proxes 0.9.8 → 0.9.9

data/lib/proxes/middleware/metrics.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'wisper'
+
+module ProxES
+  module Middleware
+    class Metrics
+      include Wisper::Publisher
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = Request.from_env(env)
+        broadcast(:call_started, request)
+
+        result = @app.call request.env
+
+        broadcast(:call_completed, request) if result[0].to_i >= 200 && result[0].to_i < 300
+        result
+      end
+    end
+  end
+end

data/lib/proxes/middleware/security.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'proxes/request'
+require 'proxes/policies/request_policy'
+require 'ditty/services/logger'
+require 'ditty/helpers/pundit'
+require 'ditty/helpers/authentication'
+
+module ProxES
+  module Middleware
+    class Security
+      attr_reader :env, :logger
+
+      include Ditty::Helpers::Authentication
+      include Ditty::Helpers::Pundit
+
+      def initialize(app, logger = nil)
+        @app = app
+        @logger = logger || ::Ditty::Services::Logger.instance
+      end
+
+      def call(env)
+        @env = env
+        request = ProxES::Request.from_env(env)
+        log(request, 'BEFORE')
+
+        check_basic request
+        authorize request
+
+        request.index = policy_scope(request) if request.indices?
+        log(request, 'AFTER')
+
+        @app.call env
+      end
+
+      def check_basic(request)
+        auth = Rack::Auth::Basic::Request.new(request.env)
+        return false unless auth.provided? && auth.basic?
+
+        identity = ::Ditty::Identity.find(username: auth.credentials[0])
+        identity ||= ::Ditty::Identity.find(username: CGI.unescape(auth.credentials[0]))
+        return false unless identity && identity.authenticate(auth.credentials[1])
+        request.env['rack.session'] ||= {}
+        request.env['rack.session']['user_id'] = identity.user_id
+      end
+
+      def authorize(request)
+        Pundit.authorize(request.user, request, request.request_method.downcase + '?')
+      end
+
+      def log(request, stage)
+        logger.debug '============' + stage.ljust(56) + '============'
+        logger.debug '= ' + "Request: #{request.detail}".ljust(76) + ' ='
+        logger.debug '= ' + "Endpoint: #{request.endpoint}".ljust(76) + ' ='
+        logger.debug '================================================================================'
+      end
+    end
+  end
+end

data/lib/proxes/models/permission.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'ditty/models/base'
+require 'ditty/models/user'
+require 'ditty/models/role'
+
+module ProxES
+  class Permission < ::Sequel::Model
+    include ::Ditty::Base
+
+    many_to_one :role, class: ::Ditty::Role
+    many_to_one :user, class: ::Ditty::User
+
+    dataset_module do
+      def for_user(a_user, action)
+        where(verb: action).where { Sequel.|({ role: a_user.roles }, { user_id: a_user.id }) }
+      end
+    end
+
+    def validate
+      validates_presence %i[verb pattern]
+      validates_presence :role_id unless user_id
+      validates_presence :user_id unless role_id
+      validates_includes self.class.verbs, :verb
+    end
+
+    class << self
+      def verbs
+        %w[GET POST PUT DELETE HEAD OPTIONS TRACE INDEX]
+      end
+
+      def from_audit_log(audit_log)
+        return {} if audit_log.details.nil?
+        match = audit_log.details.match(/^(\w)+ (\S+)/)
+        return {} if match.nil?
+        {
+          verb: match[1],
+          path: match[2]
+        }
+      end
+    end
+  end
+end
+
+module Ditty
+  class User < ::Sequel::Model
+    one_to_many :permissions, class: ::ProxES::Permission
+  end
+end
+
+module Ditty
+  class Role < ::Sequel::Model
+    one_to_many :permissions, class: ::ProxES::Permission
+  end
+end

data/lib/proxes/policies/permission_policy.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'ditty/policies/application_policy'
+
+module ProxES
+  class PermissionPolicy < Ditty::ApplicationPolicy
+    def create?
+      user && user.super_admin?
+    end
+
+    def list?
+      create?
+    end
+
+    def read?
+      create?
+    end
+
+    def update?
+      read?
+    end
+
+    def delete?
+      create?
+    end
+
+    def permitted_attributes
+      %i[verb pattern role_id user_id]
+    end
+
+    class Scope < Ditty::ApplicationPolicy::Scope
+      def resolve
+        user && user.super_admin? ? scope : scope.where(id: -1)
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/bulk_policy.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'active_support'
+require 'active_support/core_ext/object/blank'
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class BulkPolicy < RequestPolicy
+      def post?
+        return false if user.nil? ||
+                        (request.index && !index_allowed?) ||
+                        (request.bulk_indices == '' || patterns.blank?)
+
+        patterns.find do |pattern|
+          request.bulk_indices.find { |idx| idx !~ /#{pattern}/ }
+        end.nil?
+      end
+
+      class Scope < RequestPolicy::Scope
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/cat_policy.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class CatPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/create_policy.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class CreatePolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+        def resolve
+          super.count > 0 ? request.index : []
+        end
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/index_policy.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'ditty/db'
+require 'proxes/models/permission'
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class IndexPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+        def resolve
+          result = super
+          return [] unless result.count > 0
+          %w[POST PUT].include?(request.request_method) ? request.index : result
+        end
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/root_policy.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module ProxES
+  class Request
+    class RootPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+        def resolve
+          request
+        end
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/search_policy.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'active_support'
+require 'active_support/core_ext/object/blank'
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class SearchPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/snapshot_policy.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class SnapshotPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+        def resolve
+          request
+        end
+      end
+    end
+  end
+end

