discourse/app/models/api_key_scope.rb

# frozen_string_literal: true

class ApiKeyScope < ActiveRecord::Base
  validates_presence_of :resource
  validates_presence_of :action

  class << self
    def list_actions
      actions = %w[list#category_feed]

      %i[latest unread new top].each { |f| actions.concat(["list#category_#{f}", "list##{f}"]) }

      actions
    end

    def default_mappings
      return @default_mappings unless @default_mappings.nil?

      mappings = {
        global: {
          read: { methods: %i[get] }
        },
        topics: {
          write: { actions: %w[posts#create], params: %i[topic_id] },
          read: {
            actions: %w[topics#show topics#feed topics#posts],
            params: %i[topic_id], aliases: { topic_id: :id }
          },
          read_lists: {
            actions: list_actions, params: %i[category_id],
            aliases: { category_id: :category_slug_path_with_id }
          },
          wordpress: { actions: %w[topics#wordpress], params: %i[topic_id] }
        },
        posts: {
          edit: { actions: %w[posts#update], params: %i[id] }
        },
        uploads: {
          create: {
            actions: %w[
              uploads#create
              uploads#generate_presigned_put
              uploads#complete_external_upload
              uploads#create_multipart
              uploads#batch_presign_multipart_parts
              uploads#abort_multipart
              uploads#complete_multipart
            ]
          }
        },
        users: {
          bookmarks: { actions: %w[users#bookmarks], params: %i[username] },
          sync_sso: { actions: %w[admin/users#sync_sso], params: %i[sso sig] },
          show: { actions: %w[users#show], params: %i[username external_id external_provider] },
          check_emails: { actions: %w[users#check_emails], params: %i[username] },
          update: { actions: %w[users#update], params: %i[username] },
          log_out: { actions: %w[admin/users#log_out] },
          anonymize: { actions: %w[admin/users#anonymize] },
          delete: { actions: %w[admin/users#destroy] },
          list: { actions: %w[admin/users#index] },
        },
        email: {
          receive_emails: { actions: %w[admin/email#handle_mail] }
        },
        badges: {
          create: { actions: %w[admin/badges#create] },
          show: { actions: %w[badges#show] },
          update: { actions: %w[admin/badges#update] },
          delete: { actions: %w[admin/badges#destroy] },
          list_user_badges: { actions: %w[user_badges#username], params: %i[username] },
          assign_badge_to_user: { actions: %w[user_badges#create], params: %i[username] },
          revoke_badge_from_user: { actions: %w[user_badges#destroy] },
        }
      }

      parse_resources!(mappings)
      @default_mappings = mappings
    end

    def scope_mappings
      plugin_mappings = DiscoursePluginRegistry.api_key_scope_mappings
      return default_mappings if plugin_mappings.empty?

      default_mappings.deep_dup.tap do |mappings|
        plugin_mappings.each do |plugin_mapping|
          parse_resources!(plugin_mapping)
          mappings.deep_merge!(plugin_mapping)
        end
      end
    end

    def parse_resources!(mappings)
      mappings.each_value do |resource_actions|
        resource_actions.each_value do |action_data|
          action_data[:urls] = find_urls(actions: action_data[:actions], methods: action_data[:methods])
        end
      end
    end

    def find_urls(actions:, methods:)
      urls = []

      if actions.present?
        Rails.application.routes.routes.each do |route|
          defaults = route.defaults
          action = "#{defaults[:controller].to_s}##{defaults[:action]}"
          path = route.path.spec.to_s.gsub(/\(\.:format\)/, '')
          api_supported_path = path.end_with?('.rss') || route.path.requirements[:format]&.match?('json')
          excluded_paths = %w[/new-topic /new-message /exception]

          if actions.include?(action) && api_supported_path && !excluded_paths.include?(path)
            urls << "#{path} (#{route.verb})"
          end
        end
      end

      if methods.present?
        methods.each do |method|
          urls << "* (#{method})"
        end
      end

      urls
    end
  end

  def permits?(env)
    RouteMatcher.new(**mapping.except(:urls), allowed_param_values: allowed_parameters).match?(env: env)
  end

  private

  def mapping
    @mapping ||= self.class.scope_mappings.dig(resource.to_sym, action.to_sym)
  end
end

# == Schema Information
#
# Table name: api_key_scopes
#
#  id                 :bigint           not null, primary key
#  api_key_id         :integer          not null
#  resource           :string           not null
#  action             :string           not null
#  allowed_parameters :json
#  created_at         :datetime         not null
#  updated_at         :datetime         not null
#
# Indexes
#
#  index_api_key_scopes_on_api_key_id  (api_key_id)
#
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`# frozen_string_literal: true`

			`class ApiKeyScope < ActiveRecord::Base`
			`validates_presence_of :resource`
			`validates_presence_of :action`

