cnfs-iam 0.0.1.alpha

data/app/mailers/account_mailer.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+class AccountMailer < Devise::Mailer
+  default template_path: 'user_mailer',
+          from: Settings.smtp.from
+
+  layout 'mailer'
+
+  def confirmation_instructions(resource, devise_token, _opts = {})
+    @resource = resource
+    @devise_token = devise_token
+    @confirmation_url = user_confirmation_url
+
+    mail to: resource.email
+  end
+
+  def reset_password_instructions(resource, devise_token, _opts = {})
+    @resource = resource
+    @devise_token = devise_token
+    @reset_url = user_reset_password_url
+
+    mail to: resource.email
+  end
+
+  def team_welcome(resource, devise_token, _opts = {})
+    @resource = resource
+    @devise_token = devise_token
+    @account_name = Tenant.current_tenant&.alias
+    @reset_url = new_user_password_url
+
+    mail to: resource.email
+  end
+
+  private
+
+  def token
+    # the token here is whatever we get from devise which can be (at present) an
+    # account confirmation token or a password confirmation token
+    Ros::Jwt.new(token: @devise_token,
+                 account_id: Tenant.current_tenant&.alias,
+                 username: @resource.username).encode(:confirmation)
+  end
+
+  def user_confirmation_url
+    account_url :confirm
+  end
+
+  def user_reset_password_url
+    account_url :reset
+  end
+
+  def new_user_password_url
+    account_url :new
+  end
+
+  def account_url(kind)
+    base_url + "/password/#{kind}?#{token_name kind}=#{token}"
+  end
+
+  def token_name(kind)
+    case kind
+    when :confirm
+      'confirmation_token'
+    when :reset, :new
+      'reset_password_token'
+    else
+      raise ArgumentError, "Unknown token type: #{kind}"
+    end
+  end
+
+  def base_url
+    Tenant.current_tenant.properties['base_url'] || 'http://localhost:4200'
+  end
+end

data/app/models/action.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class Action < Iam::ApplicationRecord
+end
+
+# class ReadAction < Action; end

data/app/models/credential.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+class Credential < Iam::ApplicationRecord
+  # NOTE: to manually authenticate a password from the console
+  # credential.authenticate_secret_access_key(secret_access_key_plaintext)
+  # See: https://blog.bigbinary.com/2019/04/23/rails-6-allows-configurable-attribute-name-on-has_secure_password.html
+  has_secure_password :secret_access_key, validations: false
+
+  belongs_to :owner, polymorphic: true
+
+  before_validation :generate_values, on: :create
+
+  # validates :access_key_id, length: { is: 20 }
+
+  def self.access_key_id_to_schema_name(access_key_id)
+    Ros::AccessKey.decode(access_key_id)[:schema_name]
+  end
+
+  def self.validate(access_key_id, secret_access_key)
+    access_key = to_access_key(access_key_id)
+    Apartment::Tenant.switch(access_key[:schema_name]) do
+      return unless (credential = find_by(access_key_id: access_key_id))
+
+      credential.authenticate_secret_access_key(secret_access_key).try(:owner)
+    end
+  end
+
+  def generate_values
+    # TODO: Refactor to get from RequestStore
+    self.access_key_id = Ros::AccessKey.generate(owner)
+    self.secret_access_key = SecureRandom.urlsafe_base64(40)
+  end
+
+  def to_access_key
+    Ros.access_key(access_key_id)
+  end
+
+  def token
+    return unless secret_access_key # only available when the object is just created
+
+    "Basic #{access_key_id}:#{secret_access_key}"
+  end
+
+  def self.urn_id
+    :access_key_id
+  end
+end

data/app/models/group.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class Group < Iam::ApplicationRecord
+  has_many :group_policies, class_name: 'GroupPolicyJoin'
+  has_many :policies, through: :group_policies
+  has_many :actions, through: :policies
+
+  has_many :user_groups
+  has_many :users, through: :user_groups
+  has_many :user_actions, through: :users, source: :actions
+
+  def urn_id
+    "group/#{name}"
+  end
+end

