rhino_project_core 0.20.0.alpha.0

data/lib/generators/rhino/module/templates/test/dummy/config/initializers/devise_token_auth.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+DeviseTokenAuth.setup do |config|
+  config.cookie_enabled = true
+  config.cookie_attributes = {
+    secure: true,
+    httponly: true,
+    expires: 1.day,
+    same_site: "None"
+    # WARNING: the :domain attribute specifies to whom the cookie will be sent to. It's recommended to leave it empty, so it acts in the most restrictive way as per https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#domain-and-path-attributes
+  }
+  # By default the authorization headers will change after each request. The
+  # client is responsible for keeping track of the changing tokens. Change
+  # this to false to prevent the Authorization header from changing after
+  # each request.
+  config.change_headers_on_each_request = false
+
+  # By default, users will need to re-authenticate after 2 weeks. This setting
+  # determines how long tokens will remain valid after they are issued.
+  # config.token_lifespan = 2.weeks
+
+  # Limiting the token_cost to just 4 in testing will increase the performance of
+  # your test suite dramatically. The possible cost value is within range from 4
+  # to 31. It is recommended to not use a value more than 10 in other environments.
+  config.token_cost = Rails.env.test? ? 4 : 10
+
+  # Sets the max number of concurrent devices per user, which is 10 by default.
+  # After this limit is reached, the oldest tokens will be removed.
+  # config.max_number_of_devices = 10
+
+  # Sometimes it's necessary to make several requests to the API at the same
+  # time. In this case, each request in the batch will need to share the same
+  # auth token. This setting determines how far apart the requests can be while
+  # still using the same auth token.
+  # config.batch_request_buffer_throttle = 5.seconds
+
+  # This route will be the prefix for all oauth2 redirect callbacks. For
+  # example, using the default '/omniauth', the github oauth2 provider will
+  # redirect successful authentications to '/omniauth/github/callback'
+  config.omniauth_prefix = "/api/auth/omniauth"
+
+  # By default sending current password is not needed for the password update.
+  # Uncomment to enforce current_password param to be checked before all
+  # attribute updates. Set it to :password if you want it to be checked only if
+  # password is updated.
+  # config.check_current_password_before_update = :attributes
+
+  # By default we will use callbacks for single omniauth.
+  # It depends on fields like email, provider and uid.
+  # config.default_callbacks = true
+
+  # Makes it possible to change the headers names
+  # config.headers_names = {:'access-token' => 'access-token',
+  #                        :'client' => 'client',
+  #                        :'expiry' => 'expiry',
+  #                        :'uid' => 'uid',
+  #                        :'token-type' => 'token-type' }
+
+  # By default, only Bearer Token authentication is implemented out of the box.
+  # If, however, you wish to integrate with legacy Devise authentication, you can
+  # do so by enabling this flag. NOTE: This feature is highly experimental!
+  # config.enable_standard_devise_support = false
+
+  # By default DeviseTokenAuth will not send confirmation email, even when including
+  # devise confirmable module. If you want to use devise confirmable module and
+  # send email, set it to true. (This is a setting for compatibility)
+  # config.send_confirmation_email = true
+
+  config.default_confirm_success_url = "#{ENV['FRONT_END_URL']}/auth/signin"
+  config.default_password_reset_url = "#{ENV['FRONT_END_URL']}/auth/reset-password"
+end

