jwtauth 0.2.3 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 133c62c21f3825c7cceedbad5395dae11cb4dcdc
-  data.tar.gz: 5e4cec0830accd1b2b93c730d998914a4cb8daae
+  metadata.gz: 001dd1412a0f2ff8431611490222199d76e1b366
+  data.tar.gz: 54182546254c2cbb51b20b6c65d0ce8a09f4cde1
 SHA512:
-  metadata.gz: e7b5c770cd442cdad5a0f1daba2b928bc0f53c19928cbd236ffa5ae2ae8349c6f327ff0f96fa835644caf5e1c8586d461a384744ad7add01cbf6c47506fef635
-  data.tar.gz: ad3a53e8b6de9daa8bcd8ee2d916a4c169bae14c0b3843507ec3d6c0e410c141615da1d027c53a8bf9d2b52f00a925c5c6c35e237458c115f76e6e0427154888
+  metadata.gz: e2f6e0cf4784ef59b4c4e98db8ee820ae9c0e326cd9bc83488c90bfb6b27ea5a0cc6be28b7a52f18caeb0faeda7af1009747e593df36ae577c04c7f9a14f1703
+  data.tar.gz: bc3ba8325a68ac19c3772bb325a7adfc0be4c7d78dbe65a9ba93cfbf71c821a1666158bc386439682501471f7bd96e922b7a19f10701d39d6d365fa310bd3522

data/lib/jwtauth.rb

@@ -17,6 +17,14 @@ module Jwtauth
   # mattr_accessor :session_path
   @@session_path = nil
 
+  # Define current service contain entities
+  # mattr_accessor :service_name
+  @@service_name = nil
+
+  # Define namespace (String | Array) include +current service+ for service
+  # mattr_accessor :namespace
+  @@namespace = nil
+
   # Algorithm, JWT use to encode
   # mattr_accessor :algorithm
   @@algorithm = 'RS256'
@@ -57,6 +65,22 @@ module Jwtauth
     @@session_path = session_path
   end
 
+  def self.service_name
+    @@service_name
+  end
+
+  def self.service_name=(service_name)
+    @@service_name = service_name
+  end
+
+  def self.namespace
+    @@namespace
+  end
+
+  def self.namespace=(namespace)
+    @@namespace = namespace
+  end
+
   def self.algorithm
     @@algorithm
   end
@@ -116,7 +140,9 @@ module Jwtauth
         uri.query = CGI.unescape({
           'uid' => origin_request.headers['uid'],
           'client' => origin_request.headers['client'],
-          'access-token' => origin_request.headers['access-token'],}.to_query)
+          'access-token' => origin_request.headers['access-token'],
+          'namespace' => Jwtauth.namespace,
+        }.to_query)
 
         Net::HTTP.start(uri.host, uri.port,
           :use_ssl => uri.scheme == 'https') do |http|
@@ -165,7 +191,7 @@ module Jwtauth
     end
 
     # Handle for user not authorized
-    def user_not_authorized(exception)
+    def user_not_authenticated(exception)
       status = :forbidden
 
