cnfs-iam 0.0.1.alpha

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: '09c0a33b4d2abc84491e1eb15e1f275c04f634b939404b6987ac7bd266894b57'
+  data.tar.gz: d6a28ba8c62e0dc63fb4416e0703220878cc3afd8d91ef9cf9b8dceaac59608a
+SHA512:
+  metadata.gz: 1cde288627409018e8492144e8cc390040d0a283f7b762ed49dcf51687b944d77efde5aa024fb0c1baa115e48c4fb9bff388d359ef9d1033231ec3f3548e70ff
+  data.tar.gz: ac9e004aec8e9864e31573f543f24da06bdbc872ab5500455560ed03dc831bee53664ef43e6220197afde53eabd635ffd8162b959ee43d36b8e87660401b25f1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2019 Robert Roach
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,75 @@
+
+# IAM
+
+User Rob belongs to group Administrators
+Group Administrators has Role FullAccess
+
+User Pearl belongs to group DashboardUser
+Group DashboardUser has Role DashboardFullAccess
+
+Post is a model
+PostPolicy.update? current_user.has_role?
+
+## Groups
+
+Groups have 0 or more attached Policies which give permission for specific actions
+Groups have 0 or more Users
+
+## Users
+
+User have 0 or more attached Policies which give permission for specific actions
+Users belong to 0 or more Groups
+Users inherit Group permissions
+
+## Roles
+
+Roles have many policies
+A User may have permission to assume a specific Role
+The Role is assumed in order to accomplish a specific Action for which that specific Role has Permission
+
+
+## Policies
+
+Policies permit or deny certain Actions
+
+Example:
+
+AlexaForBusinessDeviceSetup
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "a4b:RegisterDevice",
+                "a4b:CompleteRegistration",
+                "a4b:SearchDevices"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+### Other Notes
+
+[]User, Root and Robot have a policies and actions jsonb column
+[]anytime an action or policy changes it calls its users, roles and robots which triggers them to update their properties and actions hashes
+
+
+Authenticate to get token:
+Root email and password
+User username and password
+Root access_key_id secret_access_key
+User same as above
+
+Make requests with JWT
+If the token is present:
+Is it authentic? Is it valid?
+If yes then select the tenant
+Then get the user from the JWT
+Perhaps there should be User and Root objects available to the services. Or use the client based objects 
+
+

data/Rakefile

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Ros::Iam'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('spec/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'

data/app/controllers/concerns/is_tenant_scoped.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module IsTenantScoped
+  extend ActiveSupport::Concern
+
+  def login_user!
+    false
+  end
+
+  def tenant_schema(params, key = :account_id)
+    params_ = HashWithIndifferentAccess.new(params)
+
+    # this is not a dynamically created method but defined in our tenant concern
+    Tenant.find_by_schema_or_alias(params_[key])&.schema_name ||
+      Apartment::Tenant.current
+  end
+
+  def user_resource
+    "#{resource_name.capitalize}Resource".constantize
+  end
+end

data/app/controllers/credentials_controller.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class CredentialsController < Iam::ApplicationController
+  # TODO: Remove this once we support registration of callbacks
+  def blackcomb
+    res = BlackcombUserCreate.call(params: blackcomb_params)
+    if res.success?
+      @current_jwt = Ros::Jwt.new(res.model.jwt_payload)
+      render json: json_resource(resource_class: UserResource, record: res.model), status: :created
+    else
+      resource = ApplicationResource.new(res, nil)
+      handle_exceptions JSONAPI::Exceptions::ValidationErrors.new(resource)
+    end
+  end
+
+  private
+
+  def blackcomb_params
+    permitted_params = jsonapi_params.permit(:account_id)
+
+    HashWithIndifferentAccess.new({ current_user: context[:user] }.merge(permitted_params))
+  end
+end

data/app/controllers/groups_controller.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class GroupsController < Iam::ApplicationController
+end

data/app/controllers/iam/application_controller.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module Iam
+  class ApplicationController < ::ApplicationController
+  end
+end

data/app/controllers/iam/confirmations_controller.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Iam
+  class ConfirmationsController < Devise::ConfirmationsController
+    include IsTenantScoped
+
+    skip_before_action :authenticate_it!, only: %i[create show]
+
+    respond_to :json
+
+    # POST /resource/confirmation
+    def create
+      Apartment::Tenant.switch tenant_schema(reset_params) do
+        return super unless find_user!
+
+        @current_user.send_confirmation_instructions
+
+        if successfully_sent?(@current_user)
+          render status: :ok, json: { message: 'ok' }
+        else
+          render status: :bad_request
+        end
+      end
+    end
+
+    # Devise v4.7.1 expects this to be a GET request and not PUT which is
+    # definitely not what I expected.
+    # https://github.com/plataformatec/devise/blob/v4.7.1/app/controllers/devise/confirmations_controller.rb#L21
+    #
+    # GET /resource/confirmation
+    def show
+      mail_token = begin
+                     Ros::Jwt.new(confirmation_params[:token]).decode
+                   rescue JWT::DecodeError => e
+                     render status: :bad_request, json: { errors: e }
+                     return
+                   end
+
+      return unless mail_token
+
+      Apartment::Tenant.switch tenant_schema(mail_token) do
+        res = User.confirm_by_token(mail_token[:token])
+        if res.confirmed?
+          render status: :ok, json: { message: 'ok' }
+        else
+          render status: :bad_request, json: { errors: res.errors }
+        end
+      end
+    end
+  end
+end

