audiences 1.6.2 → 2.0.1

data/lib/audiences/configuration.rb

@@ -5,6 +5,80 @@ module Audiences
 
   # Configuration options
 
+  # Sync groups and users with TwoPercent
+  config_accessor(:logger)
+
+  # Sync groups and users with TwoPercent
+  config_accessor(:observe_scim) { true }
+
+  # Group types that can form an audience
+  config_accessor :group_types do
+    %w[Groups]
+  end
+
+  # Group types that must be present in a user provisioning event
+  config_accessor :required_group_types do
+    []
+  end
+
+  DEFAULT_TERRITORY_ABBREVIATIONS = {
+    "Philadelphia" => "PHL", "New Jersey" => "NJ", "Maryland" => "MD", "Connecticut" => "CT",
+    "Long Island" => "LI", "Boston" => "BOS", "Atlanta" => "ATL", "Chicago" => "CHI",
+    "Detroit" => "DET", "Houston" => "HOU", "Dallas" => "DAL", "Denver" => "DEN", "Tampa" => "TPA",
+    "Austin" => "AUS", "Charlotte" => "CLT", "Nashville" => "NSH", "Phoenix" => "PHX",
+    "Pittsburgh" => "PIT", "San Antonio" => "SAO", "Fort Lauderdale" => "FLL", "Las Vegas" => "LVS",
+    "Orlando" => "ORL", "Cincinnati" => "CIN", "Columbus" => "CLB", "Jacksonville" => "JAX",
+    "Oklahoma City" => "OKC", "Raleigh" => "RLD", "Cleveland" => "CLE"
+  }.freeze
+
+  config_accessor(:territory_abbreviations) { DEFAULT_TERRITORY_ABBREVIATIONS }
+
+  # Defines a default scope for users, so the users that are part of an audience can
+  # be filtered (i.e.: only active, only users in a specific group, etc)
+  #
+  # By default, only active users are listed.
+  #
+  # I.e.:
+  #
+  #   # Allowing inactive users
+  #   Audiences.configure do |config|
+  #     config.default_users_scope = -> { all }
+  #   end
+  #
+  #   # Accepting only users in certain groups
+  #   Audiences.configure do |config|
+  #     config.default_users_scope = -> { includes(:groups).merge(Audiences::Group.where(scim_id: ALLOWED_GROUPS)) }
+  #   end
+  #
+  # This configuration defaults to `-> { active }`
+  #
+  config_accessor :default_users_scope do
+    ->(*) { active }
+  end
+
+  # Defines a default scope for groups, so the groups that are part of an audience can
+  # be filtered (i.e.: only active, only specific groups, etc)
+  #
+  # By default, only active groups are listed.
+  #
+  # I.e.:
+  #
+  #   # Allowing inactive groups
+  #   Audiences.configure do |config|
+  #     config.default_groups_scope = -> { all }
+  #   end
+  #
+  #   # Accepting only groups in certain groups
+  #   Audiences.configure do |config|
+  #     config.default_groups_scope = -> { where(scim_id: ALLOWED_GROUPS) }
+  #   end
+  #
+  # This configuration defaults to `-> { active }`
+  #
+  config_accessor :default_groups_scope do
+    ->(*) { active }
+  end
+
   # These are the user attributes that will be exposed in the audiences endpoints.
   # They're required by the UI to display the user information.
   #
@@ -37,7 +111,20 @@ module Audiences
   #   end
   #
   config_accessor :authenticate do
-    ->(*) { true }
+    ->(*) do
+      Audiences.logger.warn(<<~MESSAGE)
+        Audiences authenticate is currently configured using a default and is blocking authenticaiton.
+
+        To make this warning go away provide a configuration for `Audiences.config.authenticate`.
+
+        The value should:
+          1. Be callable like a Proc.
+          2. Return true when the request is permitted.
+          3. Return false when the request is not permitted.
+      MESSAGE
+
+      false
+    end
   end
 
