rails_base 0.51.0

data/app/models/rails_base/user_constants.rb

@@ -0,0 +1,28 @@
+module RailsBase
+  module UserConstants
+    ADMIN_ENUMS = [
+      ADMIN_ROLE_NONE = :none,
+      ADMIN_ROLE_VIEW_ONLY = :view_only,
+      ADMIN_ROLE_SUPER = :super,
+      ADMIN_ROLE_OWNER = :owner,
+    ]
+
+    SOFT_DESTROY_PARAMS = {
+      mfa_enabled: false,
+      email_validated: false,
+      last_mfa_login: nil,
+      encrypted_password: '',
+      phone_number: nil,
+    }
+
+    SAFE_AUTOMAGIC_UPGRADE_COLS = {
+      active: ->(user) { RailsBase.config.admin.active_tile_users?(user) } ,
+      admin: ->(user) { RailsBase.config.admin.admin_type_tile_users?(user) } ,
+      email: ->(user) { RailsBase.config.admin.email_tile_users?(user) } ,
+      email_validated: ->(user) { RailsBase.config.admin.email_validate_tile_users?(user) } ,
+      mfa_enabled: ->(user) { RailsBase.config.admin.mfa_tile_users?(user) } ,
+      phone_number: ->(user) { RailsBase.config.admin.phone_tile_users?(user) } ,
+      last_known_timezone: ->(user) { RailsBase.config.admin.modify_timezone_tile_users?(user) }
+    }
+  end
+end

data/app/models/secret.rb

@@ -0,0 +1,37 @@
+# == Schema Information
+#
+# Table name: secrets
+#
+#  id         :bigint           not null, primary key
+#  version    :integer
+#  secret     :text(65535)
+#  name       :string(255)
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+
+class Secret < RailsBase::ApplicationRecord
+  class << self
+    def update(name:, secret:)
+      next_version = get_secrets(name: name).select(:version).last&.version || 0
+      next_version += 1 # always increase the version
+
+      instance = new(version: next_version, name: name, secret: secret)
+      instance.save!
+
+      instance
+    end
+
+    def get_current_secret(name:)
+      get_secrets(name: name).last
+    end
+
+    def get_secret_range(name:, range: [-2..-1])
+      where(name: name)[*range]
+    end
+
+    def get_secrets(name:)
+      where(name: name)
+    end
+  end
+end

