practical 0.1.0 → 3.0.0.pre.alpha1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da7aaa72d992ff3aaf4a43ed5c374c6ff1652843075713e08fa95ab1244d88bf
-  data.tar.gz: 6c935a7c4cc3ac3538aa78c2f100b6b009b3113577b53bfba7b39efed5a3878d
+  metadata.gz: df17b4a0aff5baa56ac16602fe85779f7693b00331bff301258f084dbd4c15ef
+  data.tar.gz: a9ba95edf2300f43c70c72e028282a1045d831f76128cc705c1aaf7ab287e6dc
 SHA512:
-  metadata.gz: 88fd0246800371d155ccba2fc6337127a82e31e5ba41fb793bef3558149307914f095cb3e4fa620d86ca34a097f44fcf9278491667dc21bcd10856f04f453f2e
-  data.tar.gz: d7c98265992ff1ed00a0e9c6562bcebe239e749e4364345c5a364224c6835226909ae7e39802941867d6daa063e26739e02adb74556c5148927fa22ba682953c
+  metadata.gz: 38706fd22c3881826b066a9dd4d1032395d19ce2fe062b0ea64dca1cb974b4de0944bd7ddfc563277495dbdc35cbb0ca4ae83c264ed884515b09dec74c0f9bac
+  data.tar.gz: bbab74d5607eb57b2eeff685935cd20421170e2ce99c4eee30bf593e2581b4fc97d9c4c86d1e82698d0c1a2b76fd3a6b2a8156a2d4c30d103afcc344c41327cd

data/README.md

@@ -1,18 +1,18 @@
 # `practical`: The Practical Framework
 
-_This gem is currently being open-sourced from a private repo, while also being singificantly reorganized. Its 3.0 release will be live soon!_
+_This gem has been open-sourced from a private repo, while also being singificantly reorganized. The code is functional and (mostly) tested; but it is marked as alpha until it can be properly documented, and existing apps switched over to use 3.0_
 
 ## Installation
 
-TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
+TODO: Replace `practical` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
 
 Install the gem and add to the application's Gemfile by executing:
 
-    $ bundle add UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+    $ bundle add practical
 
 If bundler is not being used to manage dependencies, install the gem by executing:
 
-    $ gem install UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+    $ gem install practical
 
 ## Usage
 

data/app/components/practical/views/flash_messages_component.rb

@@ -48,7 +48,6 @@ class Practical::Views::FlashMessagesComponent < Practical::Views::BaseComponent
       icon = data[:icon]
     end
 
-
     component = Practical::Views::ToastComponent.new(color_variant: color_variant)
 
     render component do |component|

data/app/components/practical/views/form/fallback_errors_section_component.rb

@@ -1,16 +1,18 @@
 # frozen_string_literal: true
 
 class Practical::Views::Form::FallbackErrorsSectionComponent < Practical::Views::BaseComponent
-  attr_reader :f, :blurb
-  def initialize(f:, blurb:, options:)
+  attr_reader :f, :id, :blurb
+  def initialize(f:, id:, blurb:, options:)
     @f = f
+    @id = id
     @blurb = blurb
     @options = options
   end
 
   def finalized_options
     mix({
-      class: ["error-section", "fallback-error-section", "wa-callout", "wa-danger"]
+      class: ["error-section", "fallback-error-section", "wa-callout", "wa-danger"],
+      id: id
     }, @options)
   end
 

data/app/components/practical/views/form/option_label_component.rb

@@ -9,7 +9,6 @@ class Practical::Views::Form::OptionLabelComponent < Practical::Views::BaseCompo
     self.options = options
   end
 
-
   def call
     tag.section(**mix({class: "wa-stack wa-size-s wa-gap-0"}, options)) {
       safe_join([

data/app/components/practical/views/navigation/breadcrumb_item_component.rb

@@ -8,7 +8,6 @@ class Practical::Views::Navigation::BreadcrumbItemComponent < Practical::Views::
     self.options = options
   end
 
