haveapi 0.27.3 → 0.28.0

data/lib/haveapi/validators/numericality.rb

@@ -94,6 +94,8 @@ module HaveAPI
         v = v.to_i
       end
 
+      return false unless v.is_a?(::Numeric)
+
       ret = true
       ret = false if @min && v < @min
       ret = false if @max && v > @max

data/lib/haveapi/validators/presence.rb

@@ -35,8 +35,8 @@ module HaveAPI
     def valid?(v)
       return false if v.nil?
       return !v.strip.empty? if !@empty && v.is_a?(::String)
+      return !v.empty? if !@empty && v.respond_to?(:empty?)
 
-      # FIXME: other data types?
       true
     end
   end

data/lib/haveapi/version.rb

@@ -1,4 +1,4 @@
 module HaveAPI
   PROTOCOL_VERSION = '2.0'.freeze
-  VERSION = '0.27.3'.freeze
+  VERSION = '0.28.0'.freeze
 end

data/lib/haveapi/views/version_page/client_auth.erb

@@ -1,2 +1,2 @@
 <h4><%= client.label %></h4>
-<pre><code class="<%= client.code %>"><%= client.auth(host, base_url, api_version, method, desc) %></code></pre>
+<pre><code class="<%= client.code %>"><%= escape_html(client.auth(host, base_url, api_version, method, desc)) %></code></pre>

data/lib/haveapi/views/version_page/client_example.erb

@@ -1,11 +1,11 @@
 <h6><%= client.label %></h6>
 <% sample = client.new(host, base_url, api_version, r_name, resource, a_name, action) %>
 <% if sample.respond_to?(:example) %>
-  <pre><code class="<%= client.code %>"><%= sample.example(example) %></code></pre>
+  <pre><code class="<%= client.code %>"><%= escape_html(sample.example(example)) %></code></pre>
 
 <% else %>
   <h6>Request</h6>
-  <pre><code class="<%= client.code %>"><%= sample.request(example) %></code></pre>
+  <pre><code class="<%= client.code %>"><%= escape_html(sample.request(example)) %></code></pre>
   <h6>Response</h6>
-  <pre><code class="<%= client.code %>"><%= sample.response(example) %></code></pre>
+  <pre><code class="<%= client.code %>"><%= escape_html(sample.response(example)) %></code></pre>
 <% end %>

data/lib/haveapi/views/version_page/client_init.erb

@@ -1,2 +1,2 @@
 <h4><%= client.label %></h4>
-<pre><code class="<%= client.code %>"><%= client.init(host, base_url, api_version) %></code></pre>
+<pre><code class="<%= client.code %>"><%= escape_html(client.init(host, base_url, api_version)) %></code></pre>

data/lib/haveapi/views/version_page.erb

@@ -1,7 +1,7 @@
 <h1 id="api">API v<%= @v %></h1>
 
 <ol class="breadcrumb">
-  <li><a href="<%= root %>"><%= host %></a></li>
+  <li><a href="<%= escape_html(root) %>"><%= escape_html(host) %></a></li>
   <li class="active">v<%= @v %></li>
 </ol>
 
@@ -21,7 +21,7 @@
   <li><a href="https://github.com/vpsfreecz/haveapi-client-php" target="_blank">PHP</a></li>
   <li>
     <a href="https://github.com/vpsfreecz/haveapi-webui" target="_blank">Generic web interface</a>
-    (<a href="https://webui.haveapi.org/v<%= version %>/#<%= escape(base_url) %>" target="_blank">connect to this API</a>)
+    (<a href="https://webui.haveapi.org/v<%= version %>/#<%= urlescape(base_url) %>" target="_blank">connect to this API</a>)
   </li>
   <li><a href="https://github.com/vpsfreecz/haveapi-fs" target="_blank">FUSE-based file system</a></li>
 </ul>

data/lib/haveapi/views/version_sidebar.erb

@@ -1,9 +1,11 @@
 <h1>Authentication</h1>
 <p class="authentication">
   <% if current_user %>
-      Logged as <%= current_user.login %> [<a class="logout" href="<%= logout_url %>">logout</a>]
+      Logged as <%= escape_html(current_user.login) %> [<a class="logout" href="<%= escape_html(logout_url) %>">logout</a>]
+  <% elsif @help[:authentication].any? %>
+      <a class="login btn btn-default" href="<%= escape_html(url("#{root}_login")) %>">Login</a>
   <% else %>
-      <a class="login btn btn-default" href="<%= url("#{root}_login") %>">Login</a>
+      Authentication disabled.
   <% end %>
 </p>
 <p>

data/spec/action/authorize_spec.rb

@@ -9,6 +9,10 @@ module AuthorizeSpec
     end
   end
 
+  class << self
+    attr_accessor :shared_hash_list
+  end
+
   class BasicProvider < HaveAPI::Authentication::Basic::Provider
     protected
 
