RubyGems - ddr-core - Versions diffs - 0.2.1 - Mend

ddr-core 0.2.1

Files changed (132) hide show

checksums.yaml +7 -0
data/LICENSE.txt +12 -0
data/README.md +27 -0
data/Rakefile +30 -0
data/app/assets/config/ddr_core_manifest.js +0 -0
data/app/controllers/users/omniauth_callbacks_controller.rb +11 -0
data/app/controllers/users/sessions_controller.rb +15 -0
data/app/models/concerns/ddr/captionable.rb +25 -0
data/app/models/concerns/ddr/describable.rb +108 -0
data/app/models/concerns/ddr/governable.rb +25 -0
data/app/models/concerns/ddr/has_admin_metadata.rb +141 -0
data/app/models/concerns/ddr/has_attachments.rb +10 -0
data/app/models/concerns/ddr/has_children.rb +10 -0
data/app/models/concerns/ddr/has_content.rb +132 -0
data/app/models/concerns/ddr/has_extracted_text.rb +10 -0
data/app/models/concerns/ddr/has_intermediate_file.rb +25 -0
data/app/models/concerns/ddr/has_multires_image.rb +14 -0
data/app/models/concerns/ddr/has_parent.rb +18 -0
data/app/models/concerns/ddr/has_struct_metadata.rb +21 -0
data/app/models/concerns/ddr/has_thumbnail.rb +33 -0
data/app/models/concerns/ddr/solr_document_behavior.rb +429 -0
data/app/models/concerns/ddr/streamable.rb +25 -0
data/app/models/ddr/admin_set.rb +28 -0
data/app/models/ddr/attachment.rb +14 -0
data/app/models/ddr/collection.rb +28 -0
data/app/models/ddr/component.rb +31 -0
data/app/models/ddr/contact.rb +23 -0
data/app/models/ddr/digest.rb +8 -0
data/app/models/ddr/file.rb +40 -0
data/app/models/ddr/item.rb +36 -0
data/app/models/ddr/language.rb +31 -0
data/app/models/ddr/media_type.rb +22 -0
data/app/models/ddr/resource.rb +94 -0
data/app/models/ddr/rights_statement.rb +25 -0
data/app/models/ddr/target.rb +17 -0
data/config/initializers/devise.rb +262 -0
data/config/locales/ddr-core.en.yml +85 -0
data/config/routes.rb +3 -0
data/db/migrate/20141104181418_create_users.rb +34 -0
data/db/migrate/20141107124012_add_columns_to_user.rb +46 -0
data/lib/ddr-core.rb +1 -0
data/lib/ddr/auth.rb +80 -0
data/lib/ddr/auth/ability.rb +18 -0
data/lib/ddr/auth/ability_definitions.rb +26 -0
data/lib/ddr/auth/ability_definitions/admin_set_ability_definitions.rb +9 -0
data/lib/ddr/auth/ability_definitions/alias_ability_definitions.rb +23 -0
data/lib/ddr/auth/ability_definitions/attachment_ability_definitions.rb +13 -0
data/lib/ddr/auth/ability_definitions/collection_ability_definitions.rb +28 -0
data/lib/ddr/auth/ability_definitions/component_ability_definitions.rb +13 -0
data/lib/ddr/auth/ability_definitions/item_ability_definitions.rb +13 -0
data/lib/ddr/auth/ability_definitions/lock_ability_definitions.rb +13 -0
data/lib/ddr/auth/ability_definitions/publication_ability_definitions.rb +16 -0
data/lib/ddr/auth/ability_definitions/role_based_ability_definitions.rb +39 -0
data/lib/ddr/auth/ability_definitions/superuser_ability_definitions.rb +9 -0
data/lib/ddr/auth/ability_factory.rb +10 -0
data/lib/ddr/auth/abstract_ability.rb +48 -0
data/lib/ddr/auth/affiliation.rb +14 -0
data/lib/ddr/auth/affiliation_groups.rb +20 -0
