ddr-models 1.2.1 → 1.3.0

data/db/migrate/20141104181418_create_users.rb~

@@ -0,0 +1,6 @@
+class CreateUsers < ActiveRecord::Migration
+  def change
+    create_table :users do |t|
+    end
+  end
+end

data/lib/ddr/auth.rb

@@ -9,9 +9,12 @@ module Ddr
     autoload :GrouperService
     autoload :RemoteGroupService
 
-    # Superuser group
+    # Group authorized to act as superuser
     mattr_accessor :superuser_group
 
+    # Group authorized to create Collections
+    mattr_accessor :collection_creators_group
+
     ## Remote groups (i.e., Grouper) config settings
     # request.env key for group memberships
     mattr_accessor :remote_groups_env_key do
@@ -33,10 +36,12 @@ module Ddr
       "duke:library:repository:ddr:"
     end
 
+    # Name of group of which everyone (including anonymous users) is a member
     mattr_accessor :everyone_group do
       "public"
     end
 
+    # Group of authenticated users
     mattr_accessor :authenticated_users_group do
       "registered"
     end

data/lib/ddr/auth.rb~

@@ -0,0 +1,47 @@
+module Ddr
+  module Auth
+    extend ActiveSupport::Autoload
+
+    autoload :User
+    autoload :Superuser
+    autoload :Ability
+    autoload :GroupService
+    autoload :GrouperService
+    autoload :RemoteGroupService
+
+    # Superuser group
+    mattr_accessor :superuser_group do
+      ENV['SUPERUSER_GROUP']
+    end
+
+    ## Remote groups (i.e., Grouper) config settings
+    # request.env key for group memberships
+    mattr_accessor :remote_groups_env_key do
+      "ismemberof"
+    end
+
+    # request.env value internal delimiter
+    mattr_accessor :remote_groups_env_value_delim do
+      ";"
+    end
+
+    # pattern/repl for converting request.env membership values to proper (Grouper) group names
+    mattr_accessor :remote_groups_env_value_sub do
+      [/^urn:mace:duke\.edu:groups/, "duke"]
+    end
+
+    # Filter for getting list of remote groups for the repository - String, not Regexp
+    mattr_accessor :remote_groups_name_filter do
+      "duke:library:repository:ddr:"
+    end
+
+    mattr_accessor :everyone_group do
+      "public"
+    end
+
+    mattr_accessor :authenticated_users_group do
+      "registered"
+    end
+
+  end
+end

data/lib/ddr/auth/ability.rb

@@ -6,6 +6,7 @@ module Ddr
 
       def custom_permissions
         action_aliases
+        collection_permissions
         discover_permissions
         events_permissions
         attachment_permissions
@@ -20,6 +21,10 @@ module Ddr
         alias_action :permissions, :default_permissions, to: :update
       end
 
+      def collection_permissions
+        can :create, Collection if current_user.member_of?(Ddr::Auth.collection_creators_group)
+      end
+
       def read_permissions
         super
         can :read, ActiveFedora::Datastream do |ds|

