model_driven_api 3.6.2 → 3.6.4

data/app/controllers/api/v3/application_controller.rb

@@ -0,0 +1,132 @@
+class Api::V3::ApplicationController < Api::V2::ApplicationController
+  include Pagy::Backend
+
+  def index
+    authorize! :index, @model
+
+    status, result, status_number = check_for_custom_action
+    return render json: result, status: (status_number.presence || 200) if status == true
+
+    scope = apply_filters(@model.all)
+    scope = apply_sorting(scope)
+
+    pagy, records = pagy(scope, page: page_number, limit: page_size)
+
+    serializer = Api::V3::SerializerFactory.serializer_for(@model)
+    render json: serializer.new(records, **serializer_opts).serializable_hash.merge(meta: { total: pagy.count }),
+           status: :ok
+  end
+
+  def show
+    authorize! :show, @record
+
+    status, result, status_number = check_for_custom_action
+    return render json: result, status: (status_number.presence || 200) if status == true
+
+    serializer = Api::V3::SerializerFactory.serializer_for(@model)
+    render json: serializer.new(@record, **serializer_opts).serializable_hash, status: :ok
+  end
+
+  def create
+    authorize! :create, @model
+
+    status, result, status_number = check_for_custom_action
+    return render json: result, status: (status_number.presence || 200) if status == true
+
+    record = @model.new(jsonapi_attributes)
+    record.save!
+    serializer = Api::V3::SerializerFactory.serializer_for(@model)
+    render json: serializer.new(record, **serializer_opts).serializable_hash, status: :created
+  end
+
+  def update
+    authorize! :update, @record
+
+    status, result, status_number = check_for_custom_action
+    return render json: result, status: (status_number.presence || 200) if status == true
+
+    @record.update!(jsonapi_attributes)
+    serializer = Api::V3::SerializerFactory.serializer_for(@model)
+    render json: serializer.new(@record, **serializer_opts).serializable_hash, status: :ok
+  end
+
+  alias_method :patch, :update
+
+  def destroy
+    authorize! :destroy, @record
+
+    status, result, status_number = check_for_custom_action
+    return render json: result, status: (status_number.presence || 200) if status == true
+
+    @record.destroy!
+    head :no_content
+  end
+
+  private
+
+  def apply_filters(scope)
+    filter_params = params[:filter] || {}
+    filter_params.each do |field, value|
+      next unless @model.ransackable_attributes.include?(field.to_s)
+      scope = scope.where(field => value)
+    end
+    scope
+  end
+
+  def apply_sorting(scope)
+    return scope if params[:sort].blank?
+    params[:sort].to_s.split(",").each do |field|
+      if field.start_with?("-")
+        scope = scope.order(field[1..] => :desc)
+      else
+        scope = scope.order(field => :asc)
+      end
+    end
+    scope
+  end
+
+  def page_number
+    (params.dig("page", "number") || 1).to_i
+  end
+
+  def page_size
+    (params.dig("page", "size") || Pagy::DEFAULT[:limit] || 25).to_i
+  end
+
+  def jsonapi_attributes
+    (params.dig("data", "attributes") || {}).to_h
+  end
+
+  # Hybrid sideloading: json_attrs[:include] keys are the default;
+  # the client can override with ?include=assoc1,assoc2 (empty string = no sideloads).
+  def requested_includes
+    return default_includes if params["include"].nil?
+    params["include"].to_s.split(",").filter_map { |s| s.strip.to_sym unless s.strip.empty? }
+  end
+
+  def default_includes
+    jattrs = @model.respond_to?(:json_attrs) ? (@model.json_attrs || {}) : {}
+    Array(jattrs[:include]).flat_map do |item|
+      case item
+      when Hash then item.keys
+      when Symbol then [item]
+      else []
+      end
+    end
+  end
+
+  # JSON:API sparse fieldsets: ?fields[roles]=name,lock_version
+  def sparse_fields
+    return {} if params["fields"].blank?
+    params["fields"].to_h.transform_keys(&:to_sym).transform_values { |v| v.to_s.split(",").map(&:to_sym) }
+  end
+
+  def serializer_opts
+    opts = {}
+    includes = requested_includes
+    opts[:include] = includes if includes.any?
+    fields = sparse_fields
+    opts[:fields] = fields if fields.any?
+    opts
+  end
+end

