stripe 1.27.2 → 5.33.0

data/lib/stripe/stripe_response.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Stripe
+  # StripeResponse encapsulates some vitals of a response that came back from
+  # the Stripe API.
+  class StripeResponse
+    # Headers provides an access wrapper to an API response's header data. It
+    # mainly exists so that we don't need to expose the entire
+    # `Net::HTTPResponse` object while still getting some of its benefits like
+    # case-insensitive access to header names and flattening of header values.
+    class Headers
+      # Initializes a Headers object from a Net::HTTP::HTTPResponse object.
+      def self.from_net_http(resp)
+        new(resp.to_hash)
+      end
+
+      # `hash` is expected to be a hash mapping header names to arrays of
+      # header values. This is the default format generated by calling
+      # `#to_hash` on a `Net::HTTPResponse` object because headers can be
+      # repeated multiple times. Using `#[]` will collapse values down to just
+      # the first.
+      def initialize(hash)
+        if !hash.is_a?(Hash) ||
+           !hash.keys.all? { |n| n.is_a?(String) } ||
+           !hash.values.all? { |a| a.is_a?(Array) } ||
+           !hash.values.all? { |a| a.all? { |v| v.is_a?(String) } }
+          raise ArgumentError,
+                "expect hash to be a map of string header names to arrays of " \
+                "header values"
+        end
+
+        @hash = {}
+
+        # This shouldn't be strictly necessary because `Net::HTTPResponse` will
+        # produce a hash with all headers downcased, but do it anyway just in
+        # case an object of this class was constructed manually.
+        #
+        # Also has the effect of duplicating the hash, which is desirable for a
+        # little extra object safety.
+        hash.each do |k, v|
+          @hash[k.downcase] = v
+        end
+      end
+
+      def [](name)
+        values = @hash[name.downcase]
+        if values && values.count > 1
+          warn("Duplicate header values for `#{name}`; returning only first")
+        end
+        values ? values.first : nil
+      end
+    end
+
+    # The data contained by the HTTP body of the response deserialized from
+    # JSON.
+    attr_accessor :data
+
+    # The raw HTTP body of the response.
+    attr_accessor :http_body
+
+    # A Hash of the HTTP headers of the response.
+    attr_accessor :http_headers
+
+    # The integer HTTP status code of the response.
+    attr_accessor :http_status
+
+    # The Stripe request ID of the response.
+    attr_accessor :request_id
+
+    # Initializes a StripeResponse object from a Net::HTTP::HTTPResponse
+    # object.
+    def self.from_net_http(http_resp)
+      resp = StripeResponse.new
+      resp.data = JSON.parse(http_resp.body, symbolize_names: true)
+      resp.http_body = http_resp.body
+      resp.http_headers = Headers.from_net_http(http_resp)
+      resp.http_status = http_resp.code.to_i
+      resp.request_id = http_resp["request-id"]
+      resp
+    end
+  end
+end

data/lib/stripe/util.rb

@@ -1,78 +1,107 @@
+# frozen_string_literal: true
+
+require "cgi"
+
 module Stripe
   module Util
-    def self.objects_to_ids(h)
-      case h
+    # Options that a user is allowed to specify.
+    OPTS_USER_SPECIFIED = Set[
+      :api_key,
+      :idempotency_key,
+      :stripe_account,
+      :stripe_version
+    ].freeze
+
+    # Options that should be copyable from one StripeObject to another
+    # including options that may be internal.
+    OPTS_COPYABLE = (
+      OPTS_USER_SPECIFIED + Set[:api_base]
+    ).freeze
+
+    # Options that should be persisted between API requests. This includes
+    # client, which is an object containing an HTTP client to reuse.
+    OPTS_PERSISTABLE = (
+      OPTS_USER_SPECIFIED + Set[:client] - Set[:idempotency_key]
+    ).freeze
+
+    def self.objects_to_ids(obj)
+      case obj
       when APIResource
-        h.id
+        obj.id
       when Hash
         res = {}
-        h.each { |k, v| res[k] = objects_to_ids(v) unless v.nil? }
+        obj.each { |k, v| res[k] = objects_to_ids(v) unless v.nil? }
         res
       when Array
-        h.map { |v| objects_to_ids(v) }
+        obj.map { |v| objects_to_ids(v) }
       else
-        h
+        obj
       end
     end
 
