mno-enterprise-api 3.1.4 → 3.2.0

data/app/views/mno_enterprise/provision/_select_organization.html.haml

@@ -1,5 +1,9 @@
-.banners.promo.dark.darkblue
+.banners
+  .spacer1
   .container
+    .row
+      .col-md-6.text-center.col-md-offset-3
+        = image_tag 'mno_enterprise/main-logo.png', class: 'top-picture'
     .row
       %h2= t('mno_enterprise.provision.select_organization.title')
 .banners.promo
@@ -14,4 +18,4 @@
               = hidden_field_tag 'apps[]', app
             = select_tag :organization_id, options_for_select(@organizations.map { |o| [o.name, o.id]} )
             = submit_tag t('mno_enterprise.provision.select_organization.submit'), class: 'btn'
-        .spacer4
+        .spacer4

data/config/initializers/devise.rb

@@ -19,7 +19,7 @@ Devise.setup do |config|
   # Load and configure the ORM. Supports :active_record (default) and
   # :mongoid (bson_ext recommended) by default. Other ORMs may be
   # available as additional gems.
-  require 'devise/orm/active_record'
+  # require 'devise/orm/active_record'
 
   # ==> Configuration for any authentication mechanism
   # Configure which keys are used when authenticating a user. The default is
@@ -99,6 +99,9 @@ Devise.setup do |config|
   # Setup a pepper to generate the encrypted password.
   # config.pepper = '11ab398be280e434b1dc50197d359577c1bc52efd28a07d081e397c7c11dcf8d1ad80f40188d58421830c20351f5af8c1217b39397ca95ee33809c74b028972f'
 
+  # Send a notification email when the user's password is changed
+  config.send_password_change_notification = true
+
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be
@@ -233,7 +236,26 @@ Devise.setup do |config|
   # ==> OmniAuth
   # Add a new OmniAuth provider. Check the wiki for more information on setting
   # up on your models and hooks.
-  # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
+  if defined?(OmniAuth::OpenID) && !Rails.env.test?
+    require 'openid-store-redis'
+    config.omniauth :open_id,
+                    store: OpenID::Store::Redis.new,
+                    name: 'intuit',
+                    identifier: 'https://openid.intuit.com/openid/xrds',
+                    require: 'omniauth-openid'
+  end
+  if ENV['OAUTH_LINKEDIN_KEY'] && ENV['OAUTH_LINKEDIN_SECRET']
+    require 'omniauth-linkedin-oauth2'
+    config.omniauth :linkedin, ENV['OAUTH_LINKEDIN_KEY'], ENV['OAUTH_LINKEDIN_SECRET']
+  end
+  if ENV['OAUTH_GOOGLE_KEY'] && ENV['OAUTH_GOOGLE_SECRET']
+    require 'omniauth-google-oauth2'
+    config.omniauth :google_oauth2, ENV['OAUTH_GOOGLE_KEY'], ENV['OAUTH_GOOGLE_SECRET'], name: :google
+  end
+  if ENV['OAUTH_FACEBOOK_KEY'] && ENV['OAUTH_FACEBOOK_SECRET']
+    require 'omniauth-facebook'
+    config.omniauth :facebook, ENV['OAUTH_FACEBOOK_KEY'], ENV['OAUTH_FACEBOOK_SECRET'], secure_image_url: true
+  end
 
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
@@ -258,16 +280,16 @@ Devise.setup do |config|
   # The router that invoked `devise_for`, in the example above, would be:
   # config.router_name = :my_engine
   config.router_name = :mno_enterprise
-  
-  #
-  # When using omniauth, Devise cannot automatically set Omniauth path,
-  # so you need to do it manually. For the users scope, it would be:
-  # config.omniauth_path_prefix = '/my_engine/users/auth'
-  #
+
   # When using omniauth, Devise cannot automatically set Omniauth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
-  #
+
   # Inherit from engine ApplicationController
   config.parent_controller = 'MnoEnterprise::ApplicationController'
+
+  Rails.application.config.after_initialize do
+    config.omniauth_path_prefix = '/mnoe/users/auth'
+    ::OmniAuth::config.path_prefix = config.omniauth_path_prefix if defined?(OmniAuth)
+  end
 end

data/config/initializers/devise_log.rb

@@ -1,12 +1,12 @@
 Warden::Manager.after_authentication do |user, auth, opts|
-  MnoEnterprise::EventLogger.info('user_login', user.id, "User login", user.email, user) if user
+  MnoEnterprise::EventLogger.info('user_login', user.id, 'User login', user) if user
 end
 
