ddr-models 1.2.0

data/lib/ddr/auth/group_service.rb

@@ -0,0 +1,53 @@
+module Ddr
+  module Auth
+    class GroupService
+
+      class_attribute :include_role_mapper_groups
+      self.include_role_mapper_groups = RoleMapper.role_names.present? rescue false
+
+      def role_mapper_user_groups(user)
+        RoleMapper.roles(user) rescue []
+      end
+
+      def role_mapper_groups
+        RoleMapper.role_names rescue []
+      end
+
+      def groups
+        default_groups | append_groups
+      end
+
+      def user_groups(user)
+        default_user_groups(user) | append_user_groups(user)
+      end
+
+      def superuser_group
+        Ddr::Auth.superuser_group
+      end
+
+      def append_groups
+        []
+      end
+
+      def append_user_groups(user)
+        []
+      end
+
+      def default_groups
+        dg = [Ddr::Auth.everyone_group, Ddr::Auth.authenticated_users_group]
+        dg += role_mapper_groups if include_role_mapper_groups
+        dg
+      end
+
+      def default_user_groups(user)
+        dug = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
+        if user && user.persisted?
+          dug << Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED
+          dug += role_mapper_user_groups(user) if include_role_mapper_groups
+        end
+        dug
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/group_service.rb~

@@ -0,0 +1,53 @@
+module Ddr
+  module Auth
+    class GroupService
+
+      class_attribute :include_role_mapper_groups
+      self.include_role_mapper_groups = RoleMapper.role_names.present? rescue false
+
+      def role_mapper_user_groups(user)
+        RoleMapper.roles(user) rescue []
+      end
+
+      def role_mapper_groups
+        RoleMapper.role_names rescue []
+      end
+
+      def groups
+        default_groups | append_groups
+      end
+
+      def user_groups(user)
+        default_user_groups(user) | append_user_groups(user)
+      end
+
+      def superuser_group
+        Ddr::Auth.superuser_group
+      end
+
+      def append_groups
+        []
+      end
+
+      def append_user_groups(user)
+        []
+      end
+
+      def default_groups
+        dg = [Ddr::Auth.everyone_group, Ddr::Auth.authenticated_users_group]
+        dg += role_mapper_groups if include_role_mapper_groups
+        dg
+      end
+
+      def default_user_groups(user)
+        dug = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
+        if user && user.persisted?
+          dug << Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED
+          dug += role_mapper_user_groups(user) if include_role_mapper_groups
+        end
+        dug
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/grouper_service.rb

@@ -0,0 +1,76 @@
+require 'grouper-rest-client'
+
+module Ddr
+  module Auth
+    class GrouperService
+
+      class_attribute :config
+
+      def self.configured?
+        !config.nil?
+      end
+
+      # List of all grouper groups for the repository
+      def self.repository_groups
+        groups = []
+        begin
+          client do |c|
+            g = c.groups(Ddr::Auth.remote_groups_name_filter)
+            groups = g if c.ok?
+          end
+        rescue Ddr::Models::Error
+        end
+        groups
+      end
+
+      def self.repository_group_names
+        repository_groups.collect { |g| g["name"] }
+      end
+
+      def self.user_groups(user)
+        groups = []
+        begin
+          client do |c|
+            request_body = { 
+              "WsRestGetGroupsRequest" => {
+                "subjectLookups" => [{"subjectIdentifier" => subject_id(user)}]
+              }
+            }
+            # Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
+            response = c.call("subjects", :post, request_body)
+            if c.ok?
+              result = response["WsGetGroupsResults"]["results"].first
+              # Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
+              if result && result["wsGroups"]
+                groups = result["wsGroups"].select { |g| g["name"] =~ /^#{Ddr::Auth.remote_groups_name_filter}/ }
+              end
+            end
+          end
+        rescue StandardError => e
+          Rails.logger.error e
+        end
+        groups
+      end
+
+      def self.user_group_names(user)
+        user_groups(user).collect { |g| g["name"] }
+      end
+      
+      def self.subject_id(user)
+        user.user_key.split('@').first
+      end
+
+      private
+
+      def self.client
+        raise Ddr::Models::Error unless configured?
+        yield Grouper::Rest::Client::Resource.new(config["url"], 
+                                                  user: config["user"], 
+                                                  password: config["password"],
+                                                  timeout: config.fetch("timeout", 5).to_i
+                                                  )
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/grouper_service.rb~

