atlas_rb 1.8.6 → 1.8.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.version +1 -1
- data/CHANGELOG.md +21 -0
- data/Gemfile.lock +1 -1
- data/lib/atlas_rb/system/token.rb +59 -0
- data/lib/atlas_rb.rb +1 -0
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 88e591bc06be2edcf972e7df8490f57656f0562680d3546598f7461b1ad25bc3
|
|
4
|
+
data.tar.gz: 997084c70c482d78cbc4627d7dcf65b91a1687b8bf6ed1855c0f46613b007389
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 87d74362da0a1b9fe6655c675fe834dce9c1ea824012d9f482c1828fbe6f299495793836c6840528d350aad020a1a28bf3a53f52136c336c114a3e41afb61096
|
|
7
|
+
data.tar.gz: b02aac392fa82e3f64c5a391e23215aa2eb6577285ddb0517ac2653ae67f33603dc05e4af018acb73c5a2d9859fc2b137309f51525db6b40aa36897cbe957cfa
|
data/.version
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.8.
|
|
1
|
+
1.8.7
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,26 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 1.8.7
|
|
4
|
+
|
|
5
|
+
### Added — personal-access token lifecycle (`System::Token.mint` / `.revoke`)
|
|
6
|
+
|
|
7
|
+
New system-context binding for the `POST /nuid` / `DELETE /nuid` endpoints so a
|
|
8
|
+
host app can mint and revoke a user's personal-access JWT (`ATLAS_JWT`, BYO-JWT
|
|
9
|
+
mode). Both are :system-gated on Atlas ("minting for an arbitrary NUID is
|
|
10
|
+
'become anyone'"), so they authenticate via `FaradayHelper#system_connection`
|
|
11
|
+
(hard-pinned system token + `User: NUID` header) — never the ambient-user
|
|
12
|
+
relay-signing path — mirroring `System::User`.
|
|
13
|
+
|
|
14
|
+
- `AtlasRb::System::Token.mint(nuid:)` → the JWT (`String`), or `nil` when the
|
|
15
|
+
NUID has no Atlas User row (404). The token is full-privilege for that user,
|
|
16
|
+
1-week TTL, single-jti.
|
|
17
|
+
- `AtlasRb::System::Token.revoke(nuid:)` → `true` on success (204), `false` on
|
|
18
|
+
404. Rotates the user's jti (single-jti model → all outstanding tokens die at
|
|
19
|
+
once). "Regenerate" is `revoke` followed by a fresh `mint`.
|
|
20
|
+
|
|
21
|
+
Unblocks Cerberus's "My DRS → Programmatic access" section (generate / regenerate
|
|
22
|
+
/ revoke), gated to the `northeastern:drs:repository:api` Grouper group.
