insights-api-common 3.0.0

data/lib/insights/api/common/rbac/seed.rb

@@ -0,0 +1,140 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        require 'rbac-api-client'
+
+        class Seed
+          def initialize(seed_file, user_file = nil)
+            @acl_data = YAML.load_file(seed_file)
+            @request = Insights::API::Common::Request.current || create_request(user_file)
+          end
+
+          def process
+            Insights::API::Common::Request.with_request(@request) do
+              create_groups
+              create_roles
+              create_policies
+            end
+          end
+
+          private
+
+          def create_groups
+            current = current_groups
+            names = current.collect(&:name)
+            group = RBACApiClient::Group.new
+            begin
+              Service.call(RBACApiClient::GroupApi) do |api_instance|
+                @acl_data['groups'].each do |grp|
+                  next if names.include?(grp['name'])
+
+                  Rails.logger.info("Creating #{grp['name']}")
+                  group.name = grp['name']
+                  group.description = grp['description']
+                  api_instance.create_group(group)
+                end
+              end
+            rescue RBACApiClient::ApiError => e
+              Rails.logger.error("Exception when calling GroupApi->create_group: #{e}")
+              raise
+            end
+          end
+
+          def current_groups
+            Service.call(RBACApiClient::GroupApi) do |api|
+              Service.paginate(api, :list_groups,  {}).to_a
+            end
+          end
+
+          def create_roles
+            current = current_roles
+            names = current.collect(&:name)
+            role_in = RBACApiClient::RoleIn.new
+            begin
+              Service.call(RBACApiClient::RoleApi) do |api_instance|
+                @acl_data['roles'].each do |role|
+                  next if names.include?(role['name'])
+
+                  role_in.name = role['name']
+                  role_in.access = []
+                  role['access'].each do |obj|
+                    access = RBACApiClient::Access.new
+                    access.permission = obj['permission']
+                    access.resource_definitions = create_rds(obj)
+                    role_in.access << access
+                  end
+                  api_instance.create_roles(role_in)
+                end
+              end
+            rescue RBACApiClient::ApiError => e
+              Rails.logger.error("Exception when calling RoleApi->create_roles: #{e}")
+              raise
+            end
+          end
+
+          def create_rds(obj)
+            obj.fetch('resource_definitions', []).collect do |item|
+              RBACApiClient::ResourceDefinition.new.tap do |rd|
+                rd.attribute_filter = RBACApiClient::ResourceDefinitionFilter.new.tap do |rdf|
+                  rdf.key = item['attribute_filter']['key']
+                  rdf.value = item['attribute_filter']['value']
+                  rdf.operation = item['attribute_filter']['operation']
+                end
+              end
+            end
+          end
+
+          def current_roles
+            Service.call(RBACApiClient::RoleApi) do |api|
+              Service.paginate(api, :list_roles, {}).to_a
+            end
+          end
+
+          def create_policies
+            names = current_policies.collect(&:name)
+            groups = current_groups
+            roles = current_roles
+            policy_in = RBACApiClient::PolicyIn.new
+            begin
+              Service.call(RBACApiClient::PolicyApi) do |api_instance|
+                @acl_data['policies'].each do |policy|
+                  next if names.include?(policy['name'])
+
+                  policy_in.name = policy['name']
+                  policy_in.description = policy['description']
+                  policy_in.group = find_uuid('Group', groups, policy['group']['name'])
+                  policy_in.roles = [find_uuid('Role', roles, policy['role']['name'])]
+                  api_instance.create_policies(policy_in)
+                end
+              end
+            rescue RBACApiClient::ApiError => e
+              Rails.logger.error("Exception when calling PolicyApi->create_policies: #{e}")
+              raise
+            end
+          end
+
+          def current_policies
+            Service.call(RBACApiClient::PolicyApi) do |api|
+              Service.paginate(api, :list_policies, {}).to_a
+            end
+          end
+
+          def find_uuid(type, data, name)
+            result = data.detect { |item| item.name == name }
+            raise "#{type} #{name} not found in RBAC service" unless result
+
+            result.uuid
+          end
+
+          def create_request(user_file)
+            raise "File #{user_file} not found" unless File.exist?(user_file)
+
+            user = YAML.load_file(user_file)
+            {:headers => {'x-rh-identity' => Base64.strict_encode64(user.to_json)}, :original_url => '/'}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/service.rb