data/app/controllers/api/v3/auth/oauth_controller.rb

@@ -0,0 +1,4 @@
+module Api::V3::Auth
+  class OauthController < Api::V2::Auth::OauthController
+  end
+end

data/app/controllers/api/v3/authentication_controller.rb

@@ -0,0 +1,2 @@
+class Api::V3::AuthenticationController < Api::V2::AuthenticationController
+end

data/app/controllers/api/v3/info_controller.rb

@@ -0,0 +1,37 @@
+class Api::V3::InfoController < Api::V2::InfoController
+  # Override openapi/swagger to generate a v3-accurate spec.
+  # All other info actions (version, roles, heartbeat, ntp, translations,
+  # schema, dsl, settings) are inherited unchanged — they return plain JSON
+  # and are version-agnostic.
+  def openapi
+    uri = URI(request.url)
+    spec = {
+      "openapi" => "3.0.0",
+      "info" => {
+        "title" => "#{Settings.ns(:main).app_name} API",
+        "description" => Api::OpenApi::V3.new(ApplicationRecord.subclasses, request).description,
+        "version" => "v3",
+      },
+      "servers" => [
+        {
+          "url" => "#{uri.scheme}://#{uri.host}#{":#{uri.port}" if uri.port.present?}/api/v3",
+          "description" => "JSON:API v3 base URL",
+        },
+      ],
+      "components" => {
+        "securitySchemes" => {
+          "bearerAuth" => {
+            "type" => "http",
+            "scheme" => "bearer",
+            "bearerFormat" => "JWT",
+          },
+        },
+      },
+      "security" => [{ "bearerAuth" => [] }],
+      "paths" => Api::OpenApi::V3.new(ApplicationRecord.subclasses, request).generate,
+    }
+    render json: spec.to_json, status: 200
+  end
+
+  alias_method :swagger, :openapi
+end

data/app/controllers/api/v3/raw_controller.rb

@@ -0,0 +1,14 @@
+class Api::V3::RawController < Api::V3::ApplicationController
+  skip_before_action :extract_model
+
+  def sql
+    return render json: { error: "Query is required" }, status: 400 if params[:query].nil?
+
+    result = SafeSqlExecutor.execute_select(params[:query]).to_a
+    render json: result, status: 200
+  rescue ArgumentError => e
+    render json: { error: e.message }, status: 400
+  rescue ActiveRecord::StatementInvalid => e
+    render json: { error: e.message }, status: 400
+  end
+end

data/app/controllers/api/v3/users_controller.rb

@@ -0,0 +1,10 @@
+class Api::V3::UsersController < Api::V3::ApplicationController
+  before_action :check_demoting, only: [ :update, :patch, :destroy ]
+
+  private
+
+  def check_demoting
+    attrs = (params.dig("data", "attributes") || {})
+    unauthorized! StandardError.new("You cannot demote yourself") if (params[:id].to_i == current_user.id && (attrs.key?("admin") || attrs.key?("locked")))
+  end
+end

