legion-rbac 0.2.6 → 0.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4520154d312609d4efb9a4ecd822ac6fad916593c96b56c36562fa8d7b820d11
-  data.tar.gz: 17d138847a7bf5d90fb6fb8a6173ba4dda84fde6e69f8ff5cddf70ca6bfa5034
+  metadata.gz: 59a7e721e473fdb1e65fe31d2da68e7fc7fc0a65e2e077f199f62c98aaf78fb5
+  data.tar.gz: b59c16e31ab6f63b1f93947a6c47ba59c891c2275a4f73463f892f4c0a71d9a8
 SHA512:
-  metadata.gz: 44c8e72ea7dabf96f95772a7bcaec376d24a9af5b0402328e4c5f1c34aa1ad8a0bb8da74d1a635edc8fc6d26c29c66457af2f7f1ab772a59ec21003a1435c612
-  data.tar.gz: a352e948c5fd391f28980fd12f59f2b5430394ae0074f7dc24d57d1f1377d73c0c99d3952752ff80835b290ab6b2994af3df36afdd43813cdff2035c2e548f27
+  metadata.gz: c8431ff82ad752660da99454b4170999572d2c37259fe33605238fc4faa6fdabe3d5c50a29dfc0d40c2fb45225107e457f15ac1e14aa0d8c41f6985cb39aa855
+  data.tar.gz: aafee7d9c8e9a3a07974aae8b890a8120dda0a10906a45ec1e967745563db0c2eed90ae39d2e14603d383df900ef450add66484d00cd4254288c573d976a47f2

data/.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# Auto-generated from team-config.yml
+# Team: core
+#
+# To apply: scripts/apply-codeowners.sh legion-rbac
+
+* @LegionIO/maintainers
+* @LegionIO/core

data/.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"

data/.github/workflows/ci.yml

@@ -3,14 +3,32 @@ on:
   push:
     branches: [main]
   pull_request:
+  schedule:
+    - cron: '0 9 * * 1'
 
 jobs:
   ci:
     uses: LegionIO/.github/.github/workflows/ci.yml@main
 
+  lint:
+    uses: LegionIO/.github/.github/workflows/lint-patterns.yml@main
+
+  security:
+    uses: LegionIO/.github/.github/workflows/security-scan.yml@main
+
+  version-changelog:
+    uses: LegionIO/.github/.github/workflows/version-changelog.yml@main
+
+  dependency-review:
+    uses: LegionIO/.github/.github/workflows/dependency-review.yml@main
+
+  stale:
+    if: github.event_name == 'schedule'
+    uses: LegionIO/.github/.github/workflows/stale.yml@main
+
   release:
-    needs: ci
+    needs: [ci, lint]
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     uses: LegionIO/.github/.github/workflows/release.yml@main
     secrets:
-      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}
+      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [0.2.8] - 2026-03-28
+
+### Added
+- `Legion::Rbac::Routes` self-registering Sinatra route module (`lib/legion/rbac/routes.rb`): extracts all `/api/rbac/*` route handlers from LegionIO. Self-registers with `Legion::API.register_library_routes('rbac', Routes)` during boot. Includes fallback helpers for standalone mounting.
+
+## [0.2.7] - 2026-03-22
+
+### Changed
+- Corrected legion-settings version constraint to `>= 1.3.12`
+
 ## [0.2.6] - 2026-03-22
 
 ### Changed

data/legion-rbac.gemspec

@@ -27,5 +27,5 @@ Gem::Specification.new do |spec|
   }
 
   spec.add_dependency 'legion-json', '>= 1.2.0'
-  spec.add_dependency 'legion-settings', '>= 1.3.9'
+  spec.add_dependency 'legion-settings', '>= 1.3.12'
 end

