praxis 2.0.pre.13 → 2.0.pre.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4be08481cbad0604fdb8e45dfc66aec895478a0b7578544b773af7fa6f3863f
-  data.tar.gz: 122625c252f5d9a2166e8958408bedf7ac5aee13500488e44c453ddeff3fbcc8
+  metadata.gz: 6af11de4fdf970e848d638ed6fd1f47db86dcd27562bca90e50805398a82b346
+  data.tar.gz: dd4b664b1b8afde291e0402eeb0bb57178214ac1d8d6a4dc691f532fff7ae29f
 SHA512:
-  metadata.gz: 6472e4ef1f9ad601ed5c13774a336b93d52356a3a0bccb3a3707953658918a79457d314ceca1ce676a15f51c10bcebb4556388c95ba3aeca2cbec40625b13734
-  data.tar.gz: d8a4bad9469579530974d3c61d61fd7441b4e9d48d2ecb90ac81d4951cda0293428f750011e406e755103abb162b4fb1c60b87a584fe77da74c68dafaa997ecd
+  metadata.gz: 525c64c37e1cfe27fe74c1ddbd02d3c6e45860acd0f8a79a5d9a0832274368c728dacc8096b3b37f63c302fe265161793320a64dcf44a84d99ee5074d9de9da2
+  data.tar.gz: 79a70e175f17a14d98beddd66add981c03a8c720dd45855221b5b3223cb021d056381a5fd87880e3cbe2886755445182cf6cad3427de9f38b44220a26b23955d

data/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 ## next
 
+## 2.0.pre.14
+
+* More encoding/decoding robustness for filters. 
+  * Specs for how to encode filters are now properly defined by:
+    * The "value" of the filters query string needs to be URI encoded (like any other query string value). This encoding is subject to the normal rules, and therefore "could" leave some of the URI unreserved characters (i.e., 'markers') unencoded depending on the client (Section 2.2 of https://tools.ietf.org/html/rfc2396).
+    * The "values" for any of the conditions in the contents of the filters, however, will need to be properly "escaped" as well (prior to URL-encoding the whole syntax string itself like described above). This means that any match value needs to ensure that it has (at least) "(",")","|","&" and "," escaped as they are reserved characters for the filter expression syntax. For example, if I want to search for a name with value "Rocket&(Pants)", I need to first compose the syntax by: "name=<escaped Rocket&(Pants)>, which is "name=Rocket%26%28Pants%29" and then, just URI encode that query string value for the filters parameter in the URL like any other. For example: "filters=name%3DRocket%2526%2528Pants%2529"
+    * When using a multi-match (csv-separated) list of values, you need to escape each of the values as well, leaving the 'comma' unescape, as that's part of the syntax. Then uri-encode it all for the filters query string parameter value like above.
+  * Now, one can properly differentiate between fuzzy query prefix/postfix, and the literal data to search for (which can be or include '*'). Report that multi-matches (i.e., csv separated values for a single field, which translate into "IN" clauses) is not allowed if fuzzy matches are received (need to use multiple OR clauses for it).
+
 ## 2.0.pre.13
 
 * Fix filters parser regression, which would incorrectly decode url-encoded values

data/lib/praxis/extensions/attribute_filtering.rb

@@ -1,2 +1,15 @@
 require 'praxis/extensions/attribute_filtering/filtering_params'
-require 'praxis/extensions/attribute_filtering/filter_tree_node'
+require 'praxis/extensions/attribute_filtering/filter_tree_node'
+module Praxis
+  module Extensions
+    module AttributeFiltering
+      class MultiMatchWithFuzzyNotAllowedByAdapter < StandardError
+        def initialize
+          msg = 'Matching multiple, comma-separated values with fuzzy matches for a single field is not allowed by this DB adapter'\
+                'Please use multiple OR clauses instead.'
+          super(msg)
+        end
+      end
+    end
+  end
+end

data/lib/praxis/extensions/attribute_filtering/active_record_filter_query_builder.rb

@@ -72,7 +72,8 @@ module Praxis
               column_prefix: column_prefix, 
               column_object: colo, 
               op: condition[:op], 
-              value: condition[:value]
+              value: condition[:value],
+              fuzzy: condition[:fuzzy]
             )
           end
 