   #
@@ -51,50 +138,6 @@ module Audiences
   #
   config_accessor(:identity_key) { :id }
 
-  #
-  # SCIM service configurations. This should be a Hash containint, at least, the URI.
-  #
-  # I.e.:
-  #
-  #   Audiences.configure do |config|
-  #     config.scim = { uri: "http://localhost/api/scim" }
-  #   end
-  #
-  # It can also contain HTTP headers, such as "Authorization":
-  #
-  # I.e.:
-  #
-  #   Audiences.configure do |config|
-  #     config.scim = {
-  #       uri: "http://localhost/api/scim",
-  #       headers: { "Authorization" => "Bearer auth-token" }
-  #     }
-  #   end
-  #
-  config_accessor :scim
-
-  #
-  # Resources defaults. Change this configuration via the `resource` helper.
-  # This configuration lists the current Audiences accessible resource defaults,
-  # and defaults to Users only. To add other resource types for criteria building.
-  #
-  # @see `resource`.
-  #
-  config_accessor :resources do
-    { Users: Scim::Resource.new(type: :Users, attributes: ["active", { "photos" => %w[type value] }],
-                                filter: "active eq true") }
-  end
-
-  #
-  # Configures a resource default.
-  #
-  # @param type [Symbol] the resource type in plural, as in scim (i.e.: :Users)
-  # @param attributes [String] the list of attributes to fetch for the resource (i.e.: "id,externalId,displayName")
-  # @see [Audiences::Scim::Resource]
-  def config.resource(type, **kwargs)
-    resources[type] = Scim::Resource.new(type: type, **kwargs)
-  end
-
   #
   # Notifications configurations.
   # Within this block, you should be able to easily register job classes to execute as

data/lib/audiences/editor_helper.rb

@@ -3,12 +3,15 @@
 module Audiences
   module EditorHelper
     def render_audiences_editor(context, html_class: "audiences-editor",
-                                uri: Audiences::Engine.routes.url_helpers.root_path)
+                                uri: Audiences::Engine.routes.url_helpers.root_path,
+                                allow_match_all: true, allow_individuals: true)
       content_tag(:div, "",
                   data: {
                     react_class: "AudiencesEditor",
                     audiences_uri: uri,
                     audiences_context: context.signed_key,
+                    allow_match_all: allow_match_all,
+                    allow_individuals: allow_individuals,
                   },
                   class: html_class)
     end

data/lib/audiences/engine.rb

@@ -10,8 +10,17 @@ module Audiences
   class Engine < ::Rails::Engine
     isolate_namespace Audiences
 
-    initializer "audiences.assets.precompile" do |app|
+    initializer "audiences.editor_helper" do |app|
       app.config.assets.precompile += %w[audiences-ujs.js] if app.config.respond_to?(:assets)
+
+      ActiveSupport.on_load(:action_view) do
+        require "audiences/editor_helper"
+        include Audiences::EditorHelper
+      end
+    end
+
+    initializer "audiences.logger" do
+      Audiences.config.logger ||= Rails.logger.tagged("Audiences")
     end
 
     initializer "audiences.model" do
@@ -21,5 +30,14 @@ module Audiences
         end
       end
     end
+
+    initializer "audiences.observers" do
+      if Audiences.config.observe_scim
+        Audiences::Scim::UpsertUsersObserver.start
+        Audiences::Scim::UpsertGroupsObserver.start
+        Audiences::Scim::PatchGroupsObserver.start
+        Audiences::Scim::PatchUsersObserver.start
+      end
+    end
   end
 end

data/lib/audiences/model.rb

@@ -10,25 +10,26 @@ module Audiences
       #
       # @param name [Symbol,String] the member relationship name
       #
-      # rubocop:disable Naming/PredicateName,Metrics/MethodLength,Metrics/AbcSize
+      # rubocop:disable Naming/PredicateName,Metrics/MethodLength
       def has_audience(name)
         has_one :"#{name}_context", -> { where(relation: name) },
                 as: :owner, dependent: :destroy,
                 class_name: "Audiences::Context"
-        has_many :"#{name}_external_users",
-                 through: :"#{name}_context", source: :users,
-                 class_name: "Audiences::ExternalUser"
-        has_many name, -> { readonly }, through: :"#{name}_external_users", source: :identity
 