data/lib/legion/rbac/routes.rb

@@ -0,0 +1,260 @@
+# frozen_string_literal: true
+
+# Self-registering route module for legion-rbac.
+# All routes previously defined in LegionIO/lib/legion/api/rbac.rb now live here
+# and are mounted via Legion::API.register_library_routes when legion-rbac boots.
+#
+# LegionIO/lib/legion/api/rbac.rb is preserved for backward compatibility but guards
+# its registration with defined?(Legion::Rbac::Routes) so double-registration is avoided.
+
+module Legion
+  module Rbac
+    module Routes
+      def self.registered(app)
+        app.helpers do # rubocop:disable Metrics/BlockLength
+          unless method_defined?(:parse_request_body)
+            define_method(:parse_request_body) do
+              raw = request.body.read
+              return {} if raw.nil? || raw.empty?
+
+              begin
+                parsed = Legion::JSON.load(raw)
+              rescue StandardError
+                halt 400, { 'Content-Type' => 'application/json' },
+                     Legion::JSON.dump({ error: { code: 'invalid_json', message: 'request body is not valid JSON' } })
+              end
+
+              unless parsed.respond_to?(:transform_keys)
+                halt 400, { 'Content-Type' => 'application/json' },
+                     Legion::JSON.dump({ error: { code:    'invalid_request_body',
+                                                  message: 'request body must be a JSON object' } })
+              end
+
+              parsed.transform_keys(&:to_sym)
+            end
+          end
+
+          unless method_defined?(:json_response)
+            define_method(:json_response) do |data, status_code: 200|
+              content_type :json
+              status status_code
+              Legion::JSON.dump({ data: data })
+            end
+          end
+
+          unless method_defined?(:json_error)
+            define_method(:json_error) do |code, message, status_code: 400|
+              content_type :json
+              status status_code
+              Legion::JSON.dump({ error: { code: code, message: message } })
+            end
+          end
+
+          unless method_defined?(:json_collection)
+            define_method(:json_collection) do |dataset|
+              content_type :json
+              Legion::JSON.dump({ data: dataset.all.map(&:values) })
+            end
+          end
+
+          unless method_defined?(:current_owner_msid)
+            define_method(:current_owner_msid) do
+              env['legion.owner_msid']
+            end
+          end
+        end
+
+        register_roles(app)
+        register_check(app)
+        register_assignments(app)
+        register_grants(app)
+        register_cross_team_grants(app)
+      end
+
+      def self.register_roles(app)
+        app.get '/api/rbac/roles' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+
+          roles = Legion::Rbac.role_index.transform_values do |role|
+            { name: role.name, description: role.description, cross_team: role.cross_team? }
+          end
+          json_response(roles)
+        end
+
+        app.get '/api/rbac/roles/:name' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+
+          role = Legion::Rbac.role_index[params[:name].to_sym]
+          halt 404, json_error('not_found', "Role #{params[:name]} not found", status_code: 404) unless role
+
+          json_response({
+                          name:        role.name,
+                          description: role.description,
+                          cross_team:  role.cross_team?,
+                          permissions: role.permissions.map { |p| { resource: p.resource_pattern, actions: p.actions } },
+                          deny_rules:  role.deny_rules.map { |d| { resource: d.resource_pattern, above_level: d.above_level } }
+                        })
+        end
+      end
+
+      def self.register_check(app)
+        app.post '/api/rbac/check' do
+          Legion::Logging.debug "API: POST /api/rbac/check params=#{params.keys}" if defined?(Legion::Logging)
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+
+          body = parse_request_body
+          principal = Legion::Rbac::Principal.new(
+            id:    body[:principal] || 'anonymous',
+            roles: body[:roles] || [],
+            team:  body[:team]
+          )
+          result = Legion::Rbac::PolicyEngine.evaluate(
+            principal: principal,
+            action:    body[:action] || 'read',
+            resource:  body[:resource] || '*',
+            enforce:   false
+          )
+          json_response(result)
+        rescue StandardError => e
+          Legion::Logging.error "API POST /api/rbac/check: #{e.class} — #{e.message}" if defined?(Legion::Logging)
+          json_error('rbac_error', e.message, status_code: 500)
+        end
+      end
+
+      def self.register_assignments(app) # rubocop:disable Metrics/AbcSize,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+        app.get '/api/rbac/assignments' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          dataset = Legion::Data::Model::RbacRoleAssignment.order(:id)
+          dataset = dataset.where(team: params[:team]) if params[:team]
+          dataset = dataset.where(role: params[:role]) if params[:role]
+          dataset = dataset.where(principal_id: params[:principal]) if params[:principal]
+          json_collection(dataset)
+        end
+
+        app.post '/api/rbac/assignments' do
+          Legion::Logging.debug "API: POST /api/rbac/assignments params=#{params.keys}" if defined?(Legion::Logging)