 Warden::Manager.before_logout do |user, auth, opts|
   # Determine whether it's a sign out or timeout
-  if auth.env['PATH_INFO'] =~ %r{^/auth/users/sign_out.json$}
-    MnoEnterprise::EventLogger.info('user_logout', user.id, "User logout", user.email, user) if user
+  if auth.env['PATH_INFO'] =~ %r{^/auth/users/sign_out}
+    MnoEnterprise::EventLogger.info('user_logout', user.id, 'User logout', user) if user
   else
-    MnoEnterprise::EventLogger.info('user_timeout', user.id, "User session expired", user.email, user) if user
+    MnoEnterprise::EventLogger.info('user_timeout', user.id, 'User session expired', user) if user
   end
 end

data/config/routes.rb

@@ -5,6 +5,7 @@ MnoEnterprise::Engine.routes.draw do
   get '/app_access_unauthorized', to: 'pages#app_access_unauthorized'
   get '/billing_details_required', to: 'pages#billing_details_required'
   get '/app_logout', to: 'pages#app_logout'
+  get '/terms', to: 'pages#terms'
 
   # Health Status
   get '/ping', to: 'status#ping'
@@ -38,9 +39,10 @@ MnoEnterprise::Engine.routes.draw do
       class_name: "MnoEnterprise::User",
       module: :devise,
       path_prefix: 'auth',
+      skip: :omniauth_callbacks,
       controllers: {
           confirmations: "mno_enterprise/auth/confirmations",
-          #omniauth_callbacks: "auth/omniauth_callbacks",
+          omniauth_callbacks: "mno_enterprise/auth/omniauth_callbacks",
           passwords: "mno_enterprise/auth/passwords",
           registrations: "mno_enterprise/auth/registrations",
           sessions: "mno_enterprise/auth/sessions",
@@ -54,6 +56,19 @@ MnoEnterprise::Engine.routes.draw do
     get "/auth/users/confirmation/lounge", to: "auth/confirmations#lounge", as: :user_confirmation_lounge
     patch "/auth/users/confirmation/finalize", to: "auth/confirmations#finalize", as: :user_confirmation_finalize
     patch "/auth/users/confirmation", to: "auth/confirmations#update"
+
+    # Patch omniauth routes as per plataformatec/devise#2692
+    providers = Regexp.union(Devise.omniauth_providers.map(&:to_s))
+    match "/users/auth/:provider",
+          constraints: { provider: providers },
+          to: "auth/omniauth_callbacks#passthru",
+          as: :user_omniauth_authorize,
+          via: [:get, :post]
+    match "/users/auth/:action/callback",
+          constraints: { action: providers },
+          controller: "auth/omniauth_callbacks",
+          as: :user_omniauth_callback,
+          via: [:get, :post]
   end
 
   #============================================================
@@ -76,9 +91,16 @@ MnoEnterprise::Engine.routes.draw do
   #============================================================
   namespace :jpi do
     namespace :v1 do
-      resources :marketplace, only: [:index, :show]
+      resources :marketplace, only: [:index, :show] do
+        member do
+          %i(app_reviews app_feedbacks app_comments app_questions app_answers).each do |name|
+            resources name, except: [:new, :edit], param: :review_id
+          end  
+        end
+      end
       resource :current_user, only: [:show, :update] do
         put :update_password
+        put :register_developer
         #post :deletion_request, action: :create_deletion_request
         #delete :deletion_request, action: :cancel_deletion_request
       end
@@ -92,7 +114,7 @@ MnoEnterprise::Engine.routes.draw do
         end
 
         # AppInstances
-        resources :app_instances, only: [:index, :destroy], shallow: true
+        resources :app_instances, only: [:index, :create, :destroy], shallow: true
 
