forest_liana 6.0.5 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 95b8a3f6be7165cf4debb95a67e676c4846cd53dd5226ef6550b0f4a9ccab656
-  data.tar.gz: eb8b01c7bd02b0c828fd5aa7e27ee8677ff5b1711fab9dc96512d607f5562fac
+  metadata.gz: de6de5cae6e0ce03e49a351ee0ec5ead80b6ac45fc7f56a6b6912b663c7b85c3
+  data.tar.gz: 03d99b9f6ef599ec4c18446c50f9f4c7b24c09771e626954cdfb800ec25a55ff
 SHA512:
-  metadata.gz: fbdf538274940ded194b63d76426557241122eb3ac5e1f6704e37fa295d4a3eece921d0f0c28546e919c454f580733ab9778960d21a1d758cb19f84ef4bd0771
-  data.tar.gz: 2540d9a5c6289e23ac9d9d383c2d99f86883c2f493e32e5df5de0c659957696d329ff8f60a9339e7136d783ce3cae04e1d4499f418699e70901e65241a0116b4
+  metadata.gz: ea5e991a8476f95d7571ff1bf5e9dfef006c119c67857d18967f80810417db15122f2b64e922906e95d1401b5e71df099705718f431ec481de5a9da6c0d7310f
+  data.tar.gz: 7fde6b7720bdf881a3fc5bfcab28d4ca05092fe7a45a5dc8d3c40d4576ff4b0bb6c423eb500b4bc485181840ef8685b5167ab92501aa1533adbbda7e3f28ac5f

data/app/controllers/forest_liana/stats_controller.rb

@@ -1,9 +1,21 @@
 module ForestLiana
   class StatsController < ForestLiana::ApplicationController
     if Rails::VERSION::MAJOR < 4
-      before_filter :find_resource, except: [:get_with_live_query]
+      before_filter only: [:get] do
+        find_resource()
+        check_permission('statWithParameters')
+      end
+      before_filter only: [:get_with_live_query] do
+        check_permission('liveQueries')
+      end
     else
-      before_action :find_resource, except: [:get_with_live_query]
+      before_action only: [:get] do
+        find_resource()
+        check_permission('statWithParameters')
+      end
+      before_action only: [:get_with_live_query] do
+        check_permission('liveQueries')
+      end
     end
 
     CHART_TYPE_VALUE = 'Value'
@@ -64,5 +76,38 @@ module ForestLiana
         render json: {status: 404}, status: :not_found, serializer: nil
       end
     end
+
+    def get_live_query_request_info
+      params['query']
+    end
+
+    def get_stat_parameter_request_info
+      parameters = Rails::VERSION::MAJOR < 5 ? params.dup : params.permit(params.keys).to_h;
+
+      # Notice: Removes useless properties
+      parameters.delete('timezone');
+      parameters.delete('controller');
+      parameters.delete('action');
+
+      return parameters;
+    end
+
+    def check_permission(permission_name)
+      begin
+        query_request = permission_name == 'liveQueries' ? get_live_query_request_info : get_stat_parameter_request_info;
+        checker = ForestLiana::PermissionsChecker.new(
+          nil,
+          permission_name,
+          @rendering_id,
+          user_id: forest_user['id'],
+          query_request_info: query_request
+        )
+
+        return head :forbidden unless checker.is_authorized?
+      rescue => error
+        FOREST_LOGGER.error "Stats execution error: #{error}"
+        render serializer: nil, json: { status: 400 }, status: :bad_request
+      end
+    end
   end
 end

data/app/services/forest_liana/permissions_checker.rb

@@ -6,13 +6,16 @@ module ForestLiana
     # TODO: handle cache scopes per rendering
     @@expiration_in_seconds = (ENV['FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS'] || 3600).to_i
 
-    def initialize(resource, permission_name, rendering_id, user_id:, smart_action_request_info: nil, collection_list_parameters: nil)
-      @user_id = user_id
-      @collection_name = ForestLiana.name_for(resource)
+    def initialize(resource, permission_name, rendering_id, user_id: nil, smart_action_request_info: nil, collection_list_parameters: nil, query_request_info: nil)
+      
+      @collection_name = resource.present? ? ForestLiana.name_for(resource) : nil
       @permission_name = permission_name
       @rendering_id = rendering_id
+
+      @user_id = user_id
       @smart_action_request_info = smart_action_request_info
       @collection_list_parameters = collection_list_parameters
+      @query_request_info = query_request_info
     end
 
     def is_authorized?
@@ -48,6 +51,16 @@ module ForestLiana
 
     def is_allowed
       permissions = get_permissions_content
+
+      # NOTICE: check liveQueries permissions
+      if @permission_name === 'liveQueries'
+        return live_query_allowed?
+      elsif @permission_name === 'statWithParameters'
+        return stat_with_parameters_allowed?
+      end
+
+      
+
       if permissions && permissions[@collection_name] &&
         permissions[@collection_name]['collection']
         if @permission_name === 'actions'
@@ -98,6 +111,16 @@ module ForestLiana
       permissions && permissions['data'] && permissions['data']['collections']
     end
 
