mumukit-auth 1.0.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 70c6f03db7fc8a236b7b46ca958514e61ff3dd13
-  data.tar.gz: e2a30faa89265699b2ea9d3817caedb9fa215d52
+  metadata.gz: c6c6bdaf752ff0631203b9b75b9f6355e8221072
+  data.tar.gz: 39560f938b75e9cf21bf68332e84f7414c9d31c7
 SHA512:
-  metadata.gz: f16261e01254897e2162a25782bfc83f8f4fb0eaf1ac61c398c661ed21f044a1b75ee2e7169c9facf963d4c8b4baaad9de4982d8a3a8eccdc042aeea6b44e4ed
-  data.tar.gz: fccafb9f032c7e850c404c2b7142aad7e5f9f76a260dc8017edc4617388b6320f5b5f00f7712876a52e4cafee6325085e00f82833b85250713d82b146efbf6e5
+  metadata.gz: bfeede5ef70098672b9d5e0b9c9ea143bec35b238e4ebbdd783832d7c6adee6b487d986fd4453cb45e219c5117b35ed9f968ee85fd44f534286fa4648511876e
+  data.tar.gz: 1b8e40683bf497d548b6a3b1bb906a46092a0e30aa479906eda25e33c850947860e324c426ec56552965716d029590b1632bae8be789ff56c558c7d185a747db

data/lib/mumukit/auth.rb

@@ -1,13 +1,15 @@
 require 'active_support/all'
 require 'mumukit/core'
 
+require_relative './auth/array'
+require_relative './auth/roles'
+require_relative './auth/slug'
 require_relative './auth/version'
 require_relative './auth/exceptions'
 require_relative './auth/grant'
-require_relative './auth/metadata'
 require_relative './auth/token'
+require_relative './auth/scope'
 require_relative './auth/permissions'
-require_relative './auth/user'
 
 require 'ostruct'
 

data/lib/mumukit/auth/array.rb

@@ -0,0 +1,6 @@
+class Array
+  # Expands the array to length, filling the blanks with the element given
+  def pad_with(element, length)
+    self.fill(element, self.length, length - self.length)
+  end
+end

data/lib/mumukit/auth/exceptions.rb

@@ -4,7 +4,4 @@ module Mumukit::Auth
 
   class UnauthorizedAccessError < StandardError
   end
-
-  class EmailNotRegistered < StandardError
-  end
 end

data/lib/mumukit/auth/grant.rb

@@ -1,15 +1,22 @@
+class String
+  def to_mumukit_grant
+    Mumukit::Auth::Grant.parse self
+  end
+end
+
+
 module Mumukit::Auth
   class Grant
     def as_json(options={})
       to_s
     end
 
-    def [](resource)
-      (self.class.slug? resource) ? allows?(resource) : access?(resource)
+    def to_mumukit_grant
+      self
     end
 
-    def self.slug?(resource_identifier)
-      /.*\/.*/.matches? resource_identifier
+    def ==(other)
+      other.class == self.class && to_s == other.to_s
     end
 
     def self.parse(pattern)
@@ -17,19 +24,15 @@ module Mumukit::Auth
         when '*' then
           AllGrant.new
         when /(.*)\/\*/
-          OrgGrant.new($1)
+          FirstPartGrant.new($1)
         else
-          SingleGrant.new(pattern)
+          SingleGrant.new(Slug.parse pattern)
       end
     end
   end
 
   class AllGrant < Grant
-    def allows?(slug)
-      true
-    end
-
-    def access?(organization)
+    def allows?(_resource_slug)
       true
     end
 
@@ -38,39 +41,32 @@ module Mumukit::Auth
     end
   end
 
-  class SingleGrant < Grant
-    def initialize(slug)
-      @slug = slug
-    end
-
-    def allows?(slug)
-      @slug == slug
+  class FirstPartGrant < Grant
+    def initialize(first)
+      @first = first
     end
 
-    def access?(organization)
-      @slug.split('/')[0] == organization
+    def allows?(resource_slug)
+      resource_slug.to_mumukit_slug.match_first @first
     end
 
     def to_s
-      @slug
+      "#{@first}/*"
     end
   end
 
-  class OrgGrant < Grant
-    def initialize(org)
-      @org = org
-    end
-
-    def allows?(slug)
-      /^#{@org}\/.*/.matches? slug
+  class SingleGrant < Grant
+    def initialize(slug)
+      @slug = slug
     end
 
