haveapi 0.27.2 → 0.28.0

data/lib/haveapi/parameters/resource.rb

@@ -5,7 +5,7 @@ module HaveAPI::Parameters
 
     def initialize(resource, name: nil, label: nil, desc: nil,
                    choices: nil, value_id: :id, value_label: :label, required: nil,
-                   db_name: nil, fetch: nil)
+                   db_name: nil, fetch: nil, nullable: nil)
       @resource = resource
       @resource_path = build_resource_path(resource)
       @name = name || resource.resource_name.underscore.to_sym
@@ -15,6 +15,7 @@ module HaveAPI::Parameters
       @value_id = value_id
       @value_label = value_label
       @required = required
+      @nullable = nullable
       @db_name = db_name
       @extra = {
           fetch:
@@ -33,6 +34,10 @@ module HaveAPI::Parameters
       !@required
     end
 
+    def nullable?
+      @nullable == true && optional?
+    end
+
     def show_action
       @resource::Show
     end
@@ -56,6 +61,7 @@ module HaveAPI::Parameters
 
       {
         required: required?,
+        nullable: nullable?,
         label: @label,
         description: @desc,
         type: 'Resource',
@@ -91,17 +97,27 @@ module HaveAPI::Parameters
       attrs.each { |k, v| instance_variable_set("@#{k}", v) }
     end
 
-    def clean(raw)
+    def clean(raw, context = nil)
+      if raw.nil?
+        return nil if nullable?
+
+        raise HaveAPI::ValidationError, 'cannot be null'
+      end
+
       if raw.is_a?(String)
-        stripped = raw.strip
-        return nil if stripped.empty? && optional?
+        stripped = strip_string(raw)
+        return nil if stripped.empty? && nullable?
       end
 
-      extra = @extra.merge(optional: optional?)
+      extra = @extra.merge(optional: optional?, nullable: nullable?)
 
-      ::HaveAPI::ModelAdapter.for(
+      ret = ::HaveAPI::ModelAdapter.for(
         show_action.input.layout, @resource.model
       ).input_clean(@resource.model, raw, extra)
+
+      authorize_record!(ret, context)
+
+      ret
     end
 
     def validate(v, params)
@@ -114,6 +130,12 @@ module HaveAPI::Parameters
 
     private
 
+    def strip_string(value)
+      value.strip
+    rescue ArgumentError, Encoding::CompatibilityError
+      raise HaveAPI::ValidationError, 'invalid string encoding'
+    end
+
     def build_resource_path(r)
       path = []
       top_module = Kernel
@@ -132,5 +154,27 @@ module HaveAPI::Parameters
 
       path
     end
+
+    def authorize_record!(record, context)
+      return if record.nil? || context.nil?
+      return unless show_action.authorization
+
+      path = show_action.build_route('')
+      path_params = show_action.path_params(path, show_action.resolve_path_params(record))
+      child_context = HaveAPI::Context.new(
+        context.server,
+        version: context.version,
+        request: context.request,
+        action: show_action,
+        path:,
+        params: path_params,
+        user: context.current_user,
+        endpoint: context.endpoint
+      )
+      action = show_action.new(context.request, context.version, path_params, nil, child_context)
+      return if action.authorized?(context.current_user)
+
+      raise HaveAPI::ValidationError, 'resource not found'
+    end
   end
 end

data/lib/haveapi/parameters/typed.rb

@@ -1,8 +1,9 @@
 require 'date'
+require 'time'
 
 module HaveAPI::Parameters
   class Typed
-    ATTRIBUTES = %i[label desc type db_name default fill clean protected load_validators].freeze
+    ATTRIBUTES = %i[label desc type db_name default fill clean protected load_validators nullable].freeze
 
     attr_reader :name, :label, :desc, :type, :default
 
@@ -36,6 +37,10 @@ module HaveAPI::Parameters
       !required?
     end
 
+    def nullable?
+      @nullable == true && optional?
+    end
+
     def fill?
       @fill
     end
@@ -47,6 +52,7 @@ module HaveAPI::Parameters
     def describe(context)
       {
         required: required?,
+        nullable: nullable?,
         label: @label,
         description: @desc,
         type: @type ? @type.to_s : String.to_s,
@@ -73,17 +79,20 @@ module HaveAPI::Parameters
     end
 
     def clean(raw)
-      return instance_exec(raw, &@clean) if @clean
+      return validate_cleaned_value(instance_exec(raw, &@clean)) if @clean
 
