grape-security 0.8.0

data/lib/grape/route.rb

@@ -0,0 +1,27 @@
+module Grape
+  # A compiled route for inspection.
+  class Route
+    def initialize(options = {})
+      @options = options || {}
+    end
+
+    def method_missing(method_id, *arguments)
+      match = /route_([_a-zA-Z]\w*)/.match(method_id.to_s)
+      if match
+        @options[match.captures.last.to_sym]
+      else
+        super
+      end
+    end
+
+    def to_s
+      "version=#{route_version}, method=#{route_method}, path=#{route_path}"
+    end
+
+    private
+
+    def to_ary
+      nil
+    end
+  end
+end

data/lib/grape/util/content_types.rb

@@ -0,0 +1,18 @@
+module Grape
+  module ContentTypes
+    # Content types are listed in order of preference.
+    CONTENT_TYPES = ActiveSupport::OrderedHash[
+      :xml,  'application/xml',
+      :serializable_hash, 'application/json',
+      :json, 'application/json',
+      :jsonapi, 'application/vnd.api+json',
+      :atom, 'application/atom+xml',
+      :rss,  'application/rss+xml',
+      :txt,  'text/plain',
+   ]
+
+    def self.content_types_for(from_settings)
+      from_settings || Grape::ContentTypes::CONTENT_TYPES
+    end
+  end
+end

data/lib/grape/util/deep_merge.rb

@@ -0,0 +1,23 @@
+class Hash
+  # deep_merge from rails
+  # activesupport/lib/active_support/core_ext/hash/deep_merge.rb
+  # Returns a new hash with +self+ and +other_hash+ merged recursively.
+  #
+  #     h1 = {x: {y: [4,5,6]}, z: [7,8,9]}
+  #     h2 = {x: {y: [7,8,9]}, z: "xyz"}
+  #
+  #     h1.deep_merge(h2) #=> { x: {y: [7, 8, 9]}, z: "xyz" }
+  #     h2.deep_merge(h1) #=> { x: {y: [4, 5, 6]}, z: [7, 8, 9] }
+  def deep_merge(other_hash)
+    dup.deep_merge!(other_hash)
+  end
+
+  # Same as +deep_merge+, but modifies +self+.
+  def deep_merge!(other_hash)
+    other_hash.each_pair do |k, v|
+      tv = self[k]
+      self[k] = tv.is_a?(Hash) && v.is_a?(Hash) ? tv.deep_merge(v) : v
+    end
+    self
+  end
+end

data/lib/grape/util/hash_stack.rb

@@ -0,0 +1,120 @@
+module Grape
+  module Util
+    # HashStack is a stack of hashes. When retrieving a value, keys of the top
+    # hash on the stack take precendent over the lower keys.
+    class HashStack
+      # Unmerged array of hashes to represent the stack.
+      # The top of the stack is the last element.
+      attr_reader :stack
+
+      # TODO: handle aggregates
+      def initialize
+        @stack = [{}]
+      end
+
+      # Returns the top hash on the stack
+      def peek
+        @stack.last
+      end
+
+      # Add a new hash to the top of the stack.
+      #
+      # @param hash [Hash] optional hash to be pushed. Defaults to empty hash
+      # @return [HashStack]
+      def push(hash = {})
+        @stack.push(hash)
+        self
+      end
+
+      def pop
+        @stack.pop
+      end
+
+      # Looks through the stack for the first frame that matches :key
+      #
+      # @param key [Symbol] key to look for in hash frames
+      # @return value of given key after merging the stack
+      def get(key)
+        (@stack.length - 1).downto(0).each do |i|
+          return @stack[i][key] if @stack[i].key? key
+        end
+        nil
+      end
+      alias_method :[], :get
+
+      # Looks through the stack for the first frame that matches :key
+      #
+      # @param key [Symbol] key to look for in hash frames
+      # @return true if key exists, false otherwise
+      def key?(key)
+        (@stack.length - 1).downto(0).each do |i|
+          return true if @stack[i].key? key
+        end
+        false
+      end
+
+      # Replace a value on the top hash of the stack.
+      #
+      # @param key [Symbol] The key to set.
+      # @param value [Object] The value to set.
+      def set(key, value)
+        peek[key.to_sym] = value
+      end
+      alias_method :[]=, :set
+
+      # Replace multiple values on the top hash of the stack.
+      #
+      # @param hash [Hash] Hash of values to be merged in.
+      def update(hash)
+        peek.merge!(hash)
+        self
+      end
+
+      # Adds addition value into the top hash of the stack
+      def imbue(key, value)
+        current = peek[key.to_sym]
+        if current.is_a?(Array)
+          current.concat(value)
+        elsif current.is_a?(Hash)
+          current.merge!(value)
+        else
+          set(key, value)
+        end
+      end
+
+      # Prepend another HashStack's to self
+      def prepend(hash_stack)
+        @stack.unshift(*hash_stack.stack)
+        self
+      end
+
+      # Concatenate another HashStack's to self
+      def concat(hash_stack)
+        @stack.concat hash_stack.stack
+        self
+      end
+
+      # Looks through the stack for all instances of a given key and returns
+      # them as a flat Array.
+      #
+      # @param key [Symbol] The key to gather
+      # @return [Array]
+      def gather(key)
+        stack.flat_map { |s| s[key] }.compact.uniq
+      end
+
+      def to_s
+        @stack.to_s
+      end
+
+      def clone
+        new_stack = HashStack.new
+        stack.each do |frame|
+          new_stack.push frame.clone
+        end
+        new_stack.stack.shift
+        new_stack
+      end
+    end
+  end
+end

