full_metal_body 0.1.0

data/lib/full_metal_body/input_key_utils.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module FullMetalBody
+  module InputKeyUtils
+
+    extend ActiveSupport::Concern
+
+    private
+
+    # Check if key is a numeric.
+    # @param [String,Integer] key
+    # @return [Boolean] (true, false)
+    def key_numeric?(key)
+      key.to_i.to_s == key || key.is_a?(Numeric)
+    end
+
+    # Divide the keys by the number representing the array.
+    # @param [Array<String,Symbol>] keys
+    # @return [Array<Array>] parent_keys and child_keys
+    def separate_by_array_key(keys)
+      idx = keys.find_index { |k| key_numeric?(k) }
+      parent_keys, child_keys = keys.partition.with_index { |_, i| i <= idx }
+      parent_keys.delete_at(-1) # parent_keys.last is unnecessary.
+      return parent_keys, child_keys
+    end
+
+  end
+
+end

data/lib/full_metal_body/input_validation.rb

@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+
+require 'full_metal_body/input_key_utils'
+require 'full_metal_body/internal/input_file_validator'
+require 'full_metal_body/internal/input_string_validator'
+require 'full_metal_body/internal/reasonable_boolean_validator'
+require 'full_metal_body/internal/reasonable_date_validator'
+
+module FullMetalBody
+  class InputValidation
+
+    include InputKeyUtils
+    include ActiveModel::Validations
+
+    attr_accessor :key, :value, :key_type
+
+    validates :key, "full_metal_body/internal/input_string": true, if: :check_key?
+
+    # @param [Array<String, Symbol>] key
+    # @param [Object] value
+    # @param [Hash] whitelist
+    def initialize(key, value, whitelist)
+      @key = key
+      @value = value
+      set_key_type(whitelist)
+      if value_validate
+        class_eval %(
+        validates :value, #{value_validate} # validates :value, input_string: true
+      ), __FILE__, __LINE__ - 2
+      end
+    end
+
+    private
+
+    # Whether to validate the key
+    #
+    # @return [Boolean] (true, false)
+    def check_key?
+      !@key_type
+    end
+
+    # Which validator to validate the value with
+    #
+    # @return [String] validator type
+    def value_validate
+      if @key_type.nil?
+        if @value.is_a?(ActionDispatch::Http::UploadedFile)
+          return "'full_metal_body/internal/input_file': true"
+        end
+
+        return "'full_metal_body/internal/input_string': true"
+      end
+
+      case @key_type['type']
+      when 'string'
+        options = @key_type['options']&.symbolize_keys || true
+        "'full_metal_body/internal/input_string': #{options}"
+      when 'number'
+        options = @key_type['options']&.symbolize_keys || { allow_blank: true }
+        if @value.is_a?(Numeric)
+          "numericality: #{options}"
+        else
+          "'full_metal_body/internal/input_string': true, numericality: #{options}"
+        end
+      when 'date'
+        if @value.is_a?(Date)
+          "'full_metal_body/internal/reasonable_date': true"
+        else
+          "'full_metal_body/internal/input_string': true, 'full_metal_body/internal/reasonable_date': true"
+        end
+      when 'file'
+        options = @key_type['options']&.symbolize_keys || true
+        "'full_metal_body/internal/input_file': #{options}"
+      when 'boolean'
+        options = @key_type['options']&.symbolize_keys || true
+        if [TrueClass, FalseClass].any? { |klass| @value.is_a?(klass) }
+          "'full_metal_body/internal/reasonable_boolean': #{options}"
+        else
+          "'full_metal_body/internal/input_string': true, 'full_metal_body/internal/reasonable_boolean': #{options}"
+        end
+      end
+    end
+
+    # Set type-definition to @key_type
+    #
+    # @param [Hash] whitelist
+    def set_key_type(whitelist)
+      return @key_type = nil if whitelist.nil?
+
+      # When ype-definition by key is exists in whitelist
+      return @key_type = whitelist.dig(*@key) if has_type?(whitelist.dig(*@key))
+
+      # When @key has the index number of the array
+      if @key.find_index { |k| key_numeric?(k) }
+        result = get_key_type_recursively(@key, whitelist)
+        return @key_type = result if has_type?(result)
+      end
+
+      # When no type-definition by key in whitelist
+      @key_type = nil
+    end
+
+    # Search type-definition by key recursively from whitelist
+    #
+    # @param [Array<String>] keys
+    # @param [Hash] whitelist
+    #
+    # @return [Hash, NilClass] type-definition by key
+    def get_key_type_recursively(keys, whitelist)
+      parent_keys, child_keys = separate_by_array_key(keys)
+      parent = parent_keys.empty? ? whitelist : whitelist.dig(*parent_keys)
+
+      if parent['type'] == 'array'
+        if child_keys.empty?
+          # { type: array, properties: { type: string } }
+          parent['properties']
+        elsif parent['properties'].dig(*child_keys)
+          # { type: array, properties: { hoge: { type: string } } }
+          parent['properties'].dig(*child_keys)
+        elsif parent.dig('properties', 'type') == 'array'
+          # { type: array, properties: { type: array, properties: { ... } } }
+          get_key_type_recursively(child_keys, parent['properties'])
+        elsif parent.dig('properties', child_keys.first, 'type') == 'array'
+          # { type: array, properties: { hoge: { type: array, properties: { ... } } } }
+          first_key = child_keys.shift
+          get_key_type_recursively(child_keys, parent.dig('properties', first_key))
+        else
+          nil
+        end
+      else
+        nil
+      end
+    end
+
+    # Whether or not the item has a type attribute.
+    #
+    # @param [Object] item
+    #
+    # @return [Boolean] (true, false)
+    def has_type?(item)
+      return false unless item.is_a?(Hash)
+
+      %w(string number date file boolean).include?(item['type'])
+    end
+
+  end
+
+end

