legion-rbac 0.3.1 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e31de28dec8d6ed48595581dae626ad860e9f7f3b5bf7bd40086d66edeca25a
-  data.tar.gz: ef15533a37dafea6e3783761405ea446d57cdfa55aca62816770e913aa0823e1
+  metadata.gz: 2805fec42a72b9618d9790becf4439f3fba5bbe3af5f60f4fd6ce22b230ca4b6
+  data.tar.gz: b4648e10753c56aec63c122f765a00cc545fe6626a3fcd25a344fa829df5e615
 SHA512:
-  metadata.gz: 61dc20722e2fb34563fb06ec2f73b8db7c43e96450ff8ed7052ef3316827418b8896185a3d52ca6843ca620055ebae444090f4fb075f5740bbe521c30c900f86
-  data.tar.gz: 1154d70f8bbb2cee9e7b65414606d3bd5808b3f1822d40e02f1c5ca7b0896a6edd09e27534c7ab749ffaa0e3642ed99a08c00f19f169192d2803f5d7c9cf0822
+  metadata.gz: 2f1a104089a800dbfd7fdd6e062f24cef9205aed00c0accd543deee71327705b5f20dbb259f0cf9c579a67df5046b441ecdf1cfa33f84e485105f4b2fb18c4b9
+  data.tar.gz: 76c1c1466a6956c8406626c414173476181c2b936675aee21e6b7590afd7eb5021b4718c1db3dc01b1ee27f016039673387b54cfbf44933be7915b1c0e22e0ff

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [0.3.3] - 2026-04-08
+
+### Added
+- `GroupRoleMapper` module: resolves RBAC roles from identity group memberships via exact-string `group_role_map` lookup; `enrich_principal` additive role enrichment; gated behind `Legion::Rbac.enabled?`
+- `group_role_map: {}` default added to `Settings.default` for Phase 7 configuration surface
+
+### Changed
+- RBAC middleware audit mode fix: `enabled=false` now full-bypasses (unchanged); `enabled=true, enforce=false` now runs `PolicyEngine` in dry-run mode and logs `[RBAC audit] would_deny` for any policy-denied request instead of bypassing entirely
+- Middleware principal resolution now reads `env['legion.rbac_principal']` first, falling back to `env['legion.principal']`, bridging Phase 7 Identity middleware handoff
+- Removed dead private `enforce?` method from middleware; callers now use `Legion::Rbac.enabled?` and `Legion::Rbac.enforcing?` directly to eliminate parallel implementations
+
+## [0.3.2] - 2026-04-08
+
+### Added
+- `client_id: nil` default added to Entra settings block for explicit Azure AD app registration tracking
+
 ## [0.3.1] - 2026-04-03
 
 ### Fixed

data/CLAUDE.md

@@ -2,7 +2,7 @@
 
 **Parent**: `/Users/miverso2/rubymine/legion/CLAUDE.md`
 **GitHub**: https://github.com/LegionIO/legion-rbac
-**Version**: 0.2.7
+**Version**: 0.3.2
 
 Optional RBAC gem for LegionIO. Vault-style flat policy model with deny-always-wins semantics.
 