data/lib/grape/validations.rb

@@ -0,0 +1,322 @@
+module Grape
+  module Validations
+    ##
+    # All validators must inherit from this class.
+    #
+    class Validator
+      attr_reader :attrs
+
+      def initialize(attrs, options, required, scope)
+        @attrs = Array(attrs)
+        @required = required
+        @scope = scope
+
+        if options.is_a?(Hash) && !options.empty?
+          raise Grape::Exceptions.UnknownOptions.new(options.keys)
+        end
+      end
+
+      def validate!(params)
+        attributes = AttributesIterator.new(self, @scope, params)
+        attributes.each do |resource_params, attr_name|
+          if @required || resource_params.key?(attr_name)
+            validate_param!(attr_name, resource_params)
+          end
+        end
+      end
+
+      class AttributesIterator
+        include Enumerable
+
+        def initialize(validator, scope, params)
+          @attrs = validator.attrs
+          @params = scope.params(params)
+          @params = (@params.is_a?(Array) ? @params : [@params])
+        end
+
+        def each
+          @params.each do |resource_params|
+            @attrs.each do |attr_name|
+              yield resource_params, attr_name
+            end
+          end
+        end
+      end
+
+      def self.convert_to_short_name(klass)
+        ret = klass.name.gsub(/::/, '/')
+          .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+          .gsub(/([a-z\d])([A-Z])/, '\1_\2')
+          .tr("-", "_")
+          .downcase
+        File.basename(ret, '_validator')
+      end
+    end
+
+    ##
+    # Base class for all validators taking only one param.
+    class SingleOptionValidator < Validator
+      def initialize(attrs, options, required, scope)
+        @option = options
+        super
+      end
+    end
+
+    # We define Validator::inherited here so SingleOptionValidator
+    # will not be considered a validator.
+    class Validator
+      def self.inherited(klass)
+        short_name = convert_to_short_name(klass)
+        Validations.register_validator(short_name, klass)
+      end
+    end
+
+    class << self
+      attr_accessor :validators
+    end
+
+    self.validators = {}
+
+    def self.register_validator(short_name, klass)
+      validators[short_name] = klass
+    end
+
+    class ParamsScope
+      attr_accessor :element, :parent
+
+      def initialize(opts, &block)
+        @element  = opts[:element]
+        @parent   = opts[:parent]
+        @api      = opts[:api]
+        @optional = opts[:optional] || false
+        @type     = opts[:type]
+        @declared_params = []
+
+        instance_eval(&block)
+
+        configure_declared_params
+      end
+
+      def should_validate?(parameters)
+        return false if @optional && params(parameters).respond_to?(:all?) && params(parameters).all?(&:blank?)
+        return true if parent.nil?
+        parent.should_validate?(parameters)
+      end
+
+      def requires(*attrs, &block)
+        orig_attrs = attrs.clone
+
+        opts = attrs.last.is_a?(Hash) ? attrs.pop : nil
+
+        if opts && opts[:using]
+          require_required_and_optional_fields(attrs.first, opts)
+        else
+          validate_attributes(attrs, opts, &block)
+
+          block_given? ? new_scope(orig_attrs, &block) :
+            push_declared_params(attrs)
+        end
+      end
+
+      def optional(*attrs, &block)
+        orig_attrs = attrs
+
+        validations = {}
+        validations.merge!(attrs.pop) if attrs.last.is_a?(Hash)
+        validations[:type] ||= Array if block_given?
+        validates(attrs, validations)
+
+        block_given? ? new_scope(orig_attrs, true, &block) :
+          push_declared_params(attrs)
+      end
+
+      def mutually_exclusive(*attrs)
+        validates(attrs, mutual_exclusion: true)
+      end
+
+      def exactly_one_of(*attrs)
+        validates(attrs, exactly_one_of: true)
+      end
+
+      def group(*attrs, &block)
+        requires(*attrs, &block)
+      end
+
+      def params(params)
+        params = @parent.params(params) if @parent
+        if @element
+          if params.is_a?(Array)
+            params = params.flat_map { |el| el[@element] || {} }
+          elsif params.is_a?(Hash)
+            params = params[@element] || {}
+          else
+            params = {}
+          end
+        end
+        params
+      end
+
+      def use(*names)
+        named_params = @api.settings[:named_params] || {}
+        options = names.last.is_a?(Hash) ? names.pop : {}
+        names.each do |name|
+          params_block = named_params.fetch(name) do
+            raise "Params :#{name} not found!"
+          end
+          instance_exec(options, &params_block)
+        end
+      end
+      alias_method :use_scope, :use
+      alias_method :includes, :use
+
+      def full_name(name)
+        return "#{@parent.full_name(@element)}[#{name}]" if @parent
+        name.to_s
+      end
+
+      def root?
+        !@parent
+      end
+
+      protected
+
