forest_liana 7.8.0 → 8.0.0.beta.2

data/app/services/forest_liana/ability/permission.rb

@@ -0,0 +1,148 @@
+require 'digest'
+require 'deepsort'
+
+module ForestLiana
+  module Ability
+    module Permission
+      include Fetch
+
+      TTL = (ENV['FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS'] || 1).to_i.second
+
+      def is_crud_authorized?(action, user, collection)
+        return true unless has_permission_system?
+
+        user_data = get_user_data(user['id'])
+        collections_data = get_collections_permissions_data
+
+        begin
+          is_allowed = collections_data[collection.name][action].include? user_data['roleId']
+          # re-fetch if user permission is not allowed (may have been changed)
+          unless is_allowed
+            collections_data = get_collections_permissions_data(true)
+            is_allowed = collections_data[collection.name][action].include? user_data['roleId']
+          end
+
+          is_allowed
+        rescue
+          raise ForestLiana::Errors::ExpectedError.new(409, :conflict, "The collection #{collection} doesn't exist", 'collection not found')
+        end
+      end
+
+      def is_smart_action_authorized?(user, collection, parameters, endpoint, http_method)
+        user_data = get_user_data(user['id'])
+        collections_data = get_collections_permissions_data
+        begin
+          action = find_action_from_endpoint(collection.name, endpoint, http_method).name
+
+          smart_action_approval = SmartActionChecker.new(parameters, collection, collections_data[collection.name][:actions][action], user_data)
+          smart_action_approval.can_execute?
+        rescue
+          raise ForestLiana::Errors::ExpectedError.new(409, :conflict, "The collection #{collection} doesn't exist", 'collection not found')
+        end
+      end
+
+      def is_chart_authorized?(user, parameters)
+        parameters = parameters.to_h
+        parameters.delete('timezone')
+        parameters.delete('controller')
+        parameters.delete('action')
+        parameters.delete('collection')
+        parameters.delete('contextVariables')
+
+
+        hash_request = "#{parameters['type']}:#{Digest::SHA1.hexdigest(parameters.deep_sort.to_s)}"
+        allowed = get_chart_data(user['rendering_id']).to_s.include? hash_request
+
+        unless allowed
+          allowed = get_chart_data(user['rendering_id'], true).to_s.include? hash_request
+        end
+
+        allowed
+      end
+
+      private
+
+      def get_user_data(user_id)
+        cache = Rails.cache.fetch('forest.users', expires_in: TTL) do
+          users = {}
+          get_permissions('/liana/v4/permissions/users').each do |user|
+            users[user['id'].to_s] = user
+          end
+
+          users
+        end
+
+        cache[user_id.to_s]
+      end
+
+      def get_collections_permissions_data(force_fetch = false)
+        Rails.cache.delete('forest.collections') if force_fetch == true
+        cache = Rails.cache.fetch('forest.collections', expires_in: TTL) do
+          collections = {}
+          get_permissions('/liana/v4/permissions/environment')['collections'].each do |name, collection|
+            collections[name] = format_collection_crud_permission(collection).merge!(format_collection_action_permission(collection))
+          end
+
+          collections
+        end
+
+        cache
+      end
+
+      def get_chart_data(rendering_id, force_fetch = false)
+        Rails.cache.delete('forest.stats') if force_fetch == true
+        Rails.cache.fetch('forest.stats', expires_in: TTL) do
+          stat_hash = []
+          get_permissions('/liana/v4/permissions/renderings/' + rendering_id)['stats'].each do |stat|
+            stat_hash << "#{stat['type']}:#{Digest::SHA1.hexdigest(stat.sort.to_h.to_s)}"
+          end
+
+          stat_hash
+        end
+      end
+
+      def has_permission_system?
+        Rails.cache.fetch('forest.has_permission') do
+          (get_permissions('/liana/v4/permissions/environment') == true) ? false : true
+        end
+      end
+
+      def format_collection_crud_permission(collection)
+        {
+          'browse'  => collection['collection']['browseEnabled']['roles'],
+          'read'    => collection['collection']['readEnabled']['roles'],
+          'edit'    => collection['collection']['editEnabled']['roles'],
+          'add'     => collection['collection']['addEnabled']['roles'],
+          'delete'  => collection['collection']['deleteEnabled']['roles'],
+          'export'  => collection['collection']['exportEnabled']['roles'],
+        }
+      end
+
+      def format_collection_action_permission(collection)
+        actions = {}
+        actions[:actions] = {}
+        collection['actions'].each do |id, action|
+          actions[:actions][id] = {
+            'triggerEnabled'              => action['triggerEnabled']['roles'],
+            'triggerConditions'           => action['triggerConditions'],
+            'approvalRequired'            => action['approvalRequired']['roles'],
+            'approvalRequiredConditions'  => action['approvalRequiredConditions'],
+            'userApprovalEnabled'         => action['userApprovalEnabled']['roles'],
+            'userApprovalConditions'      => action['userApprovalConditions'],
+            'selfApprovalEnabled'         => action['selfApprovalEnabled']['roles'],
+          }
+        end
+
+        actions
+      end
+
+      def find_action_from_endpoint(collection_name, endpoint, http_method)
+        collection = ForestLiana.apimap.find { |collection| collection.name.to_s == collection_name }
+
+        return nil unless collection
+
+        collection.actions.find { |action| (action.endpoint == endpoint || "/#{action.endpoint}" == endpoint) && action.http_method == http_method }
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability.rb

