/
base_controller.rb
447 lines (369 loc) · 15 KB
/
base_controller.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
module Api
# TODO: inherit from application controller after cleanup
class BaseController < ActionController::Base
include ApplicationShared
include Foreman::Controller::RequireSsl
include Foreman::Controller::ApiCsrfProtection
include Foreman::Controller::BruteforceProtection
before_action :set_default_response_format, :authorize, :set_taxonomy
before_action :add_info_headers, :set_gettext_locale
before_action :session_expiry, :update_activity_time
around_action :set_timezone
respond_to :json
after_action :log_response_body
rescue_from StandardError do |error|
Foreman::Logging.exception("Action failed", error)
render_error 'standard_error', :status => :internal_server_error, :locals => { :exception => error }
end
rescue_from NoMethodError do |error|
Foreman::Logging.exception("Action failed", error)
message = _("Internal Server Error: the server was unable to finish the request. ")
message << _("This may be caused by unavailability of some required service, incorrect API call or a server-side bug. ")
message << _("There may be more information in the server's logs.")
render_error 'custom_error', :status => :internal_server_error, :locals => { :message => message }
end
rescue_from ScopedSearch::QueryNotSupported, Apipie::ParamError do |error|
logger.info "#{error.message} (#{error.class})"
render_error 'param_error', :status => :bad_request, :locals => { :exception => error }
end
rescue_from ActiveRecord::RecordNotFound do |error|
logger.info "#{error.message} (#{error.class})"
not_found
end
rescue_from Foreman::AssociationNotFound do |error|
logger.info "#{error.message} (#{error.class})"
not_found error.message
end
rescue_from Foreman::MaintenanceException, :with => :service_unavailable
def get_resource(message = "Couldn't find resource")
instance_variable_get(:"@#{resource_name}") || raise(message)
end
helper_method :controller_permission
def controller_permission
controller_name
end
# overwrites resource_scope in FindCommon to consider nested objects
def resource_scope(options = {})
super(options).merge(parent_scope).readonly(false)
end
def parent_scope
parent_name, scope = parent_resource_details
return resource_class.where(nil) unless scope
association = resource_class.reflect_on_all_associations.detect {|assoc| assoc.plural_name == parent_name.pluralize}
# if couldn't find an association by name, try to find one by class
association ||= resource_class.reflect_on_all_associations.detect {|assoc| assoc.class_name == parent_name.camelize}
if association.nil? && parent_name == 'host'
association = resource_class.reflect_on_all_associations.detect {|assoc| assoc.class_name == 'Host::Base'}
end
raise "Association not found for #{parent_name}" unless association
result_scope = resource_class_join(association, scope).reorder(nil)
# Check that the scope resolves before return
result_scope.any?
result_scope
rescue ActiveRecord::ConfigurationError
# Chaining SQL with a parent scope does not always work, as the
# parent scope might have attributes the resource_class does not have.
#
# For example, chaining 'interfaces' with a parent scope (hosts) that
# contains an authorization filter (hostgroup = foo), will not work
# as the resulting SQL has attributes (hostgroup) the
# resource_class does not have.
#
# In such cases, we resolve the scope first, and then call 'where'
# on the results
resource_class.joins(association.name).
where(association.name => scope.select(:id))
end
def resource_class_join(association, scope)
resource_class.joins(association.name).merge(scope)
end
def resource_scope_for_index(options = {})
resource_scope(options).search_for(*search_options).paginate(paginate_options)
end
def api_request?
true
end
protected
def not_found(options = nil)
not_found_message = {}
case options
when String
not_found_message[:message] = options
when Hash
not_found_message.merge! options
else
render_error 'not_found', :status => :not_found
return false
end
render :json => not_found_message, :status => :not_found
false
end
def service_unavailable(exception = nil)
logger.debug "service unavailable: #{exception}" if exception
render_message(exception.message, :status => :service_unavailable)
end
def process_resource_error(options = { })
resource = options[:resource] || get_resource(options[:message])
raise 'resource have no errors' if resource.errors.empty?
if resource.respond_to?(:permission_failed?) && resource.permission_failed?
