RubyGems - unsakini - Versions diffs - 0.0.4.2 → 0.0.4.3 - Mend

unsakini 0.0.4.2 → 0.0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (222) hide show

data/app/controllers/concerns/unsakini/logged_in_controller_concern.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# Ensures users are logged in and sets `@user` instance variable in the controllers.
+# This is included in the base api controller.
+#
+# Returns `401` error if user is not authenticated
+module Unsakini
+  module LoggedInControllerConcern
+    extend ActiveSupport::Concern
+    included do
+      include Knock::Authenticable
+      before_action :ensure_logged_in
+    end
+    private
+    def ensure_logged_in
+      authenticate_for Unsakini::User
+      @user = current_unsakini_user
+      head :unauthorized unless @user
+    end
+  end
+end

data/app/controllers/concerns/unsakini/post_owner_controller_concern.rb ADDED Viewed

@@ -0,0 +1,38 @@
+# Ensures user is owner of the post and sets the `@post` variable in the controllers
+module Unsakini
+  module PostOwnerControllerConcern
+    extend ActiveSupport::Concern
+    # Ensures user is owner of the post and sets the `@post` variable in the controllers
+    def ensure_post
+      post_id = params[:post_id] || params[:id]
+      board_id = params[:board_id]
+      result = has_post_access(board_id, post_id)
+      status = result[:status]
+      @post = result[:post]
+      head status if status != :ok
+    end
+    # Validate if user has access to the post in the board
+    #
+    # @param board_id [Integer] board id
+    # @param post_id [Integer] post id
+    def has_post_access(board_id, post_id)
+      post = Unsakini::Post.where(id: post_id, board_id: board_id)
+      .joins("LEFT JOIN #{UserBoard.table_name} ON #{UserBoard.table_name}.board_id = #{Post.table_name}.board_id")
+      .where("#{UserBoard.table_name}.user_id = ?", @user.id)
+      .first
+      if post.nil?
+        return {status: :forbidden}
+      else
+        return {status: :ok, post: post}
+      end
+    end
+    # Ensures user is owner of the post. Must be run after {#ensure_post}`.
+    def ensure_post_owner
+      render json: {}, status: :forbidden if @post.user_id != @user.id
+    end
+  end
+end

data/app/controllers/concerns/unsakini/serializer_controller_concern.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module Unsakini
+  module SerializerControllerConcern
+    extend ActiveSupport::Concern
+    included do
+      include ::ActionController::Serialization
+    end
+  end
+end

data/app/controllers/unsakini/base_controller.rb ADDED Viewed

@@ -0,0 +1,6 @@
+# Base controller for API controllers
+module Unsakini
+  class BaseController < ActionController::API
+  end
+end

data/app/controllers/unsakini/boards_controller.rb ADDED Viewed

@@ -0,0 +1,76 @@
+module Unsakini
+  class BoardsController < BaseController
+    include LoggedInControllerConcern
+    include SerializerControllerConcern
+    include BoardOwnerControllerConcern
+    include ::ActionController::Serialization
+    before_action :ensure_board, :only => [:show, :update, :destroy]
+    before_action :ensure_board_owner, :only => [:update, :destroy]
+    # Returns boards belonging to current user
+    #
+    # `GET /api/boards`
+    #
+    def index
+      admin = true
+      shared = false
+      admin = params[:is_admin] == 'true' if params[:admin]
+      shared = params[:shared] == 'true' if params[:shared]
+      result = @user.user_boards.shared(shared)
+      result = result.admin if admin
+      paginate json: result, per_page: 10
+    end
+    # Creates board belonging to current user.
+    #
+    # `POST /api/boards`
+    #
+    def create
+      @user_board = UserBoard.new(
+        name: params[:board][:name],
+        user_id: @user.id,
+        encrypted_password: params[:encrypted_password],
+        is_admin: true
+      )
+      if @user_board.save
+        render json: @user_board, status: :created
+      else
+        render json: @user_board.errors.full_messages, status: 422
+      end
+    end
+    # Render a single board.
+    #
+    # `GET /api/boards/:id`
+    #
+    def show
+      render json: @user_board
+    end
+    # Updates a single board.
+    #
+    # `PUT /api/boards/:id`
+    def update
+      if @user_board.update(name: params[:board][:name], encrypted_password: params[:encrypted_password])
+        render json: @user_board
+      else
+        errors = @board.errors.full_messages.concat @user_board.errors.full_messages
+        render json: errors, status: 422
+      end
+    end
+    # Deletes a board resource.
+    #
+    # `DELETE /api/boards/:id`
+    def destroy
+      @board.destroy
+      render json: {}, status: :ok
+    end
+  end
+end

