proxes 0.9.7 → 0.9.8

data/lib/proxes/controllers/permissions.rb

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-
-require 'ditty/controllers/component'
-require 'proxes/models/permission'
-require 'ditty/policies/user_policy'
-require 'ditty/policies/role_policy'
-require 'proxes/policies/permission_policy'
-
-module ProxES
-  class Permissions < Ditty::Component
-    set model_class: Permission
-
-    FILTERS = [
-      { name: :user, field: 'user.email' },
-      { name: :role, field: 'role.name' },
-      { name: :verb }
-    ].freeze
-
-    SEARCHABLE = %i[pattern].freeze
-
-    helpers do
-      def user_options
-        policy_scope(::Ditty::User).as_hash(:email, :email)
-      end
-
-      def role_options
-        policy_scope(::Ditty::Role).as_hash(:name, :name)
-      end
-
-      def verb_options
-        ProxES::Permission.verbs
-      end
-    end
-
-    def find_template(views, name, engine, &block)
-      super(views, name, engine, &block) # Root
-      super(::Ditty::ProxES.view_folder, name, engine, &block) # This Component
-      super(::Ditty::App.view_folder, name, engine, &block) # Ditty
-    end
-  end
-end

data/lib/proxes/controllers/search.rb

@@ -1,45 +0,0 @@
-# frozen_string_literal: true
-
-require 'active_support/core_ext/object/blank'
-require 'ditty/controllers/application'
-require 'proxes/services/search'
-
-module ProxES
-  class Search < Ditty::Application
-    set base_path: "#{settings.map_path}/search"
-
-    get '/' do
-      page = (params['page'] || 1).to_i
-      size = (params['count'] || 25).to_i
-      from = ((page - 1) * size)
-      params['q'] = '*' if params['q'].blank?
-      result = ProxES::Services::Search.search(params['q'], index: params['indices'], from: from, size: size)
-      haml :"#{view_location}/index",
-           locals: {
-             title: 'Search',
-             indices: ProxES::Services::Search.indices,
-             fields: ProxES::Services::Search.fields(params['indices']),
-             result: result
-           }
-    end
-
-    get '/fields/?:indices?/?' do
-      json ProxES::Services::Search.fields params['indices']
-    end
-
-    get '/indices/?' do
-      json ProxES::Services::Search.indices
-    end
-
-    get '/values/:field/?:indices?/?' do |field|
-      size = params['size'] || 25
-      json ProxES::Services::Search.values(field, size: size, index: params['indices'])
-    end
-
-    def find_template(views, name, engine, &block)
-      super(views, name, engine, &block) # Root
-      super(::Ditty::ProxES.view_folder, name, engine, &block) # This Component
-      super(::Ditty::App.view_folder, name, engine, &block) # Ditty
-    end
-  end
-end