|
|
23
|
+
|
|
3
24
|
## 1.8.5
|
|
4
25
|
|
|
5
26
|
### Fixed — `find` returns a tombstone (`410`) instead of raising
|
data/Gemfile.lock
CHANGED
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module AtlasRb
|
|
4
|
+
module System
|
|
5
|
+
# Personal-access token lifecycle — mint and revoke the 1-week JWT a real
|
|
6
|
+
# person exports as `ATLAS_JWT` to drive atlas_rb / curl against Atlas
|
|
7
|
+
# headless (BYO-JWT mode, see {AtlasRb::FaradayHelper}). Cerberus's "My DRS
|
|
8
|
+
# → Programmatic access" section calls these post-SSO and hands the token
|
|
9
|
+
# to the librarian; the token is never persisted by Cerberus.
|
|
10
|
+
#
|
|
11
|
+
# ## Why a separate class from {System::User}
|
|
12
|
+
#
|
|
13
|
+
# Token lifecycle is a distinct concern from SSO user provisioning: minting
|
|
14
|
+
# a bearer credential for someone is "become anyone," which is exactly why
|
|
15
|
+
# both Atlas endpoints are :system-gated (`authorize! :mint_token, User`).
|
|
16
|
+
# Keeping it in its own class keeps that carve-out legible rather than
|
|
17
|
+
# burying it among provisioning methods.
|
|
18
|
+
#
|
|
19
|
+
# Both methods authenticate via {FaradayHelper#system_connection} — the
|
|
20
|
+
# hard-pinned system token + `User: NUID` header — so there is no way to
|
|
21
|
+
# issue them as a regular user. This is never the ambient-user
|
|
22
|
+
# relay-signing path.
|
|
23
|
+
class Token
|
|
24
|
+
extend AtlasRb::FaradayHelper
|
|
25
|
+
|
|
26
|
+
# Mint a personal-access JWT for a real person (`POST /nuid`).
|
|
27
|
+
# System-gated. The returned token authenticates as `nuid` in BYO-JWT
|
|
28
|
+
# mode (Atlas resolves identity from the token's `sub`, ignores any
|
|
29
|
+
# `User:` / `On-Behalf-Of` header, and refuses `:system`/`:anonymous`).
|
|
30
|
+
# Full-privilege for that user, 1-week TTL, single-jti.
|
|
31
|
+
#
|
|
32
|
+
# @param nuid [String] the NUID the token will act as.
|
|
33
|
+
# @return [String, nil] the JWT, or nil when the NUID has no Atlas User
|
|
34
|
+
# row (404) — a clean "no such user" signal for the caller to surface.
|
|
35
|
+
def self.mint(nuid:)
|
|
36
|
+
response = system_connection.post("/nuid", { nuid: nuid }.to_json)
|
|
37
|
+
return nil if response.status == 404
|
|
38
|
+
|
|
39
|
+
AtlasRb::Mash.new(JSON.parse(response.body))["token"]
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
# Revoke every outstanding token for a user (`DELETE /nuid`) by rotating
|
|
43
|
+
# its jti. System-gated. Single-jti model → all-or-nothing: every token
|
|
44
|
+
# the user holds dies at once. "Regenerate" on the Cerberus side is
|
|
45
|
+
# {.revoke} followed by a fresh {.mint}.
|
|
46
|
+
#
|
|
47
|
+
# The NUID rides as a query param (`system_connection`'s params hash) so
|
|
48
|
+
# this sidesteps DELETE-with-body handling; Atlas reads it from
|
|
49
|
+
# `params[:nuid]` either way.
|
|
50
|
+
#
|
|
51
|
+
# @param nuid [String] the NUID whose tokens to invalidate.
|
|
52
|
+
# @return [Boolean] true on success (204), false when the NUID has no
|
|
53
|
+
# Atlas User row (404).
|
|
54
|
+
def self.revoke(nuid:)
|
|
55
|
+
system_connection({ nuid: nuid }).delete("/nuid").status == 204
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
end
|
data/lib/atlas_rb.rb
CHANGED
|
@@ -30,6 +30,7 @@ require_relative "atlas_rb/admin/collection"
|
|
|
30
30
|
require_relative "atlas_rb/admin/community"
|
|
31
31
|
require_relative "atlas_rb/system"
|
|
32
32
|
require_relative "atlas_rb/system/user"
|
|
33
|
+
require_relative "atlas_rb/system/token"
|
|
33
34
|
require_relative "atlas_rb/audit_event"
|
|
34
35
|
|
|
35
36
|
# Ruby client for the Atlas API — Northeastern University's institutional
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: atlas_rb
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.8.
|
|
4
|
+
version: 1.8.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Cliff
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2026-07-
|
|
11
|
+
date: 2026-07-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|
|
@@ -150,6 +150,7 @@ files:
|
|
|
150
150
|
- lib/atlas_rb/person.rb
|
|
151
151
|
- lib/atlas_rb/resource.rb
|
|
152
152
|
- lib/atlas_rb/system.rb
|
|
153
|
+
- lib/atlas_rb/system/token.rb
|
|
153
154
|
- lib/atlas_rb/system/user.rb
|
|
154
155
|
- lib/atlas_rb/user.rb
|
|
155
156
|
- lib/atlas_rb/version.rb
|