data/app/models/short_lived_data.rb

@@ -0,0 +1,132 @@
+# == Schema Information
+#
+# Table name: short_lived_data
+#
+#  id                      :bigint           not null, primary key
+#  user_id                 :integer          not null
+#  data                    :string(255)      not null
+#  reason                  :string(255)
+#  death_time              :datetime         not null
+#  extra                   :string(255)
+#  created_at              :datetime         not null
+#  updated_at              :datetime         not null
+#  exclusive_use_count     :integer          default(0)
+#  exclusive_use_count_max :integer
+#
+
+class ShortLivedData < RailsBase::ApplicationRecord
+  self.table_name = 'short_lived_data'
+
+  DEFAULT_TIME_TO_LIVE = 1.hour.freeze
+  LENGTH_OF_HEX = 64.freeze
+  MAX_ATTEMPTS = 10.freeze
+  VALID_DATA_USE_LENGTH = [:numeric, :alphanumeric, :hex].freeze
+  VALID_DATA_NON_LENGTH = [:uuid]
+  VALID_DATA_USE = [VALID_DATA_NON_LENGTH, VALID_DATA_USE_LENGTH].flatten.freeze
+
+  class << self
+    # ShortLivedData.create_data_key(user: User.first, ttl: 5.hours)
+    def create_data_key(user:, max_use: nil, data: nil, data_use: :alphanumeric, expires_at: nil, ttl: DEFAULT_TIME_TO_LIVE, reason: 'default', length: LENGTH_OF_HEX, extra: nil)
+      raise ":ttl is expected to be an ActiveSupport::Duration" unless ttl.is_a?(ActiveSupport::Duration)
+
+      if data.nil?
+        data = generate_secure_datum(data_use, length: length)
+        attempt = 0
+        while get_by_data(data: data, reason: reason)
+          Rails.logger.warn "Data key already in use for #{data_use}. Attempt #{attempt} for reason #{reason} for user_id #{user.id}"
+          data = generate_secure_hex(data_use, length: length)
+          attempt +=1
+          raise "Failed to generate unique id. Attempted #{attempt} times" if attempt >= MAX_ATTEMPTS
+        end
+      end
+
+      # expires at takes precedence since this is a dangerous oeration and should only be done with caution
+      # dangerous because of time zone checks --- we dont do that
+      death_time = Time.now + ttl
+      death_time = expires_at if expires_at
+
+      create(user_id: user.id, data: data, death_time: death_time, reason: reason, extra: extra, exclusive_use_count_max: max_use)
+    end
+
+    def get_by_data(data:, reason: nil)
+      # data is indexed and uniq
+      params = { data: data, reason: reason }.compact
+      where(params).first
+    end
+
+    def generate_secure_datum(data_use, length: LENGTH_OF_HEX)
+      case data_use.to_sym
+      when :numeric
+        return rand.to_s[2..(2+(length-1))]
+      when *VALID_DATA_USE_LENGTH
+        return SecureRandom.public_send(data_use, length)
+      when *VALID_DATA_NON_LENGTH
+        return SecureRandom.public_send(data_use)
+      else
+        raise ArgumentError, "Unexpected data_use: Expected #{VALID_DATA_USE}. given [#{data_use}]"
+      end
+    end
+
+    def find_datum(data:, reason: nil, access_count: true)
+      datum = get_by_data(data: data, reason: reason)
+
+      params = {
+        user: datum&.user,
+        use_count: datum&.exclusive_use_count,
+        max_use_count: datum&.exclusive_use_count_max,
+        valid: datum&.is_valid? || false,
+        invalid_reason: datum&.invalid_reason || ['Forbidden. Invalid usecase'],
+        found: !datum.nil?,
+        extra: datum&.extra,
+        access_count_proc: -> { datum&.add_access_count! }
+      }
+      datum&.add_access_count! if access_count
+
+      return params unless params[:valid]
+
+      if reason && (datum&.reason.to_sym != reason.to_sym)
+        params[:valid] = false
+        params[:invalid_reason] = ['Unknown reason for datum field']
+      end
+
+      params
+    end
+  end
+
+  def add_access_count!
+    # only update if count is valid and we can add things -- save db call
+    return false unless used_count_valid?
+
+    update_attributes(exclusive_use_count: exclusive_use_count + 1)
+  end
+
+  def invalid_reason
+    arr = []
+    arr << 'too many uses' unless used_count_valid?
+    arr << 'expired' unless still_alive?
+    arr
+  end
+
+  def is_valid?
+    used_count_valid? && still_alive?
+  end
+
+  def still_alive?
+    (death_time).to_f > Time.now.to_f
+  end
+
+  def used_count_valid?
+    return true if exclusive_use_count_max.nil?
+
+    return exclusive_use_count < exclusive_use_count_max
+  end
+
+  def user
+    @user ||= User.find(user_id)
+  end
+
+  def user=(u)
+    update_attributes(user_id: u.id)
+    u.id
+  end
+end