@@ -0,0 +1,67 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        require 'rbac-api-client'
+
+        class Service
+          def self.call(klass)
+            setup
+            yield init(klass)
+          rescue RBACApiClient::ApiError => err
+            Rails.logger.error("RBACApiClient::ApiError #{err.message} ")
+            raise
+          end
+
+          def self.paginate(obj, method, pagination_options, *method_args)
+            Enumerator.new do |enum|
+              opts = { :limit => 10, :offset => 0 }.merge(pagination_options)
+              count = nil
+              fetched = 0
+              begin
+                loop do
+                  args = [method_args, opts].flatten.compact
+                  result = obj.send(method, *args)
+                  count ||= result.meta.count
+                  opts[:offset] = opts[:offset] + result.data.count
+                  result.data.each do |element|
+                    enum.yield element
+                  end
+                  fetched += result.data.count
+                  break if count == fetched || result.data.empty?
+                end
+              rescue StandardError => e
+                Rails.logger.error("Exception when calling pagination on #{method} #{e}")
+                raise
+              end
+            end
+          end
+
+          private_class_method def self.setup
+            RBACApiClient.configure do |config|
+              config.host   = ENV['RBAC_URL'] || 'localhost'
+              config.scheme = URI.parse(ENV['RBAC_URL']).try(:scheme) || 'http'
+              dev_credentials(config)
+            end
+          end
+
+          private_class_method def self.init(klass)
+            headers = Insights::API::Common::Request.current_forwardable
+            Rails.logger.info("Sending Headers to RBAC #{headers}")
+            klass.new.tap do |api|
+              api.api_client.default_headers = api.api_client.default_headers.merge(headers)
+            end
+          end
+
+          private_class_method def self.dev_credentials(config)
+            # Set up user/pass for basic auth if we're in dev and they exist.
+            if Rails.env.development?
+              config.username = ENV.fetch('DEV_USERNAME')
+              config.password = ENV.fetch('DEV_PASSWORD')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/share_resource.rb

@@ -0,0 +1,60 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        class ShareResource
+          require 'rbac-api-client'
+          include Utilities
+
+          def initialize(options)
+            @app_name = options[:app_name]
+            @resource_name = options[:resource_name]
+            @permissions = options[:permissions]
+            @resource_ids = options[:resource_ids]
+            @group_uuids = SortedSet.new(options[:group_uuids])
+            @acls = RBAC::ACL.new
+          end
+
+          def process
+            validate_groups
+            @roles = RBAC::Roles.new("#{@app_name}-#{@resource_name}-", 'account')
+            @group_uuids.each { |uuid| manage_roles_for_group(uuid) }
+            self
+          end
+
+          private
+
+          def manage_roles_for_group(group_uuid)
+            @resource_ids.each do |resource_id|
+              name = unique_name(resource_id, group_uuid)
+              role = @roles.find(name)
+              role ? update_existing_role(role, resource_id) : add_new_role(name, group_uuid, resource_id)
+            end
+          end
+
+          def update_existing_role(role, resource_id)
+            role.access = @acls.add(role.access, resource_id, @permissions)
+            @roles.update(role) if role.access.present?
+          end
+
+          def add_new_role(name, group_uuid, resource_id)
+            acls = @acls.create(resource_id, @permissions)
+            role = @roles.add(name, acls)
+            add_policy(name, group_uuid, role.uuid)
+          end
+
+          def add_policy(name, group_uuid, role_uuid)
+            Service.call(RBACApiClient::PolicyApi) do |api_instance|
+              policy_in = RBACApiClient::PolicyIn.new
+              policy_in.name = name
+              policy_in.description = 'Shared Policy'
+              policy_in.group = group_uuid
+              policy_in.roles = [role_uuid]
+              api_instance.create_policies(policy_in)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/unshare_resource.rb

@@ -0,0 +1,32 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        require 'rbac-api-client'
+
+        class UnshareResource < ShareResource
+          attr_accessor :count
+
+          def initialize(options)
+            @count = 0
+            super
+          end
+
+          private
+
+          def manage_roles_for_group(group_uuid)
+            @resource_ids.each do |resource_id|
+              name = unique_name(resource_id, group_uuid)
+              role = @roles.find(name)
+              next unless role
+
+              role.access = @acls.remove(role.access, resource_id, @permissions)
+              role.access.present? ? @roles.update(role) : @roles.delete(role)
+              @count += 1
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/utilities.rb