-      if raw.is_a?(String)
-        stripped = raw.strip
-        return nil if stripped.empty? && optional?
+      if raw.nil?
+        return nil if nullable?
+
+        raise HaveAPI::ValidationError, 'cannot be null'
       end
 
-      if raw.nil?
-        @default
+      if raw.is_a?(String)
+        stripped = strip_string(raw)
+        return nil if stripped.empty? && nullable?
+      end
 
-      elsif @type.nil?
+      if @type.nil?
         nil
 
       elsif @type == Integer
@@ -136,6 +145,20 @@ module HaveAPI::Parameters
 
     private
 
+    def validate_cleaned_value(value)
+      if value.nil? && !nullable?
+        raise HaveAPI::ValidationError, 'cannot be null'
+      end
+
+      value
+    end
+
+    def strip_string(value)
+      value.strip
+    rescue ArgumentError, Encoding::CompatibilityError
+      raise HaveAPI::ValidationError, 'invalid string encoding'
+    end
+
     def coerce_integer(raw)
       case raw
       when Integer
@@ -147,7 +170,7 @@ module HaveAPI::Parameters
 
         raw.to_i
       when String
-        s = raw.strip
+        s = strip_string(raw)
 
         if s.empty? || !s.match?(/\A[+-]?\d+\z/)
           raise HaveAPI::ValidationError, "not a valid integer #{raw.inspect}"
@@ -164,7 +187,7 @@ module HaveAPI::Parameters
         f = raw.to_f
 
       elsif raw.is_a?(String)
-        s = raw.strip
+        s = strip_string(raw)
         raise HaveAPI::ValidationError, "not a valid float #{raw.inspect}" if s.empty?
 
         begin
@@ -191,7 +214,7 @@ module HaveAPI::Parameters
         return true if raw == 1
 
       elsif raw.is_a?(String)
-        s = raw.strip
+        s = strip_string(raw)
         raise HaveAPI::ValidationError, "not a valid boolean #{raw.inspect}" if s.empty?
 
         return true if %w[true t yes y 1].include?(s.downcase)
@@ -202,12 +225,16 @@ module HaveAPI::Parameters
     end
 
     def coerce_datetime(raw)
-      if raw.is_a?(String) && raw.strip.empty?
+      unless raw.is_a?(String)
+        raise HaveAPI::ValidationError, "not in ISO 8601 format '#{raw}'"
+      end
+
+      if strip_string(raw).empty?
         raise HaveAPI::ValidationError, "not in ISO 8601 format '#{raw}'"
       end
 
       DateTime.iso8601(raw).to_time
-    rescue ArgumentError
+    rescue ArgumentError, TypeError
       raise HaveAPI::ValidationError, "not in ISO 8601 format '#{raw}'"
     end
 

data/lib/haveapi/params.rb

@@ -134,12 +134,12 @@ module HaveAPI
 
       if include
         @include ||= []
-        @include.concat(include)
+        @include.concat(normalize_names(include))
       end
 
       if exclude
         @exclude ||= []
-        @exclude.concat(exclude)
+        @exclude.concat(normalize_names(exclude))
       end
 
       instance_eval(&block)
@@ -209,10 +209,17 @@ module HaveAPI
     # First step of validation. Check if input is in correct namespace
     # and has a correct layout.
     def check_layout(params)
-      if (params[namespace].nil? || !valid_layout?(params)) && any_required_params?
+      value = namespace ? params[namespace] : params
+
+      if value.nil?
+        raise ValidationError.new('invalid input layout', {}) if any_required_params?
+
+      elsif !valid_layout?(value)
         raise ValidationError.new('invalid input layout', {})
       end
 
+      return unless namespace
+
       case layout
       when :object, :hash
         params[namespace] ||= {}
@@ -224,12 +231,15 @@ module HaveAPI
 