@@ -192,8 +193,8 @@ module Praxis
           {associations_hash: h, conditions: conditions}
         end
 
-        def self.add_clause(query:, column_prefix:, column_object:, op:, value:)
-          likeval = get_like_value(value)
+        def self.add_clause(query:, column_prefix:, column_object:, op:, value:,fuzzy:)
+          likeval = get_like_value(value,fuzzy)
           case op
           when '!' # name! means => name IS NOT NULL (and the incoming value is nil)
             op = '!='
@@ -265,12 +266,22 @@ module Praxis
         end
 
         # Returns nil if the value was not a fuzzzy pattern
-        def self.get_like_value(value)
-          if value.is_a?(String) && (value[-1] == '*' || value[0] == '*')
-            likeval = value.dup
-            likeval[-1] = '%' if value[-1] == '*'
-            likeval[0] = '%' if value[0] == '*'
-            likeval
+        def self.get_like_value(value,fuzzy)
+          is_fuzzy = fuzzy.is_a?(Array) ? !fuzzy.compact.empty? : fuzzy
+          if is_fuzzy
+            unless value.is_a?(String)
+              raise MultiMatchWithFuzzyNotAllowedByAdapter.new
+            end
+            case fuzzy
+            when :start_end
+              '%'+value+'%'
+            when :start
+              '%'+value
+            when :end
+              value+'%'
+            end
+          else
+            nil
           end
         end
 

data/lib/praxis/extensions/attribute_filtering/filter_tree_node.rb

@@ -15,7 +15,7 @@ module Praxis
             if components.empty?
               return
             elsif components.size == 1
-              @conditions << hash.slice(:name, :op, :value, :node_object)
+              @conditions << hash.slice(:name, :op, :value, :fuzzy, :node_object)
             else
               children_data[components.first] ||= []
               children_data[components.first] << hash

data/lib/praxis/extensions/attribute_filtering/filtering_params.rb

@@ -182,7 +182,7 @@ module Praxis
               else
                 spec[:values]
               end
-            accum.push(name: attr_name, op: spec[:op], value: coerced , node_object: spec[:node_object])
+            accum.push(name: attr_name, op: spec[:op], value: coerced , fuzzy: spec[:fuzzies], node_object: spec[:node_object])
           end
           new(accum)
         end
@@ -225,7 +225,7 @@ module Praxis
             value = item[:value]
             unless value.empty?
               fuzzy_match = attr_filters[:fuzzy_match]
-              if (value[-1] == '*' || value[0] == '*') && !fuzzy_match
+              if item[:fuzzy] && !item[:fuzzy].empty? && !fuzzy_match
                 errors << "Fuzzy matching for #{attr_name} is not allowed (yet '*' was found in the value)"
               end
             end

data/lib/praxis/extensions/attribute_filtering/filters_parser.rb

@@ -15,41 +15,81 @@ module Praxis
           #   Example: [{:name=>"multi"@0, :op=>"="@5}, {:value=>"1"@6}, {:value=>"2"@8}]
           def initialize(triad:, parent_group:)
             @parent_group = parent_group
-
             if triad.is_a? Array # several values coming in
               spec, *values = triad
               @name = spec[:name].to_sym
               @op = spec[:op].to_s
 
