ezcater_rubocop 6.0.3 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 144220e45db4ba03e7754c0f656cafe7650da1669157b65396c818762e7d9185
-  data.tar.gz: b1e19818de9418e2a822ef0d1a3c067870ed36d26c7addb6d831776b4590a25d
+  metadata.gz: ae4de56eb716caa74ed16c478e3b727fe7a6d4b8bd5d2cdf3ff69900a270b22b
+  data.tar.gz: acc031ba45d8fd09ec70dd131ad8e6948d31cd187b39819ce5923c8462fde004
 SHA512:
-  metadata.gz: 6da4228e123e62619f9ac2e66f53e766cd8a15160f6362fc7e33009b39749028a6e1dd4d835caa8fa101afe71dc743f6947622e43d2d3530b1ee23b3e539fadc
-  data.tar.gz: 6cbe86a738c2567d5829b58b18cc23e13f05125b4c19ebd7ad41ddbcc5945cc08774740353708488e9c88235bdf85dc5f317f7654322255c8e9bcc10c4489076
+  metadata.gz: 4031f298709b7870fac309511a37a0e00ec5da5fa722188aac31550137b6d313335f7f8b8f569b0b4e80251a8b1ac0efc9870585f982e098f5277875552229e8
+  data.tar.gz: c2cf80f65849d0a01dc2a0ccb8ff8bea65ecaecff167aefa6c4102adc5d956d6ca557583575905169b5c10004bf2c72455e22e73be27660c0b4bdb180118926c

data/CHANGELOG.md

@@ -6,6 +6,11 @@ This gem is moving onto its own [Semantic Versioning](https://semver.org/) schem
 
 Prior to v1.0.0 this gem was versioned based on the `MAJOR`.`MINOR` version of RuboCop. The first release of the ezcater_rubocop gem was `v0.49.0`.
 
+## 6.1.0
+
+- Add `Ezcater/GraphQL/NotAuthorizedScalarField` Cop which enforces the use
+  of authorization for scalar GraphQL fields. Not enforced by default.
+
 ## 6.0.3
 - Fix `FeatureFlagActive` cop so that it allows feature flag names to be constants and dot method calls in addition to strings.
 

data/README.md

@@ -81,6 +81,9 @@ not add cops with `enabled: false` unless you want that cop to always be disable
 
 * [FeatureFlagActive](https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/feature_flag_active.rb) - Enforce the proper arguments are given to `EzcaterFeatureFlag.active?`
 * [FeatureFlagNameValid](https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/feature_flag_name_valid.rb) - Enforce correct flag name format is being used.
+* [GraphQL/NotAuthorizedScalarField] - Enforces the use of
+  authorization (pundit or, optionally, the guard pattern) for scalar
+  fields. See examples within class comment for additional configuration.
 * [RailsConfiguration](https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/rails_configuration.rb) - Enforce use of `Rails.configuration` instead of `Rails.application.config`.
 * [RequireGqlErrorHelpers](https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/require_gql_error_helpers.rb) - Use the helpers provided by `GQLErrors` instead of raising `GraphQL::ExecutionError` directly.
 * [RspecDotNotSelfDot](https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/rspec_dot_not_self_dot.rb) - Enforce ".<class method>" instead of "self.<class method>" and "::<class method>" for example group description.
@@ -90,6 +93,8 @@ not add cops with `enabled: false` unless you want that cop to always be disable
 * [RspecRequireHttpStatusMatcher](https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/rspec_require_http_status_matcher.rb) - Use the HTTP status code matcher, like `expect(response).to have_http_status :bad_request`, rather than `expect(response.code).to eq 400`
 * [StyleDig](https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/style_dig.rb) - Recommend `dig` for deeply nested access.
 
+[GraphQL/NotAuthorizedScalarField]: https://github.com/ezcater/ezcater_rubocop/blob/main/lib/rubocop/cop/ezcater/graphql/not_authorized_scalar_field.rb)
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -104,6 +109,47 @@ To release a new version, update the version number in `version.rb`, merge your
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/ezcater/ezcater_rubocop.
 