@@ -0,0 +1,24 @@
+module ForestLiana
+  module Ability
+    include ForestLiana::Ability::Permission
+
+    ALLOWED_PERMISSION_LEVELS = %w[admin editor developer].freeze
+
+    def forest_authorize!(action, user, collection, args = {})
+      case action
+      when 'browse', 'read', 'edit', 'add', 'delete', 'export'
+          raise ForestLiana::Ability::Exceptions::AccessDenied.new unless is_crud_authorized?(action, user, collection)
+      when 'chart'
+          if ALLOWED_PERMISSION_LEVELS.exclude?(user['permission_level'])
+            raise ForestLiana::Errors::HTTP422Error.new('The argument parameters is missing') if args[:parameters].nil?
+            raise ForestLiana::Ability::Exceptions::AccessDenied.new unless is_chart_authorized?(user, args[:parameters])
+          end
+      when 'action'
+          raise ForestLiana::Errors::HTTP422Error.new('You must implement the arguments : parameters, endpoint & http_method') if args[:parameters].nil? || args[:endpoint].nil? || args[:http_method].nil?
+          is_smart_action_authorized?(user, collection, args[:parameters], args[:endpoint], args[:http_method])
+      else
+        raise ForestLiana::Ability::Exceptions::AccessDenied.new
+      end
+    end
+  end
+end

data/app/services/forest_liana/filters_parser.rb

@@ -2,13 +2,9 @@ module ForestLiana
   class FiltersParser
     AGGREGATOR_OPERATOR = %w(and or)
 
-    def initialize(filters, resource, timezone)
-      begin
-        @filters = JSON.parse(filters)
-      rescue JSON::ParserError
-        raise ForestLiana::Errors::HTTP422Error.new('Invalid filters JSON format')
-      end
-
+    def initialize(filters, resource, timezone, params = nil)
+      @filters = filters.instance_of?(ActionController::Parameters) ? filters.to_h : JSON.parse(filters)
+      @params = params
       @resource = resource
       @operator_date_parser = OperatorDateIntervalParser.new(timezone)
       @joins = []
@@ -91,6 +87,10 @@ module ForestLiana
       value = condition['value']
       field_name = condition['field']
 
