RubyGems - legion-rbac - Versions diffs - 0.3.2 → 0.3.3 - Mend

legion-rbac 0.3.2 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/lib/legion/rbac/group_role_mapper.rb +59 -0
data/lib/legion/rbac/middleware.rb +52 -42
data/lib/legion/rbac/settings.rb +1 -0
data/lib/legion/rbac/version.rb +1 -1
data/lib/legion/rbac.rb +1 -0
metadata +2 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6971b76fa8052ff121e686629a6abcf800d6819afbffe4fc0adcf146f9b00b1d
-  data.tar.gz: 97c808593590d1416dc799b3711fa0353d86f55307c16b71cde4ab5e704a093c
+  metadata.gz: 2805fec42a72b9618d9790becf4439f3fba5bbe3af5f60f4fd6ce22b230ca4b6
+  data.tar.gz: b4648e10753c56aec63c122f765a00cc545fe6626a3fcd25a344fa829df5e615
 SHA512:
-  metadata.gz: e6ef4dce9750b6de9544a49f12df5311f3a312a35ee46c89465f724b5ea0d02822bd9a8c23954665df498985a143913c4012f83401e8b0b12f776fd71e624eb2
-  data.tar.gz: 97bb68fae5dc33ac682461a12ef626ec8e5e392250ef11391381a9ad3212f587385648dcda982f6bcf2d9fc2bb601cdde9d699b58924da8bf4f7c73950164f54
+  metadata.gz: 2f1a104089a800dbfd7fdd6e062f24cef9205aed00c0accd543deee71327705b5f20dbb259f0cf9c579a67df5046b441ecdf1cfa33f84e485105f4b2fb18c4b9
+  data.tar.gz: 76c1c1466a6956c8406626c414173476181c2b936675aee21e6b7590afd7eb5021b4718c1db3dc01b1ee27f016039673387b54cfbf44933be7915b1c0e22e0ff

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,16 @@
 # Changelog
+## [0.3.3] - 2026-04-08
+### Added
+- `GroupRoleMapper` module: resolves RBAC roles from identity group memberships via exact-string `group_role_map` lookup; `enrich_principal` additive role enrichment; gated behind `Legion::Rbac.enabled?`
+- `group_role_map: {}` default added to `Settings.default` for Phase 7 configuration surface
+### Changed
+- RBAC middleware audit mode fix: `enabled=false` now full-bypasses (unchanged); `enabled=true, enforce=false` now runs `PolicyEngine` in dry-run mode and logs `[RBAC audit] would_deny` for any policy-denied request instead of bypassing entirely
+- Middleware principal resolution now reads `env['legion.rbac_principal']` first, falling back to `env['legion.principal']`, bridging Phase 7 Identity middleware handoff
+- Removed dead private `enforce?` method from middleware; callers now use `Legion::Rbac.enabled?` and `Legion::Rbac.enforcing?` directly to eliminate parallel implementations
 ## [0.3.2] - 2026-04-08
 ### Added

data/lib/legion/rbac/group_role_mapper.rb ADDED Viewed

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+module Legion
+  module Rbac
+    module GroupRoleMapper
+      # Resolve RBAC roles from group memberships using a configurable map.
+      #
+      # @param groups [Array<String>] group names or OIDs from identity provider
+      # @param group_role_map [Hash, nil] { group_name => role_name }; reads default_map when nil
+      # @return [Array<String>] resolved role names (may be empty)
+      #
+      # NOTE: v1 supports exact string match only. Regexp keys in group_role_map are NOT supported —
+      # JSON settings cannot represent Regexp objects. All map keys are compared via `to_s == to_s`.
+      # Pattern matching is deferred to Phase 9.
+      def self.resolve_roles(groups:, group_role_map: nil)
+        return [] unless Legion::Rbac.enabled?
+        map = group_role_map || default_map
+        return [] if groups.nil? || groups.empty? || map.empty?
+        normalized_map = {}
+        map.each do |key, role|
+          normalized_map[key.to_s] = role.to_s
+        end
+        roles = Set.new
+        groups.each do |group|
+          role = normalized_map[group.to_s]
+          roles << role if role
+        end
+        roles.to_a
+      end
+      # Enrich an RBAC principal hash with group-derived roles (additive, never removes).
+      #
+      # @param principal [Hash] from Identity::Request#to_rbac_principal
+      # @param groups [Array<String>] from identity provider
+      # @return [Hash] principal with :roles enriched
+      def self.enrich_principal(principal:, groups:)
+        return principal unless Legion::Rbac.enabled?
+        additional_roles = resolve_roles(groups: groups)
+        return principal if additional_roles.empty?
+        existing_roles = principal[:roles] || []
+        principal.merge(roles: (existing_roles + additional_roles).uniq)
+      end
+      def self.default_map
+        return {} unless defined?(Legion::Settings)
+        rbac_settings = Legion::Settings[:rbac]
+        rbac_settings&.dig(:group_role_map) || {}
+      end
+      private_class_method :default_map
+    end
+  end
+end

