haveapi 0.27.3 → 0.28.0

data/lib/haveapi/parameters/resource.rb

@@ -97,7 +97,7 @@ module HaveAPI::Parameters
       attrs.each { |k, v| instance_variable_set("@#{k}", v) }
     end
 
-    def clean(raw)
+    def clean(raw, context = nil)
       if raw.nil?
         return nil if nullable?
 
@@ -105,15 +105,19 @@ module HaveAPI::Parameters
       end
 
       if raw.is_a?(String)
-        stripped = raw.strip
+        stripped = strip_string(raw)
         return nil if stripped.empty? && nullable?
       end
 
       extra = @extra.merge(optional: optional?, nullable: nullable?)
 
-      ::HaveAPI::ModelAdapter.for(
+      ret = ::HaveAPI::ModelAdapter.for(
         show_action.input.layout, @resource.model
       ).input_clean(@resource.model, raw, extra)
+
+      authorize_record!(ret, context)
+
+      ret
     end
 
     def validate(v, params)
@@ -126,6 +130,12 @@ module HaveAPI::Parameters
 
     private
 
+    def strip_string(value)
+      value.strip
+    rescue ArgumentError, Encoding::CompatibilityError
+      raise HaveAPI::ValidationError, 'invalid string encoding'
+    end
+
     def build_resource_path(r)
       path = []
       top_module = Kernel
@@ -144,5 +154,27 @@ module HaveAPI::Parameters
 
       path
     end
+
+    def authorize_record!(record, context)
+      return if record.nil? || context.nil?
+      return unless show_action.authorization
+
+      path = show_action.build_route('')
+      path_params = show_action.path_params(path, show_action.resolve_path_params(record))
+      child_context = HaveAPI::Context.new(
+        context.server,
+        version: context.version,
+        request: context.request,
+        action: show_action,
+        path:,
+        params: path_params,
+        user: context.current_user,
+        endpoint: context.endpoint
+      )
+      action = show_action.new(context.request, context.version, path_params, nil, child_context)
+      return if action.authorized?(context.current_user)
+
+      raise HaveAPI::ValidationError, 'resource not found'
+    end
   end
 end

data/lib/haveapi/parameters/typed.rb

@@ -1,4 +1,5 @@
 require 'date'
+require 'time'
 
 module HaveAPI::Parameters
   class Typed
@@ -78,7 +79,7 @@ module HaveAPI::Parameters
     end
 
     def clean(raw)
-      return instance_exec(raw, &@clean) if @clean
+      return validate_cleaned_value(instance_exec(raw, &@clean)) if @clean
 
       if raw.nil?
         return nil if nullable?
@@ -87,7 +88,7 @@ module HaveAPI::Parameters
       end
 
       if raw.is_a?(String)
-        stripped = raw.strip
+        stripped = strip_string(raw)
         return nil if stripped.empty? && nullable?
       end
 
@@ -144,6 +145,20 @@ module HaveAPI::Parameters
 
     private
 
+    def validate_cleaned_value(value)
+      if value.nil? && !nullable?
+        raise HaveAPI::ValidationError, 'cannot be null'
+      end
+
+      value
+    end
+
+    def strip_string(value)
+      value.strip
+    rescue ArgumentError, Encoding::CompatibilityError
+      raise HaveAPI::ValidationError, 'invalid string encoding'
+    end
+
     def coerce_integer(raw)
       case raw
       when Integer
@@ -155,7 +170,7 @@ module HaveAPI::Parameters
 
         raw.to_i
       when String
-        s = raw.strip
+        s = strip_string(raw)
 
         if s.empty? || !s.match?(/\A[+-]?\d+\z/)
           raise HaveAPI::ValidationError, "not a valid integer #{raw.inspect}"
@@ -172,7 +187,7 @@ module HaveAPI::Parameters
         f = raw.to_f
 
       elsif raw.is_a?(String)
-        s = raw.strip
+        s = strip_string(raw)
         raise HaveAPI::ValidationError, "not a valid float #{raw.inspect}" if s.empty?
 
         begin
@@ -199,7 +214,7 @@ module HaveAPI::Parameters
         return true if raw == 1
 
       elsif raw.is_a?(String)
-        s = raw.strip
+        s = strip_string(raw)
         raise HaveAPI::ValidationError, "not a valid boolean #{raw.inspect}" if s.empty?
 
