RubyGems - haveapi - Versions diffs - 0.27.2 → 0.28.0 - Mend

haveapi 0.27.2 → 0.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/haveapi.gemspec +1 -1
data/lib/haveapi/action.rb +125 -36
data/lib/haveapi/actions/paginable.rb +3 -1
data/lib/haveapi/authentication/basic/provider.rb +2 -0
data/lib/haveapi/authentication/chain.rb +11 -7
data/lib/haveapi/authentication/oauth2/config.rb +25 -3
data/lib/haveapi/authentication/oauth2/provider.rb +92 -11
data/lib/haveapi/authentication/oauth2/revoke_endpoint.rb +44 -3
data/lib/haveapi/authentication/token/provider.rb +53 -15
data/lib/haveapi/authorization.rb +42 -18
data/lib/haveapi/client_examples/php_client.rb +1 -1
data/lib/haveapi/client_examples/ruby_client.rb +1 -1
data/lib/haveapi/context.rb +10 -4
data/lib/haveapi/example.rb +15 -16
data/lib/haveapi/extensions/action_exceptions.rb +6 -6
data/lib/haveapi/model_adapters/active_record.rb +150 -71
data/lib/haveapi/model_adapters/hash.rb +1 -1
data/lib/haveapi/parameters/resource.rb +50 -6
data/lib/haveapi/parameters/typed.rb +40 -13
data/lib/haveapi/params.rb +27 -8
data/lib/haveapi/resource.rb +4 -1
data/lib/haveapi/resources/action_state.rb +13 -5
data/lib/haveapi/route.rb +2 -2
data/lib/haveapi/server.rb +137 -45
data/lib/haveapi/validator.rb +2 -2
data/lib/haveapi/validator_chain.rb +1 -0
data/lib/haveapi/validators/confirmation.rb +1 -0
data/lib/haveapi/validators/format.rb +6 -2
data/lib/haveapi/validators/length.rb +2 -0
data/lib/haveapi/validators/numericality.rb +2 -0
data/lib/haveapi/validators/presence.rb +1 -1
data/lib/haveapi/version.rb +1 -1
data/lib/haveapi/views/version_page/client_auth.erb +1 -1
data/lib/haveapi/views/version_page/client_example.erb +3 -3
data/lib/haveapi/views/version_page/client_init.erb +1 -1
data/lib/haveapi/views/version_page.erb +2 -2
data/lib/haveapi/views/version_sidebar.erb +4 -2
data/spec/action/authorize_spec.rb +99 -0
data/spec/action/runtime_spec.rb +426 -0
data/spec/action_state_spec.rb +52 -0
data/spec/authentication/basic_spec.rb +29 -0
data/spec/authentication/oauth2_spec.rb +329 -0
data/spec/authentication/token_spec.rb +195 -0
data/spec/authentication/token_version_routes_spec.rb +164 -0
data/spec/authorization_spec.rb +66 -0
data/spec/documentation/auth_filtering_spec.rb +195 -1
data/spec/documentation/current_user_html_escaping_spec.rb +47 -0
data/spec/documentation/examples_spec.rb +97 -0
data/spec/documentation/host_html_escaping_spec.rb +41 -0
data/spec/documentation_spec.rb +13 -0
data/spec/extensions/action_exceptions_spec.rb +30 -0
data/spec/model_adapters/active_record_spec.rb +408 -3
data/spec/parameters/typed_spec.rb +75 -7
data/spec/params_spec.rb +41 -0
data/spec/server/integration_spec.rb +90 -0
data/spec/validator_chain_spec.rb +39 -0
data/spec/validators/confirmation_spec.rb +14 -0
data/spec/validators/format_spec.rb +7 -0
data/spec/validators/length_spec.rb +6 -0
data/spec/validators/numericality_spec.rb +7 -0
data/spec/validators/presence_spec.rb +2 -0
data/test_support/client_test_api.rb +31 -3
metadata +8 -4
data/shell.nix +0 -20

