cartodb-4.42/app/controllers/carto/api/api_keys_controller.rb

require_relative 'paged_searcher'

class Carto::Api::ApiKeysController < ::Api::ApplicationController
  include Carto::UUIDHelper
  include Carto::Api::PagedSearcher
  include Carto::Api::AuthApiAuthentication

  ssl_required :create, :destroy, :regenerate_token, :show, :index

  before_filter :any_api_authorization_required, only: [:index, :show]
  skip_filter :api_authorization_required, only: [:index, :show]
  before_filter :engine_required
  before_filter :load_api_key, only: [:destroy, :regenerate_token, :show]

  rescue_from Carto::ParamInvalidError, with: :rescue_from_carto_error
  rescue_from Carto::LoadError, with: :rescue_from_carto_error
  rescue_from Carto::UnprocesableEntityError, with: :rescue_from_carto_error
  rescue_from Carto::UnauthorizedError, with: :rescue_from_carto_error
  rescue_from Carto::CartoError, with: :rescue_from_carto_error

  VALID_ORDER_PARAMS = [:type, :name, :updated_at].freeze
  VALID_TYPE_PARAMS = [Carto::ApiKey::TYPE_MASTER,
                       Carto::ApiKey::TYPE_DEFAULT_PUBLIC,
                       Carto::ApiKey::TYPE_REGULAR].freeze

  def create
    api_key = target_user.api_keys.create_regular_key!(name: params[:name], grants: params[:grants])
    render_jsonp(Carto::Api::ApiKeyPresenter.new(api_key).to_poro, 201)
  rescue ActiveRecord::RecordInvalid => e
    raise Carto::UnprocesableEntityError.new(e.message)
  rescue CartoDB::QuotaExceeded => e
    raise Carto::CartoError.new(e.message, 403)
  end

  def destroy
    raise Carto::UnauthorizedError.new unless @viewed_api_key.can_be_deleted?

    @viewed_api_key.destroy
    head :no_content
  end

  def regenerate_token
    @viewed_api_key.regenerate_token!
    render_jsonp(Carto::Api::ApiKeyPresenter.new(@viewed_api_key).to_poro, 200)
  end

  def index
    page, per_page, order, _order_direction = page_per_page_order_params(VALID_ORDER_PARAMS)

    api_keys = target_user.api_keys.by_type(type_param).order_weighted_by_type
    api_keys = request_api_key.master? ? api_keys : api_keys.where(id: request_api_key.id)
    filtered_api_keys = Carto::PagedModel.paged_association(api_keys, page, per_page, order)

    result = filtered_api_keys.map { |api_key| json_for_api_key(api_key) }

    render_jsonp(
      paged_result(
        result: result,
        total_count: api_keys.count,
        page: page,
        per_page: per_page,
        params: params
      ) { |params| api_keys_url(params) },
      200
    )
  end

  def show
    render_jsonp(Carto::Api::ApiKeyPresenter.new(@viewed_api_key).to_poro, 200)
  end

  private

  def load_api_key
    name = params[:id]
    @viewed_api_key = Carto::ApiKey.where(user_id: target_user.id, name: name).user_visible.first
    if !@viewed_api_key || !request_api_key.master? && @viewed_api_key != request_api_key
      raise Carto::LoadError.new("API key not found: #{name}")
    end
  end

  def json_for_api_key(api_key)
    Carto::Api::ApiKeyPresenter.new(api_key).to_poro.merge(
      _links: {
        self: api_key_url(id: CGI::escape(api_key.name))
      }
    )
  end

  def type_param
    types = (params[:type] || '').split(',').map(&:strip)
    raise Carto::ParamInvalidError.new(:type, VALID_TYPE_PARAMS) unless (types - VALID_TYPE_PARAMS).empty?
    types
  end

  def target_user
    if params[:target_user].nil?
      current_viewer
    else
      # just org owners or org admins can manage api keys for other users
      raise Carto::UnauthorizedError.new unless current_viewer.organization_admin?
      user = Carto::User.where(username: params[:target_user], organization: current_viewer.organization.id).first
      raise Carto::LoadError.new("User '#{params[:target_user]}' not found in the organization '#{current_viewer.organization.name}'") if user.nil?
      user
    end
  end
end