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          body = parse_request_body
+          record = Legion::Data::Model::RbacRoleAssignment.create(
+            principal_type: body[:principal_type] || 'human',
+            principal_id:   body[:principal_id],
+            role:           body[:role],
+            team:           body[:team],
+            granted_by:     current_owner_msid || 'api',
+            expires_at:     body[:expires_at] ? Time.parse(body[:expires_at]) : nil
+          )
+          Legion::Logging.info "API: created RBAC assignment #{record.id} role=#{body[:role]} principal=#{body[:principal_id]}" if defined?(Legion::Logging)
+          json_response(record.values, status_code: 201)
+        rescue Sequel::ValidationFailed => e
+          Legion::Logging.warn "API POST /api/rbac/assignments returned 422: #{e.message}" if defined?(Legion::Logging)
+          json_error('validation_error', e.message, status_code: 422)
+        end
+
+        app.delete '/api/rbac/assignments/:id' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          record = Legion::Data::Model::RbacRoleAssignment[params[:id].to_i]
+          halt 404, json_error('not_found', 'Assignment not found', status_code: 404) unless record
+
+          record.destroy
+          Legion::Logging.info "API: deleted RBAC assignment #{params[:id]}" if defined?(Legion::Logging)
+          json_response({ deleted: true })
+        end
+      end
+
+      def self.register_grants(app)
+        app.get '/api/rbac/grants' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          dataset = Legion::Data::Model::RbacRunnerGrant.order(:id)
+          dataset = dataset.where(team: params[:team]) if params[:team]
+          json_collection(dataset)
+        end
+
+        app.post '/api/rbac/grants' do
+          Legion::Logging.debug "API: POST /api/rbac/grants params=#{params.keys}" if defined?(Legion::Logging)
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          body = parse_request_body
+          record = Legion::Data::Model::RbacRunnerGrant.create(
+            team:           body[:team],
+            runner_pattern: body[:runner_pattern],
+            actions:        Array(body[:actions]).join(','),
+            granted_by:     current_owner_msid || 'api'
+          )
+          Legion::Logging.info "API: created RBAC grant #{record.id} team=#{body[:team]} pattern=#{body[:runner_pattern]}" if defined?(Legion::Logging)
+          json_response(record.values, status_code: 201)
+        rescue Sequel::ValidationFailed => e
+          Legion::Logging.warn "API POST /api/rbac/grants returned 422: #{e.message}" if defined?(Legion::Logging)
+          json_error('validation_error', e.message, status_code: 422)
+        end
+
+        app.delete '/api/rbac/grants/:id' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          record = Legion::Data::Model::RbacRunnerGrant[params[:id].to_i]
+          halt 404, json_error('not_found', 'Grant not found', status_code: 404) unless record
+
+          record.destroy
+          Legion::Logging.info "API: deleted RBAC grant #{params[:id]}" if defined?(Legion::Logging)
+          json_response({ deleted: true })
+        end
+      end
+
+      def self.register_cross_team_grants(app)
+        app.get '/api/rbac/grants/cross-team' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          dataset = Legion::Data::Model::RbacCrossTeamGrant.order(:id)
+          json_collection(dataset)
+        end
+
+        app.post '/api/rbac/grants/cross-team' do
+          Legion::Logging.debug "API: POST /api/rbac/grants/cross-team params=#{params.keys}" if defined?(Legion::Logging)
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          body = parse_request_body
+          record = Legion::Data::Model::RbacCrossTeamGrant.create(
+            source_team:    body[:source_team],
+            target_team:    body[:target_team],
+            runner_pattern: body[:runner_pattern],
+            actions:        Array(body[:actions]).join(','),
+            granted_by:     current_owner_msid || 'api',
+            expires_at:     body[:expires_at] ? Time.parse(body[:expires_at]) : nil
+          )
+          Legion::Logging.info "API: created cross-team RBAC grant #{record.id} #{body[:source_team]}->#{body[:target_team]}" if defined?(Legion::Logging)
+          json_response(record.values, status_code: 201)
+        rescue Sequel::ValidationFailed => e
+          Legion::Logging.warn "API POST /api/rbac/grants/cross-team returned 422: #{e.message}" if defined?(Legion::Logging)
+          json_error('validation_error', e.message, status_code: 422)
+        end
+
+        app.delete '/api/rbac/grants/cross-team/:id' do
+          return json_error('rbac_unavailable', 'legion-rbac not installed', status_code: 501) unless defined?(Legion::Rbac)
+          return json_error('db_unavailable', 'legion-data not connected', status_code: 503) unless Legion::Rbac::Store.db_available?
+
+          record = Legion::Data::Model::RbacCrossTeamGrant[params[:id].to_i]
+          halt 404, json_error('not_found', 'Grant not found', status_code: 404) unless record
+
+          record.destroy
+          Legion::Logging.info "API: deleted cross-team RBAC grant #{params[:id]}" if defined?(Legion::Logging)
+          json_response({ deleted: true })
+        end
+      end
+
+      class << self
+        private :register_roles, :register_check, :register_assignments, :register_grants, :register_cross_team_grants
+      end
+    end
+  end
+end

