unsakini 0.0.4.pre.1 → 0.0.4

data/angular/src/environments/environment.ts

@@ -4,6 +4,5 @@
 // The list of which env maps to which file can be found in `angular-cli.json`.
 
 export const environment = {
-  production: false,
-  api_base_url: '/'
+  production: false
 };

data/angular/src/index.html

@@ -3,7 +3,7 @@
 <head>
   <meta charset="utf-8">
   <title>Angular</title>
-  <base href="/unsakini/app/">
+  <base href="/app/">
 
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link rel="icon" type="image/x-icon" href="favicon.ico">

data/angular/src/styles.css

@@ -0,0 +1 @@
+/* You can add global styles to this file, and also import other style files */

data/app/controllers/api/boards_controller.rb

@@ -0,0 +1,73 @@
+class Api::BoardsController < ApplicationController
+
+
+  include LoggedInControllerConcern
+  include SerializerControllerConcern
+  include BoardOwnerControllerConcern
+  include ::ActionController::Serialization
+
+  before_action :ensure_board, :only => [:show, :update, :destroy]
+  before_action :ensure_board_owner, :only => [:update, :destroy]
+
+  # Returns boards belonging to current user
+  #
+  # `GET /api/boards`
+  #
+  def index
+    admin = true
+    shared = false
+    admin = params[:is_admin] == 'true' if params[:admin]
+    shared = params[:shared] == 'true' if params[:shared]
+    result = @user.user_boards.shared(shared)
+    result = result.admin if admin
+    paginate json: result, per_page: 10
+  end
+
+  # Creates board belonging to current user.
+  #
+  # `POST /api/boards`
+  #
+  def create
+    @user_board = UserBoard.new(
+      name: params[:board][:name],
+      user_id: @user.id,
+      encrypted_password: params[:encrypted_password],
+      is_admin: true
+    )
+    if @user_board.save
+      render json: @user_board, status: :created
+    else
+      render json: @user_board.errors.full_messages, status: 422
+    end
+
+  end
+
+  # Render a single board.
+  #
+  # `GET /api/boards/:id`
+  #
+  def show
+    render json: @user_board
+  end
+
+  # Updates a single board.
+  #
+  # `PUT /api/boards/:id`
+  def update
+    if @user_board.update(name: params[:board][:name], encrypted_password: params[:encrypted_password])
+      render json: @user_board
+    else
+      errors = @board.errors.full_messages.concat @user_board.errors.full_messages
+      render json: errors, status: 422
+    end
+  end
+
+  # Deletes a board resource.
+  #
+  # `DELETE /api/boards/:id`
+  def destroy
+    @board.destroy
+    render json: {}, status: :ok
+  end
+
+end

data/app/controllers/api/comments_controller.rb

@@ -0,0 +1,51 @@
+class Api::CommentsController < ApplicationController
+
+  include LoggedInControllerConcern
+  include PostOwnerControllerConcern
+  include CommentOwnerControllerConcern
+  include ::ActionController::Serialization
+
+  before_action :ensure_post, only: [:index, :create]
+  before_action :ensure_comment, only: [:show, :update, :destroy]
+  before_action :ensure_comment_owner, only: [:update, :destroy]
+
+  # Renders the comments belonging to the post
+  #
+  # `GET /api/boards/:board_id/posts/:post_id/`
+  def index
+    paginate json: @post.comments.page(params[:page]), per_page: 20
+  end
+
+  # Creates new comment belonging to the post
+  #
+  # `POST /api/boards/:board_id/posts/:post_id/`
+  def create
+    @comment = Comment.new(params.permit(:content))
+    @comment.user = @user
+    @comment.post = @post
+    if @comment.save
+      render json: @comment
+    else
+      render json: @comment.errors, status: 422
+    end
+  end
+
+  # Updates a comment
+  #
+  # `PUT /api/boards/:board_id/posts/:post_id/comments/:id`
+  def update
+    if @comment.update(params.permit(:content))
+      render json: @comment
+    else
+      render json: @comment.errors, status: 422
+    end
+  end
+
+  # Deletes a comment
+  #
+  # `DELETE /api/boards/:board_id/posts/:post_id/comments/:id`
+  def destroy
+    @comment.destroy
+    render json: {}, status: :ok
+  end
+end