data/lib/ddr/auth/anonymous_ability.rb +7 -0
data/lib/ddr/auth/auth_context.rb +109 -0
data/lib/ddr/auth/auth_context_factory.rb +13 -0
data/lib/ddr/auth/detached_auth_context.rb +19 -0
data/lib/ddr/auth/dynamic_groups.rb +13 -0
data/lib/ddr/auth/effective_permissions.rb +12 -0
data/lib/ddr/auth/effective_roles.rb +9 -0
data/lib/ddr/auth/failure_app.rb +16 -0
data/lib/ddr/auth/group.rb +40 -0
data/lib/ddr/auth/grouper_gateway.rb +70 -0
data/lib/ddr/auth/groups.rb +32 -0
data/lib/ddr/auth/ldap_gateway.rb +74 -0
data/lib/ddr/auth/permissions.rb +18 -0
data/lib/ddr/auth/remote_groups.rb +14 -0
data/lib/ddr/auth/role_based_access_controls_enforcement.rb +56 -0
data/lib/ddr/auth/roles.rb +28 -0
data/lib/ddr/auth/roles/role.rb +121 -0
data/lib/ddr/auth/roles/role_type.rb +23 -0
data/lib/ddr/auth/roles/role_types.rb +52 -0
data/lib/ddr/auth/superuser_ability.rb +7 -0
data/lib/ddr/auth/test_helpers.rb +22 -0
data/lib/ddr/auth/user.rb +54 -0
data/lib/ddr/auth/web_auth_context.rb +29 -0
data/lib/ddr/core.rb +110 -0
data/lib/ddr/core/engine.rb +8 -0
data/lib/ddr/core/version.rb +5 -0
data/lib/ddr/error.rb +16 -0
data/lib/ddr/files.rb +13 -0
data/lib/ddr/fits.rb +189 -0
data/lib/ddr/index.rb +29 -0
data/lib/ddr/index/abstract_query_result.rb +22 -0
data/lib/ddr/index/connection.rb +38 -0
data/lib/ddr/index/csv_query_result.rb +84 -0
data/lib/ddr/index/document_builder.rb +9 -0
data/lib/ddr/index/field.rb +35 -0
data/lib/ddr/index/field_attribute.rb +22 -0
data/lib/ddr/index/fields.rb +154 -0
data/lib/ddr/index/filter.rb +139 -0
data/lib/ddr/index/query.rb +82 -0
data/lib/ddr/index/query_builder.rb +185 -0
data/lib/ddr/index/query_clause.rb +112 -0
data/lib/ddr/index/query_params.rb +40 -0
data/lib/ddr/index/query_result.rb +102 -0
data/lib/ddr/index/response.rb +30 -0
data/lib/ddr/index/sort_order.rb +28 -0
data/lib/ddr/index/unique_key_field.rb +12 -0
data/lib/ddr/managers.rb +9 -0
data/lib/ddr/managers/manager.rb +13 -0
data/lib/ddr/managers/technical_metadata_manager.rb +141 -0
data/lib/ddr/structure.rb +188 -0
data/lib/ddr/structures/agent.rb +49 -0
data/lib/ddr/structures/component_type_term.rb +29 -0
data/lib/ddr/structures/div.rb +64 -0
data/lib/ddr/structures/f_locat.rb +54 -0
data/lib/ddr/structures/file.rb +52 -0
data/lib/ddr/structures/file_grp.rb +35 -0
data/lib/ddr/structures/file_sec.rb +22 -0
data/lib/ddr/structures/fptr.rb +31 -0
data/lib/ddr/structures/mets_hdr.rb +37 -0
data/lib/ddr/structures/mptr.rb +49 -0
data/lib/ddr/structures/struct_map.rb +40 -0
data/lib/ddr/utils.rb +185 -0
data/lib/ddr/vocab.rb +22 -0
data/lib/ddr/vocab/asset.rb +51 -0
data/lib/ddr/vocab/contact.rb +9 -0
data/lib/ddr/vocab/display.rb +9 -0
data/lib/ddr/vocab/duke_terms.rb +13 -0
data/lib/ddr/vocab/rdf_vocabulary_parser.rb +43 -0
data/lib/ddr/vocab/roles.rb +25 -0
data/lib/ddr/vocab/sources/duketerms.rdf +870 -0
data/lib/ddr/vocab/vocabulary.rb +37 -0
data/lib/ddr/workflow.rb +8 -0
data/lib/tasks/ddr/core_tasks.rake +4 -0
metadata +428 -0

