model_driven_api 3.2.4 → 3.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 010f1acfbe42371a8465ba5eeae1f6a5cc0d8c7d5891c30b52ed2c9056bfd7d0
-  data.tar.gz: fb81afbec2d0ce91297c68b212a97e213c0b0d7cf15630c82af753f5511ec1f7
+  metadata.gz: e73b3aaf951e74746e4f15fd020a5e9811b13f8222bee893e3b657323dbea0f7
+  data.tar.gz: 38f200e4c7550d9f15ff356e3323fe2a4bdaa5328f6c4c94e5d05401de1cf60a
 SHA512:
-  metadata.gz: '01941ccd88639849a80e1068266b083911915793f0513835e6caf2c61b718d7c4c80d0c57c4a59f25f4a64ddf85a728d18fccada0cf7e53e813b39293b26b339'
-  data.tar.gz: e9243797670a8dba2dbd87a2e79571dbb5e39dea8fa26379934a08fe74137db7bb053fc73bbb63d811962397bff5e4cb64c11fdf7b65b5abcfe363827a7185df
+  metadata.gz: 84c35cf76c50627514dc34702c136f3506fed645ccfb2228d26c21338de8b310e598d18fb302c11675056d0956310641fe0b1d0c60edfb5869ef88e718643833
+  data.tar.gz: 003ee1a957b5f8a2dc9c40c68acf8d57ec4d64ae5e29f26452ea7f763db37e93bb2cd6dd410ca4d31535e8b1613252a335b8efa75cd6462a0bbd2131df8a25c0

data/app/controllers/api/v2/info_controller.rb

@@ -198,6 +198,98 @@ class Api::V2::InfoController < Api::V2::ApplicationController
           }
         }
       },
+      "/raw/sql": {
+        "post": {
+          "summary": "Raw SQL query execution of SELECT queries",
+          "description": "Executes a SQL query on the underlying PostgreSQL database.
+
+Designed for SELECT queries that use the json_agg function to aggregate results into JSON arrays. 
+
+Other query types are not recommended and may be restricted for security and performance reasons. 
+
+Only SELECT statements are allowed. DDL and DML statements (INSERT, UPDATE, DELETE) are forbidden.
+
+Queries can be as simple as 
+          
+    SELECT json_agg(u) AS result
+    FROM users u
+    WHERE u.active = true;
+
+or more complex, using joins, subqueries, CTEs, and other SQL features. like:
+
+    WITH order_details AS (
+        SELECT 
+            o.id AS order_id,
+            o.date AS order_date,
+            json_agg(
+                json_build_object(
+                    'item_id', i.id,
+                    'item_name', i.name,
+                    'quantity', oi.quantity,
+                    'price', oi.price
+                )
+            ) AS items
+        FROM orders o
+        JOIN order_items oi ON o.id = oi.order_id
+        JOIN items i ON i.id = oi.item_id
+        GROUP BY o.id
+    )
+    SELECT json_agg(
+        json_build_object(
+            'order_id', od.order_id,
+            'order_date', od.order_date,
+            'customer', json_build_object(
+                'id', c.id,
+                'name', c.name
+            ),
+            'items', od.items
+        )
+    ) AS result
+  FROM order_details od
+  JOIN customers c ON c.id = od.order_id;
+
+          ",
+          "tags": ["Raw"],
+          "security": [
+            "bearerAuth": []
+          ],
+          "responses": {
+            "200": {
+              "description": "SQL Query Result",
+              "content": {
+                "application/json": {
+                  "schema": {
+                    "type": "array",
+                    "items": {
+                      "type": "object",
+                      "properties": {
+                        "json_agg": {
+                          "type": "string"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "requestBody": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "query": {
+                      "type": "string",
+                      "example": "SELECT json_agg(u) FROM users u WHERE u.active = true;"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
       "/info/version": {
         "get": {
           "summary": "Version",

data/app/controllers/api/v2/raw_controller.rb

@@ -0,0 +1,17 @@
+# require 'model_driven_api/version'
+class Api::V2::RawController < Api::V2::ApplicationController
+  # Info uses a different auth method: username and password
+  # skip_before_action :authenticate_request, only: [:version, :swagger, :openapi], raise: false
+  skip_before_action :extract_model
+  
+  # api :GET, '/api/v2/raw/sql'
+  def sql
+    # if params is nil, render 400
+    render json: { error: "Query is required" }, status: 400 and return if params[:query].nil?
+
+    query = params[:query]
+
+    render json: SafeSqlExecutor.execute_select(query).first["json_agg"], status: 200
+  end
+
+end

data/config/routes.rb

@@ -18,6 +18,10 @@ Rails.application.routes.draw do
                 get :openapi
             end
 
+            namespace :raw do
+              post :sql
+            end
+
             post "authenticate" => "authentication#authenticate"
             post ":ctrl/search" => 'application#index'
 

data/lib/model_driven_api/version.rb

@@ -1,3 +1,3 @@
 module ModelDrivenApi
-  VERSION = "3.2.4".freeze
+  VERSION = "3.2.5".freeze
 end

data/lib/model_driven_api.rb

@@ -15,6 +15,8 @@ require 'deep_merge/rails_compat'
 
 require "model_driven_api/engine"
 
+require "safe_sql_executor"
+
 module ModelDrivenApi
   def self.smart_merge src, dest
       src.deeper_merge! dest, {

data/lib/safe_sql_executor.rb

@@ -0,0 +1,20 @@
+module SafeSqlExecutor
+  def self.execute_select(query)
+    # Validate the query
+    validate_select_query(query)
+
+    # Execute the query
+    ActiveRecord::Base.connection.execute(query)
+  end
+
+  private
+
+  def self.validate_select_query(query)
+    sanitized_query = query.strip.gsub(/\s+/, " ").upcase
+
+    # Allow SELECT or WITH...SELECT queries
+    unless sanitized_query.match?(/^(WITH .+)?SELECT /)
+      raise ArgumentError, "Only SELECT queries (including with CTEs) are allowed"
+    end
+  end
+end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: model_driven_api
 version: !ruby/object:Gem::Version
-  version: 3.2.4
+  version: 3.2.5
 platform: ruby
 authors:
 - Gabriele Tassoni
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-07-22 00:00:00.000000000 Z
+date: 2025-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thecore_backend_commons
@@ -124,6 +123,7 @@ files:
 - app/controllers/api/v2/application_controller.rb
 - app/controllers/api/v2/authentication_controller.rb
 - app/controllers/api/v2/info_controller.rb
+- app/controllers/api/v2/raw_controller.rb
 - app/controllers/api/v2/users_controller.rb
 - app/models/endpoints/test_api.rb
 - app/models/test_api.rb
@@ -146,13 +146,13 @@ files:
 - lib/model_driven_api/engine.rb
 - lib/model_driven_api/version.rb
 - lib/non_crud_endpoints.rb
+- lib/safe_sql_executor.rb
 - lib/tasks/model_driven_api_tasks.rake
 homepage: https://github.com/gabrieletassoni/model_driven_api
 licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -167,8 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key: 
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Convention based RoR engine which uses DB schema introspection to create
   REST APIs.