cnfs-iam 0.0.1.alpha

data/config/routes.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+Ros::Iam::Engine.routes.draw do
+  jsonapi_resources :public_keys
+  devise_for :users, module: 'users', defaults: { format: :json }
+  devise_for :roots, module: 'roots', defaults: { format: :json }
+
+  jsonapi_resources :credentials
+  jsonapi_resources :groups
+  jsonapi_resources :policies
+  jsonapi_resources :roots
+  jsonapi_resources :users
+
+  # TODO: temporary route until we support registering callbacks to allow
+  # a root owner account to create a tenant
+  post '/blackcomb_credentials', to: 'credentials#blackcomb'
+end

data/config/sidekiq.yml

@@ -0,0 +1,5 @@
+---
+:queues:
+  - iam_default
+  - mailers
+

data/config/spring.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+Spring.application_root = './spec/dummy'

data/db/migrate/20190101000001_create_policies.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class CreatePolicies < ActiveRecord::Migration[6.0]
+  def change
+    create_table :policies do |t|
+      t.string :name, null: false, index: { unique: true }
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190101000002_create_actions.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class CreateActions < ActiveRecord::Migration[6.0]
+  def change
+    create_table :actions do |t|
+      t.string :name, null: false, index: { unique: true }
+      t.string :type, null: false
+      t.string :resource
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190101000003_create_policy_actions.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class CreatePolicyActions < ActiveRecord::Migration[6.0]
+  def change
+    create_table :policy_actions do |t|
+      t.references :policy, foreign_key: true
+      t.references :action, foreign_key: true
+
+      t.timestamps
+    end
+    add_index :policy_actions, %i[policy_id action_id], unique: true
+  end
+end

data/db/migrate/20190215214352_create_roots.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class CreateRoots < ActiveRecord::Migration[6.0]
+  def change
+    create_table :roots do |t|
+      t.boolean :api, null: false, default: false
+      t.string :time_zone, null: false, default: 'UTC'
+
+      ## Database authenticatable
+      t.string :email, null: false, default: '', index: { unique: true }
+      t.string :encrypted_password, null: false, default: ''
+
+      ## Recoverable
+      t.string   :reset_password_token, index: { unique: true }
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      # t.integer  :sign_in_count, default: 0, null: false
+      # t.datetime :current_sign_in_at
+      # t.datetime :last_sign_in_at
+      # t.string   :current_sign_in_ip
+      # t.string   :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      t.timestamps null: false
+    end
+    # add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,         unique: true
+  end
+end

data/db/migrate/20190215214353_update_tenants.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class UpdateTenants < ActiveRecord::Migration[6.0]
+  def change
+    add_reference :tenants, :root, null: false, foreign_key: true, index: { unique: true }
+    add_column :tenants, :alias, :string, null: true, index: { unique: true }
+    add_column :tenants, :name, :string
+    add_column :tenants, :state, :string
+  end
+end

data/db/migrate/20190215214355_create_credentials.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class CreateCredentials < ActiveRecord::Migration[6.0]
+  def change
+    create_table :credentials do |t|
+      t.references :owner, polymorphic: true
+      t.string :access_key_id, length: 20, index: { unique: true }
+      t.string :secret_access_key_digest
+
+      t.timestamps
+    end
+    # add_index :credentials, :access_key_id, unique: true
+  end
+end

data/db/migrate/20190215214407_create_users.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+class CreateUsers < ActiveRecord::Migration[6.0]
+  # rubocop:disable Metrics/MethodLength
+  def change
+    create_table :users do |t|
+      t.boolean :console, null: false, default: false, comment: 'Allow console access when true'
+      t.boolean :api, null: false, default: false, comment: 'Allow API access when true'
+      t.string :time_zone, null: false, default: 'UTC', comment: 'Adjust timestamps to this time zone'
+      t.jsonb :attached_policies, null: false, default: {}
+      t.jsonb :attached_actions, null: false, default: {}
+      t.jsonb :properties, null: false, default: {}, comment: 'Custom properties of the user'
+      t.jsonb :display_properties, null: false, default: {}, comment: 'Custom display properties of the user'
+
+      ## Database authenticatable
+      t.string :username, null: false, index: { unique: true }
+      t.string :encrypted_password, null: false, default: '', comment: 'Required if console is true'
+
+      ## Recoverable
+      t.string   :reset_password_token, index: { unique: true }
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      # t.integer  :sign_in_count, default: 0, null: false
+      # t.datetime :current_sign_in_at
+      # t.datetime :last_sign_in_at
+      # t.string   :current_sign_in_ip
+      # t.string   :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      t.timestamps null: false
+    end
+    # add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,         unique: true
+  end
+  # rubocop:enable Metrics/MethodLength
+end

