RubyGems - clonk - Versions diffs - 1.0.0 → 2.0.0 - Mend

clonk 1.0.0 → 2.0.0

Files changed (11) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 745227bb1c30916ca73bcb74eb7a6f5b41389e635810b51d04a09dc4fe52d870
-  data.tar.gz: c94c13fed88b877aa0c5c663ed81cdf6df6571e5974399921b0d108836219bfb
+  metadata.gz: 8f8dab272e5def2a4916f0865f6829f47345371716ac09c235e4fdc9411127e7
+  data.tar.gz: f3dbefc497d92a22dd31ea11fd31482fb2b94fdc39b229eec6c902e8995f6faf
 SHA512:
-  metadata.gz: '0813ad9d28ca9d8af7d5fc70c0e8fb40ec0a98068d083b54cb153ae170cdcbb03b95406b962ca8eb820a4f23d2e06d93a8639c42f5690130eb54233b919398e2'
-  data.tar.gz: 2a2393987b54c02da7596651e95587d204d92f9db6b0c54fc2673e738f9bb035fc4d25662641e79dfcbf4595e7fb0b7b32c48c0dfaca771947856d419ffa989e
+  metadata.gz: 703d6fa690a791364af18cc73c2b8eb391147cd3789683139203b5dec7809f1024f0478d82bd06fc673830b3b17d4b7215ff3be3debc7e625b70720505270ad2
+  data.tar.gz: a44c4a23a58c00d0eb43283013a9f4dd8de14900e112b1d779818ca67e86411abf974f200f89c87d45498437ada9aaa41024fe665a122496a5098223170ccf76

data/lib/clonk.rb CHANGED

@@ -2,18 +2,13 @@
 require 'faraday'
 require 'faraday_middleware'
-# require 'dotenv/load'
 require 'json'
-# require 'pp'
-BASE_URL = URI.encode(ENV.fetch('SSO_BASE_URL'))
-USERNAME = ENV.fetch('SSO_USERNAME')
-PASSWORD = ENV.fetch('SSO_PASSWORD')
-REALM = ENV.fetch('SSO_REALM')
+BASE_URL = CGI.escape(ENV.fetch('SSO_BASE_URL'))
+# Keycloak/Red Hat SSO API wrapper
 module Clonk
   class << self
     ##
     # Defines a Faraday::Connection object linked to the SSO instance.
@@ -25,88 +20,6 @@ module Clonk
         faraday.headers['Authorization'] = "Bearer #{token}" if token
       end
     end
-    ##
-    # Returns the admin API root for the realm.
-    def realm_admin_root(realm = REALM)
-      "#{BASE_URL}/auth/admin/realms/#{realm}"
-    end
-    ##
-    # Retrieves a token for the admin user.
-    def admin_token
-      data = {
-        username: USERNAME,
-        password: PASSWORD,
-        grant_type: 'password',
-        client_id: 'admin-cli'
-      }
-      JSON.parse(
-        connection(json: false)
-        .post('/auth/realms/master/protocol/openid-connect/token', data).body
-      )['access_token']
-    end
-    ##
-    # Returns a Faraday::Response for an API call via the given method.
-    # Always uses an admin token.
-    #--
-    # FIXME: Rename protocol to method - more descriptive
-    #++
-    def response(method: :get, path: '/', data: nil, token: admin_token)
-      return unless %i[get post put delete].include?(method)
-      conn = connection(token: token).public_send(method, path, data)
-    end
-    ##
-    # Returns a parsed JSON response for an API call via the given method.
-    # Useful in instances where only the data is necessary, and not
-    # HTTP status confirmation that the desired effect was caused.
-    # Always uses an admin token.
-    #--
-    # FIXME: Rename protocol to method - more descriptive
-    #++
-    def parsed_response(method: :get, path: '/', data: nil, token: admin_token)
-      resp = response(method: method, path: path, data: data, token: token)
-      JSON.parse(resp.body)
-    rescue JSON::ParserError
-      resp.body
-    end
-    ##
-    # Enables permissions for the given object.
-    #--
-    # TODO: Add this method to other models that need it, if any
-    #++
-    def set_permissions(object: nil, type: nil, enabled: true, realm: REALM)
-      parsed_response(
-        method: :put,
-        path: "#{realm_admin_root(realm)}/#{type}s/#{object['id']}/management/permissions",
-        data: { enabled: enabled },
-        token: @token
-      )
-    end
-    ##
-    # Returns the data for the permission with the given ID.
-    #--
-    # TODO: Move this method into Permission
-    #++
-    def get_permission(id: nil, realm: REALM)
-      parsed_response(
-        token: @token,
-        path: "#{client_url(client: @realm_management, realm: realm)}/authz/resource-server/permission/scope/#{id}"
-      )
-    end
   end
 end
@@ -117,3 +30,4 @@ require 'clonk/policy'
 require 'clonk/role'
 require 'clonk/realm'
 require 'clonk/permission'
+require 'clonk/connection'