+    def get_live_query_permissions_content
+      permissions = get_permissions
+      permissions && permissions['stats'] && permissions['stats']['queries']
+    end
+    
+    def get_stat_with_parameters_content(statPermissionType)
+      permissions = get_permissions
+      permissions && permissions['stats'] && permissions['stats'][statPermissionType]
+    end
+
     def get_last_fetch
       permissions = get_permissions
       permissions && permissions['last_fetch']
@@ -138,6 +161,32 @@ module ForestLiana
       ).is_scope_in_request?(@collection_list_parameters)
     end
 
+    def live_query_allowed?
+      live_queries_permissions = get_live_query_permissions_content
+
+      return false unless live_queries_permissions
+
+      # NOTICE: @query_request_info matching an existing live query 
+      return live_queries_permissions.include? @query_request_info
+    end
+
+    def stat_with_parameters_allowed?
+      permissionType = @query_request_info['type'].downcase + 's'
+      pool_permissions = get_stat_with_parameters_content(permissionType)
+
+      return false unless pool_permissions
+
+      # NOTICE: equivalent to Object.values in js
+      array_query_request_info = @query_request_info.values
+
+      # NOTICE: pool_permissions contains the @query_request_info
+      #   we use the intersection between statPermission and @query_request_info
+      return pool_permissions.any? {
+        |statPermission|
+          (array_query_request_info & statPermission.values) == array_query_request_info;
+      }
+    end
+
     def date_difference_in_seconds(date1, date2)
       (date1 - date2).to_i
     end

data/lib/forest_liana/version.rb

@@ -1,3 +1,3 @@
 module ForestLiana
-  VERSION = "6.0.5"
+  VERSION = "6.1.0"
 end

data/spec/requests/stats_spec.rb

@@ -0,0 +1,114 @@
+require 'rails_helper'
+require 'json'
+
+describe "Stats", type: :request do
+
+  token = JWT.encode({
+    id: 38,
+    email: 'michael.kelso@that70.show',
+    first_name: 'Michael',
+    last_name: 'Kelso',
+    team: 'Operations',
+    rendering_id: 16,
+    exp: Time.now.to_i + 2.weeks.to_i
+  }, ForestLiana.auth_secret, 'HS256')
+
+  headers = {
+    'Accept' => 'application/json',
+    'Content-Type' => 'application/json',
+    'Authorization' => "Bearer #{token}"
+  }
+
+  let(:schema) {
+    [
+      ForestLiana::Model::Collection.new({
+        name: 'Products',
+        fields: [],
+        actions: []
+      })
+    ]
+  }
+
+  before do
+    allow(ForestLiana).to receive(:apimap).and_return(schema)
+  end
+
+  before(:each) do
+    allow(ForestLiana::IpWhitelist).to receive(:retrieve) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_whitelist_retrieved) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_valid) { true }
+    
+    allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { true }
+
+    allow_any_instance_of(ForestLiana::ValueStatGetter).to receive(:perform) { true }
+    allow_any_instance_of(ForestLiana::QueryStatGetter).to receive(:perform) { true }
+  end
+
+
+
+  describe 'POST /stats/:collection' do
+    params = { type: 'Value', collection: 'User', aggregate: 'Count' }
+
+    it 'should respond 200' do
+      data = ForestLiana::Model::Stat.new(value: { countCurrent: 0, countPrevious: 0 })
+      allow_any_instance_of(ForestLiana::ValueStatGetter).to receive(:record) { data }
+      # NOTICE: bypass : find_resource error
+      allow_any_instance_of(ForestLiana::StatsController).to receive(:find_resource) { true }
+      allow(ForestLiana::QueryHelper).to receive(:get_one_association_names_symbol) { true }
+
+      post '/forest/stats/Products', params: JSON.dump(params), headers: headers
+      expect(response.status).to eq(200)
+    end
+
+    it 'should respond 401 with no headers' do
+      post '/forest/stats/Products', params: JSON.dump(params)
+      expect(response.status).to eq(401)
+    end
+
+    it 'should respond 404 with non existing collection' do
+      allow_any_instance_of(ForestLiana::ValueStatGetter).to receive(:record) { nil }
+
+      post '/forest/stats/NoCollection', params: {}, headers: headers
+      expect(response.status).to eq(404)
+    end
+
+    # it 'should respond 403 Forbidden' do
+    #   allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { false }
+
+    #   post '/forest/stats/Products', params: JSON.dump(params), headers: headers
+    #   expect(response.status).to eq(403)
+    # end
+  end
+  
+  describe 'POST /stats' do
+    params = { query: 'SELECT COUNT(*) AS value FROM products;' }
+
+    it 'should respond 200' do
+      data = ForestLiana::Model::Stat.new(value: { value: 0, objective: 0 })
+      allow_any_instance_of(ForestLiana::QueryStatGetter).to receive(:record) { data }
+
+      post '/forest/stats', params: JSON.dump(params), headers: headers
+      expect(response.status).to eq(200)
+    end
+
+    it 'should respond 401 with no headers' do
+      post '/forest/stats', params: JSON.dump(params)
+      expect(response.status).to eq(401)
+    end
+
+    it 'should respond 403 Forbidden' do
+      allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { false }
+
+      post '/forest/stats', params: JSON.dump(params), headers: headers
+      expect(response.status).to eq(403)
+    end
+
+    it 'should respond 422 with unprocessable query' do
+      allow_any_instance_of(ForestLiana::QueryStatGetter).to receive(:perform) { raise ForestLiana::Errors::LiveQueryError.new }
+      
+      post '/forest/stats', params: JSON.dump(params), headers: headers
+      expect(response.status).to eq(422)
+    end
+  end
+
+end

