hephaestus 0.7.1 → 0.7.2.1

data/config/environments/production.rb

@@ -0,0 +1,96 @@
+# typed: false
+# frozen_string_literal: true
+
+require "active_support/core_ext/integer/time"
+
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.enable_reloading = false
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local = false
+  config.action_controller.perform_caching = true
+
+  # Ensures that a master key has been made available in ENV["RAILS_MASTER_KEY"], config/master.key, or an environment
+  # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
+  # config.require_master_key = true
+
+  # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
+  # config.public_file_server.enabled = false
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.asset_host = "http://assets.example.com"
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
+  # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
+
+  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
+  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
+  config.assume_ssl = true
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  config.force_ssl = true
+
+  # Skip http-to-https redirect for the default health check endpoint.
+  config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } }, hsts: { subdomains: true, preload: true, expires: 1.year } }
+
+  # Log to STDOUT by default
+  config.logger = ActiveSupport::Logger.new($stdout)
+    .tap  { |logger| logger.formatter = Logger::Formatter.new }
+    .then { |logger| ActiveSupport::TaggedLogging.new(logger) }
+
+  # Prepend all log lines with the following tags.
+  config.log_tags = [:request_id]
+
+  # "info" includes generic and useful information about system operation, but avoids logging too much
+  # information to avoid inadvertent exposure of personally identifiable information (PII). If you
+  # want to log everything, set the level to "debug".
+  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Use a real queuing backend for Active Job (and separate queues per environment).
+  config.active_job.queue_adapter = :solid_queue
+  config.solid_queue.connects_to = { database: { writing: :queue } }
+
+  # config.active_job.queue_name_prefix = "plug_email_production"
+
+  if defined?(ActionMailer)
+    # Disable caching for Action Mailer templates even if Action Controller
+    # caching is enabled.
+    config.action_mailer.perform_caching = false
+  end
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Don't log any deprecations.
+  config.active_support.report_deprecations = false
+
+  # Enable DNS rebinding protection and other `Host` header attacks.
+  # config.hosts = [
+  #   "example.com",     # Allow requests from example.com
+  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
+  # ]
+  # Skip DNS rebinding protection for the default health check endpoint.
+  config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+
+  config.after_initialize do
+    Rails.logger.broadcast_to(SlackWebhookLogger.logger)
+  end
+end

data/config/environments/staging.rb

@@ -0,0 +1,94 @@
+# typed: false
+# frozen_string_literal: true
+
+require "active_support/core_ext/integer/time"
+
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.enable_reloading = false
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local = false
+  config.action_controller.perform_caching = true
+
+  # Ensures that a master key has been made available in ENV["RAILS_MASTER_KEY"], config/master.key, or an environment
+  # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
+  # config.require_master_key = true
+
+  # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
+  # config.public_file_server.enabled = false
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.asset_host = "http://assets.example.com"
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
+  # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
+
+  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
+  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
+  config.assume_ssl = true
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  config.force_ssl = true
+
+  # Skip http-to-https redirect for the default health check endpoint.
+  config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } }, hsts: { subdomains: true, preload: true, expires: 1.year } }
+
+  # Log to STDOUT by default
+  config.logger = ActiveSupport::Logger.new($stdout)
+    .tap  { |logger| logger.formatter = Logger::Formatter.new }
+    .then { |logger| ActiveSupport::TaggedLogging.new(logger) }
+
+  # Prepend all log lines with the following tags.
+  config.log_tags = [:request_id]
+
+  # "info" includes generic and useful information about system operation, but avoids logging too much
+  # information to avoid inadvertent exposure of personally identifiable information (PII). If you
+  # want to log everything, set the level to "debug".
+  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Use a real queuing backend for Active Job (and separate queues per environment).
+  config.active_job.queue_adapter = :solid_queue
+  config.solid_queue.connects_to = { database: { writing: :queue } }
+
+  if defined?(ActionMailer)
+    # Disable caching for Action Mailer templates even if Action Controller
+    # caching is enabled.
+    config.action_mailer.perform_caching = false
+
+    # Ignore bad email addresses and do not raise email delivery errors.
+    # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+    # config.action_mailer.raise_delivery_errors = false
+  end
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Don't log any deprecations.
+  config.active_support.report_deprecations = false
+
+  # Enable DNS rebinding protection and other `Host` header attacks.
+  # config.hosts = [
+  #   "example.com",     # Allow requests from example.com
+  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
+  # ]
+  # Skip DNS rebinding protection for the default health check endpoint.
+  config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+
+  config.after_initialize do
+    Rails.logger.broadcast_to(SlackWebhookLogger.logger)
+  end
+end