@@ -0,0 +1,77 @@
+require 'dul_hydra'
+require 'grouper-rest-client'
+
+module DulHydra
+  module Services
+    class GrouperService
+
+      class_attribute :config
+
+      def self.configured?
+        !config.nil?
+      end
+
+      # List of all grouper groups for the repository
+      def self.repository_groups
+        groups = []
+        begin
+          client do |c|
+            g = c.groups(DulHydra.remote_groups_name_filter)
+            groups = g if c.ok?
+          end
+        rescue Ddr::Models::Error
+        end
+        groups
+      end
+
+      def self.repository_group_names
+        repository_groups.collect { |g| g["name"] }
+      end
+
+      def self.user_groups(user)
+        groups = []
+        begin
+          client do |c|
+            request_body = { 
+              "WsRestGetGroupsRequest" => {
+                "subjectLookups" => [{"subjectIdentifier" => subject_id(user)}]
+              }
+            }
+            # Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
+            response = c.call("subjects", :post, request_body)
+            if c.ok?
+              result = response["WsGetGroupsResults"]["results"].first
+              # Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
+              if result && result["wsGroups"]
+                groups = result["wsGroups"].select { |g| g["name"] =~ /^#{DulHydra.remote_groups_name_filter}/ }
+              end
+            end
+          end
+        rescue StandardError => e
+          Rails.logger.error e
+        end
+        groups
+      end
+
+      def self.user_group_names(user)
+        user_groups(user).collect { |g| g["name"] }
+      end
+      
+      def self.subject_id(user)
+        user.user_key.split('@').first
+      end
+
+      private
+
+      def self.client
+        raise Ddr::Models::Error unless configured?
+        yield Grouper::Rest::Client::Resource.new(config["url"], 
+                                                  user: config["user"], 
+                                                  password: config["password"],
+                                                  timeout: config.fetch("timeout", 5).to_i
+                                                  )
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/remote_group_service.rb

@@ -0,0 +1,35 @@
+module Ddr
+  module Auth
+    class RemoteGroupService < GroupService
+
+      attr_reader :env
+
+      def initialize(env = nil)
+        @env = env
+      end
+
+      def append_groups
+        GrouperService.repository_group_names
+      end
+
+      def append_user_groups(user)
+        if env && env.key?(Ddr::Auth.remote_groups_env_key)
+          remote_groups
+        else
+          GrouperService.user_group_names(user)
+        end
+      end
+
+      def remote_groups
+        # get the raw list of values
+        groups = env[Ddr::Auth.remote_groups_env_key].split(Ddr::Auth.remote_groups_env_value_delim)
+        # munge values to proper Grouper group names, if necessary
+        groups = groups.collect { |g| g.sub(*Ddr::Auth.remote_groups_env_value_sub) } if Ddr::Auth.remote_groups_env_value_sub
+        # filter group list as configured
+        groups = groups.select { |g| g =~ /^#{Ddr::Auth.remote_groups_name_filter}/ } if Ddr::Auth.remote_groups_name_filter
+        groups
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/remote_group_service.rb~

@@ -0,0 +1,35 @@
+module DulHydra
+  module Services
+    class RemoteGroupService < GroupService
+
+      attr_reader :env
+
+      def initialize(env = nil)
+        @env = env
+      end
+
+      def append_groups
+        GrouperService.repository_group_names
+      end
+
+      def append_user_groups(user)
+        if env && env.key?(DulHydra.remote_groups_env_key)
+          remote_groups
+        else
+          GrouperService.user_group_names(user)
+        end
+      end
+
+      def remote_groups
+        # get the raw list of values
+        groups = env[DulHydra.remote_groups_env_key].split(DulHydra.remote_groups_env_value_delim)
+        # munge values to proper Grouper group names, if necessary
+        groups = groups.collect { |g| g.sub(*DulHydra.remote_groups_env_value_sub) } if DulHydra.remote_groups_env_value_sub
+        # filter group list as configured
+        groups = groups.select { |g| g =~ /^#{DulHydra.remote_groups_name_filter}/ } if DulHydra.remote_groups_name_filter
+        groups
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/superuser.rb