data/app/models/user.rb

@@ -0,0 +1,143 @@
+# == Schema Information
+#
+# Table name: users
+#
+#  id                         :bigint           not null, primary key
+#  first_name                 :string(255)      default(""), not null
+#  last_name                  :string(255)      default(""), not null
+#  phone_number               :string(255)
+#  last_mfa_login             :datetime
+#  email_validated            :boolean          default(FALSE)
+#  mfa_enabled                :boolean          default(FALSE), not null
+#  active                     :boolean          default(TRUE), not null
+#  admin                      :string(255)
+#  last_known_timezone        :string(255)
+#  last_known_timezone_update :datetime
+#  email                      :string(255)      default(""), not null
+#  encrypted_password         :string(255)      default(""), not null
+#  reset_password_token       :string(255)
+#  reset_password_sent_at     :datetime
+#  remember_created_at        :datetime
+#  sign_in_count              :integer          default(0), not null
+#  current_sign_in_at         :datetime
+#  last_sign_in_at            :datetime
+#  current_sign_in_ip         :string(255)
+#  last_sign_in_ip            :string(255)
+#  created_at                 :datetime         not null
+#  updated_at                 :datetime         not null
+#
+class User < RailsBase::ApplicationRecord
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :trackable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable, :timeoutable, :trackable
+
+  include RailsBase::UserConstants
+
+  validate :enforce_owner, if: :will_save_change_to_admin?
+  validate :enforce_admin_type, if: :will_save_change_to_admin?
+
+  def self._def_admin_convenience_method!(admin_method:)
+    types = RailsBase.config.admin.admin_types
+    #### metods on the instance
+    define_method("at_least_#{admin_method}?") do
+      i = types.find_index(admin.to_sym)
+      i >= types.find_index(admin_method.to_sym)
+    end
+
+    define_method("admin_#{admin_method}?") do
+      admin.to_sym == admin_method
+    end
+
+    define_method("admin_#{admin_method}!") do
+      update_attributes!(admin: admin_method)
+    end
+
+    #### metods on the class
+    define_singleton_method("admin_#{admin_method}s") do
+      where(admin: admin_method)
+    end
+
+    define_singleton_method("admin_#{admin_method}") do
+      arr = [admin_method]
+      arr = [admin_method, '', nil] if ADMIN_ROLE_NONE == admin_method
+      where(admin: arr)
+    end
+  end
+
+  def self.time_bound
+    Time.zone.now - RailsBase.config.auth.mfa_time_duration
+  end
+
+  def admin
+    (self[:admin].presence || ADMIN_ROLE_NONE).to_sym
+  end
+
+  def full_name
+  	"#{first_name} #{last_name}"
+  end
+
+  def past_mfa_time_duration?
+    return true if last_mfa_login.nil?
+
+    last_mfa_login < self.class.time_bound
+  end
+
+  def set_last_mfa_login!(time: Time.zone.now)
+    update(last_mfa_login: time)
+  end
+
+  def masked_phone
+    return nil unless phone_number
+
+    "(#{phone_number[0]}**) ****-**#{phone_number[-2..-1]}"
+  end
+
+  def soft_destroy_user!
+    update(SOFT_DESTROY_PARAMS)
+  end
+
+  def destroy_user!
+    self.delete
+  end
+
+  def inspect_name
+    "[#{id}]: #{full_name}"
+  end
+
+  def update_tz(tz_name:)
+    return if last_known_timezone == tz_name
+
+    Rails.logger.info { "#{id}: Setting tz_name: #{tz_name}"  }
+    update_attributes(last_known_timezone: tz_name, last_known_timezone_update: Time.now )
+  end
+
+  def timezone
+    RailsBase.config.user.user_timezone(self)
+  end
+
+  def convert_time(time:)
+    time.in_time_zone(timezone)
+  end
+
+  private
+
+  def enforce_admin_type
+    from, to = admin_change_to_be_saved
+    return if RailsBase.config.admin.admin_types.include?(to.to_sym)
+
+    errors.add(:admin, "Undefined admin type. Expected #{RailsBase.config.admin.admin_types}. Given #{to}")
+  end
+
+  def enforce_owner
+    from, to = admin_change_to_be_saved
+    # skip validation event if we are not updating to owner role
+    return if to.to_sym != ADMIN_ROLE_OWNER
+
+    # add 1 because we are trying to change the current user to ADMIN_ROLE_OWNER
+    count = User.where(admin: ADMIN_ROLE_OWNER).count + 1
+    return if count <= RailsBase.config.owner.max
+
+    errors.add(:admin, "unable to have more than #{RailsBase.config.owner.max} owner(s).")
+  end
+end

data/app/services/rails_base/admin_risky_mfa_send.rb

@@ -0,0 +1,80 @@
+require 'twilio_helper'
+require 'velocity_limiter'
+
+module RailsBase
+  class AdminRiskyMfaSend < RailsBase::ServiceBase
+    include ActionView::Helpers::DateHelper
+    include VelocityLimiter
+
+    class NoPhoneNumber < StandardError; end
+
+    MAX_USE_COUNT = 1.freeze
+    DATA_USE = :numeric
+    EXPIRES_AT = 1.minutes
+
+    delegate :user, to: :context
+    delegate :reason, to: :context
+
+    def call
+      validate_phone!
+
+      velocity = velocity_limit_reached?
+      context.fail!(message: velocity[:msg]) if velocity[:reached]
+
+      data_point = create_short_lived_data
+      send_twilio!(data_point.data)
+      context.short_lived_data = data_point
+      context.message = "MFA code has been succesfully sent. you have #{EXPIRES_AT}"
+    end
+
+    def send_twilio!(code)
+      TwilioJob.perform_later(message: message(code), to: user.phone_number)
+      log(level: :info, msg: "Sent twilio message to #{user.phone_number}")
+    rescue StandardError => e
+      log(level: :error, msg: "Error caught #{e.class.name}")
+      log(level: :error, msg: "Failed to send sms to #{user.phone_number}")
+      context.fail!(message: "Failed to send sms. Please retry logging in.")
+    end
+
+    def message(code)
+      "Hello #{user.full_name}. Here is your admin verification code #{code}."
+    end
+
+    def create_short_lived_data
+      params = {
+        user: user,
+        max_use: MAX_USE_COUNT,
+        reason: reason,
+        data_use: DATA_USE,
+        expires_at: EXPIRES_AT.from_now,
+        length: Authentication::Constants::MFA_LENGTH,
+      }
+      ShortLivedData.create_data_key(params)
+    end
+
+    def velocity_max_in_frame
+      RailsBase.config.admin.admin_velocity_max_in_frame
+    end
+
+    def velocity_max
+      RailsBase.config.admin.admin_velocity_max
+    end
+
+    def velocity_frame
+      RailsBase.config.admin.admin_velocity_frame
+    end
+
+    def cache_key
+      "#{self.class.name.downcase}.#{user.id}"
+    end
+
+    def validate_phone!
+      context.fail!(message: "No phone for user [#{user.id}] [#{user.phone_number}]") if user.phone_number.nil?
+    end
+
+    def validate!
+      raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+      raise "Expected reason to be a present." if reason.nil?
+    end
+  end
+end

