decision_agent 0.1.4 → 0.1.6

data/lib/decision_agent/auth/authenticator.rb

@@ -0,0 +1,127 @@
+module DecisionAgent
+  module Auth
+    class Authenticator
+      attr_reader :user_store, :session_manager, :password_reset_manager
+
+      def initialize(user_store: nil, session_manager: nil, password_reset_manager: nil)
+        @user_store = user_store || InMemoryUserStore.new
+        @session_manager = session_manager || SessionManager.new
+        @password_reset_manager = password_reset_manager || PasswordResetManager.new
+      end
+
+      def login(email, password)
+        user = @user_store.find_by_email(email)
+        return nil unless user
+        return nil unless user.active
+        return nil unless user.authenticate(password)
+
+        @session_manager.create_session(user.id)
+      end
+
+      def logout(token)
+        @session_manager.delete_session(token)
+      end
+
+      def authenticate(token)
+        session = @session_manager.get_session(token)
+        return nil unless session
+
+        user = @user_store.find_by_id(session.user_id)
+        return nil unless user
+        return nil unless user.active
+
+        { user: user, session: session }
+      end
+
+      def create_user(email:, password:, roles: [])
+        user = User.new(email: email, password: password, roles: roles)
+        @user_store.save(user)
+        user
+      end
+
+      def find_user(user_id)
+        @user_store.find_by_id(user_id)
+      end
+
+      def find_user_by_email(email)
+        @user_store.find_by_email(email)
+      end
+
+      def request_password_reset(email)
+        user = @user_store.find_by_email(email)
+        return nil unless user
+        return nil unless user.active
+
+        # Delete any existing reset tokens for this user
+        @password_reset_manager.delete_user_tokens(user.id)
+
+        # Create a new reset token (expires in 1 hour)
+        @password_reset_manager.create_token(user.id, expires_in: 3600)
+      end
+
+      def reset_password(token_string, new_password)
+        token = @password_reset_manager.get_token(token_string)
+        return nil unless token
+
+        user = @user_store.find_by_id(token.user_id)
+        return nil unless user
+        return nil unless user.active
+
+        # Update the password
+        user.update_password(new_password)
+        @user_store.save(user)
+
+        # Delete the used token and all other tokens for this user
+        @password_reset_manager.delete_user_tokens(user.id)
+
+        # Invalidate all existing sessions for security
+        @session_manager.delete_user_sessions(user.id)
+
+        user
+      end
+    end
+
+    # In-memory user store (can be replaced with ActiveRecord adapter later)
+    class InMemoryUserStore
+      def initialize
+        @users = {}
+        @users_by_email = {}
+        @mutex = Mutex.new
+      end
+
+      def save(user)
+        @mutex.synchronize do
+          @users[user.id] = user
+          @users_by_email[user.email.downcase] = user
+        end
+        user
+      end
+
+      def find_by_id(id)
+        @mutex.synchronize do
+          @users[id]
+        end
+      end
+
+      def find_by_email(email)
+        @mutex.synchronize do
+          @users_by_email[email.downcase]
+        end
+      end
+
+      def all
+        @mutex.synchronize do
+          @users.values.dup
+        end
+      end
+
+      def delete(id)
+        @mutex.synchronize do
+          user = @users.delete(id)
+          @users_by_email.delete(user.email.downcase) if user
+          user
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/password_reset_manager.rb

@@ -0,0 +1,57 @@
+module DecisionAgent
+  module Auth
+    class PasswordResetManager
+      def initialize
+        @tokens = {}
+        @mutex = Mutex.new
+        @cleanup_interval = 300 # 5 minutes
+        @last_cleanup = Time.now
+      end
+
+      def create_token(user_id, expires_in: 3600)
+        token = PasswordResetToken.new(user_id: user_id, expires_in: expires_in)
+        @mutex.synchronize do
+          @tokens[token.token] = token
+          cleanup_expired_tokens
+        end
+        token
+      end
+
+      def get_token(token_string)
+        @mutex.synchronize do
+          token = @tokens[token_string]
+          return nil unless token
+          return nil if token.expired?
+
+          token
+        end
+      end
+
+      def delete_token(token_string)
+        @mutex.synchronize do
+          @tokens.delete(token_string)
+        end
+      end
+
+      def delete_user_tokens(user_id)
+        @mutex.synchronize do
+          @tokens.delete_if { |_token_string, token| token.user_id == user_id }
+        end
+      end
+
+      def cleanup_expired_tokens
+        now = Time.now
+        return if (now - @last_cleanup) < @cleanup_interval
+
+        @tokens.delete_if { |_token_string, token| token.expired? }
+        @last_cleanup = now
+      end
+
+      def count
+        @mutex.synchronize do
+          @tokens.size
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/password_reset_token.rb

