ros-core 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: fa0abdc1ded91db064f338783e2d106403613a1bb1e3eb5fe895cdf417ecd682
+  data.tar.gz: 2a10b4e370a34c8b099a576b198d92129e6a4e6077531aa9c7d7b0b6bc915e6c
+SHA512:
+  metadata.gz: 62f0fd52ac519d27eca58a2eb13069376771b14169b521ca06576c5797984559da98071fdd1cb1b74366819659b57f50873cb8e143c2b95114b480928cdba43d
+  data.tar.gz: 0707dfdb6114e8e8fa34ede206c37324195ea33d8bd3c3b994315c4939179d3ef576091918f0a27b456e02843e896f6b41e6e24727862aee70ae8c41e5e25617

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2019 Robert Roach
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,3 @@
+## Summary
+
+Created by rails-templates

data/Rakefile

@@ -0,0 +1,22 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Ros::Core'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("spec/dummy/Rakefile", __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'

data/app/controllers/ros/application_controller.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Ros
+  class ApplicationController < ::ApplicationController
+    include JSONAPI::ActsAsResourceController
+    rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+    include OpenApi::DSL
+
+    before_action :authenticate_it!
+    before_action :set_raven_context, if: -> { Settings.credentials.sentry_dsn }
+
+    def authenticate_it!
+      return unless @current_user = request.env['warden'].authenticate!(:api_token)
+      # set_jwt if request.env['HTTP_AUTHORIZATION'].starts_with?('Basic')
+      response.set_header('AUTHORIZATION', "Bearer #{jwt}") if request.env['HTTP_AUTHORIZATION'].starts_with?('Basic')
+
+      # render(status: :unauthorized, json: { errors: [{
+      #   status: 401, code: 'unauthorized', title: 'Unauthorized'
+      # }]})
+      # throw(:abort) unless @current_user
+    end
+
+    # def set_jwt; response.set_header('AUTHORIZATION', "Bearer #{jwt}") end
+
+    def jwt; Jwt.encode(current_user.jwt_payload) end
+
+    def current_user;  @current_user end
+
+    # Methods for Pundit
+    def context; { user: current_user } end
+    def user_not_authorized; head :forbidden end
+
+    def set_raven_context
+      # Raven.user_context(id: session[:current_user_id]) # or anything else in session
+      Raven.extra_context(params: params.to_unsafe_h, url: request.url, tenant: Apartment::Tenant.current)
+    end
+
+    # Documentation
+    api_dry [:index, :show] do
+      query :page, Integer
+    end
+  end
+end

data/app/controllers/tenants_controller.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class TenantsController < Ros::ApplicationController
+end

data/app/docs/application_doc.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ApplicationDoc
+  include OpenApi::DSL
+end

data/app/docs/tenants_doc.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class TenantsDoc < ApplicationDoc
+  route_base '/v1/tenants'
+
+  api :index do
+    # ...
+  end
+end

data/app/models/concerns/api_belongs_to.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module ApiBelongsTo
+  # NOTE: Allows microservices to talk to each other using the api-client library
+  # fail ArgumentError,
+  #  "Column #{model_id} does not exist on #{name}" unless column_names.include?(foreign_key_column)
+  extend ActiveSupport::Concern
+
+  class_methods do
+    # Reads a GID, caches and returns the result with a simple declaration
+    # Example: api_belongs_to :user, class_name: 'Ros::IAM::User'
+    def api_belongs_to(model_name, class_name: nil, foreign_key: nil, polymorphic: nil)
+      model_name = model_name.to_s
+      class_name = class_name || model_name.classify
+      attr_type = polymorphic ? "#{model_name}_type" : model_name
+      attr_id = "#{model_name}_id"
+      gid_name = "#{model_name}_gid"
+
+      # defines a method that returns a GlobalID in format: gid://internal/Service::Model/:id
+      # Example: api_belongs_to :user, class_name: 'Ros::IAM::User'
+      # creates a method named #user_gid that returns a GlobalID representing that instance's gid referencing :user
+      define_method(gid_name) do
+        current_id = send(attr_id)&.to_s
+        unless instance_variable_get("@#{gid_name}")&.model_id == current_id
+          gid_string = "gid://internal/#{polymorphic ? send(attr_type) : class_name}/#{current_id}"
+          instance_variable_set("@#{gid_name}", current_id.blank? ? nil : GlobalID.new(gid_string))
+        end
+        instance_variable_get("@#{gid_name}")
+      end
+
+      # defines a method that returns a model from a remote service
+      # Example: api_belongs_to :user, class_name: 'Ros::IAM::User'
+      # creates a method named #user that returns an object from the GlobalID
+      define_method(model_name) do
+        current_id = send(attr_id)&.to_s
+        unless instance_variable_get("@#{model_name}")&.id == current_id
+          instance_variable_set("@#{model_name}", current_id.blank? ? nil : GlobalID::Locator.locate(send(gid_name)).first)
+        end
+        instance_variable_get("@#{model_name}")
+      end
+
+      # defines a method that takes an object and updates the associated _id and _gid values
+      # Example: api_belongs_to :user, class_name: 'Ros::IAM::User'
+      # creates a method named #user= that takes an object of type Ros::IAM::User and sets it on the model
+      define_method("#{model_name}=") do |obj|
+        fail ArgumentError, "Must be of type #{obj}" unless polymorphic || obj.class.name.eql?(class_name)
+        send("#{attr_id}=", obj.id)
+        send("#{attr_type}=", obj.class.name) if polymorphic
+        instance_variable_set("@#{model_name}", obj)
+        instance_variable_set("@#{gid_name}", obj.to_gid)
+      end
+    end
+  end
+end