-
   def call
     tag.wa_breadcrumb_item(**mix({}, options)) {
       safe_join([

data/app/components/practical/views/navigation/breadcrumbs_component.rb

@@ -34,7 +34,8 @@ class Practical::Views::Navigation::BreadcrumbsComponent < Practical::Views::Bas
   end
 
   def build_crumb(crumb:)
-    render(Practical::Views::Navigation::BreadcrumbItemComponent.new(options: { href: crumb.current? ? nil : crumb.url })) {
+    href = crumb.current? ? nil : crumb.url
+    render(Practical::Views::Navigation::BreadcrumbItemComponent.new(options: { href: href })) {
       crumb.name
     }
   end

data/app/{controllers/concerns/practical/auth/passkeys → concerns/practical/auth/passkeys/controllers}/emergency_registrations.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-module Practical::Auth::Passkeys::EmergencyRegistrations
+module Practical::Auth::Passkeys::Controllers::EmergencyRegistrations
   extend ActiveSupport::Concern
-  include Practical::Auth::Passkeys::WebAuthnDebugContext
+  include Practical::Auth::Passkeys::Controllers::WebAuthnDebugContext
 
   def new_challenge
     options_for_registration = generate_registration_options(

data/app/{controllers/concerns/practical/auth/passkeys → concerns/practical/auth/passkeys/controllers}/web_authn_debug_context.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module Practical::Auth::Passkeys::WebAuthnDebugContext
+module Practical::Auth::Passkeys::Controllers::WebAuthnDebugContext
   def honeybadger_webauthn_context
     debug_credential = WebAuthn::Credential.from_create(parsed_credential, relying_party: relying_party)
     debug_client_data_json = debug_credential.response.client_data.as_json

data/app/concerns/practical/memberships/controllers/membership_invitations/register_with_passkey.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module Practical::Memberships::Controllers::MembershipInvitations::RegisterWithPasskey
+  extend ActiveSupport::Concern
+  include Practical::Auth::Passkeys::Controllers::WebAuthnDebugContext
+
+  def new_create_challenge
+    options_for_registration = generate_registration_options(
+      relying_party: relying_party,
+      user_details: user_details_for_registration,
+      exclude: []
+    )
+
+    store_challenge_in_session(options_for_registration: options_for_registration)
+
+    render json: options_for_registration
+  end
+
+  def raw_credential
+    passkey_params[:passkey_credential]
+  end
+
+  def verify_credential_integrity
+    return render_credential_missing_or_could_not_be_parsed_error if parsed_credential.nil?
+    return render_credential_missing_or_could_not_be_parsed_error unless parsed_credential.kind_of?(Hash)
+  rescue JSON::JSONError, TypeError
+    return render_credential_missing_or_could_not_be_parsed_error
+  end
+
+  def verify_passkey_challenge
+    @webauthn_credential = verify_registration(relying_party: relying_party)
+  rescue ::WebAuthn::Error => e
+    Honeybadger.notify(e, context: honeybadger_webauthn_context)
+    error_key = Warden::WebAuthn::ErrorKeyFinder.webauthn_error_key(exception: e)
+    render_passkey_error(message: find_message(error_key))
+    return false
+  end
+
+  def honeybadger_webauthn_context
+    debug_credential = WebAuthn::Credential.from_create(parsed_credential, relying_party: relying_party)
+    debug_client_data_json = debug_credential.response.client_data.as_json
+
+    return {
+      debug_client_data_json: debug_client_data_json,
+      relying_party_json: relying_party.as_json
+    }
+  end
+
+  def request_form_params
+    params.require(:create_new_user_with_membership_invitation_form).permit(:email)
+  end
+
+  def require_email_and_passkey_label
+    if request_form_params[:email].blank?
+      respond_to_email_missing_error
+      return false
+    end
+
+    if passkey_params[:passkey_label].blank?
+      respond_to_passkey_label_missing_error
+      return false
+    end
+
+    true
+  end
+
+  def render_credential_missing_or_could_not_be_parsed_error
+    render_passkey_error(message: find_message(:credential_missing_or_could_not_be_parsed))
+    delete_registration_challenge
+    return false
+  end
+
+  def render_passkey_error(message:)
+    errors = Practical::Views::ErrorHandling.build_error_json(
+      model: temporary_form_with_passkey_credential_error(message: message),
+      helpers: helpers
+    )
+    render json: errors, status: :bad_request
+  end
+
+  def registration_user_id
+    session[registration_user_id_key]
+  end
+
+  def delete_registration_user_id!
+    session.delete(registration_user_id_key)
+  end
+
+  def store_registration_user_id
+    session[registration_user_id_key] = WebAuthn.generate_user_id
+  end
+end

