insights-api-common 3.0.0

data/lib/insights/api/common/open_api/serializer.rb

@@ -0,0 +1,31 @@
+module Insights
+  module API
+    module Common
+      module OpenApi
+        module Serializer
+          def as_json(arg = {})
+            previous = super
+            encrypted_columns_set = (self.class.try(:encrypted_columns) || []).to_set
+            encryption_filtered = previous.except(*encrypted_columns_set)
+            return encryption_filtered unless arg.key?(:prefixes)
+            version = api_version_from_prefix(arg[:prefixes].first)
+            schema  = ::Insights::API::Common::OpenApi::Docs.instance[version].definitions[self.class.name]
+            attrs   = encryption_filtered.slice(*schema["properties"].keys)
+            schema["properties"].keys.each do |name|
+              next if attrs[name].nil?
+              attrs[name] = attrs[name].iso8601 if attrs[name].kind_of?(Time)
+              attrs[name] = attrs[name].to_s if name.ends_with?("_id") || name == "id"
+              attrs[name] = self.public_send(name) if !attrs.key?(name) && !encrypted_columns_set.include?(name)
+            end
+            attrs.compact
+          end
+
+          def api_version_from_prefix(prefix)
+            /\/?\w+\/v(?<major>\d+)[x\.]?(?<minor>\d+)?\// =~ prefix
+            [major, minor].compact.join(".")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/option_redirect_enhancements.rb

@@ -0,0 +1,23 @@
+module Insights
+  module API
+    module Common
+      module OptionRedirectEnhancements
+        def serve(req)
+          uri = URI.parse(path(req.path_parameters, req))
+
+          req.commit_flash
+
+          body = %(<html><body>You are being <a href="#{ERB::Util.unwrapped_html_escape(uri.to_s)}">redirected</a>.</body></html>)
+
+          headers = {
+            "Location" => uri.to_s,
+            "Content-Type" => "text/html",
+            "Content-Length" => body.length.to_s
+          }
+
+          [ status, headers, [body] ]
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/paginated_response.rb

@@ -0,0 +1,108 @@
+module Insights
+  module API
+    module Common
+      class PaginatedResponse
+        attr_reader :limit, :offset, :sort_by
+
+        def initialize(base_query:, request:, limit: nil, offset: nil, sort_by: nil)
+          @base_query = base_query
+          @request    = request
+          @limit      = (limit || 100).to_i.clamp(1, 1000)
+          @offset     = (offset || 0).to_i.clamp(0, Float::INFINITY)
+          @sort_by    = sort_by
+        end
+
+        def records
+          @records ||= begin
+            res = @base_query.order(:id).limit(limit).offset(offset)
+            order_options = sort_by_options(res.klass)
+            res = res.reorder(order_options) if order_options.present?
+            res
+          end
+        end
+
+        def response
+          {
+            "meta"  => metadata_hash,
+            "links" => links_hash,
+            "data"  => records
+          }
+        end
+
+        private
+
+        def metadata_hash
+          @metadata_hash ||= {"count" => count, "limit" => limit, "offset" => offset}
+        end
+
+        def links_hash
+          @links_hash ||= {
+            "first" => link_to_first,
+            "last"  => link_to_last,
+            "prev"  => link_to_prev,
+            "next"  => link_to_next,
+          }.compact
+        end
+
+        def link_to_first
+          link_with_new_offset(0)
+        end
+
+        def link_to_last
+          link_with_new_offset(max_limit_multiplier.clamp(0, Float::INFINITY) * limit)
+        end
+
+        def link_to_prev
+          return if offset == 0
+          prev_offset = offset - limit
+
+          link_with_new_offset(prev_offset.clamp(0, Float::INFINITY))
+        end
+
+        def link_to_next
+          next_offset = limit + offset
+          return if next_offset >= count
+
+          link_with_new_offset(next_offset)
+        end
+
+        def link_with_new_offset(offset)
+          URI::Generic.build(:path => request_uri.path, :query => query_hash_merge("offset" => offset.to_s)).to_s
+        end
+
+        def query_hash_merge(new_hash)
+          parsed_query.merge(new_hash).to_query
+        end
+
+        def parsed_query
+          @parsed_query ||= Rack::Utils.parse_query(request_uri.query)
+        end
+
+        def request_uri
+          @request_uri ||= URI.parse(@request.original_url)
+        end
+
+        def max_limit_multiplier
+          @max_limit_multiplier ||= ((count - 1) / limit)
+        end
+
+        def count
+          @count ||= @base_query.count
+        end
+
+        def sort_by_options(model)
+          @sort_by_options ||= begin
+            Array(sort_by).collect do |selection|
+              sort_attr, sort_order = selection.split(':')
+              sort_order ||= "asc"
+              arel = model.arel_attribute(sort_attr)
+              arel = arel.asc  if sort_order == "asc"
+              arel = arel.desc if sort_order == "desc"
+              arel
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/access.rb