-    def access?(organization)
-      @org == organization
+    def allows?(resource_slug)
+      resource_slug = resource_slug.to_mumukit_slug
+      resource_slug.match_first(@slug.first) && resource_slug.match_second(@slug.second)
     end
 
     def to_s
-      "#{@org}/*"
+      @slug.to_s
     end
   end
 end

data/lib/mumukit/auth/permissions.rb

@@ -1,58 +1,54 @@
-module Mumukit::Auth
-  class Permissions
+class Mumukit::Auth::Permissions
+  include Mumukit::Auth::Roles
 
-    def initialize(grants)
-      @grants = grants
-    end
+  attr_accessor :scopes
 
-    def protect!(slug)
-      raise Mumukit::Auth::UnauthorizedAccessError.new(unauthorized_message(slug)) unless allows?(slug)
-    end
+  def initialize(scopes={})
+    raise 'invalid scopes' if scopes.any? { |key, value| value.class != Mumukit::Auth::Scope  }
 
-    def allows?(slug)
-      any_grant? { |grant| grant.allows? slug }
-    end
-
-    def access?(organization)
-      any_grant? { |grant| grant.access? organization }
-    end
+    @scopes = scopes
+  end
 
-    def [](organization)
-      any_grant? { |grant| grant[organization] }
-    end
+  def has_permission?(role, resource_slug)
+    !!scope_for(role)&.allows?(resource_slug)
+  end
 
-    def as_json
-      to_s
-    end
+  def has_role?(role)
+    scopes[role].present?
+  end
 
-    def to_s
-      @grants.map(&:to_s).uniq.join(':')
-    end
+  def scope_for(role)
+    self.scopes[role]
+  end
 
-    def present?
-      to_s.present?
-    end
+  def add_permission!(role, *grants)
+    self.scopes[role] ||= Mumukit::Auth::Scope.new
+    scope_for(role)&.add_grant! *grants
+  end
 
-    def self.dump(permission)
-      permission.to_s
-    end
+  def remove_permission!(role, grant)
+    scope_for(role)&.remove_grant!(grant)
+  end
 
-    def self.load(pattern)
-      parse(pattern)
-    end
+  def update_permission!(role, old_grant, new_grant)
+    remove_permission! role, old_grant
+    add_permission! role, new_grant
+  end
 
-    def self.parse(pattern)
-      new(pattern.split(':').map { |grant_pattern| Grant.parse(grant_pattern) })
-    end
+  def as_json(options={})
+    scopes.as_json(options)
+  end
 
-    private
+  def self.parse(hash)
+    new(Hash[hash.map { |role, grants| [role, Mumukit::Auth::Scope.parse(grants)] }])
+  end
 
-    def any_grant?(&block)
-      @grants.any?(&block)
-    end
+  def self.load(json)
+    parse(JSON.parse(json))
+  end
 
-    def unauthorized_message(slug)
-      "Unauthorized access to #{slug}. Permissions are #{to_s}"
-    end
+  def self.dump(user)
+    user.to_json
   end
+
 end

data/lib/mumukit/auth/roles.rb

@@ -0,0 +1,12 @@
+module Mumukit::Auth
+  module Roles
+    ROLES = [:student, :teacher, :headmaster, :writer, :editor, :janitor, :owner]
+
+    ROLES.each do |role|
+      define_method "#{role}?" do |scope|
+        has_permission? role.to_sym, scope
+      end
+    end
+  end
+end
+

data/lib/mumukit/auth/scope.rb

@@ -0,0 +1,52 @@
+module Mumukit::Auth
+  class Scope
+    attr_accessor :grants
+
+    def initialize(grants=[])
+      @grants = grants
+    end
+
+    def protect!(resource_slug)
+      raise Mumukit::Auth::UnauthorizedAccessError.new(unauthorized_message(resource_slug)) unless allows?(resource_slug)
+    end
+
+    def allows?(resource_slug)
+      any_grant? { |grant| grant.allows? resource_slug }
+    end
+
+    def add_grant!(*grants)
+      self.grants.push *grants.map(&:to_mumukit_grant)
+    end
+
+    def remove_grant!(grant)
+      grant = grant.to_mumukit_grant
+      self.grants.delete(grant)
+    end
+
+    def to_s
+      grants.map(&:to_s).join(':')
+    end
+
+    def present?
+      to_s.present?
+    end
+
+    def self.parse(string)
+      new(string.split(':').map(&:to_mumukit_grant))
+    end
+
+    def as_json(_options={})
+      to_s
+    end
+
+    private
+
+    def any_grant?(&block)
+      @grants.any?(&block)
+    end
+
+    def unauthorized_message(slug)
+      "Unauthorized access to #{slug}. Permissions are #{to_s}"
+    end
+  end
+end

