keycard 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5ba441d104509e55f853e1003f6dd2d8c39f362e5e93ee619b0dd9378f8c13b8
-  data.tar.gz: 0d503c7e8c4682348e2c6d1ba9d9d0425fdf61429a278882368bad5cb19c4823
+  metadata.gz: 99719e6ba14e97ad966b5a53b7e114f3eb6c6bc02aa674a1654f6c7f151ad793
+  data.tar.gz: 7ee5e247aab91665c1c2fcc394e6f7f535f2382af500ec723f185b130a0258ed
 SHA512:
-  metadata.gz: 578ff3eb3e114a3060b0236f6c471fabf45e947b1f2184828f68206eab35071bfa182482cfbab4e9a1750a48e2e127d1aa4e4feda050a11e53c1937ad0778837
-  data.tar.gz: a268b75e7207d0de7626b8f675567eddce0c070158343e2f55d424c6868c06837bfcd03c0be68a3ff8b1edc42aa5798df7d3b59cbadb5b00bea1173a0e855e6d
+  metadata.gz: ddc60f9e41240190b7143c86316de2234abc6cb034b12a39ed9c655c4595a0c1fcc572ddafc6f1ac39f0fac51264b9be7a05b9458452a5306506a87eb2abfbf0
+  data.tar.gz: 658684fbbc2ede87b6fb6ee85dd10e91d39537f8bc5435584df5e4152bcf28346d7ad6a25ee3d5eb5a9f30b2efa519ea183f9ccf95acd4d25cfc298a2b43d03e

data/.rubocop.yml

@@ -26,5 +26,11 @@ Metrics/BlockLength:
     - '*.gemspec'
   ExcludedMethods: ['describe', 'context']
 
+Naming/UncommunicativeMethodParamName:
+  AllowedNames: ['db']
+
 Style/StringLiterals:
   Enabled: false
+
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact

data/keycard.gemspec

@@ -1,7 +1,7 @@
 
 # frozen_string_literal: true
 
-lib = File.expand_path("../lib", __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "keycard/version"
 

data/lib/keycard/db.rb

@@ -4,159 +4,157 @@ require 'ostruct'
 require 'logger'
 require 'yaml'
 
-module Keycard
-  # Module for database interactions for Keycard.
-  module DB
-    # Any error with the database that Keycard itself detects but cannot handle.
-    class DatabaseError < StandardError; end
-
-    CONNECTION_ERROR = 'The Keycard database is not initialized. Call initialize! first.'
-
-    ALREADY_CONNECTED = 'Already connected; refusing to connect to another database.'
-
-    MISSING_CONFIG = <<~MSG
-      KEYCARD_DATABASE_URL and DATABASE_URL are both missing and a connection
-      has not been configured. Cannot connect to the Keycard database.
-      See Keycard::DB.connect! for help.
-    MSG
-
-    LOAD_ERROR = <<~MSG
-      Error loading Keycard database models.
-      Verify connection information and that the database is migrated.
-    MSG
-
-    SCHEMA_HEADER = "# Keycard Database Version\n"
-
-    class << self
-      # Initialize Keycard
-      #
-      # This connects to the database if it has not already happened and
-      # requires all of the Keycard model classes. It is required to do the
-      # connection setup first because of the design decision in Sequel that
-      # the schema is examined at the time of extending Sequel::Model.
-      def initialize!
-        connect! unless connected?
-        begin
-          model_files.each do |file|
-            require_relative file
-          end
-        rescue Sequel::DatabaseError, NoMethodError => e
-          raise DatabaseError, LOAD_ERROR + "\n" + e.message
+# Module for database interactions for Keycard.
+module Keycard::DB
+  # Any error with the database that Keycard itself detects but cannot handle.
+  class DatabaseError < StandardError; end
+
+  CONNECTION_ERROR = 'The Keycard database is not initialized. Call initialize! first.'
+
+  ALREADY_CONNECTED = 'Already connected; refusing to connect to another database.'
+
+  MISSING_CONFIG = <<~MSG
+    KEYCARD_DATABASE_URL and DATABASE_URL are both missing and a connection
+    has not been configured. Cannot connect to the Keycard database.
+    See Keycard::DB.connect! for help.
+  MSG
+
+  LOAD_ERROR = <<~MSG
+    Error loading Keycard database models.
+    Verify connection information and that the database is migrated.
+  MSG
+
+  SCHEMA_HEADER = "# Keycard Database Version\n"
+
+  class << self
+    # Initialize Keycard
+    #
+    # This connects to the database if it has not already happened and
+    # requires all of the Keycard model classes. It is required to do the
+    # connection setup first because of the design decision in Sequel that
+    # the schema is examined at the time of extending Sequel::Model.
+    def initialize!
+      connect! unless connected?
+      begin
+        model_files.each do |file|
+          require_relative file
         end
-        db
+      rescue Sequel::DatabaseError, NoMethodError => e
+        raise DatabaseError, LOAD_ERROR + "\n" + e.message
       end
+      db
+    end
 
