lesli_security 0.3.0

data/app/services/lesli_security/descriptor_privilege_service.rb

@@ -0,0 +1,74 @@
+module LesliSecurity 
+    class DescriptorPrivilegeService < Lesli::ApplicationLesliService 
+
+        def index params
+
+            # First we create a pivot table to convert from:
+            # controller_id
+            # list
+            # index
+            # show
+            # create
+            # update
+            # destroy
+            # to:
+            # controller_id | list | index | show | create | update | destroy |
+            # so this is more easy to manage by the API clients
+            # NOTE: it is necessary to group by controller id so we ger only one
+            # row by controller
+            privileges_pivot = Lesli::SystemController.joins(:actions)
+            .where("lesli_system_controller_actions.deleted_at IS NULL")
+            .group(:system_controller_id)
+            .select(
+                :system_controller_id,
+                "MAX(CASE WHEN lesli_system_controller_actions.name = 'list'    THEN lesli_system_controller_actions.id end) AS list_action",
+                "MAX(CASE WHEN lesli_system_controller_actions.name = 'index'   THEN lesli_system_controller_actions.id end) AS index_action",
+                "MAX(CASE WHEN lesli_system_controller_actions.name = 'show'    THEN lesli_system_controller_actions.id end) AS show_action",
+                "MAX(CASE WHEN lesli_system_controller_actions.name = 'create'  THEN lesli_system_controller_actions.id end) AS create_action",
+                "MAX(CASE WHEN lesli_system_controller_actions.name = 'update'  THEN lesli_system_controller_actions.id end) AS update_action",
+                "MAX(CASE WHEN lesli_system_controller_actions.name = 'destroy' THEN lesli_system_controller_actions.id end) AS destroy_action"
+            )
+
+            # We join to the SystemControllers table again to get the controller name
+            # IMPORTANT: We dont get the name from the previos SQL query due we dont want to group by the name string
+            # then we have to join to the descriptor_privileges table six times (one time for every action, list, index, etc)
+            # we have to do that due we need to check which privileges we have activated
+            # later in the select statement we get the id for the list action and if the id is not null get true/false if 
+            # action is assigned to the descriptor privileges
+            # we consider a privilege as active when it has an action assigned and the deleted_at column is null
+            # we remove the nulls using "attributes.compact" it is important to remove all the nulls due a null action id
+            # means the specific action is not implemented in any application routes, which means there is no view, controller
+            # or model defined for that action
+            Lesli::SystemController.joins("INNER JOIN (#{privileges_pivot.to_sql}) privileges ON privileges.system_controller_id = lesli_system_controllers.id")
+            .joins("left join lesli_descriptor_privileges dp_list  on dp_list.descriptor_id  = #{params[:descriptor_id]} and dp_list.action_id = privileges.list_action")
+            .joins("left join lesli_descriptor_privileges dp_index on dp_index.descriptor_id = #{params[:descriptor_id]} and dp_index.action_id = privileges.index_action")
+            .joins("left join lesli_descriptor_privileges dp_show  on dp_show.descriptor_id  = #{params[:descriptor_id]} and dp_show.action_id = privileges.show_action")
+            .joins("left join lesli_descriptor_privileges dp_create  on dp_create.descriptor_id  = #{params[:descriptor_id]} and dp_create.action_id = privileges.create_action")
+            .joins("left join lesli_descriptor_privileges dp_update  on dp_update.descriptor_id  = #{params[:descriptor_id]} and dp_update.action_id = privileges.update_action")
+            .joins("left join lesli_descriptor_privileges dp_destroy on dp_destroy.descriptor_id = #{params[:descriptor_id]} and dp_destroy.action_id = privileges.destroy_action")
+            .order(:name)
+            .select(
+                "name as controller",
+                "privileges.list_action",
+                "case when privileges.list_action is not null then case when dp_list.action_id is null then false else true end end as list_active",
+
+                "privileges.index_action",
+                "case when privileges.index_action is not null then case when dp_index.action_id is null or dp_index.deleted_at is not null then false else true end end as index_active",
+
+                "privileges.show_action",
+                "case when privileges.show_action is not null then case when dp_show.action_id is null or dp_show.deleted_at is not null then false else true end end as show_active",
+
+                "privileges.create_action",
+                "case when privileges.create_action is not null then case when dp_create.action_id is null or dp_create.deleted_at is not null then false else true end end as create_active",
+
+                "privileges.update_action",
+                "case when privileges.update_action is not null then case when dp_update.action_id is null or dp_update.deleted_at is not null then false else true end end as update_active",
+
+                "privileges.destroy_action",
+                "case when privileges.destroy_action is not null then case when dp_destroy.action_id is null or dp_update.deleted_at is not null then false else true end end as destroy_active",
+            ).map do |privilege|
+                privilege.attributes.compact
+            end
+        end
+    end
+end