data/app/models/concerns/ros/tenant_concern.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module Ros
+  module TenantConcern
+    extend ActiveSupport::Concern
+  
+    class_methods do
+      def excluded_models
+        %w(Tenant)
+      end
+
+      def urn_id; :account_id end
+  
+      def public_schema_endpoints; [] end
+  
+      def schema_name_for(id:)
+        Tenant.find_by(id: id)&.schema_name || public_schema
+      end
+  
+      def schema_name_from(account_id: nil, id: nil)
+        if account_id and (tenant = Tenant.find_by(schema_name: account_id_to_schema(account_id)))
+          return tenant.schema_name
+        elsif id and (tenant = Tenant.find_by(id: id))
+          return tenant.schema_name
+        end
+      end
+
+      def account_id_to_schema(account_id) 
+        account_id.to_s.scan(/.{3}/).join('_')
+      end
+  
+      def public_schema
+        case ActiveRecord::Base.connection.class.name
+        when 'ActiveRecord::ConnectionAdapters::SQLite3Adapter'
+          nil
+        when 'ActiveRecord::ConnectionAdapters::PostgreSQLAdapter'
+          'public'
+        end
+      end
+    end
+  
+    included do
+      attr_reader :account_id
+
+      validates :schema_name, presence: true, length: { is: 11 }
+
+      validate :fixed_values_unchanged, if: :persisted?
+  
+      after_create :create_schema
+  
+      after_destroy :destroy_schema
+
+      def fixed_values_unchanged
+        errors.add(:schema_name, 'schema_name cannot be changed') if schema_name_changed?
+      end
+
+      def account_id
+        @account_id ||= schema_name.remove('_')
+      end
+
+      def current_tenant
+        self
+      end
+
+      def switch!
+        Apartment::Tenant.switch!(schema_name)
+      end
+
+      def switch
+        Apartment::Tenant.switch(schema_name) do
+          yield
+        end
+      end
+  
+      # NOTE: This method is very important!
+      # Called by RpcWorker#receive and TenantMiddleware#parse_tenant_name
+      # It parses a request hash and sets the necessary RequestStere settings
+      # The caller then uses these settings to select the appropriate schema for the request to operate on
+# TODO: This is probably where the JWT will be processed; Or it will already be decrypted and values put into the header
+# NOTE: Either way, the request header needs to put the tenant somewhere so logging can be done per tenant
+      def self.set_request_store(request_hash)
+        request = RequestStore.store[:tenant_request] = ApiAll::TenantRequest.new(request_hash)
+        raise ArgumentError, 'Tenant schema is nil!' unless request.schema_name
+        RequestStore.store[:tenant] = find_by!(schema_name: request.schema_name)
+      end
+  
+      def create_schema
+        Apartment::Tenant.create(schema_name)
+        Rails.logger.info("Tenant created: #{schema_name}")
+      rescue Apartment::TenantExists => e
+        Rails.logger.warn("Failed to create tenant (already exists): #{schema_name}")
+        raise e if Rails.env.production? # Don't raise an exception in dev mode so to allow seeds to work
+      end
+  
+      def destroy_schema
+        Apartment::Tenant.drop(schema_name)
+        Rails.logger.info("Tenant dropped: #{schema_name}")
+      rescue Apartment::TenantNotFound => e
+        Rails.logger.warn("Failed to drop tenant (not found): #{schema_name}")
+        raise e if Rails.env.production? # Don't raise an exception in dev mode so to allow seeds to work
+      end
+    end
+  end
+end

