RubyGems - jwt_auth_cognito - Versions diffs - 1.0.0.pre.beta.11 → 1.0.0.pre.beta.12 - Mend

jwt_auth_cognito 1.0.0.pre.beta.11 → 1.0.0.pre.beta.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/jwt_auth_cognito/authorization_concern.rb +28 -0
data/lib/jwt_auth_cognito/jwt_validator.rb +22 -0
data/lib/jwt_auth_cognito/user_data_service.rb +29 -0
data/lib/jwt_auth_cognito/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e8069ccdfaed845402cd9053a2db66b2bc74359649de17ca2ce7ad010a939722
-  data.tar.gz: 3ba1441f8016d8e2d5b1bca7913fd7700f0ae51c8470ab1e6f06a2e1a9640697
+  metadata.gz: b17cfc63543d51251188fa8645cf7f9235d741851fc33087bf781cb26ba21c07
+  data.tar.gz: c51dd33e95f2346794ad4d50578982e09ed0395b22e192d8a69e4a196ef8c687
 SHA512:
-  metadata.gz: 897a6f309d17ba4f312e5b9b86a8daf4ab76050a6b5cd17543eaaf728c3ba242bc1ec34a8efb25f17395095cccf5225bf918850fb4f373ba0132311c3c0e84c7
-  data.tar.gz: 785494e60e28e09a5b3343eaf9b2dfc0d9a70343cf8f56ddd81768b172c0753696a3b03df84f24510ba50687d9d7cb6af8a3bce72fad2331e88bc195d9dc73b5
+  metadata.gz: eb6034d5dcb76d9523e4dcf68e488899b2ee50eba313aba072b069a4a552d8cc331175d72dca2577b7f85b9e3b63720dbafe98a21d7cf10107da457cab281436
+  data.tar.gz: 7e5e07f954ca37e0ece2cfed27763426903623aafb3a2f37dd9fecf9c54a876ace20ec7e9e0fea7e8ea8117bc34af28ecd730af22c387a196b43b704a4a40925

data/lib/jwt_auth_cognito/authorization_concern.rb CHANGED Viewed

@@ -59,6 +59,24 @@ module JwtAuthCognito
       @current_user_permissions ||= fetch_current_user_permissions
     end
+    # Raises ForbiddenError unless the user has the given permission over a specific resource.
+    # By convention reads the resource ID from params[:id]; override with resource_id: keyword arg.
+    #
+    #   before_action -> { authorize_resource_permission!('fleet:vehicles:write') }, only: [:update]
+    #   before_action -> { authorize_resource_permission!('fleet:vehicles:write', resource_id: params[:vehicle_id]) }
+    def authorize_resource_permission!(permission, resource_id: params[:id])
+      uid = jwt_user_id
+      aid = jwt_app_id
+      oid = jwt_org_id
+      raise JwtAuthCognito::ForbiddenError, 'Access denied' unless uid && aid && oid && resource_id
+      return if jwt_validator.check_resource_permission?(uid, aid, oid, resource_id.to_s, permission)
+      log_resource_permission_denied(permission, resource_id)
+      raise JwtAuthCognito::ForbiddenError, 'Access denied'
+    end
     private
     def fetch_current_user_permissions
@@ -114,5 +132,15 @@ module JwtAuthCognito
         "app_id=#{jwt_app_id} org_id=#{jwt_org_id}"
       )
     end
+    def log_resource_permission_denied(permission, resource_id)
+      return unless defined?(Rails)
+      Rails.logger.warn(
+        "[RESOURCE_PERMISSION_DENIED] user_id=#{jwt_user_id} " \
+        "permission=#{permission} resource_id=#{resource_id} " \
+        "app_id=#{jwt_app_id} org_id=#{jwt_org_id}"
+      )
+    end
   end
 end

data/lib/jwt_auth_cognito/jwt_validator.rb CHANGED Viewed

@@ -270,6 +270,28 @@ module JwtAuthCognito
       @user_data_service.resolve_effective_permissions(user_id, app_id, org_id)
     end
+    # Get the permissions the user has over a specific resource instance (ReBAC).
+    # Returns { resource_type:, resource_id:, permissions:, mode: } or nil.
+    def get_resource_permissions(user_id, app_id, org_id, resource_type, resource_id)
+      return nil unless @user_data_service
+      result = @user_data_service.resolve_resource_permissions(user_id, app_id, org_id, resource_id)
+      return nil unless result
+      { resource_type: resource_type, resource_id: resource_id,
+        permissions: result[:permissions], mode: result[:mode] }
+    end
+    # Verify if the user has a specific permission over a concrete resource instance.
+    def check_resource_permission?(user_id, app_id, org_id, resource_id, permission)
+      return false unless @user_data_service
+      result = @user_data_service.resolve_resource_permissions(user_id, app_id, org_id, resource_id)
+      return false unless result
+      PermissionChecker.permission_in_list?(permission, result[:permissions])
+    end
     def is_token_expired?(token)
       payload = decode_token(token)
       return true if payload.is_a?(Hash) && payload[:error]

data/lib/jwt_auth_cognito/user_data_service.rb CHANGED Viewed

@@ -372,6 +372,35 @@ module JwtAuthCognito
       @cache_timestamps[key] = Time.now.to_i
     end
+    # Resolve permissions the user has over a specific resource instance (ReBAC).
+    # Applies resourceRestrictions per-permission: open mode if none configured.
+    # Returns nil if the user has no active membership in that org.
+    def resolve_resource_permissions(user_id, app_id, organization_id, resource_id)
+      effective = resolve_effective_permissions(user_id, app_id, organization_id)
+      return nil unless effective
+      raw = @redis_service.get("user:permissions:#{user_id}")
+      return nil unless raw
+      data = JSON.parse(raw)
+      restrictions = data.dig('permissions', app_id, organization_id, 'resourceRestrictions')
+      has_any_restriction = restrictions.is_a?(Hash) && !restrictions.empty?
+      mode = has_any_restriction ? 'restricted' : 'open'
+      allowed = effective.select do |perm|
+        if !restrictions.is_a?(Hash) || !restrictions.key?(perm)
+          true
+        else
+          restrictions[perm].is_a?(Array) && restrictions[perm].include?(resource_id)
+        end
+      end
+      { permissions: allowed, mode: mode }
+    rescue StandardError => e
+      puts "Error resolving resource permissions for #{user_id}:#{resource_id}: #{e.message}"
+      nil
+    end
     def compute_permissions_from_roles(app_id, organization_id, role_names)
       roles_data = get_app_roles(app_id, organization_id)
       return [] unless roles_data.is_a?(Hash)

data/lib/jwt_auth_cognito/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module JwtAuthCognito
-  VERSION = '1.0.0-beta.11'
+  VERSION = '1.0.0-beta.12'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_auth_cognito
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.beta.11
+  version: 1.0.0.pre.beta.12
 platform: ruby
 authors:
 - The Optimal
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-02 00:00:00.000000000 Z
+date: 2026-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ssm