data/lib/full_metal_body/internal/input_file_validator.rb

@@ -0,0 +1,47 @@
+
+module FullMetalBody
+  module Internal
+    class InputFileValidator < ActiveModel::EachValidator
+
+      DEFAULT_CONTENT_TYPES = '*'.freeze
+      DEFAULT_FILE_SIZE = 100.megabytes
+
+      def check_validity!
+        if options[:content_type]
+          value = options[:content_type]
+          unless value.is_a?(String) || (value.is_a?(Array) && value.all?(String))
+            raise ArgumentError, ":content_type must be String or Array<String>"
+          end
+        end
+        if options[:file_size]
+          value = options[:file_size]
+          raise ArgumentError, ":file_size must be a non-negative Integer" unless value.is_a?(Integer) && value >= 0
+        end
+      end
+
+      def validate_each(record, attribute, value)
+        return if value.nil?
+
+        content_types = options[:content_type] || DEFAULT_CONTENT_TYPES
+        file_size = options[:file_size] || DEFAULT_FILE_SIZE
+
+        # type
+        unless value.is_a? ActionDispatch::Http::UploadedFile
+          return record.errors.add(attribute, :file_wrong_type, value: value)
+        end
+
+        # content type
+        if content_types != '*' && Array(content_types).exclude?(value.content_type)
+          return record.errors.add(attribute, :invalid_content_type)
+        end
+
+        # file size
+        if value.size > file_size
+          record.errors.add(attribute, :too_large_size)
+        end
+      end
+
+    end
+
+  end
+end

data/lib/full_metal_body/internal/input_string_validator.rb

@@ -0,0 +1,60 @@
+module FullMetalBody
+  module Internal
+
+    class InputStringValidator < ActiveModel::EachValidator
+
+      DEFAULT_MAX_LENGTH = 1024
+
+      def check_validity!
+        if options[:max_length]
+          value = options[:max_length]
+          raise ArgumentError, ":max_length must be a non-negative Integer" unless value.is_a?(Integer) && value >= 0
+        end
+      end
+
+      def validate_each(record, attribute, value)
+        return if value.nil?
+
+        if value.is_a?(Array)
+          value.each do |v|
+            validate_value(record, attribute, v.dup)
+          end
+        else
+          validate_value(record, attribute, value.dup)
+        end
+      end
+
+      def validate_value(record, attribute, value)
+        max_length = options[:max_length] || DEFAULT_MAX_LENGTH
+
+        # type
+        unless value.is_a? String
+          return record.errors.add(attribute, :wrong_type, value: value)
+        end
+
+        # length
+        if value.size > max_length
+          return record.errors.add(attribute, :too_long, value: byteslice(value), count: value.size)
+        end
+
+        # encoding
+        original_encoding = value.encoding.name
+        unless value.force_encoding('UTF-8').valid_encoding?
+          return record.errors.add(attribute, :wrong_encoding, value: byteslice(value), encoding: original_encoding)
+        end
+
+        # cntrl
+        # Replace and delete line feed codes and horizontal tabs (vertical tabs are not)
+        value = value.gsub(/\R|\t/, '')
+        if /[[:cntrl:]]/.match?(value)
+          record.errors.add(attribute, :include_cntrl, value: byteslice(value))
+        end
+      end
+
+      def byteslice(value)
+        value.byteslice(0, 1024)
+      end
+
+    end
+  end
+end