@@ -0,0 +1,33 @@
+require "securerandom"
+
+module DecisionAgent
+  module Auth
+    class PasswordResetToken
+      attr_reader :token, :user_id, :created_at, :expires_at
+
+      def initialize(user_id:, expires_in: 3600)
+        @token = SecureRandom.hex(32)
+        @user_id = user_id
+        @created_at = Time.now.utc
+        @expires_at = @created_at + expires_in
+      end
+
+      def expired?
+        Time.now.utc > @expires_at
+      end
+
+      def valid?
+        !expired?
+      end
+
+      def to_h
+        {
+          token: @token,
+          user_id: @user_id,
+          created_at: @created_at.iso8601,
+          expires_at: @expires_at.iso8601
+        }
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/permission.rb

@@ -0,0 +1,29 @@
+module DecisionAgent
+  module Auth
+    class Permission
+      PERMISSIONS = {
+        read: "Read access to rules and versions",
+        write: "Create and modify rules",
+        delete: "Delete rules and versions",
+        approve: "Approve rule changes",
+        deploy: "Deploy rule versions",
+        manage_users: "Manage users and roles",
+        audit: "Access audit logs"
+      }.freeze
+
+      class << self
+        def all
+          PERMISSIONS.keys
+        end
+
+        def exists?(permission)
+          PERMISSIONS.key?(permission.to_sym)
+        end
+
+        def description_for(permission)
+          PERMISSIONS[permission.to_sym]
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/permission_checker.rb

@@ -0,0 +1,43 @@
+module DecisionAgent
+  module Auth
+    class PermissionChecker
+      attr_reader :adapter
+
+      def initialize(adapter: nil)
+        @adapter = adapter || DefaultAdapter.new
+      end
+
+      def can?(user, permission, resource = nil)
+        @adapter.can?(user, permission, resource)
+      end
+
+      def require_permission!(user, permission, resource = nil)
+        raise PermissionDeniedError, "User does not have permission: #{permission}" unless can?(user, permission, resource)
+
+        true
+      end
+
+      def has_role?(user, role)
+        @adapter.has_role?(user, role)
+      end
+
+      def require_role!(user, role)
+        raise PermissionDeniedError, "User does not have role: #{role}" unless has_role?(user, role)
+
+        true
+      end
+
+      def active?(user)
+        @adapter.active?(user)
+      end
+
+      def user_id(user)
+        @adapter.user_id(user)
+      end
+
+      def user_email(user)
+        @adapter.user_email(user)
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/rbac_adapter.rb

