ddr-core 0.2.1

data/lib/ddr/auth/ldap_gateway.rb

@@ -0,0 +1,74 @@
+require "net-ldap"
+
+module Ddr::Auth
+  class LdapGateway
+
+    SCOPE = Net::LDAP::SearchScope_SingleLevel
+
+    class_attribute :attributes
+    self.attributes = [ "edupersonaffiliation", "ismemberof" ]
+
+    attr_reader :ldap
+
+    def self.find(user_key)
+      new.find(user_key)
+    end
+
+    def initialize
+      @ldap = Net::LDAP.new(config)
+    end
+
+    def find(user_key)
+      result_set = ldap.search find_params(user_key)
+      if result_set
+        Result.new result_set.first
+      else
+        raise ldap.get_operation_result.message
+      end
+    end
+
+    class Result
+      attr_reader :result
+
+      def initialize(result)
+        @result = result
+      end
+
+      def affiliation
+        result ? result[:edupersonaffiliation] : []
+      end
+
+      def ismemberof
+        result ? result[:ismemberof] : []
+      end
+    end
+
+    private
+
+    def find_params(user_key)
+      { scope: SCOPE,
+        filter: filter(user_key),
+        size: 1,
+        attributes: attributes
+      }
+    end
+
+    def filter(user_key)
+      Net::LDAP::Filter.eq("eduPersonPrincipalName", user_key)
+    end
+
+    def config
+      { host: ENV["LDAP_HOST"],
+        port: ENV["LDAP_PORT"],
+        base: ENV["LDAP_BASE"],
+        auth:
+          { method: :simple,
+            username: ENV["LDAP_USER"],
+            password: ENV["LDAP_PASSWORD"]
+          },
+        encryption: { method: :simple_tls }
+      }
+    end
+
+  end
+end

data/lib/ddr/auth/permissions.rb

@@ -0,0 +1,18 @@
+module Ddr::Auth
+  class Permissions
+
+    READ         = :read
+    DOWNLOAD     = :download
+    ADD_CHILDREN = :add_children
+    UPDATE       = :update
+    REPLACE      = :replace
+    ARRANGE      = :arrange
+    PUBLISH      = :publish
+    UNPUBLISH    = :unpublish
+    AUDIT        = :audit
+    GRANT        = :grant
+
+    ALL = [ READ, DOWNLOAD, ADD_CHILDREN, UPDATE, REPLACE, ARRANGE, PUBLISH, UNPUBLISH, AUDIT, GRANT ]
+
+  end
+end

data/lib/ddr/auth/remote_groups.rb

@@ -0,0 +1,14 @@
+module Ddr::Auth
+  class RemoteGroups
+
+    # @param auth_context [AuthContext]
+    # @return [Array<Group>]
+    def self.call(auth_context)
+      auth_context.ismemberof.map do |id|
+        Group.new id.sub(/\Aurn:mace:duke\.edu:groups/, "duke")
+      end
+    end
+
+  end
+
+end

data/lib/ddr/auth/role_based_access_controls_enforcement.rb

@@ -0,0 +1,56 @@
+module Ddr
+  module Auth
+    #
+    # Hydra controller mixin for role-based access control
+    #
+    # Overrides Hydra::AccessControlsEnforcement#gated_discovery_filters
+    # to apply role filters instead of permissions filters.
+    #
+    module RoleBasedAccessControlsEnforcement
+
+      def self.included(controller)
+        controller.delegate :authorized_to_act_as_superuser?, to: :current_ability
+        controller.helper_method :authorized_to_act_as_superuser?
+      end
+
+      def current_ability
+        @current_ability ||= AbilityFactory.call(current_user, request.env)
+      end
+
+      # List of URIs for policies on which any of the current user's agent has a role in policy scope
+      def policy_role_policies
+        @policy_role_policies ||= Array.new.tap do |uris|
+          filters = current_ability.agents.map do |agent|
+            "#{Ddr::Index::Fields::POLICY_ROLE}:\"#{agent}\""
+          end.join(" OR ")
+          query = "#{Ddr::Index::Fields::ACTIVE_FEDORA_MODEL}:Collection AND (#{filters})"
+          results = ActiveFedora::SolrService.query(query, rows: Collection.count, fl: Ddr::Index::Fields::INTERNAL_URI)
+          results.each_with_object(uris) { |r, memo| memo << r[Ddr::Index::Fields::INTERNAL_URI] }
+        end
+      end
+
+      def policy_role_filters
+        if policy_role_policies.present?
+          rels = policy_role_policies.map { |pid| [:is_governed_by, pid] }
+          ActiveFedora::SolrService.construct_query_for_rel(rels, "OR")
+        end
+      end
+
+      def resource_role_filters
+        current_ability.agents.map do |agent|
+          ActiveFedora::SolrService.raw_query(Ddr::Index::Fields::RESOURCE_ROLE, agent)
+        end.join(" OR ")
+      end
+
+      def gated_discovery_filters
+        [resource_role_filters, policy_role_filters].compact
+      end
+
+      # Overrides Hydra::AccessControlsEnforcement
+      def enforce_show_permissions
+        authorize! :read, params[:id]
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/roles.rb