     def self.object_classes
-      @object_classes ||= {
-        # data structures
-        'list' => ListObject,
-
-        # business objects
-        'account' => Account,
-        'application_fee' => ApplicationFee,
-        'balance' => Balance,
-        'balance_transaction' => BalanceTransaction,
-        'bank_account' => BankAccount,
-        'card' => Card,
-        'charge' => Charge,
-        'coupon' => Coupon,
-        'customer' => Customer,
-        'event' => Event,
-        'fee_refund' => ApplicationFeeRefund,
-        'invoiceitem' => InvoiceItem,
-        'invoice' => Invoice,
-        'plan' => Plan,
-        'recipient' => Recipient,
-        'refund' => Refund,
-        'subscription' => Subscription,
-        'file_upload' => FileUpload,
-        'token' => Token,
-        'transfer' => Transfer,
-        'transfer_reversal' => Reversal,
-        'bitcoin_receiver' => BitcoinReceiver,
-        'bitcoin_transaction' => BitcoinTransaction,
-        'dispute' => Dispute,
-        'product' => Product,
-        'sku' => SKU,
-        'order' => Order,
-      }
-    end
-
-    def self.convert_to_stripe_object(resp, opts)
-      case resp
+      @object_classes ||= Stripe::ObjectTypes.object_names_to_classes
+    end
+
+    def self.object_name_matches_class?(object_name, klass)
+      Util.object_classes[object_name] == klass
+    end
+
+    # Converts a hash of fields or an array of hashes into a +StripeObject+ or
+    # array of +StripeObject+s. These new objects will be created as a concrete
+    # type as dictated by their `object` field (e.g. an `object` value of
+    # `charge` would create an instance of +Charge+), but if `object` is not
+    # present or of an unknown type, the newly created instance will fall back
+    # to being a +StripeObject+.
+    #
+    # ==== Attributes
+    #
+    # * +data+ - Hash of fields and values to be converted into a StripeObject.
+    # * +opts+ - Options for +StripeObject+ like an API key that will be reused
+    #   on subsequent API calls.
+    def self.convert_to_stripe_object(data, opts = {})
+      opts = normalize_opts(opts)
+
+      case data
       when Array
-        resp.map { |i| convert_to_stripe_object(i, opts) }
+        data.map { |i| convert_to_stripe_object(i, opts) }
       when Hash
-        # Try converting to a known object class.  If none available, fall back to generic StripeObject
-        object_classes.fetch(resp[:object], StripeObject).construct_from(resp, opts)
+        # Try converting to a known object class.  If none available, fall back
+        # to generic StripeObject
+        object_classes.fetch(data[:object], StripeObject)
+                      .construct_from(data, opts)
       else
-        resp
+        data
       end
     end
 
-    def self.file_readable(file)
-      # This is nominally equivalent to File.readable?, but that can
-      # report incorrect results on some more oddball filesystems
-      # (such as AFS)
-      begin
-        File.open(file) { |f| }
-      rescue
-        false
-      else
-        true
+    def self.log_error(message, data = {})
+      config = data.delete(:config) || Stripe.config
+      logger = config.logger || Stripe.logger
+      if !logger.nil? ||
+         !config.log_level.nil? && config.log_level <= Stripe::LEVEL_ERROR
+        log_internal(message, data, color: :cyan, level: Stripe::LEVEL_ERROR,
+                                    logger: Stripe.logger, out: $stderr)
+      end
+    end
+
+    def self.log_info(message, data = {})
+      config = data.delete(:config) || Stripe.config
+      logger = config.logger || Stripe.logger
+      if !logger.nil? ||
+         !config.log_level.nil? && config.log_level <= Stripe::LEVEL_INFO
+        log_internal(message, data, color: :cyan, level: Stripe::LEVEL_INFO,
+                                    logger: Stripe.logger, out: $stdout)
+      end
+    end
+
+    def self.log_debug(message, data = {})
+      config = data.delete(:config) || Stripe.config
+      logger = config.logger || Stripe.logger
+      if !logger.nil? ||
+         !config.log_level.nil? && config.log_level <= Stripe::LEVEL_DEBUG
+        log_internal(message, data, color: :blue, level: Stripe::LEVEL_DEBUG,
+                                    logger: Stripe.logger, out: $stdout)
       end
     end
 