       case exception
@@ -185,7 +211,277 @@ module Jwtauth
 
       base.class_eval do
         attr_reader :current_user
-        rescue_from Jwtauth::AuthorizedError, with: :user_not_authorized
+        rescue_from Jwtauth::AuthorizedError, with: :user_not_authenticated
+      end
+    end
+
+    module ClassMethods
+    end
+  end
+
+  module Model
+    module ForeignKeys
+      COMPANY_ID = :company_id
+      DEPARTMENT_ID = :department_id
+      USER_ID = :user_id
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+
+      base.class_eval do
+      end
+    end
+
+    module ClassMethods
+      def new2nd params, current_user
+        _record = self.new(params)
+
+        _record[self::ForeignKeys::USER_ID] = current_user.id if _record[self::ForeignKeys::USER_ID].blank?
+        _record[self::ForeignKeys::DEPARTMENT_ID] = current_user.department_id if _record[self::ForeignKeys::DEPARTMENT_ID].blank?
+        _record[self::ForeignKeys::COMPANY_ID] = current_user.company_id if _record[self::ForeignKeys::COMPANY_ID].blank?
+
+        _record
+      end
+    end
+  end
+
+  # require include Pundit (gem <<pundit>>)
+  module Apiv01Controller
+    # Require define entity class name
+    def define_entity
+      send_json_error(['entity model is not defined'], :internal_server_error)
+    end
+
+    # Send error messages with status
+    def send_json_error(errors = [], status = :unprocessable_entity)
+      render json: errors, status: status
+    end
+
+    # Handle for user not authorized
+    def user_not_authorized(exception)
+      policy_name = exception.policy.class.to_s.underscore
+      error_message = I18n.t("#{policy_name}.#{exception.query}", scope: "pundit", default: :default)
+
+      if request.format.symbol == :json
+        send_json_error [error_message], :forbidden
+      else
+        render template: 'errors/401', locals: { message: error_message }
+      end
+    end
+
+    # GET /api/v02/entity_name(s)
+    def index
+      authorize @entity_model
+      @records = core_index_filter(policy_scope(@entity_model))
+
+      render json: { filters: filter_jsons, records: records_as_json(@records) }
+    end
+
+    # GET /api/v02/entity_names(s)/1
+    def show
+      authorize @record
+
+      render json: record_as_json(@record)
+    end
+
+    # POST /api/v02/entity_names(s)
+    def create
+      @record = @entity_model.new2nd(entity_params, current_user)
+      authorize @record
+
+      if @record.save
+        render json: record_as_json(@record), status: :created
+      else
+        render json: @record.errors.full_messages, status: :unprocessable_entity
+      end
+    end
+
+    # PATCH/PUT /api/v02/entity_names(s)/1
+    def update
+      authorize @record
+      @record.assign_attributes(entity_params)
+      authorize @record
+
+      if @record.save
+        render json: record_as_json(@record), status: :ok
+      else
+        render json: @record.errors.full_messages, status: :unprocessable_entity
+      end
+    end
+
+    # DELETE /api/v02/entity_names(s)/1
+    def destroy
+      authorize @record
+
+      @record.destroy
+    end
+
+    protected
+      # Use callbacks to share common setup or constraints between actions.
+      def set_entity
+        @record = @entity_model.find(params[:id])
+      end
+
+      # Only allow a trusted parameter "white list" through.
+      def entity_params
+        params.require(:record).permit(:created_at)
+      end
+
+      # Strong parameters for default search query
+      def search_params
+        params.permit(:id)
+      end
+
+      # Strong parameters for default advanced search query
+      def advanced_search_params
+        params.permit(:created_at)
+      end
+
+    def self.included(base)
+      base.extend ClassMethods
+
+      base.class_eval do
+        # Define entity model before action
+        before_action :authorize_user!
+        before_action :define_entity
+        before_action :set_entity, only: [:show, :update, :destroy]
+        rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+        attr_reader :entity_model
+      end
+    end
+
+    module ClassMethods
+    end
+  end
+
+  # require use Pundit (gem <<pundit>>)
+  module Policy
+    # Reference from authservice/models/role.rb