+### Adding New Cops
+
+New cops can be generated via the `new_cop` rake task which generates
+the cop, the spec, updates imports, and adds configuration. Example:
+
+``` shell
+rake 'new_cop[Ezcater/foo_bar]'
+```
+
+Follow the instructions after the task executes and update code as
+necessary for consistency.
+
+
+In addition, you need to:
+
+1. Add the cop to the "Custom Cops" section of this README
+2. Bump the version.
+3. Add a CHANGELOG entry.
+
+
+### Version Bumps & Changelog Entries
+
+The version for this gem follows [Semantic Versioning]:
+
+1. Bump the MAJOR version for breaking changes. Example: new cop,
+   enabled by default and which cannot be safely autofixed.
+
+2. Bump the MINOR version for new functionality which will not disrupt
+   projects which depend on this gem. Example: new cop, not enabled by
+   default or which can safely be autofixed.
+
+3. Bump the PATCH version for backwards compatible bugfixes.
+
+[Semantic Versioning]: https://semver.org/
+
+The version does not need to be bumped and the changelog does not need
+to be updated for chores which do not affect users of this
+gem. Example: updating CI. Omitting these details helps keep the
+signal-to-noise ratio high for people upgrading the gem as these types
+of changes will not affect them.
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/config/default.yml

@@ -18,6 +18,14 @@ Ezcater/FeatureFlagNameValid:
   Description: "Enforce correct flag name format is being used."
   Enabled: true
 
+Ezcater/GraphQL/NotAuthorizedScalarField:
+  Description: 'Enforce the use of authorization for scalar GraphQL fields.'
+  Include:
+    - 'app/graphql/**/*.rb'
+    - 'packs/**/graphql/**/*.rb'
+  Enabled: false
+  VersionAdded: '6.1.0'
+
 Ezcater/RspecDotNotSelfDot:
   Description: 'Enforce ".<class method>" instead of "self.<class method>" for example group description.'
   Enabled: true

data/lib/ezcater_rubocop/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module EzcaterRubocop
-  VERSION = "6.0.3"
+  VERSION = "6.1.0"
 end

data/lib/ezcater_rubocop.rb

@@ -19,6 +19,7 @@ RuboCop::ConfigLoader.instance_variable_set(:@default_configuration, config)
 require "rubocop/cop/ezcater/direct_env_check"
 require "rubocop/cop/ezcater/feature_flag_active"
 require "rubocop/cop/ezcater/feature_flag_name_valid"
+require "rubocop/cop/ezcater/graphql/not_authorized_scalar_field"
 require "rubocop/cop/ezcater/rails_configuration"
 require "rubocop/cop/ezcater/rails_env"
 require "rubocop/cop/ezcater/ruby_timeout"

