legion-rbac 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
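--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 222914812dd7014e897e4aa3a6311ea7b4e8062c74ad1c532774f2f3c9e06fca
- data.tar.gz: 30b265cf04e23b6456f839d5aeeeb47792751d3580f92b2085709b9f786388b5
+ metadata.gz: 6971b76fa8052ff121e686629a6abcf800d6819afbffe4fc0adcf146f9b00b1d
+ data.tar.gz: 97c808593590d1416dc799b3711fa0353d86f55307c16b71cde4ab5e704a093c
  SHA512:
- metadata.gz: 5e9e541ca68dffe258a0766c0dbf58069faf39475ca94db674f38b8d33430dc04a14bf75b360ce1dc72807361a7d67f9bfff558541e3287ddf51a7325bf0a416
- data.tar.gz: c327b53c9b782f461fc163aef47118c075f3367b9aa60585080faab7ebdf43c57092e580c86ea454a22c0ed5ecbd298a3027c442cc327988edd2dfe812047cb9
+ metadata.gz: e6ef4dce9750b6de9544a49f12df5311f3a312a35ee46c89465f724b5ea0d02822bd9a8c23954665df498985a143913c4012f83401e8b0b12f776fd71e624eb2
+ data.tar.gz: 97bb68fae5dc33ac682461a12ef626ec8e5e392250ef11391381a9ad3212f587385648dcda982f6bcf2d9fc2bb601cdde9d699b58924da8bf4f7c73950164f54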
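--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,17 @@
  # Changelog
 
+ ## [0.3.2] - 2026-04-08
+
+ ### Added
+ - `client_id: nil` default added to Entra settings block for explicit Azure AD app registration tracking
+
+ ## [0.3.1] - 2026-04-03
+
+ ### Fixed
+ - `authorize!` and `authorize_execution!` now early-return when `rbac.enabled: false`, preventing NameError on missing RBAC models
+ - `authorize!` and `authorize_execution!` respect `rbac.enforce: false` — logs denials but does not raise AccessDenied
+ - `Store.db_available?` now also checks that `RbacRoleAssignment` model constant is defined before attempting DB queries
+
  ## [0.3.0] - 2026-04-02
 
  ### Changed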
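--- a/data/CLAUDE.md
+++ b/data/CLAUDE.md
@@ -2,7 +2,7 @@
 
  **Parent**: `/Users/miverso2/rubymine/legion/CLAUDE.md`
  **GitHub**: https://github.com/LegionIO/legion-rbac
- **Version**: 0.2.7
+ **Version**: 0.3.2
 
  Optional RBAC gem for LegionIO. Vault-style flat policy model with deny-always-wins semantics.
 
@@ -29,6 +29,9 @@ lib/legion/rbac/policy_engine.rb # Core evaluator
  lib/legion/rbac/team_scope.rb # Cross-team access validation
  lib/legion/rbac/store.rb # Dual-mode data access
  lib/legion/rbac/middleware.rb # Rack middleware
+ lib/legion/rbac/routes.rb # Sinatra REST API routes for RBAC management
+ lib/legion/rbac/capability_registry.rb # Per-extension capability declarations and querying
+ lib/legion/rbac/capability_audit.rb # Source code scanning for dangerous patterns; enforces declared capabilities
  lib/legion/rbac/entra_claims_mapper.rb # Entra ID claims -> Legion roles
  lib/legion/rbac/kerberos_claims_mapper.rb # Kerberos principal + AD groups -> Legion roles
  ```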
data/README.md CHANGED
@@ -2,7 +2,7 @@
2
2
 
3
3
  Role-based access control for LegionIO, following Vault-style flat policy patterns.
4
4
 
5
- **Version**: 0.2.9
5
+ **Version**: 0.3.2
6
6
 
7
7
  ## Features
8
8
 
@@ -47,6 +47,7 @@ module Legion
47
47
  log.debug('RBAC Entra defaults requested')
48
48
  {
49
49
  tenant_id: nil,
50
+ client_id: nil,
50
51
  role_map: {
51
52
  'Legion.Admin' => 'admin',
52
53
  'Legion.Supervisor' => 'supervisor',
@@ -9,7 +9,9 @@ module Legion
9
9
 
10
10
  class << self
11
11
  def db_available?
12
- available = defined?(Legion::Data) ? Legion::Settings[:data]&.dig(:connected) == true : false
12
+ available = (defined?(Legion::Data) &&
13
+ Legion::Settings[:data]&.dig(:connected) == true &&
14
+ defined?(Legion::Data::Model::RbacRoleAssignment)) || false
13
15
  log.debug("RBAC store db_available=#{available}")
14
16
  available
15
17
  end
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Legion
4
4
  module Rbac
5
- VERSION = '0.3.0'
5
+ VERSION = '0.3.2'
6
6
  end
7
7
  end
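--- a/data/lib/legion/rbac.rb
+++ b/data/lib/legion/rbac.rb
@@ -78,6 +78,12 @@ module Legion
  Legion::Settings[:rbac]&.fetch(:enabled, true) != false
  end
 
+ def enforcing?
+ return true unless defined?(Legion::Settings)
+
+ Legion::Settings[:rbac]&.fetch(:enforce, true) != false
+ end
+
  def events_enabled?
  return false unless defined?(Legion::Events)
  return false unless defined?(Legion::Settings)
@@ -88,15 +94,22 @@ module Legion
  end
 
  def authorize!(principal:, action:, resource:, **)
+ return { allowed: true, reason: 'rbac disabled' } unless enabled?
+
  result = PolicyEngine.evaluate(principal: principal, action: action, resource: resource, **)
  log.info("RBAC authorize principal=#{principal.id} action=#{action} resource=#{resource} allowed=#{result[:allowed]}")
- log.warn("RBAC authorize denied principal=#{principal.id} reason=#{result[:reason]}") unless result[:allowed]
- raise AccessDenied, result unless result[:allowed]
+
+ unless result[:allowed]
+ log.warn("RBAC authorize denied principal=#{principal.id} reason=#{result[:reason]}")
+ raise AccessDenied, result if enforcing?
+ end
 
  result
  end
 
  def authorize_execution!(principal:, runner_class:, function:, target_team: nil, **)
+ return { allowed: true, reason: 'rbac disabled' } unless enabled?
+
  runner_path = build_runner_path(runner_class, function)
  log.info(
  "RBAC authorize_execution principal=#{principal.id} runner=#{runner_path} " \
@@ -109,8 +122,11 @@ module Legion
  target_team: target_team,
  **
  )
- log.warn("RBAC authorize_execution denied principal=#{principal.id} reason=#{result[:reason]}") unless result[:allowed]
- raise AccessDenied, result unless result[:allowed]
+
+ unless result[:allowed]
+ log.warn("RBAC authorize_execution denied principal=#{principal.id} reason=#{result[:reason]}")
+ raise AccessDenied, result if enforcing?
+ end
 
  result
  end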
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: legion-rbac
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.0
4
+ version: 0.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Esity