data/lib/mumukit/auth/slug.rb

@@ -0,0 +1,71 @@
+class String
+  def to_mumukit_slug
+    Mumukit::Auth::Slug.parse self
+  end
+end
+
+module Mumukit::Auth
+  class Slug
+    attr_accessor :first, :second
+
+    alias_method :organization, :first
+
+    alias_method :repository, :second
+    alias_method :course, :second
+    alias_method :content, :second
+
+    def initialize(first, second)
+      @first = first
+      @second = second
+    end
+
+    def match_first(first)
+      match self.first, first
+    end
+
+    def match_second(second)
+      match self.second, second
+    end
+
+    def ==(o)
+      self.class == o.class && to_s == o.to_s
+    end
+
+    def to_s
+      "#{first}/#{second}"
+    end
+
+    def to_mumukit_slug
+      self
+    end
+
+    def self.join(*parts)
+      raise 'Slugs must have up to two parts' if parts.length > 2
+      new(*parts.pad_with('_', 2))
+    end
+
+    def self.parse(slug)
+      validate_slug! slug
+
+      self.new *slug.split('/')
+    end
+
+    private
+
+    def match(pattern, part)
+      pattern == '_' || pattern == part
+    end
+
+    def self.validate_slug!(slug)
+      unless slug =~ /.*\/.*/
+        raise Mumukit::Auth::InvalidSlugFormatError, "Invalid slug: #{slug}. It must be in first/second format"
+      end
+    end
+  end
+
+  class InvalidSlugFormatError < StandardError
+  end
+end
+
+
+

data/lib/mumukit/auth/token.rb

@@ -9,24 +9,23 @@ module Mumukit::Auth
     end
 
     def metadata
-      @metadata ||= Mumukit::Auth::Metadata.new(jwt['app_metadata'] || {})
-    end
-
-    def permissions(app)
-      metadata.permissions(app)
+      @metadata ||= jwt['metadata'] || {}
     end
 
     def verify_client!
       raise Mumukit::Auth::InvalidTokenError.new('aud mismatch') if Mumukit::Auth.config.client_id != jwt['aud']
     end
 
-    def self.from_env(env)
+    def self.from_rack_env(env)
       new(env.dig('omniauth.auth', 'extra', 'raw_info') || {})
     end
 
-    def self.decode_header(header)
-      raise Mumukit::Auth::InvalidTokenError.new('missing authorization header') if header.nil?
-      decode header.split(' ').last
+    def self.encode_dummy_auth_header(metadata)
+      'dummy token ' + encode(metadata)
+    end
+
+    def self.encode(metadata)
+      JWT.encode({aud: Mumukit::Auth.config.client_id, metadata: metadata}, decoded_secret)
     end
 
     def self.decode(encoded)
@@ -35,35 +34,14 @@ module Mumukit::Auth
       raise Mumukit::Auth::InvalidTokenError.new(e)
     end
 
-    def self.encode_dummy_auth_header(metadata)
-      encoded_token = JWT.encode(
-          {aud: Mumukit::Auth.config.client_id,
-           app_metadata: metadata},
-          decoded_secret)
-      'dummy token ' + encoded_token
+    def self.decode_header(header)
+      raise Mumukit::Auth::InvalidTokenError.new('missing authorization header') if header.nil?
+      decode header.split(' ').last
     end
 
     def self.decoded_secret
       JWT.base64url_decode(Mumukit::Auth.config.client_secret)
     end
   end
-
-
-  class Permissions
-    def to_mumukit_auth_permissions
-      self
-    end
-  end
 end
 
-class String
-  def to_mumukit_auth_permissions
-    Mumukit::Auth::Permissions.parse(self)
-  end
-end
-
-class NilClass
-  def to_mumukit_auth_permissions
-    Mumukit::Auth::Permissions.new([])
-  end
-end