data/app/models/group_policy_join.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class GroupPolicyJoin < Iam::ApplicationRecord
+  belongs_to :group
+  belongs_to :policy
+
+  after_create :add_policy_to_users
+  after_destroy :remove_policy_from_users
+
+  def add_policy_to_users
+    group.users.each do |user|
+      user.attached_policies[policy.name] ||= 0
+      user.attached_policies[policy.name] += 1
+      user.save
+    end
+  end
+
+  def remove_policy_from_users
+    group.users.each do |user|
+      user.attached_policies[policy.name] -= 1
+      user.attached_policies.delete(policy.name) if user.attached_policies[policy.name].zero?
+      user.save
+    end
+  end
+end

data/app/models/iam/application_record.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Iam
+  class ApplicationRecord < ::ApplicationRecord
+    self.abstract_class = true
+  end
+end

data/app/models/policy.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class Policy < Iam::ApplicationRecord
+  has_many :policy_actions
+  has_many :actions, through: :policy_actions
+
+  has_many :user_policy_joins
+  has_many :group_policy_joins
+  has_many :role_policy_joins
+end

data/app/models/policy_action.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class PolicyAction < Iam::ApplicationRecord
+  belongs_to :policy
+  belongs_to :action
+end

data/app/models/public_key.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class PublicKey < Iam::ApplicationRecord
+  belongs_to :user
+
+  after_commit :enqueue
+
+  def enqueue
+    Ros::PlatformEventProcessJob.set(queue: job_queue).perform_later(job_payload.to_json)
+  end
+
+  def job_queue; 'storage_default' end
+
+  def job_payload
+    { operation: 'IamPublicKeyProcess', id: user.id }
+  end
+end

data/app/models/role.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class Role < Iam::ApplicationRecord
+  has_many :role_policies, class_name: 'RolePolicyJoin'
+  has_many :policies, through: :role_policies
+  has_many :actions, through: :policies
+
+  has_many :user_roles
+  has_many :users, through: :user_roles
+  has_many :user_actions, through: :users, source: :actions
+end

data/app/models/role_policy_join.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class RolePolicyJoin < Iam::ApplicationRecord
+  belongs_to :role
+  belongs_to :policy
+end

data/app/models/root.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class Root < Iam::ApplicationRecord
+  has_one :tenant
+  has_many :credentials, as: :owner
+  # has_many :ssh_keys
+
+  def to_urn
+    "#{self.class.urn_base}:#{tenant.account_id}:root/#{id}"
+  end
+
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable
+  #         :jwt_authenticatable, # jwt_revocation_strategy: self
+  #         jwt_revocation_strategy: Devise::JWT::RevocationStrategies::Null
+
+  def jwt_payload
+    @jwt_payload ||= { sub: to_urn, scope: '*' }
+  end
+
+  def current_tenant
+    tenant
+  end
+end

data/app/models/root_credential.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class RootCredential < Credential
+  def current_tenant
+    Tenant.find(tenant_id)
+  end
+end

data/app/models/tenant.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+class Tenant < Iam::ApplicationRecord
+  include Ros::TenantConcern
+
+  belongs_to :root
+
+  before_validation :generate_values, on: :create
+  validate :fixed_values_unchanged_x, if: :persisted?
+
+  # after_commit :create_service_tenants, on: :create
+
+  def enabled?
+    state.eql? 'active'
+  end
+
+  def create_service_tenants
+    Ros::Sdk.configured_services.each do |name, service|
+      next if name.eql? 'iam'
+
+      service::Tenant.create(schema_name: schema_name)
+      # TODO: Log a warning if any call fails
+    end
+  end
+
+  def fixed_values_unchanged_x
+    errors.add(:root_id, 'root_id cannot be changed') if root_id_changed?
+  end
+
+  def generate_values
+    self.state = 'active'
+    self.schema_name ||= rand(100_000_000..999_999_999).to_s.scan(/.{3}/).join('_')
+  end
+end
+
+# after_commit :seed_tenant, on: :create, unless: -> { Rails.env.production? }
+# after_create :seed_tenant #, on: :create, unless: -> { Rails.env.production? }
+
+# def seed_tenant
+#   Action.count
+#   Apartment::Tenant.switch(schema_name) do
+#     service = Service.create(name: 'User')
+#     action = ReadAction.create(service: service, name: 'DescribeUser')
+
+#     # Create a few Policies
+#     policy_admin = Policy.create(name: 'AdministratorAccess')
+#     policy_user_full = Policy.create(name: 'PerxUserFullAccess')
+#     policy_user_read_only = Policy.create(name: 'PerxUserReadOnlyAccess')
+
+#     # Attach the Action to the Admin Policy
+#     policy_admin.actions << action
+
+#     # Create a Group
+#     group_admin = Group.create(name: 'Administrators')
+
+#     # Attach the Admin Policy to the Group
+#     group_admin.policies << policy_admin
+
+#     # Create a User
+#     user_admin = User.create(email: 'admin@example.com', password: 'abc123za')
+
+#     # Assign the User to the Admin Group
+#     group_admin.users << user_admin
+
+#     # Role.create(name: 'PerxServiceRoleForIAM')
+#     # Role.create(name: 'PerxUserReadOnlyAccess')
+#   end
+# end