data/lib/haveapi/server.rb CHANGED Viewed

@@ -49,8 +49,12 @@ module HaveAPI
         return if @formatter
         @formatter = OutputFormatter.new
-        unless @formatter.supports?(request.accept)
+        accept = request.accept
+      rescue ArgumentError, EncodingError
+        @formatter.supports?([])
+        report_error(400, {}, 'Bad Accept header')
+      else
+        unless @formatter.supports?(accept)
           @halted = true
           halt 406, "Not Acceptable\n"
         end
@@ -79,6 +83,19 @@ module HaveAPI
         @current_user
       end
+      def authenticated_versions
+        settings.api_server.versions.each_with_object({}) do |v, ret|
+          ret[v] = settings.api_server.send(:do_authenticate, v, request)
+        rescue HaveAPI::Authentication::TokenConflict => e
+          unless @formatter
+            @formatter = OutputFormatter.new
+            @formatter.supports?([])
+          end
+          report_error(400, {}, e.message)
+        end
+      end
       def access_control
         return unless request.env['HTTP_ORIGIN'] && request.env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
@@ -110,6 +127,10 @@ module HaveAPI
       def report_error(code, headers, msg)
         @halted = true
+        unless @formatter
+          @formatter = OutputFormatter.new
+          @formatter.supports?([])
+        end
         content_type @formatter.content_type, charset: 'utf-8'
         halt code, headers, @formatter.format(false, nil, msg, version: false)
@@ -172,10 +193,14 @@ module HaveAPI
         return ret if validators.nil?
         validators.each do |name, opts|
-          ret += "<h5>#{name.to_s.capitalize}</h5>"
+          ret += "<h5>#{escape_html(name.to_s.capitalize)}</h5>"
           ret += '<dl>'
-          opts.each do |k, v|
-            ret += "<dt>#{k}</dt><dd>#{escape_html(v.to_s)}</dd>"
+          if opts.respond_to?(:each_pair)
+            opts.each_pair do |k, v|
+              ret += "<dt>#{escape_html(k)}</dt><dd>#{escape_html(v.to_s)}</dd>"
+            end
+          else
+            ret += "<dt>description</dt><dd>#{escape_html(opts.to_s)}</dd>"
           end
           ret += '</dl>'
         end
@@ -270,12 +295,13 @@ module HaveAPI
       # Mount root
       @sinatra.get @root do
-        authenticated?(settings.api_server.default_version)
+        auth_users_by_version = authenticated_versions
         @api = settings.api_server.describe(Context.new(
                                               settings.api_server,
-                                              user: current_user,
-                                              params:
+                                              user: auth_users_by_version[settings.api_server.default_version],
+                                              params:,
+                                              auth_users_by_version:
                                             ))
         content_type 'text/html'
@@ -285,7 +311,6 @@ module HaveAPI
       @sinatra.options @root do
         setup_formatter
         access_control
-        authenticated?(settings.api_server.default_version)
         ret = nil
         ret = case params[:describe]
@@ -296,20 +321,26 @@ module HaveAPI
                 }
               when 'default'
+                auth_users_by_version = authenticated_versions
                 settings.api_server.describe_version(Context.new(
                                                        settings.api_server,
                                                        version: settings.api_server.default_version,
-                                                       user: current_user,
+                                                       user: auth_users_by_version[settings.api_server.default_version],
                                                        doc: true,
-                                                       params:
+                                                       params:,
+                                                       auth_users_by_version:
                                                      ))
               else
+                auth_users_by_version = authenticated_versions
                 settings.api_server.describe(Context.new(
                                                settings.api_server,
-                                               user: current_user,
+                                               user: auth_users_by_version[settings.api_server.default_version],
                                                doc: true,
-                                               params:
+                                               params:,
+                                               auth_users_by_version:
                                              ))
               end
@@ -340,7 +371,7 @@ module HaveAPI
         end
       end
-      @sinatra.get %r{#{@root}doc/([^\.]+)(\.md)?} do |f, _|
+      @sinatra.get %r{#{@root}doc/([^.]+)(\.md)?} do |f, _|
         content_type 'text/html'
         erb :doc_layout, layout: :main_layout do
           begin
@@ -349,7 +380,11 @@ module HaveAPI
             halt 404
           end
-          @sidebar = erb :"doc_sidebars/#{f}"
+          begin
+            @sidebar = erb :"doc_sidebars/#{f}"
+          rescue Errno::ENOENT
+            @sidebar = ''
+          end
         end
       end
@@ -481,35 +516,45 @@ module HaveAPI
       @sinatra.method(route.http_method).call(route.sinatra_path) do
         setup_formatter
-        if route.action.auth
+        if route.action.auth || settings.api_server.action_state_auth_required?(route)
           authenticate!(v)
         else
           authenticated?(v)
         end
-        begin
-          body = request.body.read
+        raw_body = request.body.read
+        body_method = !%i[get head options].include?(route.http_method.to_sym)
-          body = if body.empty?
-                   nil
-                 else
-                   JSON.parse(body, symbolize_names: true)
-                 end
