proxes 0.9.13 → 0.10.1

data/lib/proxes/policies/request/index_policy.rb

@@ -8,11 +8,6 @@ module ProxES
   class Request
     class IndexPolicy < RequestPolicy
       class Scope < RequestPolicy::Scope
-        def resolve
-          result = super
-          return [] unless result.count > 0
-          %w[POST PUT].include?(request.request_method) ? request.index : result
-        end
       end
     end
   end

data/lib/proxes/policies/request/mget_policy.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class MgetPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/msearch_policy.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class MsearchPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/root_policy.rb

@@ -4,9 +4,6 @@ module ProxES
   class Request
     class RootPolicy < RequestPolicy
       class Scope < RequestPolicy::Scope
-        def resolve
-          request
-        end
       end
     end
   end

data/lib/proxes/policies/request/snapshot_policy.rb

@@ -6,9 +6,6 @@ module ProxES
   class Request
     class SnapshotPolicy < RequestPolicy
       class Scope < RequestPolicy::Scope
-        def resolve
-          request
-        end
       end
     end
   end

data/lib/proxes/policies/request_policy.rb

@@ -4,60 +4,59 @@ require 'active_support'
 require 'active_support/core_ext/object/blank'
 require 'ditty/services/logger'
 require 'proxes/models/permission'
-require 'proxes/helpers/indices'
 
 module ProxES
   class RequestPolicy
-    include Helpers::Indices
-
     attr_reader :user, :record
     alias request record
 
     def initialize(user, record)
-      @user = user
+      @user = user || Ditty::User.anonymous_user
       @record = record
     end
 
     def method_missing(method_sym, *arguments, &block)
-      return super if method_sym.to_s[-1] != '?'
+      return super unless respond_to_missing? method_sym
+
+      return false if permissions.empty?
+
+      return permissions.count.positive? unless request.indices?
 
-      return true if user && user.super_admin?
-      return false if request.indices? && !index_allowed?
-      action_allowed? method_sym[0..-2].upcase
+      # Only allow if all the indices match the given permissions
+      request.indices.find do |idx|
+        idx = idx[1..-1] if idx[0] == '-'
+        permissions.find { |perm| perm.index_regex.match idx }.nil?
+      end.nil?
     end
 
     def respond_to_missing?(name, _include_private = false)
       name[-1] == '?'
     end
 
-    def index_allowed?
-      patterns = patterns_for('INDEX').map do |permission|
-        return nil if permission.pattern.blank?
-        permission.pattern.gsub(/\{user.(.*)\}/) { |_match| user.send(Regexp.last_match[1].to_sym) }
-      end.compact
-      filter(request.index, patterns).count > 0
-    end
-
-    def action_allowed?(action)
-      # Give me all the user's permissions that match the verb
-      !!patterns_for(action).find { |permission| (request.path =~ /#{permission.pattern}/) }
+    def permissions
+      @permissions ||= Permission.for_user(user).for_request(request)
     end
 
     class Scope
-      include Helpers::Indices
-
       attr_reader :user, :scope
       alias request scope
 
       def initialize(user, scope)
-        @user = user
+        @user = user || Ditty::User.anonymous_user
         @scope = scope
       end
 
       def resolve
-        current_user = user || Ditty::User.anonymous_user
-        return [] if current_user.nil?
-        filter request.index, patterns
+        return permissions.map(&:index) if request.indices == ['*'] || request.indices == ['_all'] || request.indices.blank?
+
+        request.indices.select do |idx|
+          idx = idx[1..-1] if idx[0] == '-'
+          permissions.find { |perm| perm.index_regex.match idx }
+        end
+      end
+
+      def permissions
+        @permissions ||= Permission.for_user(user).for_request(request)
       end
     end
   end

data/lib/proxes/policies/search_policy.rb

@@ -4,8 +4,12 @@ require 'ditty/policies/application_policy'
 