-        scope :"with_#{name}", -> { includes(name) }
+        delegate :users, to: :"#{name}_context", prefix: :"#{name}_external"
+
+        define_method(name) do
+          send(:"#{name}_context").users.includes(:identity)
+                                  .map(&:identity)
+        end
+
         scope :"with_#{name}_context", -> { includes(:"#{name}_context") }
-        scope :"with_#{name}_external_users", -> { includes(:"#{name}_external_users") }
 
         after_initialize if: :new_record? do
           association(:"#{name}_context").build
         end
       end
-      # rubocop:enable Naming/PredicateName,Metrics/MethodLength,Metrics/AbcSize
+      # rubocop:enable Naming/PredicateName,Metrics/MethodLength
     end
   end
 end

data/lib/audiences/notifications.rb

@@ -29,8 +29,10 @@ module Audiences
     #
     # @param context [Audiences::Context] updated context
     #
-    def publish(context)
-      subscriptions[context.owner.class]&.call(context)
+    def publish(*contexts)
+      contexts.each do |context|
+        subscriptions[context.owner.class]&.call(context)
+      end
     end
   end
 end

data/lib/audiences/scim/field_mapping.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class FieldMapping
+      def initialize(mapping)
+        @map = mapping
+      end
+
+      def remove(object, path, val)
+        return unless @map.key?(path)
+
+        case @map[path]
+        in { to: to, find: find }
+          remove_from_association(object, to, find, val)
+        else
+          current = object.send to(path)
+          _set object, path, current - value(path, val)
+        end
+      end
+
+      def add(object, path, val)
+        return unless @map.key?(path)
+
+        case @map[path]
+        in { to: to, find: find }
+          add_to_association(object, to, find, val)
+        else
+          current = object.send to(path)
+          _set object, path, current + value(path, val)
+        end
+      end
+
+      def replace(object, path, val)
+        _set object, path, value(path, val)
+      end
+
+    private
+
+      def _set(object, path, val)
+        return unless @map.key?(path)
+
+        object.send :"#{to(path)}=", val if @map[path]
+      end
+
+      def has?(...) = @map.key?(...)
+
+      def to(path)
+        case @map[path]
+        in { to: to } then to
+        in Symbol then @map[path]
+        end
+      end
+
+      def value(path, val)
+        case @map[path]
+        in { find: find } then [val].flatten.pluck("value").map(&find)
+        else val
+        end
+      end
+
+      def add_to_association(object, to, find, val)
+        # Use << operator to avoid loading all records
+        collection = object.send(to)
+        new_items = [val].flatten.pluck("value").filter_map(&find)
+        new_items.each { |item| collection << item unless collection.include?(item) }
+      end
+
+      def remove_from_association(object, to, find, val)
+        # Use delete operator to avoid loading all records
+        collection = object.send(to)
+        items_to_remove = [val].flatten.pluck("value").filter_map(&find)
+        collection.delete(*items_to_remove)
+      end
+    end
+  end
+end

data/lib/audiences/scim/observer_base.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class ObserverBase < AetherObservatory::ObserverBase
+    end
+  end
+end

data/lib/audiences/scim/patch_groups_observer.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class PatchGroupsObserver < ObserverBase
+      Audiences.config.group_types.each do |group_type|
+        subscribe_to "two_percent.scim.update.#{group_type}"
+      end
+
+      def process
+        Audiences.logger.info "Patching group #{group.display_name} (#{group.scim_id})"
+
+        patch_op.process(group, attributes_mapping)
+
+        group.save!
+
+        propagate_changes_to_users!
+      rescue => e
+        Audiences.logger.error e
+        raise
+      end
+
+    private
+
+      def patch_op = PatchOp.new(event_payload.params)
+
+      def attributes_mapping
+        FieldMapping.new("displayName" => :display_name,
+                         "externalId" => :external_id,
+                         "urn:ietf:params:scim:schemas:extension:authservice:2.0:Group:active" => :active,
+                         "members" => { to: :external_users,
+                                        find: ->(value) { ExternalUser.find_by(user_id: value) } })
+      end
+
+      def group
+        @group ||= Group.find_by!(resource_type: event_payload.resource,
+                                  scim_id: event_payload.id)
+      end
+
+      def propagate_changes_to_users!
+        patch_op.operations.each do |operation|
+          next unless operation.path == "members"
+
+          ExternalUser.where(user_id: operation.value.pluck("value")).find_each do |user|
+            TwoPercent::ReplaceEvent.create(resource: "Users", id: user.scim_id, params: user.as_scim)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/audiences/scim/patch_op.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class PatchOp
+      attr_reader :operations
+
+      def initialize(patch_op)
+        @operations = patch_op["Operations"].flat_map do |operation|
+          derive_operation(operation)
+        end
+      end
+
+      def process(object, operator)
+        @operations.each { _1.process(object, operator) }
+      end
+
+    private
+
+      Operation = Struct.new(:op, :path, :value) do
+        def process(object, operator)
+          raise "Operation #{op} is unknown to #{operator.class}" unless operator.respond_to?(op)
+
+          operator.public_send(op, object, path, value)
+        end
+      end
+
+      def derive_operation(operation)
+        case operation["value"]
+        when Hash
+          operation["value"].flat_map do |key, value|
+            derive_operation("op" => operation["op"],
+                             "path" => [operation["path"], key].compact.join("."),
+                             "value" => value)
+          end
+        else
+          [Operation.new(operation["op"], operation["path"], operation["value"])]
+        end
+      end
+    end
+  end
+end