data/lib/ddr/auth/ability_definitions/superuser_ability_definitions.rb ADDED

@@ -0,0 +1,9 @@
+module Ddr::Auth
+  class SuperuserAbilityDefinitions < AbilityDefinitions
+    def call
+      can :manage, :all
+    end
+  end
+end

data/lib/ddr/auth/ability_factory.rb ADDED

@@ -0,0 +1,10 @@
+module Ddr::Auth
+  class AbilityFactory
+    def self.call(user = nil, env = nil)
+      auth_context = AuthContextFactory.call(user, env)
+      auth_context.ability
+    end
+  end
+end

data/lib/ddr/auth/abstract_ability.rb ADDED

@@ -0,0 +1,48 @@
+require 'cancan'
+module Ddr::Auth
+  # @abstract
+  class AbstractAbility
+    include CanCan::Ability
+    class_attribute :ability_definitions
+    self.ability_definitions = []
+    # CanCan default aliases:
+    #
+    #   alias_action :index, :show, :to => :read
+    #   alias_action :new, :to => :create
+    #   alias_action :edit, :to => :update
+    #
+    class_attribute :exclude_default_aliases
+    self.exclude_default_aliases = false
+    attr_reader :auth_context
+    delegate :anonymous?, :authenticated?, :metadata_manager?,
+             :user, :groups, :agents, :member_of?,
+             :authorized_to_act_as_superuser?,
+             to: :auth_context
+    def initialize(auth_context)
+      @auth_context = auth_context
+      if exclude_default_aliases
+        clear_aliased_actions
+      end
+      apply_ability_definitions
+    end
+    def cache
+      @cache ||= {}
+    end
+    def apply_ability_definitions
+      ability_definitions.reduce(self, :apply)
+    end
+    def apply(ability_def)
+      ability_def.call(self)
+    end
+  end
+end

data/lib/ddr/auth/affiliation.rb ADDED

@@ -0,0 +1,14 @@
+module Ddr::Auth
+  module Affiliation
+    FACULTY   = "faculty".freeze
+    STAFF     = "staff".freeze
+    STUDENT   = "student".freeze
+    EMERITUS  = "emeritus".freeze
+    AFFILIATE = "affiliate".freeze
+    ALUMNI    = "alumni".freeze
+    ALL = [ FACULTY, STAFF, STUDENT, EMERITUS, AFFILIATE, ALUMNI ].freeze
+  end
+end

data/lib/ddr/auth/affiliation_groups.rb ADDED

@@ -0,0 +1,20 @@
+module Ddr::Auth
+  class AffiliationGroups
+    all = []
+    Affiliation::ALL.each do |affiliation|
+      group = Group.new "duke.#{affiliation}",
+                        label: "Duke #{affiliation.capitalize}" do |auth_context|
+        auth_context.affiliation.include? affiliation
+      end
+      const_set affiliation.upcase, group
+      all << const_get(affiliation.upcase)
+    end
+    ALL = all.freeze
+  end
+end

data/lib/ddr/auth/anonymous_ability.rb ADDED

@@ -0,0 +1,7 @@
+module Ddr::Auth
+  class AnonymousAbility < AbstractAbility
+    self.ability_definitions = Ability.ability_definitions.dup
+  end
+end