data/config/environments/test.rb

@@ -0,0 +1,73 @@
+# typed: false
+# frozen_string_literal: true
+
+require "active_support/core_ext/integer/time"
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # While tests run files are not watched, reloading is not necessary.
+  config.enable_reloading = false
+
+  # Eager loading loads your entire application. When running a single test locally,
+  # this is usually not necessary, and can slow down your test suite. However, it's
+  # recommended that you enable it in continuous integration systems to ensure eager
+  # loading is working properly before deploying your code.
+  config.eager_load = ENV["CI"].present?
+
+  # Configure public file server for tests with Cache-Control for performance.
+  config.public_file_server.headers = { "Cache-Control" => "public, max-age=#{1.hour.to_i}" }
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local = true
+  config.action_controller.perform_caching = false
+  config.cache_store = :null_store
+
+  # Render exception templates for rescuable exceptions and raise for other exceptions.
+  config.action_dispatch.show_exceptions = :rescuable
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  if defined?(ActionMailer)
+    # Disable caching for Action Mailer templates even if Action Controller
+    # caching is enabled.
+    config.action_mailer.perform_caching = false
+
+    # Tell Action Mailer not to deliver emails to the real world.
+    # The :test delivery method accumulates sent emails in the
+    # ActionMailer::Base.deliveries array.
+    config.action_mailer.delivery_method = :test
+
+    # Unlike controllers, the mailer instance doesn't have any context about the
+    # incoming request so you'll need to provide the :host parameter yourself.
+    config.action_mailer.default_url_options = { host: "www.example.com" }
+  end
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
+  # Raises error for missing translations.
+  # config.i18n.raise_on_missing_translations = true
+
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
+
+  # Raise error when a before_action's only/except options reference missing actions.
+  config.action_controller.raise_on_missing_callback_actions = true
+
+  config.after_initialize do
+    Rails.logger.broadcast_to(SlackWebhookLogger.logger)
+  end
+end

data/config/initializers/application.rb

@@ -0,0 +1,14 @@
+# typed: false
+# frozen_string_literal: true
+
+Rails.application.configure do
+  # Configuration for the application, engines, and railties goes here.
+  #
+  # These settings can be overridden in specific environments using the files
+  # in config/environments, which are processed later.
+  #
+  config.time_zone = "UTC"
+
+  # Remove this in rails 8.1 as it will be the default
+  config.active_support.to_time_preserves_timezone = :zone
+end

data/config/initializers/cors.rb

@@ -0,0 +1,19 @@
+# typed: false
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+# Avoid CORS issues when API is called from the frontend app.
+# Handle Cross-Origin Resource Sharing (CORS) in order to accept cross-origin AJAX requests.
+
+# Read more: https://github.com/cyu/rack-cors
+
+# Rails.application.config.middleware.insert_before 0, Rack::Cors do
+#   allow do
+#     origins "example.com"
+#
+#     resource "*",
+#       headers: :any,
+#       methods: [:get, :post, :put, :patch, :delete, :options, :head]
+#   end
+# end