-      # Connect to the Keycard database.
-      #
-      # The default is to use the settings under {.config}, but can be
-      # supplied here (and they will be merged into config as a side effect).
-      # The keys that will be used from either source are documented here as
-      # the options.
-      #
-      # Only one "mode" will be used; the first of these supplied will take
-      # precedence:
-      #
-      # 1. An already-connected {Sequel::Database} object
-      # 2. A connection string
-      # 3. A connection options hash
-      #
-      # While Keycard serves as a singleton, this will raise a DatabaseError
-      # if already connected. Check `connected?` if you are unsure.
-      #
-      # @see {Sequel.connect}
-      # @param [Hash] config Optional connection config
-      # @option config [String] :url A Sequel database URL
-      # @option config [Hash]   :opts A set of connection options
-      # @option config [Sequel::Database] :db An already-connected database;
-      # @return [Sequel::Database] The initialized database connection
-      def connect!(config = {})
-        raise DatabaseError, ALREADY_CONNECTED if connected?
-        merge_config!(config)
-        raise DatabaseError, MISSING_CONFIG if self.config.db.nil? && conn_opts.empty?
-
-        # We splat here because we might give one or two arguments depending
-        # on whether we have a string or not; to add our logger regardless.
-        @db = self.config.db || Sequel.connect(*conn_opts)
-      end
+    # Connect to the Keycard database.
+    #
+    # The default is to use the settings under {.config}, but can be
+    # supplied here (and they will be merged into config as a side effect).
+    # The keys that will be used from either source are documented here as
+    # the options.
+    #
+    # Only one "mode" will be used; the first of these supplied will take
+    # precedence:
+    #
+    # 1. An already-connected {Sequel::Database} object
+    # 2. A connection string
+    # 3. A connection options hash
+    #
+    # While Keycard serves as a singleton, this will raise a DatabaseError
+    # if already connected. Check `connected?` if you are unsure.
+    #
+    # @see {Sequel.connect}
+    # @param [Hash] config Optional connection config
+    # @option config [String] :url A Sequel database URL
+    # @option config [Hash]   :opts A set of connection options
+    # @option config [Sequel::Database] :db An already-connected database;
+    # @return [Sequel::Database] The initialized database connection
+    def connect!(config = {})
+      raise DatabaseError, ALREADY_CONNECTED if connected?
+      merge_config!(config)
+      raise DatabaseError, MISSING_CONFIG if self.config.db.nil? && conn_opts.empty?
+
+      # We splat here because we might give one or two arguments depending
+      # on whether we have a string or not; to add our logger regardless.
+      @db = self.config.db || Sequel.connect(*conn_opts)
+    end
 
-      # Run any pending migrations.
-      # This will connect with the current config if not already conencted.
-      def migrate!
-        connect! unless connected?
-        unless config.readonly
-          Sequel.extension :migration
-          Sequel::Migrator.run(db, File.join(__dir__, '../../db/migrations'), table: schema_table)
-        end
-      end
+    # Run any pending migrations.
+    # This will connect with the current config if not already conencted.
+    def migrate!
+      connect! unless connected?
+      return if config.readonly
 
-      def schema_table
-        :keycard_schema
-      end
+      Sequel.extension :migration
+      Sequel::Migrator.run(db, File.join(__dir__, '../../db/migrations'), table: schema_table)
+    end
 
-      def schema_file
-        'db/keycard.yml'
-      end
+    def schema_table
+      :keycard_schema
+    end
 
