decision_agent 0.1.3 → 0.1.6

data/lib/decision_agent/auth/rbac_adapter.rb

@@ -0,0 +1,278 @@
+module DecisionAgent
+  module Auth
+    # Base adapter interface for RBAC integration
+    # Users can extend this to integrate with any authentication/authorization system
+    class RbacAdapter
+      # Check if a user has a specific permission
+      # @param user [Object] The user object from your auth system
+      # @param permission [Symbol, String] The permission to check
+      # @param resource [Object, nil] Optional resource for resource-level permissions
+      # @return [Boolean] true if user has permission, false otherwise
+      def can?(user, permission, resource = nil)
+        raise NotImplementedError, "Subclasses must implement #can?"
+      end
+
+      # Check if a user has a specific role
+      # @param user [Object] The user object from your auth system
+      # @param role [Symbol, String] The role to check
+      # @return [Boolean] true if user has role, false otherwise
+      def has_role?(user, role)
+        raise NotImplementedError, "Subclasses must implement #has_role?"
+      end
+
+      # Check if a user is active/enabled
+      # @param user [Object] The user object from your auth system
+      # @return [Boolean] true if user is active, false otherwise
+      def active?(user)
+        return false unless user
+
+        # Default implementation - can be overridden
+        user.respond_to?(:active?) ? user.active? : true
+      end
+
+      # Get user ID for audit/logging purposes
+      # @param user [Object] The user object from your auth system
+      # @return [String, Integer] User identifier
+      def user_id(user)
+        return nil unless user
+
+        user.respond_to?(:id) ? user.id : user.to_s
+      end
+
+      # Get user email for display/logging purposes
+      # @param user [Object] The user object from your auth system
+      # @return [String, nil] User email
+      def user_email(user)
+        return nil unless user
+
+        user.respond_to?(:email) ? user.email : nil
+      end
+    end
+
+    # Default adapter using the built-in User/Role/Permission system
+    class DefaultAdapter < RbacAdapter
+      def can?(user, permission, _resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        # Check if user has any role with the required permission
+        roles = extract_roles(user)
+        roles.any? do |role|
+          Role.has_permission?(role, permission)
+        end
+      end
+
+      def has_role?(user, role)
+        return false unless user
+
+        roles = extract_roles(user)
+        roles.include?(role.to_sym)
+      end
+
+      def active?(user)
+        return false unless user
+
+        user.respond_to?(:active) ? user.active : true
+      end
+
+      private
+
+      def extract_roles(user)
+        if user.respond_to?(:roles)
+          Array(user.roles).map(&:to_sym)
+        elsif user.respond_to?(:role)
+          [user.role.to_sym]
+        else
+          []
+        end
+      end
+    end
+
+    # Adapter for Devise + CanCanCan integration
+    class DeviseCanCanAdapter < RbacAdapter
+      def initialize(ability_class: nil)
+        super()
+        @ability_class = ability_class
+      end
+
+      def can?(user, permission, resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        # CanCanCan uses :can? method with action and resource
+        if user.respond_to?(:can?)
+          # Map permission to CanCanCan action
+          action = map_permission_to_action(permission)
+          user.can?(action, resource || Object)
+        elsif @ability_class
+          # Use Ability class if provided
+          ability = @ability_class.new(user)
+          action = map_permission_to_action(permission)
+          ability.can?(action, resource || Object)
+        else
+          false
+        end
+      end
+
+      def has_role?(user, role)
+        return false unless user
+        return false unless active?(user)
+
+        # Check if user has role via CanCanCan roles or other methods
+        if user.respond_to?(:has_role?)
+          user.has_role?(role)
+        elsif user.respond_to?(:roles)
+          user.roles.any? { |r| r.to_s == role.to_s || r.name.to_s == role.to_s }
+        else
+          false
+        end
+      end
+
+      def active?(user)
+        return false unless user
+
+        # Devise typically uses active_for_authentication? or active?
+        if user.respond_to?(:active_for_authentication?)
+          user.active_for_authentication?
+        elsif user.respond_to?(:active?)
+          user.active?
+        else
+          true
+        end
+      end
+
+      private
+
+      def map_permission_to_action(permission)
+        # Map decision_agent permissions to CanCanCan actions
+        mapping = {
+          read: :read,
+          write: :create,
+          delete: :destroy,
+          approve: :approve,
+          deploy: :deploy,
+          manage_users: :manage,
+          audit: :read
+        }
+        mapping[permission.to_sym] || permission.to_sym
+      end
+    end
+
+    # Adapter for Pundit authorization
+    class PunditAdapter < RbacAdapter
+      def can?(user, permission, resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        # Pundit uses policy classes
+        if resource.respond_to?(:policy_class)
+          policy = resource.policy_class.new(user, resource)
+          action = map_permission_to_action(permission)
+          policy.respond_to?(action) && policy.public_send(action)
+        elsif resource
+          # Try to infer policy class from resource
+          policy_class_name = "#{resource.class.name}Policy"
+          if Object.const_defined?(policy_class_name)
+            policy_class = Object.const_get(policy_class_name)
+            policy = policy_class.new(user, resource)
+            action = map_permission_to_action(permission)
+            policy.respond_to?(action) && policy.public_send(action)
+          else
+            false
+          end
+        else
+          false
+        end
+      end
+
+      def has_role?(user, role)
+        return false unless user
+        return false unless active?(user)
+
+        if user.respond_to?(:has_role?)
+          user.has_role?(role)
+        elsif user.respond_to?(:roles)
+          user.roles.any? { |r| r.to_s == role.to_s || r.name.to_s == role.to_s }
+        else
+          false
+        end
+      end
+
+      private
+
+      def map_permission_to_action(permission)
+        mapping = {
+          read: :show,
+          write: :create,
+          delete: :destroy,
+          approve: :approve,
+          deploy: :deploy,
+          manage_users: :manage,
+          audit: :audit
+        }
+        mapping[permission.to_sym] || permission.to_sym
+      end
+    end
+
+    # Custom adapter that allows users to provide their own logic via blocks/procs
+    class CustomAdapter < RbacAdapter
+      def initialize(
+        can_proc: nil,
+        has_role_proc: nil,
+        active_proc: nil,
+        user_id_proc: nil,
+        user_email_proc: nil
+      )
+        super()
+        @can_proc = can_proc
+        @has_role_proc = has_role_proc
+        @active_proc = active_proc
+        @user_id_proc = user_id_proc
+        @user_email_proc = user_email_proc
+      end
+
+      def can?(user, permission, resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        raise NotImplementedError, "CustomAdapter requires can_proc to be provided" unless @can_proc
+
+        @can_proc.call(user, permission, resource)
+      end
+
+      def has_role?(user, role)
+        return false unless user
+
+        raise NotImplementedError, "CustomAdapter requires has_role_proc to be provided" unless @has_role_proc
+
+        @has_role_proc.call(user, role)
+      end
+
+      def active?(user)
+        return false unless user
+
+        if @active_proc
+          @active_proc.call(user)
+        else
+          super
+        end
+      end
+
+      def user_id(user)
+        if @user_id_proc
+          @user_id_proc.call(user)
+        else
+          super
+        end
+      end
+
+      def user_email(user)
+        if @user_email_proc
+          @user_email_proc.call(user)
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/rbac_config.rb

