lotusrb 0.3.2 → 0.4.0

data/lib/lotus.rb

@@ -1,7 +1,6 @@
 require 'lotus/version'
 require 'lotus/application'
 require 'lotus/container'
-require 'lotus/logger'
 require 'lotus/environment'
 
 # A complete web framework for Ruby

data/lib/lotus/action/csrf_protection.rb

@@ -0,0 +1,167 @@
+require 'securerandom'
+
+module Lotus
+  module Action
+    # Invalid CSRF Token
+    #
+    # @since 0.4.0
+    class InvalidCSRFTokenError < ::StandardError
+    end
+
+    # CSRF Protection
+    #
+    # This security mechanism is enabled automatically if sessions are turned on.
+    #
+    # It stores a "challenge" token in session. For each "state changing request"
+    # (eg. <tt>POST</tt>, <tt>PATCH</tt> etc..), we should send a special param:
+    # <tt>_csrf_token</tt>.
+    #
+    # If the param matches with the challenge token, the flow can continue.
+    # Otherwise the application detects an attack attempt, it reset the session
+    # and <tt>Lotus::Action::InvalidCSRFTokenError</tt> is raised.
+    #
+    # We can specify a custom handling strategy, by overriding <tt>#handle_invalid_csrf_token</tt>.
+    #
+    # Form helper (<tt>#form_for</tt>) automatically sets a hidden field with the
+    # correct token. A special view method (<tt>#csrf_token</tt>) is available in
+    # case the form markup is manually crafted.
+    #
+    # We can disable this check on action basis, by overriding <tt>#verify_csrf_token?</tt>.
+    #
+    # @since 0.4.0
+    #
+    # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
+    # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+    #
+    # @example Custom Handling
+    #   module Web::Controllers::Books
+    #     class Create
+    #       include Web::Action
+    #
+    #       def call(params)
+    #         # ...
+    #       end
+    #
+    #       private
+    #
+    #       def handle_invalid_csrf_token
+    #         Web::Logger.warn "CSRF attack: expected #{ session[:_csrf_token] }, was #{ params[:_csrf_token] }"
+    #         # manual handling
+    #       end
+    #     end
+    #   end
+    #
+    # @example Bypass Security Check
+    #   module Web::Controllers::Books
+    #     class Create
+    #       include Web::Action
+    #
+    #       def call(params)
+    #         # ...
+    #       end
+    #
+    #       private
+    #
+    #       def verify_csrf_token?
+    #         false
+    #       end
+    #     end
+    #   end
+    module CSRFProtection
+      # Session and params key for CSRF token.
+      #
+      # This key is shared with <tt>lotus-controller</tt> and <tt>lotus-helpers</tt>
+      #
+      # @since 0.4.0
+      # @api private
+      CSRF_TOKEN = :_csrf_token
+
+      # Idempotent HTTP methods
+      #
+      # By default, the check isn't performed if the request method is included
+      # in this list.
+      #
+      # @since 0.4.0
+      # @api private
+      IDEMPOTENT_HTTP_METHODS = Hash[
+        'GET'     => true,
+        'HEAD'    => true,
+        'TRACE'   => true,
+        'OPTIONS' => true
+      ].freeze
+
+      # @since 0.4.0
+      # @api private
+      def self.included(action)
+        action.class_eval do
+          before :set_csrf_token, :verify_csrf_token
+        end unless Lotus.env?(:test)
+      end
+
+      private
+      # Set CSRF Token in session
+      #
+      # @since 0.4.0
+      # @api private
+      def set_csrf_token
+        session[CSRF_TOKEN] ||= generate_csrf_token
+      end
+
+      # Verify if CSRF token from params, matches the one stored in session.
+      # If not, it raises an error.
+      #
+      # Don't override this method.
+      #
+      # To bypass the security check, please override <tt>#verify_csrf_token?</tt>.
+      # For custom handling of an attack, please override <tt>#handle_invalid_csrf_token</tt>.
+      #
+      # @since 0.4.0
+      # @api private
+      def verify_csrf_token
+        handle_invalid_csrf_token if invalid_csrf_token?
+      end
+
+      # Verify if CSRF token from params, matches the one stored in session.
+      #
+      # Don't override this method.
+      #
+      # @since 0.4.0
+      # @api private
+      def invalid_csrf_token?
+        verify_csrf_token? &&
+          session[CSRF_TOKEN] != params[CSRF_TOKEN]
+      end
+
+      # Generates a random CSRF Token
+      #
+      # @since 0.4.0
+      # @api private
+      def generate_csrf_token
+        SecureRandom.hex(32)
+      end
+
+      # Decide if perform the check or not.
+      #
+      # Override and return <tt>false</tt> if you want to bypass security check.
+      #
+      # @since 0.4.0
+      def verify_csrf_token?
+        !IDEMPOTENT_HTTP_METHODS[request_method]
+      end
+
+      # Handle CSRF attack.
+      #
+      # The default policy resets the session and raises an exception.
+      #
+      # Override this method, for custom handling.
+      #
+      # @raise [Lotus::Action::InvalidCSRFTokenError]
+      #
+      # @since 0.4.0
+      def handle_invalid_csrf_token
+        session.clear
+        raise InvalidCSRFTokenError.new
+      end
+    end
+  end
+end