-      def dump_schema!
-        connect! unless connected?
-        version = db[schema_table].first.to_yaml
-        File.write(schema_file, SCHEMA_HEADER + version)
-      end
+    def schema_file
+      'db/keycard.yml'
+    end
 
-      def load_schema!
-        connect! unless connected?
-        version = YAML.load_file(schema_file)[:version]
-        db[schema_table].delete
-        db[schema_table].insert(version: version)
-      end
+    def dump_schema!
+      connect! unless connected?
+      version = db[schema_table].first.to_yaml
+      File.write(schema_file, SCHEMA_HEADER + version)
+    end
 
-      def model_files
-        []
-      end
+    def load_schema!
+      connect! unless connected?
+      version = YAML.load_file(schema_file)[:version]
+      db[schema_table].delete
+      db[schema_table].insert(version: version)
+    end
 
-      # Merge url, opts, or db settings from a hash into our config
-      def merge_config!(config = {})
-        self.config.url  = config[:url]  if config.key?(:url)
-        self.config.opts = config[:opts] if config.key?(:opts)
-        self.config.db   = config[:db]   if config.key?(:db)
-      end
+    def model_files
+      []
+    end
 
-      def conn_opts
-        log = { logger: Logger.new('db/keycard.log') }
-        url = config.url
-        opts = config.opts
-        if url
-          [url, log]
-        elsif opts
-          [log.merge(opts)]
-        else
-          []
-        end
-      end
+    # Merge url, opts, or db settings from a hash into our config
+    def merge_config!(config = {})
+      self.config.url  = config[:url]  if config.key?(:url)
+      self.config.opts = config[:opts] if config.key?(:opts)
+      self.config.db   = config[:db]   if config.key?(:db)
+    end
 
-      def config
-        @config ||= OpenStruct.new(
-          url: ENV['KEYCARD_DATABASE_URL'] || ENV['DATABASE_URL'],
-          readonly: false
-        )
+    def conn_opts
+      log = { logger: Logger.new('db/keycard.log') }
+      url = config.url
+      opts = config.opts
+      if url
+        [url, log]
+      elsif opts
+        [log.merge(opts)]
+      else
+        []
       end
+    end
 
-      def connected?
-        !@db.nil?
-      end
+    def config
+      @config ||= OpenStruct.new(
+        url: ENV['KEYCARD_DATABASE_URL'] || ENV['DATABASE_URL'],
+        readonly: false
+      )
+    end
 
-      # The Keycard database
-      # @return [Sequel::Database] The connected database; be sure to call initialize! first.
-      def db
-        raise DatabaseError, CONNECTION_ERROR unless connected?
-        @db
-      end
+    def connected?
+      !@db.nil?
+    end
 
-      # Forward the Sequel::Database []-syntax down to db for convenience.
-      # Everything else must be called on db directly, but this is nice sugar.
-      def [](*args)
-        db[*args]
-      end
+    # The Keycard database
+    # @return [Sequel::Database] The connected database; be sure to call initialize! first.
+    def db
+      raise DatabaseError, CONNECTION_ERROR unless connected?
+      @db
+    end
+
+    # Forward the Sequel::Database []-syntax down to db for convenience.
+    # Everything else must be called on db directly, but this is nice sugar.
+    def [](*args)
+      db[*args]
     end
   end
 end

data/lib/keycard/institution_finder.rb

@@ -2,57 +2,61 @@
 
 require 'ipaddr'
 