data/config/routes.rb

@@ -8,6 +8,50 @@ Rails.application.routes.draw do
       match "/auth/failure", to: redirect("/api/v2/auth/failure"), via: [:get, :post]
     end
     namespace :api, constraints: { format: :json } do
+      namespace :v3 do
+        if ThecoreAuthCommons.oauth_vars?
+          namespace :auth do
+            post :jwt, to: "oauth#exchange_token"
+          end
+        end
+
+        resources :users
+
+        namespace :info do
+          get :version
+          get :roles
+          get :translations
+          get :schema
+          get :dsl
+          get :heartbeat
+          get :ntp
+          get :settings
+          get :swagger
+          get :openapi
+        end
+
+        post "authenticate" => "authentication#authenticate"
+
+        get  ":ctrl/custom_action/:action_name",     to: "application#index"
+        get  ":ctrl/custom_action/:action_name/:id", to: "application#show"
+        post ":ctrl/custom_action/:action_name",     to: "application#create"
+        put  ":ctrl/custom_action/:action_name/:id", to: "application#update"
+        patch ":ctrl/custom_action/:action_name/:id", to: "application#update"
+        delete ":ctrl/custom_action/:action_name/:id", to: "application#destroy"
+
+        namespace :raw do
+          post :sql
+          get :sql
+        end
+
+        get  "*path/:id", to: "application#show"
+        get  "*path",     to: "application#index"
+        post "*path",     to: "application#create"
+        put  "*path/:id", to: "application#update"
+        patch "*path/:id", to: "application#update"
+        delete "*path/:id", to: "application#destroy"
+      end
+
       namespace :v2 do
         # Authentication via Oauth2 only if the environment variable is set
         if ThecoreAuthCommons.oauth_vars?

data/lib/api/custom_action_dispatcher.rb

@@ -0,0 +1,41 @@
+module Api
+  class CustomActionDispatcher
+    # Dispatch a custom action if the request signals one.
+    # Returns false if this is not a custom action call.
+    # Returns [true, body, status] when dispatched.
+    # Raises NoMethodError if the action name is present but not found.
+    def self.call(model, params, request)
+      custom_action = if !params[:do].blank?
+          params[:do]
+        elsif request.url.include?("/custom_action/")
+          params[:action_name]
+        end
+      return false unless custom_action
+
+      params[:request_url] = request.url
+      params[:remote_ip] = request.remote_ip
+      params[:request_verb] = request.request_method
+      params[:token] = extract_bearer(request)
+
+      Rails.logger.debug("CustomActionDispatcher: #{custom_action} on #{model}")
+
+      if model.respond_to?("custom_action_#{custom_action}")
+        body, status = model.send("custom_action_#{custom_action}", params)
+      elsif ("Endpoints::#{model}".constantize rescue false) &&
+            "Endpoints::#{model}".constantize.instance_methods.include?(custom_action.to_sym)
+        body, status = "Endpoints::#{model}".constantize.new(custom_action, params).result
+      else
+        raise NoMethodError
+      end
+
+      [true, body, status]
+    end
+
+    def self.extract_bearer(request)
+      pattern = /^Bearer /
+      header = request.headers["Authorization"]
+      header.gsub(pattern, "") if header&.match(pattern)
+    end
+    private_class_method :extract_bearer
+  end
+end

data/lib/api/model_resolver.rb

@@ -0,0 +1,20 @@
+module Api
+  class ModelResolver
+    class NotFound < StandardError; end
+
+    # Resolve model from params, controller_path, or controller_name.
+    # Returns nil when no class can be resolved (info/utility controllers use this path).
+    # Raises NotFound when a class is resolved but is not an ActiveRecord model (and not TestApi).
+    def self.resolve(params, controller_path, controller_name)
+      model = (params[:ctrl].classify.constantize rescue
+               params[:path].split("/").first.classify.constantize rescue
+               controller_path.classify.constantize rescue
+               controller_name.classify.constantize rescue
+               nil)
+      if model && model != TestApi
+        raise NotFound unless (model.new.is_a?(ActiveRecord::Base) rescue false)
+      end
+      model
+    end
+  end
+end