+      if value.is_a?(String) && value.start_with?('{{')
+        value = @params[:contextVariables][value.gsub(/[{}]/, '')]
+      end
+
       if @operator_date_parser.is_date_operator?(operator)
         condition = @operator_date_parser.get_date_filter(operator, value)
         return "#{parse_field_name(field_name)} #{condition}"

data/app/services/forest_liana/leaderboard_stat_getter.rb

@@ -2,13 +2,13 @@ module ForestLiana
   class LeaderboardStatGetter < StatGetter
     def initialize(parent_model, params, forest_user)
       @scoped_parent_model = get_scoped_model(parent_model, forest_user, params[:timezone])
-      child_model = @scoped_parent_model.reflect_on_association(params[:relationship_field]).klass
+      child_model = @scoped_parent_model.reflect_on_association(params[:relationshipFieldName]).klass
       @scoped_child_model = get_scoped_model(child_model, forest_user, params[:timezone])
-      @label_field = params[:label_field]
-      @aggregate = params[:aggregate].downcase
-      @aggregate_field = params[:aggregate_field]
+      @label_field = params[:labelFieldName]
+      @aggregate = params[:aggregator].downcase
+      @aggregate_field = params[:aggregateFieldName]
       @limit = params[:limit]
-      @groub_by = "#{@scoped_parent_model.table_name}.#{@label_field}"
+      @group_by = "#{@scoped_parent_model.table_name}.#{@label_field}"
     end
 
     def perform
@@ -17,7 +17,7 @@ module ForestLiana
       result = @scoped_child_model
         .joins(includes)
         .where({ @scoped_parent_model.name.downcase.to_sym => @scoped_parent_model })
-        .group(@groub_by)
+        .group(@group_by)
         .order(order)
         .limit(@limit)
         .send(@aggregate, @aggregate_field)
@@ -31,7 +31,7 @@ module ForestLiana
 
       return model.unscoped if scope_filters.blank?
 
-      FiltersParser.new(scope_filters, model, timezone).apply_filters
+      FiltersParser.new(scope_filters, model, timezone, @params).apply_filters
     end
 
     def order

data/app/services/forest_liana/line_stat_getter.rb

@@ -10,7 +10,7 @@ module ForestLiana
     end
 
     def get_format
-      case @params[:time_range].try(:downcase)
+      case @params[:timeRange].try(:downcase)
         when 'day'
           '%d/%m/%Y'
         when 'week'
@@ -25,17 +25,17 @@ module ForestLiana
     def perform
       value = get_resource()
 
-      filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filters], @user, @resource.name)
+      filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filter], @user, @resource.name)
 
       unless filters.blank?
-        value = FiltersParser.new(filters, @resource, @params[:timezone]).apply_filters
+        value = FiltersParser.new(filters, @resource, @params[:timezone], @params).apply_filters
       end
 
       Groupdate.week_start = :monday
 
-      value = value.send(time_range, group_by_date_field, time_zone: client_timezone)
+      value = value.send(timeRange, group_by_date_field, time_zone: client_timezone)
 
-      value = value.send(@params[:aggregate].downcase, @params[:aggregate_field])
+      value = value.send(@params[:aggregator].downcase, @params[:aggregateFieldName])
         .map do |k, v|
           { label: k.strftime(get_format), values: { value: v }}
         end
@@ -46,11 +46,11 @@ module ForestLiana
     private
 
     def group_by_date_field
-      "#{@resource.table_name}.#{@params[:group_by_date_field]}"
+      "#{@resource.table_name}.#{@params[:groupByFieldName]}"
     end
 
-    def time_range
-      "group_by_#{@params[:time_range].try(:downcase) || 'month'}"
+    def timeRange
+      "group_by_#{@params[:timeRange].try(:downcase) || 'month'}"
     end
 
   end

data/app/services/forest_liana/pie_stat_getter.rb

@@ -3,30 +3,30 @@ module ForestLiana
     attr_accessor :record
 
     def perform
-      if @params[:group_by_field]
+      if @params[:groupByFieldName]
         timezone_offset = @params[:timezone].to_i
         resource = optimize_record_loading(@resource, get_resource)
 