-              @values = if values.empty?
-                ""
+              if values.empty?
+                @values = ""
+                @fuzzies = nil
               elsif values.size == 1
-                CGI.unescape(values.first[:value].to_s)
+                raw_val = values.first[:value].to_s
+                @values, @fuzzies = _compute_fuzzy(values.first[:value].to_s)
               else
-                values.map{|e| CGI.unescape(e[:value].to_s)}
+                @values = []
+                @fuzzies = []
+                results = values.each do|e| 
+                  val, fuz = _compute_fuzzy(e[:value].to_s)
+                  @values.push val
+                  @fuzzies.push fuz
+                end
               end
             else # No values for the operand
               @name = triad[:name].to_sym
               @op = triad[:op].to_s
               if ['!','!!'].include?(@op)
-                @values = nil
+                @values, @fuzzies = [nil, nil]
               else
                 # Value operand without value? => convert it to empty string
                 raise "Interesting, didn't know this could happen. Oops!" if triad[:value].is_a?(Array) && !triad[:value].empty?
-                @values = (triad[:value] == []) ? '' : CGI.unescape(triad[:value].to_s) # TODO: could this be an array (or it always comes the other if)
+                if triad[:value] == []
+                  @values, @fuzzies = ['', nil]
+                else
+                  @values, @fuzzies = _compute_fuzzy(triad[:value].to_s)
+                end
               end
             end
           end
-        
+          # Takes a raw val, and spits out the output val (unescaped), and the fuzzy definition
+          def _compute_fuzzy(raw_val)
+            starting = raw_val[0] == '*'
+            ending = raw_val[-1] == '*'
+            newval, fuzzy = if starting && ending
+              [raw_val[1..-2], :start_end]
+            elsif starting
+              [raw_val[1..-1], :start]
+            elsif ending
+              [raw_val[0..-2], :end]
+            else
+              [raw_val,nil]
+            end
+            newval = CGI.unescape(newval) if newval
+            [newval,fuzzy]
+          end
           def flattened_conditions
-            [{name: @name, op: @op, values: @values, node_object: self}]
+            [{name: @name, op: @op, values: @values, fuzzies: @fuzzies, node_object: self}]
           end
 
+          # Dumps the value, marking where the fuzzy might be, and removing the * to differentiate from literals
+          def _dump_value(val,fuzzy)
+            case fuzzy
+            when nil
+              val
+            when :start_end
+              '{*}' + val + '{*}'
+            when :start
+              '{*}' + val
+            when :end
+               val +'{*}'
+            end
+          end
           def dump
             vals = if values.is_a? Array
-              "[#{values.join(',')}]" # Purposedly enclose in brackets to make sure we differentiate
+              dumped = values.map.with_index{|val,i| _dump_value(val, @fuzzies[i])}
+              "[#{dumped.join(',')}]" # Purposedly enclose in brackets to make sure we differentiate
             else
-              (values == '') ? "\"#{values}\"" : values # Dump the empty string explicitly with quotes if we've converted no value to empty string
+              (values == '') ? '""' : _dump_value(values,@fuzzies) # Dump the empty string explicitly with quotes if we've converted no value to empty string
             end
             "#{name}#{op}#{vals}"
           end
@@ -134,7 +174,7 @@ module Praxis
           end
    
           rule(:name)    { match('[a-zA-Z0-9_\.]').repeat(1) } # TODO: are these the only characters that we allow for names?
-          rule(:chars) { match('[^&|),]').repeat(0).as(:value) }
+          rule(:chars) { match('[^&|(),]').repeat(0).as(:value) }
           rule(:value)    { chars >> (comma >> chars ).repeat }
 
           rule(:triad)  { 

data/lib/praxis/version.rb

@@ -1,3 +1,3 @@
 module Praxis
-  VERSION = '2.0.pre.13'
+  VERSION = '2.0.pre.14'
 end

data/spec/praxis/extensions/attribute_filtering/active_record_filter_query_builder_spec.rb

@@ -71,7 +71,7 @@ describe Praxis::Extensions::AttributeFiltering::ActiveRecordFilterQueryBuilder
             end
           end
         end
-          context 'that maps to a different name' do
+        context 'that maps to a different name' do
           let(:filters_string) { 'name=Book1'}
           it_behaves_like 'subject_equivalent_to', ActiveBook.where(simple_name: 'Book1')
         end
@@ -79,6 +79,23 @@ describe Praxis::Extensions::AttributeFiltering::ActiveRecordFilterQueryBuilder
           let(:filters_string) { 'fake_nested.name=Book1'}
           it_behaves_like 'subject_equivalent_to', ActiveBook.where(simple_name: 'Book1')
         end
+        context 'passing multiple values' do
+          context 'without fuzzy matching' do
+            let(:filters_string) { 'category_uuid=deadbeef1,deadbeef2' }
+            it_behaves_like 'subject_equivalent_to', ActiveBook.where(category_uuid: ['deadbeef1','deadbeef2'])
+          end
+          context 'with fuzzy matching' do
+            let(:filters_string) { 'category_uuid=*deadbeef1,deadbeef2*' }
+            it 'is not supported' do
+              expect{
+                subject
+              }.to raise_error(
+                Praxis::Extensions::AttributeFiltering::MultiMatchWithFuzzyNotAllowedByAdapter,
+                /Please use multiple OR clauses instead/
+              )
+            end
+          end
+        end
       end
 