data/app/services/lesli_security/descriptor_service.rb

@@ -0,0 +1,152 @@
+=begin
+
+Lesli
+
+Copyright (c) 2023, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by https://www.lesli.tech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+
+=end
+
+module LesliSecurity
+    class DescriptorService < Lesli::ApplicationLesliService
+
+        # @overwrite
+        # @return {Object}
+        # @description Finds a descriptor according the ID given
+        def find id
+            self.resource = self.current_user.account.descriptors.find_by_id(id)
+            self
+        end
+    
+        # @overwrite
+        # @return [Array] Paginated index of users.
+        # @description Return a paginated array of users, used mostly in frontend views
+        def index
+
+            descriptors = current_user.account.descriptors.where.not(
+                :name => ["owner"]
+            )
+    
+            # Count the amount of privileges assigned to every descriptor
+            descriptors = descriptors.joins(%(
+                left join  (
+                    select
+                        count(1) as total,
+                        descriptor_id
+                    from lesli_descriptor_privileges
+                    --where apga.status = TRUE
+                    group by descriptor_id
+                ) as actions
+                on actions.descriptor_id = lesli_descriptors.id
+            ))
+
+            descriptors = descriptors.select(
+                :id,
+                :name,
+                "coalesce(actions.total, 0) as privileges_count",
+                Date2.new.date_time.db_timestamps("lesli_descriptors")
+            )
+            
+            # skip native descriptors
+            #descriptors = descriptors.where.not("descriptors.name in (?)", ["owner", "sysadmin", "profile"])
+    
+            # Filter results by search string
+            # unless search_string.blank?
+            #     descriptors = descriptors.where("(LOWER(descriptors.name) SIMILAR TO ?)", search_string)
+            # end
+    
+            return descriptors
+            .page(query[:pagination][:page])
+            .per(query[:pagination][:perPage])
+            .order("#{query[:order][:by]} #{query[:order][:dir]} NULLS LAST")
+        end 
+    
+        # @overwrite
+        # @return {Hash}
+        # @description Retrives the descriptor with specific keys/attributes
+        def show 
+            { 
+                :id => resource.id,
+                :name => resource.name,
+                :privileges => resource.privileges
+                .joins(system_controller_action: :system_controller)
+                .select(
+                    "lesli_descriptor_privileges.id",
+                    "lesli_system_controllers.name as controlle_name",
+                    "lesli_system_controller_actions.name as action_name",
+                    "lesli_descriptor_privileges.created_at"
+                )
+            }
+        end
+    
+        # @overwrite
+        # @return {Object}
+        # @param {params} Hash of the permitted attributes for a descriptor
+        # @description Creates a new descriptor
+        def create params
+            descriptor = current_user.account.descriptors.new(params)
+
+            if descriptor.save
+                self.resource = descriptor
+                # TODO: keep track of the activities
+            else
+                self.error(descriptor.errors.full_messages.to_sentence)
+            end
+
+            self
+        end
+
+        # @overwrite
+        # @return {Object}
+        # @param {params} Hash of the permitted attributes for a descriptor
+        # @description Updates descriptor's attributes and saves logs if it went without problem
+        def update params
+
+            # TODO: keep track of the activities
+
+            unless self.resource.update(params)
+                self.error(self.resource.errors.full_messages.to_sentence)
+            end
+
+            self
+        end
+
+        # @overwrite
+        # @return {Object}
+        # @description Deletes the descriptor 
+        def destroy
+
+            # TODO: keep track of the activities
+
+            unless self.resource.destroy
+                self.error(self.resource.errors.full_messages.to_sentence)
+            end
+
+            self
+        end    
+    end
+end