-        filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filters], @user, @resource.name)
+        filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filter], @user, @resource.name)
 
         unless filters.blank?
-          resource = FiltersParser.new(filters, resource, @params[:timezone]).apply_filters
+          resource = FiltersParser.new(filters, resource, @params[:timezone], @params).apply_filters
         end
 
         result = resource
-          .group(group_by_field)
+          .group(groupByFieldName)
           .order(order)
-          .send(@params[:aggregate].downcase, @params[:aggregate_field])
+          .send(@params[:aggregator].downcase, @params[:aggregateFieldName])
           .map do |key, value|
             # NOTICE: Display the enum name instead of an integer if it is an
             #         "Enum" field type on old Rails version (before Rails
             #         5.1.3).
             if @resource.respond_to?(:defined_enums) &&
-              @resource.defined_enums.has_key?(@params[:group_by_field]) &&
+              @resource.defined_enums.has_key?(@params[:groupByFieldName]) &&
               key.is_a?(Integer)
-              key = @resource.defined_enums[@params[:group_by_field]].invert[key]
-            elsif @resource.columns_hash[@params[:group_by_field]] &&
-              @resource.columns_hash[@params[:group_by_field]].type == :datetime
+              key = @resource.defined_enums[@params[:groupByFieldName]].invert[key]
+            elsif @resource.columns_hash[@params[:groupByFieldName]] &&
+              @resource.columns_hash[@params[:groupByFieldName]].type == :datetime
               key = (key + timezone_offset.hours).strftime('%d/%m/%Y %T')
             end
 
@@ -37,13 +37,13 @@ module ForestLiana
       end
     end
 
-    def group_by_field
-      if @params[:group_by_field].include? ':'
-        association, field = @params[:group_by_field].split ':'
+    def groupByFieldName
+      if @params[:groupByFieldName].include? ':'
+        association, field = @params[:groupByFieldName].split ':'
         resource = @resource.reflect_on_association(association.to_sym)
         "#{resource.table_name}.#{field}"
       else
-        "#{@resource.table_name}.#{@params[:group_by_field]}"
+        "#{@resource.table_name}.#{@params[:groupByFieldName]}"
       end
     end
 
@@ -51,14 +51,14 @@ module ForestLiana
       order = 'DESC'
 
       # NOTICE: The generated alias for a count is "count_all", for a sum the
-      #         alias looks like "sum_#{aggregate_field}"
-      if @params[:aggregate].downcase == 'sum'
-        field = @params[:aggregate_field].downcase
+      #         alias looks like "sum_#{aggregateFieldName}"
+      if @params[:aggregator].downcase == 'sum'
+        field = @params[:aggregateFieldName].downcase
       else
         # `count_id` is required only for rails v5
         field = Rails::VERSION::MAJOR == 5 || @includes.size > 0 ? 'id' : 'all'
       end
-      "#{@params[:aggregate].downcase}_#{field} #{order}"
+      "#{@params[:aggregator].downcase}_#{field} #{order}"
     end
 
   end

data/app/services/forest_liana/stat_getter.rb

@@ -6,13 +6,12 @@ module ForestLiana
       @resource = resource
       @params = params
       @user = forest_user
-      compute_includes()
+      compute_includes
     end
 
     def get_resource
       super
       @resource.reorder('')
     end
-
   end
 end

data/app/services/forest_liana/value_stat_getter.rb

@@ -3,13 +3,13 @@ module ForestLiana
     attr_accessor :record
 
     def perform
-      return if @params[:aggregate].blank?
+      return if @params[:aggregator].blank?
       resource = optimize_record_loading(@resource, get_resource)
 
-      filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filters], @user, @resource.name)
+      filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filter], @user, @resource.name)
 
       unless filters.blank?
-        filter_parser = FiltersParser.new(filters, resource, @params[:timezone])
+        filter_parser = FiltersParser.new(filters, resource, @params[:timezone], @params)
         resource = filter_parser.apply_filters
         raw_previous_interval = filter_parser.get_previous_interval_condition
 