@@ -81,7 +110,11 @@ module Stripe
       when Hash
         new_hash = {}
         object.each do |key, value|
-          key = (key.to_sym rescue key) || key
+          key = (begin
+                   key.to_sym
+                 rescue StandardError
+                   key
+                 end) || key
           new_hash[key] = symbolize_names(value)
         end
         new_hash
@@ -92,14 +125,33 @@ module Stripe
       end
     end
 
+    # Encodes a hash of parameters in a way that's suitable for use as query
+    # parameters in a URI or as form parameters in a request body. This mainly
+    # involves escaping special characters from parameter keys and values (e.g.
+    # `&`).
+    def self.encode_parameters(params)
+      Util.flatten_params(params)
+          .map { |k, v| "#{url_encode(k)}=#{url_encode(v)}" }.join("&")
+    end
+
+    # Encodes a string in a way that makes it suitable for use in a set of
+    # query parameters in a URI or in a set of form parameters in a request
+    # body.
     def self.url_encode(key)
-      URI.escape(key.to_s, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+      CGI.escape(key.to_s).
+        # Don't use strict form encoding by changing the square bracket control
+        # characters back to their literals. This is fine by the server, and
+        # makes these parameter strings easier to read.
+        gsub("%5B", "[").gsub("%5D", "]")
     end
 
-    def self.flatten_params(params, parent_key=nil)
+    def self.flatten_params(params, parent_key = nil)
       result = []
+
+      # do not sort the final output because arrays (and arrays of hashes
+      # especially) can be order sensitive, but do sort incoming parameters
       params.each do |key, value|
-        calculated_key = parent_key ? "#{parent_key}[#{url_encode(key)}]" : url_encode(key)
+        calculated_key = parent_key ? "#{parent_key}[#{key}]" : key.to_s
         if value.is_a?(Hash)
           result += flatten_params(value, calculated_key)
         elsif value.is_a?(Array)
@@ -108,25 +160,38 @@ module Stripe
           result << [calculated_key, value]
         end
       end
+
       result
     end
 
     def self.flatten_params_array(value, calculated_key)
       result = []
-      value.each do |elem|
+      value.each_with_index do |elem, i|
         if elem.is_a?(Hash)
-          result += flatten_params(elem, "#{calculated_key}[]")
+          result += flatten_params(elem, "#{calculated_key}[#{i}]")
         elsif elem.is_a?(Array)
           result += flatten_params_array(elem, calculated_key)
         else
-          result << ["#{calculated_key}[]", elem]
+          result << ["#{calculated_key}[#{i}]", elem]
         end
       end
       result
     end
 
+    # `Time.now` can be unstable in cases like an administrator manually
+    # updating its value or a reconcilation via NTP. For this reason, prefer
+    # the use of the system's monotonic clock especially where comparing times
+    # to calculate an elapsed duration.
+    #
+    # Shortcut for getting monotonic time, mostly for purposes of line length
+    # and test stubbing. Returns time in seconds since the event used for
+    # monotonic reference purposes by the platform (e.g. system boot time).
+    def self.monotonic_time
+      Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    end
+
     def self.normalize_id(id)
-      if id.kind_of?(Hash) # overloaded id
+      if id.is_a?(Hash) # overloaded id
         params_hash = id.dup
         id = params_hash.delete(:id)
       else
@@ -140,23 +205,153 @@ module Stripe
     def self.normalize_opts(opts)
       case opts
       when String
-        {:api_key => opts}
+        { api_key: opts }
       when Hash
-        check_api_key!(opts.fetch(:api_key)) if opts.has_key?(:api_key)
+        check_api_key!(opts.fetch(:api_key)) if opts.key?(:api_key)
         opts.clone
       else
-        raise TypeError.new('normalize_opts expects a string or a hash')
+        raise TypeError, "normalize_opts expects a string or a hash"
       end
     end
 
     def self.check_string_argument!(key)
-      raise TypeError.new("argument must be a string") unless key.is_a?(String)
+      raise TypeError, "argument must be a string" unless key.is_a?(String)
+
       key
     end
 