@@ -0,0 +1,28 @@
+module Ddr::Auth
+  module Roles
+    extend ActiveSupport::Autoload
+
+    autoload :Role
+    autoload :RoleType
+    autoload :RoleTypes
+
+    include RoleTypes
+
+    RESOURCE_SCOPE = "resource".freeze
+    POLICY_SCOPE = "policy".freeze
+    SCOPES = [RESOURCE_SCOPE, POLICY_SCOPE].freeze
+
+    class << self
+
+      def type_map
+        @type_map ||= role_types.map { |role_type| [role_type.to_s, role_type] }.to_h
+      end
+
+      def role_types
+        @role_types ||= RoleTypes.constants(false).map { |const| RoleTypes.const_get(const) }
+      end
+
+    end
+
+  end
+end

data/lib/ddr/auth/roles/role.rb

@@ -0,0 +1,121 @@
+module Ddr
+  module Auth
+    module Roles
+      #
+      # The assignment of a role to an agent within a scope.
+      #
+      class Role < Valkyrie::Resource
+
+        DEFAULT_SCOPE = Roles::RESOURCE_SCOPE
+
+        ValidScope = Valkyrie::Types::Strict::String.enum(*(Roles::SCOPES))
+        ValidRoleType = Valkyrie::Types::Strict::String.enum(*(Roles::role_types.map(&:title)))
+
+        attribute :agent, Valkyrie::Types::Strict::String.constrained(min_size: 1)
+        attribute :role_type, ValidRoleType
+        attribute :scope, ValidScope
+
+        class << self
+
+          # Build a Role instance from hash attributes
+          # @param args [Hash] the attributes
+          # @return [Role] the role
+          # @example
+          #   Role.build type: "Curator", agent: "bob", scope: "resource"
+          def build(args={})
+            new.tap do |role|
+              args[:role_type] ||= args.delete(:type)
+              args[:agent] ||= nil # Triggers a constraint error
+              args[:agent] = args[:agent].to_s # Coerce Ddr::Auth:Group to string
+
+              args.each do |attr, val|
+                role.set_value(attr, val)
+              end
+
+              role.scope ||= DEFAULT_SCOPE
+            end
+          end
+
+          ###############
+          # FIXME or remove serialization/deserialization
+          ###############
+          #
+          # # Deserialize a Role from JSON
+          # # @param json [String] the JSON string
+          # # @return [Role] the role
+          # def from_json(json)
+          #   build JSON.parse(json)
+          # end
+
+          # alias_method :deserialize, :from_json
+
+          private
+
+          #
+          # DELETEME
+          #
+          # def build_attributes(args={})
+          #   # symbolize keys and stringify values
+          #   attrs = args.each_with_object({}) do |(k, v), memo|
+          #     memo[k.to_sym] = Array(v).first.to_s
+          #   end
+          #   # set default scope if necessary
+          #   attrs[:scope] ||= DEFAULT_SCOPE
+          #   # accept :type key for role_type attribute
+          #   if attrs.key?(:type)
+          #     attrs[:role_type] = attrs.delete(:type)
+          #   end
+          #   attrs
+          # end
+
+        end # class << self
+
+        # Roles are considered equal (==) if they
+        # are of the same type and have the same agent and scope.
+        # @param other [Object] the object of comparison
+        # @return [Boolean] the result
+        def ==(other)
+          self.class == other.class &&
+            role_type == other.role_type &&
+            scope == other.scope &&
+            agent == other.agent
+        end
+
+        alias_method :eql?, :==
+
+        def in_resource_scope?
+          scope == Roles::RESOURCE_SCOPE
+        end
+
+        def in_policy_scope?
+          scope == Roles::POLICY_SCOPE
+        end
+
+        def inspect
+          "#<#{self.class.name} role_type=#{role_type.inspect}, " \
+          "agent=#{agent.inspect}, scope=#{scope.inspect}>"
+        end
+
+        # TODO refactor up?
+        def proper_attributes
+          attributes.slice(self.class.fields - self.class.reserved_attributes)
+        end
+
+        ###############
+        # FIXME or remove serialization/deserialization
+        ###############
+        #
+        # delegate :to_json, to: :proper_attributes
+        #
+        # alias_method :serialize, :to_json
+
+        # Returns the permissions associated with the role
+        # @return [Array<Symbol>] the permissions
+        def permissions
+          Roles.type_map[role_type].permissions
+        end
+
+      end
+    end
+  end
+end