data/app/lib/practical/forms/datatables/base.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Practical::Forms::Datatables::Base
+  extend ActiveSupport::Concern
+
+  included do
+    attr_accessor :sort_key, :sort_direction, :filters, :sanitized
+
+    before_validation :normalize_sort_key_and_direction
+    validate :matches_schema?
+  end
+
+  def initialize(attributes = {})
+    super
+    self.sanitize!
+    if self.filters.present?
+      self.filters = self.class.filter_class.new(self.filters)
+    end
+  end
+
+  def sanitized?
+    return self.sanitized == true
+  end
+
+  def payload
+    {
+      sort_key: sort_key,
+      sort_direction: sort_direction,
+      filters: filters.to_h,
+    }
+  end
+
+  def merged_payload(filters: nil, sort_key: nil, sort_direction: nil)
+    result = payload
+    result[:filters] ||= {}
+    if filters.present?
+      result[:filters].merge!(filters)
+    end
+
+    result[:sort_key] = sort_key if sort_key.present?
+    result[:sort_direction] = sort_direction if sort_direction.present?
+
+    return result
+  end
+
+  def sanitize!
+    validate!
+    self.sanitized = true
+  rescue ActiveModel::ValidationError
+    self.attributes = self.class.default_payload
+    self.sanitized = true
+    self.errors.clear
+    self.validate!
+  end
+
+  def sort_direction_for(key:)
+    return nil unless key.downcase.strip == self.sort_key.downcase.strip
+    return sort_direction
+  end
+
+  def inverted_sort_direction_for(key:)
+    return "asc" unless key.downcase.strip == self.sort_key.downcase.strip
+    case sort_direction
+    when "asc"
+      "desc"
+    else
+      "asc"
+    end
+  end
+
+  def normalize_sort_key_and_direction
+    self.sort_key = sort_key.to_s.downcase.strip
+    self.sort_direction = sort_direction.to_s.downcase.strip
+  end
+
+  def matches_schema?
+    return if self.class.schema.validate?(payload)
+    errors.add(:base, :payload_does_not_match_schema)
+  end
+end

data/app/lib/practical/loaders/base.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+class Practical::Loaders::Base
+  include Pagy::Backend
+
+  attr_accessor :params, :base_relation, :datatable_form, :relation_builder, :pagy_instance, :records
+
+  def initialize(params:, base_relation:)
+    self.params = params
+    self.base_relation = base_relation
+  end
+
+  def self.load(params:, base_relation:)
+    instance = self.new(params: params, base_relation: base_relation)
+    instance.load
+    return instance
+  end
+
+  def load
+    self.datatable_form = build_datatable_form
+    self.relation_builder = build_relation_builder
+    self.pagy_instance, self.records = pagy(relation_builder.applied_relation, overflow: :last_page)
+  end
+
+  def datatable_payload
+    (datatable_params[:datatable] || default_payload)
+  end
+
+  def datatable_params
+    params.permit(datatable: [:sort_key, :sort_direction, filters: {}])
+  end
+
+  def build_datatable_form
+    raise NotImplementedError
+  end
+
+  def build_relation_builder
+    raise NotImplementedError
+  end
+
+  def default_payload
+    raise NotImplementedError
+  end
+end

data/app/lib/practical/relation_builders/base.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+class Practical::RelationBuilders::Base
+  attr_accessor :payload, :relation
+
+  def initialize(payload:, relation:)
+    self.payload = payload
+    self.relation = relation
+  end
+
+  def applied_relation
+    scope = apply_filtering(scope: relation)
+    scope = apply_ordering(scope: scope)
+
+    return scope
+  end
+
+  def apply_filtering(scope:)
+    raise NotImplementedError
+  end
+
+  def apply_ordering(scope:)
+    scope = first_order_sorting(scope: scope)
+    scope = second_order_sorting(scope: scope)
+    return scope
+  end
+
+  def first_order_sorting(scope:)
+    raise NotImplementedError
+  end
+
+  def second_order_sorting(scope:)
+    raise NotImplementedError
+  end
+end

