ddr-models 1.2.0 → 1.2.1

data/lib/ddr/auth/group_service.rb~

@@ -1,53 +0,0 @@
-module Ddr
-  module Auth
-    class GroupService
-
-      class_attribute :include_role_mapper_groups
-      self.include_role_mapper_groups = RoleMapper.role_names.present? rescue false
-
-      def role_mapper_user_groups(user)
-        RoleMapper.roles(user) rescue []
-      end
-
-      def role_mapper_groups
-        RoleMapper.role_names rescue []
-      end
-
-      def groups
-        default_groups | append_groups
-      end
-
-      def user_groups(user)
-        default_user_groups(user) | append_user_groups(user)
-      end
-
-      def superuser_group
-        Ddr::Auth.superuser_group
-      end
-
-      def append_groups
-        []
-      end
-
-      def append_user_groups(user)
-        []
-      end
-
-      def default_groups
-        dg = [Ddr::Auth.everyone_group, Ddr::Auth.authenticated_users_group]
-        dg += role_mapper_groups if include_role_mapper_groups
-        dg
-      end
-
-      def default_user_groups(user)
-        dug = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
-        if user && user.persisted?
-          dug << Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED
-          dug += role_mapper_user_groups(user) if include_role_mapper_groups
-        end
-        dug
-      end
-
-    end
-  end
-end

data/lib/ddr/auth/grouper_service.rb~

@@ -1,77 +0,0 @@
-require 'dul_hydra'
-require 'grouper-rest-client'
-
-module DulHydra
-  module Services
-    class GrouperService
-
-      class_attribute :config
-
-      def self.configured?
-        !config.nil?
-      end
-
-      # List of all grouper groups for the repository
-      def self.repository_groups
-        groups = []
-        begin
-          client do |c|
-            g = c.groups(DulHydra.remote_groups_name_filter)
-            groups = g if c.ok?
-          end
-        rescue Ddr::Models::Error
-        end
-        groups
-      end
-
-      def self.repository_group_names
-        repository_groups.collect { |g| g["name"] }
-      end
-
-      def self.user_groups(user)
-        groups = []
-        begin
-          client do |c|
-            request_body = { 
-              "WsRestGetGroupsRequest" => {
-                "subjectLookups" => [{"subjectIdentifier" => subject_id(user)}]
-              }
-            }
-            # Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
-            response = c.call("subjects", :post, request_body)
-            if c.ok?
-              result = response["WsGetGroupsResults"]["results"].first
-              # Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
-              if result && result["wsGroups"]
-                groups = result["wsGroups"].select { |g| g["name"] =~ /^#{DulHydra.remote_groups_name_filter}/ }
-              end
-            end
-          end
-        rescue StandardError => e
-          Rails.logger.error e
-        end
-        groups
-      end
-
-      def self.user_group_names(user)
-        user_groups(user).collect { |g| g["name"] }
-      end
-      
-      def self.subject_id(user)
-        user.user_key.split('@').first
-      end
-
-      private
-
-      def self.client
-        raise Ddr::Models::Error unless configured?
-        yield Grouper::Rest::Client::Resource.new(config["url"], 
-                                                  user: config["user"], 
-                                                  password: config["password"],
-                                                  timeout: config.fetch("timeout", 5).to_i
-                                                  )
-      end
-
-    end
-  end
-end

data/lib/ddr/auth/remote_group_service.rb~

@@ -1,35 +0,0 @@
-module DulHydra
-  module Services
-    class RemoteGroupService < GroupService
-
-      attr_reader :env
-
-      def initialize(env = nil)
-        @env = env
-      end
-
-      def append_groups
-        GrouperService.repository_group_names
-      end
-
-      def append_user_groups(user)
-        if env && env.key?(DulHydra.remote_groups_env_key)
-          remote_groups
-        else
-          GrouperService.user_group_names(user)
-        end
-      end
-
-      def remote_groups
-        # get the raw list of values
-        groups = env[DulHydra.remote_groups_env_key].split(DulHydra.remote_groups_env_value_delim)
-        # munge values to proper Grouper group names, if necessary
-        groups = groups.collect { |g| g.sub(*DulHydra.remote_groups_env_value_sub) } if DulHydra.remote_groups_env_value_sub
-        # filter group list as configured
-        groups = groups.select { |g| g =~ /^#{DulHydra.remote_groups_name_filter}/ } if DulHydra.remote_groups_name_filter
-        groups
-      end
-
-    end
-  end
-end

data/lib/ddr/auth/superuser.rb~

@@ -1,9 +0,0 @@
-class Superuser
-
-  include CanCan::Ability
-
-  def initialize
-    can :manage, :all
-  end
-
-end