data/lib/lotus/application.rb

@@ -2,6 +2,7 @@ require 'lotus/utils/class_attribute'
 require 'lotus/frameworks'
 require 'lotus/configuration'
 require 'lotus/loader'
+require 'lotus/logger'
 require 'lotus/rendering_policy'
 require 'lotus/middleware'
 
@@ -105,7 +106,8 @@ module Lotus
     # @return [Lotus::Application] a new instance of the application
     #
     # @since 0.1.0
-    def initialize
+    def initialize(options = {})
+      self.class.configuration.path_prefix options[:path_prefix]
       self.class.load!(self)
     end
 

data/lib/lotus/cli.rb

@@ -61,14 +61,14 @@ module Lotus
     end
 
     desc 'new', 'generates a new application'
-    method_option :database,       aliases: '-d', desc: 'application database',     type: :string,  default: 'filesystem'
-    method_option :architecture,   aliases: '-a', desc: 'application architecture', type: :string,  default: 'container'
-    method_option :application,                   desc: 'application name',         type: :string,  default: 'web'
-    method_option :application_base_url,          desc: 'application base url',     type: :string,  default: '/'
-    method_option :path,                          desc: 'path',                     type: :string
-    method_option :test,                          desc: 'application test framework (rspec/minitest)', type: :string,  default: 'minitest'
-    method_option :lotus_head,                    desc: 'use Lotus HEAD',           type: :boolean, default: false
-    method_option :help,           aliases: '-h', desc: 'displays the usage method'
+    method_option :database,             aliases: '-d',             desc: 'application database',     type: :string,  default: 'filesystem'
+    method_option :architecture,         aliases: ['-a', '--arch'], desc: 'application architecture', type: :string,  default: 'container'
+    method_option :application,                                     desc: 'application name',         type: :string,  default: 'web'
+    method_option :application_base_url,                            desc: 'application base url',     type: :string,  default: '/'
+    method_option :path,                                            desc: 'path',                     type: :string
+    method_option :test,                                            desc: 'application test framework (rspec/minitest)', type: :string,  default: 'minitest'
+    method_option :lotus_head,                                      desc: 'use Lotus HEAD',           type: :boolean, default: false
+    method_option :help,                 aliases: '-h',             desc: 'displays the usage method'
 
     def new(name = nil)
       if options[:help] || name.nil?
@@ -79,11 +79,12 @@ module Lotus
       end
     end
 
-    desc 'generate', 'generates a new action'
-    method_option :application_base_url, desc: 'application base url',     type: :string
-    method_option :path,                desc: 'applications path',                                         type: :string,  default: 'apps'
-    method_option :skip_view,           desc: 'skip the creation of view and templates (only for action)', type: :boolean, default: false
-    method_option :help, aliases: '-h', desc: 'displays the usage method'
+    desc 'generate', 'generates action, model or migration'
+    method_option :application_base_url, desc: 'application base url',                                      type: :string
+    method_option :path,                 desc: 'applications path',                                         type: :string
+    method_option :url,                  desc: 'relative URL for action',                                   type: :string
+    method_option :skip_view,            desc: 'skip the creation of view and templates (only for action)', type: :boolean, default: false
+    method_option :help, aliases: '-h',  desc: 'displays the usage method'
 
     # @since 0.3.0
     # @api private

data/lib/lotus/commands/console.rb

@@ -24,7 +24,7 @@ module Lotus
       def start
         # Clear out ARGV so Pry/IRB don't attempt to parse the rest
         ARGV.shift until ARGV.empty?
-        require @environment.env_config.to_s
+        @environment.require_application_environment
 