-module Keycard
-  # looks up institution ID(s) by IP address
-  class InstitutionFinder
-    INST_QUERY = <<~SQL
-        SELECT inst FROM aa_network WHERE
-                ? >= dlpsAddressStart
-            AND ? <= dlpsAddressEnd
-            AND dlpsAccessSwitch = 'allow'
-            AND dlpsDeleted = 'f'
-            AND inst is not null
-      AND inst NOT IN
-          ( SELECT inst FROM aa_network WHERE
-            ? >= dlpsAddressStart
-            AND ? <= dlpsAddressEnd
-            AND dlpsAccessSwitch = 'deny'
-            AND dlpsDeleted = 'f' )
-    SQL
-
-    def initialize(db: Keycard::DB.db)
-      @db = db
-      @stmt = @db[INST_QUERY, *[:$client_ip] * 4].prepare(:select, :unused)
-    end
+# looks up institution ID(s) by IP address
+class Keycard::InstitutionFinder
+  IDENTITY_ATTRS = %i[dlpsInstitutionId].freeze
+
+  INST_QUERY = <<~SQL
+      SELECT inst FROM aa_network WHERE
+              ? >= dlpsAddressStart
+          AND ? <= dlpsAddressEnd
+          AND dlpsAccessSwitch = 'allow'
+          AND dlpsDeleted = 'f'
+          AND inst is not null
+    AND inst NOT IN
+        ( SELECT inst FROM aa_network WHERE
+          ? >= dlpsAddressStart
+          AND ? <= dlpsAddressEnd
+          AND dlpsAccessSwitch = 'deny'
+          AND dlpsDeleted = 'f' )
+  SQL
+
+  def initialize(db: Keycard::DB.db)
+    @db = db
+    @stmt = @db[INST_QUERY, *[:$client_ip] * 4].prepare(:select, :unused)
+  end
+
+  def identity_keys
+    IDENTITY_ATTRS
+  end
 
-    def attributes_for(request)
-      return {} unless (numeric_ip = numeric_ip(request.client_ip))
+  def attributes_for(request)
+    return {} unless (numeric_ip = numeric_ip(request.client_ip))
 
-      insts = insts_for_ip(numeric_ip)
+    insts = insts_for_ip(numeric_ip)
 
-      if !insts.empty?
-        { 'dlpsInstitutionId' => insts }
-      else
-        {}
-      end
+    if !insts.empty?
+      { dlpsInstitutionId: insts }
+    else
+      {}
     end
+  end
 
-    private
+  private
 
-    attr_reader :stmt
+  attr_reader :stmt
 
-    def insts_for_ip(numeric_ip)
-      stmt.call(client_ip: numeric_ip).map { |row| row[:inst] }
-    end
+  def insts_for_ip(numeric_ip)
+    stmt.call(client_ip: numeric_ip).map { |row| row[:inst] }
+  end
 
-    def numeric_ip(dotted_ip)
-      return unless dotted_ip
+  def numeric_ip(dotted_ip)
+    return unless dotted_ip
 
-      begin
-        IPAddr.new(dotted_ip).to_i
-      rescue IPAddr::InvalidAddressError
-        nil
-      end
+    begin
+      IPAddr.new(dotted_ip).to_i
+    rescue IPAddr::InvalidAddressError
+      nil
     end
   end
 end

data/lib/keycard/railtie.rb

@@ -1,108 +1,106 @@
 # frozen_string_literal: true
 
-module Keycard
-  # Railtie to hook Keycard into Rails applications.
-  #
-  # This does three things at present:
-  #
-  #   1. Loads our rake tasks, so you can run keycard:migrate from the app.
-  #   2. Pulls the Rails database information off of the ActiveRecord
-  #      connection and puts it on Keycard::DB.config before any application
-  #      initializers are run.
-  #   3. Sets up the Keycard database connection after application
-  #      initializers have run, if it has not already been done and we are not
-  #      running as a Rake task. This condition is key because when we are in
-  #      rails server or console, we want to initialize!, but when we are in
-  #      a rake task to update the database, we have to let it connect, but
-  #      not initialize.
-  class Railtie < Rails::Railtie
-    railtie_name :keycard
-
-    class << self
-      # Register a callback to run before anything in 'config/initializers' runs.
-      # The block will get a reference to Keycard::DB.config as its only parameter.
-      def before_initializers(&block)
-        before_blocks << block
-      end
+# Railtie to hook Keycard into Rails applications.
+#
+# This does three things at present:
+#
+#   1. Loads our rake tasks, so you can run keycard:migrate from the app.
+#   2. Pulls the Rails database information off of the ActiveRecord
+#      connection and puts it on Keycard::DB.config before any application
+#      initializers are run.
+#   3. Sets up the Keycard database connection after application
+#      initializers have run, if it has not already been done and we are not
+#      running as a Rake task. This condition is key because when we are in
+#      rails server or console, we want to initialize!, but when we are in
+#      a rake task to update the database, we have to let it connect, but
+#      not initialize.
+class Keycard::Railtie < Rails::Railtie
+  railtie_name :keycard
+
+  class << self
+    # Register a callback to run before anything in 'config/initializers' runs.
+    # The block will get a reference to Keycard::DB.config as its only parameter.
+    def before_initializers(&block)
+      before_blocks << block
+    end
 