			`class << self`
			`def list_actions`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00			`actions = %w[list#category_feed]`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00
			`%i[latest unread new top].each { \|f\| actions.concat(["list#category_#{f}", "list##{f}"]) }`

			`actions`
			`end`

			`def default_mappings`
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00			`return @default_mappings unless @default_mappings.nil?`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00			`mappings = {`
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00			`global: {`
			`read: { methods: %i[get] }`
			`},`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`topics: {`
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00			`write: { actions: %w[posts#create], params: %i[topic_id] },`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00			`read: {`
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00			`actions: %w[topics#show topics#feed topics#posts],`
			`params: %i[topic_id], aliases: { topic_id: :id }`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00			`},`
			`read_lists: {`
			`actions: list_actions, params: %i[category_id],`
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00			`aliases: { category_id: :category_slug_path_with_id }`
			`},`
			`wordpress: { actions: %w[topics#wordpress], params: %i[topic_id] }`
			`},`
FEATURE: An API key scope for editing posts. (#13441) 2021-06-18 11:53:10 -04:00			`posts: {`
			`edit: { actions: %w[posts#update], params: %i[id] }`
			`},`
FEATURE: adds uploads scope for API keys (#14941) * FEATURE: adds uploads scope for API keys * Add basic test, change "image" to "file" 2021-11-22 12:49:08 -05:00			`uploads: {`
FIX: Add more actions to the uploads API key scope (#15306) The uploads API key create scope did not cover the external upload API endpoints, or the direct S3 multipart endpoints, and this commit adds them. cf. https://meta.discourse.org/t/upload-create-api-key-insufficient/211896 2021-12-14 23:08:11 -05:00			`create: {`
			`actions: %w[`
			`uploads#create`
			`uploads#generate_presigned_put`
			`uploads#complete_external_upload`
			`uploads#create_multipart`
			`uploads#batch_presign_multipart_parts`
			`uploads#abort_multipart`
			`uploads#complete_multipart`
			`]`
			`}`
FEATURE: adds uploads scope for API keys (#14941) * FEATURE: adds uploads scope for API keys * Add basic test, change "image" to "file" 2021-11-22 12:49:08 -05:00			`},`
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00			`users: {`
			`bookmarks: { actions: %w[users#bookmarks], params: %i[username] },`
			`sync_sso: { actions: %w[admin/users#sync_sso], params: %i[sso sig] },`
FIX: Allow plugins to correctly extend API key scopes. (#12113) Adding a scope from a plugin was broken. This commit fixes it and adds a test. It also documents the instance method and renames the serialized "id" attribute to "scope_id" to avoid a conflict when the scope also has a parameter with the same name. 2021-02-17 12:42:44 -05:00			`show: { actions: %w[users#show], params: %i[username external_id external_provider] },`
FEATURE: Add user update, anonymize and delete API scopes (#11335) 2020-11-24 07:54:24 -05:00			`check_emails: { actions: %w[users#check_emails], params: %i[username] },`
			`update: { actions: %w[users#update], params: %i[username] },`
FEATURE: Add users:log_out API key scope (#11359) 2020-11-26 05:39:38 -05:00			`log_out: { actions: %w[admin/users#log_out] },`
FEATURE: Add user update, anonymize and delete API scopes (#11335) 2020-11-24 07:54:24 -05:00			`anonymize: { actions: %w[admin/users#anonymize] },`
			`delete: { actions: %w[admin/users#destroy] },`
FEATURE: Add 'users.list' API scope (#13742) 2021-07-15 23:10:04 -04:00			`list: { actions: %w[admin/users#index] },`
FEATURE: Add an API key scopes for handling incoming email. (#11245) Admins need to create a global API key if they want to use the mail-receiver. Let's add a scope for that. 2020-11-16 12:14:12 -05:00			`},`
			`email: {`
			`receive_emails: { actions: %w[admin/email#handle_mail] }`
FEATURE: Introduce API scopes for badges. 2021-12-05 21:27:25 -05:00			`},`
			`badges: {`
			`create: { actions: %w[admin/badges#create] },`
			`show: { actions: %w[badges#show] },`
			`update: { actions: %w[admin/badges#update] },`
			`delete: { actions: %w[admin/badges#destroy] },`
			`list_user_badges: { actions: %w[user_badges#username], params: %i[username] },`
			`assign_badge_to_user: { actions: %w[user_badges#create], params: %i[username] },`
			`revoke_badge_from_user: { actions: %w[user_badges#destroy] },`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`}`
			`}`
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00			`parse_resources!(mappings)`
FEATURE: More API scopes (#10493) 2020-08-24 11:15:08 -04:00			`@default_mappings = mappings`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`end`