@@ -120,6 +124,46 @@ describe AuthorizeSpec do
           items.select { |item| item[:owner_id] == restrictions[:owner_id] }
         end
       end
+
+      define_action(:OwnerList) do
+        route 'owners/{owner_id}/list'
+        http_method :get
+
+        authorize do |_user, path_params|
+          restrict owner_id: path_params['owner_id'].to_i
+          allow
+        end
+
+        output(:object_list) do
+          integer :id
+          integer :owner_id
+          string :name
+        end
+
+        define_method(:exec) do
+          restrictions = with_restricted
+          items.select { |item| item[:owner_id] == restrictions[:owner_id] }
+        end
+      end
+
+      define_action(:HashList) do
+        route 'hash_list'
+        http_method :get
+
+        authorize do |user|
+          output blacklist: [:secret] unless user.admin?
+          allow
+        end
+
+        output(:hash_list) do
+          string :public
+          string :secret
+        end
+
+        def exec
+          AuthorizeSpec.shared_hash_list
+        end
+      end
     end
   end
 
@@ -137,11 +181,32 @@ describe AuthorizeSpec do
     }
   end
 
+  let(:full_hash_list) do
+    [
+      {
+        public: 'visible',
+        secret: 'admin-only'
+      }
+    ]
+  end
+
   def call_get_action(resource, action, params = {})
     env 'rack.input', StringIO.new('')
     call_api(resource, action, params)
   end
 
+  def with_pre_authorize(listener)
+    hooks = HaveAPI::Hooks.hooks
+    action_hooks = hooks[HaveAPI::Action][:pre_authorize]
+    original = action_hooks[:listeners].dup
+
+    HaveAPI::Action.connect_hook(:pre_authorize, &listener)
+
+    yield
+  ensure
+    action_hooks[:listeners] = original
+  end
+
   it 'denies non-admins from admin-only action' do
     login('user', 'pass')
     call_get_action([:Item], :admin_only, {})
@@ -226,6 +291,25 @@ describe AuthorizeSpec do
     expect(api_response[:item]).to have_key(:secret)
   end
 
+  it 'does not mutate shared hash list output while filtering fields' do
+    described_class.shared_hash_list = full_hash_list.map(&:dup)
+
+    login('user', 'pass')
+    call_get_action([:Item], :hash_list, {})
+
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(api_response[:items]).to eq([{ public: 'visible' }])
+    expect(described_class.shared_hash_list).to eq(full_hash_list)
+
+    login('admin', 'pass')
+    call_get_action([:Item], :hash_list, {})
+
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(api_response[:items]).to eq(full_hash_list)
+  end
+
   it 'restricts list results to the current user' do
     login('user', 'pass')
     call_get_action([:Item], :list, {})
@@ -259,6 +343,21 @@ describe AuthorizeSpec do
     expect(owners).to eq([1])
   end
 
+  it 'fails closed when action restrictions conflict with global restrictions' do
+    with_pre_authorize(proc do |ret, _context|
+      ret[:blocks] << proc do |user|
+        restrict owner_id: user.id
+      end
+      ret
+    end) do
+      login('user', 'pass')
+      get '/v1/items/owners/2/list', {}, input: ''
+    end
+
+    expect(last_response.status).to eq(403)
+    expect(api_response).not_to be_ok
+  end
+
   it 'hides admin-only actions from non-admin documentation' do
     login('user', 'pass')
     call_api(:options, '/v1/')