data/app/lib/practical/test/shared/attachment/models/attachment/base.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Attachment::Models::Attachment::Base
+  extend ActiveSupport::Concern
+
+  included do
+    def assert_file_metadata(attachment:, file_size:, file_name:, mime_type:)
+      assert_equal file_size, attachment.attachment.metadata["size"]
+      assert_equal file_name, attachment.attachment.metadata["filename"]
+      assert_equal mime_type, attachment.attachment.metadata["mime_type"]
+    end
+
+    def assert_file_type_support(file:, filepath:, mime_type:)
+      file_size = File.size(filepath)
+      file_name = File.basename(filepath)
+
+      create_saved_attachment(file: file) do |attachment|
+        assert_file_metadata(attachment: attachment,
+                             file_size: file_size,
+                             file_name: file_name,
+                             mime_type: mime_type
+                            )
+      end
+    end
+
+    def assert_invalid_file_size_too_large(attachment:)
+      assert_equal false, attachment.valid?
+      assert_equal ["size must not be greater than 20.0 MB"], attachment.errors[:attachment]
+    end
+
+    def assert_invalid_incorrect_mime_type(attachment:)
+      assert_equal false, attachment.valid?
+      assert_match %r{type must be one of:}, attachment.errors[:attachment].first
+    end
+
+    test "saves the file under attachment_data" do
+      assert_file_type_support(file: image_file,
+                               filepath: image_filepath,
+                               mime_type: "image/jpeg"
+                              )
+    end
+
+    test "allows CSV attachments" do
+      assert_file_type_support(file: csv_file,
+                               filepath: csv_filepath,
+                               mime_type: "text/csv"
+                              )
+    end
+
+    test "allows PDF attachments" do
+      assert_file_type_support(file: pdf_file,
+                               filepath: pdf_filepath,
+                               mime_type: "application/pdf"
+                              )
+    end
+
+    test "allows Word attachments" do
+      assert_file_type_support(file: word_file,
+                               filepath: word_filepath,
+                               mime_type: "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
+                              )
+    end
+
+    test "allows Excel attachments" do
+      assert_file_type_support(file: excel_file,
+                               filepath: excel_filepath,
+                               mime_type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
+                              )
+    end
+
+    test "allows Numbers attachments" do
+      assert_file_type_support(file: numbers_file,
+                               filepath: numbers_filepath,
+                               mime_type: "application/vnd.apple.numbers"
+                              )
+    end
+
+    test "allows HEIC attachments" do
+      assert_file_type_support(file: heic_file,
+                               filepath: heic_filepath,
+                               mime_type: "image/heic"
+                              )
+    end
+
+    test "allows plain text attachments" do
+      assert_file_type_support(file: plaintext_file,
+                               filepath: plaintext_filepath,
+                               mime_type: "text/plain"
+                              )
+    end
+
+    test "allows RTF attachments" do
+      assert_file_type_support(file: rtf_file,
+                               filepath: rtf_filepath,
+                               mime_type: "application/rtf"
+                              )
+    end
+
+    test "limits attachments based on size" do
+      file = image_file
+      overage_file_size = 21*1024*1024 # 21 MB
+
+      Spy.on(file, size: overage_file_size)
+
+      attachment = build_new_attachment(file: file)
+
+      assert_invalid_file_size_too_large(attachment: attachment)
+    end
+
+    test "does not allow attachments that are not of the correct MIME type" do
+      Tempfile.open(%w(foo .jpg)) do |file|
+        file.write SecureRandom.hex
+        bad_mime_type = "application/x-sh"
+
+        Spy.on(uploader_class, mime_type: "image/heic")
+
+        attachment = build_new_attachment(file: file)
+
+        assert_invalid_incorrect_mime_type(attachment: attachment)
+      end
+    end
+  end
+end

data/app/lib/practical/test/shared/attachment/models/attachment/for_organization.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Attachment::Models::Attachment::ForOrganization
+  extend ActiveSupport::Concern
+
+  included do
+    test "belongs_to the organization" do
+      reflection = model_class.reflect_on_association(:organization)
+      assert_equal :belongs_to, reflection.macro
+    end
+
+    test "belongs_to the user_reflection_name" do
+      reflection = model_class.reflect_on_association(user_reflection_name)
+      assert_equal :belongs_to, reflection.macro
+    end
+
+    test "validates that the user has a membership in the organization" do
+      attachment = valid_new_attachment
+
+      assert_not_includes other_user.organizations, attachment.organization
+
+      attachment.user = other_user
+
+      assert_equal false, attachment.valid?
+      assert_equal true, attachment.errors.of_kind?(:user, :cannot_access_organization)
+
+      attachment.user = regular_user_in_organization
+      assert_equal true, attachment.valid?
+
+      attachment.user = admin_user_in_organization
+      assert_equal true, attachment.valid?
+
+      attachment.save!
+
+      attachment.user = other_user
+      assert_equal true, attachment.valid?
+    end
+  end
+end

data/app/lib/practical/test/shared/attachment/models/organization/has_attachments.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Attachment::Models::Organization::HasAttachments
+  extend ActiveSupport::Concern
+
+  included do
+    test "has_many: attachments" do
+      reflection = model_class.reflect_on_association(:attachments)
+      assert_equal :has_many, reflection.macro
+    end
+  end
+end

data/app/lib/practical/test/shared/auth/passkeys/controllers/emergency_registration/base.rb