data/app/controllers/iam/passwords_controller.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Iam
+  class PasswordsController < Devise::PasswordsController
+    include IsTenantScoped
+
+    skip_before_action :authenticate_it!, only: %i[create update]
+
+    respond_to :json
+
+    # POST /resource/password
+    def create
+      Apartment::Tenant.switch tenant_schema(password_params) do
+        return super unless find_user!
+
+        @current_user.send_reset_password_instructions
+
+        if successfully_sent?(@current_user)
+          render status: :ok, json: { message: 'ok' }
+        else
+          render status: :bad_request
+        end
+      end
+    end
+
+    # PUT /resource/password
+    def update
+      mail_token = begin
+                     Ros::Jwt.new(reset_params[:token]).decode
+                   rescue JWT::DecodeError => e
+                     render status: :bad_request, json: { errors: e }
+                     return
+                   end
+
+      return unless mail_token
+
+      Apartment::Tenant.switch tenant_schema(mail_token) do
+        decoded_params = {
+          reset_password_token: mail_token[:token],
+          password: reset_params[:password],
+          password_confirmation: reset_params[:password_confirmation]
+        }
+
+        res = User.reset_password_by_token(decoded_params)
+
+        if res.persisted?
+          res.confirm unless res.confirmed?
+          @current_jwt = Ros::Jwt.new(res.jwt_payload)
+          render status: :ok, json: { message: 'ok' }
+        else
+          render status: :bad_request, json: { errors: res.errors }
+        end
+      end
+    end
+  end
+end

data/app/controllers/iam/sessions_controller.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Iam
+  class SessionsController < Devise::SessionsController
+    include IsTenantScoped
+
+    skip_before_action :authenticate_it!, only: :create
+
+    respond_to :json
+
+    # POST /resource/sign_in
+    def create
+      Apartment::Tenant.switch tenant_schema(sign_in_params) do
+        return super unless login_user!
+
+        @current_jwt = Ros::Jwt.new(current_user.jwt_payload)
+        render json: json_resource(resource_class: user_resource, record: current_user)
+      end
+    end
+  end
+end

data/app/controllers/policies_controller.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class PoliciesController < Iam::ApplicationController
+end

data/app/controllers/public_keys_controller.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class PublicKeysController < Iam::ApplicationController
+end

data/app/controllers/roots/sessions_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Roots
+  class SessionsController < Iam::SessionsController
+    protected
+
+    def login_user!
+      @current_user = Root.find_by(email: sign_in_params[:email])
+      current_user&.valid_password? sign_in_params[:password]
+    end
+
+    def sign_in_params
+      jsonapi_params.permit(%i[email password])
+    end
+  end
+end

data/app/controllers/roots_controller.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+class RootsController < Iam::ApplicationController
+end

data/app/controllers/users/confirmations_controller.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Users
+  class ConfirmationsController < Iam::ConfirmationsController
+    protected
+
+    def find_user!
+      @current_user = User.find_by(username: reset_params[:username])
+    end
+
+    def reset_params
+      jsonapi_params.permit %i[username email account_id]
+    end
+
+    # refer to Users::PasswordController.reset_params for details on why we
+    # just allow :token
+    def confirmation_params
+      jsonapi_params.permit %i[token]
+    end
+  end
+end

data/app/controllers/users/passwords_controller.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Users
+  class PasswordsController < Iam::PasswordsController
+    protected
+
+    def find_user!
+      @current_user = User.find_by(username: password_params[:username])
+    end
+
+    def password_params
+      jsonapi_params.permit(%i[email username password password_confirmation account_id])
+    end
+
+    # NOTE: the received token should be the encoded token we sent on the email
+    # for password reset. JWT token should have the accountId, username and
+    # Devise's reset token. Since the FE does not have the encryption key,
+    # if they tamper the token with other params this would fail on validating
+    # when we try to use it. Also this generated JWT is not valid for auth
+    # as it doesnt have any credentials attached.
+    def reset_params
+      jsonapi_params.permit(%i[token password password_confirmation])
+    end
+  end
+end

data/app/controllers/users/sessions_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Users
+  class SessionsController < Iam::SessionsController
+    protected
+
+    def login_user!
+      @current_user = User.find_by(username: sign_in_params[:username])
+      return if current_user.nil?
+      return unless current_user.confirmed?
+
+      current_user&.valid_password? sign_in_params[:password]
+    end
+
+    def sign_in_params
+      jsonapi_params.permit(%i[email username password account_id])
+    end
+  end
+end

data/app/controllers/users_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class UsersController < Iam::ApplicationController
+  def create
+    res = UserCreate.call(params: create_params, user: context[:user])
+    if res.success?
+      render json: json_resource(resource_class: UserResource, record: res.model), status: :created
+    else
+      resource = ApplicationResource.new(res, nil)
+      handle_exceptions JSONAPI::Exceptions::ValidationErrors.new(resource)
+    end
+  end
+
+  def create_params
+    jsonapi_params.merge(relationships: params.require(:data).fetch(:relationships, {})).permit!
+  end
+end