forest_admin_agent 1.0.0.pre.beta.21 → 1.0.0.pre.beta.23

data/lib/forest_admin_agent/routes/resources/show.rb

@@ -15,16 +15,18 @@ module ForestAdminAgent
 
         def handle_request(args = {})
           build(args)
+          @permissions.can?(:read, @collection)
+          scope = @permissions.get_scope(@collection)
           id = Utils::Id.unpack_id(@collection, args[:params]['id'], with_key: true)
-          caller = ForestAdminAgent::Utils::QueryStringParser.parse_caller(args)
           condition_tree = ConditionTree::ConditionTreeFactory.match_records(@collection, [id])
           filter = ForestAdminDatasourceToolkit::Components::Query::Filter.new(
-            condition_tree: condition_tree,
+            condition_tree: ConditionTree::ConditionTreeFactory.intersect([condition_tree, scope]),
             page: ForestAdminAgent::Utils::QueryStringParser.parse_pagination(args)
           )
+
           projection = ProjectionFactory.all(@collection)
 
-          records = @collection.list(caller, filter, projection)
+          records = @collection.list(@caller, filter, projection)
 
           raise Http::Exceptions::NotFoundError, 'Record does not exists' unless records.size.positive?
 

data/lib/forest_admin_agent/routes/resources/store.rb

@@ -15,6 +15,7 @@ module ForestAdminAgent
 
         def handle_request(args = {})
           build(args)
+          @permissions.can?(:add, @collection)
           data = format_attributes(args)
           record = @collection.create(@caller, data)
           link_one_to_one_relations(args, record)
@@ -32,17 +33,17 @@ module ForestAdminAgent
         def link_one_to_one_relations(args, record)
           args[:params][:data][:relationships]&.map do |field, value|
             schema = @collection.fields[field]
-            if schema.type == 'OneToOne'
-              id = Utils::Id.unpack_id(@collection, value['data']['id'], with_key: true)
-              foreign_collection = @datasource.collection(schema.foreign_collection)
-              # Load the value that will be used as origin_key
-              origin_value = record[schema.origin_key_target]
+            next unless schema.type == 'OneToOne'
 
-              # update new relation (may update zero or one records).
-              condition_tree = ConditionTree::ConditionTreeFactory.match_records(foreign_collection, [id])
-              filter = Filter.new(condition_tree: condition_tree)
-              foreign_collection.update(@caller, filter, { schema.origin_key => origin_value })
-            end
+            id = Utils::Id.unpack_id(@collection, value['data']['id'], with_key: true)
+            foreign_collection = @datasource.collection(schema.foreign_collection)
+            # Load the value that will be used as origin_key
+            origin_value = record[schema.origin_key_target]
+
+            # update new relation (may update zero or one records).
+            condition_tree = ConditionTree::ConditionTreeFactory.match_records(foreign_collection, [id])
+            filter = Filter.new(condition_tree: condition_tree)
+            foreign_collection.update(@caller, filter, { schema.origin_key => origin_value })
           end
         end
       end

data/lib/forest_admin_agent/routes/resources/update.rb

@@ -16,16 +16,17 @@ module ForestAdminAgent
 
         def handle_request(args = {})
           build(args)
+          @permissions.can?(:edit, @collection)
+          scope = @permissions.get_scope(@collection)
           id = Utils::Id.unpack_id(@collection, args[:params]['id'], with_key: true)
-          caller = ForestAdminAgent::Utils::QueryStringParser.parse_caller(args)
           condition_tree = ConditionTree::ConditionTreeFactory.match_records(@collection, [id])
           filter = ForestAdminDatasourceToolkit::Components::Query::Filter.new(
-            condition_tree: condition_tree,
+            condition_tree: ConditionTree::ConditionTreeFactory.intersect([condition_tree, scope]),
             page: ForestAdminAgent::Utils::QueryStringParser.parse_pagination(args)
           )
           data = format_attributes(args)
           @collection.update(@caller, filter, data)
-          records = @collection.list(caller, filter, ProjectionFactory.all(@collection))
+          records = @collection.list(@caller, filter, ProjectionFactory.all(@collection))
 