data/db/migrate/20190215214409_create_user_credentials.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateUserCredentials < ActiveRecord::Migration[6.0]
+  def change
+    create_table :user_credentials do |t|
+      t.references :user, foreign_key: true
+      t.integer :credential_id, foreign_key: true, index: { unique: true }
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190215214410_create_user_policy_joins.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateUserPolicyJoins < ActiveRecord::Migration[6.0]
+  def change
+    create_table :user_policy_joins do |t|
+      t.references :user, foreign_key: true
+      t.references :policy, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190215214411_create_groups.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class CreateGroups < ActiveRecord::Migration[6.0]
+  def change
+    create_table :groups do |t|
+      t.string :name
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190215214412_create_user_groups.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateUserGroups < ActiveRecord::Migration[6.0]
+  def change
+    create_table :user_groups do |t|
+      t.references :user, foreign_key: true
+      t.references :group, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190215214413_create_group_policy_joins.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateGroupPolicyJoins < ActiveRecord::Migration[6.0]
+  def change
+    create_table :group_policy_joins do |t|
+      t.references :group, foreign_key: true
+      t.references :policy, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190215214415_create_roles.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class CreateRoles < ActiveRecord::Migration[6.0]
+  def change
+    create_table :roles do |t|
+      t.string :name
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190215214416_create_user_roles.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateUserRoles < ActiveRecord::Migration[6.0]
+  def change
+    create_table :user_roles do |t|
+      t.references :user, foreign_key: true
+      t.references :role, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190215214421_create_role_policy_joins.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateRolePolicyJoins < ActiveRecord::Migration[6.0]
+  def change
+    create_table :role_policy_joins do |t|
+      t.references :role, foreign_key: true
+      t.references :policy, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20190924091536_add_display_properties_to_tenants.rb

@@ -0,0 +1,5 @@
+class AddDisplayPropertiesToTenants < ActiveRecord::Migration[6.0]
+  def change
+    add_column :tenants, :display_properties, :jsonb, default: {}
+  end
+end

data/db/migrate/20191021220135_create_public_keys.rb

@@ -0,0 +1,10 @@
+class CreatePublicKeys < ActiveRecord::Migration[6.0]
+  def change
+    create_table :public_keys do |t|
+      t.references :user
+      t.string :content
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20191120083154_add_confirmable_email_to_user.rb

@@ -0,0 +1,9 @@
+class AddConfirmableEmailToUser < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :email, :string
+    add_column :users, :confirmation_token, :string
+    add_column :users, :confirmed_at, :datetime
+    add_column :users, :confirmation_sent_at, :datetime
+    add_column :users, :unconfirmed_email, :string
+  end
+end