data/app/controllers/api/posts_controller.rb

@@ -0,0 +1,58 @@
+class Api::PostsController < ApplicationController
+
+  include LoggedInControllerConcern
+  include BoardOwnerControllerConcern
+  include PostOwnerControllerConcern
+  include ::ActionController::Serialization
+
+  before_action :ensure_board, only: [:index, :create]
+  before_action :ensure_post, only: [:show, :update, :destroy]
+  before_action :ensure_post_owner, only: [:update, :destroy]
+
+# Renders the post belonging to the board
+#
+# `GET /api/boards/:board_id/posts`
+  def index
+    paginate json: @board.posts.page(params[:page]), per_page: 20
+  end
+
+# Renders a single post belonging to the board
+#
+# `GET /api/boards/:board_id/posts/:id`
+  def show
+    render json: @post
+  end
+
+# Creates a single post belonging to the board
+#
+# `POST /api/boards/:board_id/posts/`
+  def create
+    @post = Post.new(params.permit(:title, :content, :board_id))
+    @post.user = @user
+    if (@post.save)
+      render json: @post, status: :created
+    else
+      render json: @post.errors, status: 422
+    end
+  end
+
+# Updates a single post belonging to the board
+#
+# `PUT /api/boards/:board_id/posts/:id`
+  def update
+    if (@post.update(params.permit(:title, :content)))
+      render json: @post, status: :ok
+    else
+      render json: @post.errors, status: 422
+    end
+  end
+
+# Deletes a single post belonging to the board
+#
+# `DELETE /api/boards/:board_id/posts/:id`
+  def destroy
+    @post.destroy
+    render json: {}, status: :ok
+  end
+
+end

data/app/controllers/api/share_board_controller.rb

@@ -0,0 +1,118 @@
+class Api::ShareBoardController < ApplicationController
+
+  include LoggedInControllerConcern
+  include BoardOwnerControllerConcern
+  include PostOwnerControllerConcern
+  include CommentOwnerControllerConcern
+
+  before_action :validate_params
+
+  # Shares a board to other users. Example payload param:
+  #
+  # `POST /api/share/board`
+  #
+  # ```
+  # {
+  #   board: {
+  #     id: 1,
+  #     name: 'some encrypted text',
+  #   },
+  #   posts: [
+  #     {
+  #       board_id: 1,
+  #       title: 'some encrypted text',
+  #       content: 'some encrypted text',
+  #       comments: [
+  #         {
+  #           id: 1,
+  #           content: 'some encrypted text',
+  #           user_id: 1,
+  #           post_id: 1,
+  #         }
+  #       ]
+  #     }
+  #   ],
+  #   shared_user_ids: [1, 2, 3, 4],
+  #   encrypted_password: 'some encrypted password'
+  # }
+  # ```
+  # The `encrypted_password` param will be used to decrypt contents of this board. The encryption happens in the client so
+  # the server don't really know what is the original password. The board creator will have to share it privately to other users whom he/she shared it with so they can access the board.
+  #
+  # `posts` and `comments` fields can be empty.
+  def index
+    ActiveRecord::Base.transaction do
+      if params[:posts]
+        params[:posts].each do |post|
+          p = Post.find(post[:id])
+          p.title = post[:title]
+          p.content = post[:content]
+          p.save!
+
+          if post[:comments] and p.valid?
+            post[:comments].each do |comment|
+              c = Comment.find(comment[:id])
+              c.content = comment[:content]
+              c.save!
+            end
+          end
+        end
+      end
+      if @user_board.share(params[:shared_user_ids], params[:encrypted_password])
+        render json: {}, status: :ok
+      else
+        raise "An error occured"
+      end
+    end
+  rescue
+    # clean up the created {UserBoard}s
+    render json: ["Some of the data can't be saved."], status: 422
+  end
+
+  # Validates the contents of params against the database records.
+  def validate_params
+
+    if params[:encrypted_password].nil? or params[:shared_user_ids].nil? or params[:board].nil?
+      render json: {}, status: 422
+      return
+    end
+
+    result = has_board_access(params[:board][:id])
+    if result[:status] != :ok
+      render json: {}, status: result[:status]
+      return
+    else
+      if !result[:user_board].is_admin
+        render json: {}, status: :forbidden
+        return
+      end
+      @board = result[:board]
+      @user_board = result[:user_board]
+    end
+
+    if params[:posts]
+
+      params[:posts].each do |post|
+        s = has_post_access(params[:board][:id], post[:id])[:status]
+        if s != :ok
+          render json: {}, status: s
+          return
+        end
+
+        if post[:comments]
+          post[:comments].each do |comment|
+            s = has_comment_access(post[:id], comment[:id])[:status]
+            if s != :ok
+              render json: {}, status: s
+              return
+            end
+          end
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/app/controllers/api/users_controller.rb