@@ -0,0 +1,51 @@
+module DecisionAgent
+  module Auth
+    # Configuration class for RBAC adapter
+    class RbacConfig
+      attr_accessor :authenticator, :user_store
+
+      def initialize
+        @adapter = nil
+        @authenticator = nil
+        @user_store = nil
+      end
+
+      # Configure with a built-in adapter
+      # @param adapter_type [Symbol] :default, :devise_cancan, :pundit, or :custom
+      # @param options [Hash] Options for the adapter
+      def use(adapter_type, **options)
+        case adapter_type.to_sym
+        when :default
+          @adapter = DefaultAdapter.new
+        when :devise_cancan
+          @adapter = DeviseCanCanAdapter.new(**options)
+        when :pundit
+          @adapter = PunditAdapter.new(**options)
+        when :custom
+          @adapter = CustomAdapter.new(**options)
+        else
+          raise ArgumentError, "Unknown adapter type: #{adapter_type}. Use :default, :devise_cancan, :pundit, or :custom"
+        end
+        self
+      end
+
+      # Configure with a custom adapter instance
+      # @param adapter_instance [RbacAdapter] An instance of RbacAdapter or subclass
+      def adapter=(adapter_instance)
+        raise ArgumentError, "Adapter must be an instance of DecisionAgent::Auth::RbacAdapter" unless adapter_instance.is_a?(RbacAdapter)
+
+        @adapter = adapter_instance
+      end
+
+      # Get the configured adapter, or return default if none configured
+      def adapter
+        @adapter || DefaultAdapter.new
+      end
+
+      # Check if an adapter has been configured
+      def configured?
+        !@adapter.nil?
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/role.rb

