < ApplicationPolicy
+      def submit?
+        user.has_permission?("businesses.submit")
+      end
+
+      def approve?
+        user.has_permission?("businesses.approve")
+      end
+
+      def reject?
+        user.has_permission?("businesses.reject")
+      end
+
+      def request_modification?
+        user.has_permission?("businesses.request_modification")
+      end
+
+      def resubmit?
+        user.has_permission?("businesses.resubmit")
+      end
+
+      def my_business?
+        user.has_permission?("businesses.index")
+      end
+    end
+  end
+end

data/app/policies/dscf/core/business_type_policy.rb

@@ -0,0 +1,6 @@
+module Dscf
+  module Core
+    class BusinessTypePolicy < ApplicationPolicy
+    end
+  end
+end

data/app/policies/dscf/core/permission_policy.rb

@@ -0,0 +1,6 @@
+module Dscf
+  module Core
+    class PermissionPolicy < ApplicationPolicy
+    end
+  end
+end

data/app/policies/dscf/core/role_policy.rb

@@ -0,0 +1,25 @@
+module Dscf
+  module Core
+    class RolePolicy < ApplicationPolicy
+      def submit?
+        false
+      end
+
+      def approve?
+        false
+      end
+
+      def reject?
+        false
+      end
+
+      def request_modification?
+        false
+      end
+
+      def resubmit?
+        false
+      end
+    end
+  end
+end

data/app/serializers/dscf/core/attachment_serializer.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Dscf
+  module Core
+    class AttachmentSerializer < ActiveModel::Serializer
+      attributes :file_key, :filename, :content_type, :size,
+                 :human_size, :extension, :is_image, :is_pdf, :url
+
+      def human_size
+        object.human_size
+      end
+
+      def extension
+        object.extension
+      end
+
+      def is_image
+        object.image?
+      end
+
+      def is_pdf
+        object.pdf?
+      end
+
+      def url
+        object.url
+      end
+    end
+  end
+end

data/app/serializers/dscf/core/permission_serializer.rb

@@ -0,0 +1,7 @@
+module Dscf
+  module Core
+    class PermissionSerializer < ActiveModel::Serializer
+      attributes :id, :code, :resource, :action, :engine, :description, :active
+    end
+  end
+end

data/app/serializers/dscf/core/role_light_serializer.rb

@@ -0,0 +1,7 @@
+module Dscf
+  module Core
+    class RoleLightSerializer < ActiveModel::Serializer
+      attributes :id, :code, :name, :description, :active
+    end
+  end
+end

data/app/serializers/dscf/core/role_permission_serializer.rb

@@ -0,0 +1,9 @@
+module Dscf
+  module Core
+    class RolePermissionSerializer < ActiveModel::Serializer
+      attributes :id, :role_id, :permission_id, :created_at
+
+      belongs_to :permission, serializer: Dscf::Core::PermissionSerializer
+    end
+  end
+end

data/app/serializers/dscf/core/role_serializer.rb

@@ -1,9 +1,9 @@
 module Dscf
   module Core
     class RoleSerializer < ActiveModel::Serializer
-      attributes :id, :code, :name, :created_at, :updated_at
+      attributes :id, :code, :name, :description, :active, :created_at, :updated_at
 
-      has_many :user_roles, serializer: Dscf::Core::UserRoleSerializer
+      has_many :permissions, serializer: Dscf::Core::PermissionSerializer
     end
   end
 end

data/app/serializers/dscf/core/user_auth_serializer.rb

@@ -1,10 +1,14 @@
 module Dscf
   module Core
     class UserAuthSerializer < ActiveModel::Serializer
-      attributes :id, :email, :phone, :verified_at
+      attributes :id, :email, :phone, :verified_at, :permissions
 
       has_one :user_profile, serializer: Dscf::Core::UserProfileSerializer
-      has_many :roles, serializer: Dscf::Core::RoleSerializer
+      has_many :roles, serializer: Dscf::Core::RoleLightSerializer
+
+      def permissions
+        object.active_permissions.to_a
+      end
     end
   end
 end

data/app/serializers/dscf/core/user_role_serializer.rb

@@ -1,10 +1,9 @@
 module Dscf
   module Core
     class UserRoleSerializer < ActiveModel::Serializer
-      attributes :id, :created_at, :updated_at
+      attributes :id, :user_id, :role_id, :assigned_by_id, :expires_at, :created_at
 