@@ -0,0 +1,13 @@
+module Ddr
+  module Auth
+    class Superuser
+
+      include CanCan::Ability
+
+      def initialize
+        can :manage, :all
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/superuser.rb~

@@ -0,0 +1,9 @@
+class Superuser
+
+  include CanCan::Ability
+
+  def initialize
+    can :manage, :all
+  end
+
+end

data/lib/ddr/auth/user.rb

@@ -0,0 +1,71 @@
+module Ddr
+  module Auth
+    module User
+      extend ActiveSupport::Concern
+
+      included do
+        include Blacklight::User
+
+        has_many :events, inverse_of: :user, class_name: "Ddr::Events::Event"
+
+        delegate :can?, :cannot?, to: :ability
+
+        validates_uniqueness_of :username, :case_sensitive => false
+        validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/
+
+        # TODO Remove :trackable, :validatable
+        devise :remote_user_authenticatable, :database_authenticatable, :rememberable, :trackable, :validatable
+
+        attr_writer :group_service
+      end
+
+      module ClassMethods
+        def find_by_user_key(key)
+          self.send("find_by_#{Devise.authentication_keys.first}", key)
+        end
+      end
+
+      # Copied from Hydra::User
+      def user_key
+        send(Devise.authentication_keys.first)
+      end
+
+      def group_service
+        @group_service ||= GroupService.new
+      end
+
+      def to_s
+        user_key
+      end
+
+      def ability
+        @ability ||= ::Ability.new(self)
+      end
+
+      def groups
+        @groups ||= group_service.user_groups(self)
+      end
+
+      def member_of?(group)
+        group ? self.groups.include?(group) : false
+      end
+      
+      def authorized_to_act_as_superuser?
+        member_of? group_service.superuser_group
+      end
+
+      def principal_name
+        user_key
+      end
+
+      def principals
+        groups.dup << principal_name
+      end
+
+      def has_role?(obj, role)
+        obj.principal_has_role?(principals, role)
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/user.rb~

@@ -0,0 +1,65 @@
+module Ddr
+  module Auth
+    module User
+      extend ActiveSupport::Concern
+
+      included do
+        include Blacklight::User
+        include Hydra::User
+
+        # has_many :batches, :inverse_of => :user, :class_name => DulHydra::Batch::Models::Batch
+        # has_many :ingest_folders, :inverse_of => :user
+        # has_many :metadata_files, :inverse_of => :user
+        # has_many :export_sets, :dependent => :destroy
+        has_many :events, inverse_of: :user, class_name: "Ddr::Events::Event"
+
+        delegate :can?, :cannot?, to: :ability
+
+        validates_uniqueness_of :username, :case_sensitive => false
+        validates_format_of :email, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/
+
+        # TODO Remove :trackable, :validatable
+        devise :remote_user_authenticatable, :database_authenticatable, :rememberable, :trackable, :validatable
+
+        attr_writer :group_service
+      end
+
+      def group_service
+        @group_service ||= Ddr::Auth::GroupService.new
+      end
+
+      def to_s
+        user_key
+      end
+
+      def ability
+        @ability ||= ::Ability.new(self)
+      end
+
+      def groups
+        @groups ||= group_service.user_groups(self)
+      end
+
+      def member_of?(group)
+        group ? self.groups.include?(group) : false
+      end
+      
+      def authorized_to_act_as_superuser?
+        member_of? group_service.superuser_group
+      end
+
+      def principal_name
+        user_key
+      end
+
+      def principals
+        groups.dup << principal_name
+      end
+
+      def has_role?(obj, role)
+        obj.principal_has_role?(principals, role)
+      end
+
+    end
+  end
+end