+      def push_declared_params(attrs)
+        @declared_params.concat attrs
+      end
+
+      private
+
+      def require_required_and_optional_fields(context, opts)
+        if context == :all
+          optional_fields = Array(opts[:except])
+          required_fields = opts[:using].keys - optional_fields
+        else # context == :none
+          required_fields = Array(opts[:except])
+          optional_fields = opts[:using].keys - required_fields
+        end
+        required_fields.each do |field|
+          field_opts = opts[:using][field]
+          raise ArgumentError, "required field not exist: #{field}" unless field_opts
+          requires(field, field_opts)
+        end
+        optional_fields.each do |field|
+          field_opts = opts[:using][field]
+          optional(field, field_opts) if field_opts
+        end
+      end
+
+      def validate_attributes(attrs, opts, &block)
+        validations = { presence: true }
+        validations.merge!(opts) if opts
+        validations[:type] ||= Array if block
+        validates(attrs, validations)
+      end
+
+      def new_scope(attrs, optional = false, &block)
+        opts = attrs[1] || { type: Array }
+        raise ArgumentError unless opts.keys.to_set.subset? [:type].to_set
+        ParamsScope.new(api: @api, element: attrs.first, parent: self, optional: optional, type: opts[:type], &block)
+      end
+
+      # Pushes declared params to parent or settings
+      def configure_declared_params
+        if @parent
+          @parent.push_declared_params [element => @declared_params]
+        else
+          @api.settings.peek[:declared_params] ||= []
+          @api.settings[:declared_params].concat @declared_params
+        end
+      end
+
+      def validates(attrs, validations)
+        doc_attrs = { required: validations.keys.include?(:presence) }
+
+        # special case (type = coerce)
+        validations[:coerce] = validations.delete(:type) if validations.key?(:type)
+
+        coerce_type = validations[:coerce]
+        doc_attrs[:type] = coerce_type.to_s if coerce_type
+
+        desc = validations.delete(:desc)
+        doc_attrs[:desc] = desc if desc
+
+        default = validations[:default]
+        doc_attrs[:default] = default if default
+
+        values = validations[:values]
+        doc_attrs[:values] = values if values
+
+        values = (values.is_a?(Proc) ? values.call : values)
+
+        # default value should be present in values array, if both exist
+        if default && values && !values.include?(default)
+          raise Grape::Exceptions::IncompatibleOptionValues.new(:default, default, :values, values)
+        end
+
+        # type should be compatible with values array, if both exist
+        if coerce_type && values && values.any? { |v| !v.kind_of?(coerce_type) }
+          raise Grape::Exceptions::IncompatibleOptionValues.new(:type, coerce_type, :values, values)
+        end
+
+        doc_attrs[:documentation] = validations.delete(:documentation) if validations.key?(:documentation)
+
+        full_attrs = attrs.collect { |name| { name: name, full_name: full_name(name) } }
+        @api.document_attribute(full_attrs, doc_attrs)
+
+        # Validate for presence before any other validators
+        if validations.key?(:presence) && validations[:presence]
+          validate('presence', validations[:presence], attrs, doc_attrs)
+          validations.delete(:presence)
+        end
+
+        # Before we run the rest of the validators, lets handle
+        # whatever coercion so that we are working with correctly
+        # type casted values
+        if validations.key? :coerce
+          validate('coerce', validations[:coerce], attrs, doc_attrs)
+          validations.delete(:coerce)
+        end
+
+        validations.each do |type, options|
+          validate(type, options, attrs, doc_attrs)
+        end
+      end
+
+      def validate(type, options, attrs, doc_attrs)
+        validator_class = Validations.validators[type.to_s]
+
+        if validator_class
+          (@api.settings.peek[:validations] ||= []) << validator_class.new(attrs, options, doc_attrs[:required], self)
+        else
+          raise Grape::Exceptions::UnknownValidator.new(type)
+        end
+      end
+    end
+
+    # This module is mixed into the API Class.
+    module ClassMethods
+      def reset_validations!
+        settings.peek[:declared_params] = []
+        settings.peek[:validations] = []
+      end
+
+      def params(&block)
+        ParamsScope.new(api: self, type: Hash, &block)
+      end
+
+      def document_attribute(names, opts)
+        @last_description ||= {}
+        @last_description[:params] ||= {}
+        Array(names).each do |name|
+          @last_description[:params][name[:full_name].to_s] ||= {}
+          @last_description[:params][name[:full_name].to_s].merge!(opts)
+        end
+      end
+    end
+  end
+end
+
+# Load all defined validations.
+Dir[File.expand_path('../validations/*.rb', __FILE__)].each do |path|
+  require(path)
+end