 module ProxES
   class SearchPolicy < Ditty::ApplicationPolicy
+    def list?
+      search?
+    end
+
     def search?
-      user && user.super_admin?
+      user
     end
 
     def fields?
@@ -22,7 +26,7 @@ module ProxES
 
     class Scope < Ditty::ApplicationPolicy::Scope
       def resolve
-        user && user.super_admin? ? scope : scope.where(id: -1)
+        user&.super_admin? ? scope : scope.where(id: -1)
       end
     end
   end

data/lib/proxes/policies/status_check_policy.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'ditty/policies/application_policy'
+
+module ProxES
+  class StatusCheckPolicy < Ditty::ApplicationPolicy
+    def create?
+      user && (user.super_admin? || user.admin?)
+    end
+
+    def list?
+      user && (user.super_admin? || user.admin?)
+    end
+
+    def read?
+      create?
+    end
+
+    def update?
+      read?
+    end
+
+    def delete?
+      create?
+    end
+
+    def permitted_attributes
+      %i[type name source required_value order]
+    end
+
+    class Scope < Ditty::ApplicationPolicy::Scope
+      def resolve
+        user&.super_admin? ? scope : scope.where(id: -1)
+      end
+    end
+  end
+end

data/lib/proxes/request.rb

@@ -21,12 +21,18 @@ module ProxES
       path_parts
     end
 
+    # Indicate whether or not the request is index specific
     def indices?
       false
     end
 
+    # Return the indices associated with the request as an array. [] if `#indices?` is false
+    def indices
+      []
+    end
+
     def html?
-      get_header('HTTP_ACCEPT') && get_header('HTTP_ACCEPT').include?('text/html')
+      get_header('HTTP_ACCEPT')&.include?('text/html')
     end
 
     def duration
@@ -34,17 +40,22 @@ module ProxES
     end
 
     def user_id
-      return env['rack.session']['user_id'] if env['rack.session']
-      env['omniauth.auth'].uid if env['omniauth.auth']
+      return session['user_id'] if session['user_id']
+
+      env['omniauth.auth']&.uid
     end
 
     def user
       return nil if user_id.nil?
+
       @user ||= Ditty::User[user_id]
     end
 
     def detail
-      "#{request_method.upcase} #{fullpath} (#{self.class.name})"
+      detail = "#{request_method.upcase} #{fullpath} (#{self.class.name})"
+      return detail unless indices?
+
+      "#{detail} #{indices.join(',')}"
     end
 
     private
@@ -56,6 +67,7 @@ module ProxES
     def check_part(val)
       return val if val.nil?
       return [] if [endpoint, '_all'].include?(val) && !WRITE_METHODS.include?(request_method)
+
       val.split(',')
     end
 
@@ -73,11 +85,13 @@ module ProxES
 
       def path_endpoint(path)
         return '_root' if ['', nil, '/'].include? path
+
         path_parts = path[1..-1].split('/')
         return path_parts[-1] if ID_ENDPOINTS.include? path_parts[-1]
         return path_parts[-2] if path_parts[-1] == 'count' && path_parts[-2] == '_percolate'
         return path_parts[-2] if path_parts[-1] == 'scroll' && path_parts[-2] == '_search'
-        path_parts.find { |part| part[0] == '_' }
+
+        path_parts.find { |part| part[0] == '_' && part != '_all' }
       end
     end
   end

data/lib/proxes/request/bulk.rb

@@ -1,39 +1,23 @@
 # frozen_string_literal: true
 
-require 'proxes/request'
+require 'proxes/request/multi'
 require 'proxes/policies/request/bulk_policy'
 
 module ProxES
   class Request
-    class Bulk < Request
-      attr_reader :index, :type
-
-      REGEX = /"(index|delete|create|update)".*"_index"\s*:\s*"(.*?)"/
-
-      def bulk_indices
-        @bulk_indices ||= begin
-          body.read.scan(REGEX).tap { |_r| body.rewind }
-        end.map { |e| e[1] }.uniq
-      end
+    class Bulk < Multi
+      INDICES_REGEX = /"(index|delete|create|update)".*"_index"\s*:\s*"(.*?)"/
 