data/lib/generators/rhino/module/templates/test/test_helper.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require "simplecov" if ENV["COVERAGE"]
+
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+
+require_relative "../test/dummy/config/environment"
+ActiveRecord::Migrator.migrations_paths = [File.expand_path("../test/dummy/db/migrate", __dir__)]
+require "rails/test_help"
+
+require "rhino/test_case"
+
+# Filter out the backtrace from minitest while preserving the one from other libraries.
+Minitest.backtrace_filter = Minitest::BacktraceFilter.new
+
+# Load fixtures from the engine
+if ActiveSupport::TestCase.respond_to?(:fixture_path=)
+  ActiveSupport::TestCase.fixture_path = File.expand_path("fixtures", __dir__)
+  ActionDispatch::IntegrationTest.fixture_path = ActiveSupport::TestCase.fixture_path
+  ActiveSupport::TestCase.file_fixture_path = File.expand_path("fixtures/files", __dir__)
+  ActiveSupport::TestCase.fixtures :all
+end
+
+# Load all test helpers
+# https://guides.rubyonrails.org/testing.html#eagerly-requiring-helpers
+# But we are in an engine so use that root - Rails.root would point to dummy
+Dir[Rhino::Engine.root.join("test", "test_helpers", "**", "*.rb")].each { |file| require file }
+
+class ActiveSupport::TestCase
+  # Run tests in parallel with specified workers
+  parallelize(workers: :number_of_processors)
+
+  # make each process running tests a separate command for simple cov.
+  # in the end, they will all get merged and not overwrite each other's results
+  # https://github.com/simplecov-ruby/simplecov/issues/718#issuecomment-538201587
+
+  parallelize_setup do |worker|
+    SimpleCov.command_name "#{SimpleCov.command_name}-#{worker}" if ENV["COVERAGE"]
+
+    # https://guides.rubyonrails.org/active_storage_overview.html#discarding-files-created-during-tests
+    ActiveStorage::Blob.service.root = "#{ActiveStorage::Blob.service.root}-#{worker}"
+  end
+
+  parallelize_teardown do |_worker|
+    SimpleCov.result if ENV["COVERAGE"]
+
+    # https://guides.rubyonrails.org/active_storage_overview.html#cleaning-up-fixtures
+    FileUtils.rm_rf(ActiveStorage::Blob.services.fetch(:test).root)
+  end
+
+  # Add more helper methods to be used by all tests here...
+  include FactoryBot::Syntax::Methods
+end

data/lib/generators/rhino/policy/policy_generator.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Rhino
+  class PolicyGenerator < ::Rails::Generators::NamedBase
+    source_root File.expand_path("templates", __dir__)
+
+    class_option :parent, type: :string, default: "Rhino::ViewerPolicy", desc: "The parent class for the policy"
+
+    check_class_collision suffix: "Policy"
+
+    hook_for :test_framework, as: :rhino_policy
+
+    def create_policy_file
+      template "policy.rb", File.join("app/policies", class_path, "#{file_name}_policy.rb")
+    end
+
+    private
+      def parent_class_name
+        # FIXME: Does this really need to be top level namespaced?
+        return options[:parent] if options[:parent].starts_with?("::")
+
+        "::#{options[:parent]}"
+      end
+
+      def parent_scope_class_name
+        "#{parent_class_name}::Scope"
+      end
+
+      def file_name
+        @file_name ||= super.sub(/_policy\z/i, "")
+      end
+  end
+end

data/lib/generators/rhino/policy/templates/policy.rb.tt

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+<% module_namespacing do -%>
+class <%= class_name %>Policy < <%= parent_class_name %>
+  # NOTE: Be explicit about which action you allow!
+  # def index?
+  #   authorize_action(false)
+  # end
+
+  # def show?
+  #   authorize_action(false)
+  # end
+
+  # def create?
+  #   authorize_action(false)
+  # end
+
+  # def update?
+  #   authorize_action(false)
+  # end
+
+  # def destroy?
+  #   authorize_action(false)
+  # end
+
+  # def permitted_attributes_for_create
+  #   super
+  #   super - [:name] # Remove the name attribute from the permitted attributes for create
+  # end
+
+  # def permitted_attributes_for_show
+  #   super
+  # end
+
+  # def permitted_attributes_for_update
+  #   super
+  # end
+
+  class Scope < <%= parent_scope_class_name %>
+    # NOTE: Be explicit about which records you allow access to!
+    # def resolve
+    #   scope.all
+    # end
+  end
+end
+<% end -%>

data/lib/generators/test_unit/rhino_policy_generator.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module TestUnit
+  module Generators
+    class RhinoPolicyGenerator < ::Rails::Generators::NamedBase
+      source_root File.expand_path("templates", __dir__)
+
+      def create_policy_test
+        template "policy_test.rb", File.join("test/policies", class_path, "#{file_name}_policy_test.rb")
+      end
+    end
+  end
+end