-      # Register a callback to run after anything in 'config/initializers' runs.
-      # The block will get a reference to Keycard::DB.config as its only parameter.
-      # Keycard::DB.initialize! will not have been automatically called at this
-      # point, so this is an opportunity to do so if an initializer has not.
-      def after_initializers(&block)
-        after_blocks << block
-      end
+    # Register a callback to run after anything in 'config/initializers' runs.
+    # The block will get a reference to Keycard::DB.config as its only parameter.
+    # Keycard::DB.initialize! will not have been automatically called at this
+    # point, so this is an opportunity to do so if an initializer has not.
+    def after_initializers(&block)
+      after_blocks << block
+    end
 
-      # Register a callback to run when Keycard is ready and fully initialized.
-      # This will happen once in production, and on each request in development.
-      # If you need to do something once in development, you can choose between
-      # keeping a flag or using the after_initializers.
-      def when_keycard_is_ready(&block)
-        ready_blocks << block
-      end
+    # Register a callback to run when Keycard is ready and fully initialized.
+    # This will happen once in production, and on each request in development.
+    # If you need to do something once in development, you can choose between
+    # keeping a flag or using the after_initializers.
+    def when_keycard_is_ready(&block)
+      ready_blocks << block
+    end
 
-      def before_blocks
-        @before ||= []
-      end
+    def before_blocks
+      @before_blocks ||= []
+    end
 
-      def after_blocks
-        @after ||= []
-      end
+    def after_blocks
+      @after_blocks ||= []
+    end
 
-      def ready_blocks
-        @ready ||= []
-      end
+    def ready_blocks
+      @ready_blocks ||= []
+    end
 
-      def under_rake!
-        @rake = true
-      end
+    def under_rake!
+      @under_rake = true
+    end
 
-      def under_rake?
-        @rake ||= false
-      end
+    def under_rake?
+      @under_rake ||= false
     end
+  end
 
-    # This runs before anything in 'config/initializers' runs.
-    initializer "keycard.before_initializers", before: :load_config_initializers do
-      config = Keycard::DB.config
-      unless config.url
-        case Rails.env
-        when "development"
-          config[:opts] = { adapter: 'sqlite', database: "db/keycard_development.sqlite3" }
-        when "test"
-          config[:opts] = { adapter: 'sqlite' }
-        else 
-          raise "Keycard::DB.config must be configured"
-        end
+  # This runs before anything in 'config/initializers' runs.
+  initializer "keycard.before_initializers", before: :load_config_initializers do
+    config = Keycard::DB.config
+    unless config.url
+      case Rails.env
+      when "development"
+        config[:opts] = { adapter: 'sqlite', database: "db/keycard_development.sqlite3" }
+      when "test"
+        config[:opts] = { adapter: 'sqlite' }
+      else
+        raise "Keycard::DB.config must be configured"
       end
+    end
 
-      Railtie.before_blocks.each do |block|
-        block.call(config.to_h)
-      end
+    Railtie.before_blocks.each do |block|
+      block.call(config.to_h)
     end
+  end
 
-    # This runs after everything in 'config/initializers' runs.
-    initializer "keycard.after_initializers", after: :load_config_initializers do
-      config = Keycard::DB.config
-      Railtie.after_blocks.each do |block|
-        block.call(config.to_h)
-      end
+  # This runs after everything in 'config/initializers' runs.
+  initializer "keycard.after_initializers", after: :load_config_initializers do
+    config = Keycard::DB.config
+    Railtie.after_blocks.each do |block|
+      block.call(config.to_h)
+    end
 
-      Keycard::DB.initialize! unless Railtie.under_rake?
+    Keycard::DB.initialize! unless Railtie.under_rake?
 