data/lib/rubocop/cop/ezcater/graphql/not_authorized_scalar_field.rb

@@ -0,0 +1,198 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Ezcater
+      module GraphQL
+        # Enforces authorization for scalar GraphQL fields. It
+        # identifies scalar fields by matching against the standard
+        # [graphql-ruby scalar types] by default.
+        #
+        # [graphql-ruby scalar types]: https://graphql-ruby.org/type_definitions/scalars.html
+        #
+        # @safety
+        #   This cop is unable to autocorrect violations as decision making is
+        #   required on the part of the developer.
+        #
+        # @example AllowGuards: false (default)
+        #   # Requires that pundit authorization is used on scalar fields.
+        #   # @see https://graphql-ruby.org/authorization/pundit_integration.html#authorizing-fields
+        #
+        #   # bad
+        #   field :secret_name, String
+        #
+        #   # bad
+        #   field :secret_name, String
+        #
+        #   def secret_name
+        #     SecretNameGuard.new(context, object).guard do |person|
+        #       person.secret_name
+        #     end
+        #   end
+
+        #   # good
+        #   field :name, String, pundit_role: :owner
+        #
+        #   # good
+        #   field :name, String, pundit_role: :view, pundit_policy_class: "SecretNamePolicy"
+        #
+        # @example AllowGuards: true
+        #   # In addition to the pundit enforcement demonstrated in the previous
+        #   # example, guard-style authentication is allowed for scalar fields
+        #   # when a resolver is defined in the same class.
+        #
+        #   # bad
+        #   field :secret_name, String
+        #
+        #   def secret_name
+        #     "Rumplestiltskin"
+        #   end
+        #
+        #   # good
+        #   field :secret_name, String
+        #
+        #   def secret_name
+        #     SecretNameGuard.new(context, object).guard do |person|
+        #       person.secret_name
+        #     end
+        #   end
+        #
+        # @example AdditionalScalarTypes: [] (default)
+        #   # This option specifies additional scalar types for this cop to pay
+        #   # attention to. By default, this list is empty.
+        #
+        #   # bad
+        #   field :secret_id, ID
+        #
+        #   # good (i.e. the cop doesn't pay attention to UUID by default)
+        #   field :secret_id, UUID
+        #
+        # @example AdditionalScalarTypes: ["UUID"]
+        #   # This example adds UUID to the types to observe.
+        #
+        #   # bad
+        #   field :secret_id, UUID
+        #
+        #   # good
+        #   field :secret_id, pundit_role: owner
+        #
+        # @example IgnoredFieldNames: [] (default)
+        #   # This option specifies field names to ignore.
+        #
+        #   # bad (the field name is not in the ignore list)
+        #   field :id, ID
+        #
+        # @example IgnoredFieldNames: ["id"]
+        #   # This examples adds "id" to the list of ignored field names.
+        #
+        #   # good
+        #   field :id, ID
+        #
+        class NotAuthorizedScalarField < Base
+          include RuboCop::GraphQL::NodePattern
+
+          MSG = "Ezcater/GraphQL/NotAuthorizedScalarFields: must be authorized."
+
+          # https://graphql-ruby.org/type_definitions/scalars.html
+          STANDARD_SCALAR_TYPES = %w(BigInt Boolean Float Int ID ISO8601Date ISO8601DateTime ISO8601Duration JSON
+                                     String).freeze
+
+          # @!method field_type(node)
+          def_node_matcher :field_type, <<~PATTERN
+            (send nil? :field _ (:const nil? $_) ...)
+          PATTERN
+
+          # @!method field_with_body_type(node)
+          def_node_matcher :field_with_body_type, <<~PATTERN
+            (block (send nil? :field _ (:const nil? $_) ...) ...)
+          PATTERN
+
+          # @!method field_with_guard_in_body?(node)
+          def_node_matcher :field_with_guard_in_body?, <<~PATTERN
+            (block
+              (send nil? :field ...)
+              _?
+              (block
+                (send
+                  (send
+                    (:const ...) :new
+                    (send nil? :context)
+                    (send nil? :object)) :guard)
+                ...) ...)
+          PATTERN
+
+          # @!method field_with_pundit?(node)
+          def_node_matcher :field_with_pundit?, <<~PATTERN
+            (send nil? :field _ _ (hash <(pair (sym :pundit_role) _) ...>))
+          PATTERN
+
+          # @!method field_with_pundit_with_body?(node)
+          def_node_matcher :field_with_pundit_with_body?, <<~PATTERN
+            (block (send nil? :field _ _ (hash <(pair (sym :pundit_role) _) ...>)) ...)
+          PATTERN
+
+          # @!method contains_resolver_method_with_guard?(node)
+          def_node_search :contains_resolver_method_with_guard?, <<~PATTERN
+            (def %1
+              (args)
+              (block
+                (send
+                  (send
+                    (:const ...) :new
+                    (send nil? :context)
+                    (send nil? :object)) :guard)
+                ...) ...)
+          PATTERN
+
+          def on_class(node)
+            body = RuboCop::GraphQL::SchemaMember.new(node).body
+
+            each_field_node(body) do |field_node|
+              check_field_for_offense(field_node, node)
+            end
+          end
+
+          private
+
+          def allow_guards?
+            @_allow_guards ||= !!cop_config["AllowGuards"]
+          end
+
+          def check_field_for_offense(field, class_node)
+            return if field_with_pundit?(field.node) || field_with_pundit_with_body?(field.node)
+            return if ignored_field_names.include?(field.underscore_name)
+
+            type = field_type(field.node) || field_with_body_type(field.node)
+            return unless scalar_types.include?(type.to_s)
+
+            return if allow_guards? && (
+                        field_with_guard_in_body?(field.node) ||
+                        contains_resolver_method_with_guard?(class_node, field.underscore_name.to_sym)
+                      )
+
+            add_offense(field.node)
+          end
+
+          def each_field_node(body)
+            return unless body
+
+            body.each do |node|
+              yield RuboCop::GraphQL::Field.new(node) if field?(node)
+            end
+          end
+
+          def ignored_field_names
+            @_ignored_field_names ||= (cop_config["IgnoredFieldNames"] || []).to_set
+          end
+
+          def scalar_types
+            return @_scalar_types if defined?(@_scalar_types)
+
+            additional_scalar_types = cop_config["AdditionalScalarTypes"] || []
+            @_scalar_types = STANDARD_SCALAR_TYPES.to_set.merge(additional_scalar_types)
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ezcater_rubocop
 version: !ruby/object:Gem::Version
-  version: 6.0.3
+  version: 6.1.0
 platform: ruby
 authors:
 - ezCater, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-21 00:00:00.000000000 Z
+date: 2023-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -216,6 +216,7 @@ files:
 - lib/rubocop/cop/ezcater/direct_env_check.rb
 - lib/rubocop/cop/ezcater/feature_flag_active.rb
 - lib/rubocop/cop/ezcater/feature_flag_name_valid.rb
+- lib/rubocop/cop/ezcater/graphql/not_authorized_scalar_field.rb
 - lib/rubocop/cop/ezcater/rails_configuration.rb
 - lib/rubocop/cop/ezcater/rails_env.rb
 - lib/rubocop/cop/ezcater/rails_top_level_sql_execute.rb