data/lib/ddr/auth/ability.rb~

@@ -0,0 +1,204 @@
+module Ddr
+  module Auth
+    class Ability
+
+      include Hydra::PolicyAwareAbility
+
+      def custom_permissions
+        action_aliases
+        discover_permissions
+        export_sets_permissions
+        events_permissions
+        batches_permissions
+        ingest_folders_permissions
+        metadata_files_permissions
+        attachment_permissions
+        children_permissions
+        upload_permissions
+      end
+
+      def action_aliases
+        # read aliases
+        alias_action :attachments, :collection_info, :components, :event, :events, :items, :targets, to: :read
+        # edit/update aliases
+        alias_action :permissions, :default_permissions, to: :update
+      end
+
+      def read_permissions
+        super
+        can :read, ActiveFedora::Datastream do |ds|
+          can? :read, ds.pid
+        end
+      end
+
+      def edit_permissions
+        super
+        can [:edit, :update, :destroy], ActiveFedora::Datastream do |action, ds|
+          can? action, ds.pid
+        end
+      end
+
+      def export_sets_permissions
+        can :create, ExportSet if authenticated_user?
+        can :manage, ExportSet, user: current_user
+      end
+
+      def events_permissions
+        can :read, Ddr::Events::Event, user: current_user
+        can :read, Ddr::Events::Event do |e|
+          can? :read, e.pid
+        end
+      end
+      
+      def batches_permissions
+        can :manage, DulHydra::Batch::Models::Batch, :user_id => current_user.id
+        can :manage, DulHydra::Batch::Models::BatchObject do |batch_object|
+          can? :manage, batch_object.batch
+        end
+      end
+
+      def ingest_folders_permissions
+        can :create, IngestFolder if IngestFolder.permitted_folders(current_user).present?
+        can [:show, :procezz], IngestFolder, user: current_user
+      end
+      
+      def metadata_files_permissions
+        can [:show, :procezz], MetadataFile, user: current_user
+      end
+      
+      def download_permissions
+        can :download, ActiveFedora::Base do |obj|
+          if obj.is_a? Component
+            can?(:edit, obj) || (can?(:read, obj) && current_user.has_role?(obj, :downloader))
+          else
+            can? :read, obj
+          end
+        end
+        can :download, SolrDocument do |doc|
+          if doc.active_fedora_model == "Component"
+            can?(:edit, doc) || (can?(:read, doc) && current_user.has_role?(doc, :downloader))
+          else
+            can? :read, doc
+          end
+        end
+        can :download, ActiveFedora::Datastream do |ds|
+          if ds.dsid == Ddr::Datastreams::CONTENT and ds.digital_object.original_class == Component
+            can?(:edit, ds.pid) || (can?(:read, ds.pid) && current_user.has_role?(solr_doc(ds.pid), :downloader))
+          else
+            can? :read, ds.pid
+          end
+        end
+      end
+
+      def upload_permissions
+        can :upload, Ddr::Models::HasContent do |obj|
+          can?(:edit, obj)
+        end
+      end
+
+      def children_permissions
+        can :add_children, Ddr::Models::HasChildren do |obj|
+          can?(:edit, obj)
+        end
+      end
+
+      # Mimics Hydra::Ability#read_permissions
+      def discover_permissions
+        can :discover, String do |pid|
+          test_discover(pid)
+        end
+
+        can :discover, ActiveFedora::Base do |obj|
+          test_discover(obj.pid)
+        end 
+        
+        can :discover, SolrDocument do |obj|
+          cache.put(obj.id, obj)
+          test_discover(obj.id)
+        end 
+      end
+
+      def attachment_permissions
+        can :add_attachment, Ddr::Models::HasAttachments do |obj|
+          can?(:edit, obj)
+        end
+      end
+
+      # Mimics Hydra::Ability#test_read + Hydra::PolicyAwareAbility#test_read in one method
+      def test_discover(pid)
+        Rails.logger.debug("[CANCAN] Checking discover permissions for user: #{current_user.user_key} with groups: #{user_groups.inspect}")
+        group_intersection = user_groups & discover_groups(pid)
+        result = !group_intersection.empty? || discover_persons(pid).include?(current_user.user_key)
+        result || test_discover_from_policy(pid)
+      end 
+
+      # Mimics Hydra::PolicyAwareAbility#test_read_from_policy
+      def test_discover_from_policy(object_pid)
+        policy_pid = policy_pid_for(object_pid)
+        if policy_pid.nil?
+          return false
+        else
+          Rails.logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide DISCOVER permissions for #{current_user.user_key}?")
+          group_intersection = user_groups & discover_groups_from_policy(policy_pid)
+          result = !group_intersection.empty? || discover_persons_from_policy(policy_pid).include?(current_user.user_key)
+          Rails.logger.debug("[CANCAN] -policy- decision: #{result}")
+          result
+        end
+      end 
+
+      # Mimics Hydra::Ability#read_groups
+      def discover_groups(pid)
+        doc = permissions_doc(pid)
+        return [] if doc.nil?
+        dg = edit_groups(pid) | read_groups(pid) | (doc[self.class.discover_group_field] || [])
+        Rails.logger.debug("[CANCAN] discover_groups: #{dg.inspect}")
+        return dg
+      end
+
+      # Mimics Hydra::PolicyAwareAbility#read_groups_from_policy
+      def discover_groups_from_policy(policy_pid)
+        policy_permissions = policy_permissions_doc(policy_pid)
+        discover_group_field = Hydra.config[:permissions][:inheritable][:discover][:group]
+        dg = edit_groups_from_policy(policy_pid) | read_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_group_field, nil) == nil) ? [] : policy_permissions.fetch(discover_group_field, nil))
+        Rails.logger.debug("[CANCAN] -policy- discover_groups: #{dg.inspect}")
+        return dg
+      end
+
+      # Mimics Hydra::Ability#read_persons
+      def discover_persons(pid)
+        doc = permissions_doc(pid)
+        return [] if doc.nil?
+        dp = edit_persons(pid) | read_persons(pid) | (doc[self.class.discover_person_field] || [])
+        Rails.logger.debug("[CANCAN] discover_persons: #{dp.inspect}")
+        return dp
+      end
+
+      def discover_persons_from_policy(policy_pid)
+        policy_permissions = policy_permissions_doc(policy_pid)
+        discover_individual_field = Hydra.config[:permissions][:inheritable][:discover][:individual]
+        dp = edit_persons_from_policy(policy_pid) | read_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(discover_individual_field, nil) == nil) ? [] : policy_permissions.fetch(discover_individual_field, nil))
+        Rails.logger.debug("[CANCAN] -policy- discover_persons: #{dp.inspect}")
+        return dp
+      end
+
+      def self.discover_person_field 
+        Hydra.config[:permissions][:discover][:individual]
+      end
+
+      def self.discover_group_field
+        Hydra.config[:permissions][:discover][:group]
+      end
+
+      private
+
+      def authenticated_user?
+        current_user.persisted?
+      end
+
+      def solr_doc(pid)
+        SolrDocument.new(ActiveFedora::SolrService.query("id:\"#{pid}\"", rows: 1).first)
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/group_service.rb~