data/lib/clonk/client.rb CHANGED

@@ -1,150 +1,66 @@
-module Clonk
+# frozen_string_literal: true
+module Clonk
   ##
-  # This class represents a client within SSO. A client allows a user to authenticate against SSO with their credentials.
+  # This class represents a client within SSO. A client allows a user to
+  # authenticate against SSO with their credentials.
   class Client
     attr_accessor :id
     attr_reader :name
-    def initialize(clients_response, realm)
+    def initialize(clients_response)
       @id = clients_response['id']
       @name = clients_response['clientId']
-      @realm = realm
     end
+  end
-    ##
-    # Returns the defaults for some fields. The rest should be defined on a relevant call.
-    def self.defaults
-      {
-        fullScopeAllowed: false
-      }
-    end
-    ##
-    # Creates a client within SSO and returns the created client as a Client.
-    # Note: 'dag' stands for Direct Access Grants
-    def self.create(realm: REALM, name: nil, public_client: true, dag_enabled: true)
-      # TODO: Client with a secret
-      response = Clonk.response(
-        method: :post,
-        path: "#{Clonk.realm_admin_root(realm)}/clients",
-        data: defaults.merge(
-          clientId: name,
-          publicClient: public_client,
-          directAccessGrantsEnabled: dag_enabled
-        )
-      )
-      new_client_id = response.headers[:location].split('/')[-1]
-      new_from_id(new_client_id, realm)
+  # Defines a connection to SSO.
+  class Connection
+    def clients
+      objects(type: 'Client')
     end
-    ##
-    # Gets the config inside SSO for a particular client.
-    # This allows for access to many attributes that Clonk might not directly
-    # handle yet.
-    # You may be able to extend Clonk's functionality by using Clonk.response
-    # or Clonk.parsed_response with routes in the SSO API alongside this data.
-    def self.get_config(id, realm = REALM)
-      Clonk.parsed_response(
-        path: "#{Clonk.realm_admin_root(realm)}/clients/#{id}"
+    def create_client(**data)
+      create_object(
+        type: 'Client',
+        data: { fullScopeAllowed: false }.merge(data)
       )
     end
-    ##
-    # Gets the config inside SSO for this client.
-    def config
-      self.class.get_config(@id, @realm)
-    end
-    ##
-    # Creates a new Client instance from a client that exists in SSO
-    def self.new_from_id(id, realm = REALM)
-      new(get_config(id, realm), realm)
-    end
-    ##
-    # Returns an array of the clients that exist in the given realm.
-    def self.all(realm: REALM)
-      Clonk.parsed_response(
-        path: "#{Clonk.realm_admin_root(realm)}/clients"
-      ).map { |client| new_from_id(client['id'], realm) }
-    end
-    ##
-    # Searches for clients with the given name in the given realm.
-    def self.where(name: nil, realm: REALM)
-      all(realm: realm).select { |client| client.name == name }
-    end
-    ##
-    # Searches for exactly one client with the given name in the given realm.
-    def self.find_by(name: nil, realm: REALM)
-      where(name: name, realm: realm)&.first
-    end
-    ##
-    # Returns the URL that can be used to fetch this client's data from the API.
-    def url
-      "#{Clonk.realm_admin_root(@realm)}/clients/#{@id}"
-    end
     ##
     # Maps the given role into the scope of the client. If a user has that role,
     # it will be visible in tokens given by this client during authentication.
+    # FIXME: Write test!
-    def map_scope(client: nil, role: nil, realm: REALM)
-      Clonk.parsed_response(
+    def map_scope(client:, role:)
+      response(
         method: :post,
-        data: [role.config],
-        path: "#{url}/scope-mappings/clients/#{client.id}"
+        data: [config(role)],
+        path: "#{url_for(client)}/scope-mappings/clients/#{role.container_id}"
       )
     end
-    ##
-    # Creates a role within this client.
-    # it will be visible in tokens given by this client during authentication,
-    # as it is already in scope.
-    def create_role(realm: REALM, name: nil, description: nil, scope_param_required: false)
-      # TODO: Create realm roles
-      response = Clonk.response(method: :post,
-                      path: "#{url}/roles",
-                      data: {
-                        name: name,
-                        description: description,
-                        scopeParamRequired: scope_param_required
-                      })
-      Role.find_by(name: name, client: self)
-    end
     ##
     # Lists the client's permission IDs, if permissions are enabled.
     # These will be returned as either a boolean (false) if disabled,
     # or a hash of permission types and IDs.
+    # FIXME: Move to RHSSO so that permissions can actually be used!
+    # FIXME: Write test!
-    def permissions
-      Clonk.parsed_response(
-        path: "#{url}/management/permissions"
+    def permissions(client:)
+      parsed_response(
+        path: "#{url_for(client)}/management/permissions"
       )['scopePermissions'] || false
     end
     ##
-    # Enables or disables permissions for a client
+    # Enables or disables permissions for some object
+    # FIXME: Write test!
-    def set_permissions(enabled: true)
-      Clonk.parsed_response(
+    def set_permissions(object:, enabled: true)
+      parsed_response(
         method: :put,
-        path: "#{url}/management/permissions",
+        path: "#{url_for(object)}/management/permissions",
         data: {
           enabled: enabled
         }
@@ -153,18 +69,12 @@ module Clonk
     ##
     # Returns the client's secret
+    # FIXME: Write test!
-    def secret
-      Clonk.parsed_response(
-        path: "#{url}/client-secret"
+    def secret(client:)
+      parsed_response(
+        path: "#{url_for(client)}/client-secret"
       )['value']
     end
-    def delete
-      Clonk.response(
-        method: :delete,
-        path: url
-      )
-    end
   end
-end
+end