data/lib/generators/test_unit/templates/policy_test.rb.tt

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class <%= class_name %>PolicyTest < Rhino::TestCase::Policy
+  # Testing for a policy where users can view any blog, create, update and destroy their own
+  # but cannot update or destroy another users blog.
+
+  # def setup
+  #   @current_user = create :user
+  #   @another_user = create :user
+
+  #   @blog = Blog.create(title: "Test Blog", author: @current_user)
+  #   @another_user_blog = Blog.create(title: "Other Blog", author: @another_user)
+  # end
+
+  # test "allows create for user" do
+  #   assert_permit @current_user, Blog, :create
+  # end
+
+  # test "allows update for user" do
+  #   assert_permit @current_user, @blog, :update
+  # end
+
+  # test "does not allow update for another users blog" do
+  #   assert_not_permit @current_user, @another_user_blog, :update
+  # end
+
+  # test "allows destroy for user" do
+  #   assert_permit @current_user, @blog, :destroy
+  # end
+
+  # test "does not allow destroy for another users blog" do
+  #   assert_not_permit @current_user, @another_user_blog, :destroy
+  # end
+
+  # test "allows index for user and returns correct blogs" do
+  #   assert_permit @current_user, Blog, :index
+  #   assert_scope_only @current_user, Blog, [@blog, @another_user_blog]
+  # end
+
+  # test "allows show for user and returns correct blog" do
+  #   assert_permit @current_user, @blog, :show
+  #   assert_scope_only @current_user, @blog, [@blog]
+  # end
+
+  # test "allows show for another users blog" do
+  #   assert_permit @current_user, @another_user_blog, :show
+  #   assert_scope_only @current_user, [@another_user_blog]
+  # end
+
+  # If the user could instead not show another users blog, the following test could be used instead
+  ## test "does not allow show for another users blog" do
+  ##   assert_not_permit @current_user, @another_user_blog, :show
+  ##   assert_scope_empty @current_user, @another_user_blog
+  ## end
+end