-        rescue StandardError => e
+        if body_method && !raw_body.empty? && !settings.api_server.send(:json_content_type?, request)
+          report_error(415, {}, 'Unsupported Content-Type')
+        end
+        begin
+          body = raw_body.empty? ? nil : JSON.parse(raw_body, symbolize_names: true)
+        rescue JSON::ParserError
           report_error(400, {}, 'Bad JSON syntax')
         end
-        action = route.action.new(request, v, params, body, Context.new(
-                                                              settings.api_server,
-                                                              version: v,
-                                                              request: self,
-                                                              action: route.action,
-                                                              path: route.path,
-                                                              params:,
-                                                              user: current_user,
-                                                              endpoint: true,
-                                                              resource_path: route.resource_path
-                                                            ))
+        if !raw_body.empty? && !body.is_a?(Hash)
+          report_error(400, {}, 'JSON body must be an object')
+        end
+        action_params = body_method ? settings.api_server.send(:path_params, route, params) : params
+        context_params = body ? action_params.merge(body) : action_params
+        context = Context.new(
+          settings.api_server,
+          version: v,
+          request: self,
+          action: route.action,
+          path: route.path,
+          params: context_params,
+          user: current_user,
+          endpoint: true,
+          resource_path: route.resource_path
+        )
+        action = route.action.new(request, v, action_params, body, context)
         unless action.authorized?(current_user)
           report_error(403, {}, 'Access denied. Insufficient permissions.')
@@ -537,7 +582,7 @@ module HaveAPI
         pass if params[:method] && params[:method] != route_method
-        if route.action.auth
+        if route.action.auth || settings.api_server.action_state_auth_required?(route)
           authenticate!(v)
         else
           authenticated?(v)
@@ -563,6 +608,8 @@ module HaveAPI
           unless desc
             report_error(403, {}, 'Access denied. Insufficient permissions.')
           end
+        rescue ValidationError => e
+          report_error(400, e.to_hash, e.message)
         rescue StandardError => e
           tmp = settings.api_server.call_hooks_for(:description_exception, args: [ctx, e])
           report_error(
@@ -577,19 +624,28 @@ module HaveAPI
     end
     def describe(context)
-      context.version = @default_version
+      original_user = context.current_user
+      auth_users_by_version = context.auth_users_by_version
+      authenticated_description = auth_users_by_version&.values&.any?
-      ret = {
-        default_version: @default_version,
-        versions: { default: describe_version(context) }
-      }
+      ret = { default_version: @default_version, versions: {} }
+      context.version = @default_version
+      context.current_user = auth_users_by_version ? auth_users_by_version[@default_version] : original_user
+      ret[:versions][:default] = describe_version(context) unless authenticated_description && context.current_user.nil?
       @versions.each do |v|
+        user = auth_users_by_version ? auth_users_by_version[v] : original_user
+        next if authenticated_description && user.nil?
         context.version = v
+        context.current_user = user
         ret[:versions][v] = describe_version(context)
       end
       ret
+    ensure
+      context.current_user = original_user
     end
     def describe_version(context)
@@ -618,6 +674,12 @@ module HaveAPI
       r.describe(hash, context)
     end
+    def action_state_auth_required?(route)
+      return false if @auth_chain.empty?
+      route.action.resource == HaveAPI::Resources::ActionState
+    end
     def version_prefix(v)
       "#{@root}v#{v}/"
     end
@@ -625,15 +687,45 @@ module HaveAPI
     # @param v [String] API version
     # @param provider [Authentication::Base]
     # @param prefix [String]
-    def add_auth_routes(v, provider, prefix: '')
-      provider.register_routes(@sinatra, "#{@root}_auth/#{prefix}")
+    def add_auth_routes(v, provider, prefix: '', global: false)
+      provider.register_routes(@sinatra, auth_prefix(v, prefix, global:))
     end
-    def add_auth_module(v, name, mod, prefix: '')
+    def add_auth_module(v, name, mod, prefix: '', global: false)
       @routes[v] ||= { authentication: { name => { resources: {} } } }
       HaveAPI.get_version_resources(mod, v).each do |r|
-        mount_resource("#{@root}_auth/#{prefix}/", v, r, @routes[v][:authentication][name][:resources])
+        mount_resource("#{auth_prefix(v, prefix, global:)}/", v, r, @routes[v][:authentication][name][:resources])
+      end
+    end
+    def auth_prefix(v, prefix, global:)
+      root = global ? "#{@root}_auth" : "#{version_prefix(v)}_auth"
+      "#{root}/#{prefix}"
+    end
+    def json_content_type?(request)
+      media_type = if request.respond_to?(:media_type)
+                     request.media_type
+                   else
+                     request.content_type.to_s.split(';').first
+                   end
+      media_type == 'application/json' || media_type.to_s.end_with?('+json')
+    end
+    def path_params(route, params)
+      route.action.path_param_names(route.path).each_with_object({}) do |name, ret|
+        value = if params.has_key?(name.to_sym)
+                  params[name.to_sym]
+                elsif params.has_key?(name)
+                  params[name]
+                end
+        next if value.nil?
+        ret[name] = value
+        ret[name.to_sym] = value
       end
     end