-      belongs_to :user, serializer: UserSerializer
-      belongs_to :role, serializer: RoleSerializer
+      belongs_to :role, serializer: Dscf::Core::RoleSerializer
     end
   end
 end

data/app/services/dscf/core/file_storage/client.rb

@@ -0,0 +1,210 @@
+# frozen_string_literal: true
+
+module Dscf
+  module Core
+    module FileStorage
+      # Low-level HTTP client for MinIO service
+      # This is an internal class - other engines should NOT use this directly
+      class Client
+        include HTTParty
+
+        class UploadError < StandardError; end
+        class DownloadError < StandardError; end
+        class ConfigurationError < StandardError; end
+
+        def initialize(app_name: nil, record_class: nil)
+          @base_uri = ENV.fetch("MINIO_SERVICE_URL", "http://localhost:3001")
+          @record_class = record_class
+          @api_key = resolve_api_key(app_name)
+          validate_configuration!
+        end
+
+        # Upload a file to MinIO
+        # @param file [ActionDispatch::Http::UploadedFile, File, IO] the file to upload
+        # @param filename [String] optional custom filename
+        # @return [Hash] { file_key:, filename:, size:, content_type: }
+        def upload(file, filename: nil)
+          prepared = prepare_file(file, filename)
+
+          response = self.class.post(
+            "#{@base_uri}/upload",
+            headers: auth_headers,
+            body: {file: prepared[:io]},
+            multipart: true,
+            timeout: 60
+          )
+
+          handle_upload_response(response, prepared)
+        end
+
+        # Download a file from MinIO
+        # @param file_key [String] the file key/name in MinIO
+        # @return [Hash] { data:, filename:, content_type: }
+        def download(file_key)
+          response = self.class.get(
+            "#{@base_uri}/download/#{URI.encode_www_form_component(file_key)}",
+            headers: auth_headers,
+            timeout: 60
+          )
+
+          handle_download_response(response, file_key)
+        end
+
+        # Check if file exists
+        # @param file_key [String] the file key/name in MinIO
+        # @return [Boolean]
+        def exists?(file_key)
+          response = self.class.head(
+            "#{@base_uri}/download/#{URI.encode_www_form_component(file_key)}",
+            headers: auth_headers,
+            timeout: 10
+          )
+          response.success?
+        rescue StandardError
+          false
+        end
+
+        # Delete a file from MinIO
+        # @param file_key [String] the file key/name in MinIO
+        # @return [Boolean]
+        def delete(file_key)
+          response = self.class.delete(
+            "#{@base_uri}/delete/#{URI.encode_www_form_component(file_key)}",
+            headers: auth_headers,
+            timeout: 30
+          )
+          response.success?
+        rescue StandardError => e
+          Rails.logger.error("FileStorage::Client delete error: #{e.message}")
+          false
+        end
+
+        private
+
+        def resolve_api_key(app_name)
+          # Priority: explicit app name -> engine-specific -> default
+          key_name = app_name&.upcase&.gsub("-", "_") || detect_engine_name
+
+          # Check all possible env var keys
+          possible_keys = [
+            "MINIO_API_KEY_DSCF_#{key_name}",
+            "MINIO_API_KEY_#{key_name}",
+            "MINIO_API_KEY"
+          ]
+
+          api_key = possible_keys.find { |k| ENV[k].present? }.then { |k| ENV[k] }
+
+          Rails.logger.debug("MinIO API Key lookup: key_name=#{key_name}, tried=#{possible_keys.inspect}, found=#{api_key.present?}")
+          Rails.logger.debug("Available MINIO env vars: #{ENV.select { |k, _v| k.start_with?('MINIO_') }.keys.inspect}")
+
+          api_key
+        end
+
+        def detect_engine_name
+          # First try to detect from record class namespace
+          if @record_class
+            namespace = @record_class.name.split("::")[1] # Dscf::Credit::Bank -> Credit
+            if namespace && namespace != "Core"
+              Rails.logger.debug("MinIO engine detection: from record_class=#{@record_class.name}, detected=#{namespace.upcase}")
+              return namespace.upcase
+            end
+          end
+
+          # Fallback: Auto-detect engine based on caller (skip dscf_core since storage is in core)
+          caller_paths = caller.select { |c| c.include?("/dscf_") && !c.include?("/dscf_core/") }
+
+          caller_path = caller_paths.first
+          return "CORE" unless caller_path
+
+          match = caller_path.match(%r{/dscf_(\w+)/})
+          detected = match ? match[1].upcase : "CORE"
+
+          Rails.logger.debug("MinIO engine detection: caller_path=#{caller_path}, detected=#{detected}")
+          detected
+        end
+
+        def validate_configuration!
+          raise ConfigurationError, "MINIO_SERVICE_URL is not configured" if @base_uri.blank?
+
+          return unless @api_key.blank?
+
+          detected = detect_engine_name
+          raise ConfigurationError,
+                "MINIO_API_KEY is not configured. Looked for: MINIO_API_KEY_DSCF_#{detected}, MINIO_API_KEY_#{detected}, MINIO_API_KEY"
+        end
+
+        def auth_headers
+          {"x-api-key" => @api_key}
+        end
+
+        def prepare_file(file, custom_filename)
+          # Use duck typing for better test compatibility
+          if file.respond_to?(:tempfile) && file.respond_to?(:original_filename)
+            # ActionDispatch::Http::UploadedFile or similar
+            {
+              io: file.tempfile,
+              filename: custom_filename || file.original_filename,
+              content_type: file.content_type,
+              size: file.size
+            }
+          elsif file.is_a?(File)
+            {
+              io: file,
+              filename: custom_filename || File.basename(file.path),
+              content_type: Marcel::MimeType.for(file),
+              size: file.size
+            }
+          elsif file.is_a?(Hash)
+            # Support { io:, filename:, content_type: } format
+            {
+              io: file[:io],
+              filename: custom_filename || file[:filename],
+              content_type: file[:content_type],
+              size: file[:io].respond_to?(:size) ? file[:io].size : nil
+            }
+          else
+            raise ArgumentError, "Unsupported file type: #{file.class}"
+          end
+        end
+
+        def handle_upload_response(response, prepared)
+          unless response.success?
+            error_message = response.parsed_response&.dig("message") || "Upload failed"
+            raise UploadError, "#{error_message} (HTTP #{response.code})"
+          end
+
+          body = response.parsed_response
+          {
+            file_key: body["fileName"],
+            filename: prepared[:filename],
+            size: body["size"] || prepared[:size],
+            content_type: body["mimeType"] || prepared[:content_type]
+          }
+        end
+
+        def handle_download_response(response, file_key)
+          unless response.success?
+            error_message = response.parsed_response&.dig("message") || "Download failed"
+            raise DownloadError, "#{error_message} (HTTP #{response.code})"
+          end
+
+          content_disposition = response.headers["content-disposition"]
+          filename = extract_filename(content_disposition) || file_key
+
+          {
+            data: response.body,
+            filename: filename,
+            content_type: response.headers["content-type"] || "application/octet-stream"
+          }
+        end
+
+        def extract_filename(content_disposition)
+          return nil unless content_disposition
+
+          match = content_disposition.match(/filename="?([^";\s]+)"?/)
+          match&.[](1)
+        end
+      end
+    end
+  end
+end