data/app/controllers/unsakini/comments_controller.rb ADDED Viewed

@@ -0,0 +1,54 @@
+module Unsakini
+  class CommentsController < BaseController
+    include LoggedInControllerConcern
+    include PostOwnerControllerConcern
+    include CommentOwnerControllerConcern
+    include ::ActionController::Serialization
+    before_action :ensure_post, only: [:index, :create]
+    before_action :ensure_comment, only: [:show, :update, :destroy]
+    before_action :ensure_comment_owner, only: [:update, :destroy]
+    # Renders the comments belonging to the post
+    #
+    # `GET /api/boards/:board_id/posts/:post_id/`
+    def index
+      paginate json: @post.comments.page(params[:page]), per_page: 20
+    end
+    # Creates new comment belonging to the post
+    #
+    # `POST /api/boards/:board_id/posts/:post_id/`
+    def create
+      @comment = Comment.new(params.permit(:content))
+      @comment.user = @user
+      @comment.post = @post
+      if @comment.save
+        render json: @comment
+      else
+        render json: @comment.errors, status: 422
+      end
+    end
+    # Updates a comment
+    #
+    # `PUT /api/boards/:board_id/posts/:post_id/comments/:id`
+    def update
+      if @comment.update(params.permit(:content))
+        render json: @comment
+      else
+        render json: @comment.errors, status: 422
+      end
+    end
+    # Deletes a comment
+    #
+    # `DELETE /api/boards/:board_id/posts/:post_id/comments/:id`
+    def destroy
+      @comment.destroy
+      render json: {}, status: :ok
+    end
+  end
+end

data/app/controllers/unsakini/posts_controller.rb ADDED Viewed

@@ -0,0 +1,61 @@
+module Unsakini
+  class PostsController < BaseController
+    include LoggedInControllerConcern
+    include BoardOwnerControllerConcern
+    include PostOwnerControllerConcern
+    include ::ActionController::Serialization
+    before_action :ensure_board, only: [:index, :create]
+    before_action :ensure_post, only: [:show, :update, :destroy]
+    before_action :ensure_post_owner, only: [:update, :destroy]
+    # Renders the post belonging to the board
+    #
+    # `GET /api/boards/:board_id/posts`
+    def index
+      paginate json: @board.posts.page(params[:page]), per_page: 20
+    end
+    # Renders a single post belonging to the board
+    #
+    # `GET /api/boards/:board_id/posts/:id`
+    def show
+      render json: @post
+    end
+    # Creates a single post belonging to the board
+    #
+    # `POST /api/boards/:board_id/posts/`
+    def create
+      @post = Post.new(params.permit(:title, :content, :board_id))
+      @post.user = @user
+      if (@post.save)
+        render json: @post, status: :created
+      else
+        render json: @post.errors, status: 422
+      end
+    end
+    # Updates a single post belonging to the board
+    #
+    # `PUT /api/boards/:board_id/posts/:id`
+    def update
+      if (@post.update(params.permit(:title, :content)))
+        render json: @post, status: :ok
+      else
+        render json: @post.errors, status: 422
+      end
+    end
+    # Deletes a single post belonging to the board
+    #
+    # `DELETE /api/boards/:board_id/posts/:id`
+    def destroy
+      @post.destroy
+      render json: {}, status: :ok
+    end
+  end
+end