@@ -0,0 +1,30 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        module Utilities
+          def validate_groups
+            Service.call(RBACApiClient::GroupApi) do |api|
+              uuids = SortedSet.new
+              Service.paginate(api, :list_groups, {}).each { |group| uuids << group.uuid }
+              missing = @group_uuids - uuids
+              raise Insights::API::Common::InvalidParameter, "The following group uuids are missing #{missing.to_a.join(",")}" unless missing.empty?
+            end
+          end
+
+          def unique_name(resource_id, group_id)
+            "#{@app_name}-#{@resource_name}-#{resource_id}-group-#{group_id}"
+          end
+
+          def parse_ids_from_name(name)
+            @regexp ||= Regexp.new("#{@app_name}-#{@resource_name}-(?<resource_id>.*)-group-(?<group_uuid>.*)")
+            result = @regexp.match(name)
+            if result
+              [result[:resource_id], result[:group_uuid]]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/request.rb

@@ -0,0 +1,111 @@
+module Insights
+  module API
+    module Common
+      class RequestNotSet < ArgumentError
+        def initialize
+          super("Current request has not been set")
+        end
+      end
+
+      class InvalidParameter < StandardError
+      end
+
+      class Request
+        REQUEST_ID_KEY = "x-rh-insights-request-id".freeze
+        IDENTITY_KEY   = 'x-rh-identity'.freeze
+        PERSONA_KEY    = 'x-rh-persona'.freeze
+        FORWARDABLE_HEADER_KEYS = [REQUEST_ID_KEY, IDENTITY_KEY, PERSONA_KEY].freeze
+        OPTIONAL_AUTH_PATHS = [
+          %r{\A/api/v[0-9]+(\.[0-9]+)?/openapi.json\z},
+          %r{\A/api/[^/]+/v[0-9]+(\.[0-9]+)?/openapi.json\z}
+        ].freeze
+
+        def self.current
+          Thread.current[:current_request]
+        end
+
+        def self.current!
+          current || raise(RequestNotSet)
+        end
+
+        def self.current=(request)
+          Thread.current[:current_request] =
+            case request
+            when ActionDispatch::Request
+              new(:headers => request.headers, :original_url => request.original_url)
+            when Hash
+              new(request)
+            when Request, nil
+              request
+            else
+              raise ArgumentError, 'Not an Insights::API::Common::Request or ActionDispatch::Request Class, Hash, or nil'
+            end
+        end
+
+        def self.with_request(request)
+          saved = current
+          self.current = request
+          yield current
+        ensure
+          self.current = saved
+        end
+
+        def self.current_forwardable
+          current!.forwardable
+        end
+
+        attr_reader :headers, :original_url
+
+        def initialize(headers:, original_url:, **_kwargs)
+          headers = from_hash(headers) if headers.kind_of?(Hash)
+          @headers, @original_url = headers, original_url
+        end
+
+        def request_id
+          headers.fetch(REQUEST_ID_KEY, nil)
+        end
+
+        def identity
+          @identity ||= JSON.parse(Base64.decode64(headers.fetch(IDENTITY_KEY)))
+        rescue KeyError
+          raise IdentityError, "x-rh-identity not found"
+        end
+
+        def user
+          @user ||= User.new(identity)
+        end
+
+        def entitlement
+          @entitlement ||= Entitlement.new(identity)
+        end
+
+        def to_h
+          {:headers => forwardable, :original_url => original_url}
+        end
+
+        def forwardable
+          FORWARDABLE_HEADER_KEYS.each_with_object({}) do |key, hash|
+            hash[key] = headers[key] if headers.key?(key)
+          end
+        end
+
+        def required_auth?
+          !optional_auth?
+        end
+
+        def optional_auth?
+          uri_path = URI.parse(original_url).path
+          OPTIONAL_AUTH_PATHS.any? { |optional_auth_path_regex| optional_auth_path_regex.match(uri_path) }
+        end
+
+        private
+
+        def from_hash(hash)
+          ActionDispatch::Http::Headers.from_hash({}).tap do |headers|
+            hash.each { |k, v| headers.add(k, v) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/routing.rb

@@ -0,0 +1,26 @@
+module Insights
+  module API
+    module Common
+      class Routing
+        attr_reader :route_mapper
+
+        def initialize(route_mapper)
+          @route_mapper = route_mapper
+        end
+
+        def redirect_major_version(version, prefix, via: [:delete, :get, :options, :patch, :post])
+          route_mapper.match(
+            "/#{version.split('.').first}/*path(.:format)",
+            :format => false,
+            :via    => via,
+            :to     => route_mapper.redirect(
+              :path      => "/#{prefix}/#{version}/%{path}",
+              :only_path => true,
+              :status    => 302
+            )
+          )
+        end
+      end
+    end
+  end
+end