@@ -0,0 +1,40 @@
+class Api::UsersController < ApplicationController
+
+  include LoggedInControllerConcern
+  include ::ActionController::Serialization
+
+  skip_before_action :authenticate_user, only: [:create]
+  skip_before_action :set_user, only: [:create]
+
+  #Creates a new user
+  def create
+    @user = User.new(params.permit(:name, :email, :password, :password_confirmation))
+    if @user.save
+      render json: @user, status: :created
+    else
+      render json: @user.errors.full_messages, status: 422
+    end
+  end
+
+  # Renders the current user as json
+  #
+  # `GET /api/user/:id`
+  #
+  def show
+    render json: @user
+  end
+
+  # Returns the user with matching email
+  #
+  # `GET /api/users/search?email=xxx`
+  #
+  def search
+    user = User.where("email = ? AND id != ?", params[:email], @user.id).first
+    if user
+      render json: user
+    else
+      render json: {}, status: :not_found
+    end
+  end
+
+end

data/app/controllers/application_controller.rb

@@ -1,5 +1,5 @@
 # Base controller for API controllers
 
-# class ApplicationController < ActionController::Base
+class ApplicationController < ActionController::API
 
-# end
+end

data/app/controllers/concerns/board_owner_controller_concern.rb

@@ -0,0 +1,38 @@
+#Ensure user has access to the board and sets the `@board` variable in the controller
+module BoardOwnerControllerConcern
+  extend ActiveSupport::Concern
+
+  #Ensure user has access to the board and sets the `@board` variable in the controller
+  def ensure_board
+    board_id = params[:board_id] || params[:id]
+    result = has_board_access(board_id)
+    @board = result[:board]
+    @user_board = result[:user_board]
+    render json: {}, status: result[:status] if result[:status] != :ok
+  end
+
+  # Validate if user has access to board
+  #
+  # @param board_id [Integer] board id
+  def has_board_access(board_id)
+    board = nil
+    if !board_id.nil?
+      board = Board.find_by_id(board_id)
+    else
+      return {status: :bad_request}
+    end
+    if (board)
+      user_board = UserBoard.where(user_id: @user.id, board_id: board_id).first
+      return {status: :forbidden }if user_board.nil?
+        return {status: :ok, board: board, user_board: user_board}
+      else
+        return {status: :not_found}
+      end
+    end
+
+    #Ensures user is owner of the board. Must be run after {#ensure_board} method.
+    def ensure_board_owner
+      render json: {}, status: :forbidden if !@user_board.is_admin
+    end
+
+  end

data/app/controllers/concerns/comment_owner_controller_concern.rb

@@ -0,0 +1,33 @@
+# Ensures user is owner of the comment and sets the `@comment` variable in the controllers
+module CommentOwnerControllerConcern
+  extend ActiveSupport::Concern
+  
+  # Ensures user is owner of the comment and sets the `@comment` variable in the controllers
+  def ensure_comment
+    post_id = params[:post_id]
+    comment_id = params[:comment_id] || params[:id]
+    result = has_comment_access post_id, comment_id
+    @comment = result[:comment]
+    status = result[:status]
+    render json: {}, status: status if status != :ok
+  end
+
+  # Validate if user has access to comment in the post
+  #
+  # @param post_id [Integer] post id
+  # @param comment_id [Integer] comment id
+  def has_comment_access(post_id, comment_id)
+    comment = Comment.where(id: comment_id, post_id: post_id, user_id: @user.id).first
+    if comment.nil?
+      return {status: :forbidden, comment: comment}
+    else
+      return {status: :ok, comment: comment}
+    end
+  end
+
+  # Ensures user is the owner of the comment. Must be run after {#ensure_comment} method.
+  def ensure_comment_owner
+    render json: {}, status: :forbidden if @comment.user_id != @user.id
+  end
+
+end

