legion-rbac 0.3.0 → 0.3.1

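--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 222914812dd7014e897e4aa3a6311ea7b4e8062c74ad1c532774f2f3c9e06fca
- data.tar.gz: 30b265cf04e23b6456f839d5aeeeb47792751d3580f92b2085709b9f786388b5
+ metadata.gz: 1e31de28dec8d6ed48595581dae626ad860e9f7f3b5bf7bd40086d66edeca25a
+ data.tar.gz: ef15533a37dafea6e3783761405ea446d57cdfa55aca62816770e913aa0823e1
  SHA512:
- metadata.gz: 5e9e541ca68dffe258a0766c0dbf58069faf39475ca94db674f38b8d33430dc04a14bf75b360ce1dc72807361a7d67f9bfff558541e3287ddf51a7325bf0a416
- data.tar.gz: c327b53c9b782f461fc163aef47118c075f3367b9aa60585080faab7ebdf43c57092e580c86ea454a22c0ed5ecbd298a3027c442cc327988edd2dfe812047cb9
+ metadata.gz: 61dc20722e2fb34563fb06ec2f73b8db7c43e96450ff8ed7052ef3316827418b8896185a3d52ca6843ca620055ebae444090f4fb075f5740bbe521c30c900f86
+ data.tar.gz: 1154d70f8bbb2cee9e7b65414606d3bd5808b3f1822d40e02f1c5ca7b0896a6edd09e27534c7ab749ffaa0e3642ed99a08c00f19f169192d2803f5d7c9cf0822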
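--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,12 @@
  # Changelog
 
+ ## [0.3.1] - 2026-04-03
+
+ ### Fixed
+ - `authorize!` and `authorize_execution!` now early-return when `rbac.enabled: false`, preventing NameError on missing RBAC models
+ - `authorize!` and `authorize_execution!` respect `rbac.enforce: false` — logs denials but does not raise AccessDenied
+ - `Store.db_available?` now also checks that `RbacRoleAssignment` model constant is defined before attempting DB queries
+
  ## [0.3.0] - 2026-04-02
 
  ### Changed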
@@ -9,7 +9,9 @@ module Legion
9
9
 
10
10
  class << self
11
11
  def db_available?
12
- available = defined?(Legion::Data) ? Legion::Settings[:data]&.dig(:connected) == true : false
12
+ available = (defined?(Legion::Data) &&
13
+ Legion::Settings[:data]&.dig(:connected) == true &&
14
+ defined?(Legion::Data::Model::RbacRoleAssignment)) || false
13
15
  log.debug("RBAC store db_available=#{available}")
14
16
  available
15
17
  end
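Review bot: `available` in `db_available?` is no longer a strict boolean when the store is usable: the `&&` chain ends in `defined?(Legion::Data::Model::RbacRoleAssignment)`, which evaluates to the String `"constant"`, so the method returns that value and the debug line prints `db_available=constant`. Any caller that compares the result with `== true` (as this method itself does for `:connected`) would then treat the store as unavailable; whether such callers exist is not visible here. Wrapping the expression as `available = !!(defined?(Legion::Data) && Legion::Settings[:data]&.dig(:connected) == true && defined?(Legion::Data::Model::RbacRoleAssignment))` keeps the predicate returning true or false. The enclosing `class << self` continues outside the hunk.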
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Legion
4
4
  module Rbac
5
- VERSION = '0.3.0'
5
+ VERSION = '0.3.1'
6
6
  end
7
7
  end
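--- a/data/lib/legion/rbac.rb
+++ b/data/lib/legion/rbac.rb
@@ -78,6 +78,12 @@ module Legion
  Legion::Settings[:rbac]&.fetch(:enabled, true) != false
  end
 
+ def enforcing?
+ return true unless defined?(Legion::Settings)
+
+ Legion::Settings[:rbac]&.fetch(:enforce, true) != false
+ end
+
  def events_enabled?
  return false unless defined?(Legion::Events)
  return false unless defined?(Legion::Settings)
@@ -88,15 +94,22 @@ module Legion
  end
 
  def authorize!(principal:, action:, resource:, **)
+ return { allowed: true, reason: 'rbac disabled' } unless enabled?
+
  result = PolicyEngine.evaluate(principal: principal, action: action, resource: resource, **)
  log.info("RBAC authorize principal=#{principal.id} action=#{action} resource=#{resource} allowed=#{result[:allowed]}")
- log.warn("RBAC authorize denied principal=#{principal.id} reason=#{result[:reason]}") unless result[:allowed]
- raise AccessDenied, result unless result[:allowed]
+
+ unless result[:allowed]
+ log.warn("RBAC authorize denied principal=#{principal.id} reason=#{result[:reason]}")
+ raise AccessDenied, result if enforcing?
+ end
 
  result
  end
 
  def authorize_execution!(principal:, runner_class:, function:, target_team: nil, **)
+ return { allowed: true, reason: 'rbac disabled' } unless enabled?
+
  runner_path = build_runner_path(runner_class, function)
  log.info(
  "RBAC authorize_execution principal=#{principal.id} runner=#{runner_path} " \
@@ -109,8 +122,11 @@ module Legion
  target_team: target_team,
  **
  )
- log.warn("RBAC authorize_execution denied principal=#{principal.id} reason=#{result[:reason]}") unless result[:allowed]
- raise AccessDenied, result unless result[:allowed]
+
+ unless result[:allowed]
+ log.warn("RBAC authorize_execution denied principal=#{principal.id} reason=#{result[:reason]}")
+ raise AccessDenied, result if enforcing?
+ end
 
  result
  end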
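Review bot: In both `authorize!` and `authorize_execution!` the denial `log.warn` reads the same whether or not `AccessDenied` is raised, so with `rbac.enforce: false` the log cannot show that a denied action was allowed to continue. Record the mode on that line, e.g. `log.warn("RBAC authorize denied principal=#{principal.id} reason=#{result[:reason]} enforced=#{enforcing?}")`, and likewise on the `authorize_execution` line. The new `unless enabled?` early return also hands back `allowed: true` without writing any log entry, so calls made while RBAC is disabled leave no trace; a `log.debug` before that return would make the bypass visible. Callers that rely on the bang methods raising and ignore the returned hash will proceed on a denial in non-enforce mode, which appears intended but deserves a doc comment on `enforcing?` saying so. `authorize_execution!` is split across two hunks, so the middle of its body is not visible here.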
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: legion-rbac
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.0
4
+ version: 0.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Esity