           {
             name: args[:params]['collection_name'],

data/lib/forest_admin_agent/serializer/forest_chart_serializer.rb

@@ -0,0 +1,19 @@
+require 'securerandom'
+
+module ForestAdminAgent
+  module Serializer
+    class ForestChartSerializer
+      def self.serialize(chart)
+        {
+          data: {
+            id: SecureRandom.uuid,
+            type: 'stats',
+            attributes: {
+              value: chart.serialize
+            }
+          }
+        }
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/services/permissions.rb

@@ -0,0 +1,268 @@
+require 'filecache'
+require 'deepsort'
+
+module ForestAdminAgent
+  module Services
+    class Permissions
+      include ForestAdminAgent::Http::Exceptions
+      include ForestAdminAgent::Utils
+      include ForestAdminDatasourceToolkit::Exceptions
+      include ForestAdminDatasourceToolkit::Components::Query::ConditionTree
+
+      attr_reader :caller, :forest_api, :cache
+
+      def initialize(caller)
+        @caller = caller
+        @forest_api = ForestAdminAgent::Http::ForestAdminApiRequester.new
+        @cache = FileCache.new(
+          'permissions',
+          Facades::Container.config_from_cache[:cache_dir].to_s,
+          Facades::Container.config_from_cache[:permission_expiration]
+        )
+      end
+
+      def self.invalidate_cache(id_cache = nil)
+        cache = FileCache.new(
+          'permissions',
+          Facades::Container.config_from_cache[:cache_dir].to_s,
+          Facades::Container.config_from_cache[:permission_expiration]
+        )
+
+        cache.clear if id_cache.nil?
+
+        cache.delete(id_cache) unless cache.get(id_cache).nil?
+
+        # TODO: HANDLE LOGGER
+        # logger.debug("Invalidating #{id_cache} cache..")
+      end
+
+      def can?(action, collection, allow_fetch: false)
+        return true unless permission_system?
+
+        user_data = get_user_data(caller.id)
+        collections_data = get_collections_permissions_data(force_fetch: allow_fetch)
+
+        is_allowed = collections_data.key?(collection.name.to_sym) && collections_data[collection.name.to_sym][action].include?(user_data[:roleId])
+
+        # Refetch
+        unless is_allowed
+          collections_data = get_collections_permissions_data(force_fetch: true)
+          is_allowed = collections_data[collection.name.to_sym][action].include?(user_data[:roleId])
+        end
+
+        # still not allowed - throw forbidden message
+        raise ForbiddenError, "You don't have permission to #{action} this collection." unless is_allowed
+
+        is_allowed
+      end
+
+      def can_chart?(parameters)
+        attributes = sanitize_chart_parameters(parameters.deep_symbolize_keys)
+        hash_request = "#{attributes[:type]}:#{array_hash(attributes)}"
+        is_allowed = get_chart_data(caller.rendering_id).include?(hash_request)
+
+        # Refetch
+        is_allowed ||= get_chart_data(caller.rendering_id, force_fetch: true).include?(hash_request)
+
+        # still not allowed - throw forbidden message
+        unless is_allowed
+          # TODO: HANDLE LOGGER
+          # logger.debug("User #{caller.id} cannot retrieve chart on rendering #{caller.rendering_id}")
+          raise ForbiddenError, "You don't have permission to access this collection."
+        end
+
+        # TODO: HANDLE LOGGER
+        # logger.debug("User #{caller.id} can retrieve chart on rendering #{caller.rendering_id}")
+
+        is_allowed
+      end
+
+      def can_smart_action?(request, collection, filter, allow_fetch: true)
+        return true unless permission_system?
+
+        user_data = get_user_data(caller.id)
+        collections_data = get_collections_permissions_data(force_fetch: allow_fetch)
+        action = find_action_from_endpoint(collection.name, request[:headers]['REQUEST_PATH'], request[:headers]['REQUEST_METHOD'])
+        smart_action_approval = SmartActionChecker.new(
+          request[:params],
+          collection,
+          collections_data[collection.name.to_sym][:actions][action[:name]],
+          caller,
+          user_data[:roleId],
+          filter
+        )
+
+        smart_action_approval.can_execute?
+        # TODO: HANDLE LOGGER
+        # logger.debug("User #{user_data[:roleId]} is #{is_allowed ? '' : 'not'} allowed to perform #{action['name']}")
+      end
+
+      def get_scope(collection)
+        permissions = get_scope_and_team_data(caller.rendering_id)
+        scope = permissions[:scopes][collection.name.to_sym]
+
+        return nil if scope.nil?
+
+        context_variables = ContextVariables.new(team, user)
+
+        ContextVariablesInjector.inject_context_in_filter(scope, context_variables)
+      end
+
+      def get_user_data(user_id)
+        cache.get_or_set('forest.users') do
+          response = fetch('/liana/v4/permissions/users')
+          users = {}
+
+          response.each do |user|
+            users[user[:id].to_s] = user
+          end
+
+          # TODO: HANDLE LOGGER
+          # logger.debug('Refreshing user permissions cache')