         # Add convenience methods to the main:Object binding
         TOPLEVEL_BINDING.eval('self').send(:include, Methods)

data/lib/lotus/commands/db.rb

@@ -17,11 +17,113 @@ module Lotus
         end
       end
 
+      desc 'db create', 'create database'
+
+      desc 'create', 'create database for current environment'
+      method_option :environment, desc: 'path to environment configuration (config/environment.rb)'
+
+      def create
+        if options[:help]
+          invoke :help, ['create']
+        else
+          assert_allowed_environment!
+          require 'lotus/commands/db/create'
+          Lotus::Commands::DB::Create.new(environment).start
+        end
+      end
+
+      desc 'db drop', 'drop database'
+
+      desc 'drop', 'drop database for current environment'
+      method_option :environment, desc: 'path to environment configuration (config/environment.rb)'
+
+      def drop
+        if options[:help]
+          invoke :help, ['drop']
+        else
+          assert_allowed_environment!
+          require 'lotus/commands/db/drop'
+          Lotus::Commands::DB::Drop.new(environment).start
+        end
+      end
+
+      desc 'db migrate', 'migrate database'
+
+      desc 'migrate', 'migrate database for current environment'
+      method_option :environment, desc: 'path to environment configuration (config/environment.rb)'
+
+      def migrate(version = nil)
+        if options[:help]
+          invoke :help, ['migrate']
+        else
+          require 'lotus/commands/db/migrate'
+          Lotus::Commands::DB::Migrate.new(environment, version).start
+        end
+      end
+
+      desc 'db apply', 'apply database changes'
+
+      desc 'apply', 'migrate, dump schema, delete migrations (experimental)'
+      method_option :environment, desc: 'path to environment configuration (config/environment.rb)'
+
+      def apply
+        if options[:help]
+          invoke :help, ['apply']
+        else
+          assert_development_environment!
+          require 'lotus/commands/db/apply'
+          Lotus::Commands::DB::Apply.new(environment).start
+        end
+      end
+
+      desc 'db prepare', 'prepare database'
+
+      desc 'prepare', 'create and migrate database'
+      method_option :environment, desc: 'path to environment configuration (config/environment.rb)'
+
+      def prepare
+        if options[:help]
+          invoke :help, ['prepare']
+        else
+          assert_allowed_environment!
+          require 'lotus/commands/db/prepare'
+          Lotus::Commands::DB::Prepare.new(environment).start
+        end
+      end
+
+      desc 'db version', 'database version'
+
+      desc 'version', 'current database version'
+      method_option :environment, desc: 'path to environment configuration (config/environment.rb)'
+
+      def version
+        if options[:help]
+          invoke :help, ['version']
+        else
+          require 'lotus/commands/db/version'
+          Lotus::Commands::DB::Version.new(environment).start
+        end
+      end
+
       private
 
       def environment
         Lotus::Environment.new(options)
       end
+
+      def assert_allowed_environment!
+        if environment.environment?(:production)
+          puts "Can't run this command in production mode"
+          exit 1
+        end
+      end
+
+      def assert_development_environment!
+        unless environment.environment?(:development)
+          puts "This command can be ran only in development mode"
+          exit 1
+        end
+      end
     end
   end
 end

data/lib/lotus/commands/db/abstract.rb

@@ -0,0 +1,15 @@
+module Lotus
+  module Commands
+    class DB
+      class Abstract
+        def initialize(environment)
+          environment.require_application_environment
+        end
+
+        def start
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/lotus/commands/db/apply.rb

@@ -0,0 +1,14 @@
+require 'lotus/commands/db/abstract'
+
+module Lotus
+  module Commands
+    class DB
+      class Apply < Abstract
+        def start
+          require 'lotus/model/migrator'
+          Lotus::Model::Migrator.apply
+        end
+      end
+    end
+  end
+end

data/lib/lotus/commands/db/console.rb

@@ -10,7 +10,7 @@ module Lotus
           @name        = name
           @environment = environment
           @env_options = environment.to_options
-          load_config
+          @environment.require_application_environment
         end
 
         def start
@@ -44,10 +44,6 @@ module Lotus
         def connection_string
           adapter_class.new(mapper, adapter_config.uri).connection_string
         end
-
-        def load_config
-          require @env_options[:env_config]
-        end
       end
     end
   end

data/lib/lotus/commands/db/create.rb

@@ -0,0 +1,14 @@
+require 'lotus/commands/db/abstract'
+
+module Lotus
+  module Commands
+    class DB
+      class Create < Abstract
+        def start
+          require 'lotus/model/migrator'
+          Lotus::Model::Migrator.create
+        end
+      end
+    end
+  end
+end

data/lib/lotus/commands/db/drop.rb

@@ -0,0 +1,14 @@
+require 'lotus/commands/db/abstract'
+
+module Lotus
+  module Commands
+    class DB
+      class Drop < Abstract
+        def start
+          require 'lotus/model/migrator'
+          Lotus::Model::Migrator.drop
+        end
+      end
+    end
+  end
+end

data/lib/lotus/commands/db/migrate.rb

@@ -0,0 +1,19 @@
+require 'lotus/commands/db/abstract'
+
+module Lotus
+  module Commands
+    class DB
+      class Migrate < Abstract
+        def initialize(environment, version)
+          super(environment)
+          @version = version
+        end
+
+        def start
+          require 'lotus/model/migrator'
+          Lotus::Model::Migrator.migrate(version: @version)
+        end
+      end
+    end
+  end
+end