data/lib/clonk/connection.rb ADDED

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+require_relative 'client'
+module Clonk
+  ##
+  # Defines a connection to SSO.
+  class Connection
+    attr_writer :realm
+    def initialize(base_url:, realm_id:, username:, password:, client_id: nil)
+      @base_url = base_url
+      @client_id = client_id
+      initial_access_token(
+        username: username, password: password, realm_id: realm_id,
+        client_id: client_id
+      )
+      @realm = create_instance_of(
+        'Realm', parsed_response(path: "/auth/realms/#{realm_id}")
+      )
+    end
+    # Methods common to most/all kinds of objects in SSO
+    ####################################################
+    ##
+    # Creates an object and returns an instance of it in SSO. Wrapped for each
+    # type.
+    def create_object(
+      type:, path: "/#{type.downcase}s", root: realm_admin_root, data: {}
+    )
+      creation_response = response(
+        method: :post, path: root + path, data: data
+      )
+      create_instance_of(
+        type,
+        parsed_response(
+          path: creation_response.headers[:location]
+        )
+      )
+    end
+    ##
+    # Returns all objects in the realm of that type. Wrapped for each type.
+    def objects(type:, path: "/#{type.downcase}s", root: realm_admin_root)
+      parsed_response(path: root + path).map do |object_response|
+        create_instance_of(type, object_response)
+      end
+    end
+    def create_instance_of(class_name, response)
+      Object.const_get('Clonk').const_get(class_name).new(response) || response
+    end
+    def delete(object)
+      response(path: url_for(object), method: :delete)
+    end
+    ##
+    # Returns the config in SSO for an object.
+    def config(object)
+      class_name = object.class.name.split('::').last.downcase + 's'
+      class_name = 'roles-by-id' if class_name == 'roles'
+      route = realm_admin_root + "/#{class_name}/#{object.id}"
+      parsed_response(path: route)
+    end
+    ##
+    # Map a role to another object.
+    # Common to groups and users
+    def map_role(role:, target:)
+      client_path = case role.container_id
+                    when @realm
+                      'realm'
+                    else
+                      "clients/#{role.container_id}"
+                    end
+      parsed_response(
+        method: :post, data: [config(role)],
+        path: "#{url_for(target)}/role-mappings/#{client_path}"
+      )
+    end
+    # Connection detail
+    ####################
+    ##
+    # Retrieves an initial access token for the user in the given realm.
+    def initial_access_token(
+      username: @username, password: @password, client_id: @client_id,
+      realm_id: @realm.name
+    )
+      @access_token = parsed_response(
+        method: :post,
+        path: "/auth/realms/#{realm_id}/protocol/openid-connect/token",
+        connection_params: { json: false, raise_error: true },
+        data: {
+          username: username, password: password, grant_type: 'password',
+          client_id: client_id
+        }
+      )['access_token']
+    end
+    ##
+    # Defines a Faraday::Connection object linked to the SSO instance.
+    def connection(raise_error: true, json: true, token: @access_token)
+      Faraday.new(url: @base_url) do |faraday|
+        faraday.request(json ? :json : :url_encoded)
+        faraday.use Faraday::Response::RaiseError if raise_error
+        faraday.adapter Faraday.default_adapter
+        faraday.headers['Authorization'] = "Bearer #{token}" unless token.nil?
+      end
+    end
+    ##
+    # Returns a Faraday::Response for an API call via the given method.
+    def response(method: :get, path: '/', data: nil, connection_params: {})
+      return unless %i[get post put delete].include?(method)
+      connection(connection_params).public_send(method, path, data)
+    end
+    ##
+    # Returns a parsed JSON response for an API call via the given method.
+    # Useful in instances where only the data is necessary, and not
+    # HTTP status confirmation that the desired effect was caused.
+    def parsed_response(
+      method: :get, path: '/', data: nil, connection_params: {}
+    )
+      resp = response(
+        method: method, path: path, data: data,
+        connection_params: connection_params
+      )
+      JSON.parse(resp.body)
+    rescue JSON::ParserError
+      resp.body
+    end
+    ##
+    # Returns the admin API root for the realm.
+    def realm_admin_root(realm = @realm)
+      "#{@base_url}/auth/admin/realms/#{realm&.name}"
+    end
+    ##
+    # Returns the URL for the given object.
+    # Argument is necessary as permissions are sometimes treated as policies
+    # within SSO for some reason, especially when fetching scopes, resources and
+    # policies.
+    # FIXME: Does not work with realms - realm_admin_root does, though.
+    def url_for(target, prefix: 'permision/scope')
+      class_name = target.class.name.split('::').last.downcase
+      url_for_permission(target, prefix: prefix) if class_name == 'permission'
+      "#{realm_admin_root}/#{class_name}s/#{target.id}"
+    end
+    def url_for_permission(permission, prefix: 'permission/scope')
+      client_url = url_for(
+        clients.find { |client| client.name == 'realm-management' }
+      )
+      "#{client_url}/authz/resource-server/#{prefix}/#{permission.id}"
+    end
+  end
+end