     def self.check_api_key!(key)
-      raise TypeError.new("api_key must be a string") unless key.is_a?(String)
+      raise TypeError, "api_key must be a string" unless key.is_a?(String)
+
       key
     end
+
+    # Normalizes header keys so that they're all lower case and each
+    # hyphen-delimited section starts with a single capitalized letter. For
+    # example, `request-id` becomes `Request-Id`. This is useful for extracting
+    # certain key values when the user could have set them with a variety of
+    # diffent naming schemes.
+    def self.normalize_headers(headers)
+      headers.each_with_object({}) do |(k, v), new_headers|
+        k = k.to_s.tr("_", "-") if k.is_a?(Symbol)
+        k = k.split("-").reject(&:empty?).map(&:capitalize).join("-")
+
+        new_headers[k] = v
+      end
+    end
+
+    # Generates a Dashboard link to inspect a request ID based off of a request
+    # ID value and an API key, which is used to attempt to extract whether the
+    # environment is livemode or testmode.
+    def self.request_id_dashboard_url(request_id, api_key)
+      env = !api_key.nil? && api_key.start_with?("sk_live") ? "live" : "test"
+      "https://dashboard.stripe.com/#{env}/logs/#{request_id}"
+    end
+
+    # Constant time string comparison to prevent timing attacks
+    # Code borrowed from ActiveSupport
+    def self.secure_compare(str_a, str_b)
+      return false unless str_a.bytesize == str_b.bytesize
+
+      l = str_a.unpack "C#{str_a.bytesize}"
+
+      res = 0
+      str_b.each_byte { |byte| res |= byte ^ l.shift }
+      res.zero?
+    end
+
+    #
+    # private
+    #
+
+    COLOR_CODES = {
+      black: 0, light_black: 60,
+      red: 1, light_red: 61,
+      green: 2, light_green: 62,
+      yellow: 3, light_yellow: 63,
+      blue: 4, light_blue: 64,
+      magenta: 5, light_magenta: 65,
+      cyan: 6, light_cyan: 66,
+      white: 7, light_white: 67,
+      default: 9,
+    }.freeze
+    private_constant :COLOR_CODES
+
+    # Uses an ANSI escape code to colorize text if it's going to be sent to a
+    # TTY.
+    def self.colorize(val, color, isatty)
+      return val unless isatty
+
+      mode = 0 # default
+      foreground = 30 + COLOR_CODES.fetch(color)
+      background = 40 + COLOR_CODES.fetch(:default)
+
+      "\033[#{mode};#{foreground};#{background}m#{val}\033[0m"
+    end
+    private_class_method :colorize
+
+    # Turns an integer log level into a printable name.
+    def self.level_name(level)
+      case level
+      when LEVEL_DEBUG then "debug"
+      when LEVEL_ERROR then "error"
+      when LEVEL_INFO  then "info"
+      else level
+      end
+    end
+    private_class_method :level_name
+
+    def self.log_internal(message, data = {}, color:, level:, logger:, out:)
+      data_str = data.reject { |_k, v| v.nil? }
+                     .map do |(k, v)|
+        format("%<key>s=%<value>s",
+               key: colorize(k, color, logger.nil? && !out.nil? && out.isatty),
+               value: wrap_logfmt_value(v))
+      end.join(" ")
+
+      if !logger.nil?
+        # the library's log levels are mapped to the same values as the
+        # standard library's logger
+        logger.log(level,
+                   format("message=%<message>s %<data_str>s",
+                          message: wrap_logfmt_value(message),
+                          data_str: data_str))
+      elsif out.isatty
+        out.puts format("%<level>s %<message>s %<data_str>s",
+                        level: colorize(level_name(level)[0, 4].upcase,
+                                        color, out.isatty),
+                        message: message,
+                        data_str: data_str)
+      else
+        out.puts format("message=%<message>s level=%<level>s %<data_str>s",
+                        message: wrap_logfmt_value(message),
+                        level: level_name(level),
+                        data_str: data_str)
+      end
+    end
+    private_class_method :log_internal
+
+    # Wraps a value in double quotes if it looks sufficiently complex so that
+    # it can be read by logfmt parsers.
+    def self.wrap_logfmt_value(val)
+      # If value is any kind of number, just allow it to be formatted directly
+      # to a string (this will handle integers or floats).
+      return val if val.is_a?(Numeric)
+
+      # Hopefully val is a string, but protect in case it's not.
+      val = val.to_s
+
+      if %r{[^\w\-/]} =~ val
+        # If the string contains any special characters, escape any double
+        # quotes it has, remove newlines, and wrap the whole thing in quotes.
+        format(%("%<value>s"), value: val.gsub('"', '\"').delete("\n"))
+      else
+        # Otherwise use the basic value if it looks like a standard set of
+        # characters (and allow a few special characters like hyphens, and
+        # slashes)
+        val
+      end
+    end
+    private_class_method :wrap_logfmt_value
   end
 end