-
Notifications
You must be signed in to change notification settings - Fork 357
/
application_controller.rb
221 lines (171 loc) · 6.66 KB
/
application_controller.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
require 'cloud_controller/blobstore/errors'
require 'cloud_controller/errors/compound_error'
module V3ErrorsHelper
def invalid_request!(message)
raise CloudController::Errors::ApiError.new_from_details('InvalidRequest', message)
end
def invalid_param!(message)
raise CloudController::Errors::ApiError.new_from_details('BadQueryParameter', message)
end
def unprocessable(message)
CloudController::Errors::ApiError.new_from_details('UnprocessableEntity', message)
end
def unprocessable!(message)
raise unprocessable(message)
end
def unauthorized!
raise CloudController::Errors::ApiError.new_from_details('NotAuthorized')
end
def resource_not_found_with_message!(message)
raise CloudController::Errors::ApiError.new_from_details('ResourceNotFound', message)
end
def bad_request!(message)
raise CloudController::Errors::ApiError.new_from_details('BadRequest', message)
end
def message_parse_error!(message)
raise CloudController::Errors::ApiError.new_from_details('MessageParseError', message)
end
def service_unavailable!(message)
raise CloudController::Errors::ApiError.new_from_details('ServiceUnavailable', message)
end
def resource_not_found!(resource)
raise CloudController::Errors::NotFound.new_from_details('ResourceNotFound', "#{resource.to_s.humanize} not found")
end
def not_found!
raise CloudController::Errors::NotFound.new_from_details('NotFound')
end
end
class ApplicationController < ActionController::Base
include VCAP::CloudController
include V3ErrorsHelper
include VCAP::CloudController::ParamsHashifier
ANONYMOUSLY_AVAILABLE = ['not_found', 'internal_error', 'bad_request', 'v3_info'].map(&:freeze).freeze
UNSCOPED_PAGES = ['not_found', 'internal_error', 'bad_request', 'v3_root', 'v3_info'].map(&:freeze).freeze
READ_SCOPE_HTTP_METHODS = ['GET', 'HEAD'].map(&:freeze).freeze
YAML_CONTENT_TYPE = 'application/x-yaml'.freeze
wrap_parameters :body, format: [:json, :url_encoded_form, :multipart_form]
before_action :validate_token!, if: :enforce_authentication?
before_action :check_read_permissions!, if: :enforce_read_scope?
before_action :check_write_permissions!, if: :enforce_write_scope?
before_action :hashify_params
before_action :null_coalesce_body
rescue_from CloudController::Blobstore::BlobstoreError, with: :handle_blobstore_error
rescue_from CloudController::Errors::NotAuthenticated, with: :handle_not_authenticated
rescue_from CloudController::Errors::NotFound, with: :handle_not_found
rescue_from CloudController::Errors::InvalidAuthToken, with: :handle_invalid_auth_token
rescue_from CloudController::Errors::ApiError, with: :handle_api_error
rescue_from CloudController::Errors::CompoundError, with: :handle_compound_error
def configuration
Config.config
end
def query_params
request.query_parameters.with_indifferent_access
end
def unmunged_body
JSON.parse(request.body.string)
end
def parsed_yaml
return @parsed_yaml if @parsed_yaml
allow_yaml_aliases = false
yaml = YAML.safe_load(request.body.string, [], [], allow_yaml_aliases)
message_parse_error!('invalid request body') if !yaml.is_a? Hash
@parsed_yaml = yaml
rescue Psych::BadAlias
bad_request!('Manifest does not support Anchors and Aliases')
end
def roles
VCAP::CloudController::SecurityContext.roles
end
def current_user
VCAP::CloudController::SecurityContext.current_user
end
def current_user_email
VCAP::CloudController::SecurityContext.current_user_email
end
def user_audit_info
VCAP::CloudController::UserAuditInfo.from_context(VCAP::CloudController::SecurityContext)
end
def url_builder
@url_builder ||= VCAP::CloudController::Presenters::ApiUrlBuilder
end
def request_id
::VCAP::Request.current_id
end
def logger
@logger ||= Steno.logger('cc.api')
end
def perm_client
@perm_client ||= CloudController::DependencyLocator.instance.perm_client
end
def statsd_client
@statsd_client ||= CloudController::DependencyLocator.instance.statsd_client
end
def permission_queryer
@permission_queryer ||= VCAP::CloudController::Permissions::Queryer.build(
perm_client,
statsd_client,
SecurityContext,
configuration.get(:perm, :enabled),
configuration.get(:perm, :query_raise_on_mismatch)
)
end
def add_warning_headers(warnings)
return if warnings.nil?
raise ArgumentError.new('warnings should be an array') unless warnings.is_a?(Array)
warnings.each do |warning|
response.add_header('X-Cf-Warnings', CGI.escape(warning))
end
end
private
###
### FILTERS
###
def enforce_authentication?
!ANONYMOUSLY_AVAILABLE.include?(action_name)
end
def enforce_read_scope?
return false if UNSCOPED_PAGES.include?(action_name)
READ_SCOPE_HTTP_METHODS.include?(request.method)
end
def enforce_write_scope?
return false if UNSCOPED_PAGES.include?(action_name)
!READ_SCOPE_HTTP_METHODS.include?(request.method)
end
def check_read_permissions!
read_scope = SecurityContext.scopes.include?('cloud_controller.read')
admin_read_only_scope = SecurityContext.scopes.include?('cloud_controller.admin_read_only')
global_auditor_scope = SecurityContext.scopes.include?('cloud_controller.global_auditor')
raise CloudController::Errors::ApiError.new_from_details('NotAuthorized') if !roles.admin? && !read_scope && !admin_read_only_scope && !global_auditor_scope
end
def check_write_permissions!
write_scope = SecurityContext.scopes.include?('cloud_controller.write')
raise CloudController::Errors::ApiError.new_from_details('NotAuthorized') if !roles.admin? && !write_scope
end
def validate_token!
return if current_user
if VCAP::CloudController::SecurityContext.missing_token?
raise CloudController::Errors::NotAuthenticated
end
raise CloudController::Errors::InvalidAuthToken
end
def handle_blobstore_error(error)
error = CloudController::Errors::ApiError.new_from_details('BlobstoreError', error.message)
handle_api_error(error)
end
def handle_exception(error)
presenter = ErrorPresenter.new(error, Rails.env.test?, V3ErrorHasher.new(error))
logger.info(presenter.log_message)
render status: presenter.response_code, json: presenter
end
alias_method :handle_not_authenticated, :handle_exception
alias_method :handle_api_error, :handle_exception
alias_method :handle_compound_error, :handle_exception
alias_method :handle_not_found, :handle_exception
alias_method :handle_invalid_auth_token, :handle_exception
def null_coalesce_body
hashed_params[:body] ||= {}
end
def membership
@membership ||= Membership.new(current_user)
end
end