@@ -0,0 +1,66 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        class Access
+          attr_reader :acl
+          DEFAULT_LIMIT = 500
+          def initialize(resource, verb)
+            @resource = resource
+            @verb     = verb
+            @regexp   = Regexp.new(":(#{Regexp.escape(@resource)}|\\*):(#{Regexp.escape(@verb)}|\\*)")
+            @app_name = ENV["APP_NAME"]
+          end
+
+          def process
+            Service.call(RBACApiClient::AccessApi) do |api|
+              @acl ||= Service.paginate(api, :get_principal_access, {:limit => DEFAULT_LIMIT}, @app_name).select do |item|
+                @regexp.match?(item.permission)
+              end
+            end
+            self
+          end
+
+          def accessible?
+            @acl.any?
+          end
+
+          def id_list
+            ids.include?('*') ? [] : ids
+          end
+
+          def owner_scoped?
+            ids.include?('*') ? false : owner_scope_filter?
+          end
+
+          def self.enabled?
+            ENV['BYPASS_RBAC'].blank?
+          end
+
+          private
+
+          def ids
+            @ids ||= @acl.each_with_object([]) do |item, ids|
+              item.resource_definitions.each do |rd|
+                next unless rd.attribute_filter.key == 'id'
+                next unless rd.attribute_filter.operation == 'equal'
+
+                ids << rd.attribute_filter.value
+              end
+            end
+          end
+
+          def owner_scope_filter?
+            @acl.any? do |item|
+              item.resource_definitions.any? do |rd|
+                rd.attribute_filter.key == 'owner' &&
+                  rd.attribute_filter.operation == 'equal' &&
+                  rd.attribute_filter.value == '{{username}}'
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/acl.rb

@@ -0,0 +1,74 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        class ACL
+          def create(resource_id, permissions)
+            permissions.collect do |permission|
+              create_acl(permission, resource_id)
+            end
+          end
+
+          def remove(acls, resource_id, permissions)
+            permissions.each_with_object(acls) do |permission, as|
+              delete_matching(as, resource_id, permission)
+            end
+          end
+
+          def add(acls, resource_id, permissions)
+            new_acls = permissions.each_with_object([]) do |permission, as|
+              next if find_matching(acls, resource_id, permission)
+
+              as << create_acl(permission, resource_id)
+            end
+            new_acls + acls
+          end
+
+          def resource_defintions_empty?(acls, permission)
+            acls.each do |acl|
+              if acl.permission == permission
+                return acl.resource_definitions.empty?
+              end
+            end
+            true
+          end
+
+          private
+
+          def create_acl(permission, resource_id = nil)
+            resource_def = resource_definition(resource_id) if resource_id
+            RBACApiClient::Access.new.tap do |access|
+              access.permission = permission
+              access.resource_definitions = resource_def ? [resource_def] : []
+            end
+          end
+
+          def resource_definition(resource_id)
+            rdf = RBACApiClient::ResourceDefinitionFilter.new.tap do |obj|
+              obj.key       = 'id'
+              obj.operation = 'equal'
+              obj.value     = resource_id.to_s
+            end
+
+            RBACApiClient::ResourceDefinition.new.tap do |rd|
+              rd.attribute_filter = rdf
+            end
+          end
+
+          def matches?(access, resource_id, permission)
+            access.permission == permission &&
+              access.resource_definitions.any? { |rdf| rdf.attribute_filter.key == 'id' && rdf.attribute_filter.operation == 'equal' && rdf.attribute_filter.value == resource_id.to_s }
+          end
+
+          def find_matching(acls, resource_id, permission)
+            acls.detect { |access| matches?(access, resource_id, permission) }
+          end
+
+          def delete_matching(acls, resource_id, permission)
+            acls.delete_if { |access| matches?(access, resource_id, permission) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/policies.rb