data/lib/audiences/scim/patch_users_observer.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class PatchUsersObserver < ObserverBase
+      subscribe_to "two_percent.scim.update.Users"
+
+      def process
+        Audiences.logger.info "Patching user #{user.display_name} (#{user.scim_id})"
+
+        process_attributes!
+        process_data!
+
+        user.save!
+      rescue => e
+        Audiences.logger.error e
+        raise
+      end
+
+    private
+
+      def patch_op = PatchOp.new(event_payload.params)
+
+      def process_data! = patch_op.process(user, ScimData.new)
+
+      def process_attributes!
+        patch_op.process user, FieldMapping.new("externalId" => :user_id,
+                                                "displayName" => :display_name,
+                                                "active" => :active,
+                                                "photos" => { to: :picture_urls, find: :itself })
+      end
+
+      def user
+        @user ||= Audiences::ExternalUser.find_by!(scim_id: event_payload.id)
+      end
+    end
+  end
+end

data/lib/audiences/scim/scim_data.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class ScimData
+      def replace(object, key, value) = _replace(object.data || {}, key.split("."), value)
+
+      def add(object, key, val)
+        value = object.data&.dig(*key.split(".")) || []
+        replace(key, [...value, val])
+      end
+
+      def remove(object, key, val)
+        values = object.data&.dig(*key.split(".")) || []
+        to_remove = [val].flatten.pluck("value")
+        replace(key, values&.reject { |value| to_remove.include?(value["value"]) })
+      end
+
+    private
+
+      def _replace(data, key, val)
+        first_key, *rest_keys = key
+        if rest_keys.empty?
+          data[first_key] = val
+        else
+          _replace(data[first_key] ||= {}, rest_keys, val)
+        end
+      end
+    end
+  end
+end

data/lib/audiences/scim/upsert_groups_observer.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class UpsertGroupsObserver < ObserverBase
+      Audiences.config.group_types.each do |group_type|
+        subscribe_to "two_percent.scim.create.#{group_type}"
+        subscribe_to "two_percent.scim.replace.#{group_type}"
+      end
+
+      def process
+        Audiences.logger.info "#{upsert_action} group #{new_display_name} (#{new_external_id})"
+
+        group.update! external_id: new_external_id, display_name: new_display_name, active: new_active
+        Audiences::PersistedResourceEvent.create(resource_type: "Groups", params: event_payload.params)
+      rescue => e
+        Audiences.logger.error e
+        raise
+      end
+
+    private
+
+      def upsert_action = group.persisted? ? "Updating" : "Creating"
+
+      def new_external_id = event_payload.params["externalId"]
+
+      def new_display_name = event_payload.params["displayName"]
+
+      def new_active
+        active = event_payload.params.dig("urn:ietf:params:scim:schemas:extension:authservice:2.0:Group", "active")
+        active.nil? || active
+      end
+
+      def group
+        @group ||= Audiences::Group.where(resource_type: event_payload.resource,
+                                          scim_id: event_payload.params["id"])
+                                   .first_or_initialize
+      end
+    end
+  end
+end