@@ -0,0 +1,56 @@
+module DecisionAgent
+  module Auth
+    class Role
+      ROLES = {
+        admin: {
+          name: "Admin",
+          permissions: %i[read write delete approve deploy manage_users audit]
+        },
+        editor: {
+          name: "Editor",
+          permissions: %i[read write]
+        },
+        viewer: {
+          name: "Viewer",
+          permissions: [:read]
+        },
+        auditor: {
+          name: "Auditor",
+          permissions: %i[read audit]
+        },
+        approver: {
+          name: "Approver",
+          permissions: %i[read approve]
+        }
+      }.freeze
+
+      class << self
+        def all
+          ROLES.keys
+        end
+
+        def exists?(role)
+          ROLES.key?(role.to_sym)
+        end
+
+        def permissions_for(role)
+          role_data = ROLES[role.to_sym]
+          return [] unless role_data
+
+          role_data[:permissions]
+        end
+
+        def name_for(role)
+          role_data = ROLES[role.to_sym]
+          return nil unless role_data
+
+          role_data[:name]
+        end
+
+        def has_permission?(role, permission)
+          permissions_for(role).include?(permission.to_sym)
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/session.rb

@@ -0,0 +1,33 @@
+require "securerandom"
+
+module DecisionAgent
+  module Auth
+    class Session
+      attr_reader :token, :user_id, :created_at, :expires_at
+
+      def initialize(user_id:, expires_in: 3600)
+        @token = SecureRandom.hex(32)
+        @user_id = user_id
+        @created_at = Time.now.utc
+        @expires_at = @created_at + expires_in
+      end
+
+      def expired?
+        Time.now.utc > @expires_at
+      end
+
+      def valid?
+        !expired?
+      end
+
+      def to_h
+        {
+          token: @token,
+          user_id: @user_id,
+          created_at: @created_at.iso8601,
+          expires_at: @expires_at.iso8601
+        }
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/session_manager.rb

@@ -0,0 +1,57 @@
+module DecisionAgent
+  module Auth
+    class SessionManager
+      def initialize
+        @sessions = {}
+        @mutex = Mutex.new
+        @cleanup_interval = 300 # 5 minutes
+        @last_cleanup = Time.now
+      end
+
+      def create_session(user_id, expires_in: 3600)
+        session = Session.new(user_id: user_id, expires_in: expires_in)
+        @mutex.synchronize do
+          @sessions[session.token] = session
+          cleanup_expired_sessions
+        end
+        session
+      end
+
+      def get_session(token)
+        @mutex.synchronize do
+          session = @sessions[token]
+          return nil unless session
+          return nil if session.expired?
+
+          session
+        end
+      end
+
+      def delete_session(token)
+        @mutex.synchronize do
+          @sessions.delete(token)
+        end
+      end
+
+      def delete_user_sessions(user_id)
+        @mutex.synchronize do
+          @sessions.delete_if { |_token, session| session.user_id == user_id }
+        end
+      end
+
+      def cleanup_expired_sessions
+        now = Time.now
+        return if (now - @last_cleanup) < @cleanup_interval
+
+        @sessions.delete_if { |_token, session| session.expired? }
+        @last_cleanup = now
+      end
+
+      def count
+        @mutex.synchronize do
+          @sessions.size
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/user.rb