+
+          users
+        end[user_id.to_s]
+      end
+
+      def get_team(rendering_id)
+        permissions = get_scope_and_team_data(rendering_id)
+
+        permissions[:team]
+      end
+
+      private
+
+      def get_collections_permissions_data(force_fetch: false)
+        self.class.invalidate_cache('forest.collections') if force_fetch == true
+
+        cache.get_or_set('forest.collections') do
+          response = fetch('/liana/v4/permissions/environment')
+          collections = {}
+
+          response[:collections].each do |name, collection|
+            collections[name] = decode_crud_permissions(collection).merge(decode_action_permissions(collection))
+          end
+
+          # TODO: HANDLE LOGGER
+          # logger.debug('Fetching environment permissions')
+
+          collections
+        end
+      end
+
+      def get_chart_data(rendering_id, force_fetch: false)
+        self.class.invalidate_cache('forest.stats') if force_fetch == true
+
+        cache.get_or_set('forest.stats') do
+          response = fetch("/liana/v4/permissions/renderings/#{rendering_id}")
+          stat_hash = []
+          response[:stats].each do |stat|
+            stat = stat.select { |_, value| !value.nil? && value != '' }
+            stat_hash << "#{stat[:type]}:#{array_hash(stat)}"
+          end
+
+          # TODO: HANDLE LOGGER
+          # logger.debug("Loading rendering permissions for rendering #{rendering_id}")
+
+          stat_hash
+        end
+      end
+
+      def sanitize_chart_parameters(parameters)
+        parameters.delete(:timezone)
+        parameters.delete(:collection)
+        parameters.delete(:contextVariables)
+        # rails
+        parameters.delete(:route_alias)
+        parameters.delete(:controller)
+        parameters.delete(:action)
+        parameters.delete(:collection_name)
+        parameters.delete(:forest)
+
+        parameters.select { |_, value| !value.nil? && value != '' }
+      end
+
+      def array_hash(data)
+        Digest::SHA1.hexdigest(data.deep_sort.to_h.to_s)
+      end
+
+      def get_scope_and_team_data(rendering_id)
+        cache.get_or_set('forest.scopes') do
+          data = {}
+          response = fetch("/liana/v4/permissions/renderings/#{rendering_id}")
+
+          data[:scopes] = decode_scope_permissions(response[:collections])
+          data[:team] = response[:team]
+
+          data
+        end
+      end
+
+      def permission_system?
+        cache.get_or_set('forest.has_permission') do
+          response = fetch('/liana/v4/permissions/environment')
+          { enable: response != true }
+        end[:enable]
+      end
+
+      def find_action_from_endpoint(collection_name, endpoint, http_method)
+        schema_file = JSON.parse(File.read(Facades::Container.config_from_cache[:schema_path]))
+        actions = schema_file['collections']&.select { |collection| collection['name'] == collection_name }&.first&.dig('actions')
+
+        return nil if actions.nil? || actions.empty?
+
+        action = actions.find { |a| a['endpoint'] == endpoint && a['http_method'].casecmp(http_method).zero? }
+
+        raise ForestException, "The collection #{collection_name} does not have this smart action" if action.nil?
+
+        action
+      end
+
+      def decode_crud_permissions(collection)
+        {
+          browse: collection[:collection][:browseEnabled][:roles],
+          read: collection[:collection][:readEnabled][:roles],
+          edit: collection[:collection][:editEnabled][:roles],
+          add: collection[:collection][:addEnabled][:roles],
+          delete: collection[:collection][:deleteEnabled][:roles],
+          export: collection[:collection][:exportEnabled][:roles]
+        }
+      end
+
+      def decode_action_permissions(collection)
+        actions = {}
+        actions[:actions] = {}
+        collection[:actions].each do |id, action|
+          actions[:actions][id] = {
+            triggerEnabled: action[:triggerEnabled][:roles],
+            triggerConditions: action[:triggerConditions],
+            approvalRequired: action[:approvalRequired][:roles],
+            approvalRequiredConditions: action[:approvalRequiredConditions],
+            userApprovalEnabled: action[:userApprovalEnabled][:roles],
+            userApprovalConditions: action[:userApprovalConditions],
+            selfApprovalEnabled: action[:selfApprovalEnabled][:roles]
+          }
+        end
+
+        actions
+      end
+
+      def decode_scope_permissions(raw_permissions)
+        scopes = {}
+        raw_permissions.each do |collection_name, value|
+          scopes[collection_name] = ConditionTreeFactory.from_plain_object(value[:scope]) unless value[:scope].nil?
+        end
+
+        scopes
+      end
+
+      def fetch(url)
+        response = forest_api.get(url)
+
+        JSON.parse(response.body, symbolize_names: true)
+      rescue StandardError => e
+        forest_api.handle_response_error(e)
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/services/smart_action_checker.rb