+    module Privileges
+      CREATE = 'create'.freeze
+      READ = 'read'.freeze
+      UPDATE = 'update'.freeze
+      DELETE = 'delete'.freeze
+    end
+
+    # Reference from authservice/models/role.rb
+    module LevelsOfAccess
+      NONE = 'none'.freeze
+      USER = 'user'.freeze
+      BUSINESS_UNIT = 'bu'.freeze
+      FAMILY_BU_TREE = 'fbu'.freeze
+      ORGANIZATION = 'org'.freeze
+    end
+
+    attr_reader :user, :record
+
+    def initialize(user, record)
+      @user = user
+      @record = record
+    end
+
+    def index?
+      get_level_of_access(Privileges::READ) != LevelsOfAccess::NONE
+    end
+
+    def show?
+      record_action?(get_level_of_access(Privileges::READ))
+    end
+
+    def create?
+      record_action?(get_level_of_access(Privileges::CREATE))
+    end
+
+    def new?
+      create?
+    end
+
+    def update?
+      record_action?(get_level_of_access(Privileges::UPDATE))
+    end
+
+    def edit?
+      update?
+    end
+
+    def destroy?
+      record_action?(get_level_of_access(Privileges::DELETE))
+    end
+
+    def scope
+      Pundit.policy_scope!(user, record.class)
+    end
+
+    def _entity_class
+      @record.is_a?(Class) ? @record.name.underscore : @record.class.name.underscore
+    end
+
+    protected
+      def get_level_of_access(method_name, service_name = Jwtauth.service_name)
+        level_of_access = nil
+
+        if @user.role_permissions.is_a?(Hash)
+          level_of_access = @user.role_permissions.dig(service_name, _entity_class, method_name)
+        end
+
+        level_of_access ? level_of_access : LevelsOfAccess::NONE
+      end
+
+      def record_action?(level_of_access)
+        case level_of_access
+        when LevelsOfAccess::USER
+          @user.id == @record[@record.class::ForeignKeys::USER_ID]
+        when LevelsOfAccess::BUSINESS_UNIT
+          @user.departments[LevelsOfAccess::BUSINESS_UNIT].include?(@record[@record.class::ForeignKeys::USER_ID])
+        when LevelsOfAccess::FAMILY_BU_TREE
+          @user.departments[LevelsOfAccess::FAMILY_BU_TREE].include?(@record[@record.class::ForeignKeys::DEPARTMENT_ID])
+        when LevelsOfAccess::ORGANIZATION
+          @user.company_id == @record[@record.class::ForeignKeys::COMPANY_ID]
+        else
+          false
+        end
+      end
+
+    class Scope
+      attr_reader :user, :scope
+
+      def initialize(user, scope)
+        @user = user
+        @scope = scope
+      end
+
+      def resolve
+        case get_level_of_access(Privileges::READ)
+        when LevelsOfAccess::BUSINESS_UNIT
+          scope.where(scope::ForeignKeys::DEPARTMENT_ID => @user.departments[LevelsOfAccess::BUSINESS_UNIT])
+        when LevelsOfAccess::FAMILY_BU_TREE
+          scope.where(scope::ForeignKeys::DEPARTMENT_ID => @user.departments[LevelsOfAccess::FAMILY_BU_TREE])
+        when LevelsOfAccess::ORGANIZATION
+          scope.where(scope::ForeignKeys::COMPANY_ID => @user.company_id)
+        else
+          scope.where(scope::ForeignKeys::USER_ID => @user.id)
+        end
+      end
+
+      protected
+        # Reference from Policy.instance.get_level_of_access
+        def get_level_of_access(method_name, service_name = Jwtauth.service_name)
+          level_of_access = nil
+
+          if @user.role_permissions.is_a?(Hash)
+            level_of_access = @user.role_permissions.dig(service_name, scope.name.downcase, method_name)
+          end
+
+          level_of_access ? level_of_access : LevelsOfAccess::NONE
+        end
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+
+      base.class_eval do
       end
     end
 

data/lib/jwtauth/user.rb

@@ -1,11 +1,16 @@
 module Jwtauth
   class User
-    attr_reader :id, :uid, :role
+    attr_reader :id, :uid, :role, :department_id, :company_id
+    attr_reader :role_permissions, :departments
 
     def initialize attrs
       @id = attrs['id']
       @uid = attrs['uid']
       @role = attrs['role']
+      @department_id = attrs['department_id']
+      @company_id = attrs['company_id']
+      @role_permissions = attrs['role_permissions']
+      @departments = attrs['departments']
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwtauth
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.3.1
 platform: ruby
 authors:
 - Dieu Pham