@@ -0,0 +1,70 @@
+require "bcrypt"
+require "securerandom"
+
+module DecisionAgent
+  module Auth
+    class User
+      attr_reader :id, :email, :roles, :created_at, :updated_at
+      attr_accessor :active
+
+      def initialize(email:, password: nil, password_hash: nil, roles: [], active: true, id: nil)
+        @id = id || SecureRandom.uuid
+        @email = email
+        @roles = Array(roles)
+        @active = active
+        @created_at = Time.now.utc
+        @updated_at = Time.now.utc
+
+        if password_hash
+          @password_hash = password_hash
+        elsif password
+          @password_hash = BCrypt::Password.create(password)
+        else
+          raise ArgumentError, "Either password or password_hash must be provided"
+        end
+      end
+
+      def authenticate(password)
+        return false unless @active
+
+        BCrypt::Password.new(@password_hash) == password
+      end
+
+      def assign_role(role)
+        role_symbol = role.to_sym
+        @roles << role_symbol unless @roles.include?(role_symbol)
+        @updated_at = Time.now.utc
+      end
+
+      def remove_role(role)
+        role_symbol = role.to_sym
+        @roles.delete(role_symbol)
+        @updated_at = Time.now.utc
+      end
+
+      def has_role?(role)
+        @roles.include?(role.to_sym)
+      end
+
+      def update_password(new_password)
+        @password_hash = BCrypt::Password.create(new_password)
+        @updated_at = Time.now.utc
+      end
+
+      def to_h
+        {
+          id: @id,
+          email: @email,
+          roles: @roles.map(&:to_s),
+          active: @active,
+          created_at: @created_at.iso8601,
+          updated_at: @updated_at.iso8601
+        }
+      end
+
+      def to_json(*args)
+        to_h.to_json(*args)
+      end
+    end
+  end
+end

data/lib/decision_agent/context.rb

@@ -3,7 +3,9 @@ module DecisionAgent
     attr_reader :data
 
     def initialize(data)
-      @data = deep_freeze(data.is_a?(Hash) ? data : {})
+      # Create a deep copy before freezing to avoid mutating the original
+      data_hash = data.is_a?(Hash) ? data : {}
+      @data = deep_freeze(deep_dup(data_hash))
     end
 
     def [](key)
@@ -28,15 +30,33 @@ module DecisionAgent
 
     private
 
-    def deep_freeze(obj)
+    def deep_dup(obj)
       case obj
       when Hash
-        obj.transform_values { |v| deep_freeze(v) }.freeze
+        obj.transform_values { |v| deep_dup(v) }
       when Array
-        obj.map { |v| deep_freeze(v) }.freeze
+        obj.map { |v| deep_dup(v) }
       else
+        obj
+      end
+    end
+
+    def deep_freeze(obj)
+      return obj if obj.frozen?
+
+      case obj
+      when Hash
+        obj.each_value { |v| deep_freeze(v) }
+        obj.freeze
+      when Array
+        obj.each { |v| deep_freeze(v) }
+        obj.freeze
+      when String, Symbol, Numeric, TrueClass, FalseClass, NilClass
         obj.freeze
+      else
+        obj.freeze if obj.respond_to?(:freeze)
       end
+      obj
     end
   end
 end

data/lib/decision_agent/decision.rb

@@ -40,14 +40,21 @@ module DecisionAgent
     end
 
     def deep_freeze(obj)
+      return obj if obj.frozen?
+
       case obj
       when Hash
-        obj.transform_values { |v| deep_freeze(v) }.freeze
+        obj.each_value { |v| deep_freeze(v) }
+        obj.freeze
       when Array
-        obj.map { |v| deep_freeze(v) }.freeze
-      else
+        obj.each { |v| deep_freeze(v) }
         obj.freeze
+      when String, Symbol, Numeric, TrueClass, FalseClass, NilClass
+        obj.freeze
+      else
+        obj.freeze if obj.respond_to?(:freeze)
       end
+      obj
     end
   end
 end