data/config/initializers/environment.rb

@@ -0,0 +1,94 @@
+# typed: false
+# frozen_string_literal: true
+
+def set_env_var(production:, staging:, local:)
+  case Rails.env
+  when "production"
+    %x(op read "#{production}").chomp
+  when "staging"
+    %x(op read "#{staging}").chomp
+  else
+    local
+  end
+end
+
+def productionish?
+  Rails.env.production? || Rails.env.staging?
+end
+
+def print_user_api_errors?
+  (Rails.env.development? || Rails.env.staging?) || ENV.fetch("DEBUG", false)
+end
+
+def plug_shortname
+  plug_name.downcase
+end
+
+def plug_name
+  plug_module[4..] # 4= "Plug".length
+end
+
+def plug_module
+  Rails.application.class.module_parent.name
+end
+
+def plug_url
+  if Rails.env.production?
+    "#{plug_shortname}.plugs.yetto.app"
+  elsif Rails.env.staging?
+    "#{plug_shortname}.plugs.yetto.dev"
+  elsif Rails.env.development?
+    "#{%x(hostname).chomp.downcase}-plug-#{plug_shortname}.ngrok.io"
+  elsif Rails.env.test?
+    "#{plug_shortname}.plugs.yetto.test"
+  end
+end
+
+module Hephaestus
+  YETTO_EMAIL_DOMAIN = if Rails.env.production?
+    "yetto.email"
+  elsif Rails.env.staging?
+    "yetto.dev"
+  elsif Rails.env.development?
+    "yetto-dev.email"
+  elsif Rails.env.test?
+    "yetto.test"
+  end
+
+  PROTOCOL = Rails.env.development? ? "http://" : "https://"
+  YETTO_URL = if Rails.env.production?
+    "web.yetto.app"
+  elsif Rails.env.staging?
+    "web.yetto.dev"
+  elsif Rails.env.development?
+    "localhost:3000"
+  elsif Rails.env.test?
+    "web.yetto.test"
+  end
+
+  SLACK_LOG_URL = set_env_var(
+    production: "op://Infra/Secrets/SLACK_LOG_URL",
+    staging: "op://Infra/Secrets/SLACK_LOG_URL",
+    local: ENV.fetch("SLACK_LOG_URL", "https://slack.com/the_log_room"),
+  )
+
+  YETTO_API_URL = "#{YETTO_URL}/api"
+  YETTO_REDIRECT_URL = productionish? ? "#{PROTOCOL}#{YETTO_URL}" : "#{PROTOCOL}127.0.0.1:3000"
+
+  # Every plug has these secrets
+  YETTO_PLUG_PEM = set_env_var(
+    production: "op://Plug-#{plug_name}/Production/YETTO_PLUG_PEM",
+    staging: "op://Plug-#{plug_name}/Staging/YETTO_PLUG_PEM",
+    local: ENV.fetch("YETTO_PLUG_PEM", Rails.root.join("test/fixtures/files/fake_pem_file/fake.pem").read),
+  )
+  YETTO_SIGNING_SECRET = set_env_var(
+    production: "op://Plug-#{plug_name}/Production/YETTO_SIGNING_SECRET",
+    staging: "op://Plug-#{plug_name}/Staging/YETTO_SIGNING_SECRET",
+    local: ENV.fetch("YETTO_SIGNING_SECRET", "super-secret"),
+  )
+  YETTO_PLUG_ID = set_env_var(
+    production: "op://Plug-#{plug_name}/Production/YETTO_PLUG_ID",
+    staging: "op://Plug-#{plug_name}/Staging/YETTO_PLUG_ID",
+    local: ENV.fetch("YETTO_PLUG_ID", "plug-id"),
+  )
+end

data/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,23 @@
+# typed: false
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+# Configure parameters to be filtered from the log file. Use this to limit dissemination of
+# sensitive information. See the ActiveSupport::ParameterFilter documentation for supported
+# notations and behaviors.
+Rails.application.config.filter_parameters += [
+  :passw,
+  :secret,
+  :token,
+  :_key,
+  :crypt,
+  :salt,
+  :certificate,
+  :otp,
+  :ssn,
+  :credentials,
+  :html_content,
+  :text_content,
+  :attachments,
+]

data/config/initializers/inflections.rb

@@ -0,0 +1,21 @@
+# typed: false
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, "\\1en"
+#   inflect.singular /^(ox)en/i, "\\1"
+#   inflect.irregular "person", "people"
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym("API")
+  inflect.acronym("HTTP")
+  inflect.acronym("GitHub")
+end