-      Railtie.ready_blocks.each do |block|
-        block.call(Keycard::DB.db)
-      end
+    Railtie.ready_blocks.each do |block|
+      block.call(Keycard::DB.db)
     end
+  end
 
-    def rake_files
-      base = Pathname(__dir__) + '../tasks/'
-      [base + 'migrate.rake']
-    end
+  def rake_files
+    base = Pathname(__dir__) + '../tasks/'
+    [base + 'migrate.rake']
+  end
 
-    rake_tasks do
-      Railtie.under_rake!
-      rake_files.each { |file| load file }
-    end
+  rake_tasks do
+    Railtie.under_rake!
+    rake_files.each { |file| load file }
   end
 end

data/lib/keycard/request/attributes.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+module Keycard::Request
+  # Base class for extracting attributes from a Rack request.
+  #
+  # This provides the interface for attribute extraction, independent of how
+  # the application is served and accessed. It is not intended to be used
+  # directly; you should use {AttributesFactory} to create an appropriate
+  # subclass based on configuration.
+  #
+  # The overall design is that a subclass will extract various attributes
+  # from the request headers and environment, and a set of attribute finders
+  # may be supplied to examine the base set and add additional attributes.
+  class Attributes
+    IDENTITY_ATTRS = %i[user_pid user_eid].freeze
+
+    def initialize(request, finders: [])
+      @request = request
+      @finders = finders
+    end
+
+    # The user's persistent identifier.
+    #
+    # If the client has authenticated as a user, this will be a peristent
+    # identifier suitable as a key for an application account. It is
+    # expressly opaque, meaning that it cannot be assumed to be resolvable
+    # to a person or be useful for display purposes. It can be relied on to
+    # be stable for the same person as the identity provider determines that.
+    def user_pid
+      nil
+    end
+
+    # The user's enterprise identifier.
+    #
+    # If the client has authenticated as a user and the identity provider has
+    # releases one, this will be the "enterprise" identifier, some string that
+    # is useful for display and resolving to a person. It will tend to be
+    # something recognizable to that person, such as a network ID or email
+    # address. It may be helpful for displaying who is logged in or looking
+    # up directory information, for example. It should not be assumed to be
+    # permanent; that is, the EID may change for a person (and PID), so this
+    # should not used as a database key, for example.
+    def user_eid
+      nil
+    end
+
+    # The user's IP address.
+    #
+    # This will be a string version of the IP address of the client, whether
+    # or not they have been proxied.
+    def client_ip
+      nil
+    end
+
+    # The set of base attributes for this request.
+    #
+    # Subclasses should implement user_pid, user_eid, and client_ip
+    # and include them in the hash under those keys.
+    def base
+      {}
+    end
+
+    def [](attr)
+      all[attr]
+    end
+
+    def all
+      base.merge!(external).delete_if { |_k, v| v.nil? || v == '' }
+    end
+
+    def external
+      finders
+        .map        { |finder| finder.attributes_for(self) }
+        .reduce({}) { |hash, attrs| hash.merge!(attrs) }
+    end
+
+    def identity
+      all.select { |k, _v| identity_keys.include?(k.to_sym) }
+    end
+
+    def supplemental
+      all.reject { |k, _v| identity_keys.include?(k.to_sym) }
+    end
+
+    def identity_keys
+      @identity_keys ||= IDENTITY_ATTRS + finders.map(&:identity_keys).flatten
+    end
+
+    private
+
+    attr_reader :finders
+    attr_reader :request
+  end
+end

data/lib/keycard/request/attributes_factory.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Keycard::Request
+  # Factory to simplify creation of Attributes instances. It binds in a list
+  # of finders and inspects the Keycard.config.access mode to determine which
+  # subclass to use. You can register a factory instance as a service and then
+  # use .for instead of naming concrete classes when processing requests.
+  class AttributesFactory
+    MODE_MAP = {
+      direct:     DirectAttributes,
+      proxy:      ProxiedAttributes,
+      cosign:     CosignAttributes,
+      shibboleth: ShibbolethAttributes
+    }.freeze
+
+    def initialize(finders: [InstitutionFinder.new])
+      @finders = finders
+    end
+
+    def for(request)
+      mode = MODE_MAP[Keycard.config.access.to_sym]
+      if mode.nil?
+        # TODO: Warn about this once to the appropriate log; probably in a config check, not here.
+        # puts "Keycard does not recognize the '#{access}' access mode, using 'direct'."
+        mode = DirectAttributes
+      end
+      mode.new(request, finders: finders)
+    end
+
+    private
+
+    attr_reader :finders
+  end
+end