data/app/services/lesli_security/role_descriptor_service.rb

@@ -0,0 +1,61 @@
+module LesliSecurity
+    class RoleDescriptorService < Lesli::ApplicationLesliService
+
+        def index role
+
+            # Left join to the role power table, so we can get the records
+            # from the assigned descriptors and the available descriptors
+            sanitized_role_power_join = ActiveRecord::Base.sanitize_sql([%(
+                left join lesli_role_powers 
+                on lesli_role_powers.descriptor_id = lesli_descriptors.id 
+                and lesli_role_powers.role_id = ?
+            ), role.id])
+
+            current_user.account.descriptors
+            .where.not(:name => "owner")
+            .joins(sanitized_role_power_join)
+            .select(
+                "coalesce(lesli_role_powers.descriptor_id, lesli_descriptors.id) as id", 
+                "lesli_descriptors.name as name",
+                "lesli_descriptors.description as description",
+                # we take a descriptor as active if it is already in the role power table
+                # to validate this we use the following logic:
+                #   if the role power is not deleted (deleted_at column must be null)
+                #   and the descriptor_id is not null in the role power table
+                "case when lesli_role_powers.deleted_at is null and lesli_role_powers.id is not null then true else false end as active"
+            )
+        end
+
+        def privileges role
+
+            # Inner join the role power table with the descriptors
+            # so we get only the descriptors that are assigned to the specific role
+            sanitized_role_power_join = ActiveRecord::Base.sanitize_sql([%(
+                inner join lesli_role_powers 
+                on lesli_role_powers.descriptor_id = lesli_descriptors.id 
+                and lesli_role_powers.deleted_at is null
+                and lesli_role_powers.role_id = ?
+            ), role.id])
+
+            current_user.account.descriptors
+            .where.not(:name => "owner")
+            .joins(sanitized_role_power_join)
+            .select(
+                "coalesce(lesli_role_powers.descriptor_id, lesli_descriptors.id) as id", 
+                "lesli_descriptors.name as name", 
+                "lesli_role_powers.plist",
+                "lesli_role_powers.pindex",
+                "lesli_role_powers.pshow",
+                "lesli_role_powers.pcreate",
+                "lesli_role_powers.pupdate",
+                "lesli_role_powers.pdestroy",
+                Lesli::Descriptor::Privilege.joins(action: :system_controller).where("lesli_descriptor_privileges.descriptor_id = lesli_descriptors.id and lesli_system_controller_actions.name = 'list'").arel.exists.as("has_list"),
+                Lesli::Descriptor::Privilege.joins(action: :system_controller).where("lesli_descriptor_privileges.descriptor_id = lesli_descriptors.id and lesli_system_controller_actions.name = 'index'").arel.exists.as("has_index"),
+                Lesli::Descriptor::Privilege.joins(action: :system_controller).where("lesli_descriptor_privileges.descriptor_id = lesli_descriptors.id and lesli_system_controller_actions.name = 'show'").arel.exists.as("has_show"),
+                Lesli::Descriptor::Privilege.joins(action: :system_controller).where("lesli_descriptor_privileges.descriptor_id = lesli_descriptors.id and lesli_system_controller_actions.name = 'create'").arel.exists.as("has_create"),
+                Lesli::Descriptor::Privilege.joins(action: :system_controller).where("lesli_descriptor_privileges.descriptor_id = lesli_descriptors.id and lesli_system_controller_actions.name = 'update'").arel.exists.as("has_update"),
+                Lesli::Descriptor::Privilege.joins(action: :system_controller).where("lesli_descriptor_privileges.descriptor_id = lesli_descriptors.id and lesli_system_controller_actions.name = 'destroy'").arel.exists.as("has_destroy")
+            )
+        end
+    end
+end