@@ -29,6 +29,9 @@ lib/legion/rbac/policy_engine.rb # Core evaluator
 lib/legion/rbac/team_scope.rb   # Cross-team access validation
 lib/legion/rbac/store.rb        # Dual-mode data access
 lib/legion/rbac/middleware.rb              # Rack middleware
+lib/legion/rbac/routes.rb                 # Sinatra REST API routes for RBAC management
+lib/legion/rbac/capability_registry.rb    # Per-extension capability declarations and querying
+lib/legion/rbac/capability_audit.rb       # Source code scanning for dangerous patterns; enforces declared capabilities
 lib/legion/rbac/entra_claims_mapper.rb    # Entra ID claims -> Legion roles
 lib/legion/rbac/kerberos_claims_mapper.rb # Kerberos principal + AD groups -> Legion roles
 ```

data/README.md

@@ -2,7 +2,7 @@
 
 Role-based access control for LegionIO, following Vault-style flat policy patterns.
 
-**Version**: 0.2.9
+**Version**: 0.3.2
 
 ## Features
 

data/lib/legion/rbac/group_role_mapper.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Legion
+  module Rbac
+    module GroupRoleMapper
+      # Resolve RBAC roles from group memberships using a configurable map.
+      #
+      # @param groups [Array<String>] group names or OIDs from identity provider
+      # @param group_role_map [Hash, nil] { group_name => role_name }; reads default_map when nil
+      # @return [Array<String>] resolved role names (may be empty)
+      #
+      # NOTE: v1 supports exact string match only. Regexp keys in group_role_map are NOT supported —
+      # JSON settings cannot represent Regexp objects. All map keys are compared via `to_s == to_s`.
+      # Pattern matching is deferred to Phase 9.
+      def self.resolve_roles(groups:, group_role_map: nil)
+        return [] unless Legion::Rbac.enabled?
+
+        map = group_role_map || default_map
+        return [] if groups.nil? || groups.empty? || map.empty?
+
+        normalized_map = {}
+        map.each do |key, role|
+          normalized_map[key.to_s] = role.to_s
+        end
+
+        roles = Set.new
+        groups.each do |group|
+          role = normalized_map[group.to_s]
+          roles << role if role
+        end
+        roles.to_a
+      end
+
+      # Enrich an RBAC principal hash with group-derived roles (additive, never removes).
+      #
+      # @param principal [Hash] from Identity::Request#to_rbac_principal
+      # @param groups [Array<String>] from identity provider
+      # @return [Hash] principal with :roles enriched
+      def self.enrich_principal(principal:, groups:)
+        return principal unless Legion::Rbac.enabled?
+
+        additional_roles = resolve_roles(groups: groups)
+        return principal if additional_roles.empty?
+
+        existing_roles = principal[:roles] || []
+        principal.merge(roles: (existing_roles + additional_roles).uniq)
+      end
+
+      def self.default_map
+        return {} unless defined?(Legion::Settings)
+
+        rbac_settings = Legion::Settings[:rbac]
+        rbac_settings&.dig(:group_role_map) || {}
+      end
+
+      private_class_method :default_map
+    end
+  end
+end

data/lib/legion/rbac/middleware.rb

@@ -47,47 +47,19 @@ module Legion
       end
 
       def call(env)
-        return @app.call(env) unless enforce?
+        return @app.call(env) unless Legion::Rbac.enabled?
 
         path = env['PATH_INFO']
-        if skip_path?(path)
-          log.debug("RBAC middleware bypass path=#{path} reason=skip_path")
-          return @app.call(env)
-        end
-        if invoke_route?(path)
-          log.debug("RBAC middleware bypass path=#{path} reason=invoke_route")
-          return @app.call(env)
-        end
+        return bypass(env, path, :skip_path) if skip_path?(path)
+        return bypass(env, path, :invoke_route) if invoke_route?(path)
 
-        principal = env['legion.principal']
-        unless principal
-          log.warn("RBAC middleware denied method=#{env['REQUEST_METHOD']} path=#{path} reason=unauthenticated")
-          return denied_response('unauthenticated')
-        end
+        principal = env['legion.rbac_principal'] || env['legion.principal']
+        return guard_missing(env, path, 'unauthenticated') unless principal
 
         perm = find_permission(env['REQUEST_METHOD'], path)
-        unless perm
-          log.warn("RBAC middleware denied method=#{env['REQUEST_METHOD']} path=#{path} reason=unmapped_route")
-          return denied_response('unmapped route')
-        end
-        perm = effective_permission(env, perm)
-        result = policy_result(env, principal, perm)
+        return guard_missing(env, path, 'unmapped route') unless perm
 
