cnfs-iam 0.0.1.alpha

data/app/models/user_policy_join.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class UserPolicyJoin < ApplicationRecord
+  belongs_to :user
+  belongs_to :policy
+
+  after_create :add_policy_to_user
+  after_destroy :remove_policy_from_user
+
+  def add_policy_to_user
+    user.attached_policies[policy.name] ||= 0
+    user.attached_policies[policy.name] += 1
+    user.save
+  end
+
+  def remove_policy_from_user
+    user.attached_policies[policy.name] -= 1
+    user.attached_policies.delete(policy.name) if user.attached_policies[policy.name].zero?
+    user.save
+  end
+end

data/app/models/user_role.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class UserRole < Iam::ApplicationRecord
+  belongs_to :user
+  belongs_to :role
+end

data/app/operations/blackcomb_user_create.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+class BlackcombUserCreate < Ros::ActivityBase
+  step :valdidate_root_owner
+  failed :invalid_user, Output(:success) => End(:failure)
+  step :switch_tenant
+  failed :invalid_schema, Output(:success) => End(:failure)
+  step :create_or_find_blackcomb_user
+  failed :failed_to_create_user
+
+  private
+
+  def valdidate_root_owner(_ctx, params:, **)
+    Apartment::Tenant.current == 'public' && params[:current_user].root?
+  end
+
+  def invalid_user(_ctx, errors:, **)
+    errors.add(:user, 'Not a owner root')
+  end
+
+  def switch_tenant(_ctx, params:, **)
+    tenant = Tenant.find_by_schema_or_alias(params[:account_id])
+    return false unless tenant
+
+    tenant.switch!
+    true
+  end
+
+  def invalid_schema(_ctx, errors:, **)
+    errors.add(:account_id, 'Invalid account id')
+  end
+
+  def create_or_find_blackcomb_user(ctx, **)
+    ctx[:model] = User.find_or_initialize_by(username: 'blackcomb')
+
+    return true if ctx[:model].persisted?
+
+    password = SecureRandom.hex
+    ctx[:model].update(password: password, password_confirmation: password,
+                       confirmed_at: Time.zone.today, attached_policies: { AdministratorAccess: 1 })
+    ctx[:model].save
+  end
+
+  def failed_to_create_user(ctx, model:, **)
+    ctx[:errors] = model.errors
+  end
+end

data/app/operations/user_create.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class UserCreate < Ros::ActivityBase
+  step :check_permission
+  failed :not_permitted, Output(:success) => End(:failure)
+  step :init
+  step :initialize_user
+  step :skip_confirmation_notification
+  step :generate_reset_passowrd_token
+  step :save__model, Output(:failure) => End(:failure)
+  step :create_relationships
+  step :send_welcome_email
+
+  private
+
+  def check_permission(_ctx, user:, **)
+    UserPolicy.new(user, User.new).create?
+  end
+
+  def not_permitted(_ctx, errors:, **)
+    errors.add(:user, 'not permitted to create a user')
+  end
+
+  def init(ctx, params:, **)
+    ctx[:relationships] = params.delete(:relationships)
+    true
+  end
+
+  def initialize_user(ctx, params:, **)
+    ctx[:model] = User.new(params)
+  end
+
+  def skip_confirmation_notification(_ctx, model:, **)
+    model.skip_confirmation_notification!
+  end
+
+  def generate_reset_passowrd_token(ctx, model:, **)
+    ctx[:reset_password_token], enc = Devise.token_generator.generate(model.class, :reset_password_token)
+
+    model.reset_password_token   = enc
+    model.reset_password_sent_at = Time.now.utc
+  end
+
+  def create_relationships(_ctx, model:, relationships:, **)
+    return true if relationships&.dig(:groups, :data).blank?
+
+    model.groups << Group.where(id: relationships[:groups][:data].pluck(:id)).all
+  end
+
+  def send_welcome_email(_ctx, model:, reset_password_token:, **)
+    AccountMailer.team_welcome(model, reset_password_token).deliver_later
+  end
+end

data/app/policies/action_policy.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+class ActionPolicy < Iam::ApplicationPolicy; end

data/app/policies/credential_policy.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+class CredentialPolicy < Iam::ApplicationPolicy; end

data/app/policies/group_policy.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+class GroupPolicy < Iam::ApplicationPolicy; end

data/app/policies/iam/application_policy.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module Iam
+  class ApplicationPolicy < ::ApplicationPolicy
+  end
+end

data/app/policies/policy_policy.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+class PolicyPolicy < Iam::ApplicationPolicy; end

data/app/policies/public_key_policy.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class PublicKeyPolicy < Iam::ApplicationPolicy
+end

data/app/policies/root_policy.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+class RootPolicy < Iam::ApplicationPolicy; end

data/app/policies/tenant_policy.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class TenantPolicy < Iam::ApplicationPolicy
+  include Ros::TenantPolicyConcern
+end