data/lib/ddr/auth/roles/role_type.rb

@@ -0,0 +1,23 @@
+module Ddr
+  module Auth
+    module Roles
+      class RoleType
+
+        attr_reader :title, :description, :permissions
+        alias_method :label, :title
+
+        def initialize(title, description, permissions)
+          @title = title.freeze
+          @description = description.freeze
+          @permissions = permissions.freeze
+          freeze
+        end
+
+        def to_s
+          title
+        end
+
+      end
+    end
+  end
+end

data/lib/ddr/auth/roles/role_types.rb

@@ -0,0 +1,52 @@
+module Ddr
+  module Auth
+    module Roles
+      module RoleTypes
+
+        CURATOR = RoleType.new(
+          "Curator",
+          "The Curator role conveys responsibility for curating a resource " \
+          "and delegating responsibilities to other agents.",
+          Permissions::ALL
+        )
+
+        EDITOR = RoleType.new(
+          "Editor",
+          "The Editor role conveys reponsibility for managing the content, " \
+          "description and structural arrangement of a resource.",
+          [ Permissions::READ, Permissions::DOWNLOAD, Permissions::ADD_CHILDREN,
+            Permissions::UPDATE, Permissions::REPLACE, Permissions::ARRANGE ]
+        )
+
+        METADATA_EDITOR = RoleType.new(
+          "MetadataEditor",
+          "The Metadata Editor role conveys responsibility for " \
+          "managing the description of a resource.",
+          [ Permissions::READ, Permissions::DOWNLOAD, Permissions::UPDATE ]
+        )
+
+        CONTRIBUTOR = RoleType.new(
+          "Contributor",
+          "The Contributor role conveys responsibility for adding related " \
+          "resources to a resource, such as works to a collection.",
+          [ Permissions::READ, Permissions::ADD_CHILDREN ]
+        )
+
+        DOWNLOADER = RoleType.new(
+          "Downloader",
+          "The Downloader role conveys access to the \"master\" file " \
+          "(original content bitstream) of a resource.",
+          [ Permissions::READ, Permissions::DOWNLOAD ]
+        )
+
+        VIEWER = RoleType.new(
+          "Viewer",
+          "The Viewer role conveys access to the description and \"access\" " \
+          "files (e.g., derivative bitstreams) of a resource.",
+          [ Permissions::READ ]
+        )
+
+      end
+    end
+  end
+end

data/lib/ddr/auth/superuser_ability.rb

@@ -0,0 +1,7 @@
+module Ddr::Auth
+  class SuperuserAbility < AbstractAbility
+
+    self.ability_definitions = [ SuperuserAbilityDefinitions ]
+
+  end
+end

data/lib/ddr/auth/test_helpers.rb

@@ -0,0 +1,22 @@
+module Ddr
+  module Auth
+    module TestHelpers
+
+      class MockLdapGateway
+        def self.find(*args); new.find(*args); end
+        def find(user_key); Ddr::Auth::LdapGateway::Result.new(nil); end
+      end
+
+      class MockGrouperGateway
+        def self.repository_groups(*args); new.repository_groups(*args); end
+        def repository_groups(raw = false); []; end
+        def self.user_groups(*args); new.user_groups(*args); end
+        def user_groups(user, raw = false); []; end
+      end
+
+    end
+  end
+end
+
+Ddr::Auth.ldap_gateway = Ddr::Auth::TestHelpers::MockLdapGateway
+Ddr::Auth.grouper_gateway = Ddr::Auth::TestHelpers::MockGrouperGateway

data/lib/ddr/auth/user.rb

@@ -0,0 +1,54 @@
+require 'devise'
+
+module Ddr::Auth
+  module User
+    extend ActiveSupport::Concern
+
+    included do
+      delegate :can, :can?, :cannot, :cannot?, to: :ability
+
+      validates_uniqueness_of :username, case_sensitive: false
+      validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/
+
+      devise :database_authenticatable, :omniauthable, omniauth_providers: [:shibboleth]
+
+      class_attribute :user_key_attribute
+      self.user_key_attribute = Devise.authentication_keys.first
+    end
+
+    module ClassMethods
+      def find_by_user_key(key)
+        send("find_by_#{user_key_attribute}", key)
+      end
+
+      def from_omniauth(auth)
+        user = find_by_user_key(auth.uid) ||
+               new(user_key_attribute => auth.uid, :password => Devise.friendly_token)
+        user.update!(email: auth.info.email,
+                     display_name: auth.info.name,
+                     first_name: auth.info.first_name,
+                     last_name: auth.info.last_name,
+                     nickname: auth.info.nickname)
+        user
+      end
+    end
+
+    # Copied from Hydra::User
+    def user_key
+      send(user_key_attribute)
+    end
+
+    def to_s
+      user_key
+    end
+
+    def agent
+      user_key
+    end
+
+    def ability
+      @ability ||= AbilityFactory.call(self)
+    end
+
+  end
+end