			`def scope_mappings`
			`plugin_mappings = DiscoursePluginRegistry.api_key_scope_mappings`
FIX: Adding a custom scope should not modify the original ones. (#12178) Default scopes are stored inside a class variable, which shouldn't be modified when a custom scope is added. If this happens, we're no longer to remove the scope when the plugin is disabled. 2021-02-22 18:10:53 -05:00			`return default_mappings if plugin_mappings.empty?`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00
FIX: Adding a custom scope should not modify the original ones. (#12178) Default scopes are stored inside a class variable, which shouldn't be modified when a custom scope is added. If this happens, we're no longer to remove the scope when the plugin is disabled. 2021-02-22 18:10:53 -05:00			`default_mappings.deep_dup.tap do \|mappings\|`
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00			`plugin_mappings.each do \|plugin_mapping\|`
			`parse_resources!(plugin_mapping)`
			`mappings.deep_merge!(plugin_mapping)`
			`end`
			`end`
			`end`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00			`def parse_resources!(mappings)`
			`mappings.each_value do \|resource_actions\|`
			`resource_actions.each_value do \|action_data\|`
			`action_data[:urls] = find_urls(actions: action_data[:actions], methods: action_data[:methods])`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`end`
			`end`
			`end`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00			`def find_urls(actions:, methods:)`
FIX: Missing allowed urls when displaying granualar API key scopes. Follow-up to 3791fbd9196c5a10d2723e3c46e7cf8f008caa4c 2021-12-05 21:51:47 -05:00			`urls = []`
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00
			`if actions.present?`
FIX: Missing allowed urls when displaying granualar API key scopes. Follow-up to 3791fbd9196c5a10d2723e3c46e7cf8f008caa4c 2021-12-05 21:51:47 -05:00			`Rails.application.routes.routes.each do \|route\|`
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00			`defaults = route.defaults`
			`action = "#{defaults[:controller].to_s}##{defaults[:action]}"`
			`path = route.path.spec.to_s.gsub(/\(\.:format\)/, '')`
			`api_supported_path = path.end_with?('.rss') \|\| route.path.requirements[:format]&.match?('json')`
			`excluded_paths = %w[/new-topic /new-message /exception]`

FIX: Missing allowed urls when displaying granualar API key scopes. Follow-up to 3791fbd9196c5a10d2723e3c46e7cf8f008caa4c 2021-12-05 21:51:47 -05:00			`if actions.include?(action) && api_supported_path && !excluded_paths.include?(path)`
			`urls << "#{path} (#{route.verb})"`
FEATURE: An API key scope for editing posts. (#13441) 2021-06-18 11:53:10 -04:00			`end`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00			`end`
			`end`
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00
			`if methods.present?`
			`methods.each do \|method\|`
FIX: Missing allowed urls when displaying granualar API key scopes. Follow-up to 3791fbd9196c5a10d2723e3c46e7cf8f008caa4c 2021-12-05 21:51:47 -05:00			`urls << "* (#{method})"`
FEATURE: Add read-only scope to API keys (#14856) This commit adds a global read-only scope that can be used to create new API keys. 2021-11-10 10:48:00 -05:00			`end`
			`end`

FIX: Missing allowed urls when displaying granualar API key scopes. Follow-up to 3791fbd9196c5a10d2723e3c46e7cf8f008caa4c 2021-12-05 21:51:47 -05:00			`urls`
UX: Help users understand the meaning of each scope. (#10468) 2020-08-18 14:12:04 -04:00			`end`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`end`

REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`def permits?(env)`
			`RouteMatcher.new(**mapping.except(:urls), allowed_param_values: allowed_parameters).match?(env: env)`
FEATURE: Add scopes to API keys (#9844) * Added scopes UI * Create scopes when creating a new API key * Show scopes on the API key show route * Apply scopes on API requests * Extend scopes from plugins * Add missing scopes. A mapping can be associated with multiple controller actions * Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes * Add not null validations and index for api_key_id * Annotate model * DEV: Move default mappings to ApiKeyScope * Remove unused attribute and improve UI for existing keys * Support multiple parameters separated by a comma 2020-07-16 14:51:24 -04:00			`end`

			`private`

			`def mapping`
			`@mapping \|\|= self.class.scope_mappings.dig(resource.to_sym, action.to_sym)`
			`end`
			`end`

			`# == Schema Information`
			`#`
			`# Table name: api_key_scopes`
			`#`
			`# id :bigint not null, primary key`
			`# api_key_id :integer not null`
			`# resource :string not null`
			`# action :string not null`
			`# allowed_parameters :json`
			`# created_at :datetime not null`
			`# updated_at :datetime not null`
			`#`
			`# Indexes`
			`#`
			`# index_api_key_scopes_on_api_key_id (api_key_id)`
			`#`