@@ -0,0 +1,33 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        class Policies
+          def initialize(prefix)
+            @prefix = prefix
+          end
+
+          def add_policy(policy_name, description, group_name, role_uuid)
+            Service.call(RBACApiClient::PolicyApi) do |api_instance|
+              policy_in = RBACApiClient::PolicyIn.new
+              policy_in.name = policy_name
+              policy_in.description = description
+              policy_in.group = group_name
+              policy_in.roles = [role_uuid]
+              api_instance.create_policies(policy_in)
+            end
+          end
+
+          # delete all policies that contains the role.
+          def delete_policy(role)
+            Service.call(RBACApiClient::PolicyApi) do |api_instance|
+              Service.paginate(api_instance, :list_policies, :name => @prefix).each do |policy|
+                api_instance.delete_policy(policy.uuid) if policy.roles.map(&:uuid).include?(role.uuid)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/query_shared_resource.rb

@@ -0,0 +1,45 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        class QuerySharedResource
+          require 'rbac-api-client'
+
+          include Utilities
+          attr_accessor :share_info
+
+          def initialize(options)
+            @app_name = options[:app_name]
+            @resource_id = options[:resource_id]
+            @resource_name = options[:resource_name]
+            @share_info = []
+            @roles = RBAC::Roles.new("#{@app_name}-#{@resource_name}-#{@resource_id}", 'account')
+          end
+
+          def process
+            build_share_info
+            self
+          end
+
+          private
+
+          def build_share_info
+            @roles.with_each_role do |role|
+              _id, group_uuid = parse_ids_from_name(role.name)
+              group = get_group(group_uuid)
+              @share_info << { 'group_name'  => group.name,
+                               'group_uuid'  => group.uuid,
+                               'permissions' => role.access.collect(&:permission)}
+            end
+          end
+
+          def get_group(uuid)
+            Service.call(RBACApiClient::GroupApi) do |api_instance|
+              api_instance.get_group(uuid)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/insights/api/common/rbac/roles.rb

@@ -0,0 +1,77 @@
+module Insights
+  module API
+    module Common
+      module RBAC
+        class Roles
+          attr_reader :roles
+
+          def initialize(prefix = nil, scope = 'principal')
+            @roles = {}
+            load(prefix, scope)
+          end
+
+          def find(name)
+            uuid = @roles[name]
+            get(uuid) if uuid
+          end
+
+          def with_each_role
+            @roles.each_value do |uuid|
+              yield get(uuid)
+            end
+          end
+
+          def add(name, acls)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              role_in = RBACApiClient::RoleIn.new
+              role_in.name = name
+              role_in.access = acls
+              api_instance.create_roles(role_in).tap do |role|
+                @roles[name] = role.uuid
+              end
+            end
+          end
+
+          def update(role)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              api_instance.update_role(role.uuid, role)
+            end
+          end
+
+          def delete(role)
+            @roles.delete(role.name)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              api_instance.delete_role(role.uuid)
+            end
+          end
+
+          def self.assigned_role?(role_name)
+            opts = { :name  => role_name,
+                     :scope => 'principal' }
+
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              Service.paginate(api_instance, :list_roles, opts).count.positive?
+            end
+          end
+
+          private
+
+          def load(prefix, scope)
+            opts = { :scope => scope, :name => prefix, :limit => 500 }
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              Service.paginate(api_instance, :list_roles, opts).each do |role|
+                @roles[role.name] = role.uuid
+              end
+            end
+          end
+
+          def get(uuid)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              api_instance.get_role(uuid)
+            end
+          end
+        end
+      end
+    end
+  end
+end