nexus_cqrs_auth 0.1.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e062f14cca2a6a41d143bf648edbe21a6e661056fa5f8a408aeaea5c75d9b69
-  data.tar.gz: 686b79c46f969565dc23ba210bc48ff4a42f9c2f309b2592f82e0174e9e652b9
+  metadata.gz: a4e4dd0ea8f63b000ef78595be9e6241dc162d50e644c24c7291a8150fa6e98f
+  data.tar.gz: 6f14589729a606b05c4792d8b3e7ca04d182f2961c9454303a77c2a4ea138e48
 SHA512:
-  metadata.gz: 3168a7a3ae6bb2070a2b3790043c5630560502515d7305d87a64d36cdfd0ed88f969c036d292452a6be6758f5f045f147a0a6c25ff46463ad3b697b2d418b935
-  data.tar.gz: 7f64fc4f86f877b19621728360d1f9cbd1ed1afedbff3c8808dc250e9b729af99477c0148af58b64042fa75c88d785296c71d7c55119285b06b05b0bec3db63b
+  metadata.gz: fd99e19cd0512e8905ae4d8d454ef6f70d428731e0d2b6afef7d3e7f023d91f5be2fb44443bcbdb2fec23c3fb67c2e0e635f1a8406a61d2bce153e10908f0aec
+  data.tar.gz: 0a47018533846a9c4500331e9c2ade3147d3059533f3dc2de1492a5d88d24c8c0f43520d6b1ec1bc4f777d4b542b54803708c47b19bdfe9619a85ff884904bb8

data/Gemfile

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 source 'https://rubygems.org'
 
 gemspec

data/lib/nexus_cqrs_auth/helper.rb

@@ -1,18 +1,36 @@
+# frozen_string_literal: true
 require 'pundit'
 require 'strings-case'
 
 module NexusCqrsAuth
   include Pundit
   def authorize(command, record, query = nil, policy_class: nil)
+
+    # Populate the query from the command, or the params if it's being overriden
     query ||= Strings::Case.snakecase(command.demodularised_class_name) + '?'
-    @command_user = command.metadata[:current_user]
-    super_ = super(record, query, policy_class: policy_class)
-    @command_user = nil
-    super_
+
+    # Retreive the policy class object from the type of record we are passing in
+    policy_class ||= PolicyFinder.new(record).policy
+
+    # Pull context variables from command
+    user = command.metadata[:current_user]
+    global_permissions = command.metadata[:global_permissions]
+
+    # Instantiate new policy class, with context
+    policy = policy_class.new(UserContext.new(user, global_permissions), record)
+    raise NotAuthorizedError, query: query, record: record, policy: policy unless policy.public_send(query)
+
+    record.is_a?(Array) ? record.last : record
+  end
+
+  # Helper method for creating a permissions provider object from a query object. This allows certain permissions
+  # to be checked inside the command handler, as opposed to inside the policy
+  def permission_provider(query)
+    PermissionProvider.new(query.metadata[:current_user], query.metadata[:global_permissions])
   end
 
   def pundit_user
-    @command_user || super || nil
+    nil
   end
 
   def current_user

data/lib/nexus_cqrs_auth/middleware.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'nexus_cqrs'
 require 'pundit'
 

data/lib/nexus_cqrs_auth/ownable.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+# Concern used to integrate models to the permissions system. Including this module to a model will assume the
+# model can be "owned" by a user. When the model is created, permissions will automatically be assigned to the user
+# and permissions can be validated and "repaired" retroactively.
+module NexusCqrsAuth
+  module Ownable
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :granted_permissions, default: {}
+
+      # Default relationship to <class>_permissions
+      class_attribute :permissions_relation, default: top_ancestor_class.name.downcase + "_permissions"
+      class_attribute :owner_column, default: :user_id
+
+      before_create :assign_permissions
+
+      define_model_callbacks :create_permissions
+    end
+
+    module ClassMethods
+      # Gets the class that this module is included in
+      def top_ancestor_class
+        ancestors.first
+      end
+    end
+
+    def assign_permissions
+      # As we are doing this on before_create, we must "build" this association, as opposed to creating it. This
+      # ensures validation is passed before saving this parent Collection.
+      granted_permissions.each do |p|
+        unless permissions.where(permission: p, entity_id: id, user_id: owner_id).exists?
+          permissions.build(user_id: owner_id, permission: p)
+        end
+      end
+    end
+
+    def validate_owner_permissions
+    end
+
+    def owner_id
+      send(owner_column)
+    end
+
+    def permissions
+      if respond_to?(permissions_relation)
+        return send(permissions_relation)
+      end
+
+      raise OwnableRelationshipNotSet, "Permissions relation not set.
+Set it on your model with `self.permissions_relation = :xxx_permissions`, and ensure the relationship has been created"
+    end
+  end
+
+  class OwnableRelationshipNotSet < StandardError
+  end
+end