data/lib/keycard/request/cosign_attributes.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Keycard::Request
+  # This class extracts attributes for Cosign-protected applications. It
+  # follows the same basic pattern as for general proxied requests; that is,
+  # the pid/eid are the same and there are currently no additional
+  # attributes extracted.
+  class CosignAttributes < Attributes
+    def base
+      {
+        user_pid:  user_pid,
+        user_eid:  user_eid,
+        client_ip: client_ip
+      }
+    end
+
+    def user_pid
+      request.env['HTTP_X_REMOTE_USER']
+    end
+
+    def user_eid
+      user_pid
+    end
+
+    def client_ip
+      (request.env['HTTP_X_FORWARDED_FOR'] || '').split(',').first
+    end
+  end
+end

data/lib/keycard/request/direct_attributes.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Keycard::Request
+  # This class should be used to extract attributes when the application will
+  # serve HTTP requests directly or through a proxy that passes trusted
+  # values into the application environment to be accessed as usual.
+  class DirectAttributes < Attributes
+    def base
+      {
+        user_pid:  user_pid,
+        user_eid:  user_eid,
+        client_ip: client_ip
+      }
+    end
+
+    def user_pid
+      request.env['REMOTE_USER']
+    end
+
+    def user_eid
+      user_pid
+    end
+
+    def client_ip
+      (request.env['REMOTE_ADDR'] || '').split(',').first
+    end
+  end
+end

data/lib/keycard/{proxied_request.rb → request/proxied_attributes.rb}

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module Keycard
+module Keycard::Request
   # This request wrapper should be used when the application will be served
   # behind a reverse proxy. It relies on the trusted relationship with the
   # proxy to use HTTP headers for forwarded values.
@@ -8,17 +8,25 @@ module Keycard
   # The typical headers forwarded are X-Forwarded-User and X-Forwarded-For,
   # which, somewhat confusingly, are transposed into HTTP_X_REMOTE_USER and
   # HTTP_X_FORWARDED_FOR once the Rack request is assembled.
-  class ProxiedRequest < SimpleDelegator
-    def self.for(request)
-      new(request)
+  class ProxiedAttributes < Attributes
+    def base
+      {
+        user_pid:  user_pid,
+        user_eid:  user_eid,
+        client_ip: client_ip
+      }
     end
 
-    def username
-      env['HTTP_X_REMOTE_USER'] || ''
+    def user_pid
+      request.env['HTTP_X_REMOTE_USER']
+    end
+
+    def user_eid
+      user_pid
     end
 
     def client_ip
-      (env['HTTP_X_FORWARDED_FOR'] || '').split(',').first || ''
+      (request.env['HTTP_X_FORWARDED_FOR'] || '').split(',').first
     end
   end
 end

data/lib/keycard/request/shibboleth_attributes.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module Keycard::Request
+  # This class extracts attributes for Shibboleth-enabled applications.
+  # It trusts specific HTTP headers, so the app must not be exposed to direct
+  # requests. The pid is typically a SAML2 Persistent NameID, which is very
+  # long and cumbersome. The presence of an eid depends on attribute release
+  # by the IdP, and will commonly be an eduPersonPrincipalName. The only two
+  # attributes guaranteed to have usable values are the client_ip, for all
+  # requests, and the user_pid, for requests from authenticated users.
+  class ShibbolethAttributes < Attributes
+    def base # rubocop:disable Metrics/MethodLength
+      {
+        user_pid:                   user_pid,
+        user_eid:                   user_eid,
+        client_ip:                  client_ip,
+        persistentNameID:           persistent_id,
+        eduPersonPrincipalName:     principal_name,
+        eduPersonScopedAffiliation: affiliation,
+        displayName:                display_name,
+        mail:                       email,
+        authnContextClassRef:       authn_context,
+        authenticationMethod:       authn_method,
+        identity_provider:          identity_provider
+      }
+    end
+
+    def user_pid
+      persistent_id
+    end
+
+    def user_eid
+      principal_name
+    end
+
+    def client_ip
+      safe('HTTP_X_FORWARDED_FOR').split(',').first
+    end
+
+    def persistent_id
+      get 'HTTP_X_SHIB_PERSISTENT_ID'
+    end
+
+    def principal_name
+      get 'HTTP_X_SHIB_EDUPERSONPRINCIPALNAME'
+    end
+
+    def display_name
+      get 'HTTP_X_SHIB_DISPLAYNAME'
+    end
+
+    def email
+      get 'HTTP_X_SHIB_MAIL'
+    end
+
+    def affiliation
+      safe('HTTP_X_SHIB_EDUPERSONSCOPEDAFFILIATION').split(';')
+    end
+
+    def authn_method
+      get 'HTTP_X_SHIB_AUTHENTICATION_METHOD'
+    end
+
+    def authn_context
+      get 'HTTP_X_SHIB_AUTHNCONTEXT_CLASS'
+    end
+
+    def identity_provider
+      get 'HTTP_X_SHIB_IDENTITY_PROVIDER'
+    end
+
+    def identity_keys
+      %i[user_pid user_eid eduPersonScopedAffiliation]
+    end
+
+    private
+
+    def get(key)
+      request.env[key]
+    end
+
+    def safe(key)
+      get(key) || ''
+    end
+  end
+end