data/app/controllers/concerns/logged_in_controller_concern.rb

@@ -0,0 +1,21 @@
+# Ensures users are logged in and sets `@user` instance variable in the controllers.
+# This is included in the base api controller.
+#
+# Returns `401` error if user is not authenticated
+module LoggedInControllerConcern
+  extend ActiveSupport::Concern
+
+  included do
+    include Knock::Authenticable
+  	before_action :authenticate_user
+    before_action :set_user
+  end
+
+  private
+  # Sets the `@user` variable in the controllers
+  def set_user
+  	render json: {}, status: :unauthorized if current_user.nil?
+    @user = current_user
+  end
+
+end

data/app/controllers/concerns/post_owner_controller_concern.rb

@@ -0,0 +1,36 @@
+# Ensures user is owner of the post and sets the `@post` variable in the controllers
+module PostOwnerControllerConcern
+  extend ActiveSupport::Concern
+
+  # Ensures user is owner of the post and sets the `@post` variable in the controllers
+  def ensure_post
+    post_id = params[:post_id] || params[:id]
+    board_id = params[:board_id]
+    result = has_post_access(board_id, post_id)
+    status = result[:status]
+    @post = result[:post]
+    render json: {}, status: status if status != :ok
+  end
+
+  # Validate if user has access to the post in the board
+  #
+  # @param board_id [Integer] board id
+  # @param post_id [Integer] post id
+  def has_post_access(board_id, post_id)
+    post = Post.where(id: post_id, board_id: board_id)
+                .joins("LEFT JOIN user_boards ON user_boards.board_id = posts.board_id")
+                .where("user_boards.user_id = ?", @user.id)
+                .first
+    if post.nil?
+      return {status: :forbidden}
+    else
+      return {status: :ok, post: post}
+    end
+  end
+
+  # Ensures user is owner of the post. Must be run after {#ensure_post}`.
+  def ensure_post_owner
+    render json: {}, status: :forbidden if @post.user_id != @user.id
+  end
+
+end

data/app/controllers/concerns/serializer_controller_concern.rb

@@ -0,0 +1,11 @@
+module SerializerControllerConcern
+
+  extend ActiveSupport::Concern
+
+  included do
+    include ::ActionController::Serialization
+    # respond_to :json
+  end
+
+
+end

data/app/controllers/user_token_controller.rb

@@ -0,0 +1,2 @@
+class UserTokenController < Knock::AuthTokenController
+end

data/app/controllers/web_base_controller.rb

@@ -0,0 +1,23 @@
+# Base controller for web pages
+
+class WebBaseController < ActionController::Base
+  include ActionController::ImplicitRender
+  include ActionView::Layouts
+
+  # Renders welcome page
+  def index
+  	@project = 'Unsakini'
+  	@description = 'Opensource Encrypted Bulletin Board'
+  	@version = Unsakini::VERSION
+  	@author = 'Adones Pitogo'
+  	@repository = 'https://github.com/adonespitogo/unsakini'
+  	@title = "#{@project} | #{@description}"
+  	@tagline = "Created by and for online activists, information security enthusiasts and government surveillance evaders."
+  	@keywords = "unsakini, encrypted, bulletin board, BB, ruby, rails"
+  end
+
+  # Renders the angular index view when request url is /app/* to enable html5 pushState capability of angularjs
+  def app
+    render file: "#{Rails.root}/public/app/index.html", layout: false
+  end
+end

data/app/models/application_record.rb

@@ -0,0 +1,5 @@
+# Base application model
+
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end