         return true if %w[true t yes y 1].include?(s.downcase)
@@ -210,12 +225,16 @@ module HaveAPI::Parameters
     end
 
     def coerce_datetime(raw)
-      if raw.is_a?(String) && raw.strip.empty?
+      unless raw.is_a?(String)
+        raise HaveAPI::ValidationError, "not in ISO 8601 format '#{raw}'"
+      end
+
+      if strip_string(raw).empty?
         raise HaveAPI::ValidationError, "not in ISO 8601 format '#{raw}'"
       end
 
       DateTime.iso8601(raw).to_time
-    rescue ArgumentError
+    rescue ArgumentError, TypeError
       raise HaveAPI::ValidationError, "not in ISO 8601 format '#{raw}'"
     end
 

data/lib/haveapi/params.rb

@@ -134,12 +134,12 @@ module HaveAPI
 
       if include
         @include ||= []
-        @include.concat(include)
+        @include.concat(normalize_names(include))
       end
 
       if exclude
         @exclude ||= []
-        @exclude.concat(exclude)
+        @exclude.concat(normalize_names(exclude))
       end
 
       instance_eval(&block)
@@ -209,10 +209,17 @@ module HaveAPI
     # First step of validation. Check if input is in correct namespace
     # and has a correct layout.
     def check_layout(params)
-      if (params[namespace].nil? || !valid_layout?(params)) && any_required_params?
+      value = namespace ? params[namespace] : params
+
+      if value.nil?
+        raise ValidationError.new('invalid input layout', {}) if any_required_params?
+
+      elsif !valid_layout?(value)
         raise ValidationError.new('invalid input layout', {})
       end
 
+      return unless namespace
+
       case layout
       when :object, :hash
         params[namespace] ||= {}
@@ -224,12 +231,15 @@ module HaveAPI
 
     # Third step of validation. Check if all required params are present,
     # convert params to correct data types, set default values if necessary.
-    def validate(params)
+    def validate(params, context: nil, only: nil)
       errors = {}
+      permitted = only && only.map(&:to_sym)
 
       layout_aware(params) do |input|
         # First run - coerce values to correct types
         @params.each do |p|
+          next if permitted && !permitted.include?(p.name)
+
           if p.required? && input[p.name].nil?
             errors[p.name] = ['required parameter missing']
             next
@@ -241,7 +251,11 @@ module HaveAPI
           end
 
           begin
-            cleaned = p.clean(input[p.name])
+            cleaned = if p.method(:clean).arity.abs > 1
+                        p.clean(input[p.name], context)
+                      else
+                        p.clean(input[p.name])
+                      end
           rescue ValidationError => e
             errors[p.name] ||= []
             errors[p.name] << e.message
@@ -253,6 +267,7 @@ module HaveAPI
 
         # Second run - validate parameters
         @params.each do |p|
+          next if permitted && !permitted.include?(p.name)
           next if errors.has_key?(p.name)
           next if input[p.name].nil?
 
@@ -305,13 +320,17 @@ module HaveAPI
       kwargs
     end
 
-    def valid_layout?(params)
+    def normalize_names(names)
+      names.map { |v| v.is_a?(String) ? v.to_sym : v }
+    end
+
+    def valid_layout?(value)
       case layout
       when :object, :hash
-        params[namespace].is_a?(Hash)
+        value.is_a?(Hash)
 
       when :object_list, :hash_list
-        params[namespace].is_a?(Array)
+        value.is_a?(Array) && value.all?(Hash)
 
       else
         false

data/lib/haveapi/resource.rb

@@ -98,7 +98,10 @@ module HaveAPI
       end
 
       hash[:resources].each do |resource, children|
-        ret[:resources][resource.resource_name.underscore] = resource.describe(children, context)
+        child = resource.describe(children, context)
+        next if child[:actions].empty? && child[:resources].empty?
+
+        ret[:resources][resource.resource_name.underscore] = child
       end
 
       context.resource_path = orig_resource_path

data/lib/haveapi/resources/action_state.rb

@@ -77,12 +77,15 @@ module HaveAPI::Resources
     class Poll < HaveAPI::Action
       include Mixin
 