data/lib/ddr/auth/user.rb~

@@ -1,65 +0,0 @@
-module Ddr
-  module Auth
-    module User
-      extend ActiveSupport::Concern
-
-      included do
-        include Blacklight::User
-        include Hydra::User
-
-        # has_many :batches, :inverse_of => :user, :class_name => DulHydra::Batch::Models::Batch
-        # has_many :ingest_folders, :inverse_of => :user
-        # has_many :metadata_files, :inverse_of => :user
-        # has_many :export_sets, :dependent => :destroy
-        has_many :events, inverse_of: :user, class_name: "Ddr::Events::Event"
-
-        delegate :can?, :cannot?, to: :ability
-
-        validates_uniqueness_of :username, :case_sensitive => false
-        validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/
-
-        # TODO Remove :trackable, :validatable
-        devise :remote_user_authenticatable, :database_authenticatable, :rememberable, :trackable, :validatable
-
-        attr_writer :group_service
-      end
-
-      def group_service
-        @group_service ||= Ddr::Auth::GroupService.new
-      end
-
-      def to_s
-        user_key
-      end
-
-      def ability
-        @ability ||= ::Ability.new(self)
-      end
-
-      def groups
-        @groups ||= group_service.user_groups(self)
-      end
-
-      def member_of?(group)
-        group ? self.groups.include?(group) : false
-      end
-      
-      def authorized_to_act_as_superuser?
-        member_of? group_service.superuser_group
-      end
-
-      def principal_name
-        user_key
-      end
-
-      def principals
-        groups.dup << principal_name
-      end
-
-      def has_role?(obj, role)
-        obj.principal_has_role?(principals, role)
-      end
-
-    end
-  end
-end

data/spec/factories/user_factories.rb~

@@ -1,7 +0,0 @@
-FactoryGirl.define do
-  factory :user, class: Ddr::Auth::User do
-    sequence(:username) { |n| "person#{n}" }
-    email { |u| "#{u.username}@example.com" }
-    password "secret"
-  end
-end

data/spec/features/grouper_integration_spec.rb~

@@ -1,21 +0,0 @@
-require 'spec_helper'
-require 'dul_hydra'
-
-describe "Grouper integration", :type => :feature do
-  let(:user) { FactoryGirl.create(:user) }
-  let(:object) { FactoryGirl.create(:collection) }
-  before do
-    object.title = [ "Grouper Works!" ]
-    object.read_groups = ["duke:library:repository:ddr:foo:bar"]
-    object.save!
-    Warden.on_next_request do |proxy|
-      proxy.env[DulHydra.remote_groups_env_key] = "urn:mace:duke.edu:groups:library:repository:ddr:foo:bar"
-      proxy.set_user user
-    end
-  end
-  it "should honor Grouper group access control" do
-    visit url_for(object)
-    expect(page).to have_content("Grouper Works!")
-  end
-  
-end