data/lib/keycard/request.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# A container module for classes related to processing HTTP/Rack requests
+module Keycard::Request
+end
+
+require_relative 'request/attributes'
+require_relative 'request/cosign_attributes'
+require_relative 'request/direct_attributes'
+require_relative 'request/proxied_attributes'
+require_relative 'request/shibboleth_attributes'
+require_relative 'request/attributes_factory'

data/lib/keycard/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Keycard
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 end

data/lib/keycard.rb

@@ -15,7 +15,5 @@ end
 
 require "keycard/db"
 require "keycard/railtie" if defined?(Rails)
-require "keycard/request_attributes"
 require "keycard/institution_finder"
-require "keycard/direct_request"
-require "keycard/proxied_request"
+require "keycard/request"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: keycard
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Noah Botimer
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-06-08 00:00:00.000000000 Z
+date: 2018-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -188,11 +188,15 @@ files:
 - keycard.gemspec
 - lib/keycard.rb
 - lib/keycard/db.rb
-- lib/keycard/direct_request.rb
 - lib/keycard/institution_finder.rb
-- lib/keycard/proxied_request.rb
 - lib/keycard/railtie.rb
-- lib/keycard/request_attributes.rb
+- lib/keycard/request.rb
+- lib/keycard/request/attributes.rb
+- lib/keycard/request/attributes_factory.rb
+- lib/keycard/request/cosign_attributes.rb
+- lib/keycard/request/direct_attributes.rb
+- lib/keycard/request/proxied_attributes.rb
+- lib/keycard/request/shibboleth_attributes.rb
 - lib/keycard/version.rb
 - lib/tasks/migrate.rake
 homepage: https://github.com/mlibrary/keycard

data/lib/keycard/direct_request.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module Keycard
-  # This request wrapper should be used when the application will serve HTTP
-  # requests directly or through a proxy that sets up the usual environment.
-  class DirectRequest < SimpleDelegator
-    def self.for(request)
-      new(request)
-    end
-
-    def username
-      env['REMOTE_USER'] || ''
-    end
-
-    def client_ip
-      (env['REMOTE_ADDR'] || '').split(',').first || ''
-    end
-  end
-end

data/lib/keycard/request_attributes.rb

@@ -1,49 +0,0 @@
-# frozen_string_literal: true
-
-module Keycard
-  # This class is responsible for extracting the user attributes (i.e. the
-  # complete set of things that determine the user's #identity), given a Rack
-  # request.
-  class RequestAttributes
-    def initialize(request, finder: InstitutionFinder.new, request_factory: default_factory)
-      @request  = request
-      @finder   = finder
-      @request_factory = request_factory
-    end
-
-    def [](attr)
-      all[attr]
-    end
-
-    def all
-      user_attributes.merge(finder.attributes_for(request))
-    end
-
-    private
-
-    def user_attributes
-      { username: request.username }
-    end
-
-    def request
-      request_factory.for(@request)
-    end
-
-    def default_factory
-      access = Keycard.config.access.to_sym
-      case access
-      when :direct
-        DirectRequest
-      when :proxy
-        ProxiedRequest
-      else
-        # TODO: Warn about this once to the appropriate log; probably in a config check, not here.
-        # puts "Keycard does not recognize the '#{access}' access mode, using 'direct'."
-        DirectRequest
-      end
-    end
-
-    attr_reader :finder
-    attr_reader :request_factory
-  end
-end