data/lib/proxes/controllers/status.rb

@@ -1,115 +0,0 @@
-# frozen_string_literal: true
-
-require 'ditty/controllers/application'
-require 'proxes/policies/status_policy'
-require 'proxes/services/es'
-
-module ProxES
-  class Status < Ditty::Application
-    helpers ProxES::Services::ES
-
-    def find_template(views, name, engine, &block)
-      super(views, name, engine, &block) # Root
-      super(::Ditty::ProxES.view_folder, name, engine, &block) # This Component
-      super(::Ditty::App.view_folder, name, engine, &block) # Ditty
-    end
-
-    # This provides a URL that can be polled by a monitoring system. It will return
-    # 200 OK if all the checks pass, or 500 if any of the checks fail.
-    get '/check' do
-      checks = []
-      begin
-        health = client.cluster.health level: 'cluster'
-        checks << { text: 'Cluster Reachable', passed: true, value: health['cluster_name'] }
-        checks << { text: 'Cluster Health', passed: health['status'] == 'green', value: health['status'] }
-
-        node_stats = client.nodes.stats
-
-        master_nodes = []
-        data_nodes = []
-        ingestion_nodes = []
-        node_stats['nodes'].each_value do |node|
-          if node['roles']
-            master_nodes << node['name'] if node['roles'].include? 'master'
-            data_nodes << node['name'] if node['roles'].include? 'data'
-            ingestion_nodes << node['name'] if node['roles'].include? 'ingest'
-          elsif node['attributes']
-            master_nodes << node['name'] unless node['attributes']['master'] == 'false'
-            data_nodes << node['name'] unless node['attributes']['data'] == 'false'
-            ingestion_nodes << node['name'] unless node['attributes']['ingest'] == 'false'
-          elsif node['settings']
-            master_nodes << node['name'] unless node['settings']['node']['master'] == 'false'
-            data_nodes << node['name'] unless node['settings']['node']['data'] == 'false'
-            ingestion_nodes << node['name'] unless node['settings']['node']['ingest'] == 'false'
-          end
-        end
-        checks << {
-          text: 'Master Nodes',
-          passed: master_nodes.count > 0,
-          value: master_nodes.count > 0 ? master_nodes.sort : 'None'
-        }
-        checks << {
-          text: 'Data Nodes',
-          passed: data_nodes.count > 0,
-          value: data_nodes.count > 0 ? data_nodes.sort : 'None'
-        }
-        checks << {
-          text: 'Ingestion Nodes',
-          passed: true,
-          value: ingestion_nodes.count > 0 ? ingestion_nodes.sort : 'None'
-        }
-
-        jvm_values = []
-        jvm_passed = true
-        node_stats['nodes'].each_value do |node|
-          jvm_values << "#{node['name']}: #{node['jvm']['mem']['heap_used_percent']}%"
-          jvm_passed = false if node['jvm']['mem']['heap_used_percent'] > 85
-        end
-        checks << { text: 'Node JVM Heap', passed: jvm_passed, value: jvm_values.sort }
-
-        fs_values = []
-        fs_passed = true
-        node_stats['nodes'].each_value do |node|
-          next if node['attributes'] && node['attributes']['data'] == 'false'
-          next if node['roles'] && node['roles'].include?('data') == false
-          stats = node['fs']['total']
-          left = stats['available_in_bytes'] / stats['total_in_bytes'].to_f * 100
-          fs_values << "#{node['name']}: #{format('%.02f', left)}% Free"
-          fs_passed = false if left < 10
-        end
-        checks << { text: 'Node File Systems', passed: fs_passed, value: fs_values.sort }
-
-        cpu_values = []
-        cpu_passed = true
-        node_stats['nodes'].each_value do |node|
-          value = (node['os']['cpu_percent'] || node['os']['cpu']['percent'])
-          cpu_values << "#{node['name']}: #{value}"
-          cpu_passed = false if value.to_i > 70
-        end
-        checks << { text: 'Node CPU Usage', passed: cpu_passed, value: cpu_values.sort }
-
-        memory_values = []
-        memory_sum = 0
-        node_stats['nodes'].each_value do |node|
-          memory_sum += node['os']['mem']['used_percent']
-          memory_values << "#{node['name']}: #{node['os']['mem']['used_percent']}"
-        end
-        memory_passed = (memory_sum / memory_values.size).to_i < 100
-        checks << { text: 'Node Memory Usage', passed: memory_passed, value: memory_values.sort }
-      rescue Faraday::Error => e
-        checks << { text: 'Cluster Reachable', passed: false, value: e.message }
-      end
-
-      status checks.find { |c| c[:passed] == false } ? 500 : 200
-
-      respond_to do |format|
-        format.html do
-          haml :'status/check', locals: { title: 'Status Check', checks: checks }
-        end
-        format.json do
-          json checks
-        end
-      end
-    end
-  end
-end

data/lib/proxes/forwarder.rb

@@ -1,49 +0,0 @@
-require 'proxes/services/es'
-require 'net/http/persistent'
-require 'singleton'
-require 'rack'
-
-module ProxES
-  # A lot of code in this comes from Rack::Proxy
-  class Forwarder
-    include Singleton
-    include ProxES::Services::ES
-
-    def call(env)
-      source = Rack::Request.new(env)
-      response = conn.send(source.request_method.downcase) do |req|
-        source_body = body_from(source)
-        req.body = source_body if source_body
-        req.url source.fullpath == '' ? URI.parse(env['REQUEST_URI']).request_uri : source.fullpath
-      end
-      mangle response
-    end
-
-    def mangle(response)
-      headers = (response.respond_to?(:headers) && response.headers) || self.class.normalize_headers(response.to_hash)
-      body    = response.body || ['']
-      body    = [body] unless body.respond_to?(:each)
-
-      # Not sure where this is coming from, but it causes timeouts on the client
-      headers.delete('transfer-encoding')
-      # Ensure that the content length rack middleware kicks in
-      headers.delete('content-length')
-
-      [response.status, headers, body]
-    end
-
-    def body_from(request)
-      return nil if request.body.nil? || (Kernel.const_defined?('::Puma::NullIO') && request.body.is_a?(Puma::NullIO))
-      request.body.read.tap { |_r| request.body.rewind }
-    end
-
-    class << self
-      def normalize_headers(headers)
-        mapped = headers.map do |k, v|
-          [k, v.is_a?(Array) ? v.join("\n") : v]
-        end
-        Rack::Utils::HeaderHash.new Hash[mapped]
-      end
-    end
-  end
-end

data/lib/proxes/helpers/indices.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-require 'active_support'
-require 'active_support/core_ext/object/blank'
-
-module ProxES
-  module Helpers
-    module Indices
-      def filter(asked, against)
-        return against.map { |a| a.gsub(/\.\*/, '*') } if asked == ['*'] || asked.blank?
-
-        answer = []
-        against.each do |pattern|
-          answer.concat(asked.select { |idx| idx =~ /#{pattern}/ })
-        end
-        answer
-      end
-
-      def patterns
-        return [] if user.nil?
-        patterns_for('INDEX').map do |permission|
-          return nil if permission.pattern.blank?
-          permission.pattern.gsub(/\{user.(.*)\}/) { |_match| user.send(Regexp.last_match[1].to_sym) }
-        end.compact
-      end
-
-      def patterns_for(action)
-        return [] if user.nil?
-        Permission.for_user(user, action)
-      end
-    end
-  end
-end