data/lib/proxes/policies/request/stats_policy.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'proxes/policies/request_policy'
+
+module ProxES
+  class Request
+    class StatsPolicy < RequestPolicy
+      class Scope < RequestPolicy::Scope
+      end
+    end
+  end
+end

data/lib/proxes/policies/request_policy.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'active_support'
+require 'active_support/core_ext/object/blank'
+require 'ditty/services/logger'
+require 'proxes/models/permission'
+require 'proxes/helpers/indices'
+
+module ProxES
+  class RequestPolicy
+    include Helpers::Indices
+
+    attr_reader :user, :record
+    alias request record
+
+    def initialize(user, record)
+      @user = user
+      @record = record
+    end
+
+    def method_missing(method_sym, *arguments, &block)
+      return super if method_sym.to_s[-1] != '?'
+
+      return false if request.indices? && !index_allowed?
+      action_allowed? method_sym[0..-2].upcase
+    end
+
+    def respond_to_missing?(name, _include_private = false)
+      name[-1] == '?'
+    end
+
+    def index_allowed?
+      patterns = patterns_for('INDEX').map do |permission|
+        return nil if permission.pattern.blank?
+        permission.pattern.gsub(/\{user.(.*)\}/) { |_match| user.send(Regexp.last_match[1].to_sym) }
+      end.compact
+      filter(request.index, patterns).count > 0
+    end
+
+    def action_allowed?(action)
+      # Give me all the user's permissions that match the verb
+      !!patterns_for(action).find { |permission| (request.path =~ /#{permission.pattern}/) }
+    end
+
+    class Scope
+      include Helpers::Indices
+
+      attr_reader :user, :scope
+      alias request scope
+
+      def initialize(user, scope)
+        @user = user
+        @scope = scope
+      end
+
+      def resolve
+        return [] if user.nil?
+        filter request.index, patterns
+      end
+    end
+  end
+end

data/lib/proxes/policies/search_policy.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'ditty/policies/application_policy'
+
+module ProxES
+  class SearchPolicy < Ditty::ApplicationPolicy
+    def search?
+      user && user.super_admin?
+    end
+
+    def fields?
+      search?
+    end
+
+    def indices?
+      search?
+    end
+
+    def values?
+      search?
+    end
+
+    class Scope < Ditty::ApplicationPolicy::Scope
+      def resolve
+        user && user.super_admin? ? scope : scope.where(id: -1)
+      end
+    end
+  end
+end

data/lib/proxes/policies/status_policy.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'ditty/policies/application_policy'
+
+module ProxES
+  class StatusPolicy < Ditty::ApplicationPolicy
+    def check?
+      user
+    end
+
+    def list?
+      check?
+    end
+
+    class Scope < Ditty::ApplicationPolicy::Scope
+      def resolve
+        []
+      end
+    end
+  end
+end

data/lib/proxes/request.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'rack'
+
+module ProxES
+  class Request < Rack::Request
+    ID_ENDPOINTS = %w[_create _explain _mlt _percolate _source _termvector _update].freeze
+    WRITE_METHODS = %w[POST PUT DELETE].freeze
+
+    def initialize(env)
+      @started = Time.now.to_f
+      super
+      parse
+    end
+
+    def endpoint
+      path_parts[0]
+    end
+
+    def parse
+      path_parts
+    end
+
+    def indices?
+      false
+    end
+
+    def html?
+      get_header('HTTP_ACCEPT') && get_header('HTTP_ACCEPT').include?('text/html')
+    end
+
+    def duration
+      Time.now.to_f - @started
+    end
+
+    def user_id
+      return env['omniauth.auth'].uid if env['omniauth.auth']
+      env['rack.session']['user_id'] if env['rack.session']
+    end
+
+    def user
+      return nil if user_id.nil?
+      @user ||= Ditty::User[user_id]
+    end
+
+    def detail
+      "#{request_method.upcase} #{fullpath} (#{self.class.name})"
+    end
+
+    private
+
+    def path_parts
+      @path_parts ||= path.split('?')[0][1..-1].split('/')
+    end
+
+    def check_part(val)
+      return val if val.nil?
+      return [] if [endpoint, '_all'].include?(val) && !WRITE_METHODS.include?(request_method)
+      val.split(',')
+    end
+
+    class << self
+      def from_env(env)
+        endpoint = path_endpoint(env['REQUEST_PATH'])
+        endpoint_class = endpoint.nil? ? 'index' : endpoint[1..-1]
+        begin
+          require 'proxes/request/' + endpoint_class.downcase
+          Request.const_get(endpoint_class.titlecase).new(env)
+        rescue LoadError
+          new(env)
+        end
+      end
+
+      def path_endpoint(path)
+        return '_root' if ['', nil, '/'].include? path
+        path_parts = path[1..-1].split('/')
+        return path_parts[-1] if ID_ENDPOINTS.include? path_parts[-1]
+        return path_parts[-2] if path_parts[-1] == 'count' && path_parts[-2] == '_percolate'
+        return path_parts[-2] if path_parts[-1] == 'scroll' && path_parts[-2] == '_search'
+        path_parts.find { |part| part[0] == '_' }
+      end
+    end
+  end
+end