@@ -0,0 +1,278 @@
+module DecisionAgent
+  module Auth
+    # Base adapter interface for RBAC integration
+    # Users can extend this to integrate with any authentication/authorization system
+    class RbacAdapter
+      # Check if a user has a specific permission
+      # @param user [Object] The user object from your auth system
+      # @param permission [Symbol, String] The permission to check
+      # @param resource [Object, nil] Optional resource for resource-level permissions
+      # @return [Boolean] true if user has permission, false otherwise
+      def can?(user, permission, resource = nil)
+        raise NotImplementedError, "Subclasses must implement #can?"
+      end
+
+      # Check if a user has a specific role
+      # @param user [Object] The user object from your auth system
+      # @param role [Symbol, String] The role to check
+      # @return [Boolean] true if user has role, false otherwise
+      def has_role?(user, role)
+        raise NotImplementedError, "Subclasses must implement #has_role?"
+      end
+
+      # Check if a user is active/enabled
+      # @param user [Object] The user object from your auth system
+      # @return [Boolean] true if user is active, false otherwise
+      def active?(user)
+        return false unless user
+
+        # Default implementation - can be overridden
+        user.respond_to?(:active?) ? user.active? : true
+      end
+
+      # Get user ID for audit/logging purposes
+      # @param user [Object] The user object from your auth system
+      # @return [String, Integer] User identifier
+      def user_id(user)
+        return nil unless user
+
+        user.respond_to?(:id) ? user.id : user.to_s
+      end
+
+      # Get user email for display/logging purposes
+      # @param user [Object] The user object from your auth system
+      # @return [String, nil] User email
+      def user_email(user)
+        return nil unless user
+
+        user.respond_to?(:email) ? user.email : nil
+      end
+    end
+
+    # Default adapter using the built-in User/Role/Permission system
+    class DefaultAdapter < RbacAdapter
+      def can?(user, permission, _resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        # Check if user has any role with the required permission
+        roles = extract_roles(user)
+        roles.any? do |role|
+          Role.has_permission?(role, permission)
+        end
+      end
+
+      def has_role?(user, role)
+        return false unless user
+
+        roles = extract_roles(user)
+        roles.include?(role.to_sym)
+      end
+
+      def active?(user)
+        return false unless user
+
+        user.respond_to?(:active) ? user.active : true
+      end
+
+      private
+
+      def extract_roles(user)
+        if user.respond_to?(:roles)
+          Array(user.roles).map(&:to_sym)
+        elsif user.respond_to?(:role)
+          [user.role.to_sym]
+        else
+          []
+        end
+      end
+    end
+
+    # Adapter for Devise + CanCanCan integration
+    class DeviseCanCanAdapter < RbacAdapter
+      def initialize(ability_class: nil)
+        super()
+        @ability_class = ability_class
+      end
+
+      def can?(user, permission, resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        # CanCanCan uses :can? method with action and resource
+        if user.respond_to?(:can?)
+          # Map permission to CanCanCan action
+          action = map_permission_to_action(permission)
+          user.can?(action, resource || Object)
+        elsif @ability_class
+          # Use Ability class if provided
+          ability = @ability_class.new(user)
+          action = map_permission_to_action(permission)
+          ability.can?(action, resource || Object)
+        else
+          false
+        end
+      end
+
+      def has_role?(user, role)
+        return false unless user
+        return false unless active?(user)
+
+        # Check if user has role via CanCanCan roles or other methods
+        if user.respond_to?(:has_role?)
+          user.has_role?(role)
+        elsif user.respond_to?(:roles)
+          user.roles.any? { |r| r.to_s == role.to_s || r.name.to_s == role.to_s }
+        else
+          false
+        end
+      end
+
+      def active?(user)
+        return false unless user
+
+        # Devise typically uses active_for_authentication? or active?
+        if user.respond_to?(:active_for_authentication?)
+          user.active_for_authentication?
+        elsif user.respond_to?(:active?)
+          user.active?
+        else
+          true
+        end
+      end
+
+      private
+
+      def map_permission_to_action(permission)
+        # Map decision_agent permissions to CanCanCan actions
+        mapping = {
+          read: :read,
+          write: :create,
+          delete: :destroy,
+          approve: :approve,
+          deploy: :deploy,
+          manage_users: :manage,
+          audit: :read
+        }
+        mapping[permission.to_sym] || permission.to_sym
+      end
+    end
+
+    # Adapter for Pundit authorization
+    class PunditAdapter < RbacAdapter
+      def can?(user, permission, resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        # Pundit uses policy classes
+        if resource.respond_to?(:policy_class)
+          policy = resource.policy_class.new(user, resource)
+          action = map_permission_to_action(permission)
+          policy.respond_to?(action) && policy.public_send(action)
+        elsif resource
+          # Try to infer policy class from resource
+          policy_class_name = "#{resource.class.name}Policy"
+          if Object.const_defined?(policy_class_name)
+            policy_class = Object.const_get(policy_class_name)
+            policy = policy_class.new(user, resource)
+            action = map_permission_to_action(permission)
+            policy.respond_to?(action) && policy.public_send(action)
+          else
+            false
+          end
+        else
+          false
+        end
+      end
+
+      def has_role?(user, role)
+        return false unless user
+        return false unless active?(user)
+
+        if user.respond_to?(:has_role?)
+          user.has_role?(role)
+        elsif user.respond_to?(:roles)
+          user.roles.any? { |r| r.to_s == role.to_s || r.name.to_s == role.to_s }
+        else
+          false
+        end
+      end
+
+      private
+
+      def map_permission_to_action(permission)
+        mapping = {
+          read: :show,
+          write: :create,
+          delete: :destroy,
+          approve: :approve,
+          deploy: :deploy,
+          manage_users: :manage,
+          audit: :audit
+        }
+        mapping[permission.to_sym] || permission.to_sym
+      end
+    end
+
+    # Custom adapter that allows users to provide their own logic via blocks/procs
+    class CustomAdapter < RbacAdapter
+      def initialize(
+        can_proc: nil,
+        has_role_proc: nil,
+        active_proc: nil,
+        user_id_proc: nil,
+        user_email_proc: nil
+      )
+        super()
+        @can_proc = can_proc
+        @has_role_proc = has_role_proc
+        @active_proc = active_proc
+        @user_id_proc = user_id_proc
+        @user_email_proc = user_email_proc
+      end
+
+      def can?(user, permission, resource = nil)
+        return false unless user
+        return false unless active?(user)
+
+        raise NotImplementedError, "CustomAdapter requires can_proc to be provided" unless @can_proc
+
+        @can_proc.call(user, permission, resource)
+      end
+
+      def has_role?(user, role)
+        return false unless user
+
+        raise NotImplementedError, "CustomAdapter requires has_role_proc to be provided" unless @has_role_proc
+
+        @has_role_proc.call(user, role)
+      end
+
+      def active?(user)
+        return false unless user
+
+        if @active_proc
+          @active_proc.call(user)
+        else
+          super
+        end
+      end
+
+      def user_id(user)
+        if @user_id_proc
+          @user_id_proc.call(user)
+        else
+          super
+        end
+      end
+
+      def user_email(user)
+        if @user_email_proc
+          @user_email_proc.call(user)
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/rbac_config.rb