data/lib/clonk/group.rb CHANGED

@@ -1,136 +1,60 @@
 # frozen_string_literal: true
 module Clonk
+  # Represents a group or subgroup within SSO.
   class Group
     attr_accessor :id
     attr_reader :name
-    def initialize(group_response, realm = REALM)
+    def initialize(group_response)
       @name = group_response['name']
       @id = group_response['id']
-      @realm = realm
-    end
-    # Gets config inside SSO for group with ID in realm
-    def self.get_config(id, realm = REALM)
-      Clonk.parsed_response(
-        path: "#{Clonk.realm_admin_root(realm)}/groups/#{id}"
-      )
-    end
-    def config
-      self.class.get_config(@id, @realm)
-    end
-    # Creates a new Group instance from a group that exists in SSO
-    def self.new_from_id(id, realm = REALM)
-      new(get_config(id, realm), realm)
-    end
-    # Creates a new group in SSO and casts it to an instance
-    def self.create(name: nil, realm: REALM)
-      new_group = new({ 'name' => name }, realm)
-      response = new_group.save(realm)
-      new_group.id = response.headers[:location].split('/')[-1]
-      new_group
-    end
-    def save(realm = REALM)
-      if @id
-        Clonk.parsed_response(
-          method: :put,
-          path: "#{Clonk.realm_admin_root(@realm)}/groups/#{@id}",
-          data: config.merge('name' => @name)
-        )
-      else
-        Clonk.response(
-          method: :post,
-          path: "#{Clonk.realm_admin_root(realm)}/groups",
-          data: { name: @name }
-        )
-      end
-    end
-    def create_subgroup(name: nil)
-      response = Clonk.parsed_response(
-        method: :post,
-        path: "#{url}/children",
-        data: { name: name }
-      )
-      self.class.new_from_id(response['id'], @realm)
     end
+  end
-    def subgroups
-      config["subGroups"].map { |group| self.class.new_from_id(group['id'], @realm) }
-    end
+  # Defines a connection to SSO.
+  class Connection
+    # Lists groups in the realm.
+    def groups(user: nil)
+      return objects(type: 'Group') unless user
-    def self.all(realm: REALM, flattened: false)
-      response = Clonk.parsed_response(
-        method: :get,
-        path: "#{Clonk.realm_admin_root(realm)}/groups",
-      )
-      response += response.map { |group| group['subGroups'] } if flattened
-      response.flatten
-              .map { |group| new_from_id(group['id'], realm) }
+      objects(type: 'Group', path: "/users/#{user.id}/groups")
     end
-    def self.where(name: nil, realm: REALM)
-      all(flattened: true, realm: realm)
-        .select { |group| group['name'] == name }
-        .map { |group| new_from_id(group['id'], realm) }
-    end
+    # Lists subgroups of a given group.
+    def subgroups(group)
+      subgroups = config(group)['subGroups']
+      return [] if subgroups.nil?
-    def self.find_by(name: nil, realm: REALM)
-      where(name: name, realm: realm)&.first
+      subgroups.map { |subgroup| create_instance_of('Group', subgroup) }
     end
-    def self.find(id: nil, realm: REALM)
-      if all.find { |group| group['id'] == id }
-        new_from_id(id, realm)
-      end
-    end
+    # Creates a group in SSO and returns its representation as a Clonk::Group.
+    def create_group(**data)
+      return if data[:name].nil? # Breaks things in SSO!
-    def url
-      "#{Clonk.realm_admin_root(@realm)}/groups/#{@id}"
+      create_object(type: 'Group', data: data)
     end
-    def map_role(role: nil)
-      client_path = role.container_id == @realm ? 'realm' : "clients/#{role.container_id}"
-      response = Clonk.parsed_response(
-        method: :post,
-        data: [role.config],
-        path: "#{url}/role-mappings/#{client_path}"
+    # Creates a subgroup in SSO and returns its representation as a
+    # Clonk::Group.
+    def create_subgroup(group:, **data)
+      create_object(
+        type: 'Group', path: "/groups/#{group.id}/children", data: data
       )
     end
-    def add_user(user: nil, realm: REALM)
-      Clonk.parsed_response(
+    # Adds a user to a group.
+    def add_to_group(user:, group:)
+      response(
         method: :put,
-        path: "#{user.url}/groups/#{@id}",
+        path: "#{realm_admin_root}/users/#{user.id}/groups/#{group.id}",
         data: {
-          groupId: @id,
           userId: user.id,
-          realm: @realm
-        }
-      )
-    end
-    def set_permissions(enabled: true)
-      Clonk.parsed_response(
-        method: :put,
-        path: "#{url}/management/permissions",
-        data: {
-          enabled: enabled
+          groupId: group.id,
+          realm: @realm.name
         }
       )
     end
-    def delete
-      Clonk.response(
-        method: :delete,
-        path: url
-      )
-    end
   end
 end