data/spec/services/forest_liana/permissions_checker_acl_disabled_spec.rb

@@ -109,7 +109,7 @@ module ForestLiana
 
     describe 'handling cache' do
       let(:collection_name) { 'all_rights_collection' }
-      let(:fake_ressource) { nil }
+      let(:fake_ressource) { collection_name }
       let(:default_rendering_id) { 1 }
 
       context 'when calling twice the same permissions' do
@@ -191,7 +191,7 @@ module ForestLiana
 
 
     context 'scopes cache' do
-      let(:fake_ressource) { nil }
+      let(:fake_ressource) { collection_name }
       let(:rendering_id) { 1 }
       let(:collection_name) { 'custom' }
       let(:scope_permissions) { { rendering_id => { 'custom' => nil } } }
@@ -349,7 +349,7 @@ module ForestLiana
     describe '#is_authorized?' do
       # Resource is only used to retrieve the collection name as it's stubbed it does not
       # need to be defined
-      let(:fake_ressource) { nil }
+      let(:fake_ressource) { collection_name }
       let(:default_rendering_id) { nil }
       let(:api_permissions) { default_api_permissions }
       let(:collection_name) { 'all_rights_collection' }

data/spec/services/forest_liana/permissions_checker_acl_enabled_spec.rb

@@ -132,7 +132,7 @@ module ForestLiana
 
     describe 'handling cache' do
       let(:collection_name) { 'all_rights_collection_boolean' }
-      let(:fake_ressource) { nil }
+      let(:fake_ressource) { collection_name }
       let(:default_rendering_id) { 1 }
 
       context 'collections cache' do
@@ -396,7 +396,7 @@ module ForestLiana
     describe '#is_authorized?' do
       # Resource is only used to retrieve the collection name as it's stub it does not
       # need to be defined
-      let(:fake_ressource) { nil }
+      let(:fake_ressource) { collection_name }
       let(:default_rendering_id) { nil }
       let(:api_permissions) { default_api_permissions }
 