@@ -93,7 +93,8 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistrati
         assert_json_redirected_to expected_new_session_url
       end
 
-      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party, raw_credential: raw_credential).credential
+      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party,
+                                                        raw_credential: raw_credential).credential
 
       new_passkey = emergency_passkey_registration.reload.passkey
       assert_equal label, new_passkey.label
@@ -103,7 +104,7 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistrati
     end
 
     test "use: does not allow overriding who the passkey is registered for" do
-      old_owner = owner_instance
+      owner_instance
       emergency_passkey_registration = valid_emergency_registration
       assert_nil emergency_passkey_registration.used_at
 
@@ -126,14 +127,16 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistrati
       raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
       label = Faker::Computer.os
 
-      params = params_that_try_to_override_owner_during_emergency_registration(label: label, raw_credential: raw_credential)
+      params = params_that_try_to_override_owner_during_emergency_registration(label: label,
+                                                                               raw_credential: raw_credential)
 
       assert_difference "#{passkey_class}.count", +1 do
         use_emergency_registration_action(token: token, params: params)
         assert_json_redirected_to expected_new_session_url
       end
 
-      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party, raw_credential: raw_credential).credential
+      credential = hydrate_response_from_raw_credential(client: client, relying_party: webauthn_relying_party,
+                                                        raw_credential: raw_credential).credential
 
       new_passkey = emergency_passkey_registration.reload.passkey
       assert_equal label, new_passkey.label
@@ -321,7 +324,7 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistrati
       challenge = expected_stored_challenge
       client = webauthn_client
 
-      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
       label = Faker::Computer.os
 
       params = params_for_using_emergency_passkey_registration(label: label, raw_credential: nil)
@@ -355,7 +358,7 @@ module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistrati
       challenge = expected_stored_challenge
       client = webauthn_client
 
-      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
       label = Faker::Computer.os
 
       params = params_for_using_emergency_passkey_registration(label: label, raw_credential: "blah")

data/app/lib/practical/test/shared/auth/passkeys/controllers/emergency_registration/cross_pollination.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Practical::Test::Shared::Auth::Passkeys::Controllers::EmergencyRegistration::CrossPollination
+  extend ActiveSupport::Concern
+
+  included do
+    test "show: raises ActiveSupport::MessageVerifier::InvalidSignature if a different resource's Emergency Registration token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        show_emergency_registration_action(token: valid_emergency_registration_token_for_other_resource)
+      end
+    end
+
+    test "new_create_challenge: raises ActiveSupport::MessageVerifier::InvalidSignature if a different resource's Emergency Registration token is given" do
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        get_new_challenge_action(token: valid_emergency_registration_token_for_other_resource)
+      end
+    end
+
+    test "use: raises ActiveSupport::MessageVerifier::InvalidSignature if a different resource's Emergency Registration token is given" do
+      emergency_passkey_registration = valid_emergency_registration
+      assert_nil emergency_passkey_registration.used_at
+
+      token = emergency_passkey_registration.generate_token_for(:emergency_registration)
+
+      get_new_challenge_action(token: token)
+      assert_response :ok
+
+      assert_passkey_registration_challenge(
+        data: response.parsed_body,
+        stored_challenge: expected_stored_challenge,
+        relying_party_data: expected_relying_party_data,
+        user_data: expected_user_data_for_challenge,
+        credentials_to_exclude: expected_credentials_to_exclude
+      )
+
+      challenge = expected_stored_challenge
+      client = webauthn_client
+
+      raw_credential = create_credential_and_return_payload_from_challenge(client: client, challenge: challenge)
+      label = Faker::Computer.os
+
+      params = params_for_using_emergency_passkey_registration(label: label, raw_credential: raw_credential)
+
+      assert_raises ActiveSupport::MessageVerifier::InvalidSignature do
+        use_emergency_registration_action(token: valid_emergency_registration_token_for_other_resource, params: params)
+      end
+    end
+  end
+end