deny_access
else
log_resource_errors resource
render_error 'unprocessable_entity', :status => :unprocessable_entity
end
end
def process_success(response = nil)
render_status = request.post? ? :created : :ok
response ||= get_resource
respond_with response, :responder => ApiResponder, :status => render_status
end
def process_response(condition, response = nil)
if condition
process_success response
else
process_resource_error
end
end
def render_message(msg, render_options = {})
render_options[:json] = { :message => msg }
render render_options
end
def log_resource_errors(resource)
logger.error "Unprocessable entity #{resource.class.name} (id: #{resource.try(:id) || 'new'}):\n #{resource.errors.full_messages.join("\n ")}\n"
end
def authorize
if bruteforce_attempt?
log_bruteforce
render_error('bruteforce_attempt', :status => :unauthorized)
return false
end
unless authenticate
count_login_failure
render_error('unauthorized', :status => :unauthorized, :locals => { :user_login => @available_sso.try(:user) })
return false
end
unless authorized
deny_access
return false
end
true
end
def require_admin
unless is_admin?
render_error('access_denied', :status => :unauthorized, :locals => { :details => _('Admin permissions required') })
false
end
end
def set_admin_user
User.current = User.anonymous_api_admin
end
def deny_access(details = nil)
render_error 'access_denied', :status => :forbidden, :locals => { :details => details }
false
end
def set_default_response_format
request.format = :json if params[:format].blank?
end
def api_version
raise NotImplementedError
end
def render_error(error, options = { })
options = set_error_details(error, options)
render options.merge(:template => "/api/v#{api_version}/errors/#{error}")
end
def search_options
[params[:search], {:order => params[:order]}]
end
def paginate_options
{
:page => params[:page],
:per_page => params[:per_page],
}
end
def add_version_header
response.headers["Foreman_version"] = SETTINGS[:version].full
response.headers["Foreman_api_version"] = api_version
end
def add_taxonomies_header
current_org = "#{Organization.current.id}; #{Organization.current.name}" if Organization.current
response.headers["Foreman_current_organization"] = current_org || '; ANY'
current_loc = "#{Location.current.id}; #{Location.current.name}" if Location.current
response.headers["Foreman_current_location"] = current_loc || '; ANY'
end
def add_info_headers
add_version_header
add_taxonomies_header
end
# this method is used with nested resources, where obj_id is passed into the parameters hash.
# it automatically updates the search text box with the relevant relationship
# e.g. /hosts/fqdn/reports # would add host = fqdn to the search bar
def setup_search_options
params[:search] ||= ""
params.keys.each do |param|
if param =~ /(\w+)_id$/
if params[param].present?
query = " #{Regexp.last_match(1)} = #{params[param]}"
params[:search] += query unless params[:search].include? query
end
end
end
end
def log_response_body
logger.debug { "Body: #{response.body}" }
end
private
attr_reader :nested_obj
def find_required_nested_object
find_nested_object
return @nested_obj if @nested_obj
not_found
end
def find_optional_nested_object
find_nested_object
return @nested_obj if @nested_obj
not_found_if_nested_id_exists
end
def find_nested_object
_parent_name, parent_resource_scope = parent_resource_details
return if parent_resource_scope.nil?
@nested_obj = parent_resource_scope.first
end
def not_found_if_nested_id_exists
allowed_nested_id.each do |obj_id|
# this method does not reliably work when you have multiple parameters and some of them can be nil
# find_nested_object in such case returns nil (since org and loc can be nil for any context),
# but it detects other paramter which can have value set
# therefore we always skip these
next if [ 'organization_id', 'location_id' ].include?(obj_id)
if params[obj_id].present?
not_found _("%{resource_name} not found by id '%{id}'") % { :resource_name => obj_id.humanize, :id => params[obj_id] }
return
end
end
end
def missing_permissions
Foreman::AccessControl.permissions_for_controller_action(path_to_authenticate)
end
def set_error_details(error, options)
case error
when 'access_denied'
fail_message = _('Missing one of the required permissions: %s') % missing_permissions.map(&:name).join(', ')
Foreman::Logging.logger('permissions').info fail_message
if options.fetch(:locals, {}).fetch(:details, nil).blank?