data/app/services/rails_base/admin_update_attribute.rb

@@ -0,0 +1,100 @@
+module RailsBase
+  class AdminUpdateAttribute < RailsBase::ServiceBase
+    delegate :params, to: :context
+    delegate :klass_string, to: :context
+    delegate :admin_user, to: :context
+
+    def call
+      validate_model!
+      validate_model_row!
+
+      attribute = validate_attribute!
+      validate_permission!(attribute: attribute)
+      fail_attribute!(attribute: attribute)
+
+      original_value = model_row.public_send(attribute)
+      begin
+        model_row.update_attributes!(attribute => sanitized_value)
+      rescue ActiveRecord::RecordInvalid => e
+        context.fail!(message: "Failed to update [#{attribute}] with #{sanitized_value} on #{model}##{model_row.id}. #{e.message}")
+      rescue StandardError
+        context.fail!(message: "Failed to update [#{attribute}] with #{sanitized_value} on #{model}##{model_row.id}")
+      end
+      context.attribute = sanitized_value
+      context.original_attribute = original_value
+      context.model = model_row
+      context.message = "#{model}##{params[:id]} has changed attribute [#{attribute}] from [#{original_value}]=>#{sanitized_value}"
+    end
+
+    def fail_attribute!(attribute:)
+      if params[:_fail_].present?
+        log(level: :warn, msg: "FAIL param passed in. Automagic failure for admin update")
+        context.fail!(message: "Failed to update [#{attribute}] with #{sanitized_value} on #{model}##{model_row.id}")
+      end
+    end
+
+    def validate_permission!(attribute:)
+      proc = model::SAFE_AUTOMAGIC_UPGRADE_COLS[attribute]
+      return if proc.call(admin_user)
+
+      context.fail!(message: "User does not have permissions to update #{attribute}")
+    end
+
+    def validate_attribute!
+      attribute = params[:attribute].to_sym
+      unless model::SAFE_AUTOMAGIC_UPGRADE_COLS.keys.include?(attribute)
+        context.fail!(message: "#{attribute} is not part of allowed updatable columns")
+      end
+      attribute
+    end
+
+    def sanitized_value
+      case params[:value]
+      when 'true'
+        true
+      when 'false'
+        false
+      else
+        params[:value]
+      end
+    end
+
+    def model
+      @model ||= klass_string ? klass_string.constantize : User
+    end
+
+    def model_row
+      @model_row ||= begin
+        model.find(params[:id])
+      rescue ActiveRecord::RecordNotFound
+        nil
+      end
+    end
+
+    def validate_model_row!
+      return if model_row
+
+      context.fail!(message: "Failed to find id:#{params[:id]} on model: #{model}")
+    end
+
+    def validate_model!
+      begin
+        model
+      rescue StandardError
+        context.fail!(message: "Failed to find model")
+      end
+
+      begin
+        model::SAFE_AUTOMAGIC_UPGRADE_COLS
+      rescue StandardError
+        context.fail!(message: "#{model}::SAFE_AUTOMAGIC_UPGRADE_COLS array does not exist")
+      end
+    end
+
+    def validate!
+      raise "Expected params to be a Hash. Received #{params.class}" unless [ActionController::Parameters, Hash].include?(params.class)
+      raise "Expected params to have a id. Received #{params[:id]}" if params[:id].nil?
+      raise "Expected admin_user." if admin_user.nil?
+    end
+  end
+end