data/lib/rhino/engine.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "rhino/version"
+
+# https://guides.rubyonrails.org/engines.html#other-gem-dependencies
+require "activeadmin"
+require "acts-as-taggable-on"
+require "ancestry"
+require "arel-helpers"
+require "countries"
+require "devise"
+require "devise_invitable"
+require "devise_token_auth"
+require "friendly_id"
+require "geocoder"
+require "omniauth"
+require "omniauth-azure-activedirectory-v2"
+require "omniauth-auth0"
+require "omniauth-facebook"
+require "omniauth-github"
+require "omniauth-google-oauth2"
+require "omniauth/rails_csrf_protection"
+require "rack/cors"
+require "pg_search"
+require "phonelib"
+require "pundit"
+require "segment/analytics"
+
+module Rhino
+  class Engine < ::Rails::Engine
+    config.before_configuration do
+      # When running the dummy apps through rails commands the .env file won't exist in the root
+      # but the DB_NAME variable will have been set by rhino_command; the rake task name will be
+      # set for rhino:dev:setup
+      if Rails.env.development? && (!File.exist?(Rails.root.join(".env")) && (!run_from_dummy? && !run_from_dev_setup? && !run_from_package?))
+        raise ".env file must exist in development - see README.md"
+      end
+    end
+
+    initializer "rhino.active_record_extension" do
+      ActiveSupport.on_load(:active_record) do
+        require_relative "resource/active_record_extension"
+        require_relative "resource/active_record_tree"
+        require_relative "resource/active_model_extension"
+
+        include Rhino::Resource::ActiveRecordExtension if Rhino.auto_include_active_record
+      end
+    end
+
+    initializer "rhino.active_storage_extension" do
+      ActiveSupport.on_load(:active_storage_attachment) do
+        require_relative "resource/active_storage_extension"
+
+        include Rhino::Resource::ActiveStorageExtension
+      end
+    end
+
+    # https://guides.rubyonrails.org/engines.html#overriding-models-and-controllers
+    # Use root instead of Rails.root to scope for this engine
+    initializer "rhino.overrides" do
+      overrides = "#{root}/app/overrides"
+      Rails.autoloaders.main.ignore(overrides)
+
+      config.to_prepare do
+        Dir.glob("#{overrides}/**/*_override.rb").each do |override|
+          load override
+        end
+      end
+    end
+
+    initializer "rhino.check_resources" do
+      config.after_initialize do
+        check_resources
+      end
+    end
+
+    initializer "rhino.resource_reloader" do
+      config.after_initialize do
+        Rails.application.reloader.to_prepare do
+          Rhino.resource_classes = nil
+        end
+      end
+    end
+
+    initializer "rhino.register_module" do
+      require "rhino/omniauth/strategies/azure_o_auth2"
+
+      config.after_initialize do
+        Rhino.registered_modules[:rhino] = {
+          version: Rhino::VERSION::STRING,
+          authOwner: Rhino.auth_owner.model_name.singular,
+          baseOwner: Rhino.base_owner.model_name.singular,
+          oauth: Rhino::OmniauthHelper.strategies_metadata,
+          allow_signup: Rhino.allow_signup
+        }
+      end
+    end
+
+    def top_level_references(resource)
+      # Handle things like rhino_references [{ blog_post: [:blog] }]
+      # Just check the top level ones for now
+      resource.references.flat_map { |ref| ref.is_a?(Hash) ? ref.keys : ref }
+    end
+
+    def unowned?(resource)
+      # Special case
+      return true if resource.ancestors.include?(Rhino::Resource::ActiveStorageExtension)
+
+      # Owners are not themselves owned
+      resource.auth_owner? || resource.base_owner? || resource.global_owner?
+    end
+
+    def check_owner_reflections
+      raise "#{Rhino.base_owner} must have reflection for #{Rhino.auth_owner}" if Rhino.base_to_auth.nil?
+
+      raise "#{Rhino.auth_owner} must have reflection for #{Rhino.base_owner}" if Rhino.auth_to_base.nil?
+    end
+
+    def check_ownership(resource)
+      return if unowned?(resource)
+
+      raise "#{resource} does not have rhino ownership set" unless resource.resource_owned_by.present?
+    end
+
+    def check_references(resource)
+      # Some resource types don't have reflections
+      top_level_reflections = resource.try(:reflections)&.keys&.map(&:to_sym) || []
+
+      # All references should have a reflection
+      delta = top_level_references(resource) - top_level_reflections
+
+      raise "#{resource} has references #{delta} that do not exist as associations" if delta.present?
+    end
+
+    def check_owner_reference(resource)
+      return if unowned?(resource)
+
+      # If its in the list, we're good
+      return if top_level_references(resource).include?(resource.resource_owned_by)
+
+      raise "#{resource} does not have a reference to its owner #{resource.resource_owned_by}"
+    end
+
+    def check_resources
+      check_owner_reflections
+
+      Rhino.resource_classes.each do |resource|
+        check_ownership(resource)
+        check_references(resource)
+        check_owner_reference(resource) if resource.ancestors.include?(Rhino::Resource::ActiveRecordExtension)
+      end
+    end
+
+    def self.run_from_dummy?
+      ENV["DB_NAME"].present?
+    end
+
+    def self.run_from_dev_setup?
+      defined?(Rake.application) && Rake.application.top_level_tasks == ["rhino:dev:setup"]
+    end
+
+    def self.run_from_package?
+      defined?(Rake.application) && Rake.application.top_level_tasks == ["package"]
+    end
+  end
+end

data/lib/rhino/omniauth/strategies/azure_o_auth2.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+return unless defined?(::OmniAuth::Strategies::AzureActivedirectoryV2)
+
+module Rhino
+  module Omniauth
+    module Strategies
+      class AzureOAuth2 < ::OmniAuth::Strategies::AzureActivedirectoryV2
+        option :name, "azure_oauth2"
+        option :callback_path, "/api/auth/omniauth/azure_oauth2/callback"
+      end
+    end
+  end
+end
+
+::OmniAuth::Strategies::AzureOauth2 = Rhino::Omniauth::Strategies::AzureOAuth2