data/lib/ddr/auth/auth_context.rb ADDED

@@ -0,0 +1,109 @@
+module Ddr::Auth
+  # @abstract
+  class AuthContext
+    attr_reader :user, :env
+    def initialize(user = nil, env = nil)
+      @user = user
+      @env = env
+    end
+    def ability
+      if anonymous?
+        AnonymousAbility.new(self)
+      elsif superuser?
+        SuperuserAbility.new(self)
+      else
+        default_ability_class.new(self)
+      end
+    end
+    def default_ability_class
+      Ddr::Auth::default_ability.constantize
+    end
+    # Return whether a user is absent from the auth context.
+    # @return [Boolean]
+    def anonymous?
+      user.nil?
+    end
+    # Return whether a user is present in the auth context.
+    # @return [Boolean]
+    def authenticated?
+      !anonymous?
+    end
+    # Return whether context is authenticated in superuser scope.
+    # @return [Boolean]
+    def superuser?
+      env && env.key?("warden") && env["warden"].authenticate?(scope: :superuser)
+    end
+    def metadata_manager?
+      member_of? Ddr::Auth.metadata_managers_group
+    end
+    # Return the user agent for this context.
+    # @return [String] or nil, if auth context is anonymous/
+    def agent
+      anonymous? ? nil : user.agent
+    end
+    # Is the authenticated agent a Duke identity?
+    # @return [Boolean]
+    def duke_agent?
+      !!(agent =~ /@duke\.edu\z/)
+    end
+    # Return the list of groups for this context.
+    # @return [Array<Group>]
+    def groups
+      @groups ||= Groups.call(self)
+    end
+    # Is the user associated with the auth context a member of the group?
+    # @param group [Group, String] group object or group id
+    # @return [Boolean]
+    def member_of?(group)
+      if group.is_a? Group
+        groups.include? group
+      else
+        member_of? Group.new(group)
+      end
+    end
+    # Is the auth context authorized to act as superuser?
+    #   This is separate from whether the context is authenticated in superuser scope.
+    # @return [Boolean]
+    def authorized_to_act_as_superuser?
+      member_of? Ddr::Auth.superuser_group
+    end
+    # Return the combined user and group agents for this context.
+    # @return [Array<String>]
+    def agents
+      groups.map(&:agent).push(agent).compact
+    end
+    # The IP address associated with the context.
+    # @return [String]
+    def ip_address
+      nil
+    end
+    # The affiliation values associated with the context.
+    # @return [Array<String>]
+    def affiliation
+      []
+    end
+    # The remote group values associated with the context.
+    # @return [Array<String>]
+    def ismemberof
+      []
+    end
+  end
+end

data/lib/ddr/auth/auth_context_factory.rb ADDED

@@ -0,0 +1,13 @@
+module Ddr::Auth
+  class AuthContextFactory
+    def self.call(user = nil, env = nil)
+      if env
+        WebAuthContext.new(user, env)
+      else
+        DetachedAuthContext.new(user)
+      end
+    end
+  end
+end

data/lib/ddr/auth/detached_auth_context.rb ADDED

@@ -0,0 +1,19 @@
+module Ddr::Auth
+  class DetachedAuthContext < AuthContext
+    def affiliation
+      anonymous? ? super : ldap_result.affiliation
+    end
+    def ismemberof
+      anonymous? ? super : ldap_result.ismemberof
+    end
+    private
+    def ldap_result
+      @ldap_result ||= Ddr::Auth.ldap_gateway.find(user.user_key)
+    end
+  end
+end

data/lib/ddr/auth/dynamic_groups.rb ADDED

@@ -0,0 +1,13 @@
+module Ddr::Auth
+  class DynamicGroups
+    ALL = ([Groups::PUBLIC, Groups::REGISTERED, Groups::DUKE_ALL] + AffiliationGroups::ALL).freeze
+    # @param auth_context [AuthContext]
+    # @return [Array<Group>]
+    def self.call(auth_context)
+      ALL.select { |group| group.has_member?(auth_context) }
+    end
+  end
+end

data/lib/ddr/auth/effective_permissions.rb ADDED

@@ -0,0 +1,12 @@
+module Ddr::Auth
+  class EffectivePermissions
+    # @param obj [Object] an object that receives :roles and returns a RoleSet
+    # @param agents [String, Array<String>] agent(s) to match roles
+    # @return [Array<Symbol>]
+    def self.call(obj, agents)
+      EffectiveRoles.call(obj, agents).map(&:permissions).flatten.uniq
+    end
+  end
+end

data/lib/ddr/auth/effective_roles.rb ADDED

@@ -0,0 +1,9 @@
+module Ddr::Auth
+  class EffectiveRoles
+    def self.call(obj, agents)
+      ( obj.resource_roles | obj.inherited_roles ).select { |r| agents.include?(r.agent) }
+    end
+  end
+end

data/lib/ddr/auth/failure_app.rb ADDED

@@ -0,0 +1,16 @@
+module Ddr
+  module Auth
+    class FailureApp < Devise::FailureApp
+      def respond
+        if scope == :user && Ddr::Auth.require_shib_user_authn
+          store_location!
+          redirect_to user_omniauth_authorize_path(:shibboleth)
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/ddr/auth/group.rb ADDED