data/app/services/dscf/core/file_storage/uploader.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module Dscf
+  module Core
+    module FileStorage
+      # Handles file uploads with validation
+      class Uploader
+        DEFAULT_MAX_SIZE = 5.megabytes
+        DEFAULT_ALLOWED_TYPES = %w[
+          application/pdf
+          image/png
+          image/jpeg
+          image/webp
+        ].freeze
+
+        attr_reader :errors
+
+        def initialize(options = {})
+          @max_size = options[:max_size] || DEFAULT_MAX_SIZE
+          @allowed_types = options[:allowed_types] || DEFAULT_ALLOWED_TYPES
+          @record_class = options[:record_class]
+          @client = options[:client] || Client.new(record_class: @record_class)
+          @errors = []
+        end
+
+        # Upload a single file
+        # @param file [ActionDispatch::Http::UploadedFile, File, IO, Hash]
+        # @param options [Hash] additional options (filename, metadata)
+        # @return [Hash, nil] hash with file_key, filename, content_type, size, metadata
+        def upload(file, **options)
+          @errors = []
+
+          return nil unless validate_file(file)
+
+          result = @client.upload(file, filename: options[:filename])
+
+          {
+            file_key: result[:file_key],
+            filename: result[:filename],
+            content_type: result[:content_type],
+            size: result[:size],
+            metadata: options[:metadata] || {}
+          }
+        rescue Client::UploadError => e
+          @errors << e.message
+          nil
+        rescue StandardError => e
+          Rails.logger.error("FileStorage::Uploader error: #{e.message}")
+          @errors << "An unexpected error occurred during upload"
+          nil
+        end
+
+        # Upload multiple files
+        # @param files [Array<ActionDispatch::Http::UploadedFile>]
+        # @param options [Hash] additional options
+        # @return [Array<Hash>] array of hashes with file info
+        def upload_many(files, **options)
+          Array(files).filter_map do |file|
+            upload(file, **options)
+          end
+        end
+
+        # Check if last upload was successful
+        def success?
+          @errors.empty?
+        end
+
+        private
+
+        def validate_file(file)
+          validate_presence(file) &&
+            validate_size(file) &&
+            validate_type(file)
+        end
+
+        def validate_presence(file)
+          if file.blank?
+            @errors << "No file provided"
+            return false
+          end
+          true
+        end
+
+        def validate_size(file)
+          size = extract_size(file)
+          return true if size.nil? # Can't validate if size unknown
+
+          if size > @max_size
+            max_human = ActiveSupport::NumberHelper.number_to_human_size(@max_size)
+            @errors << "File size exceeds maximum allowed (#{max_human})"
+            return false
+          end
+          true
+        end
+
+        def validate_type(file)
+          content_type = extract_content_type(file)
+          return true if content_type.nil? # Can't validate if type unknown
+
+          unless @allowed_types.include?(content_type)
+            @errors << "File type '#{content_type}' is not allowed. Allowed: #{@allowed_types.join(', ')}"
+            return false
+          end
+          true
+        end
+
+        def extract_size(file)
+          if file.respond_to?(:size)
+            file.size
+          elsif file.is_a?(Hash) && file[:io].respond_to?(:size)
+            file[:io].size
+          end
+        end
+
+        def extract_content_type(file)
+          if file.respond_to?(:content_type)
+            file.content_type
+          elsif file.is_a?(Hash)
+            file[:content_type]
+          elsif file.is_a?(File)
+            Marcel::MimeType.for(file)
+          end
+        end
+      end
+    end
+  end
+end