data/app/policies/user_policy.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class UserPolicy < Iam::ApplicationPolicy
+  # def index?
+  #   user.action_permitted?(requested_action(__method__))
+  #   # user.admin? || !record.published?
+  # end
+
+  # def self.zactions
+  #   {
+  #     Write: [
+  #       'AddUserToGroup'
+  #     ]
+  #   }
+  # end
+
+  # def update?
+  #   super
+  #   # does current_user have permission 'UpdateUser'
+  # end
+
+  # NOTE: Iam is a class in the api-client as are all namespaced models
+  # requested_action = Iam::Service.find_by(name: 'User').actions.find_by(name: 'DescribeUser')
+  # NOTE: The result should be cached as this value will not change frequently
+  # NOTE: There should be a way to break the cache in case the value does change
+  # def requested_action(method_name)
+  #   Service.find_by(name: service_name).actions.find_by(name: action_name(method_name))
+  # end
+
+  # def action_name(method_name)
+  #   method_map[method_name] + service_name
+  # end
+end

data/app/resources/action_resource.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class ActionResource < Iam::ApplicationResource
+  # caching
+  attributes :name, :resource, :action_type
+
+  def action_type
+    @model.type
+  end
+end
+
+# class ListActionResource < ActionResource; end
+
+# class ReadActionResource < ActionResource; end
+
+# class WriteActionResource < ActionResource; end

data/app/resources/credential_resource.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class CredentialResource < Iam::ApplicationResource
+  attributes :access_key_id, :owner_type, :owner_id, :secret_access_key
+
+  filter :access_key_id
+
+  def self.descriptions
+    {
+      access_key_id: 'The access key'
+    }
+  end
+end

data/app/resources/group_resource.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class GroupResource < Iam::ApplicationResource
+  attributes :name
+  has_many :users
+
+  filter :name
+end

data/app/resources/iam/application_resource.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Iam
+  class ApplicationResource < ::ApplicationResource
+    abstract
+  end
+end

data/app/resources/policy_resource.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class PolicyResource < Iam::ApplicationResource
+  # caching
+  attributes :name
+  filter :name
+
+  has_many :actions
+end

data/app/resources/public_key_resource.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class PublicKeyResource < Iam::ApplicationResource
+  attributes :content, :user_id
+  has_one :user
+end

data/app/resources/root_resource.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class RootResource < Iam::ApplicationResource
+  attributes :email, :jwt_payload
+  attributes :attached_policies, :attached_actions
+
+  has_many :credentials
+
+  filter :email
+
+  def attached_policies; {} end
+
+  def attached_actions; {} end
+end

data/app/resources/tenant_resource.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class TenantResource < Iam::ApplicationResource
+  attributes :account_id, :root_id, :alias, :name, :display_properties # :locale
+
+  filter :schema_name
+
+  def self.descriptions
+    {
+      schema_name: 'The name of the <h1>Schema</h1>'
+    }
+  end
+
+  def self.updatable_fields(context)
+    super - [:root_id]
+  end
+
+  def self.creatable_fields(context)
+    super - [:root_id]
+  end
+end

data/app/resources/user_resource.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class UserResource < Iam::ApplicationResource
+  attributes :username, :api, :console, :time_zone, :properties,
+             :display_properties, :jwt_payload, :attached_policies,
+             :attached_actions, :email, :password, :password_confirmation, :unconfirmed_email
+
+  has_many :groups
+  has_many :credentials
+  has_many :public_keys
+
+  filters :username, :groups
+
+  def fetchable_fields
+    super - %i[password password_confirmation]
+  end
+
+  def self.creatable_fields(context)
+    super - %i[attached_policies attached_actions jwt_payload]
+  end
+
+  def self.updatable_fields(context)
+    super - %i[attached_policies attached_actions jwt_payload]
+  end
+end

data/app/views/layouts/mailer.html.erb

@@ -0,0 +1,4 @@
+<html>
+  <head></head>
+  <body><%= yield %></body>
+</html>

data/app/views/user_mailer/confirmation_instructions.html.erb

@@ -0,0 +1,5 @@
+<p>Welcome <%= @resource.email %>!</p>
+
+<p>You can confirm your account email through the link below:</p>
+
+<p> <%= link_to 'Confirm my account', @confirmation_url %> </p>

data/app/views/user_mailer/email_changed.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @email %>!</p>
+
+<% if @resource.try(:unconfirmed_email?) %>
+  <p>We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.</p>
+<% else %>
+  <p>We're contacting you to notify you that your email has been changed to <%= @resource.email %>.</p>
+<% end %>