@@ -0,0 +1,95 @@
+module ForestAdminAgent
+  module Services
+    class SmartActionChecker
+      include ForestAdminAgent::Http::Exceptions
+      include ForestAdminAgent::Utils
+      include ForestAdminDatasourceToolkit::Utils
+      include ForestAdminDatasourceToolkit::Components::Query
+      include ForestAdminDatasourceToolkit::Components::Query::ConditionTree
+
+      attr_reader :parameters, :collection, :smart_action, :caller, :role_id, :filter, :attributes
+
+      TRIGGER_FORBIDDEN_ERROR = 'CustomActionTriggerForbiddenError'.freeze
+
+      REQUIRE_APPROVAL_ERROR = 'CustomActionRequiresApprovalError'.freeze
+
+      INVALID_ACTION_CONDITION_ERROR = 'InvalidActionConditionError'.freeze
+
+      def initialize(parameters, collection, smart_action, caller, role_id, filter)
+        @parameters = parameters
+        @collection = collection
+        @smart_action = smart_action
+        @caller = caller
+        @role_id = role_id
+        @filter = filter
+        @attributes = parameters[:data][:attributes]
+      end
+
+      def can_execute?
+        if attributes[:signed_approval_request].nil?
+          can_trigger?
+        else
+          can_approve?
+        end
+      end
+
+      private
+
+      def can_approve?
+        if smart_action[:userApprovalEnabled].include?(role_id) &&
+           (smart_action[:userApprovalConditions].empty? || match_conditions(:userApprovalConditions)) &&
+           (attributes[:requester_id] != caller.id || smart_action[:selfApprovalEnabled].include?(role_id))
+          return true
+        end
+
+        raise ForbiddenError.new('You don\'t have the permission to trigger this action.', TRIGGER_FORBIDDEN_ERROR)
+      end
+
+      def can_trigger?
+        if smart_action[:triggerEnabled].include?(role_id) && !smart_action[:approvalRequired].include?(role_id)
+          return true if smart_action[:triggerConditions].empty? || match_conditions(:triggerConditions)
+        elsif smart_action[:approvalRequired].include?(role_id) && smart_action[:triggerEnabled].include?(role_id)
+          if smart_action[:approvalRequiredConditions].empty? || match_conditions(:approvalRequiredConditions)
+            raise RequireApproval.new(
+              'This action requires to be approved.',
+              REQUIRE_APPROVAL_ERROR,
+              smart_action[:userApprovalEnabled]
+            )
+          elsif smart_action[:triggerConditions].empty? || match_conditions(:triggerConditions)
+            return true
+          end
+        end
+
+        raise ForbiddenError.new('You don\'t have the permission to trigger this action.', TRIGGER_FORBIDDEN_ERROR)
+      end
+
+      def match_conditions(condition_name)
+        pk = Schema.primary_keys(collection)[0]
+        condition_filter = if attributes[:all_records]
+                             Nodes::ConditionTreeLeaf.new(pk, 'NOT_EQUAL', attributes[:all_records_ids_excluded])
+                           else
+                             Nodes::ConditionTreeLeaf.new(pk, 'IN', attributes[:ids])
+                           end
+
+        condition = smart_action[condition_name][0]['filter']
+        conditional_filter = filter.override(
+          condition_tree: ConditionTreeFactory.intersect(
+            [
+              ConditionTreeParser.from_plain_object(collection, condition),
+              filter.condition_tree,
+              condition_filter
+            ]
+          )
+        )
+        rows = collection.aggregate(caller, conditional_filter, Aggregation.new(operation: 'Count'))
+
+        (rows[0]['value'] || 0) == attributes[:ids].count
+      rescue StandardError
+        raise ConflictError.new(
+          'The conditions to trigger this action cannot be verified. Please contact an administrator.',
+          INVALID_ACTION_CONDITION_ERROR
+        )
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/services/sse_cache_invalidation.rb