data/lib/clonk/permission.rb CHANGED

@@ -1,82 +1,61 @@
+# frozen_string_literal: true
 module Clonk
   class Permission
     def initialize(permission_response, realm)
       @id = permission_response['id']
       @realm = realm
     end
+  end
-    ##
-    # Returns the API URL for this permission.
-    # Argument is necessary as permissions are sometimes treated as policies
-    # within SSO for some reason, especially when fetching scopes, resources and
-    # policies.
-    def url(prefix: 'permission/scope')
-      client_url = Clonk::Client.find_by(realm: @realm, name: 'realm-management').url
-      "#{client_url}/authz/resource-server/#{prefix}/#{@id}"
-    end
-    ##
-    # Creates a new Permission instance from a given permission ID and realm.
-    def self.new_from_id(id: nil, realm: REALM)
-      client_url = Clonk::Client.find_by(realm: realm, name: 'realm-management').url
-      response = Clonk.parsed_response(
-        path: "#{client_url}/authz/resource-server/permission/scope/#{id}"
-      )
-      new(response, realm)
+  # Defines a connection to SSO.
+  class Connection
+    def permissions
+      clients.find { |client| client.name == 'realm-management' }
     end
     ##
-    # Returns the config within SSO for this permission.
-    def config
-      Clonk.parsed_response(
-        path: "#{url}"
+    # Returns the policy IDs associated with a permission.
+    # FIXME: untested!
+    def policies(permission)
+      parsed_response(
+        path: "#{url_for(permission, prefix: 'policy')}/associatedPolicies"
       )
     end
-    ##
-    # Returns the policy IDs associated with this permission.
-    def policies
-      Clonk.parsed_response(
-        path: "#{url(prefix: 'policy')}/associatedPolicies"
-      ).map { |policy| policy['id'] }
-    end
     ##
     # Returns the resource IDs associated with this permission.
-    def resources
-      Clonk.parsed_response(
-        path: "#{url(prefix: 'policy')}/resources"
-      ).map { |resource| resource['_id'] }
+    # FIXME: untested!
+    def resources(permission)
+      parsed_response(
+        path: "#{url_for(permission, prefix: 'policy')}/resources"
+      )
     end
     ##
     # Returns the scope IDs associated with this permission.
-    def scopes
-      Clonk.parsed_response(
-        path: "#{url(prefix: 'policy')}/scopes"
-      ).map { |scope| scope['id'] }
+    # FIXME: untested
+    def scopes(permission)
+      parsed_response(
+        path: "#{url_for(permission, prefix: 'policy')}/scopes"
+      )
     end
     ##
     # Adds the given policy/resource/scope IDs to this permission in SSO.
-    def update(policies: [], resources: [], scopes: [])
-      data = config.merge(
-        policies: self.policies + policies,
-        resources: self.resources + resources,
-        scopes: self.scopes + scopes
-       )
-      Clonk.parsed_response(
-        path: url,
+    # FIXME: untested