@@ -0,0 +1,40 @@
+require "delegate"
+module Ddr
+  module Auth
+    # Wraps a String
+    class Group < SimpleDelegator
+      attr_reader :rule
+      def initialize(id, opts={}, &rule)
+        super(id)
+        @label = opts[:label]
+        @rule = rule
+        freeze
+      end
+      # @param user [Ddr::Auth::AuthContext]
+      def has_member?(auth_context)
+        rule ? instance_exec(auth_context, &rule) : auth_context.member_of?(self)
+      end
+      def id
+        __getobj__
+      end
+      def label
+        @label || id
+      end
+      def agent
+        to_s
+      end
+      def inspect
+        "#<#{self.class.name} id=#{id.inspect}, label=#{label.inspect}>"
+      end
+    end
+  end
+end

data/lib/ddr/auth/grouper_gateway.rb ADDED

@@ -0,0 +1,70 @@
+require 'grouper-rest-client'
+require "delegate"
+module Ddr
+  module Auth
+    class GrouperGateway < SimpleDelegator
+      SUBJECT_ID_RE = Regexp.new('[^@]+(?=@duke\.edu)')
+      DEFAULT_TIMEOUT = 5
+      def self.repository_groups(*args)
+        new.repository_groups(*args)
+      end
+      def self.user_groups(*args)
+        new.user_groups(*args)
+      end
+      def initialize
+        super Grouper::Rest::Client::Resource.new(ENV["GROUPER_URL"],
+                                                  user: ENV["GROUPER_USER"],
+                                                  password: ENV["GROUPER_PASSWORD"],
+                                                  timeout: ENV.fetch("GROUPER_TIMEOUT", DEFAULT_TIMEOUT).to_i)
+      end
+      # List of all grouper groups for the repository
+      def repository_groups(raw = false)
+        repo_groups = groups(REPOSITORY_GROUP_FILTER)
+        if ok?
+          return repo_groups if raw
+          repo_groups.map do |g|
+            Group.new(g["name"], label: g["displayExtension"])
+          end
+        else
+          []
+        end
+      end
+      def user_groups(user, raw = false)
+        groups = []
+        subject_id = user.principal_name.scan(SUBJECT_ID_RE).first
+        return groups unless subject_id
+        begin
+          request_body = {
+            "WsRestGetGroupsRequest" => {
+              "subjectLookups" => [{"subjectIdentifier" => subject_id}]
+            }
+          }
+          # Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
+          response = call("subjects", :post, request_body)
+          if ok?
+            result = response["WsGetGroupsResults"]["results"].first
+            # Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
+            if result && result["wsGroups"]
+              groups = result["wsGroups"].select { |g| g["name"] =~ /^#{REPOSITORY_GROUP_FILTER}/ }
+            end
+          end
+        rescue StandardError => e
+          # XXX Should we raise a custom exception?
+          Rails.logger.error e
+        end
+        return groups if raw
+        groups.map do |g|
+          Group.new(g["name"], label: g["displayExtension"])
+        end
+      end
+    end
+  end
+end

data/lib/ddr/auth/groups.rb ADDED

@@ -0,0 +1,32 @@
+module Ddr
+  module Auth
+    module Groups
+      PUBLIC = Group.new "public", label: "Public" do |auth_context|
+        true
+      end
+      REGISTERED = Group.new "registered", label: "Registered Users" do |auth_context|
+        auth_context.authenticated?
+      end
+      DUKE_ALL = Group.new "duke.all", label: "Duke NetIDs" do |auth_context|
+        auth_context.duke_agent?
+      end
+      # Return the list of all groups available for use in the repository,
+      #   i.e., that can be used to assert access controls.
+      # @return [Array<Group>] the groups
+      def self.all
+        DynamicGroups::ALL + Ddr::Auth.grouper_gateway.repository_groups
+      end
+      # @param auth_context [AuthContext]
+      # @return [Array<Group>]
+      def self.call(auth_context)
+        DynamicGroups.call(auth_context) + RemoteGroups.call(auth_context)
+      end
+    end
+  end
+end