@@ -0,0 +1,45 @@
+require 'ld-eventsource'
+
+module ForestAdminAgent
+  module Services
+    class SSECacheInvalidation
+      include ForestAdminDatasourceToolkit::Exceptions
+
+      MESSAGE_CACHE_KEYS = {
+        'refresh-users': %w[forest.users],
+        'refresh-roles': %w[forest.collections],
+        'refresh-renderings': %w[forest.collections forest.stats forest.scopes]
+        # TODO: add one for ip whitelist when server implement it
+      }.freeze
+
+      def self.run
+        uri = "#{Facades::Container.config_from_cache[:forest_server_url]}/liana/v4/subscribe-to-events"
+        headers = {
+          'forest-secret-key' => Facades::Container.config_from_cache[:env_secret],
+          'Accept' => 'text/event-stream'
+        }
+
+        begin
+          SSE::Client.new(uri, headers: headers) do |client|
+            client.on_event do |event|
+              next if event.type == :heartbeat
+
+              MESSAGE_CACHE_KEYS[event.type]&.each do |cache_key|
+                Permissions.invalidate_cache(cache_key)
+                # TODO: HANDLE LOGGER
+                # "info","invalidate cache {MESSAGE_CACHE_KEYS[event.type]} for event {event.type}"
+              end
+              # TODO: HANDLE LOGGER add else
+              # "info", "SSECacheInvalidation: unhandled message from server: {event.type}"
+            end
+          end
+        rescue StandardError
+          raise ForestException, 'Failed to reach SSE data from ForestAdmin server.'
+          # TODO: HANDLE LOGGER
+          # "debug", "SSE connection to forestadmin server due to ..."
+          # "warning", "SSE connection to forestadmin server closed unexpectedly, retrying."
+        end
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/utils/context_variables.rb