@@ -27,21 +27,21 @@ module ForestLiana
     private
 
     def count(value)
-      uniq = @params[:aggregate].downcase == 'count'
+      uniq = @params[:aggregator].downcase == 'count'
 
       if Rails::VERSION::MAJOR >= 4
         if uniq
           # NOTICE: uniq is deprecated since Rails 5.0
           value = Rails::VERSION::MAJOR >= 5 ? value.distinct : value.uniq
         end
-        value.send(@params[:aggregate].downcase, aggregate_field)
+        value.send(@params[:aggregator].downcase, aggregate_field)
       else
-        value.send(@params[:aggregate].downcase, aggregate_field, distinct: uniq)
+        value.send(@params[:aggregator].downcase, aggregate_field, distinct: uniq)
       end
     end
 
     def aggregate_field
-      @params[:aggregate_field] || @resource.primary_key
+      @params[:aggregateFieldName] || @resource.primary_key
     end
 
   end

data/lib/forest_liana/bootstrapper.rb

@@ -202,7 +202,7 @@ module ForestLiana
     def setup_forest_liana_meta
       ForestLiana.meta = {
         liana: 'forest-rails',
-        liana_version: ForestLiana::VERSION,
+        liana_version: ForestLiana::VERSION.sub!('.beta', '-beta'),
         stack: {
            database_type: database_type,
            orm_version: Gem.loaded_specs["activerecord"].version.version,

data/lib/forest_liana/version.rb

@@ -1,3 +1,3 @@
 module ForestLiana
-  VERSION = "7.8.0"
+  VERSION = "8.0.0.beta.2"
 end

data/spec/dummy/lib/forest_liana/collections/island.rb

@@ -3,5 +3,5 @@ class Forest::Island
 
   collection :Island
 
-  action 'Test'
+  action 'my_action'
 end

data/spec/requests/actions_controller_spec.rb

@@ -171,10 +171,9 @@ describe 'Requesting Actions routes', :type => :request  do
         expect(JSON.parse(response.body)).to eq({'fields' => [foo.merge({:value => nil}).transform_keys { |key| key.to_s.camelize(:lower) }.stringify_keys]})
       end
 
-      it 'should respond 500 with bad params' do
+      it 'should respond 422 with bad params' do
         post '/forest/actions/my_action/hooks/load', params: {}, headers: headers
-        expect(response.status).to eq(500)
-        expect(JSON.parse(response.body)).to eq({'error' => 'Error in smart action load hook: cannot retrieve action from collection'})
+        expect(response.status).to eq(422)
       end
 
       it 'should respond 500 with bad hook result type' do
@@ -315,7 +314,7 @@ describe 'Requesting Actions routes', :type => :request  do
 
   describe 'calling the action' do
     before(:each) do
-      allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { true }
+      allow_any_instance_of(ForestLiana::Ability).to receive(:forest_authorize!) { true }
     end
 
     let(:all_records) { false }

data/spec/requests/count_spec.rb

@@ -2,22 +2,18 @@ require 'rails_helper'
 
 describe 'Requesting Owner', :type => :request  do
   before(:each) do
+    Owner.destroy_all
+
     1.upto(10) do |i|
       owner = Owner.create(name: "Owner #{i}")
       Tree.create(name: "Tree #{i}", owner_id: owner.id)
     end
-  end
 
-  after(:each) do
-    Owner.destroy_all
-  end
-
-  before(:each) do
     allow(ForestLiana::IpWhitelist).to receive(:retrieve) { true }
     allow(ForestLiana::IpWhitelist).to receive(:is_ip_whitelist_retrieved) { true }
     allow(ForestLiana::IpWhitelist).to receive(:is_ip_valid) { true }
 