data/lib/haveapi/validator.rb CHANGED Viewed

@@ -89,9 +89,9 @@ module HaveAPI
     # may use this information as it will.
     def validate(v, params)
       @params = params
-      ret = valid?(v)
+      valid?(v)
+    ensure
       @params = nil
-      ret
     end
     protected

data/lib/haveapi/validator_chain.rb CHANGED Viewed

@@ -69,6 +69,7 @@ module HaveAPI
       ret = []
       @validators.each do |validator|
+        validator = validator.clone
         next if validator.validate(value, params)
         ret << format(validator.message, value:)

data/lib/haveapi/validators/confirmation.rb CHANGED Viewed

@@ -20,6 +20,7 @@ module HaveAPI
     def setup
       @param = simple? ? take : take(:param)
+      @param = @param.to_sym if @param.is_a?(::String)
       @equal = take(:equal, true)
       @message = take(
         :message,

data/lib/haveapi/validators/format.rb CHANGED Viewed

@@ -33,11 +33,15 @@ module HaveAPI
     end
     def valid?(v)
+      return false unless v.respond_to?(:to_str)
+      matched = @rx.match?(v.to_str)
       if @match
-        @rx.match(v) ? true : false
+        matched
       else
-        @rx.match(v) ? false : true
+        !matched
       end
     end
   end

data/lib/haveapi/validators/length.rb CHANGED Viewed

@@ -62,6 +62,8 @@ module HaveAPI
     end
     def valid?(v)
+      return false unless v.respond_to?(:length)
       len = v.length
       return len == @equals if @equals

data/lib/haveapi/validators/numericality.rb CHANGED Viewed

@@ -94,6 +94,8 @@ module HaveAPI
         v = v.to_i
       end
+      return false unless v.is_a?(::Numeric)
       ret = true
       ret = false if @min && v < @min
       ret = false if @max && v > @max