data/lib/audiences/scim/upsert_users_observer.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Audiences
+  module Scim
+    class UpsertUsersObserver < ObserverBase
+      subscribe_to "two_percent.scim.create.Users"
+      subscribe_to "two_percent.scim.replace.Users"
+
+      def process
+        log_upsert_action
+        external_user.update! updated_attributes
+        return unless valid_group_types?
+
+        Audiences::PersistedResourceEvent.create(resource_type: "Users", params: event_payload.params)
+      rescue => e
+        Audiences.logger.error e
+        raise
+      end
+
+    private
+
+      def log_upsert_action
+        Audiences.logger.info "#{upsert_action} user #{event_payload.params['displayName']} (#{scim_id})"
+      end
+
+      def scim_id = event_payload.params["id"]
+
+      def external_user
+        @external_user ||= Audiences::ExternalUser.where(scim_id: scim_id).first_or_initialize
+      end
+
+      def upsert_action = external_user.persisted? ? "Updating" : "Creating"
+
+      def updated_attributes
+        {
+          user_id: event_payload.params["externalId"],
+          display_name: event_payload.params["displayName"],
+          picture_urls: new_picture_urls,
+          data: event_payload.params,
+          groups: new_groups,
+          active: event_payload.params.fetch("active", false),
+        }
+      end
+
+      def new_picture_urls = event_payload.params["photos"]&.pluck("value")
+
+      def new_groups
+        event_payload.params.fetch("groups", []).filter_map do |group|
+          Audiences::Group.find_by(scim_id: group["value"])
+        end
+      end
+
+      def valid_group_types?
+        missing = external_user.missing_group_types
+        return true if missing.empty?
+
+        Audiences.logger.warn "Provisioning event for user #{scim_id} with missing group types: #{missing.join(', ')}"
+        false
+      end
+    end
+  end
+end

data/lib/audiences/scim.rb

@@ -2,20 +2,14 @@
 
 module Audiences
   module Scim
-    autoload :Client, "audiences/scim/client"
-    autoload :Resource, "audiences/scim/resource"
-    autoload :ResourcesQuery, "audiences/scim/resources_query"
-
-  module_function
-
-    def client
-      Client.new(**Audiences.config.scim)
-    end
-
-    def resource(type)
-      Audiences.config.resources.fetch(type) do
-        Resource.new(type: type)
-      end
-    end
+    autoload :ScimData, "audiences/scim/scim_data"
+    autoload :FieldMapping, "audiences/scim/field_mapping"
+    autoload :PatchOp, "audiences/scim/patch_op"
+
+    autoload :ObserverBase, "audiences/scim/observer_base"
+    autoload :PatchGroupsObserver, "audiences/scim/patch_groups_observer"
+    autoload :PatchUsersObserver, "audiences/scim/patch_users_observer"
+    autoload :UpsertGroupsObserver, "audiences/scim/upsert_groups_observer"
+    autoload :UpsertUsersObserver, "audiences/scim/upsert_users_observer"
   end
 end

data/lib/audiences/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Audiences
-  VERSION = "1.6.2"
+  VERSION = "2.0.1"
 end

data/lib/audiences.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "aether_observatory"
+
 # Audiences system
 # Audiences pushes notifications to your rails app when a
 # SCIM backend updates a user, notifying matching audiences.
@@ -17,7 +19,7 @@ module_function
   # Params might contain:
   #
   # match_all: Boolean
-  # criteria: Array<{ <group_type>: Array<Integer> }>
+  # criteria: { groups: Array<{ <group_type>: Array<{ id: Integer }> }> }
   #
   # @param token [String] a signed token (see #sign)
   # @param params [Hash] the updated params
@@ -27,13 +29,11 @@ module_function
     Audiences::Context.load(key) do |context|
       context.update!(
         match_all: match_all,
-        criteria: ::Audiences::Criterion.map(criteria),
-        extra_users: ::Audiences::ExternalUser.fetch(extra_users.pluck("externalId"))
+        extra_users: ::Audiences::ExternalUser.from_scim(*extra_users.map(&:with_indifferent_access)),
+        criteria: ::Audiences::Criterion.map(criteria.map(&:with_indifferent_access))
       )
-      context.refresh_users!
     end
   end
 end
 
 require "audiences/configuration"
-require "audiences/railtie"