options = options.deep_merge({:locals => {:details => fail_message }})
end
end
options
end
protected
# will be overwritten by each controller. initialize as empty array to prevent handling nil variable
def allowed_nested_id
[]
end
# will be overwritten by each controller. initialize as empty array to prevent handling nil variable
def skip_nested_id
[]
end
def action_permission
case params[:action]
when 'new', 'create'
'create'
when 'edit', 'update'
'edit'
when 'destroy'
'destroy'
when 'index', 'show', 'status'
'view'
else
raise ::Foreman::Exception.new(N_("unknown permission for %s"), "#{params[:controller]}##{params[:action]}")
end
end
def parent_permission(child_permission)
case child_permission.to_s
when 'create', 'destroy'
'edit'
when 'edit', 'view'
'view'
else
raise ::Foreman::Exception.new(N_("unknown parent permission for %s"), "#{params[:controller]}##{child_permission}")
end
end
def parent_resource_details
parent_name, parent_class, parent_id = nil
params.each do |param, value|
parent_id = value
parent_name, parent_class = extract_resource_from_param(param)
break if parent_class
end
return nil if parent_name.nil? || parent_class.nil?
# for admin we don't want to add any context condition, that would fail for hosts since we'd add join to
# taxonomy table without any condition, inner join would return no host in this case
return nil if User.current.admin? && [ Organization, Location ].include?(parent_class) && parent_id.blank?
# for taxonomies, nil is valid value which indicates, we need to search in Users all taxonomies
return [parent_name, User.current.my_organizations] if parent_class == Organization && parent_id.blank?
return [parent_name, User.current.my_locations] if parent_class == Location && parent_id.blank?
parent_scope = scope_for(parent_class, :permission => "#{parent_permission(action_permission)}_#{parent_name.pluralize}")
parent_scope = select_by_resource_id_scope(parent_scope, parent_class, parent_id)
[parent_name, parent_scope]
end
def extract_resource_from_param(param)
md = param.match(/(\w+)_id$/)
md ? [md[1], resource_class_for(resource_name(md[1]))] : nil
end
# This method adds a condition to the base_scope in form:
# "resource_class.id = resource_id [ OR resource_class.friendly_id_column = resource_id ]"
# the optional part will be added if the resource class supports friendly_id
# it will also add "ORDER BY" query in order to prioritize
# records with friendly_id_column hit rather than those that have filtered because of
# id column filtering
# Should be replaced after moving to friendly_id version >= 5.0
def select_by_resource_id_scope(base_scope, resource_class, resource_id)
arel = resource_class.arel_table
arel_query = arel[:id].eq(resource_id)
arel_query.to_sql
begin
query_field = resource_class.friendly_id_config.query_field
rescue NoMethodError
# FriendlyId is not supported (didn't find a better way to test it)
# The problem is in Host <-> Host::Managed hack. #responds_to? query_field
# will return false values.
query_field = nil
end
if query_field
friendly_field_query = arel[query_field].eq(resource_id)
arel_query = arel_query.or(friendly_field_query)
end
filtered_scope = base_scope.where(arel_query)
filtered_scope = prioritize_friendly_name_records(filtered_scope, friendly_field_query) if query_field
filtered_scope
end
# Prefer records that matched the friendly column upon those matched the ID column
def prioritize_friendly_name_records(base_scope, friendly_field_query)
field_query = friendly_field_query.to_sql
base_scope.order("CASE WHEN #{field_query} THEN 1 ELSE 0 END")
end
def parameter_filter_context
Foreman::ParameterFilter::Context.new(:api, controller_name, params[:action])
end
class << self
def parameter_filter_context
Foreman::ParameterFilter::Context.new(:api, controller_name, nil)
end
protected
def add_scoped_search_description_for(resource)
search_fields = resource.scoped_search_definition.fields.map do |k, f|
info = { :name => k.to_s }
if f.complete_value.is_a?(Hash)
info[:values] = f.complete_value.keys
else
# type is unknown for fields that are delegated to external methods
# 'string' is a good guess in such cases
info[:type] = f.ext_method.nil? ? f.type.to_s : 'string' rescue ''
end
info
end
meta :search => search_fields.sort_by { |info| info[:name] }
end
end
end
end