data/lib/full_metal_body/internal/reasonable_boolean_validator.rb

@@ -0,0 +1,16 @@
+module FullMetalBody
+  module Internal
+    class ReasonableBooleanValidator < ActiveModel::EachValidator
+
+      TRUE_VALUES = [true, "1", "t", "T", "true", "TRUE", "on", "ON"].to_set.freeze
+      FALSE_VALUES = [false, "0", "f", "F", "false", "FALSE", "off", "OFF"].to_set.freeze
+
+      def validate_each(record, attribute, value)
+        unless [TRUE_VALUES, FALSE_VALUES].any? { |b| b.include?(value) }
+          record.errors.add(attribute, :not_reasonable_boolean, value: value)
+        end
+      end
+
+    end
+  end
+end

data/lib/full_metal_body/internal/reasonable_date_validator.rb

@@ -0,0 +1,27 @@
+module FullMetalBody
+  module Internal
+
+    class ReasonableDateValidator < ActiveModel::EachValidator
+
+      def validate_each(record, attribute, value)
+        return if value.blank? || value.is_a?(Date)
+
+        unless date_valid?(value)
+          record.errors.add(attribute, :not_reasonable_date, value: value)
+        end
+      end
+
+      def date_valid?(str)
+        # Allow only slash and hyphen separators
+        unless str.match?(%r{^\d{4}/\d{1,2}/\d{1,2}$|^\d{4}-\d{1,2}-\d{1,2}$})
+          return false
+        end
+
+        !!Date.parse(str)
+      rescue
+        false
+      end
+
+    end
+  end
+end

data/lib/full_metal_body/models/blocked_action.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module FullMetalBody
+  class BlockedAction < ActiveRecord::Base
+
+    has_many :blocked_keys, dependent: :destroy
+
+    validates :controller, presence: true, uniqueness: { scope: :action }
+    validates :action, presence: true
+
+  end
+end

data/lib/full_metal_body/models/blocked_key.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module FullMetalBody
+  class BlockedKey < ActiveRecord::Base
+
+    belongs_to :blocked_action
+
+    validates :blocked_key, presence: true
+    validates :blocked_action, uniqueness: { scope: :blocked_key }
+
+  end
+end

data/lib/full_metal_body/railtie.rb

@@ -0,0 +1,4 @@
+module FullMetalBody
+  class Railtie < ::Rails::Railtie
+  end
+end

data/lib/full_metal_body/services/save_blocked_keys_service.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module FullMetalBody
+  class SaveBlockedKeysService
+
+    class << self
+
+      # Save blocked_keys to the database using bulk insert.
+      #
+      # @param [String] controller_path
+      # @param [String] action_name
+      # @param [Array<Array<String>>] blocked_keys
+      # @return [ActiveRecord::Result]
+      def execute!(controller_path, action_name, blocked_keys)
+        ApplicationRecord.transaction do
+          blocked_action = BlockedAction.find_or_create_by!(controller: controller_path, action: action_name)
+          now = Time.zone.now
+          if rails_6_1_and_up?
+            attributes = blocked_keys.map { |key| { blocked_key: key } }
+            blocked_action.blocked_keys.create_with(
+              created_at: now,
+              updated_at: now,
+              ).insert_all(attributes, returning: [:id], unique_by: [:blocked_action_id, :blocked_key])
+          elsif rails_6_0?
+            attributes = blocked_keys.map do |key|
+              {
+                blocked_action_id: blocked_action.id,
+                blocked_key: key,
+                created_at: now,
+                updated_at: now,
+              }
+            end
+            blocked_action.blocked_keys.insert_all(
+              attributes,
+              returning: [:id],
+              unique_by: [:blocked_action_id, :blocked_key],
+              )
+          else
+            blocked_keys.each { |key| blocked_action.blocked_keys.find_or_create_by(blocked_key: key) }
+          end
+        end
+      end
+
+      private
+
+      def rails_6_1_and_up?
+        Gem::Version.new(Rails.version) >= Gem::Version.new("6.1.0")
+      end
+
+      def rails_6_0?
+        Rails::VERSION::MAJOR == 6 && Rails::VERSION::MINOR == 0
+      end
+    end
+  end
+end