data/lib/haveapi/validators/presence.rb CHANGED Viewed

@@ -35,8 +35,8 @@ module HaveAPI
     def valid?(v)
       return false if v.nil?
       return !v.strip.empty? if !@empty && v.is_a?(::String)
+      return !v.empty? if !@empty && v.respond_to?(:empty?)
-      # FIXME: other data types?
       true
     end
   end

data/lib/haveapi/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module HaveAPI
   PROTOCOL_VERSION = '2.0'.freeze
-  VERSION = '0.27.2'.freeze
+  VERSION = '0.28.0'.freeze
 end

data/lib/haveapi/views/version_page/client_auth.erb CHANGED Viewed

@@ -1,2 +1,2 @@
 <h4><%= client.label %></h4>
-<pre><code class="<%= client.code %>"><%= client.auth(host, base_url, api_version, method, desc) %></code></pre>
+<pre><code class="<%= client.code %>"><%= escape_html(client.auth(host, base_url, api_version, method, desc)) %></code></pre>

data/lib/haveapi/views/version_page/client_example.erb CHANGED Viewed

@@ -1,11 +1,11 @@
 <h6><%= client.label %></h6>
 <% sample = client.new(host, base_url, api_version, r_name, resource, a_name, action) %>
 <% if sample.respond_to?(:example) %>
-  <pre><code class="<%= client.code %>"><%= sample.example(example) %></code></pre>
+  <pre><code class="<%= client.code %>"><%= escape_html(sample.example(example)) %></code></pre>
 <% else %>
   <h6>Request</h6>
-  <pre><code class="<%= client.code %>"><%= sample.request(example) %></code></pre>
+  <pre><code class="<%= client.code %>"><%= escape_html(sample.request(example)) %></code></pre>
   <h6>Response</h6>
-  <pre><code class="<%= client.code %>"><%= sample.response(example) %></code></pre>
+  <pre><code class="<%= client.code %>"><%= escape_html(sample.response(example)) %></code></pre>
 <% end %>

data/lib/haveapi/views/version_page/client_init.erb CHANGED Viewed

@@ -1,2 +1,2 @@
 <h4><%= client.label %></h4>
-<pre><code class="<%= client.code %>"><%= client.init(host, base_url, api_version) %></code></pre>
+<pre><code class="<%= client.code %>"><%= escape_html(client.init(host, base_url, api_version)) %></code></pre>

data/lib/haveapi/views/version_page.erb CHANGED Viewed

@@ -1,7 +1,7 @@
 <h1 id="api">API v<%= @v %></h1>
 <ol class="breadcrumb">
-  <li><a href="<%= root %>"><%= host %></a></li>
+  <li><a href="<%= escape_html(root) %>"><%= escape_html(host) %></a></li>
   <li class="active">v<%= @v %></li>
 </ol>
@@ -21,7 +21,7 @@
   <li><a href="https://github.com/vpsfreecz/haveapi-client-php" target="_blank">PHP</a></li>
   <li>
     <a href="https://github.com/vpsfreecz/haveapi-webui" target="_blank">Generic web interface</a>
-    (<a href="https://webui.haveapi.org/v<%= version %>/#<%= escape(base_url) %>" target="_blank">connect to this API</a>)
+    (<a href="https://webui.haveapi.org/v<%= version %>/#<%= urlescape(base_url) %>" target="_blank">connect to this API</a>)
   </li>
   <li><a href="https://github.com/vpsfreecz/haveapi-fs" target="_blank">FUSE-based file system</a></li>
 </ul>