data/db/seeds/development/tenants.seeds.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+# NOTE: Disabling event logging
+logging_mem = Settings.event_logging.enabled
+Settings.event_logging.enabled = false
+# if 'platform owner' account does not exist then create it and initialize credentials file
+initialize = Root.find_by(email: 'root@platform.com').nil?
+
+create_list = if initialize
+                [
+                  { email: 'root@platform.com', password: 'asdfjkl;', api: true, alias: 'owner' },
+                  { email: 'root@generic.com', password: 'asdfjkl;', alias: 'generic' },
+                  { email: 'root@banking.com', password: 'asdfjkl;', alias: 'banking' },
+                  { email: 'root@telco.com', password: 'asdfjkl;', alias: 'telco' },
+                  { email: 'root@insurance.com', password: 'asdfjkl;', alias: 'insurance' },
+                  { email: 'root@retail.com', password: 'asdfjkl;', alias: 'retail' }
+                ]
+              else
+                # TODO: We don't need it anymore
+                # id = Root.last.id
+                # create_list = [
+                #   { email: "root@client#{id + 1}.com", password: 'asdfjkl;' },
+                #   { email: "root@client#{id + 2}.com", password: 'asdfjkl;' }
+                # ]
+                []
+              end
+owner_root = Root.create!(email: 'root@owner.com', password: 'asdfjkl;')
+Tenant.create(schema_name: 'public', name: 'Account 1', alias: 'root', root: owner_root)
+
+@created_list = []
+create_list.each do |account|
+  tenant_alias = account.delete(:alias)
+  Root.create!(account).tap do |root|
+    root.create_tenant(schema_name: Tenant.account_id_to_schema(root.id.to_s * 9)[0..10],
+                       name: "Account #{root.id}", state: :active, alias: tenant_alias)
+    credential = Credential.create(owner: root)
+    @created_list.append(type: 'root', owner: root, tenant: root.tenant, credential: credential,
+                         secret: credential.secret_access_key)
+  end
+end
+Settings.event_logging.enabled = logging_mem

data/db/seeds/development/users.seeds.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+# ubocop:disable Metrics/BlockLength
+after 'development:tenants' do
+  Tenant.all.each do |tenant|
+    next if tenant.id.eql? 1
+
+    tenant.switch do
+      if Policy.count.zero?
+        # Add IAM Policies
+        Policy.create(name: 'AdministratorAccess')
+        Policy.create(name: 'IamUserFullAccess')
+        Policy.create(name: 'IamUserReadOnlyAccess')
+      end
+      next if User.count.positive?
+
+      user = User.create(username: 'Admin',
+                         console: true,
+                         api: true,
+                         time_zone: 'Asia/Singapore',
+                         email: 'admin@example.com',
+                         confirmed_at: DateTime.now,
+                         password: 'asdfjkl;')
+      User.create(username: 'Microsite',
+                  console: false,
+                  api: true,
+                  time_zone: 'Asia/Singapore',
+                  email: 'microsite@example.com',
+                  confirmed_at: DateTime.now)
+      # user.locale: 'en-US'
+      credential = user.credentials.create
+      @created_list.append(type: 'user',
+                           owner: user,
+                           tenant: tenant,
+                           credential: credential,
+                           secret: credential.secret_access_key)
+
+      # Create a Group
+      group_admin = Group.create(name: 'Admin')
+
+      # Attach the Admin Policy to the Group
+      group_admin.policies << Policy.first
+
+      # Assign the first User to the Admin Group
+      group_admin.users << User.first
+
+      # NOTE: create remainign groups
+      Group.create(name: 'Creator')
+      Group.create(name: 'Customer Support')
+      Group.create(name: 'Manager')
+      Group.create(name: 'Viewer')
+
+      # Role.create(name: 'PerxServiceRoleForIAM')
+      # Role.create(name: 'PerxUserReadOnlyAccess')
+    end
+  end
+
+  # Append newly created credentials to credentials.json in the tmp directory
+  FileUtils.mkdir_p(Ros.host_tmp_dir)
+  File.open("#{Ros.host_tmp_dir}/credentials.json", 'w') do |f|
+    f.puts(@created_list.to_json)
+  end
+  # Output the contents so that it can be captured by the helm log file when deployed into kubernetes
+  STDOUT.puts 'Credentials are next:'
+  STDOUT.puts File.read("#{Ros.host_tmp_dir}/credentials.json")
+end
+# ubocop:enable Metrics/BlockLength

data/lib/ros/api_token_strategy.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Ros
+  # NOTE: Overrides methods in ros-core gem
+  class ApiTokenStrategy
+    def authenticate_basic
+      credential = if access_key[:owner_type].eql?('Root')
+                     Apartment::Tenant.switch('public') { Credential.find_by(access_key_id: access_key_id) }
+                   else
+                     Credential.find_by(access_key_id: access_key_id)
+                   end
+      return unless credential
+
+      credential.authenticate_secret_access_key(secret_access_key).try(:owner)
+    end
+
+    def authenticate_bearer
+      return unless (urn = Urn.from_jwt(token))
+      return unless urn.model_name.in? %w[Root User]
+
+      urn.instance
+    end
+  end
+end