data/app/models/ros/application_record.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Ros
+  # ALL models inherit from this class
+  class ApplicationRecord < ::ApplicationRecord
+    self.abstract_class = true
+    include ApiBelongsTo
+
+    # urn:partition:service:region:account_id:resource_type
+    # def self.to_urn; "#{urn_base}:#{current_tenant.try(:account_id)}:#{name.underscore}" end
+    def self.to_urn; "#{urn_base}:#{account_id}:#{name.underscore}" end
+
+    def self.account_id
+      Apartment::Tenant.current.eql?('public') ? '' : Apartment::Tenant.current.remove('_')
+    end
+
+    def self.current_tenant; Tenant.find_by(schema_name: Apartment::Tenant.current) end
+
+    # Universal Resource Name (URNs) and Service Namespaces
+    # urn:partition:service:region
+    def self.urn_base; "urn:#{Settings.service.partition_name}:#{Settings.service.name}:#{Settings.service.region}" end
+
+    def self.find_by_urn(value); find_by(urn_id => value) end
+
+    # urn:partition:service:region:account_id:resource_type/id
+    def to_urn; "#{self.class.to_urn}/#{send(self.class.urn_id)}" end
+
+    def current_tenant; self.class.current_tenant end
+
+    # NOTE: Override in model to provide a custom id
+    def self.urn_id; :id end
+  end
+end

data/app/policies/ros/application_policy.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+module Ros
+  class ApplicationPolicy
+    attr_reader :user, :record
+
+    def self.actions
+      descendants.reject{ |d| d.name.eql? 'ApplicationPolicy' }.each_with_object([]) do |policy, ary|
+        ary.concat(policy.accepted_actions.values.flatten)
+      end.uniq
+    end
+
+    def self.policies
+      descendants.reject{ |d| d.name.eql? 'ApplicationPolicy' }.each_with_object([]) do |policy, ary|
+        ary.concat(policy.accepted_policies.values.flatten)
+      end.uniq
+    end
+  
+    def initialize(user, record)
+      @user = user
+      @record = record
+    end
+  
+    # UserPolicy.new({ policies: ['IamFullAccess'] }, nil).index?
+    def index?
+      standard_check?
+    end
+  
+    def show?
+      standard_check?
+    end
+  
+    def create?
+      standard_check?
+    end
+  
+    def new?
+      create?
+    end
+  
+    def update?
+      standard_check?
+    end
+  
+    def edit?
+      update?
+    end
+  
+    def destroy?
+      standard_check?
+    end
+
+    class Scope
+      attr_reader :user, :scope
+  
+      def initialize(user, scope)
+        @user = user
+        @scope = scope
+      end
+  
+      def resolve
+        scope.all
+      end
+    end
+  
+    # def self.policies
+    #   {
+    #     "#{policy_name}FullAccess": {
+    #       Effect: 'Allow',
+    #       Action: "#{policy_name}:*",
+    #       Resource: '*'
+    #     },
+    #     "#{policy_name}ReadOnlyAccess": {
+    #       Effect: 'Allow',
+    #       Action: ["#{policy_name}:Get*", "#{policy_name}:List*"],
+    #       Resource: '*'
+    #     }
+    #   }
+    # end
+    #
+    def service; Settings.service.name.eql?('iam') ? :local : :remote end
+
+    def standard_check?
+      action = caller_locations(1,1)[0].label.to_sym
+# Just like apartment, this will need code for if in IAM or in remote
+      if service.eql?(:local)
+        (user.policies.pluck(:name) & accepted_policies(action)).any? || (user.actions.pluck(:name) & accepted_actions(action)).any?
+      else
+        (user.policies & accepted_policies(action)).any? || (user.actions.pluck(:name) & accepted_actions(action)).any?
+      end
+    end
+
+    def accepted_policies(action); self.class.accepted_policies[action] || [] end
+    def accepted_actions(action); self.class.accepted_actions[action] || [] end
+
+    def self.accepted_policies
+      {
+        index?: [
+          "AdministratorAccess",
+          "#{policy_name}FullAccess",
+          "#{policy_name}ReadOnlyAccess",
+        ],
+        show?: [
+          "AdministratorAccess",
+          "#{policy_name}ReadOnlyAccess",
+        ],
+        create?: [
+          "AdministratorAccess",
+          "#{policy_name}FullAccess",
+        ],
+        update?: [
+          "AdministratorAccess",
+          "#{policy_name}FullAccess",
+        ],
+        destroy?: [
+          "AdministratorAccess",
+          "#{policy_name}FullAccess",
+        ]
+      }
+    end
+
+    def self.accepted_actions
+      {
+        index?: [
+          "#{policy_name}List#{model_name.pluralize}"
+        ],
+        create?: [
+          "#{policy_name}Create#{model_name}"
+        ]
+      }
+    end
+
+    def self.policy_name; Settings.service.policy_name end
+
+    def self.model_name
+      "#{name.gsub('Policy', '')}"
+    end
+  end
+end