data/spec/action/runtime_spec.rb

@@ -30,6 +30,289 @@ describe HaveAPI::Action do
           end
         end
 
+        define_action(:OptionalShape) do
+          route 'optional_shape'
+          http_method :post
+          authorize { allow }
+
+          input do
+            string :label
+          end
+
+          output do
+            bool :ok
+          end
+
+          def exec
+            { ok: true }
+          end
+        end
+
+        define_action(:Batch) do
+          route 'batch'
+          http_method :post
+          authorize { allow }
+
+          input(:hash_list) do
+            string :label, required: true
+          end
+
+          meta(:global) do
+            input do
+              bool :confirmed, required: true
+            end
+          end
+
+          output(:hash) do
+            integer :count
+          end
+
+          def exec
+            { count: input.size }
+          end
+        end
+
+        define_action(:OutputOnlyObjectMeta) do
+          route 'output_only_object_meta'
+          http_method :post
+          authorize { allow }
+
+          input do
+            string :msg
+          end
+
+          meta(:object) do
+            output do
+              string :etag
+            end
+          end
+
+          output do
+            string :msg
+          end
+
+          def exec
+            { msg: input[:msg] }
+          end
+        end
+
+        define_action(:DigitPath) do
+          route 'ipv4/{ip4_id}'
+          http_method :get
+
+          authorize do |_user, path_params|
+            deny if path_params['ip4_id'] == '1'
+
+            allow
+          end
+
+          output do
+            string :value
+          end
+
+          def exec
+            { value: 'ok' }
+          end
+        end
+
+        define_action(:ColonPath) do
+          route 'accounts/:account_id/secret'
+          http_method :get
+
+          authorize do |_user, path_params|
+            deny unless path_params['account_id'] == '1'
+
+            allow
+          end
+
+          output do
+            string :value
+          end
+
+          def exec
+            { value: params['account_id'] }
+          end
+        end
+
+        define_action(:BodyShadow) do
+          route 'profiles/{profile_id}'
+          http_method :put
+
+          authorize do |_user, path_params|
+            deny unless path_params['profile_id'] == '2'
+
+            allow
+          end
+
+          input do
+            string :name
+          end
+
+          output do
+            string :route_profile_id
+          end
+
+          def exec
+            { route_profile_id: params['profile_id'] }
+          end
+        end
+
+        define_action(:FilteredDefault) do
+          route 'filtered_default'
+          http_method :post
+
+          authorize do
+            input blacklist: [:admin]
+            allow
+          end
+
+          input do
+            string :name
+            bool :admin, default: true, fill: true
+          end
+
+          output do
+            bool :saw_admin
+            bool :admin
+          end
+
+          def exec
+            { saw_admin: input.has_key?(:admin), admin: input[:admin] }
+          end
+        end
+
+        define_action(:MetadataInput) do
+          route 'metadata_input'
+          http_method :post
+
+          authorize do
+            input blacklist: [:confirmed]
+            allow
+          end
+
+          meta(:global) do
+            input do
+              bool :confirmed
+            end
+          end
+
+          output do
+            bool :saw_confirmed
+          end
+
+          def exec
+            { saw_confirmed: meta.has_key?(:confirmed) }
+          end
+        end
+
+        define_action(:MetadataOutput) do
+          route 'metadata_output'
+          http_method :post
+
+          authorize do
+            output blacklist: [:secret_status]
+            allow
+          end
+
+          meta(:global) do
+            output do
+              string :public_status
+              string :secret_status
+            end
+          end
+
+          output do
+            bool :ok
+          end
+
+          def exec
+            set_meta(public_status: 'queued', secret_status: 'internal-token')
+            { ok: true }
+          end
+        end
+
+        define_action(:UnnamespacedInput) do
+          route 'unnamespaced_input'
+          http_method :post
+
+          authorize do
+            input blacklist: [:secret]
+            allow
+          end
+
+          input(:hash, namespace: false) do
+            string :public
+            string :secret
+          end
+
+          output do
+            bool :params_saw_secret
+            bool :input_saw_secret
+          end
+
+          def exec
+            {
+              params_saw_secret: params.has_key?(:secret),
+              input_saw_secret: input.has_key?(:secret)
+            }
+          end
+        end
+
+        define_action(:TopLevelBody) do
+          route 'top_level_body'
+          http_method :post
+
+          authorize do
+            input blacklist: [:secret]
+            allow
+          end
+
+          input do
+            string :public
+            string :secret
+          end
+
+          output do
+            bool :params_saw_secret
+            bool :input_saw_secret
+          end
+
+          def exec
+            {
+              params_saw_secret: params.has_key?(:secret),
+              input_saw_secret: input.has_key?(:secret)
+            }
+          end
+        end
+
+        define_action(:Closed) do
+          route 'closed'
+          http_method :post
+          auth false
+
+          output do
+            bool :ok
+          end
+
+          def exec
+            { ok: true }
+          end
+        end
+
+        define_action(:Show) do
+          route '{test_id}'
+          http_method :get
+          authorize { allow }
+
+          output do
+            string :id
+          end
+
+          def exec
+            { id: params['test_id'] }
+          end
+        end
+
         define_action(:Order) do
           http_method :post
           authorize { allow }
@@ -164,6 +447,149 @@ describe HaveAPI::Action do
       expect(api_response.response).to have_key(:_meta)
     end
 