+    def update_permission(
+      permission:, policies: [], resources: [], scopes: []
+    )
+      data = config(permission).merge(
+        policies: policies(permission) + policies,
+        resources: resources(permission) + resources,
+        scopes: scopes(permission) + scopes
+      )
+      parsed_response(
+        path: url_for(permission),
         data: data,
         method: :put
       )
     end
   end
-end
+end

data/lib/clonk/policy.rb CHANGED

@@ -1,6 +1,7 @@
+# frozen_string_literal: true
 module Clonk
   class Policy
     attr_accessor :id
     attr_reader :name
@@ -12,6 +13,7 @@ module Clonk
     ##
     # Gets config inside SSO for policy with ID in realm.
+    # FIXME: move to connection class
     def self.get_config(id, realm = REALM)
       Clonk.parsed_response(
@@ -19,15 +21,9 @@ module Clonk
       )
     end
-    ##
-    # Gets config inside SSO for policy.
-    def config
-      self.class.get_config(@id, @realm)
-    end
     ##
     # Creates a new Policy instance from a policy that exists in SSO
+    # FIXME: move to connection class
     def self.new_from_id(id, realm = REALM)
       new(get_config(id, realm), realm)
@@ -37,6 +33,7 @@ module Clonk
     # Returns defaults for a policy.
     # I've found no reason to override these, but then again, I'm not 100% sure
     # how they work. Overrides will be added to necessary methods if requested.
+    # FIXME: move to connection class
     def self.defaults
       {
@@ -51,6 +48,7 @@ module Clonk
     #--
     # TODO: Expand to allow for other policy types
     # TODO: Don't assume role as default type
+    # FIXME: move to connection class
     #++
     def self.define(type: :role, name: nil, objects: [], description: nil, groups_claim: nil)
@@ -60,16 +58,17 @@ module Clonk
         roles: (objects.map { |role| { id: role.id, required: true } } if type == :role),
         groups: (objects.map { |group| { id: group.id, extendChildren: false } } if type == :group),
         groupsClaim: (groups_claim if type == :group),
-        clients: (objects.map { |client| client.id } if type == :client),
+        clients: (objects.map(&:id) if type == :client),
         description: description
-      ).delete_if { |k,v| v.nil?}
+      ).delete_if { |_k, v| v.nil? }
     end
     ##
     # Defines and creates a policy in SSO.
+    # FIXME: move to connection class
     def self.create(type: :role, name: nil, objects: [], description: nil, groups_claim: nil, realm: REALM)
-      data = self.define(type: type, name: name, objects: objects, description: description, groups_claim: groups_claim)
+      data = define(type: type, name: name, objects: objects, description: description, groups_claim: groups_claim)
       realm_management_url = Clonk::Client.find_by(name: 'realm-management', realm: realm).url
       Clonk.parsed_response(
         method: :post,
@@ -78,4 +77,4 @@ module Clonk
       )
     end
   end
-end
+end