@@ -0,0 +1,39 @@
+module ForestAdminAgent
+  module Utils
+    class ContextVariables
+      attr_reader :team, :user, :request_context_variables
+
+      USER_VALUE_PREFIX = 'currentUser.'.freeze
+
+      USER_VALUE_TAG_PREFIX = 'currentUser.tags.'.freeze
+
+      USER_VALUE_TEAM_PREFIX = 'currentUser.team.'.freeze
+
+      def initialize(team, user, request_context_variables = nil)
+        @team = team.transform_keys(&:to_sym)
+        @user = user.transform_keys(&:to_sym)
+        @request_context_variables = request_context_variables
+      end
+
+      def get_value(context_variable_key)
+        return get_current_user_data(context_variable_key) if context_variable_key.start_with?(USER_VALUE_PREFIX)
+
+        request_context_variables[context_variable_key]
+      end
+
+      private
+
+      def get_current_user_data(context_variable_key)
+        if context_variable_key.start_with?(USER_VALUE_TEAM_PREFIX)
+          return team[context_variable_key[USER_VALUE_TEAM_PREFIX.length..].to_sym]
+        end
+
+        if context_variable_key.start_with?(USER_VALUE_TAG_PREFIX)
+          return user[:tags][context_variable_key[USER_VALUE_TAG_PREFIX.length..]]
+        end
+
+        user[context_variable_key[USER_VALUE_PREFIX.length..].to_sym]
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/utils/context_variables_injector.rb

@@ -0,0 +1,53 @@
+module ForestAdminAgent
+  module Utils
+    class ContextVariablesInjector
+      include ForestAdminDatasourceToolkit::Components::Query::ConditionTree::Nodes
+
+      def self.inject_context_in_value(value, context_variables)
+        inject_context_in_value_custom(value) do |context_variable_key|
+          context_variables.get_value(context_variable_key).to_s
+        end
+      end
+
+      def self.inject_context_in_value_custom(value)
+        return value unless value.is_a?(String)
+
+        value_with_context_variables_injected = value
+        regex = /{{([^}]+)}}/
+        encountered_variables = []
+
+        while (match = regex.match(value_with_context_variables_injected))
+          context_variable_key = match[1]
+
+          unless encountered_variables.include?(context_variable_key)
+            value_with_context_variables_injected.gsub!(
+              /{{#{context_variable_key}}}/,
+              yield(context_variable_key)
+            )
+          end
+
+          encountered_variables.push(context_variable_key)
+        end
+
+        value_with_context_variables_injected
+      end
+
+      def self.inject_context_in_filter(filter, context_variables)
+        return nil unless filter
+
+        if filter.is_a?(ConditionTreeBranch)
+          return ConditionTreeBranch.new(
+            filter.aggregator,
+            filter.conditions.map { |condition| inject_context_in_filter(condition, context_variables) }
+          )
+        end
+
+        ConditionTreeLeaf.new(
+          filter.field,
+          filter.operator,
+          inject_context_in_value(filter.value, context_variables)
+        )
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/utils/query_string_parser.rb

@@ -1,4 +1,5 @@
 require 'jwt'
+require 'active_support'
 require 'active_support/time'
 
 module ForestAdminAgent

data/lib/forest_admin_agent/utils/schema/schema_emitter.rb

@@ -7,7 +7,7 @@ module ForestAdminAgent
       class SchemaEmitter
         LIANA_NAME = "forest-rails"
 
-        LIANA_VERSION = "1.0.0-beta.21"
+        LIANA_VERSION = "1.0.0-beta.23"
 
         def self.get_serialized_schema(datasource)
           schema_path = Facades::Container.cache(:schema_path)

data/lib/forest_admin_agent/version.rb

@@ -1,3 +1,3 @@
 module ForestAdminAgent
-  VERSION = "1.0.0-beta.21"
+  VERSION = "1.0.0-beta.23"
 end

data/lib/forest_admin_agent.rb

@@ -3,6 +3,7 @@ require 'zeitwerk'
 
 loader = Zeitwerk::Loader.for_gem
 loader.inflector.inflect('oauth2' => 'OAuth2')
+loader.inflector.inflect('sse_cache_invalidation' => 'SSECacheInvalidation')
 loader.setup
 
 module ForestAdminAgent