+      MAX_TIMEOUT = 30
+
       desc 'Returns when the action is completed or timeout occurs'
       http_method :get
       route '{%{resource}_id}/poll'
 
       input(:hash) do
-        float :timeout, label: 'Timeout', desc: 'in seconds', default: 15, fill: true
+        float :timeout, label: 'Timeout', desc: 'in seconds', default: 15, fill: true,
+                        number: { min: 0, max: MAX_TIMEOUT }
         float :update_in, label: 'Progress',
                           desc: 'number of seconds after which the state is returned if the progress ' \
                                 'has changed',
@@ -99,6 +102,10 @@ module HaveAPI::Resources
       authorize { allow }
 
       def exec
+        if input[:timeout] > MAX_TIMEOUT
+          error!("timeout has to be maximally #{MAX_TIMEOUT}", {}, http_status: 400)
+        end
+
         t = Time.now
 
         loop do

data/lib/haveapi/route.rb

@@ -3,8 +3,8 @@ module HaveAPI
     attr_reader :path, :sinatra_path, :action, :resource_path
 
     def initialize(path, action, resource_path)
-      @path = path
-      @sinatra_path = path.gsub(/:([a-zA-Z\-_]+)/, '{\1}')
+      @sinatra_path = path.gsub(/:([a-zA-Z0-9\-_]+)/, '{\1}')
+      @path = @sinatra_path
       @action = action
       @resource_path = resource_path
     end

data/lib/haveapi/server.rb

@@ -49,8 +49,12 @@ module HaveAPI
         return if @formatter
 
         @formatter = OutputFormatter.new
-
-        unless @formatter.supports?(request.accept)
+        accept = request.accept
+      rescue ArgumentError, EncodingError
+        @formatter.supports?([])
+        report_error(400, {}, 'Bad Accept header')
+      else
+        unless @formatter.supports?(accept)
           @halted = true
           halt 406, "Not Acceptable\n"
         end
@@ -79,6 +83,19 @@ module HaveAPI
         @current_user
       end
 
+      def authenticated_versions
+        settings.api_server.versions.each_with_object({}) do |v, ret|
+          ret[v] = settings.api_server.send(:do_authenticate, v, request)
+        rescue HaveAPI::Authentication::TokenConflict => e
+          unless @formatter
+            @formatter = OutputFormatter.new
+            @formatter.supports?([])
+          end
+
+          report_error(400, {}, e.message)
+        end
+      end
+
       def access_control
         return unless request.env['HTTP_ORIGIN'] && request.env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
 
@@ -110,6 +127,10 @@ module HaveAPI
 
       def report_error(code, headers, msg)
         @halted = true
+        unless @formatter
+          @formatter = OutputFormatter.new
+          @formatter.supports?([])
+        end
 
         content_type @formatter.content_type, charset: 'utf-8'
         halt code, headers, @formatter.format(false, nil, msg, version: false)
@@ -172,10 +193,14 @@ module HaveAPI
         return ret if validators.nil?
 
         validators.each do |name, opts|
-          ret += "<h5>#{name.to_s.capitalize}</h5>"
+          ret += "<h5>#{escape_html(name.to_s.capitalize)}</h5>"
           ret += '<dl>'
-          opts.each do |k, v|
-            ret += "<dt>#{k}</dt><dd>#{escape_html(v.to_s)}</dd>"
+          if opts.respond_to?(:each_pair)
+            opts.each_pair do |k, v|
+              ret += "<dt>#{escape_html(k)}</dt><dd>#{escape_html(v.to_s)}</dd>"
+            end
+          else
+            ret += "<dt>description</dt><dd>#{escape_html(opts.to_s)}</dd>"
           end
           ret += '</dl>'
         end
@@ -270,12 +295,13 @@ module HaveAPI
 
       # Mount root
       @sinatra.get @root do
-        authenticated?(settings.api_server.default_version)
+        auth_users_by_version = authenticated_versions
 
         @api = settings.api_server.describe(Context.new(
                                               settings.api_server,
-                                              user: current_user,
-                                              params:
+                                              user: auth_users_by_version[settings.api_server.default_version],
+                                              params:,
+                                              auth_users_by_version:
                                             ))
 
         content_type 'text/html'
@@ -285,7 +311,6 @@ module HaveAPI
       @sinatra.options @root do
         setup_formatter
         access_control
-        authenticated?(settings.api_server.default_version)
         ret = nil
 
         ret = case params[:describe]
@@ -296,20 +321,26 @@ module HaveAPI
                 }
 
               when 'default'
+                auth_users_by_version = authenticated_versions
+
                 settings.api_server.describe_version(Context.new(
                                                        settings.api_server,
                                                        version: settings.api_server.default_version,
-                                                       user: current_user,
+                                                       user: auth_users_by_version[settings.api_server.default_version],
                                                        doc: true,
-                                                       params:
+                                                       params:,
+                                                       auth_users_by_version:
                                                      ))
 
               else
+                auth_users_by_version = authenticated_versions
+
                 settings.api_server.describe(Context.new(
                                                settings.api_server,
-                                               user: current_user,
+                                               user: auth_users_by_version[settings.api_server.default_version],
                                                doc: true,
-                                               params:
+                                               params:,
+                                               auth_users_by_version:
                                              ))
               end
 
