internal-affairs 1.0.0

data/lib/internal_affairs/api_utils.rb

@@ -0,0 +1,123 @@
+module InternalAffairs
+  module ApiUtils
+    extend self
+
+    class Error < StandardError
+      def initialize(_response)
+        @response = _response
+        @status = _response.status
+
+        super "IA api responded with #{@status}"
+      end
+
+      def status
+        @response.status
+      end
+
+      def json_body
+        JSON.parse @response.body
+      rescue JSON::ParserError
+        nil
+      end
+    end
+
+    def create_log(user:, ip:, kind:, data:, resources: [])
+      data = {
+        user: user,
+        ip: ip,
+        kind: kind,
+        data: data,
+        resources: resources
+      }
+
+      response = post("/api/v1/logs", log: data)
+      OpenStruct.new response['log']
+    end
+
+    def create_operation(user:, name:, amount: nil, uuid: nil, resources: [])
+      data = {
+        user: user,
+        name: name,
+        resources: resources
+      }
+
+      data[:uuid] = uuid if uuid.present?
+
+      if amount.present?
+        data[:amount] = amount.amount
+        data[:currency] = amount.currency.iso_code
+      end
+
+      response = post("/api/v1/operations", operation: data)
+      OpenStruct.new response['operation']
+    end
+
+    def get_operation(_id)
+      response = get("/api/v1/operations/#{_id}")
+      OpenStruct.new response['operation']
+    end
+
+    private
+
+    def get(_path, _headers = {})
+      perform_request(:get, _path, _headers)
+    end
+
+    def get_query(_path, _query, _headers = {})
+      get(_query.present? ? "#{_path}?#{_query.to_query}" : _path, _headers)
+    end
+
+    def post(_path, _data, _headers = {})
+      perform_request(:post, _path, _data, _headers)
+    end
+
+    def put(_path, _data, _headers = {})
+      perform_request(:put, _path, _data, _headers)
+    end
+
+    def delete(_path, _headers = {})
+      perform_request(:delete, _path, _headers)
+    end
+
+    def perform_request(_method, _path, _body = nil, _headers = {})
+      full_path = "#{config.host}#{_path}"
+
+      response = connection.public_send(_method, full_path) do |request|
+        request.headers.merge!(
+          "X-App-Id" => config.app_key_id,
+          "Accept" => "application/json"
+        )
+
+        if _body.present?
+          request.body = _body.to_json
+          request.headers["Content-Type"] = "application/json"
+        end
+
+        signer.sign request, config.app_key_secret
+      end
+
+      process_json_response response
+    end
+
+    def process_json_response(_response)
+      raise Error.new(_response) unless _response.success?
+
+      _response.body.empty? ? nil : JSON.parse(_response.body)
+    end
+
+    def connection
+      Faraday.new do |faraday|
+        faraday.adapter :patron
+        faraday.options.timeout = config.connection_timeout
+      end
+    end
+
+    def signer
+      Authograph.signer
+    end
+
+    def config
+      InternalAffairs.config
+    end
+  end
+end

data/lib/internal_affairs/approvable_model.rb

@@ -0,0 +1,31 @@
+module InternalAffairs
+  module ApprovableModel
+    extend ::ActiveSupport::Concern
+
+    class_methods do
+      def load_from_operation_serialized_attributes(_id)
+        find(_id)
+      end
+    end
+
+    def attributes_for_operation_serialization
+      attributes[self.class.primary_key]
+    end
+
+    def approvable_user
+      raise NotImplementedError, 'approvable_user not implemented'
+    end
+
+    def approvable_operation
+      raise NotImplementedError, 'approvable_operation not implemented'
+    end
+
+    def approvable_resources
+      []
+    end
+
+    def approvable_amount
+      nil
+    end
+  end
+end

data/lib/internal_affairs/audited_page.rb

@@ -0,0 +1,63 @@
+module InternalAffairs
+  module AuditedPage
+    extend ActiveSupport::Concern
+
+    METHODS_WITH_BODY = ['POST', 'PUT']
+    FORM_IGNORED_FIELDS = ['utf8', 'authenticity_token', 'commit']
+
+    def audit_page_action
+      yield
+    ensure
+      create_audit_log_or_fail_silently if InternalAffairs.config.audit_logs_enabled?
+    end
+
+    def create_audit_log_or_fail_silently
+      InternalAffairs::ApiUtils.create_log(
+        user: current_admin_user.email,
+        ip: audited_ip,
+        kind: 'request',
+        data: audited_data,
+        resources: audited_resources
+      )
+    rescue StandardError
+      nil
+    end
+
+    def audited_ip
+      request.env["HTTP_CF_CONNECTING_IP"] || request.ip
+    end
+
+    def audited_data
+      r = "#{request.method} #{response.status} #{request.path}"
+      if METHODS_WITH_BODY.include?(request.method)
+        r += " #{request.request_parameters.except(*FORM_IGNORED_FIELDS).to_json}"
+      end
+      r
+    end
+
+    def audited_resources
+      resources = [
+        { kind: 'url', path: request.path },
+        { kind: 'admin_page', admin_controller: params[:controller], admin_action: params[:action] }
+      ]
+
+      if !(resource_class <= ActiveAdmin::Page)
+        association_chain.each do |parent|
+          next unless parent.respond_to?(:to_global_id)
+
+          resources << { kind: 'object', global_id: parent.to_global_id.to_s }
+        end
+
+        if params[:id].present? && resource.respond_to?(:to_global_id)
+          resources << { kind: 'object', global_id: resource.to_global_id.to_s }
+        end
+      end
+
+      resources
+    end
+
+    included do
+      around_action :audit_page_action
+    end
+  end
+end