data/lib/proxes/loggers/elasticsearch.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-require 'logger'
-
-module ProxES
-  module Loggers
-    class Elasticsearch < ::Logger
-    end
-  end
-end

data/lib/proxes/middleware/error_handling.rb

@@ -1,62 +0,0 @@
-# frozen_string_literal: true
-
-require 'wisper'
-require 'proxes/request'
-require 'ditty/services/logger'
-
-module ProxES
-  module Middleware
-    class ErrorHandling
-      attr_reader :logger
-
-      include Wisper::Publisher
-
-      def initialize(app, logger = nil)
-        @app = app
-        @logger = logger || ::Ditty::Services::Logger.instance
-      end
-
-      def call(env)
-        request = ProxES::Request.from_env(env)
-        response = @app.call env
-        broadcast(:es_request_failed, request, response) unless (200..299).cover?(response[0])
-        response
-      rescue Errno::EHOSTUNREACH
-        error 'Could not reach Elasticsearch at ' + ENV['ELASTICSEARCH_URL']
-      rescue Errno::ECONNREFUSED, Faraday::ConnectionFailed, SocketError
-        error 'Elasticsearch not listening at ' + ENV['ELASTICSEARCH_URL']
-      rescue Pundit::NotAuthorizedError, Ditty::Helpers::NotAuthenticated => e
-        broadcast(:es_request_denied, request, e)
-        log_not_authorized request
-        raise e if env['APP_ENV'] == 'development'
-        request.html? && request.user.nil? ? login_and_redirect(request) : error('Not Authorized', 401)
-      rescue StandardError => e
-        broadcast(:es_request_denied, request, e)
-        log_not_authorized request
-        raise e if env['APP_ENV'] == 'development'
-        error 'Forbidden', 403
-      end
-
-      def log_not_authorized(request)
-        user = request.user ? request.user.email : 'unauthenticated request'
-        logger.error "Access denied for #{user} by security layer: #{request.detail}"
-      end
-
-      # Response Helpers
-      def error(message, code = 500)
-        headers = { 'Content-Type' => 'application/json' }
-        headers['WWW-Authenticate'] = 'Basic realm="security"' if code == 401
-        [code, headers, ['{"error":"' + message + '"}']]
-      end
-
-      def login_and_redirect(request)
-        request.session['omniauth.origin'] = request.url unless request.url == '/_proxes/auth/identity'
-        redirect '/_proxes/auth/identity'
-      end
-
-      def redirect(destination, code = 302)
-        [code, { 'Location' => destination }, []]
-      end
-    end
-  end
-end

data/lib/proxes/middleware/metrics.rb

@@ -1,25 +0,0 @@
-# frozen_string_literal: true
-
-require 'wisper'
-
-module ProxES
-  module Middleware
-    class Metrics
-      include Wisper::Publisher
-
-      def initialize(app)
-        @app = app
-      end
-
-      def call(env)
-        request = Request.from_env(env)
-        broadcast(:call_started, request)
-
-        result = @app.call request.env
-
-        broadcast(:call_completed, request) if result[0].to_i >= 200 && result[0].to_i < 300
-        result
-      end
-    end
-  end
-end

data/lib/proxes/middleware/security.rb

@@ -1,59 +0,0 @@
-# frozen_string_literal: true
-
-require 'proxes/request'
-require 'proxes/policies/request_policy'
-require 'ditty/services/logger'
-require 'ditty/helpers/pundit'
-require 'ditty/helpers/authentication'
-
-module ProxES
-  module Middleware
-    class Security
-      attr_reader :env, :logger
-
-      include Ditty::Helpers::Authentication
-      include Ditty::Helpers::Pundit
-
-      def initialize(app, logger = nil)
-        @app = app
-        @logger = logger || ::Ditty::Services::Logger.instance
-      end
-
-      def call(env)
-        @env = env
-        request = ProxES::Request.from_env(env)
-        log(request, 'BEFORE')
-
-        check_basic request
-        authorize request
-
-        request.index = policy_scope(request) if request.indices?
-        log(request, 'AFTER')
-
-        @app.call env
-      end
-
-      def check_basic(request)
-        auth = Rack::Auth::Basic::Request.new(request.env)
-        return false unless auth.provided? && auth.basic?
-
-        identity = ::Ditty::Identity.find(username: auth.credentials[0])
-        identity ||= ::Ditty::Identity.find(username: CGI.unescape(auth.credentials[0]))
-        return false unless identity && identity.authenticate(auth.credentials[1])
-        request.env['rack.session'] ||= {}
-        request.env['rack.session']['user_id'] = identity.user_id
-      end
-
-      def authorize(request)
-        Pundit.authorize(request.user, request, request.request_method.downcase + '?')
-      end
-
-      def log(request, stage)
-        logger.debug '============' + stage.ljust(56) + '============'
-        logger.debug '= ' + "Request: #{request.detail}".ljust(76) + ' ='
-        logger.debug '= ' + "Endpoint: #{request.endpoint}".ljust(76) + ' ='
-        logger.debug '================================================================================'
-      end
-    end
-  end
-end