data/app/models/board.rb

@@ -0,0 +1,14 @@
+#Board model
+
+class Board < ApplicationRecord
+  include EncryptableModelConcern
+  encryptable_attributes :name
+
+  validates :name, presence: true
+
+  has_many :users, through: :user_boards
+
+  has_many :user_boards, :dependent => :delete_all
+  has_many :posts, :dependent => :destroy
+
+end

data/app/models/comment.rb

@@ -0,0 +1,9 @@
+#Comment model
+class Comment < ApplicationRecord
+  include EncryptableModelConcern
+  encryptable_attributes :content
+  validates :content, presence: true
+
+  belongs_to :post
+  belongs_to :user
+end

data/app/models/concerns/encryptable_model_concern.rb

@@ -0,0 +1,96 @@
+require 'openssl'
+require 'base64'
+
+# Responsible for encryption and decryption of certain model attributes
+
+module EncryptableModelConcern
+  extend ActiveSupport::Concern
+
+  included do
+    before_save :encrypt_encryptable_attributes
+    after_save :decrypt_encryptable_attributes
+    after_find :decrypt_encryptable_attributes
+  end
+
+  module ClassMethods
+    # Sets the `encryptable_attributes` class instance variable in the model.
+    #
+    # Encryptable attributes are encrypted before saving using `before_save` hook and decrypted using `after_save` and `after_find` hooks.
+    #
+    # Example:
+    # ```
+    #   class Board < BaseModel
+    #     encryptable_attributes :name, :title, :content
+    #   end
+    # ```
+    # @param attrs [Symbol] model attributes
+    #
+    def encryptable_attributes(*attrs)
+      @encryptable_attributes = attrs
+    end
+
+  end
+
+  # Returns the model's `encryptable_attributes` class instance variable.
+  #
+  def encryptable_attributes
+    self.class.instance_variable_get(:@encryptable_attributes) || []
+  end
+
+  private
+  # Encryptes the model's encryptable attributes before saving using Rails' `before_save` hook.
+  #
+  # **Note: Be careful in calling this method manually as it can corrupt the data.**
+  def encrypt_encryptable_attributes
+    encryptable_attributes.each do |k|
+      self[k] = encrypt(self[k])
+    end
+  end
+
+  # Decrypts the model's encryptable attributes using Rails' `after_save` and `after_find` hooks.
+  #
+  # **Note: Be careful in calling this method manually as it can corrupt the data.**
+  def decrypt_encryptable_attributes
+    encryptable_attributes.each do |k|
+      self[k] = decrypt(self[k])
+    end
+  end
+
+  # Determins if the value being encrypted/decryped is empty.
+  def is_empty_val(value)
+    !value or value.nil? or value == ""
+  end
+
+  # Returns the cipher algorithm used
+  def cipher
+    OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+  end
+
+  # Returns the encryption key from the `unsakini_crypto_key` config
+  def cipher_key
+    begin
+      Rails.configuration.unsakini_crypto_key
+    rescue Exception => e
+      raise 'Encryption key is not set! Please run `rails g unsakini:config` before you proceed.'
+    end
+  end
+
+  # Encrypts model attribute value
+  def encrypt(value)
+    return value if is_empty_val(value)
+    c = cipher.encrypt
+    c.key = Digest::SHA256.digest(cipher_key)
+    c.iv = iv = c.random_iv
+    Base64.encode64(iv) + Base64.encode64(c.update(value.to_s) + c.final)
+  end
+
+  # Decrypts model attribute value
+  def decrypt(value)
+    return value if is_empty_val(value)
+    c = cipher.decrypt
+    c.key = Digest::SHA256.digest(cipher_key)
+    c.iv = Base64.decode64 value.slice!(0,25)
+    c.update(Base64.decode64(value.to_s)) + c.final
+  end
+
+end

data/app/models/post.rb

@@ -0,0 +1,12 @@
+#Post model
+
+class Post < ApplicationRecord
+  include EncryptableModelConcern
+  encryptable_attributes :title, :content
+  validates :title, presence: true
+  validates :content, presence: true
+
+  belongs_to :user
+  belongs_to :board
+  has_many :comments, :dependent => :delete_all
+end