-        if result[:allowed]
-          log.info(
-            "RBAC middleware allowed principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
-            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
-            "target_team=#{env['legion.rbac.target_team'] || 'none'}"
-          )
-          @app.call(env)
-        else
-          log.warn(
-            "RBAC middleware denied principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
-            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
-            "target_team=#{env['legion.rbac.target_team'] || 'none'} reason=#{result[:reason]}"
-          )
-          denied_response(result[:reason])
-        end
+        dispatch_policy(env, principal, effective_permission(env, perm))
       rescue StandardError => e
         handle_exception(
           e,
@@ -128,14 +100,52 @@ module Legion
         nil
       end
 
-      def enforce?
-        return false unless defined?(Legion::Settings)
-        return false if Legion::Settings[:rbac]&.fetch(:enabled, true) == false
+      def bypass(env, path, reason)
+        log.debug("RBAC middleware bypass path=#{path} reason=#{reason}")
+        @app.call(env)
+      end
 
-        Legion::Settings[:rbac][:enforce]
-      rescue StandardError => e
-        handle_exception(e, level: :warn, operation: 'rbac.middleware.enforce')
-        true
+      def guard_missing(env, path, reason)
+        if Legion::Rbac.enforcing?
+          log.warn("RBAC middleware denied method=#{env['REQUEST_METHOD']} path=#{path} reason=#{reason.tr(' ', '_')}")
+          denied_response(reason)
+        else
+          audit_and_proceed(env, reason)
+        end
+      end
+
+      def dispatch_policy(env, principal, perm)
+        result = policy_result(env, principal, perm)
+        path = env['PATH_INFO']
+
+        if result[:would_deny]
+          log.info(
+            "[RBAC audit] would_deny: #{result[:reason]} principal=#{result[:principal_id]} " \
+            "action=#{result[:action]} resource=#{result[:resource]}"
+          )
+          @app.call(env)
+        elsif result[:allowed]
+          log.info(
+            "RBAC middleware allowed principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
+            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
+            "target_team=#{env['legion.rbac.target_team'] || 'none'}"
+          )
+          @app.call(env)
+        else
+          log.warn(
+            "RBAC middleware denied principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
+            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
+            "target_team=#{env['legion.rbac.target_team'] || 'none'} reason=#{result[:reason]}"
+          )
+          denied_response(result[:reason])
+        end
+      end
+
+      def audit_and_proceed(env, reason)
+        log.info(
+          "[RBAC audit] would_deny: #{reason} method=#{env['REQUEST_METHOD']} path=#{env['PATH_INFO']}"
+        )
+        @app.call(env)
       end
 
       def denied_response(reason)

data/lib/legion/rbac/settings.rb

@@ -18,6 +18,7 @@ module Legion
           default_local_role:   'admin',
           static_assignments:   [],
           route_permissions:    {},
+          group_role_map:       {},
           roles:                default_roles,
           entra:                entra_defaults,
           capability_audit:     capability_audit_defaults
@@ -47,6 +48,7 @@ module Legion
         log.debug('RBAC Entra defaults requested')
         {
           tenant_id:    nil,
+          client_id:    nil,
           role_map:     {
             'Legion.Admin'      => 'admin',
             'Legion.Supervisor' => 'supervisor',

data/lib/legion/rbac/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Rbac
-    VERSION = '0.3.1'
+    VERSION = '0.3.3'
   end
 end

data/lib/legion/rbac.rb

@@ -13,6 +13,7 @@ require 'legion/rbac/team_scope'
 require 'legion/rbac/store'
 require 'legion/rbac/kerberos_claims_mapper'
 require 'legion/rbac/entra_claims_mapper'
+require 'legion/rbac/group_role_mapper'
 require 'legion/rbac/middleware'
 require 'legion/rbac/routes'
 require 'legion/rbac/capability_audit'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-rbac
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.3.3
 platform: ruby
 authors:
 - Esity
@@ -79,6 +79,7 @@ files:
 - lib/legion/rbac/capability_registry.rb
 - lib/legion/rbac/config_loader.rb
 - lib/legion/rbac/entra_claims_mapper.rb
+- lib/legion/rbac/group_role_mapper.rb
 - lib/legion/rbac/kerberos_claims_mapper.rb
 - lib/legion/rbac/middleware.rb
 - lib/legion/rbac/permission.rb