data/config/initializers/litestream.rb

@@ -0,0 +1,36 @@
+# typed: false
+# frozen_string_literal: true
+
+# Use this hook to configure the litestream-ruby gem.
+# All configuration options will be available as environment variables, e.g.
+# config.replica_bucket becomes LITESTREAM_REPLICA_BUCKET
+# This allows you to configure Litestream using Rails encrypted credentials,
+# or some other mechanism where the values are only avaialble at runtime.
+
+Rails.application.configure do
+  # An example of using Rails encrypted credentials to configure Litestream.
+  # litestream_credentials = Rails.application.credentials.litestream
+
+  # Replica-specific bucket location.
+  # This will be your bucket's URL without the `https://` prefix.
+  # For example, if you used DigitalOcean Spaces, your bucket URL could look like:
+  #   https://myapp.fra1.digitaloceanspaces.com
+  # And so you should set your `replica_bucket` to:
+  #   myapp.fra1.digitaloceanspaces.com
+  # Litestream supports Azure Blog Storage, Backblaze B2, DigitalOcean Spaces,
+  # Scaleway Object Storage, Google Cloud Storage, Linode Object Storage, and
+  # any SFTP server.
+  # In this example, we are using Rails encrypted credentials to store the URL to
+  # our storage provider bucket.
+  # config.litestream.replica_bucket = litestream_credentials&.replica_bucket
+
+  # Replica-specific authentication key.
+  # Litestream needs authentication credentials to access your storage provider bucket.
+  # In this example, we are using Rails encrypted credentials to store the access key ID.
+  # config.litestream.replica_key_id = litestream_credentials&.replica_key_id
+
+  # Replica-specific secret key.
+  # Litestream needs authentication credentials to access your storage provider bucket.
+  # In this example, we are using Rails encrypted credentials to store the secret access key.
+  # config.litestream.replica_access_key = litestream_credentials&.replica_access_key
+end

data/config/initializers/lograge.rb

@@ -0,0 +1,27 @@
+# typed: false
+# frozen_string_literal: true
+
+require "lograge"
+
+Rails.application.configure do
+  config.lograge.enabled = true
+  config.lograge.custom_options = lambda do |event|
+    span = OpenTelemetry::Trace.current_span
+    {
+      time: event.time,
+      trace_id: span.context.hex_trace_id,
+      span_id: span.context.hex_span_id,
+    }
+  end
+
+  config.lograge.custom_payload do |controller|
+    payload = {
+      host: controller.request.host,
+    }
+
+    payload
+  end
+
+  config.lograge.keep_original_rails_log = true
+  config.lograge.logger = ActiveSupport::Logger.new(Rails.root.join("log", "lograge_#{Rails.env}.log"))
+end

data/config/initializers/opentelemetry.rb

@@ -0,0 +1,41 @@
+# typed: false
+# frozen_string_literal: true
+
+unless Rails.env.development?
+  # establish the environment for OTEL
+  ENV["OTEL_EXPORTER_OTLP_ENDPOINT"] = "https://api.honeycomb.io"
+
+  ENV["OTEL_EXPORTER_OTLP_HEADERS"] = set_env_var(
+    production: "op://Plug-#{plug_name}/Production/OTEL_EXPORTER_OTLP_HEADERS",
+    staging: "op://Plug-#{plug_name}/Staging/OTEL_EXPORTER_OTLP_HEADERS",
+    local: ENV.fetch("OTEL_EXPORTER_OTLP_HEADERS", "x-honeycomb-team=your-api-key"),
+  )
+
+  ENV["OTEL_SERVICE_NAME"] = "plug-#{plug_shortname}-#{Rails.env}"
+
+  require "opentelemetry/sdk"
+  require "opentelemetry/semantic_conventions"
+
+  OpenTelemetry::SDK.configure do |c|
+    c.logger = Rails.logger
+
+    c.use_all(
+      "OpenTelemetry::Instrumentation::PG" => { db_statement: :obfuscate },
+      "OpenTelemetry::Instrumentation::Rack" => { use_rack_events: false },
+    )
+
+    if productionish?
+      c.add_span_processor(
+        OpenTelemetry::SDK::Trace::Export::BatchSpanProcessor.new(
+          OpenTelemetry::Exporter::OTLP::Exporter.new,
+        ),
+      )
+    else # useful for testing instrumentation
+      c.add_span_processor(
+        OpenTelemetry::SDK::Trace::Export::SimpleSpanProcessor.new(
+          OpenTelemetry::SDK::Trace::Export::SpanExporter.new,
+        ),
+      )
+    end # development is intentionally disabled
+  end
+end