data/app/controllers/unsakini/share_board_controller.rb ADDED Viewed

@@ -0,0 +1,122 @@
+module Unsakini
+  class ShareBoardController < BaseController
+    include LoggedInControllerConcern
+    include BoardOwnerControllerConcern
+    include PostOwnerControllerConcern
+    include CommentOwnerControllerConcern
+    before_action :validate_params
+    # Shares a board to other users. Example payload param:
+    #
+    # `POST /api/share/board`
+    #
+    # ```
+    # {
+    #   board: {
+    #     id: 1,
+    #     name: 'some encrypted text',
+    #   },
+    #   posts: [
+    #     {
+    #       board_id: 1,
+    #       title: 'some encrypted text',
+    #       content: 'some encrypted text',
+    #       comments: [
+    #         {
+    #           id: 1,
+    #           content: 'some encrypted text',
+    #           user_id: 1,
+    #           post_id: 1,
+    #         }
+    #       ]
+    #     }
+    #   ],
+    #   shared_user_ids: [1, 2, 3, 4],
+    #   encrypted_password: 'some encrypted password'
+    # }
+    # ```
+    # The `encrypted_password` param will be used to decrypt contents of this board. The encryption happens in the client so
+    # the server don't really know what is the original password. The board creator will have to share it privately to other users whom he/she shared it with so they can access the board.
+    #
+    # `posts` and `comments` fields can be empty.
+    def index
+      ActiveRecord::Base.transaction do
+        if params[:posts]
+          params[:posts].each do |post|
+            p = Post.find(post[:id])
+            p.title = post[:title]
+            p.content = post[:content]
+            p.save!
+            if post[:comments] and p.valid?
+              post[:comments].each do |comment|
+                c = Comment.find(comment[:id])
+                c.content = comment[:content]
+                c.save!
+              end
+            end
+          end
+        end
+        if @user_board.share(params[:shared_user_ids], params[:encrypted_password])
+          render json: {}, status: :ok
+        else
+          raise "An error occured"
+        end
+      end
+    rescue
+      # clean up the created {UserBoard}s
+      render json: ["Some of the data can't be saved."], status: 422
+    end
+    # Validates the contents of params against the database records.
+    def validate_params
+      if params[:encrypted_password].nil? or params[:shared_user_ids].nil? or params[:board].nil?
+        render json: {}, status: 422
+        return
+      end
+      result = has_board_access(params[:board][:id])
+      if result[:status] != :ok
+        render json: {}, status: result[:status]
+        return
+      else
+        if !result[:user_board].is_admin
+          render json: {}, status: :forbidden
+          return
+        end
+        @board = result[:board]
+        @user_board = result[:user_board]
+      end
+      if params[:posts]
+        params[:posts].each do |post|
+          s = has_post_access(params[:board][:id], post[:id])[:status]
+          if s != :ok
+            render json: {}, status: s
+            return
+          end
+          if post[:comments]
+            post[:comments].each do |comment|
+              s = has_comment_access(post[:id], comment[:id])[:status]
+              if s != :ok
+                render json: {}, status: s
+                return
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/unsakini/user_token_controller.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module Unsakini
+  class UserTokenController < Knock::AuthTokenController
+    def create
+      if entity.confirmed_at?
+        render json: auth_token, status: :created
+      else
+        res = {message: "Your account needs confirmation. Please follow the confirmation instructions sent to #{auth_params[:email]}"}
+        render status: 401, json: res
+      end
+    end
+    def entity_name
+      self.class.name.split('TokenController').first
+    end
+  end
+end

data/app/controllers/unsakini/users_controller.rb ADDED Viewed

@@ -0,0 +1,69 @@
+module Unsakini
+  class UsersController < BaseController
+    include LoggedInControllerConcern
+    include ::ActionController::Serialization
+    skip_before_action :ensure_logged_in, only: [:create, :confirm]
+    #Creates a new user
+    def create
+      user = User.new(user_params)
+      if user.save
+        UserMailer.confirm_account(user).deliver_now
+        render json: user, status: :created
+      else
+        render json: user.errors, status: 422
+      end
+    end
+    # confirm user account
+    def confirm
+      token = params[:token].to_s
+      user = User.find_by(confirmation_token: token)
+      if user.present? && user.confirmation_token_valid?
+        if user.mark_as_confirmed!
+          render json: {status: 'User confirmed successfully'}, status: :ok
+        else
+          render json: user.errors, status: 422
+        end
+      else
+        render json: ['Invalid token'], status: :not_found
+      end
+    end
+    # Renders the current user as json
+    #
+    # `GET /api/user/:id`
+    #
+    def show
+      render json: @user
+    end
+    # Returns the user with matching email
+    #
+    # `GET /api/users/search?email=xxx`
+    #
+    def search
+      user = User.where("email = ? AND id != ?", params[:email], @user.id).first
+      if user
+        render json: user
+      else
+        render json: {}, status: :not_found
+      end
+    end
+    private
+    def user_params
+      params.permit(:name, :email, :password, :password_confirmation)
+    end
+  end
+end

data/app/controllers/unsakini/web_controller.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# Base controller for web pages
+module Unsakini
+  class WebController < ActionController::Base
+    include ActionController::ImplicitRender
+    include ActionView::Layouts
+    # Renders welcome page
+    def index
+      @project = 'Unsakini'
+      @description = 'Privacy. Confidentiality. Security.'
+      @version = VERSION
+      @author = 'Adones Pitogo'
+      @repository = 'https://github.com/adonespitogo/unsakini'
+      @title = "#{@project} | #{@description}"
+      @tagline = "Created by and for online activists, information security enthusiasts and government surveillance evaders."
+      @keywords = "unsakini, encrypted, bulletin board, BB, ruby, rails"
+    end
+    # Renders the angular index view when request url is /app/* to enable html5 pushState capability of angularjs
+    def app
+      gem_root = File.expand_path '../../../..', __FILE__
+      render file: "#{gem_root}/public/unsakini/app/index.html", layout: false
+    end
+  end
+end