       context 'by a field or a related model' do

data/spec/praxis/extensions/attribute_filtering/filtering_params_spec.rb

@@ -29,7 +29,14 @@ describe Praxis::Extensions::AttributeFiltering::FilteringParams do
           { name: :two, op: '>', value: 'normal'},
         ]
         expect(described_class.load(str).parsed_array.map{|i| i.slice(:name,:op,:value)}).to eq(parsed)
-    end
+      end
+      it 'does not handle badly escaped values that contain reserved chars ()|&,' do
+        badly_escaped = 'val('
+        str = "one=#{badly_escaped}&(two>normal|three!)"
+        expect{
+          described_class.load(str)
+        }.to raise_error(Parslet::ParseFailed)
+      end
     end
     context 'parses for operator' do
       described_class::VALUE_OPERATORS.each do |op|

data/spec/praxis/extensions/attribute_filtering/filters_parser_spec.rb

@@ -1,6 +1,5 @@
 require 'praxis/extensions/attribute_filtering/filters_parser'
 
-
 describe Praxis::Extensions::AttributeFiltering::FilteringParams::Condition do
 end 
 
@@ -121,17 +120,26 @@ describe Praxis::Extensions::AttributeFiltering::FilteringParams::Parser do
     context 'supports everything (except &|(),) for values (even without encoding..not allowed, but just to ensure the parser does not bomb)' do
       it_behaves_like 'round-trip-properly', {
         'v=1123' => 'v=1123',
-        'v=*foo*' => 'v=*foo*',
-        'v=*^%$#@!foo' => 'v=*^%$#@!foo',
+        'v=*foo*' => 'v={*}foo{*}',
+        'v=*^%$#@!foo' => 'v={*}^%$#@!foo',
         'v=_-=\{}"?:><' => 'v=_-=\{}"?:><',
         'v=_-=\{}"?:><,another_value!' => 'v=[_-=\{}"?:><,another_value!]',
       }
     end
+    context 'properly detects and handles fuzzy matching encoded as {*} in the dump' do
+      it_behaves_like 'round-trip-properly', {
+        'v=*foo' => 'v={*}foo',
+        'v=*foo*' => 'v={*}foo{*}',
+        'v=foo*' => 'v=foo{*}',
+        'v=*start,end*,*both*' => 'v=[{*}start,end{*},{*}both{*}]',
+        "v=*#{CGI.escape('***')},#{CGI.escape('*')}" => 'v=[{*}***,*]', # Simple exact match on 2nd
+      }
+    end
     context 'properly handles url-encoded values' do
       it_behaves_like 'round-trip-properly', {
         "v=#{CGI.escape('1123')}" => 'v=1123',
-        "v=#{CGI.escape('*foo*')}" => 'v=*foo*',
-        "v=#{CGI.escape('*^%$#@!foo')}" => 'v=*^%$#@!foo',
+        "v=*#{CGI.escape('foo')}*" => 'v={*}foo{*}',
+        "v=*#{CGI.escape('^%$#@!foo')}" => 'v={*}^%$#@!foo',
         "v=#{CGI.escape('~!@#$%^&*()_+-={}|[]\:";\'<>?,./`')}" => 'v=~!@#$%^&*()_+-={}|[]\:";\'<>?,./`',
         "v=#{CGI.escape('_-+=\{}"?:><')},#{CGI.escape('another_value!')}" => 'v=[_-+=\{}"?:><,another_value!]',
       }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: praxis
 version: !ruby/object:Gem::Version
-  version: 2.0.pre.13
+  version: 2.0.pre.14
 platform: ruby
 authors:
 - Josep M. Blanquer
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-24 00:00:00.000000000 Z
+date: 2021-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack