entitlements 0.1.7

data/lib/entitlements/data/groups/calculated/filters/member_of_group.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+# Filter class to remove members of a particular Entitlements-managed group.
+
+module Entitlements
+  class Data
+    class Groups
+      class Calculated
+        class Filters
+          class MemberOfGroup < Entitlements::Data::Groups::Calculated::Filters::Base
+            include ::Contracts::Core
+            C = ::Contracts
+
+            # Determine if the member is filtered as per this definition. Return true if the member
+            # is to be filtered out, false if the member does not match the filter.
+            #
+            # member - Entitlements::Models::Person object
+            #
+            # Returns true if the person is to be filtered out, false otherwise.
+            Contract Entitlements::Models::Person => C::Bool
+            def filtered?(member)
+              return false if filter == :all
+              return false unless member_of_named_group?(member, config.fetch("group"))
+              return true if filter == :none
+              !member_of_filter?(member)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/entitlements/data/groups/calculated/modifiers/base.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Entitlements
+  class Data
+    class Groups
+      class Calculated
+        class Modifiers
+          class Base
+            include ::Contracts::Core
+            C = ::Contracts
+
+            # Constructor. Needs the cache (Hash with various objects of interest) for
+            # future lookups.
+            #
+            # rs     - Entitlements::Data::Groups::Calculated::* object
+            # config - Configuration for this modifier as defined in entitlement
+            Contract C::KeywordArgs[
+              rs: C::Or[
+                Entitlements::Data::Groups::Calculated::Ruby,
+                Entitlements::Data::Groups::Calculated::Text,
+                Entitlements::Data::Groups::Calculated::YAML,
+              ],
+              config: C::Any
+            ] => C::Any
+            def initialize(rs:, config: nil)
+              @rs = rs
+              @config = config
+            end
+
+            private
+
+            attr_reader :config, :rs
+          end
+        end
+      end
+    end
+  end
+end

data/lib/entitlements/data/groups/calculated/modifiers/expiration.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "../../../../util/util"
+
+module Entitlements
+  class Data
+    class Groups
+      class Calculated
+        class Modifiers
+          class Expiration < Base
+            include ::Contracts::Core
+            C = ::Contracts
+
+            # Given a set of members in a group that is being calculated, modify the
+            # member set (the input) to be empty if the entitlement as a whole is expired.
+            # If we do this, add the metadata that allows an empty group, assuming there
+            # were in fact members in the group the first time we saw this.
+            #
+            # result - Set of Entitlements::Models::Person (mutated).
+            #
+            # Return true if we made any changes, false otherwise.
+            Contract C::SetOf[Entitlements::Models::Person] => C::Bool
+            def modify(result)
+              # If group is already empty, we have nothing to consider modifying, regardless
+              # of expiration date. Just return false right away.
+              if result.empty?
+                return false
+              end
+
+              # If the date is in the future, leave the entitlement unchanged.
+              return false if parse_date > Time.now.utc.to_date
+
+              # Empty the group. Set metadata allowing no members. Return true to indicate modification.
+              rs.metadata["no_members_ok"] = true
+              result.clear
+              true
+            end
+
+            private
+
+            # Returns a date object from the configuration given to the class.
+            #
+            # Takes no arguments.
+            #
+            # Returns a date object.
+            Contract C::None => Date
+            def parse_date
+              Entitlements::Util::Util.parse_date(config)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/entitlements/data/groups/calculated/ruby.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+# Interact with rules that are stored as ruby code.
+
+module Entitlements
+  class Data
+    class Groups
+      class Calculated
+        class Ruby < Entitlements::Data::Groups::Calculated::Base
+          include ::Contracts::Core
+          C = ::Contracts
+
+          # Standard interface: Calculate the members of this group.
+          #
+          # Takes no arguments.
+          #
+          # Returns a Set[Entitlements::Models::Person] with DN's of the people in the group.
+          Contract C::None => C::SetOf[Entitlements::Models::Person]
+          def members
+            @members ||= begin
+              Entitlements.logger.debug "Calculating members from #{filename}"
+              result = rule_obj.members
+
+              # Since this is user-written code not subject to contracts, do some basic
+              # format checking of the result, and standardize the output.
+              unless result.is_a?(Set)
+                raise "Expected Set[String|Entitlements::Models::Person] from #{ruby_class_name}.members, got #{result.class}!"
+              end
+
+              cleaned_set = result.map do |item|
+                if item.is_a?(String)
+                  begin
+                    Entitlements.cache[:people_obj].read.fetch(item)
+                  rescue KeyError => exc
+                    raise_rule_exception(exc)
+                  end
+                elsif item.is_a?(Entitlements::Models::Person)
+                  item
+                else
+                  raise "In #{ruby_class_name}.members, expected String or Person but got #{item.inspect}"
+                end
+              end
+
+              # All good, return the result.
+              Set.new(cleaned_set)
+            end
+          end
+
+          # Standard interface: Get the description of this group.
+          #
+          # Takes no arguments.
+          #
+          # Returns a String with the group description, or "" if undefined.
+          Contract C::None => String
+          def description
+            result = rule_obj.description
+            return result if result.is_a?(String)
+            raise "Expected String from #{ruby_class_name}.description, got #{result.class}!"
+          end
+
+          private
+
+          # Get a hash of the filters defined in the group.
+          #
+          # Takes no arguments.
+          #
+          # Returns a Hash[String => :all/:none/List of strings].
+          Contract C::None => C::HashOf[String => C::Or[:all, :none, C::ArrayOf[String]]]
+          def initialize_filters
+            rule_obj.filters
+          end
+
+          # Files can support metadata intended for consumption by things other than LDAP.
+          # This returns the metadata from the file as a hash.
+          #
+          # Takes no arguments.
+          #
+          # Returns Hash[<String>key => <Object>value]
+          Contract C::None => C::HashOf[String => C::Any]
+          def initialize_metadata
+            return {} unless rule_obj.respond_to?(:metadata)
+
+            result = rule_obj.metadata
+
+            unless result.is_a?(Hash)
+              raise ArgumentError, "For metadata in #{filename}: expected Hash, got #{result.inspect}!"
+            end
+
+            result.each do |key, _|
+              next if key.is_a?(String)
+              raise ArgumentError, "For metadata in #{filename}: keys are expected to be strings, but #{key.inspect} is not!"
+            end
+
+            result
+          end
+
+          # Instantiate the object exactly once, on demand. Cache it for later.
+          #
+          # Takes no arguments.
+          #
+          # Returns an object.
+          Contract C::None => Object
+          def rule_obj
+            @rule_obj ||= begin
+              require filename
+              clazz = Kernel.const_get(ruby_class_name)
+              clazz.new
+            end
+          end
+
+          # Raise an exception which adds in the offending class name and filename (which
+          # is a user-defined entitlement that gave rise to a problem).
+          #
+          # exc - An Exception that is to be raised.
+          #
+          # Returns nothing (raises the exception after logging).
+          Contract Exception => nil
+          def raise_rule_exception(exc)
+            Entitlements.logger.fatal "#{exc.class} when processing #{ruby_class_name}!"
+            raise exc
+          end
+
+          # Turn the filename into a ruby class name. We care about the name of the last
+          # directory, and the name of the file itself. Convert these into CamelCase for
+          # the ruby class.
+          #
+          # Takes no arguments.
+          #
+          # Returns a String with the class name.
+          Contract C::None => String
+          def ruby_class_name
+            ["Entitlements", "Rule", ou, cn].map { |x| camelize(x) }.join("::")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/entitlements/data/groups/calculated/rules/base.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+# Base class for rules that we write.
+
+module Entitlements
+  class Data
+    class Groups
+      class Calculated
+        class Rules
+          class Base
+            include ::Contracts::Core
+            C = ::Contracts
+
+            # Interface method: Get a Set[Entitlements::Models::Person] matching this condition.
+            #
+            # value  - The value to match.
+            # filename - Name of the file resulting in this rule being called
+            # options  - Optional hash of additional method-specific options
+            #
+            # Returns a Set[Entitlements::Models::Person].
+            Contract C::KeywordArgs[
+              value: String,
+              filename: C::Maybe[String],
+              options: C::Optional[C::HashOf[Symbol => C::Any]]
+            ] => C::SetOf[Entitlements::Models::Person]
+            def self.matches(value:, filename: nil, options: {})
+              # :nocov:
+              raise "matches() must be defined in the child class #{self.class}!"
+              # :nocov:
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/entitlements/data/groups/calculated/rules/group.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+# Is someone in an LDAP group?
+
+module Entitlements
+  class Data
+    class Groups
+      class Calculated
+        class Rules
+          class Group < Entitlements::Data::Groups::Calculated::Rules::Base
+
+            FILE_EXTENSIONS = {
+              "rb"   => "Entitlements::Data::Groups::Calculated::Ruby",
+              "txt"  => "Entitlements::Data::Groups::Calculated::Text",
+              "yaml" => "Entitlements::Data::Groups::Calculated::YAML"
+            }
+
+            # Interface method: Get a Set[Entitlements::Models::Person] matching this condition.
+            #
+            # value    - The value to match.
+            # filename - Name of the file resulting in this rule being called
+            # options  - Optional hash of additional method-specific options
+            #
+            # Returns a Set[Entitlements::Models::Person].
+            Contract C::KeywordArgs[
+              value: String,
+              filename: C::Maybe[String],
+              options: C::Optional[C::HashOf[Symbol => C::Any]]
+            ] => C::SetOf[Entitlements::Models::Person]
+            def self.matches(value:, filename: nil, options: {})
+              # We've asked for a managed group, so we need to calculate that group and return its members.
+              # First parse the value into the ou and cn.
+              raise "Error: Unexpected value #{value.inspect} in #{self.class}!" unless value =~ %r{\A(.+)/([^/]+)\z}
+              ou = value.rpartition("/").first
+              cn = value.rpartition("/").last
+
+              # Check the cache. If we are in the process of calculating it, it's a circular dependency that should be alerted upon.
+              # If we've already calculated this, just return the value.
+              current_value = Entitlements.cache[:calculated].fetch(ou, {}).fetch(cn, nil)
+              if current_value == :calculating
+                Entitlements.cache[:dependencies] << "#{ou}/#{cn}"
+                raise "Error: Circular dependency #{Entitlements.cache[:dependencies].join(' -> ')}"
+              end
+
+              # If we have calculated this before, then apply modifiers and return the result. `current_value` here
+              # is a set with the correct answers but that does not take into effect any modifiers. Therefore we
+              # reference back to the object so we can have the modifiers applied. There's a cache in the object that
+              # remembers the value of `.modified_members` each time it's calculated, so this is inexpensive.
+              filebase_with_path = File.join(Entitlements::Util::Util.path_for_group(ou), cn)
+              if Entitlements.cache[:file_objects].key?(filebase_with_path)
+                return Entitlements.cache[:file_objects][filebase_with_path].modified_members
+              end
+
+              # We actually need to calculate this group. Find the file based on the ou and cn in the directory.
+              files = files_for(ou, options: options)
+              match_regex = Regexp.new("\\A" + Regexp.escape(cn.gsub("*", "\f")).gsub("\\f", ".*") + "\\z")
+              matching_files = files.select { |base, _ext| match_regex.match(base) }
+              if matching_files.any?
+                result = Set.new
+                matching_files.each do |filebase, ext|
+                  filebase_with_path = File.join(Entitlements::Util::Util.path_for_group(ou), filebase)
+
+                  # If the object has already been calculated then we can just merge the value from
+                  # the cache without going any further. Otherwise, create a new object for the group
+                  # reference and calculate them.
+                  unless Entitlements.cache[:file_objects][filebase_with_path]
+                    clazz = Kernel.const_get(FILE_EXTENSIONS[ext])
+                    Entitlements.cache[:file_objects][filebase_with_path] = clazz.new(
+                      filename: "#{filebase_with_path}.#{ext}",
+                    )
+                    if Entitlements.cache[:file_objects][filebase_with_path].members == :calculating
+                      next if matching_files.size > 1
+                      raise "Error: Invalid self-referencing wildcard in #{ou}/#{filebase}.#{ext}"
+                    end
+                  end
+
+                  unless Entitlements.cache[:file_objects][filebase_with_path].modified_members == :calculating
+                    result.merge Entitlements.cache[:file_objects][filebase_with_path].modified_members
+                  end
+                end
+                return result
+              end
+
+              # No file exists... handle accordingly
+              path = File.join(Entitlements::Util::Util.path_for_group(ou), "#{cn}.(rb|txt|yaml)")
+              if options[:skip_broken_references]
+                Entitlements.logger.warn "Could not find a configuration for #{path} - skipped (filename: #{filename.inspect})"
+                return Set.new
+              end
+
+              Entitlements.logger.fatal "Error: Could not find a configuration for #{path} (filename: #{filename.inspect})"
+              raise "Error: Could not find a configuration for #{path} (filename: #{filename.inspect})"
+            end
+
+            # Enumerate and cache all files in a directory for more efficient processing later.
+            #
+            # path - A String with the directory structure relative to Entitlements.config_path
+            #
+            # Returns a Set of Hashes with { "file_without_extension" => "extension" }
+            Contract String, C::KeywordArgs[options: C::HashOf[Symbol => C::Any]] => C::HashOf[String => String]
+            def self.files_for(path, options:)
+              @files_for_cache ||= {}
+              @files_for_cache[path] ||= begin
+                full_path = Entitlements::Util::Util.path_for_group(path)
+                if File.directory?(full_path)
+                  result = {}
+                  Dir.entries(full_path).each do |name|
+                    next if name.start_with?(".")
+                    next unless name.end_with?(*FILE_EXTENSIONS.keys.map { |k| ".#{k}" })
+                    next unless File.file?(File.join(full_path, name))
+                    raise "Unparseable name: #{full_path}/#{name}" unless name =~ /\A(.+)\.(\w+)\z/
+                    result[Regexp.last_match(1)] = Regexp.last_match(2)
+                  end
+                  result
+                elsif options[:skip_broken_references]
+                  Entitlements.logger.warn "Could not find any configuration in #{full_path} - skipped"
+                  {}
+                else
+                  message = "Error: Could not find any configuration in #{full_path}"
+                  Entitlements.logger.fatal message
+                  raise RuntimeError, message
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/entitlements/data/groups/calculated/rules/username.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+# The simplest equality check we could imagine.
+
+module Entitlements
+  class Data
+    class Groups
+      class Calculated
+        class Rules
+          class Username < Entitlements::Data::Groups::Calculated::Rules::Base
+            include ::Contracts::Core
+            C = ::Contracts
+
+            # Interface method: Get a Set[Entitlements::Models::Person] matching this condition.
+            #
+            # value  - The value to match.
+            # filename - Name of the file resulting in this rule being called
+            # options  - Optional hash of additional method-specific options
+            #
+            # Returns a Set[Entitlements::Models::Person].
+            Contract C::KeywordArgs[
+              value: String,
+              filename: C::Maybe[String],
+              options: C::Optional[C::HashOf[Symbol => C::Any]]
+            ] => C::SetOf[Entitlements::Models::Person]
+            def self.matches(value:, filename: nil, options: {})
+              # Username is easy - the value is the uid.
+              begin
+                Set.new([Entitlements.cache[:people_obj].read(value)].compact)
+              rescue Entitlements::Data::People::NoSuchPersonError
+                # We are not currently treating this as a fatal error and as such we are just
+                # ignoring it. Implementors will want to implement CI-level checks for unknown
+                # people if this is a concern.
+                Set.new({})
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end