         # Teams
         resources :teams, only: [:index, :show, :create, :update, :destroy], shallow: true do
@@ -113,8 +135,17 @@ MnoEnterprise::Engine.routes.draw do
 
       namespace :impac do
         resources :dashboards, only: [:index, :show, :create, :update, :destroy] do
-          resources :widgets, shallow: true, only: [:create, :destroy, :update]
-          resources :kpis, shallow: true, only: [:create, :destroy, :update]
+          resources :widgets, shallow: true, only: [:create, :update, :destroy]
+          resources :kpis, shallow: true, only: [:show, :create, :update, :destroy] do
+            resources :alerts, shallow: true, only: [:create, :update, :destroy]
+          end
+        end
+
+        resources :kpis, only: :index
+        resources :alerts, only: :index
+
+        resources :organizations, only: [] do
+          resources :widgets, only: :index
         end
       end
 
@@ -124,13 +155,17 @@ MnoEnterprise::Engine.routes.draw do
       #============================================================
       namespace :admin, defaults: {format: 'json'} do
         resources :audit_events, only: [:index]
+        resources :app_instances, only: [:destroy], shallow: true
+        resources :app_reviews, only: [:index, :show,  :update]
+        resources :app_comments, only: [:create]
+        resources :app_answers, only: [:create]
         resources :users, only: [:index, :show, :destroy, :update, :create] do
           collection do
             get :count
             post :signup_email
           end
         end
-        resources :organizations, only: [:index, :show, :create] do
+        resources :organizations, only: [:index, :show, :update, :create] do
           collection do
             get :in_arrears
             get :count

data/lib/mno_enterprise/api.rb

@@ -1,6 +1,7 @@
 require 'action_view' # To fix "uninitialized constant Haml::ActionView"
 require 'jbuilder'
 require 'haml'
+require 'credit_card_validations'
 
 require 'mno_enterprise/core'
 

data/lib/mno_enterprise/audit_events_listener.rb

@@ -0,0 +1,28 @@
+require 'httparty'
+
+module MnoEnterprise
+  class AuditEventsListener
+    include HTTParty
+    base_uri "#{MnoEnterprise.mno_api_private_host || MnoEnterprise.mno_api_host}/api/mnoe/v1/audit_events"
+    read_timeout 0.1
+    basic_auth MnoEnterprise.tenant_id, MnoEnterprise.tenant_key
+
+    def info(key, current_user_id, description, subject_type, subject_id, metadata)
+      self.class.post('', body: {
+        data: {
+          key: key,
+          user_id: current_user_id,
+          description: description,
+          metadata: metadata,
+          subject_type: subject_type,
+          subject_id: subject_id
+        }})
+    rescue Net::ReadTimeout
+      # Meant to fail
+    end
+
+  end
+
+
+end
+

data/lib/mno_enterprise/concerns/controllers/jpi/v1/app_instances_controller.rb

@@ -0,0 +1,45 @@
+module MnoEnterprise::Concerns::Controllers::Jpi::V1::AppInstancesController
+  extend ActiveSupport::Concern
+
+  #==================================================================
+  # Included methods
+  #==================================================================
+  # 'included do' causes the included code to be evaluated in the
+  # context where it is included rather than being executed in the module's context
+  included do
+    respond_to :json
+  end
+
+  #==================================================================
+  # Instance methods
+  #==================================================================
+  # GET /mnoe/jpi/v1/organization/1/apps.json?timestamp=151452452345
+  def index
+    @app_instances = parent_organization.app_instances.active.where("updated_at.gt" => Time.at(timestamp)).select do |i|
+      # force owner assignment to avoid a refetch in ability can?(:access,i)
+      i.owner = parent_organization
+      can?(:access,i)
+    end
+  end
+
+  # POST /mnoe/jpi/v1/organization/1/app_instances
+  def create
+    authorize! :manage_app_instances, parent_organization
+    app_instance = parent_organization.app_instances.create(product: params[:nid])
+    MnoEnterprise::EventLogger.info('app_add', current_user.id, 'App added', app_instance)
+    head :created
+  end
+
+  # DELETE /mnoe/jpi/v1/app_instances/1
+  def destroy
+    app_instance = MnoEnterprise::AppInstance.find(params[:id])
+
+    if app_instance
+      authorize! :manage_app_instances, app_instance.owner
+      MnoEnterprise::EventLogger.info('app_destroy', current_user.id, 'App destroyed', app_instance)
+      app_instance.terminate
+    end
+
+    head :accepted
+  end
+end