data/lib/nexus_cqrs_auth/permission_provider.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+module NexusCqrsAuth
+  class PermissionProvider
+    def initialize(user_id, global_permissions)
+      @user_id = user_id
+      @global_permissions = parse_permissions_array(global_permissions)
+    end
+
+    # Returns true if the current user has the requested permission on the requested entity (if passed), or globally
+    #
+    # @param [String] permission_key Permission key to check against
+    # @param [ApplicationRecord] permission_model Permission model
+    # @param [Integer] entity_id ID of the entity
+    # @return [Boolean] Returns true if the current user has this permission on this entity
+    # @example Check for permission
+    #   permissions.has_permission?('collection:publish', CollectionPermissions, collection.id) #=> true
+    def has_permission?(permission_key, permission_model = nil, entity_id = nil)
+      return false if @user_id.nil?
+
+      return true if @global_permissions.include?(permission_key)
+
+      # check entity-specific permissions
+      unless permission_model.nil?
+        return true if permission_model.where(permission: permission_key, entity_id: entity_id,
+user_id: @user_id.id).exists?
+      end
+
+      false
+    end
+
+    # Retrieves a list of permissions assigned to a user for a specific entity
+    #
+    # @param [ApplicationRecord] permission_model Permission model
+    # @param [Integer] entity_id ID of the entity
+    # @return [Array] Returns an array of hashes representing permission keys, along with their global status
+    # @example Get a list of permissions
+    #   permissions.for_user(CollectionPermissions, collection.id) #=>
+    #     [
+    #       {:global=>false, :key=>"collection:discard"},
+    #       {:global=>false, :key=>"collection:publish"},
+    #       {:global=>false, :key=>"collection:view_under_moderation"},
+    #       {:global=>false, :key=>"collection:set_status"}
+    #     ]
+    def for_user_on_entity(permission_model, entity_id)
+      return [] if @user_id.nil?
+
+      # retrieve entity-specific permissions from DB and map to hash
+      entity_permissions = permission_model.where(user_id: @user_id, entity_id: entity_id)
+        .map { |p| { global: false, key: p.permission } }
+
+      # Map global permissions to hash
+      global_permissions = @global_permissions.map { |p| { global: true, key: p } }
+
+      # Combine hashes and ensure global permissions take priority
+      (global_permissions + entity_permissions).uniq { |p| p[:key] }
+    end
+
+    private
+
+    def parse_permissions_array(permissions_array)
+      return [] if permissions_array.nil?
+
+      permissions = []
+
+      permissions_array.each do |entity, action_array|
+        action_array.each do |action|
+          permissions << entity + ":" + action
+        end
+      end
+
+      permissions
+    end
+  end
+end

data/lib/nexus_cqrs_auth/user_context.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module NexusCqrsAuth
+  # Class used to provide additional context into pundit. This enables us to not only pass the user model, but also the
+  # global permissions for that user - as those are pulled from the user's request, not the model.
+  class UserContext
+    attr_reader :user, :global_permissions
+
+    def initialize(user, global_permissions)
+      @user = user
+      @global_permissions = global_permissions
+    end
+  end
+end

data/lib/nexus_cqrs_auth/version.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module NexusCqrsAuth
-  VERSION = '0.1.0'
+  VERSION = '1.2.1'
 end

data/lib/nexus_cqrs_auth.rb

@@ -1,2 +1,6 @@
+# frozen_string_literal: true
 require 'nexus_cqrs_auth/helper'
 require 'nexus_cqrs_auth/middleware'
+require 'nexus_cqrs_auth/permission_provider'
+require 'nexus_cqrs_auth/user_context'
+require 'nexus_cqrs_auth/ownable'

data/nexus_cqrs_auth.gemspec

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require_relative 'lib/nexus_cqrs_auth/version'
 
 Gem::Specification.new do |spec|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nexus_cqrs_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.2.1
 platform: ruby
 authors:
 - Chris Harrison
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-25 00:00:00.000000000 Z
+date: 2021-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nexus_cqrs
@@ -68,6 +68,9 @@ files:
 - lib/nexus_cqrs_auth.rb
 - lib/nexus_cqrs_auth/helper.rb
 - lib/nexus_cqrs_auth/middleware.rb
+- lib/nexus_cqrs_auth/ownable.rb
+- lib/nexus_cqrs_auth/permission_provider.rb
+- lib/nexus_cqrs_auth/user_context.rb
 - lib/nexus_cqrs_auth/version.rb
 - nexus_cqrs_auth.gemspec
 homepage: 
@@ -88,7 +91,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.26
+rubygems_version: 3.2.30
 signing_key: 
 specification_version: 4
 summary: Authorisation for the Nexus CQRS pattern