data/lib/full_metal_body/version.rb

@@ -0,0 +1,3 @@
+module FullMetalBody
+  VERSION = "0.1.0"
+end

data/lib/full_metal_body/whitelist_writer.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'full_metal_body/deep_sort'
+require 'full_metal_body/dynamic_whitelist_generator'
+using FullMetalBody::DeepSort
+
+module FullMetalBody
+
+  class WhitelistWriter
+
+    # @param [String] controller_path
+    # @param [String] action_name
+    def initialize(controller_path, action_name)
+      @controller_path = controller_path
+      @action_name = action_name
+      @data = {}
+    end
+
+    # @param [Array<Array>] blocked_keys
+    def write!(blocked_keys)
+      blocked_keys.each { |key| update_data!(key) }
+
+      dir = File.dirname(save_path)
+      FileUtils.mkdir_p(dir, mode: 0o777) unless Dir.exist?(dir)
+      if File.exist?(save_path)
+        whitelist = YAML.load_file(save_path)
+        @data.deep_merge!(whitelist)
+      end
+      @data.deep_sort!
+      File.open(save_path, "w") do |file|
+        YAML.dump(@data, file)
+      end
+      FileUtils.chmod(0o777, save_path)
+    end
+
+    # Return path to store the whitelist.
+    # @return [Pathname]
+    def save_path
+      @save_path ||= if Rails.env.test?
+                       Rails.root.join('tmp', "test#{ENV.fetch('TEST_ENV_NUMBER', '')}", 'whitelist', "#{@controller_path}.yml")
+                     else
+                       Rails.root.join('tmp', 'whitelist', "#{@controller_path}.yml")
+                     end
+    end
+
+    private
+
+    attr_reader :action_name
+
+    def controller_name
+      @controller_path.split('/').last
+    end
+
+    # Dynamically generate whitelist from keys.
+    # @param [Array] keys
+    def update_data!(keys)
+      whitelist = DynamicWhitelistGenerator.new(keys, 'string').execute!
+      @data.bury!([controller_name, action_name], whitelist.to_hash)
+    end
+
+  end
+
+end

data/lib/full_metal_body.rb

@@ -0,0 +1,9 @@
+require "full_metal_body/version"
+require "full_metal_body/railtie"
+require "bury"
+
+module FullMetalBody
+  require 'full_metal_body/models/blocked_action'
+  require 'full_metal_body/models/blocked_key'
+  require 'full_metal_body/controllers/concerns/input_validation_action'
+end

data/lib/generators/full_metal_body/install/install_generator.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module FullMetalBody
+  class InstallGenerator < ::Rails::Generators::Base
+    include ::Rails::Generators::Migration
+
+    source_root File.expand_path('templates', __dir__)
+
+    def self.next_migration_number(_path)
+      Time.now.utc.strftime('%Y%m%d%H%M%S')
+    end
+
+    def create_migration_file
+      template = 'create_blocked_actions'
+      migration_dir = File.expand_path('db/migrate')
+      migration_template(
+        "#{template}.rb.erb",
+        "db/migrate/#{template}.rb",
+        migration_version: migration_version,
+      )
+    end
+
+    def create_whitelist_dir
+      empty_directory('config/whitelist')
+    end
+
+    private
+
+    def migration_version
+      "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]" if over_rails5?
+    end
+
+    def over_rails5?
+      Rails::VERSION::MAJOR >= 5
+    end
+  end
+end

data/lib/generators/full_metal_body/install/templates/create_blocked_actions.rb.erb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class CreateBlockedActions < ActiveRecord::Migration<%= migration_version %>
+
+  def change
+    create_table :blocked_actions do |t|
+      t.string :controller, null: false
+      t.string :action, null: false
+
+      t.timestamps
+    end
+    add_index :blocked_actions, [:controller, :action], unique: true
+
+    create_table :blocked_keys do |t|
+      t.references :blocked_action, foreign_key: true, null: false
+      t.string :blocked_key, array: true, null: false
+
+      t.timestamps
+    end
+    add_index :blocked_keys, [:blocked_action_id, :blocked_key], unique: true
+  end
+end

data/lib/tasks/full_metal_body_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :full_metal_body do
+#   # Task goes here
+# end