data/lib/mno_enterprise/concerns/controllers/jpi/v1/current_users_controller.rb

@@ -23,11 +23,21 @@ module MnoEnterprise::Concerns::Controllers::Jpi::V1::CurrentUsersController
   # PUT /mnoe/jpi/v1/current_user
   def update
     @user = current_user
-
     @user.assign_attributes(user_params)
     changes = @user.changes
     if @user.update(user_params)
-      MnoEnterprise::EventLogger.info('user_update', current_user.id, "User update", changes, @user)
+      MnoEnterprise::EventLogger.info('user_update', current_user.id, 'User update', @user, changes)
+      render :show
+    else
+      render json: @user.errors, status: :bad_request
+    end
+  end
+
+  # PUT /mnoe/jpi/v1/current_user/register_developer
+  def register_developer
+    @user = current_user
+    if @user.update(developer: true)
+      MnoEnterprise::EventLogger.info('register_developer', current_user.id, "User developer register", @user)
       render :show
     else
       render json: @user.errors, status: :bad_request
@@ -39,14 +49,14 @@ module MnoEnterprise::Concerns::Controllers::Jpi::V1::CurrentUsersController
     @user = current_user
 
     if @user.update(password_params.merge(current_password_required: true))
-      MnoEnterprise::EventLogger.info('user_update_password', current_user.id, "User password change", @user.email, @user)
+      MnoEnterprise::EventLogger.info('user_update_password', current_user.id, 'User password change', @user)
       sign_in @user, bypass: true
       render :show
     else
       render json: @user.errors, status: :bad_request
     end
   end
-    
+
   private
     def user_params
       params.require(:user).permit(:name, :surname, :email, :company, :settings, :phone, :website, :phone_country_code, :current_password, :password, :password_confirmation)

data/lib/mno_enterprise/concerns/controllers/jpi/v1/impac/alerts_controller.rb

@@ -0,0 +1,76 @@
+module MnoEnterprise::Concerns::Controllers::Jpi::V1::Impac::AlertsController
+  extend ActiveSupport::Concern
+
+  #==================================================================
+  # Included methods
+  #==================================================================
+  # 'included do' causes the included code to be evaluated in the
+  # context where it is included rather than being executed in the module's context
+  included do
+    respond_to :json
+  end
+
+  # GET /jpi/v1/impac/alerts
+  def index
+    @alerts = current_user.alerts
+  end
+
+  # POST /jpi/v1/impac/kpis/:kpi_id/alerts
+  def create
+    return render_bad_request('attach alert to kpi', 'no alert specified') unless params.require(:alert)
+    return render_not_found('kpi') unless kpi_alert.kpi
+
+    authorize! :manage_alert, kpi_alert
+
+    if (@alert = current_user.alerts.create(kpi_alert.attributes))
+      render 'show'
+    else
+      render_bad_request('attach alert to kpi', "impossible to save record: #{@kpi_alert.inspect}")
+    end
+  end
+
+  # PUT /jpi/v1/impac/alerts/:id
+  def update
+    return render_bad_request('update alert attributes', 'no alert hash specified') unless params.require(:alert)
+    return render_not_found('alert') unless alert
+
+    attributes = params.require(:alert).permit(:title, :webhook, :sent)
+
+    authorize! :manage_alert, alert
+
+    if alert.update(attributes)
+      render 'show'
+    else
+      render_bad_request('update alert', "unable to save record: #{alert.inspect}")
+    end
+  end
+
+  # DELETE /jpi/v1/impac/alerts/:id
+  def destroy
+    return render_not_found('alert') unless alert
+
+    authorize! :manage_alert, alert
+
+    service = alert.service
+    if alert.destroy
+      render json: { deleted: { service: service } }
+    else
+      render_bad_request('destroy alert', "impossible to destroy record: #{alert.inspect}")
+    end
+  end
+
+
+  private
+
+    def alert
+      @alert ||= MnoEnterprise::Impac::Alert.find(params.require(:id))
+    end
+
+    def kpi_alert
+      @alert ||= (
+        kpi_id = params.require(:kpi_id)
+        attributes = params.require(:alert).merge(impac_kpi_id: kpi_id)
+        MnoEnterprise::Impac::Alert.new(attributes)
+      )
+    end
+end

data/lib/mno_enterprise/concerns/controllers/jpi/v1/impac/dashboards_controller.rb