data/lib/clonk/realm.rb CHANGED

@@ -1,52 +1,30 @@
+# frozen_string_literal: true
 module Clonk
+  # Represents a realm within SSO.
   class Realm
-    def initialize(realm_response)
-      @name = realm_response['id']
-    end
-    ##
-    # Creates a realm with the given name, returning it as a Realm object
-    def self.create(name: nil)
-      Clonk.parsed_response(
-        method: :post,
-        path: '/auth/admin/realms',
-        data: { id: name, realm: name, enabled: true }
-      )
-      new_from_id(id: name)
-    end
+    attr_reader :name
-    ##
-    # Returns all realms in this instance of SSO.
-    def self.all
-      Clonk.parsed_response(
-        path: '/auth/admin/realms'
-      ).map { |realm| new_from_id(id: realm['id'])}
+    def initialize(realm_response)
+      @name = realm_response['realm'] || realm_response['id']
     end
+  end
-    ##
-    # Returns the realm with the given name.
-    def self.find_by(name: nil)
-      Clonk.parsed_response(
-        path: "/auth/admin/realms/#{name}"
-      )
+  # Defines a connection to SSO.
+  class Connection
+    # Lists all realms in SSO.
+    def realms
+      objects(type: 'Realm', path: '', root: realm_admin_root(nil))
     end
-    ##
-    # Gets the config for this realm in SSO.
-    def config
-      Clonk.parsed_response(
-        path: "/auth/admin/realms/#{@name}"
+    # Creates a new realm with the given data.
+    def create_realm(**data)
+      create_object(
+        type: 'Realm',
+        path: '',
+        root: realm_admin_root(nil),
+        data: { enabled: true, id: data['realm'] }.merge(data)
       )
     end
-    ##
-    # Creates a new Realm object from a given realm ID.
-    def self.new_from_id(id: nil)
-      new(find_by(name: id))
-    end
   end
 end

data/lib/clonk/role.rb CHANGED

@@ -1,74 +1,32 @@
+# frozen_string_literal: true
 module Clonk
+  # Represents a role within SSO.
   class Role
     attr_accessor :id
     attr_accessor :container_id
     attr_reader :name
-    def initialize(role_response, realm)
+    def initialize(role_response)
       @id = role_response['id']
-      @realm = realm
       @container_id = role_response['containerId']
       @name = role_response['name']
     end
+  end
-    ##
-    # Returns all roles for the given client. Can also return all roles
-    # applicable to a specific target object.
-    #--
-    # FIXME: target_type should really be inherited from classname of incoming
-    # object
-    #++
-    def self.all(client: nil, target: nil, target_type: nil, realm: REALM)
-      # need this to work with realms too
-      case target
-      when nil
-        path = "#{Clonk.realm_admin_root(realm)}/clients/#{client.id}/roles"
-      else
-        path = "#{Clonk.realm_admin_root(realm)}/#{target_type}s/#{target.id}/role-mappings/clients/#{client.id}/available"
-      end
-      Clonk.parsed_response(
-        path: path
-      ).map { |role| new_from_id(role['id'], realm) }
-    end
-    ##
-    # Returns all roles with the given name.
-    def self.where(client: nil, target: nil, target_type: nil, realm: REALM, name: nil)
-      all(client: client, target: target, target_type: target_type, realm: realm)
-        .select { |role| role.name == name }
-    end
-    ##
-    # Returns the first role with the given name.
-    def self.find_by(client: nil, target: nil, target_type: nil, realm: REALM, name: nil)
-      where(client: client, target: target, target_type: target_type, realm: realm, name: name)&.first
-    end
-    ##
-    # Gets config inside SSO for role with ID in realm
-    def self.get_config(id, realm = REALM)
-      Clonk.parsed_response(
-        path: "#{Clonk.realm_admin_root(realm)}/roles-by-id/#{id}"
-      )
-    end
-    ##
-    # Gets config inside SSO for this role
-    def config
-      self.class.get_config(@id, @realm)
+  # Defines a connection to SSO.
+  class Connection
+    def roles(client:)
+      objects(type: 'Role', root: url_for(client))
     end
     ##
-    # Creates a new Role instance from a role that exists in SSO
+    # Creates a role within the given client.
+    # it will be visible in tokens given by this client during authentication,
+    # as it is already in scope.
-    def self.new_from_id(id, realm = REALM)
-      new(get_config(id, realm), realm)
+    def create_role(client:, **data)
+      create_object(type: 'Role', root: url_for(client), data: data)
     end
   end
-end
+end