data/lib/api/open_api/base.rb

@@ -0,0 +1,91 @@
+module Api
+  module OpenApi
+    class Base
+      def initialize(models, request)
+        @models = models
+        @request = request
+      end
+
+      private
+
+      def compute_type(model, key)
+        Rails.logger.debug "compute_type #{model} #{key}"
+        # if it's a file, a date or a text, then return string
+        instance = model.new
+        # If it's a method, it is a peculiar case, in which we have to return "object" and additionalProperties: true
+        return "method" if model.methods.include?(:json_attrs) && model.json_attrs && model.json_attrs.include?(:methods) && model.json_attrs[:methods].include?(key.to_sym)
+        # If it's not the case of a method, then it's a field
+        method_class = instance.send(key).class.to_s
+        Rails.logger.debug "compute_type #{model} #{key} #{method_class}"
+        method_key = model.columns_hash[key]
+
+        # Not columns
+        return nil if method_key.nil?
+        return "object" if method_class == "ActiveStorage::Attached::One"
+        return "array" if method_class == "ActiveStorage::Attached::Many" || method_class == "Array" || method_class.ends_with?("Array") || method_class.ends_with?("Collection") || method_class.ends_with?("Relation") || method_class.ends_with?("Set") || method_class.ends_with?("List") || method_class.ends_with?("Queue") || method_class.ends_with?("Stack") || method_class.ends_with?("ActiveRecord_Associations_CollectionProxy")
+
+        # Columns
+        case method_key.type
+        when :json, :jsonb
+          return "object"
+        when :enum
+          return "array"
+        when :text, :hstore
+          return "string"
+        when :decimal, :float, :bigint
+          return "number"
+        end
+        method_key.type.to_s
+      end
+
+      def integer?(str)
+        true if Integer(str) rescue false
+      end
+
+      def number?(str)
+        true if Float(str) rescue false
+      end
+
+      def datetime?(str)
+        true if DateTime.parse(str) rescue false
+      end
+
+      def create_properties_from_model(model, dsl, remove_reserved = false)
+        parsed_json = JSON.parse(model.new.to_json(dsl))
+        parsed_json.keys.map do |k|
+          type = compute_type(model, k)
+
+          # Remove fields that cannot be created or updated
+          if remove_reserved && %w( id created_at updated_at lock_version ).include?(k.to_s)
+            nil
+          elsif type == "method" && (parsed_json[k].is_a?(FalseClass) || parsed_json[k].is_a?(TrueClass))
+            [k, { "type": "boolean" }]
+          elsif type == "method" && parsed_json[k].is_a?(String) && number?(parsed_json[k])
+            [k, { "type": "number" }]
+          elsif type == "method" && parsed_json[k].is_a?(String) && integer?(parsed_json[k])
+            [k, { "type": "integer" }]
+          elsif type == "method" && parsed_json[k].is_a?(String) && datetime?(parsed_json[k])
+            [k, { "type": "string", "format": "date-time" }]
+          elsif type == "method"
+            # Unknown or complex format returned
+            [k, { "type": "object", "additionalProperties": true }]
+          elsif type == "date"
+            [k, { "type": "string", "format": "date" }]
+          elsif type == "datetime"
+            [k, { "type": "string", "format": "date-time" }]
+          elsif type == "object" && (k.classify.constantize rescue false)
+            sub_model = k.classify.constantize
+            properties = dsl[:include].present? && dsl[:include].include?(k) ? create_properties_from_model(sub_model, dsl[:include][k.to_sym]) : create_properties_from_model(sub_model, {})
+            [k, { "type": "object", "properties": properties }] rescue nil
+          elsif type == "array" && (k.classify.constantize rescue false)
+            sub_model = k.classify.constantize
+            properties = dsl[:include].present? && dsl[:include].include?(k) ? create_properties_from_model(sub_model, dsl[:include][k.to_sym]) : create_properties_from_model(sub_model, {})
+            [k, { "type": "array", "items": { "type": "object", "properties": properties } }] rescue nil
+          else
+            [k, { "type": type }]
+          end unless type.blank?
+        end.compact.to_h
+      end
+    end
+  end
+end