data/spec/services/forest_liana/permissions_checker_live_queries_spec.rb

@@ -0,0 +1,131 @@
+module ForestLiana
+  describe PermissionsChecker do
+    before(:each) do
+      described_class.empty_cache
+    end
+
+    let(:user_id) { 1 }
+    let(:schema) {
+      [
+        ForestLiana::Model::Collection.new({
+          name: 'all_rights_collection_boolean',
+          fields: [],
+          actions: [
+            ForestLiana::Model::Action.new({
+              name: 'Test',
+              endpoint: 'forest/actions/Test',
+              http_method: 'POST'
+            })
+          ]
+        })
+      ]
+    }
+    let(:scope_permissions) { nil }
+    let(:default_api_permissions) {
+      {
+        "data" => {
+          'collections' => {
+            "all_rights_collection_boolean" => {
+              "collection" => {
+                "browseEnabled" => true,
+                "readEnabled" => true,
+                "editEnabled" => true,
+                "addEnabled" => true,
+                "deleteEnabled" => true,
+                "exportEnabled" => true
+              },
+              "actions" => {
+                "Test" => {
+                  "triggerEnabled" => true
+                },
+              }
+            },
+          },
+          'renderings' => scope_permissions
+        },
+        "meta" => {
+          "rolesACLActivated" => true
+        },
+        "stats" => {
+          "queries" => [
+          'SELECT COUNT(*) AS value FROM products;',
+          'SELECT COUNT(*) AS value FROM sometings;'
+          ],
+          "values" => [
+            {
+              "type" => "Value",
+              "collection" => "Product",
+              "aggregate" => "Count"
+            }
+          ],
+        },
+      }
+    }
+    let(:default_rendering_id) { 1 }
+
+    before do
+      allow(ForestLiana).to receive(:apimap).and_return(schema)
+    end
+
+    describe '#is_authorized?' do
+      # Resource is only used to retrieve the collection name as it's stub it does not
+      # need to be defined
+      let(:fake_ressource) { nil }
+      let(:default_rendering_id) { nil }
+      let(:api_permissions) { default_api_permissions }
+
+      before do
+        allow(ForestLiana::PermissionsGetter).to receive(:get_permissions_for_rendering).and_return(api_permissions)
+      end
+
+      context 'when permissions liveQueries' do
+        context 'contains the query' do
+          request_info = {
+            "type" => "Value",
+            "collection" => "Product",
+            "aggregate" => "Count"
+          };
+          subject { described_class.new(fake_ressource, 'liveQueries', default_rendering_id, user_id: user_id, query_request_info: 'SELECT COUNT(*) AS value FROM sometings;') }
+
+          it 'should be authorized' do
+            expect(subject.is_authorized?).to be true
+          end
+        end
+
+        context 'does not contains the query' do
+          subject { described_class.new(fake_ressource, 'liveQueries', default_rendering_id, user_id: user_id, query_request_info: 'SELECT * FROM products WHERE category = Gifts OR 1=1-- AND released = 1') }
+          it 'should NOT be authorized' do
+            expect(subject.is_authorized?).to be false
+          end
+        end
+      end
+
+      context 'when permissions statWithParameters' do
+        context 'contains the stat with the same parameters' do
+          request_info = {
+            "type" => "Value",
+            "collection" => "Product",
+            "aggregate" => "Count"
+          };
+          subject { described_class.new(fake_ressource, 'statWithParameters', default_rendering_id, user_id: user_id, query_request_info: request_info) }
+
+          it 'should be authorized' do
+            expect(subject.is_authorized?).to be true
+          end
+        end
+
+        context 'does not contains the stat with the same parameters' do
+          other_request_info = {
+            "type" => "Leaderboard",
+            "collection" => "Product",
+            "aggregate" => "Sum"
+          };
+          subject { described_class.new(fake_ressource, 'statWithParameters', default_rendering_id, user_id: user_id, query_request_info: other_request_info) }
+          it 'should NOT be authorized' do
+            expect(subject.is_authorized?).to be false
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: forest_liana
 version: !ruby/object:Gem::Version
-  version: 6.0.5
+  version: 6.1.0
 platform: ruby
 authors:
 - Sandro Munda
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-11 00:00:00.000000000 Z
+date: 2021-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -364,11 +364,13 @@ files:
 - spec/requests/actions_controller_spec.rb
 - spec/requests/authentications_spec.rb
 - spec/requests/resources_spec.rb
+- spec/requests/stats_spec.rb
 - spec/services/forest_liana/apimap_sorter_spec.rb
 - spec/services/forest_liana/filters_parser_spec.rb
 - spec/services/forest_liana/ip_whitelist_checker_spec.rb
 - spec/services/forest_liana/permissions_checker_acl_disabled_spec.rb
 - spec/services/forest_liana/permissions_checker_acl_enabled_spec.rb
+- spec/services/forest_liana/permissions_checker_live_queries_spec.rb
 - spec/services/forest_liana/permissions_formatter_spec.rb
 - spec/services/forest_liana/permissions_getter_spec.rb
 - spec/services/forest_liana/schema_adapter_spec.rb
@@ -625,8 +627,10 @@ test_files:
 - spec/requests/resources_spec.rb
 - spec/requests/authentications_spec.rb
 - spec/requests/actions_controller_spec.rb
+- spec/requests/stats_spec.rb
 - spec/spec_helper.rb
 - spec/services/forest_liana/filters_parser_spec.rb
+- spec/services/forest_liana/permissions_checker_live_queries_spec.rb
 - spec/services/forest_liana/permissions_checker_acl_disabled_spec.rb
 - spec/services/forest_liana/schema_adapter_spec.rb
 - spec/services/forest_liana/permissions_checker_acl_enabled_spec.rb