@@ -0,0 +1,53 @@
+module Ddr
+  module Auth
+    class GroupService
+
+      class_attribute :include_role_mapper_groups
+      self.include_role_mapper_groups = RoleMapper.role_names.present? rescue false
+
+      def role_mapper_user_groups(user)
+        RoleMapper.roles(user) rescue []
+      end
+
+      def role_mapper_groups
+        RoleMapper.role_names rescue []
+      end
+
+      def groups
+        default_groups | append_groups
+      end
+
+      def user_groups(user)
+        default_user_groups(user) | append_user_groups(user)
+      end
+
+      def superuser_group
+        Ddr::Auth.superuser_group
+      end
+
+      def append_groups
+        []
+      end
+
+      def append_user_groups(user)
+        []
+      end
+
+      def default_groups
+        dg = [Ddr::Auth.everyone_group, Ddr::Auth.authenticated_users_group]
+        dg += role_mapper_groups if include_role_mapper_groups
+        dg
+      end
+
+      def default_user_groups(user)
+        dug = [Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_PUBLIC]
+        if user && user.persisted?
+          dug << Hydra::AccessControls::AccessRight::PERMISSION_TEXT_VALUE_AUTHENTICATED
+          dug += role_mapper_user_groups(user) if include_role_mapper_groups
+        end
+        dug
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/grouper_service.rb~

@@ -0,0 +1,77 @@
+require 'dul_hydra'
+require 'grouper-rest-client'
+
+module DulHydra
+  module Services
+    class GrouperService
+
+      class_attribute :config
+
+      def self.configured?
+        !config.nil?
+      end
+
+      # List of all grouper groups for the repository
+      def self.repository_groups
+        groups = []
+        begin
+          client do |c|
+            g = c.groups(DulHydra.remote_groups_name_filter)
+            groups = g if c.ok?
+          end
+        rescue Ddr::Models::Error
+        end
+        groups
+      end
+
+      def self.repository_group_names
+        repository_groups.collect { |g| g["name"] }
+      end
+
+      def self.user_groups(user)
+        groups = []
+        begin
+          client do |c|
+            request_body = { 
+              "WsRestGetGroupsRequest" => {
+                "subjectLookups" => [{"subjectIdentifier" => subject_id(user)}]
+              }
+            }
+            # Have to use :call b/c grouper-rest-client :subjects method doesn't support POST
+            response = c.call("subjects", :post, request_body)
+            if c.ok?
+              result = response["WsGetGroupsResults"]["results"].first
+              # Have to manually filter results b/c Grouper WS version 1.5 does not support filter parameter
+              if result && result["wsGroups"]
+                groups = result["wsGroups"].select { |g| g["name"] =~ /^#{DulHydra.remote_groups_name_filter}/ }
+              end
+            end
+          end
+        rescue StandardError => e
+          Rails.logger.error e
+        end
+        groups
+      end
+
+      def self.user_group_names(user)
+        user_groups(user).collect { |g| g["name"] }
+      end
+      
+      def self.subject_id(user)
+        user.user_key.split('@').first
+      end
+
+      private
+
+      def self.client
+        raise Ddr::Models::Error unless configured?
+        yield Grouper::Rest::Client::Resource.new(config["url"], 
+                                                  user: config["user"], 
+                                                  password: config["password"],
+                                                  timeout: config.fetch("timeout", 5).to_i
+                                                  )
+      end
+
+    end
+  end
+end

data/lib/ddr/auth/remote_group_service.rb~

@@ -0,0 +1,35 @@
+module DulHydra
+  module Services
+    class RemoteGroupService < GroupService
+
+      attr_reader :env
+
+      def initialize(env = nil)
+        @env = env
+      end
+
+      def append_groups
+        GrouperService.repository_group_names
+      end
+
+      def append_user_groups(user)
+        if env && env.key?(DulHydra.remote_groups_env_key)
+          remote_groups
+        else
+          GrouperService.user_group_names(user)
+        end
+      end
+
+      def remote_groups
+        # get the raw list of values
+        groups = env[DulHydra.remote_groups_env_key].split(DulHydra.remote_groups_env_value_delim)
+        # munge values to proper Grouper group names, if necessary
+        groups = groups.collect { |g| g.sub(*DulHydra.remote_groups_env_value_sub) } if DulHydra.remote_groups_env_value_sub
+        # filter group list as configured
+        groups = groups.select { |g| g =~ /^#{DulHydra.remote_groups_name_filter}/ } if DulHydra.remote_groups_name_filter
+        groups
+      end
+
+    end
+  end
+end