data/lib/clonk/user.rb CHANGED

@@ -1,114 +1,41 @@
+# frozen_string_literal: true
 module Clonk
+  ##
+  # Represents a user in SSO.
   class User
     attr_accessor :id
     attr_reader :username
-    def initialize(user_response, realm)
+    def initialize(user_response)
       @username = user_response['username']
       @id = user_response['id']
-      @realm = realm
-    end
-    ##
-    # Gets config inside SSO for user with ID in realm
-    def self.get_config(id, realm = REALM)
-      Clonk.parsed_response(
-        path: "#{Clonk.realm_admin_root(realm)}/users/#{id}"
-      )
-    end
-    ##
-    # Gets config inside SSO for this user
-    def config
-      self.class.get_config(@id, @realm)
     end
+  end
-    ##
-    # Creates a new User instance from a user that exists in SSO
-    def self.new_from_id(id, realm = REALM)
-      new(get_config(id, realm), realm)
-    end
-    ##
-    # Creates a user in SSO, returning a User instance with their ID and
-    # username
-    def self.create(realm: REALM, username: nil, enabled: true)
-      response = Clonk.response(method: :post,
-                      path: "#{Clonk.realm_admin_root(realm)}/users",
-                      data: { username: username, enabled: enabled }
-                      )
-      self.new_from_id(response.headers[:location].split('/')[-1], realm)
-    end
-    ##
-    # Returns all users in the given realm
-    def self.all(realm: REALM)
-      Clonk.parsed_response(
-        path: "#{Clonk.realm_admin_root(realm)}/users"
-      ).map { |user| new_from_id(user['id'], realm) }
-    end
-    ##
-    # Returns all users in the given realm with the given username
-    def self.where(username: nil, realm: REALM)
-      all(realm: realm).select { |user| user.username == username }
-    end
-    ##
-    # returns a user in the given realm with the given username
-    def self.find_by(username: nil, realm: REALM)
-      where(username: username, realm: realm)&.first
-    end
-    ##
-    # Returns the API URL from which the user is accessible.
-    def url
-      "#{Clonk.realm_admin_root(@realm)}/users/#{@id}"
+  # Defines a connection to SSO.
+  class Connection
+    # Lists all users in the realm.
+    def users
+      objects(type: 'User')
     end
-    ##
-    # Maps a role to a user.
-    def map_role(role: nil)
-      client_path = role.container_id == @realm ? 'realm' : "clients/#{role.container_id}"
-      response = Clonk.parsed_response(
-        method: :post,
-        data: [role.config],
-        path: "#{url}/role-mappings/#{client_path}"
-      )
+    # Creates a new user in SSO and returns its representation as a Clonk::User.
+    def create_user(**data)
+      create_object(type: 'User', data: { enabled: true }.merge(data))
     end
-    ##
-    # Sets the user's password.
-    #--
-    # FIXME: Currently always a permanent password Make that temporary flag do things.
-    #++
-    def set_password(password: nil, temporary: false)
-      Clonk.parsed_response(
+    # Sets the password for a user.
+    def set_password_for(user:, password: nil, temporary: false)
+      response(
         method: :put,
         data: {
           type: 'password',
           value: password,
-          temporary: false
+          temporary: temporary
         },
-        path: "#{url}/reset-password"
-      )
-    end
-    def delete
-      Clonk.response(
-        method: :delete,
-        path: url
+        path: "#{url_for(user)}/reset-password"
       )
     end
   end
-end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clonk
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Simon Fish
@@ -60,6 +60,7 @@ extra_rdoc_files: []
 files:
 - lib/clonk.rb
 - lib/clonk/client.rb
+- lib/clonk/connection.rb
 - lib/clonk/group.rb
 - lib/clonk/permission.rb
 - lib/clonk/policy.rb