data/app/views/user_mailer/password_change.html.erb

@@ -0,0 +1,3 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

data/app/views/user_mailer/reset_password_instructions.html.erb

@@ -0,0 +1,106 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+
+  <title>PERX Reset Password</title>
+
+  <link href="https://fonts.googleapis.com/css?family=Roboto:400,500" rel="stylesheet" type="text/css">
+  <style type="text/css">
+  </style>
+</head>
+<body style="margin:0; padding:0; background-color:#F2F6FC;">
+  <center>
+    <table width="100%" border="0" cellpadding="0" cellspacing="0" bgcolor="#F2F6FC">
+      <tr>
+        <td align="center" height="100%" valign="top" width="100%">
+          <!--[if (gte mso 9)|(IE)]>
+          <table align="center" border="0" cellspacing="24" cellpadding="0" width="600">
+          <tr>
+          <td align="center" valign="top" width="600">
+          <![endif]-->
+            <table align="center" border="0" cellpadding="0" cellspacing="24" width="100%" style="max-width:600px;" bgcolor="#ffffff">
+              <tr>
+                <td align="left">
+                  <img alt="Perx" src="https://cdn.uat.whistler.perxtech.io/dev1/global/assets/email/logo.png" width="96" height="34" style="width: 100%; max-width: 96px; font-family: 'Roboto', Helvetica, Arial, sans-serif; font-weight: 500; font-size: 24px; line-height: 24px; letter-spacing: 0.18px; color: #2664ed; text-transform: lowercase; display: block; border: 0px;" border="0">
+                </td>
+              </tr>
+              <tr>
+                <td align="center">
+                  <img alt="Illustration of user unlocking account" src="https://cdn.uat.whistler.perxtech.io/dev1/global/assets/email/email-reset.png" width="268" style="width: 100%; max-width: 268px; font-family: 'Roboto', Helvetica, Arial, sans-serif; font-weight: 400; font-size: 12px; line-height: 16px; letter-spacing: 0.4px; color: #7b7b7b; display: block; border: 0px;" border="0">
+                </td>
+              </tr>
+              <tr>
+                <td align="left" valign="top" style="font-family: 'Roboto', Helvetica, Arial, sans-serif; font-weight: 400; font-size: 24px; line-height: 24px; letter-spacing: 0.18px; color: #333333;">
+                  Hi <%= @resource.username %>,
+                </td>
+              </tr>
+              <tr>
+                <td align="left" valign="top" style="font-family: 'Roboto', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; letter-spacing: 0.15px; color: #7b7b7b;">
+                  A request has been made to reset your password. Simply click on the button below to reset it.
+                  <b style="font-family: 'Roboto', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; letter-spacing: 0.15px; color: #333333; font-weight: 500;">
+                    This password reset is only valid for the next 24 hours.
+                  </b>
+                </td>
+              </tr>
+              <tr>
+                <td align="center">
+                  <table width="100%" border="0" cellspacing="0" cellpadding="0">
+                    <tr>
+                      <td align="center">
+                        <table border="0" cellspacing="0" cellpadding="0" width="268" style="width: 100%; max-width: 268px;">
+                          <tr>
+                            <td align="center" width="100%" style="width: 100%; border-radius: 4px;" bgcolor="#2664ED"><a href="<%= @reset_url %>" target="_blank" style="font-size: 14px; letter-spacing: 0.75px; font-family: 'Roboto', Helvetica, Arial, sans-serif; color: #ffffff; font-weight: 500; text-decoration: none; border-radius: 4px; padding: 12px 24px; border: 1px solid #2664ED; display: block;"><!--[if mso]>&nbsp;<![endif]-->Reset Password<!--[if mso]>&nbsp;<![endif]--></a></td>
+                          </tr>
+                        </table>
+                      </td>
+                    </tr>
+                  </table>
+                </td>
+              </tr>
+              <tr>
+                <td align="left" valign="top" style="font-family: 'Roboto', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; letter-spacing: 0.15px; color: #7b7b7b;">
+                  If you did not make this request, you can safely ignore this email or
+                  <a href="#" target="_blank" style="font-family: 'Roboto', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; letter-spacing: 0.15px; color: #2664ED; font-weight: 400; display: inline-block; text-decoration: none;">
+                    contact support
+                  </a>
+                  if you have questions.
+                </td>
+              </tr>
+              <tr>
+                <td align="left" valign="top" style="font-family: 'Roboto', Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; letter-spacing: 0.15px; color: #7b7b7b;">
+                  Thank you, <br />
+                  Team Perx
+                </td>
+              </tr>
+              <tr>
+                <td height="1" style="font-size:1px; line-height:1px;">&nbsp;</td>
+              </tr>
+              <tr>
+                <td height="1" style="font-size:1px; line-height:1px;" bgcolor="#e8e8e8">&nbsp;</td>
+              </tr>
+              <tr>
+                <td height="1" style="font-size:1px; line-height:1px;">&nbsp;</td>
+              </tr>
+              <tr>
+                <td align="left" valign="top" style="font-family: 'Roboto', Helvetica, Arial, sans-serif; font-size: 12px; line-height: 16px; letter-spacing: 0.4px; color: #7b7b7b;">
+                  &copy; 2019 Perx Technologies. All rights reserved.<br /><br />
+                  20 Maxwell Road #02-01 <br />
+                  Maxwell House, 069113
+                </td>
+              </tr>
+
+            </table>
+          <!--[if (gte mso 9)|(IE)]>
+          </td>
+          </tr>
+          </table>
+          <![endif]-->
+        </td>
+      </tr>
+    </table>
+  </center>
+</body>
+</html>