@@ -340,7 +371,7 @@ module HaveAPI
         end
       end
 
-      @sinatra.get %r{#{@root}doc/([^\.]+)(\.md)?} do |f, _|
+      @sinatra.get %r{#{@root}doc/([^.]+)(\.md)?} do |f, _|
         content_type 'text/html'
         erb :doc_layout, layout: :main_layout do
           begin
@@ -349,7 +380,11 @@ module HaveAPI
             halt 404
           end
 
-          @sidebar = erb :"doc_sidebars/#{f}"
+          begin
+            @sidebar = erb :"doc_sidebars/#{f}"
+          rescue Errno::ENOENT
+            @sidebar = ''
+          end
         end
       end
 
@@ -481,35 +516,45 @@ module HaveAPI
       @sinatra.method(route.http_method).call(route.sinatra_path) do
         setup_formatter
 
-        if route.action.auth
+        if route.action.auth || settings.api_server.action_state_auth_required?(route)
           authenticate!(v)
         else
           authenticated?(v)
         end
 
-        begin
-          body = request.body.read
+        raw_body = request.body.read
+        body_method = !%i[get head options].include?(route.http_method.to_sym)
 
-          body = if body.empty?
-                   nil
-                 else
-                   JSON.parse(body, symbolize_names: true)
-                 end
-        rescue StandardError => e
+        if body_method && !raw_body.empty? && !settings.api_server.send(:json_content_type?, request)
+          report_error(415, {}, 'Unsupported Content-Type')
+        end
+
+        begin
+          body = raw_body.empty? ? nil : JSON.parse(raw_body, symbolize_names: true)
+        rescue JSON::ParserError
           report_error(400, {}, 'Bad JSON syntax')
         end
 
-        action = route.action.new(request, v, params, body, Context.new(
-                                                              settings.api_server,
-                                                              version: v,
-                                                              request: self,
-                                                              action: route.action,
-                                                              path: route.path,
-                                                              params:,
-                                                              user: current_user,
-                                                              endpoint: true,
-                                                              resource_path: route.resource_path
-                                                            ))
+        if !raw_body.empty? && !body.is_a?(Hash)
+          report_error(400, {}, 'JSON body must be an object')
+        end
+
+        action_params = body_method ? settings.api_server.send(:path_params, route, params) : params
+        context_params = body ? action_params.merge(body) : action_params
+
+        context = Context.new(
+          settings.api_server,
+          version: v,
+          request: self,
+          action: route.action,
+          path: route.path,
+          params: context_params,
+          user: current_user,
+          endpoint: true,
+          resource_path: route.resource_path
+        )
+
+        action = route.action.new(request, v, action_params, body, context)
 
         unless action.authorized?(current_user)
           report_error(403, {}, 'Access denied. Insufficient permissions.')
@@ -537,7 +582,7 @@ module HaveAPI
 
         pass if params[:method] && params[:method] != route_method
 
-        if route.action.auth
+        if route.action.auth || settings.api_server.action_state_auth_required?(route)
           authenticate!(v)
         else
           authenticated?(v)
@@ -563,6 +608,8 @@ module HaveAPI
           unless desc
             report_error(403, {}, 'Access denied. Insufficient permissions.')
           end
+        rescue ValidationError => e
+          report_error(400, e.to_hash, e.message)
         rescue StandardError => e
           tmp = settings.api_server.call_hooks_for(:description_exception, args: [ctx, e])
           report_error(
@@ -577,19 +624,28 @@ module HaveAPI
     end
 
     def describe(context)
-      context.version = @default_version
+      original_user = context.current_user
+      auth_users_by_version = context.auth_users_by_version
+      authenticated_description = auth_users_by_version&.values&.any?
 