-    allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { true }
+    allow_any_instance_of(ForestLiana::Ability).to receive(:forest_authorize!) { true }
 
     allow(ForestLiana::ScopeManager).to receive(:fetch_scopes).and_return({})
   end
@@ -68,12 +64,12 @@ describe 'Requesting Owner', :type => :request  do
     }
 
     it 'should respond 200' do
-      get '/forest/Owner/1/relationships/trees/count', params: params, headers: headers
+      get '/forest/Owner/5/relationships/trees/count', params: params, headers: headers
       expect(response.status).to eq(200)
     end
 
     it 'should equal to 1' do
-      get '/forest/Owner/1/relationships/trees/count', params: params, headers: headers
+      get '/forest/Owner/5/relationships/trees/count', params: params, headers: headers
       expect(response.body).to eq('{"count":1}')
     end
   end

data/spec/requests/resources_spec.rb

@@ -1,28 +1,42 @@
 require 'rails_helper'
 
 describe 'Requesting Tree resources', :type => :request  do
-  before(:each) do
+
+  before do
     user = User.create(name: 'Michel')
     tree = Tree.create(name: 'Lemon Tree', owner: user, cutter: user)
-  end
 
-  after(:each) do
-    User.destroy_all
-    Tree.destroy_all
-  end
+    Rails.cache.write('forest.users', {'1' => { 'id' => 1, 'roleId' => 1, 'rendering_id' => '1' }})
+    Rails.cache.write('forest.has_permission', true)
+    Rails.cache.write(
+      'forest.collections',
+      {
+        'Tree' => {
+          'browse'  => [1],
+          'read'    => [1],
+          'edit'    => [1],
+          'add'     => [1],
+          'delete'  => [1],
+          'export'  => [1],
+          'actions' => {}
+        }
+      }
+    )
 
-  before(:each) do
     allow(ForestLiana::IpWhitelist).to receive(:retrieve) { true }
     allow(ForestLiana::IpWhitelist).to receive(:is_ip_whitelist_retrieved) { true }
     allow(ForestLiana::IpWhitelist).to receive(:is_ip_valid) { true }
-
-    allow_any_instance_of(ForestLiana::PermissionsChecker).to receive(:is_authorized?) { true }
-
+    # allow_any_instance_of(ForestLiana::Ability).to receive(:forest_authorize!) { true }
     allow(ForestLiana::ScopeManager).to receive(:fetch_scopes).and_return({})
   end
 
+  after do
+    User.destroy_all
+    Tree.destroy_all
+  end
+
   token = JWT.encode({
-    id: 38,
+    id: 1,
     email: 'michael.kelso@that70.show',
     first_name: 'Michael',
     last_name: 'Kelso',
@@ -53,6 +67,36 @@ describe 'Requesting Tree resources', :type => :request  do
         expect(response.status).to eq(200)
       end
 
+      it 'should return 403 when user permission is not allowed' do
+        Rails.cache.delete('forest.users')
+        Rails.cache.write('forest.users', {'1' => { 'id' => 1, 'roleId' => 2, 'rendering_id' => '1' }})
+        allow_any_instance_of(ForestLiana::Ability::Fetch)
+          .to receive(:get_permissions)
+                .with('/liana/v4/permissions/environment')
+                .and_return(
+                  {
+                    "collections" => {
+                      "Tree" => {
+                        "collection" => {
+                          "browseEnabled" => { "roles" => [1] },
+                          "readEnabled" => { "roles" => [1] },
+                          "editEnabled" => { "roles" => [1] },
+                          "addEnabled" => { "roles" => [1] },
+                          "deleteEnabled" => { "roles" => [1] },
+                          "exportEnabled" => { "roles" => [1] }
+                        },
+                        "actions"=> {}
+                      }
+                    }
+                  }
+                )
+
+        get '/forest/Tree', params: params, headers: headers
+
+        expect(response.status).to eq(403)
+        expect(JSON.parse(response.body)['errors'][0]['detail']).to eq 'You don\'t have permission to access this resource'
+      end
+
       it 'should respond the tree data' do
         get '/forest/Tree', params: params, headers: headers
         expect(JSON.parse(response.body)).to eq({