@@ -19,58 +19,84 @@ module MnoEnterprise::Concerns::Controllers::Jpi::V1::Impac::DashboardsControlle
   end
 
   # GET /mnoe/jpi/v1/impac/dashboards/1
+  #   -> GET /api/mnoe/v1/users/1/dashboards
   def show
     dashboard
-    render json: { errors: "Dashboard id #{params[:id]} doesn't exist" }, status: :not_found unless @dashboard
+    render_not_found('dashboard') unless @dashboard
   end
 
   # POST /mnoe/jpi/v1/impac/dashboards
-  #  -> POST /api/mnoe/v1/users/282/dashboards
+  #   -> POST /api/mnoe/v1/users/1/dashboards
   def create
+    # TODO: dashboards.build breaks as dashboard.organization_ids returns nil, instead of an
+    #       empty array. (see MnoEnterprise::Impac::Dashboard #organizations)
+    # @dashboard = dashboards.build(dashboard_create_params)
+    # TODO: enable authorization
+    # authorize! :manage_dashboard, @dashboard
+    # if @dashboard.save
     if @dashboard = dashboards.create(dashboard_create_params)
-      # authorize! :create, @dashboard
-      MnoEnterprise::EventLogger.info('dashboard_create', current_user.id, 'Dashboard Creation', nil, @dashboard)
+      MnoEnterprise::EventLogger.info('dashboard_create', current_user.id, 'Dashboard Creation', @dashboard)
+
       render 'show'
     else
-      render json: @dashboard.errors, status: :bad_request
+      render_bad_request('create dashboard', @dashboard.errors)
     end
   end
 
   # PUT /mnoe/jpi/v1/impac/dashboards/1
+  #   -> PUT /api/mnoe/v1/dashboards/1
   def update
+    return render_not_found('dashboard') unless dashboard
+
+    # TODO: enable authorization
+    # authorize! :manage_dashboard, dashboard
+
     if dashboard.update(dashboard_update_params)
-      # dashboard.assign_attributes(attrs)
-      # authorize! :update, dashboard
       render 'show'
     else
-      render json: @dashboard.errors, status: :bad_request
+      render_bad_request('update dashboard', dashboard.errors)
     end
   end
 
   # DELETE /mnoe/jpi/v1/impac/dashboards/1
+  #   -> DELETE /api/mnoe/v1/dashboards/1
   def destroy
-    # authorize! :destroy, @dashboard
+    return render_not_found('dashboard') unless dashboard
+
+    # TODO: enable authorization
+    # authorize! :manage_dashboard, dashboard
+
     if dashboard.destroy
-      MnoEnterprise::EventLogger.info('dashboard_delete', current_user.id, 'Dashboard Deletion', nil, dashboard)
+      MnoEnterprise::EventLogger.info('dashboard_delete', current_user.id, 'Dashboard Deletion', dashboard)
       head status: :ok
     else
-      render json: 'Unable to destroy dashboard', status: :bad_request
+      render_bad_request('destroy dashboard', 'Unable to destroy dashboard')
     end
   end
 
-  protected
+  private
 
-  def dashboard
-    @dashboard ||= current_user.dashboards.to_a.find { |d| d.id.to_s == params[:id].to_s }
-  end
+    def dashboard
+      @dashboard ||= current_user.dashboards.find(params[:id].to_i)
+    end
 
-  def dashboards
-    @dashboards ||= current_user.dashboards
-  end
+    def dashboards
+      @dashboards ||= current_user.dashboards
+    end
+
+    def whitelisted_params
+      [:name, :currency, {widgets_order: []}, {organization_ids: []}]
+    end
+
+    # Allows all metadata attrs to be permitted, and maps it to :settings
+    # for the Her "meta_data" issue.
+    def dashboard_params
+      params.require(:dashboard).permit(*whitelisted_params).tap do |whitelisted|
+        whitelisted[:settings] = params[:dashboard][:metadata] || {}
+      end
+      .except(:metadata)
+    end
+    alias :dashboard_update_params  :dashboard_params
+    alias :dashboard_create_params  :dashboard_params
 
-  def dashboard_params
-    params.require(:dashboard).permit(:name, :currency, {widgets_order: []}, {organization_ids: []})
-  end
-  alias :dashboard_update_params  :dashboard_params
-  alias :dashboard_create_params  :dashboard_params
 end