data/lib/internal_affairs/configuration.rb

@@ -0,0 +1,14 @@
+module InternalAffairs
+  class Configuration
+    attr_accessor :host, :app_key_id, :app_key_secret, :disable_audit_logs, :connection_timeout
+
+    def initialize
+      @disable_audit_logs = false
+      @connection_timeout = 1.0
+    end
+
+    def audit_logs_enabled?
+      !disable_audit_logs && host.present?
+    end
+  end
+end

data/lib/internal_affairs/noop_operation.rb

@@ -0,0 +1,41 @@
+module InternalAffairs
+  class NoopOperation
+    attr_reader :attributes
+
+    def self.load_from_operation_serialized_attributes(_attributes)
+      new(_attributes)
+    end
+
+    def attributes_for_operation_serialization
+      attributes
+    end
+
+    def initialize(_attributes)
+      @attributes = _attributes
+    end
+
+    def approvable_user
+      @attributes[:user]
+    end
+
+    def approvable_operation
+      @attributes[:operation]
+    end
+
+    def approvable_resources
+      @attributes[:resources] || []
+    end
+
+    def approvable_amount
+      @attributes[:amount]
+    end
+
+    def approve!
+      # do nothing
+    end
+
+    def reject!
+      # do nothing
+    end
+  end
+end

data/lib/internal_affairs/operation_manager.rb

@@ -0,0 +1,21 @@
+module InternalAffairs
+  module OperationManager
+    def request_operation_approval(_target)
+      uuid = SecureRandom.uuid
+
+      response = InternalAffairs::ApiUtils.create_operation(
+        uuid: uuid,
+        user: _target.approvable_user,
+        name: _target.approvable_operation,
+        amount: _target.approvable_amount,
+        resources: _target.approvable_resources
+      )
+
+      if response.state == 'approved'
+        _target.approve!
+      else
+        InternalAffairs::PendingOperation.create! operation_uuid: uuid, target: _target
+      end
+    end
+  end
+end

data/lib/internal_affairs/patching.rb

@@ -0,0 +1,9 @@
+module InternalAffairs
+  module Patching
+    def patch_active_admin
+      ActiveAdmin::BaseController.class_eval do
+        include InternalAffairs::AuditedPage
+      end
+    end
+  end
+end

data/lib/internal_affairs/pending_operation.rb

@@ -0,0 +1,34 @@
+module InternalAffairs
+  class PendingOperation < ::ActiveRecord::Base
+    serialize :target_attributes
+
+    self.table_name = "internal_affairs_pending_operations"
+
+    validates :operation_uuid, :target_class, presence: true
+
+    def target=(_target)
+      # use separate class and attributes serialization to support non-ar cases
+
+      if _target.present?
+        self.target_class = _target.class.to_s
+        self.target_attributes = _target.attributes_for_operation_serialization
+      else
+        self.target_class = self.target_attributes = nil
+      end
+
+      @target = _target
+    end
+
+    def target
+      @target ||= load_target
+    end
+
+    private
+
+    def load_target
+      return nil if target_class.nil?
+
+      target_class.constantize.load_from_operation_serialized_attributes(target_attributes)
+    end
+  end
+end

data/lib/internal_affairs/pending_operations_update_job.rb

@@ -0,0 +1,28 @@
+module InternalAffairs
+  class PendingOperationsUpdateJob < ::ActiveJob::Base
+    def perform
+      InternalAffairs::PendingOperation.all.find_each do |operation|
+        update_operation operation
+      end
+    end
+
+    private
+
+    def update_operation(_operation)
+      operation = InternalAffairs::ApiUtils.get_operation _operation.operation_uuid
+
+      ActiveRecord::Base.transaction do
+        case operation.state
+        when 'approved'
+          _operation.target.approve!
+          _operation.destroy
+        when 'rejected'
+          _operation.target.reject!
+          _operation.destroy
+        end
+      end
+    rescue StandardError => e
+      Raven.capture_exception e
+    end
+  end
+end

data/lib/internal_affairs/version.rb

@@ -0,0 +1,3 @@
+module InternalAffairs
+  VERSION = '1.0.0'
+end

data/lib/internal_affairs.rb

@@ -0,0 +1,26 @@
+require 'internal_affairs/api_utils'
+require 'internal_affairs/approvable_model'
+require 'internal_affairs/audited_page'
+require 'internal_affairs/configuration'
+require 'internal_affairs/noop_operation'
+require 'internal_affairs/operation_manager'
+require 'internal_affairs/patching'
+require 'internal_affairs/pending_operation'
+require 'internal_affairs/pending_operations_update_job'
+require 'internal_affairs/version'
+
+module InternalAffairs
+  extend InternalAffairs::Patching
+  extend InternalAffairs::OperationManager
+
+  def self.config
+    @@config
+  end
+
+  def self.configure
+    @@config = Configuration.new
+    yield @@config
+
+    patch_active_admin
+  end
+end