data/app/models/user.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+class User < Iam::ApplicationRecord
+  has_many :credentials, as: :owner
+  has_many :public_keys
+
+  has_many :user_policies, class_name: 'UserPolicyJoin'
+  has_many :policies, through: :user_policies
+  has_many :actions, through: :policies
+
+  has_many :user_groups, dependent: :delete_all
+  has_many :groups, through: :user_groups
+  has_many :group_policies, through: :groups, source: :policies
+  has_many :group_actions, through: :groups, source: :actions
+
+  has_many :user_roles
+  has_many :roles, through: :user_roles
+  has_many :role_policies, through: :roles, source: :policies
+  has_many :role_actions, through: :roles, source: :actions
+
+  # TODO: we need to support an empty username when an email is provided
+  validates :username, presence: true
+  validates :username, uniqueness: true
+  # store_accessor :permissions, :authorized_policies, :authorized_actions
+
+  # TODO: validate locales inclusion in list and time_zone in available time zones
+  # validates :locale, :time_zone, presence: true
+
+  def self.urn_id
+    :username
+  end
+
+  # We allow users being created without a password so they can choose one
+  # themselves
+  #
+  # Devise calls this
+  def password_required?
+    confirmed?
+  end
+
+  # Devise calls this
+  def password_update!(params)
+    update!(password: params[:password]) if params[:password] == params[:password_confirmation]
+  end
+
+  # Send an email using ActiveJob. This is used for password resets and
+  # when a new users needs to set his initial password
+  #
+  # Devise calls this
+  def send_devise_notification(notification, *args)
+    devise_mailer.send(notification, self, *args).deliver_later
+  end
+
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :database_authenticatable,
+         :confirmable,
+         :recoverable,
+         # :registerable,
+         # :rememberable, :validatable,
+         # :jwt_authenticatable, # jwt_revocation_strategy: self
+         # authentication_keys: [:username],
+         authentication_keys: [:username]
+  # jwt_revocation_strategy: Devise::JWT::RevocationStrategies::Null
+
+  def jwt_payload
+    @jwt_payload ||= { sub: to_urn }
+  end
+end

data/app/models/user_credential.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class UserCredential < Iam::ApplicationRecord
+  belongs_to :user
+  belongs_to :credential
+
+  before_validation :create_credential, unless: :credential
+end

data/app/models/user_group.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class UserGroup < Iam::ApplicationRecord
+  belongs_to :user
+  belongs_to :group
+
+  after_create :add_policies_to_user
+  after_destroy :remove_policies_from_user
+
+  def add_policies_to_user
+    group.policies.each do |policy|
+      user.attached_policies[policy.name] ||= 0
+      user.attached_policies[policy.name] += 1
+    end
+    user.save
+  end
+
+  def remove_policies_from_user
+    group.policies.each do |policy|
+      user.attached_policies[policy.name] -= 1
+      user.attached_policies.delete(policy.name) if user.attached_policies[policy.name].zero?
+    end
+    user.save
+  end
+end