data/lib/legion/rbac/middleware.rb CHANGED Viewed

@@ -47,47 +47,19 @@ module Legion
       end
       def call(env)
-        return @app.call(env) unless enforce?
+        return @app.call(env) unless Legion::Rbac.enabled?
         path = env['PATH_INFO']
-        if skip_path?(path)
-          log.debug("RBAC middleware bypass path=#{path} reason=skip_path")
-          return @app.call(env)
-        end
-        if invoke_route?(path)
-          log.debug("RBAC middleware bypass path=#{path} reason=invoke_route")
-          return @app.call(env)
-        end
+        return bypass(env, path, :skip_path) if skip_path?(path)
+        return bypass(env, path, :invoke_route) if invoke_route?(path)
-        principal = env['legion.principal']
-        unless principal
-          log.warn("RBAC middleware denied method=#{env['REQUEST_METHOD']} path=#{path} reason=unauthenticated")
-          return denied_response('unauthenticated')
-        end
+        principal = env['legion.rbac_principal'] || env['legion.principal']
+        return guard_missing(env, path, 'unauthenticated') unless principal
         perm = find_permission(env['REQUEST_METHOD'], path)
-        unless perm
-          log.warn("RBAC middleware denied method=#{env['REQUEST_METHOD']} path=#{path} reason=unmapped_route")
-          return denied_response('unmapped route')
-        end
-        perm = effective_permission(env, perm)
-        result = policy_result(env, principal, perm)
+        return guard_missing(env, path, 'unmapped route') unless perm
-        if result[:allowed]
-          log.info(
-            "RBAC middleware allowed principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
-            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
-            "target_team=#{env['legion.rbac.target_team'] || 'none'}"
-          )
-          @app.call(env)
-        else
-          log.warn(
-            "RBAC middleware denied principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
-            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
-            "target_team=#{env['legion.rbac.target_team'] || 'none'} reason=#{result[:reason]}"
-          )
-          denied_response(result[:reason])
-        end
+        dispatch_policy(env, principal, effective_permission(env, perm))
       rescue StandardError => e
         handle_exception(
           e,
@@ -128,14 +100,52 @@ module Legion
         nil
       end
-      def enforce?
-        return false unless defined?(Legion::Settings)
-        return false if Legion::Settings[:rbac]&.fetch(:enabled, true) == false
+      def bypass(env, path, reason)
+        log.debug("RBAC middleware bypass path=#{path} reason=#{reason}")
+        @app.call(env)
+      end
-        Legion::Settings[:rbac][:enforce]
-      rescue StandardError => e
-        handle_exception(e, level: :warn, operation: 'rbac.middleware.enforce')
-        true
+      def guard_missing(env, path, reason)
+        if Legion::Rbac.enforcing?
+          log.warn("RBAC middleware denied method=#{env['REQUEST_METHOD']} path=#{path} reason=#{reason.tr(' ', '_')}")
+          denied_response(reason)
+        else
+          audit_and_proceed(env, reason)
+        end
+      end
+      def dispatch_policy(env, principal, perm)
+        result = policy_result(env, principal, perm)
+        path = env['PATH_INFO']
+        if result[:would_deny]
+          log.info(
+            "[RBAC audit] would_deny: #{result[:reason]} principal=#{result[:principal_id]} " \
+            "action=#{result[:action]} resource=#{result[:resource]}"
+          )
+          @app.call(env)
+        elsif result[:allowed]
+          log.info(
+            "RBAC middleware allowed principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
+            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
+            "target_team=#{env['legion.rbac.target_team'] || 'none'}"
+          )
+          @app.call(env)
+        else
+          log.warn(
+            "RBAC middleware denied principal=#{principal.id} method=#{env['REQUEST_METHOD']} " \
+            "path=#{path} resource=#{perm[:resource]} action=#{perm[:action]} " \
+            "target_team=#{env['legion.rbac.target_team'] || 'none'} reason=#{result[:reason]}"
+          )
+          denied_response(result[:reason])
+        end
+      end
+      def audit_and_proceed(env, reason)
+        log.info(
+          "[RBAC audit] would_deny: #{reason} method=#{env['REQUEST_METHOD']} path=#{env['PATH_INFO']}"
+        )
+        @app.call(env)
       end
       def denied_response(reason)

data/lib/legion/rbac/settings.rb CHANGED Viewed

@@ -18,6 +18,7 @@ module Legion
           default_local_role:   'admin',
           static_assignments:   [],
           route_permissions:    {},
+          group_role_map:       {},
           roles:                default_roles,
           entra:                entra_defaults,
           capability_audit:     capability_audit_defaults

data/lib/legion/rbac/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Legion
   module Rbac
-    VERSION = '0.3.2'
+    VERSION = '0.3.3'
   end
 end

data/lib/legion/rbac.rb CHANGED Viewed

@@ -13,6 +13,7 @@ require 'legion/rbac/team_scope'
 require 'legion/rbac/store'
 require 'legion/rbac/kerberos_claims_mapper'
 require 'legion/rbac/entra_claims_mapper'
+require 'legion/rbac/group_role_mapper'
 require 'legion/rbac/middleware'
 require 'legion/rbac/routes'
 require 'legion/rbac/capability_audit'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: legion-rbac
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.3
 platform: ruby
 authors:
 - Esity
@@ -79,6 +79,7 @@ files:
 - lib/legion/rbac/capability_registry.rb
 - lib/legion/rbac/config_loader.rb
 - lib/legion/rbac/entra_claims_mapper.rb
+- lib/legion/rbac/group_role_mapper.rb
 - lib/legion/rbac/kerberos_claims_mapper.rb
 - lib/legion/rbac/middleware.rb
 - lib/legion/rbac/permission.rb