data/app/mailers/unsakini/user_mailer.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module Unsakini
+  class UserMailer < ::ActionMailer::Base
+    default from: 'notifications@example.com'
+    def confirm_account(user)
+      @user = user
+      @url  = "#{root_url}app/account/confirm/#{@user.confirmation_token}"
+      mail(to: @user.email, subject: 'Unsakini - Account Confirmation')
+    end
+  end
+end

data/app/models/concerns/unsakini/encryptable_model_concern.rb ADDED Viewed

@@ -0,0 +1,97 @@
+require 'openssl'
+require 'base64'
+# Responsible for encryption and decryption of certain model attributes
+module Unsakini
+  module EncryptableModelConcern
+    extend ActiveSupport::Concern
+    included do
+      before_save :encrypt_encryptable_attributes
+      after_save :decrypt_encryptable_attributes
+      after_find :decrypt_encryptable_attributes
+    end
+    module ClassMethods
+      # Sets the `encryptable_attributes` class instance variable in the model.
+      #
+      # Encryptable attributes are encrypted before saving using `before_save` hook and decrypted using `after_save` and `after_find` hooks.
+      #
+      # Example:
+      # ```
+      #   class Board < BaseModel
+      #     encryptable_attributes :name, :title, :content
+      #   end
+      # ```
+      # @param attrs [Symbol] model attributes
+      #
+      def encryptable_attributes(*attrs)
+        @encryptable_attributes = attrs
+      end
+    end
+    # Returns the model's `encryptable_attributes` class instance variable.
+    #
+    def encryptable_attributes
+      self.class.instance_variable_get(:@encryptable_attributes) || []
+    end
+    private
+    # Encryptes the model's encryptable attributes before saving using Rails' `before_save` hook.
+    #
+    # **Note: Be careful in calling this method manually as it can corrupt the data.**
+    def encrypt_encryptable_attributes
+      encryptable_attributes.each do |k|
+        self[k] = encrypt(self[k])
+      end
+    end
+    # Decrypts the model's encryptable attributes using Rails' `after_save` and `after_find` hooks.
+    #
+    # **Note: Be careful in calling this method manually as it can corrupt the data.**
+    def decrypt_encryptable_attributes
+      encryptable_attributes.each do |k|
+        self[k] = decrypt(self[k])
+      end
+    end
+    # Determins if the value being encrypted/decryped is empty.
+    def is_empty_val(value)
+      !value or value.nil? or value == ""
+    end
+    # Returns the cipher algorithm used
+    def cipher
+      OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+    end
+    # Returns the encryption key from the `unsakini_crypto_key` config
+    def cipher_key
+      begin
+        Rails.configuration.unsakini_crypto_key
+      rescue Exception => e
+        raise 'Encryption key is not set! Please run `rails g unsakini:config` before you proceed.'
+      end
+    end
+    # Encrypts model attribute value
+    def encrypt(value)
+      return value if is_empty_val(value)
+      c = cipher.encrypt
+      c.key = Digest::SHA256.digest(cipher_key)
+      c.iv = iv = c.random_iv
+      Base64.encode64(iv) + Base64.encode64(c.update(value.to_s) + c.final)
+    end
+    # Decrypts model attribute value
+    def decrypt(value)
+      return value if is_empty_val(value)
+      c = cipher.decrypt
+      c.key = Digest::SHA256.digest(cipher_key)
+      c.iv = Base64.decode64 value.slice!(0,25)
+      c.update(Base64.decode64(value.to_s)) + c.final
+    end
+  end
+end

data/app/models/unsakini/application_record.rb ADDED Viewed

@@ -0,0 +1,7 @@
+# Base application model
+require_dependency 'unsakini'
+module Unsakini
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/unsakini/board.rb ADDED Viewed

@@ -0,0 +1,16 @@
+#Board model
+module Unsakini
+  class Board < ApplicationRecord
+    include EncryptableModelConcern
+    encryptable_attributes :name
+    validates :name, presence: true
+    has_many :users, through: :user_boards
+    has_many :user_boards, :dependent => :delete_all
+    has_many :posts, :dependent => :destroy
+  end
+end

data/app/models/unsakini/comment.rb ADDED Viewed

@@ -0,0 +1,12 @@
+#Comment model
+module Unsakini
+  class Comment < ApplicationRecord
+    include EncryptableModelConcern
+    encryptable_attributes :content
+    validates :content, presence: true
+    belongs_to :post
+    belongs_to :user
+  end
+end

data/app/models/unsakini/post.rb ADDED Viewed

@@ -0,0 +1,15 @@
+#Post model
+module Unsakini
+  class Post < ApplicationRecord
+    include EncryptableModelConcern
+    encryptable_attributes :title, :content
+    validates :title, presence: true
+    validates :content, presence: true
+    belongs_to :user
+    belongs_to :board
+    has_many :comments, :dependent => :delete_all
+  end
+end