+    it 'rejects optional-only input namespaces with invalid shapes' do
+      call_api([:Test], :optional_shape, { test: 'not-a-hash' })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid input layout')
+    end
+
+    it 'rejects list inputs with invalid element shapes' do
+      call_api([:Test], :batch, { tests: ['not-a-hash'], _meta: { confirmed: true } })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid input layout')
+    end
+
+    it 'validates global metadata on list input actions' do
+      call_api([:Test], :batch, { tests: [{ label: 'one' }] })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.errors[:confirmed]).to include('required parameter missing')
+
+      call_api([:Test], :batch, { tests: [{ label: 'one' }], _meta: { confirmed: 'maybe' } })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.errors[:confirmed].first).to include('not a valid boolean')
+    end
+
+    it 'rejects malformed metadata namespaces' do
+      call_api([:Test], :echo, { test: { msg: 'hi' }, _meta: 'not-a-hash' })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid input layout')
+    end
+
+    it 'ignores object metadata definitions without input' do
+      call_api([:Test], :output_only_object_meta, {
+        test: {
+          msg: 'hi',
+          _meta: {
+            etag: 'client-value'
+          }
+        }
+      })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:msg]).to eq('hi')
+    end
+
+    it 'uses path parameters containing digits for authorization' do
+      get '/v1/tests/ipv4/1', {}, input: ''
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'uses colon-style route parameters for authorization' do
+      get '/v1/tests/accounts/2/secret', {}, input: ''
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'does not let JSON body keys shadow route parameters for authorization' do
+      call_api(:put, '/v1/tests/profiles/1', {
+        profile_id: '2',
+        test: {
+          name: 'attacker'
+        }
+      })
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'does not reintroduce filtered input defaults' do
+      call_api([:Test], :filtered_default, { test: { name: 'acct' } })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:saw_admin]).to be(false)
+    end
+
+    it 'applies input authorization filters to metadata input' do
+      call_api([:Test], :metadata_input, { _meta: { confirmed: true } })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:saw_confirmed]).to be(false)
+    end
+
+    it 'applies output authorization filters to global metadata' do
+      call_api([:Test], :metadata_output, {})
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response.response[:_meta]).to include(public_status: 'queued')
+      expect(api_response.response[:_meta]).not_to have_key(:secret_status)
+    end
+
+    it 'filters unnamespaced input in the safe params view' do
+      call_api([:Test], :unnamespaced_input, { public: 'ok', secret: 'hidden' })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:params_saw_secret]).to be(false)
+      expect(api_response[:test][:input_saw_secret]).to be(false)
+    end
+
+    it 'does not expose top-level JSON keys outside the input namespace as safe params' do
+      call_api([:Test], :top_level_body, {
+        secret: 'top-level hidden',
+        test: {
+          public: 'ok',
+          secret: 'nested hidden'
+        }
+      })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:params_saw_secret]).to be(false)
+      expect(api_response[:test][:input_saw_secret]).to be(false)
+    end
+
+    it 'denies OPTIONS for actions without an authorization block without raising' do
+      call_api(:options, '/v1/tests/closed?method=POST')
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'rejects invalid route argument encoding in action descriptions' do
+      call_api(:options, '/v1/tests/%FF?method=GET')
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid path parameter encoding')
+    end
+
     it 'runs prepare, pre_exec, exec in order' do
       action_class(:order).calls.clear