data/lib/mumukit/auth/version.rb

@@ -1,5 +1,5 @@
 module Mumukit
   module Auth
-    VERSION = '1.0.2'
+    VERSION = '2.0.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mumukit-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 2.0.0
 platform: ruby
 authors:
 - Franco Leonardo Bulgarelli
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-12 00:00:00.000000000 Z
+date: 2016-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -66,20 +66,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: auth0
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: mumukit-core
   requirement: !ruby/object:Gem::Requirement
@@ -102,12 +88,14 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/mumukit/auth.rb
+- lib/mumukit/auth/array.rb
 - lib/mumukit/auth/exceptions.rb
 - lib/mumukit/auth/grant.rb
-- lib/mumukit/auth/metadata.rb
 - lib/mumukit/auth/permissions.rb
+- lib/mumukit/auth/roles.rb
+- lib/mumukit/auth/scope.rb
+- lib/mumukit/auth/slug.rb
 - lib/mumukit/auth/token.rb
-- lib/mumukit/auth/user.rb
 - lib/mumukit/auth/version.rb
 homepage: http://github.com/mumuki/mumukit-auth
 licenses:

data/lib/mumukit/auth/metadata.rb

@@ -1,70 +0,0 @@
-class Mumukit::Auth::Metadata
-  def initialize(json)
-    @json = json
-  end
-
-  def as_json(_options={})
-    @json
-  end
-
-  def permissions(app)
-    @json.dig(app, 'permissions').to_mumukit_auth_permissions
-  end
-
-  def add_permission!(app, permission)
-    if permissions(app).present?
-      @json[app] = process_add_permission(app, permission)
-    else
-      @json.merge!("#{app}" => {'permissions' => permission})
-    end
-  end
-
-  def remove_permission!(app, permission)
-    if permissions(app).present?
-      @json[app] = process_remove_permission(app, permission)
-    end
-    @json.delete(app) if @json.dig(app, 'permissions').blank?
-  end
-
-  def process_permission(new_permissions)
-    {'permissions' => Mumukit::Auth::Permissions.load(new_permissions).to_s}
-  end
-
-  def process_remove_permission(app, permission)
-    process_permission(permissions(app).as_json.split(':').reject { |it| it == permission }.join(':'))
-  end
-
-  def process_add_permission(app, permission)
-    process_permission(permissions(app).as_json + ":#{permission}")
-  end
-
-  def librarian?(slug)
-    has_role? 'bibliotheca', slug
-  end
-
-  def admin?(slug)
-    has_role? 'admin', slug
-  end
-
-  def teacher?(slug)
-    has_role? 'classroom', slug
-  end
-
-  def student?(slug)
-    has_role? 'atheneum', slug
-  end
-
-  def self.load(json)
-    new(JSON.parse(json))
-  end
-
-  def self.dump(metadata)
-    metadata.to_json
-  end
-
-  private
-
-  def has_role?(app, slug)
-    permissions(app)[slug]
-  end
-end

data/lib/mumukit/auth/user.rb

@@ -1,78 +0,0 @@
-require 'auth0'
-
-class Mumukit::Auth::User
-
-  attr_accessor :social_id, :user
-
-  def initialize(social_id, user=nil)
-    @social_id = social_id
-    @user = user || client.user(@social_id)
-  end
-
-  def add_permission!(key, permission)
-    metadata.add_permission!(key, permission)
-    update_user_metadata!
-  end
-
-  def remove_permission!(key, permission)
-    metadata.remove_permission!(key, permission)
-    update_user_metadata!
-  end
-
-  def permissions_string
-    apps.select { |app| @user[app].present? }.map { |app| {app.to_s => @user[app]} }.reduce({}, :merge).to_json
-  end
-
-  def metadata
-    @metadata ||= Mumukit::Auth::Metadata.load(permissions_string)
-  end
-
-  def permissions_for(app)
-    metadata[app]['permissions']
-  end
-
-  def apps
-    ['bibliotheca', 'classroom', 'admin', 'atheneum']
-  end
-
-  def client
-    self.class.client
-  end
-
-  def librarian?(slug)
-    metadata.librarian? slug
-  end
-
-  def admin?(slug)
-    metadata.admin? slug
-  end
-
-  def teacher?(slug)
-    metadata.teacher? slug
-  end
-
-  def student?(slug)
-    metadata.student? slug
-  end
-
-  def self.from_email(email)
-    user = client.users("email:#{email}").first
-    raise Mumukit::Auth::EmailNotRegistered.new('There is no user registered with that email.') unless user.present?
-    new(user['user_id'])
-  end
-
-  def self.client
-    Auth0Client.new(
-        :client_id => ENV['MUMUKI_AUTH0_CLIENT_ID'],
-        :client_secret => ENV['MUMUKI_AUTH0_CLIENT_SECRET'],
-        :domain => "mumuki.auth0.com"
-    )
-  end
-
-  private
-
-  def update_user_metadata!
-    client.update_user_metadata social_id, metadata.as_json
-  end
-
-end