data/app/services/lesli_security/role_service.rb

@@ -0,0 +1,215 @@
+=begin
+
+Lesli
+
+Copyright (c) 2023, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS development platform.
+
+Made with ♥ by https://www.lesli.tech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+
+=end
+
+module LesliSecurity
+    class RoleService < Lesli::ApplicationLesliService
+
+        def find id 
+            self.resource = current_user.account.roles.find_by_id(id)
+            self
+        end 
+
+
+        # @return [Array] Paginated index of users.
+        # @description Return a paginated array of users, used mostly in frontend views
+        def index 
+
+            current_user.account.roles.where.not(
+                :name => ["owner"]
+            ).joins("
+                left join (
+                    select
+                        count(1) users,
+                        role_id
+                    from lesli_user_powers
+                    inner join lesli_users as u
+                        on u.id = lesli_user_powers.user_id
+                        and u.deleted_at is null
+                    where lesli_user_powers.deleted_at is null
+                    group by (role_id)
+                ) users on users.role_id = lesli_roles.id
+            ").where("lesli_roles.object_level_permission <= ?", current_user.max_object_level_permission)
+            .select(
+                :id, 
+                :name, 
+                :active, 
+                :isolated, 
+                :description,
+                :path_default, 
+                :object_level_permission, 
+                "users.users"
+            )
+            .page(query[:pagination][:page])
+            .per(query[:pagination][:perPage])
+            .order(object_level_permission: :desc, name: :asc)
+        end
+
+        # @overwrite
+        # @return {Object}
+        # @description Retrives the role
+        def show
+            self.resource
+        end
+
+        # @overwrite
+        # @return {Object}
+        # @param {params} Hash of the permitted attributes for a role
+        # @description Creates a new role
+        def create params
+
+            role = current_user.account.roles.new(params)
+
+            unless current_user.can_work_with_role?(role)
+                self.error(I18n.t("core.roles.messages_danger_creating_role_object_level_permission_too_high"))
+            end
+
+            # check if user can work with that object level permission
+            if role.object_level_permission.to_f >= current_user.roles.map(&:object_level_permission).max()
+                self.error(I18n.t("core.roles.messages_danger_creating_role_object_level_permission_too_high"))
+            end
+
+            # do not create if errors found
+            return self unless self.successful?
+
+            # Try to save role and logs if it went OK
+            if role.save
+                self.resource = role
+                #Role::Activity.log_create(current_user, self.resource)
+            else
+                self.error(role.errors.full_messages.to_sentence)
+            end
+
+            self
+        end
+
+        # @overwrite
+        # @return {Object}
+        # @param {params} Hash of the permitted attributes for a role
+        # @description Updates role's attributes and saves logs if it went without problem
+        def update params
+            old_attributes = self.resource.attributes
+
+            unless self.resource.update(params)
+                self.error(self.resource.errors.full_messages.to_sentence)
+            end
+
+            if self.successful?
+                new_attributes = self.resource.attributes
+
+                LesliSecurity::Role::Activity.log_update(current_user, role, old_attributes, new_attributes)
+            end
+
+            self
+        end
+
+        # @overwrite
+        # @return {Object}
+        # @description Deletes the role 
+        def destroy
+            unless self.resource.destroy
+                self.error(self.resource.errors.full_messages.to_sentence)
+            end
+
+            if self.successful?
+                LesliSecurity::Role::Activity.log_destroy(current_user, self.resource)
+            end
+
+            self
+        end
+
+        def options 
+            { 
+                :object_level_permissions => self.roles_with_object_level_permission
+            }
+        end 
+
+        private 
+
+        def roles_with_object_level_permission
+            levels = {}
+
+            # get all the different object level permission registered in the roles
+            existing_levels = current_user.account.roles
+            .select(:object_level_permission)
+            .order(object_level_permission: :desc)
+            .distinct
+            .map { |level| level.object_level_permission }
+
+            # Build the next available object levels
+            # basically we need to add the possibles object level permissions between the
+            # existing ones
+            existing_levels.each_with_index do |level_current, i|
+
+                level_next = 0
+
+                # get the next OLP in the list of the existing roles
+                level_next = existing_levels.to_a[i+1] unless existing_levels.to_a[i+1].nil?
+
+                # calculate the new next level, basically we get the level right in the middle
+                # between the existing levels, example:
+                #   1000    existing level
+                #    750    new projected level
+                #    500    existing level
+                level_new = (level_current + level_next) / 2
+
+                # add the levels to the levels object
+                levels[level_current] = []
+
+                next if level_next == 0
+
+                levels[level_new] = []
+
+            end
+
+            # Get all the existing roles
+            current_user.account.roles
+            .select(:id, :name, :object_level_permission)
+            .where.not(object_level_permission: nil).each do |role|
+                levels[role.object_level_permission] = [] if levels[role.object_level_permission].blank?
+                # push the role grouping by the object level permission
+                levels[role.object_level_permission].push(role)
+            end
+
+            levels_sorted = []
+
+            levels.keys.each do |key|
+                levels_sorted.push({
+                    level: key,
+                    roles: levels[key]
+                })
+            end
+
+            levels_sorted
+        end
+    end
+end