-      def index=(idx)
-        @index = idx
-        self.path_info = '/' + [index, type, endpoint].compact
-                                                      .map { |v| v.is_a?(Array) ? v.join(',') : v }
-                                                      .select { |v| !v.nil? && v != '' }.join('/')
-      end
+      attr_reader :index, :type
 
       def endpoint
         '_bulk'
       end
 
-      def parse
-        @index ||= check_part(path_parts[0]) unless path_parts[0] == endpoint
-        @type  ||= check_part(path_parts[1]) unless path_parts[1] == endpoint
-      end
-
-      def indices?
-        !@index.nil?
+      class << self
+        def indices_regex
+          INDICES_REGEX
+        end
       end
     end
   end

data/lib/proxes/request/cat.rb

@@ -25,8 +25,14 @@ module ProxES
       end
 
       def indices?
+        return false if type.nil?
+
         %w[shards indices segments count recovery].include? type.first
       end
+
+      def indices
+        @index || []
+      end
     end
   end
 end

data/lib/proxes/request/create.rb

@@ -28,6 +28,10 @@ module ProxES
       def indices?
         true
       end
+
+      def indices
+        @index || []
+      end
     end
   end
 end

data/lib/proxes/request/index.rb

@@ -28,6 +28,10 @@ module ProxES
       def indices?
         true
       end
+
+      def indices
+        @index || []
+      end
     end
   end
 end

data/lib/proxes/request/mget.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'proxes/request/multi'
+require 'proxes/policies/request/mget_policy'
+
+module ProxES
+  class Request
+    class Mget < Multi
+      INDICES_REGEX = /"(_index)"\s*:\s*"(.*?)"/
+
+      attr_reader :index, :type
+
+      def endpoint
+        '_mget'
+      end
+
+      class << self
+        def indices_regex
+          INDICES_REGEX
+        end
+      end
+    end
+  end
+end

data/lib/proxes/request/msearch.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'proxes/request/multi'
+require 'proxes/policies/request/msearch_policy'
+
+module ProxES
+  class Request
+    class Msearch < Multi
+      INDICES_REGEX = /"(index)"\s*:\s*"(.*?)"/
+
+      attr_reader :index, :type
+
+      def endpoint
+        '_msearch'
+      end
+
+      class << self
+        def indices_regex
+          INDICES_REGEX
+        end
+      end
+    end
+  end
+end

data/lib/proxes/request/multi.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'proxes/request'
+
+module ProxES
+  class Request
+    class Multi < Request
+      # Read up on URL-based access control - https://www.elastic.co/guide/en/elasticsearch/reference/current/url-access-control.html
+      # Setting `rest.action.multi.allow_explicit_index` to false will not allow the user to send an index in the request body
+      # which negates this. Depending on your needs, you can enable / disable this
+      def body_indices
+        # TODO: Do / Don't do this depending on rest.action.multi.allow_explicit_index
+        @body_indices ||= begin
+          body.read.scan(self.class.indices_regex).tap { |_r| body.rewind }
+        end.map { |e| e[1] }.compact.uniq
+      end
+
+      def index=(idx)
+        @body_indices = []
+        @index = idx
+        self.path_info = '/' + [index, type, endpoint].compact
+                                                      .map { |v| v.is_a?(Array) ? v.join(',') : v }
+                                                      .select { |v| !v.nil? && v != '' }.join('/')
+      end
+
+      def parse
+        @index ||= check_part(path_parts[0]) unless path_parts[0] == endpoint
+        @type  ||= check_part(path_parts[1]) unless path_parts[1] == endpoint
+      end
+
+      def indices?
+        indices.blank? == false
+      end
+
+      def indices
+        body_indices + (@index || [])
+      end
+    end
+  end
+end