data/lib/legion/rbac/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Rbac
-    VERSION = '0.2.6'
+    VERSION = '0.2.8'
   end
 end

data/lib/legion/rbac.rb

@@ -11,6 +11,7 @@ require 'legion/rbac/team_scope'
 require 'legion/rbac/store'
 require 'legion/rbac/entra_claims_mapper'
 require 'legion/rbac/middleware'
+require 'legion/rbac/routes'
 
 module Legion
   module Rbac
@@ -26,10 +27,20 @@ module Legion
     class << self
       attr_reader :role_index
 
+      def register_routes
+        return unless defined?(Legion::API) && Legion::API.respond_to?(:register_library_routes)
+
+        Legion::API.register_library_routes('rbac', Legion::Rbac::Routes)
+        Legion::Logging.debug 'Legion::Rbac routes registered with API' if defined?(Legion::Logging)
+      rescue StandardError => e
+        Legion::Logging.warn "Legion::Rbac route registration failed: #{e.message}" if defined?(Legion::Logging)
+      end
+
       def setup
         Legion::Settings.merge_settings(:rbac, Legion::Rbac::Settings.default)
         @role_index = ConfigLoader.load_roles
         Legion::Settings[:rbac][:connected] = true
+        register_routes
       end
 
       def shutdown

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-rbac
 version: !ruby/object:Gem::Version
-  version: 0.2.6
+  version: 0.2.8
 platform: ruby
 authors:
 - Esity
@@ -29,14 +29,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.9
+        version: 1.3.12
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.9
+        version: 1.3.12
 description: Role-based access control for LegionIO with team scoping and policy enforcement
 email:
 - matthewdiverson@gmail.com
@@ -47,6 +47,8 @@ extra_rdoc_files:
 - LICENSE
 - README.md
 files:
+- ".github/CODEOWNERS"
+- ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
@@ -67,6 +69,7 @@ files:
 - lib/legion/rbac/policy_engine.rb
 - lib/legion/rbac/principal.rb
 - lib/legion/rbac/role.rb
+- lib/legion/rbac/routes.rb
 - lib/legion/rbac/settings.rb
 - lib/legion/rbac/store.rb
 - lib/legion/rbac/team_scope.rb