data/lib/haveapi/views/version_sidebar.erb CHANGED Viewed

@@ -1,9 +1,11 @@
 <h1>Authentication</h1>
 <p class="authentication">
   <% if current_user %>
-      Logged as <%= current_user.login %> [<a class="logout" href="<%= logout_url %>">logout</a>]
+      Logged as <%= escape_html(current_user.login) %> [<a class="logout" href="<%= escape_html(logout_url) %>">logout</a>]
+  <% elsif @help[:authentication].any? %>
+      <a class="login btn btn-default" href="<%= escape_html(url("#{root}_login")) %>">Login</a>
   <% else %>
-      <a class="login btn btn-default" href="<%= url("#{root}_login") %>">Login</a>
+      Authentication disabled.
   <% end %>
 </p>
 <p>

data/spec/action/authorize_spec.rb CHANGED Viewed

@@ -9,6 +9,10 @@ module AuthorizeSpec
     end
   end
+  class << self
+    attr_accessor :shared_hash_list
+  end
   class BasicProvider < HaveAPI::Authentication::Basic::Provider
     protected
@@ -120,6 +124,46 @@ describe AuthorizeSpec do
           items.select { |item| item[:owner_id] == restrictions[:owner_id] }
         end
       end
+      define_action(:OwnerList) do
+        route 'owners/{owner_id}/list'
+        http_method :get
+        authorize do |_user, path_params|
+          restrict owner_id: path_params['owner_id'].to_i
+          allow
+        end
+        output(:object_list) do
+          integer :id
+          integer :owner_id
+          string :name
+        end
+        define_method(:exec) do
+          restrictions = with_restricted
+          items.select { |item| item[:owner_id] == restrictions[:owner_id] }
+        end
+      end
+      define_action(:HashList) do
+        route 'hash_list'
+        http_method :get
+        authorize do |user|
+          output blacklist: [:secret] unless user.admin?
+          allow
+        end
+        output(:hash_list) do
+          string :public
+          string :secret
+        end
+        def exec
+          AuthorizeSpec.shared_hash_list
+        end
+      end
     end
   end
@@ -137,11 +181,32 @@ describe AuthorizeSpec do
     }
   end
+  let(:full_hash_list) do
+    [
+      {
+        public: 'visible',
+        secret: 'admin-only'
+      }
+    ]
+  end
   def call_get_action(resource, action, params = {})
     env 'rack.input', StringIO.new('')
     call_api(resource, action, params)
   end
+  def with_pre_authorize(listener)
+    hooks = HaveAPI::Hooks.hooks
+    action_hooks = hooks[HaveAPI::Action][:pre_authorize]
+    original = action_hooks[:listeners].dup
+    HaveAPI::Action.connect_hook(:pre_authorize, &listener)
+    yield
+  ensure
+    action_hooks[:listeners] = original
+  end
   it 'denies non-admins from admin-only action' do
     login('user', 'pass')
     call_get_action([:Item], :admin_only, {})
@@ -226,6 +291,25 @@ describe AuthorizeSpec do
     expect(api_response[:item]).to have_key(:secret)
   end
+  it 'does not mutate shared hash list output while filtering fields' do
+    described_class.shared_hash_list = full_hash_list.map(&:dup)
+    login('user', 'pass')
+    call_get_action([:Item], :hash_list, {})
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(api_response[:items]).to eq([{ public: 'visible' }])
+    expect(described_class.shared_hash_list).to eq(full_hash_list)
+    login('admin', 'pass')
+    call_get_action([:Item], :hash_list, {})
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(api_response[:items]).to eq(full_hash_list)
+  end
   it 'restricts list results to the current user' do
     login('user', 'pass')
     call_get_action([:Item], :list, {})
@@ -259,6 +343,21 @@ describe AuthorizeSpec do
     expect(owners).to eq([1])
   end
+  it 'fails closed when action restrictions conflict with global restrictions' do
+    with_pre_authorize(proc do |ret, _context|
+      ret[:blocks] << proc do |user|
+        restrict owner_id: user.id
+      end
+      ret
+    end) do
+      login('user', 'pass')
+      get '/v1/items/owners/2/list', {}, input: ''
+    end
+    expect(last_response.status).to eq(403)
+    expect(api_response).not_to be_ok
+  end
   it 'hides admin-only actions from non-admin documentation' do
     login('user', 'pass')
     call_api(:options, '/v1/')