@@ -0,0 +1,51 @@
+module DecisionAgent
+  module Auth
+    # Configuration class for RBAC adapter
+    class RbacConfig
+      attr_accessor :authenticator, :user_store
+
+      def initialize
+        @adapter = nil
+        @authenticator = nil
+        @user_store = nil
+      end
+
+      # Configure with a built-in adapter
+      # @param adapter_type [Symbol] :default, :devise_cancan, :pundit, or :custom
+      # @param options [Hash] Options for the adapter
+      def use(adapter_type, **options)
+        case adapter_type.to_sym
+        when :default
+          @adapter = DefaultAdapter.new
+        when :devise_cancan
+          @adapter = DeviseCanCanAdapter.new(**options)
+        when :pundit
+          @adapter = PunditAdapter.new(**options)
+        when :custom
+          @adapter = CustomAdapter.new(**options)
+        else
+          raise ArgumentError, "Unknown adapter type: #{adapter_type}. Use :default, :devise_cancan, :pundit, or :custom"
+        end
+        self
+      end
+
+      # Configure with a custom adapter instance
+      # @param adapter_instance [RbacAdapter] An instance of RbacAdapter or subclass
+      def adapter=(adapter_instance)
+        raise ArgumentError, "Adapter must be an instance of DecisionAgent::Auth::RbacAdapter" unless adapter_instance.is_a?(RbacAdapter)
+
+        @adapter = adapter_instance
+      end
+
+      # Get the configured adapter, or return default if none configured
+      def adapter
+        @adapter || DefaultAdapter.new
+      end
+
+      # Check if an adapter has been configured
+      def configured?
+        !@adapter.nil?
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/role.rb

@@ -0,0 +1,56 @@
+module DecisionAgent
+  module Auth
+    class Role
+      ROLES = {
+        admin: {
+          name: "Admin",
+          permissions: %i[read write delete approve deploy manage_users audit]
+        },
+        editor: {
+          name: "Editor",
+          permissions: %i[read write]
+        },
+        viewer: {
+          name: "Viewer",
+          permissions: [:read]
+        },
+        auditor: {
+          name: "Auditor",
+          permissions: %i[read audit]
+        },
+        approver: {
+          name: "Approver",
+          permissions: %i[read approve]
+        }
+      }.freeze
+
+      class << self
+        def all
+          ROLES.keys
+        end
+
+        def exists?(role)
+          ROLES.key?(role.to_sym)
+        end
+
+        def permissions_for(role)
+          role_data = ROLES[role.to_sym]
+          return [] unless role_data
+
+          role_data[:permissions]
+        end
+
+        def name_for(role)
+          role_data = ROLES[role.to_sym]
+          return nil unless role_data
+
+          role_data[:name]
+        end
+
+        def has_permission?(role, permission)
+          permissions_for(role).include?(permission.to_sym)
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/auth/session.rb

@@ -0,0 +1,33 @@
+require "securerandom"
+
+module DecisionAgent
+  module Auth
+    class Session
+      attr_reader :token, :user_id, :created_at, :expires_at
+
+      def initialize(user_id:, expires_in: 3600)
+        @token = SecureRandom.hex(32)
+        @user_id = user_id
+        @created_at = Time.now.utc
+        @expires_at = @created_at + expires_in
+      end
+
+      def expired?
+        Time.now.utc > @expires_at
+      end
+
+      def valid?
+        !expired?
+      end
+
+      def to_h
+        {
+          token: @token,
+          user_id: @user_id,
+          created_at: @created_at.iso8601,
+          expires_at: @expires_at.iso8601
+        }
+      end
+    end
+  end
+end