data/spec/models/ability_spec.rb~

@@ -1,245 +0,0 @@
-require 'spec_helper'
-require 'dul_hydra'
-require 'cancan/matchers'
-
-describe Ability, type: :model, abilities: true do
-
-  subject { described_class.new(user) }
-  let(:user) { FactoryGirl.create(:user) }
-
-  describe "#upload_permissions", uploads: true do
-    let(:resource) { FactoryGirl.build(:component) }
-    context "user has edit permission" do
-      before { subject.can(:edit, resource) }
-      it { is_expected.to be_able_to(:upload, resource) }
-    end
-    context "user does not have edit permission" do
-      before { subject.cannot(:edit, resource) }
-      it { is_expected.not_to be_able_to(:upload, resource) }
-    end
-  end
-
-  describe "#download_permissions", downloads: true do
-    context "on an object" do
-      context "which is a Component", components: true do
-        let!(:resource) { FactoryGirl.create(:component) }
-        context "and user does NOT have the downloader role" do
-          context "and user has edit permission" do
-            before do
-              resource.edit_users = [user.user_key]
-              resource.save
-            end
-            it { is_expected.to be_able_to(:download, resource) }
-          end
-          context "and user has read permission" do
-            before do
-              resource.read_users = [user.user_key]
-              resource.save
-            end
-            it { is_expected.not_to be_able_to(:download, resource) }
-          end
-          context "and user lacks read permission" do
-            it { is_expected.not_to be_able_to(:download, resource) }
-          end
-        end
-
-        context "and user has the downloader role", roles: true do
-          before do
-            resource.roleAssignments.downloader << user.principal_name
-            resource.save
-          end
-          context "and user has edit permission" do
-            before do
-              resource.edit_users = [user.user_key]
-              resource.save
-            end
-            it { is_expected.to be_able_to(:download, resource) }
-          end
-          context "and user has read permission" do
-            before do
-              resource.read_users = [user.user_key]
-              resource.save
-            end
-            it { is_expected.to be_able_to(:download, resource) }
-          end
-          context "and user lacks read permission" do
-            it { is_expected.not_to be_able_to(:download, resource) }
-          end          
-        end
-      end
-
-      context "which is not a Component" do
-        let(:resource) { FactoryGirl.create(:test_content) }
-        context "and user has read permission" do
-          before do
-            resource.read_users = [user.user_key]
-            resource.save
-          end
-          it { is_expected.to be_able_to(:download, resource) }
-        end
-        context "and user lacks read permission" do
-          it { is_expected.not_to be_able_to(:download, resource) }
-        end                  
-      end
-    end
-
-    context "on a datastream", datastreams: true do
-
-      context "named 'content'", content: true do
-        let(:resource) { obj.content }
-        context "and object is a Component", components: true do
-          let(:obj) { FactoryGirl.create(:component) }
-          context "and user does not have the downloader role" do
-            context "and user has read permission on the object" do
-              before do
-                obj.read_users = [user.user_key]
-                obj.save
-              end
-              it { is_expected.not_to be_able_to(:download, resource) }
-            end
-            context "and user lacks read permission on the object" do
-              it { is_expected.not_to be_able_to(:download, resource) }
-            end
-          end
-
-          context "and user has the downloader role", roles: true do
-            before do
-              obj.roleAssignments.downloader << user.principal_name
-              obj.save
-            end
-            context "and user has read permission on the object" do
-              before do
-                obj.read_users = [user.user_key]
-                obj.save
-              end
-              it { is_expected.to be_able_to(:download, resource) }
-            end
-            context "and user lacks read permission on the object" do
-              it { is_expected.not_to be_able_to(:download, resource) }
-            end          
-          end
-        end
-
-        context "and object is not a Component" do
-          let(:obj) { FactoryGirl.create(:test_content) }
-          context "and user has read permission on the object" do
-            before do
-              obj.read_users = [user.user_key]
-              obj.save
-            end
-            it { is_expected.to be_able_to(:download, resource) }
-          end
-          context "and user lacks read permission on the object" do
-            it { is_expected.not_to be_able_to(:download, resource) }
-          end                  
-        end
-
-      end
-
-      context "not named 'content'" do
-        let(:obj) { FactoryGirl.create(:test_model) }
-        let(:resource) { obj.descMetadata }
-        context "and user has read permission on the object" do
-          before do
-            obj.read_users = [user.user_key]
-            obj.save
-          end
-          it { is_expected.to be_able_to(:download, resource) }
-        end
-        context "and user lacks read permission on the object" do
-          it { is_expected.not_to be_able_to(:download, resource) }
-        end        
-      end
-
-    end
-
-  end # download_permissions
-
-  describe "#discover_permissions" do
-    # TODO
-  end
-
-  describe "#events_permissions", events: true do
-    let(:object) { FactoryGirl.create(:test_model) }
-    let(:resource) { Ddr::Events::Event.new(pid: object.pid) }
-    context "event is associated with a user" do
-      before { resource.user = user }
-      it { is_expected.to be_able_to(:read, resource) }
-    end
-    context "event is not associated with a user" do      
-      context "and can read object" do
-        before do
-          object.read_users = [user.user_key]
-          object.save!
-        end
-        it { is_expected.to be_able_to(:read, resource) }
-      end
-      context "and cannot read object" do
-        it { is_expected.not_to be_able_to(:read, resource) }
-      end
-    end
-  end
-
-  describe "#export_sets_permissions", export_sets: true do
-    let(:resource) { ExportSet.new(user: user) }
-    context "associated user" do
-      it { is_expected.to be_able_to(:manage, resource) }
-    end
-    context "other user" do
-      subject { described_class.new(other_user) }
-      let(:other_user) { FactoryGirl.create(:user) }
-      it { is_expected.not_to be_able_to(:read, resource) }
-    end
-  end
-  
-  describe "#ingest_folders_permissions", ingest_folders: true do
-    let(:resource) { IngestFolder }
-    context "user has no permitted ingest folders" do
-      before { allow(resource).to receive(:permitted_folders).with(user).and_return([]) }
-      it { is_expected.not_to be_able_to(:create, resource) }
-    end
-    context "user has at least one permitted ingest folder" do
-      before { allow(resource).to receive(:permitted_folders).with(user).and_return(['dir']) }
-      it { is_expected.to be_able_to(:create, resource) }
-    end
-  end
-
-  describe "#attachment_permissions", attachments: true do
-    context "object can have attachments" do
-      let(:resource) { FactoryGirl.build(:test_model_omnibus) }
-      context "and user lacks edit rights" do
-        before { subject.cannot(:edit, resource) }
-        it { is_expected.not_to be_able_to(:add_attachment, resource) }
-      end
-      context "and user has edit rights" do
-        before { subject.can(:edit, resource) }
-        it { is_expected.to be_able_to(:add_attachment, resource) }
-      end
-    end
-    context "object cannot have attachments" do
-      let(:resource) { FactoryGirl.build(:test_model) }
-      before { subject.can(:edit, resource) }
-      it { is_expected.not_to be_able_to(:add_attachment, resource) }
-    end
-  end
-
-  describe "#children_permissions", children: true do
-    context "user has edit rights on object" do
-      before { subject.can(:edit, resource) }
-      context "and object can have children" do
-        let(:resource) { FactoryGirl.build(:collection) }
-        it { is_expected.to be_able_to(:add_children, resource) }
-      end
-      context "but object cannot have children" do
-        let(:resource) { FactoryGirl.build(:component) }
-        it { is_expected.not_to be_able_to(:add_children, resource) }
-      end
-    end
-    context "user lacks edit rights on attached_to object" do
-      let(:resource) { FactoryGirl.build(:collection) }
-      before { subject.cannot(:edit, resource) }
-      it { is_expected.not_to be_able_to(:add_children, resource) }
-    end    
-  end
-
-end