data/lib/rhino/resource/active_model_extension/backing_store/google_sheet.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Rhino
+  module Resource
+    module ActiveModelExtension
+      module BackingStore
+        module GoogleSheet
+          extend ActiveSupport::Concern
+
+          def backing_store_update
+            attr_map = sheet.list.keys.index_by(&:downcase)
+
+            # ID won't be mapped
+            attrs = serializable_hash(except: :id).transform_keys { |k| attr_map[k] }
+
+            sheet.list[id - 1].update(attrs)
+
+            sheet.synchronize
+          end
+
+          def backing_store_destroy
+            sheet.delete_rows(id + 1, 1)
+
+            sheet.synchronize
+          end
+
+          included do
+            thread_mattr_accessor :google_client
+            thread_mattr_accessor :google_sheet
+            thread_mattr_accessor :google_worksheet
+
+            class_attribute :sheet_id, default: nil
+            class_attribute :work_sheet_title, default: nil
+
+            delegate :sheet, to: :class
+          end
+
+          class_methods do # rubocop:todo Metrics/BlockLength
+            def backing_store_index
+              sheet.reload
+
+              idx = 0
+              sheet.list.map do |row|
+                idx += 1
+                row_to_instance(row, idx)
+              end
+            end
+
+            def backing_store_create(model)
+              attr_map = sheet.list.keys.index_by(&:downcase)
+
+              # ID won't be mapped
+              attrs = model.serializable_hash(except: :id).transform_keys { |k| attr_map[k] }
+
+              sheet.list.push(attrs)
+
+              sheet.synchronize
+            end
+
+            def backing_store_show(id)
+              sheet.reload
+
+              row_to_instance(sheet.list[id.to_i - 1], id)
+            end
+
+            def sheet
+              return @google_worksheet if @google_worksheet
+
+              @google_client = GoogleDrive::Session.from_service_account_key(nil)
+
+              # Pass the sheet id
+              @google_sheet = @google_client.spreadsheet_by_key(sheet_id)
+
+              return @google_worksheet = @google_sheet.worksheet_by_title(work_sheet_title) if work_sheet_title
+
+              @google_worksheet = @google_sheet.worksheets[0]
+            end
+
+            def row_to_instance(row, id)
+              attrs = row.to_hash
+              attrs = attrs.transform_keys(&:downcase).transform_keys(&:to_sym)
+              new(attrs.merge(id:))
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rhino/resource/active_model_extension/backing_store.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Rhino
+  module Resource
+    module ActiveModelExtension
+      module BackingStore
+        extend ActiveSupport::Concern
+
+        def backing_store_update
+          raise NotImplementedError, "#update is not implemented for BackingStore"
+        end
+
+        def backing_store_destroy
+          raise NotImplementedError, "#destroy is not implemented for BackingStore"
+        end
+
+        class_methods do
+          def backing_store_create
+            raise NotImplementedError, "#create is not implemented for BackingStore"
+          end
+
+          def backing_store_index
+            raise NotImplementedError, "#index is not implemented for BackingStore"
+          end
+
+          def backing_store_show
+            raise NotImplementedError, "#show is not implemented for BackingStore"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rhino/resource/active_model_extension/describe.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Rhino
+  module Resource
+    module ActiveModelExtension
+      module Describe
+        extend ActiveSupport::Concern
+
+        class_methods do
+          def describe # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+            properties = all_properties.index_with { |p| describe_property(p) }
+
+            required = properties.reject { |_p, d| d[:nullable] || d[:readOnly] }.keys
+            # required: [] is not valid and will be compacted away
+            required = nil unless required.present?
+
+            {
+              "x-rhino-model": {
+                model: model_name.singular,
+                modelPlural: model_name.collection,
+                name: model_name.name.camelize(:lower),
+                pluralName: model_name.name.camelize(:lower).pluralize,
+                readableName: model_name.human,
+                pluralReadableName: model_name.human.pluralize,
+                ownedBy: resource_owned_by,
+                singular: route_singular?,
+                path: "#{Rhino.namespace}/#{route_path}"
+              },
+              type: :object,
+              properties:,
+              required:
+            }.compact
+          end
+        end
+      end
+    end
+  end
+end