-      ret = {
-        default_version: @default_version,
-        versions: { default: describe_version(context) }
-      }
+      ret = { default_version: @default_version, versions: {} }
+
+      context.version = @default_version
+      context.current_user = auth_users_by_version ? auth_users_by_version[@default_version] : original_user
+      ret[:versions][:default] = describe_version(context) unless authenticated_description && context.current_user.nil?
 
       @versions.each do |v|
+        user = auth_users_by_version ? auth_users_by_version[v] : original_user
+        next if authenticated_description && user.nil?
+
         context.version = v
+        context.current_user = user
         ret[:versions][v] = describe_version(context)
       end
 
       ret
+    ensure
+      context.current_user = original_user
     end
 
     def describe_version(context)
@@ -618,6 +674,12 @@ module HaveAPI
       r.describe(hash, context)
     end
 
+    def action_state_auth_required?(route)
+      return false if @auth_chain.empty?
+
+      route.action.resource == HaveAPI::Resources::ActionState
+    end
+
     def version_prefix(v)
       "#{@root}v#{v}/"
     end
@@ -625,15 +687,45 @@ module HaveAPI
     # @param v [String] API version
     # @param provider [Authentication::Base]
     # @param prefix [String]
-    def add_auth_routes(v, provider, prefix: '')
-      provider.register_routes(@sinatra, "#{@root}_auth/#{prefix}")
+    def add_auth_routes(v, provider, prefix: '', global: false)
+      provider.register_routes(@sinatra, auth_prefix(v, prefix, global:))
     end
 
-    def add_auth_module(v, name, mod, prefix: '')
+    def add_auth_module(v, name, mod, prefix: '', global: false)
       @routes[v] ||= { authentication: { name => { resources: {} } } }
 
       HaveAPI.get_version_resources(mod, v).each do |r|
-        mount_resource("#{@root}_auth/#{prefix}/", v, r, @routes[v][:authentication][name][:resources])
+        mount_resource("#{auth_prefix(v, prefix, global:)}/", v, r, @routes[v][:authentication][name][:resources])
+      end
+    end
+
+    def auth_prefix(v, prefix, global:)
+      root = global ? "#{@root}_auth" : "#{version_prefix(v)}_auth"
+      "#{root}/#{prefix}"
+    end
+
+    def json_content_type?(request)
+      media_type = if request.respond_to?(:media_type)
+                     request.media_type
+                   else
+                     request.content_type.to_s.split(';').first
+                   end
+
+      media_type == 'application/json' || media_type.to_s.end_with?('+json')
+    end
+
+    def path_params(route, params)
+      route.action.path_param_names(route.path).each_with_object({}) do |name, ret|
+        value = if params.has_key?(name.to_sym)
+                  params[name.to_sym]
+                elsif params.has_key?(name)
+                  params[name]
+                end
+
+        next if value.nil?
+
+        ret[name] = value
+        ret[name.to_sym] = value
       end
     end
 

data/lib/haveapi/validator.rb

@@ -89,9 +89,9 @@ module HaveAPI
     # may use this information as it will.
     def validate(v, params)
       @params = params
-      ret = valid?(v)
+      valid?(v)
+    ensure
       @params = nil
-      ret
     end
 
     protected

data/lib/haveapi/validator_chain.rb

@@ -69,6 +69,7 @@ module HaveAPI
       ret = []
 
       @validators.each do |validator|
+        validator = validator.clone
         next if validator.validate(value, params)
 
         ret << format(validator.message, value:)

data/lib/haveapi/validators/confirmation.rb

@@ -20,6 +20,7 @@ module HaveAPI
 
     def setup
       @param = simple? ? take : take(:param)
+      @param = @param.to_sym if @param.is_a?(::String)
       @equal = take(:equal, true)
       @message = take(
         :message,

data/lib/haveapi/validators/format.rb

@@ -33,11 +33,15 @@ module HaveAPI
     end
 
     def valid?(v)
+      return false unless v.respond_to?(:to_str)
+
+      matched = @rx.match?(v.to_str)
+
       if @match
-        @rx.match(v) ? true : false
+        matched
 
       else
-        @rx.match(v) ? false : true
+        !matched
       end
     end
   end

data/lib/haveapi/validators/length.rb

@@ -62,6 +62,8 @@ module HaveAPI
     end
 
     def valid?(v)
+      return false unless v.respond_to?(:length)
+
       len = v.length
 
       return len == @equals if @equals