     # Third step of validation. Check if all required params are present,
     # convert params to correct data types, set default values if necessary.
-    def validate(params)
+    def validate(params, context: nil, only: nil)
       errors = {}
+      permitted = only && only.map(&:to_sym)
 
       layout_aware(params) do |input|
         # First run - coerce values to correct types
         @params.each do |p|
+          next if permitted && !permitted.include?(p.name)
+
           if p.required? && input[p.name].nil?
             errors[p.name] = ['required parameter missing']
             next
@@ -241,7 +251,11 @@ module HaveAPI
           end
 
           begin
-            cleaned = p.clean(input[p.name])
+            cleaned = if p.method(:clean).arity.abs > 1
+                        p.clean(input[p.name], context)
+                      else
+                        p.clean(input[p.name])
+                      end
           rescue ValidationError => e
             errors[p.name] ||= []
             errors[p.name] << e.message
@@ -253,6 +267,7 @@ module HaveAPI
 
         # Second run - validate parameters
         @params.each do |p|
+          next if permitted && !permitted.include?(p.name)
           next if errors.has_key?(p.name)
           next if input[p.name].nil?
 
@@ -305,13 +320,17 @@ module HaveAPI
       kwargs
     end
 
-    def valid_layout?(params)
+    def normalize_names(names)
+      names.map { |v| v.is_a?(String) ? v.to_sym : v }
+    end
+
+    def valid_layout?(value)
       case layout
       when :object, :hash
-        params[namespace].is_a?(Hash)
+        value.is_a?(Hash)
 
       when :object_list, :hash_list
-        params[namespace].is_a?(Array)
+        value.is_a?(Array) && value.all?(Hash)
 
       else
         false

data/lib/haveapi/resource.rb

@@ -98,7 +98,10 @@ module HaveAPI
       end
 
       hash[:resources].each do |resource, children|
-        ret[:resources][resource.resource_name.underscore] = resource.describe(children, context)
+        child = resource.describe(children, context)
+        next if child[:actions].empty? && child[:resources].empty?
+
+        ret[:resources][resource.resource_name.underscore] = child
       end
 
       context.resource_path = orig_resource_path

data/lib/haveapi/resources/action_state.rb

@@ -77,18 +77,22 @@ module HaveAPI::Resources
     class Poll < HaveAPI::Action
       include Mixin
 
+      MAX_TIMEOUT = 30
+
       desc 'Returns when the action is completed or timeout occurs'
       http_method :get
       route '{%{resource}_id}/poll'
 
       input(:hash) do
-        float :timeout, label: 'Timeout', desc: 'in seconds', default: 15, fill: true
+        float :timeout, label: 'Timeout', desc: 'in seconds', default: 15, fill: true,
+                        number: { min: 0, max: MAX_TIMEOUT }
         float :update_in, label: 'Progress',
                           desc: 'number of seconds after which the state is returned if the progress ' \
-                                'has changed'
-        bool :status, desc: 'status to check with if update_in is set'
-        integer :current, desc: 'progress to check with if update_in is set'
-        integer :total, desc: 'progress to check with if update_in is set'
+                                'has changed',
+                          nullable: true
+        bool :status, desc: 'status to check with if update_in is set', nullable: true
+        integer :current, desc: 'progress to check with if update_in is set', nullable: true
+        integer :total, desc: 'progress to check with if update_in is set', nullable: true
       end
 
       output(:hash) do
@@ -98,6 +102,10 @@ module HaveAPI::Resources
       authorize { allow }
 
       def exec
+        if input[:timeout] > MAX_TIMEOUT
+          error!("timeout has to be maximally #{MAX_TIMEOUT}", {}, http_status: 400)
+        end
+
         t = Time.now
 
         loop do

data/lib/haveapi/route.rb

@@ -3,8 +3,8 @@ module HaveAPI
     attr_reader :path, :sinatra_path, :action, :resource_path
 
     def initialize(path, action, resource_path)
-      @path = path
-      @sinatra_path = path.gsub(/:([a-zA-Z\-_]+)/, '{\1}')
+      @sinatra_path = path.gsub(/:([a-zA-Z0-9\-_]+)/, '{\1}')
+      @path = @sinatra_path
       @action = action
       @resource_path = resource_path
     end