data/config/initializers/sidekiq.rb

@@ -0,0 +1,13 @@
+# typed: false
+# frozen_string_literal: true
+
+require "sidekiq"
+
+Sidekiq.configure_server do |config|
+  config.logger = Sidekiq::Logger.new($stdout)
+  config.redis = { url: ENV.fetch("REDIS_URL", "redis://localhost:6379/1") }
+end
+Sidekiq.configure_client do |config|
+  config.logger = Sidekiq::Logger.new($stdout)
+  config.redis = { url: ENV.fetch("REDIS_URL", "redis://localhost:6379/1") }
+end

data/config/initializers/slack_webhook_logger.rb

@@ -0,0 +1,19 @@
+# typed: false
+# frozen_string_literal: true
+
+require "slack_webhook_logger"
+
+SlackWebhookLogger.setup do |config|
+  # Webhook URL
+  #
+  # The URL where messages will be sent.
+  config.webhook_url = Hephaestus::SLACK_LOG_URL
+
+  # The minimum error level to see in Slack.
+  #
+  # All log levels are supported, but don't do anything less then :warn since Slack only allows one message
+  # per minute.
+  config.level = :WARN
+
+  config.ignore_patterns = [/Can't verify CSRF token authenticity/, /is not a valid MIME type/]
+end

data/config/litestream.yml

@@ -0,0 +1,12 @@
+# This is the actual configuration file for litestream.
+#
+# You can either use the generated `config/initializers/litestream.rb`
+# file to configure the litestream-ruby gem, which will populate these
+# ENV variables when using the `rails litestream:replicate` command.
+#
+# Or, if you prefer, manually manage ENV variables and this configuration file.
+# In that case, simply ensure that the ENV variables are set before running the
+# `replicate` command.
+#
+# For more details, see: https://litestream.io/reference/config/
+dbs:

data/config/queue.yml

@@ -0,0 +1,18 @@
+default: &default
+  dispatchers:
+    - polling_interval: 1
+      batch_size: 500
+  workers:
+     - queues: [high_priority*, mid_priority*, low_priority*]
+       threads: 5
+     - queues: "*" # default, mailers, etc
+       threads: 3
+
+development:
+  <<: *default
+
+test:
+  <<: *default
+
+production:
+  <<: *default

data/config/recurring.yml

@@ -0,0 +1,10 @@
+# production:
+#   periodic_cleanup:
+#     class: CleanSoftDeletedRecordsJob
+#     queue: background
+#     args: [ 1000, { batch_size: 500 } ]
+#     schedule: every hour
+#   periodic_command:
+#     command: "SoftDeletedRecord.due.delete_all"
+#     priority: 2
+#     schedule: at 5am every day

data/config/routes.rb

@@ -0,0 +1,17 @@
+# typed: false
+# frozen_string_literal: true
+
+# this file doesn't actually do anything; consumed routes are
+# in lib/hephaestus/engine.rb
+Hephaestus::Engine.routes.draw do
+  resources :settings, only: [:new, :edit]
+
+  #############################################
+  # error pages -- these MUST be at the end! ##
+  #############################################
+
+  get "/500", to: "application#render500" if Rails.env.production? || Rails.env.staging?
+
+  match "/", to: "application#not_found", via: :all
+  match "/*unmatched_route", to: "application#not_found", via: :all
+end