orfeas_pam_dsl 0.6.0

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "lib"
+  t.libs << "test"
+  t.test_files = FileList["test/**/*_test.rb"]
+  t.verbose = true
+end
+
+task default: :test

data/lib/pam_dsl/consent.rb

@@ -0,0 +1,110 @@
+module PamDsl
+  # Represents a consent requirement
+  class ConsentRequirement
+    attr_reader :purpose, :required, :granular, :withdrawable, :description, :expires_after
+
+    def initialize(purpose)
+      @purpose = purpose.to_sym
+      @required = true
+      @granular = false
+      @withdrawable = true
+      @description = ""
+      @expires_after = nil
+    end
+
+    # Set if consent is required
+    def required!(value = true)
+      @required = value
+      self
+    end
+
+    # Enable granular consent
+    def granular!(value = true)
+      @granular = value
+      self
+    end
+
+    # Set if consent is withdrawable
+    def withdrawable!(value = true)
+      @withdrawable = value
+      self
+    end
+
+    # Set description
+    def describe(text)
+      @description = text
+      self
+    end
+
+    # Set expiration duration
+    def expires_in(duration)
+      @expires_after = duration
+      self
+    end
+
+    # Check if consent is required
+    def required?
+      @required
+    end
+
+    # Check if consent is granular
+    def granular?
+      @granular
+    end
+
+    # Check if consent is withdrawable
+    def withdrawable?
+      @withdrawable
+    end
+
+    # Check if consent has expired
+    def expired?(granted_at)
+      return false unless @expires_after
+      granted_at < (Time.current - @expires_after)
+    end
+  end
+
+  # Container for consent requirements
+  class ConsentPolicy
+    attr_reader :requirements
+
+    def initialize
+      @requirements = []
+    end
+
+    # Define consent requirement for a purpose
+    def for_purpose(purpose, &block)
+      requirement = ConsentRequirement.new(purpose)
+      requirement.instance_eval(&block) if block_given?
+      @requirements << requirement
+      requirement
+    end
+
+    # Get consent requirement for a purpose
+    def requirement_for(purpose)
+      @requirements.find { |req| req.purpose == purpose.to_sym }
+    end
+
+    # Check if consent is required for a purpose
+    def required_for?(purpose)
+      requirement = requirement_for(purpose)
+      requirement ? requirement.required? : false
+    end
+
+    # Validate consent for a purpose
+    def validate!(purpose, granted_at: nil, granted: false)
+      requirement = requirement_for(purpose)
+      return true unless requirement&.required?
+
+      unless granted
+        raise ConsentRequiredError, "Consent required for purpose: #{purpose}"
+      end
+
+      if granted_at && requirement.expired?(granted_at)
+        raise ConsentRequiredError, "Consent expired for purpose: #{purpose}"
+      end
+
+      true
+    end
+  end
+end

data/lib/pam_dsl/field.rb

@@ -0,0 +1,76 @@
+module PamDsl
+  # Represents a PII field definition
+  class Field
+    attr_reader :name, :type, :sensitivity, :purposes, :transformations, :metadata
+
+    SENSITIVITY_LEVELS = [:public, :internal, :confidential, :restricted].freeze
+
+    PII_TYPES = [
+      :email, :name, :phone, :address, :ssn, :date_of_birth,
+      :ip_address, :credit_card, :financial, :health, :biometric,
+      :location, :identifier, :credential, :token, :payment_token, :custom
+    ].freeze
+
+    def initialize(name, type:, sensitivity: :internal)
+      @name = name.to_sym
+      @type = type.to_sym
+      @sensitivity = sensitivity.to_sym
+      @purposes = []
+      @transformations = {}
+      @metadata = {}
+
+      validate!
+    end
+
+    # Define allowed purposes for this field
+    def allow_for(*purpose_names)
+      @purposes.concat(purpose_names.map(&:to_sym))
+      self
+    end
+
+    # Define transformation rules for different contexts
+    def transform(context, &block)
+      @transformations[context.to_sym] = block
+      self
+    end
+
+    # Add metadata
+    def meta(key, value)
+      @metadata[key] = value
+      self
+    end
+
+    # Check if field is allowed for a purpose
+    def allowed_for?(purpose)
+      @purposes.empty? || @purposes.include?(purpose.to_sym)
+    end
+
+    # Apply transformation if defined
+    def apply_transformation(context, value)
+      transformation = @transformations[context.to_sym]
+      transformation ? transformation.call(value) : value
+    end
+
+    # Check if field is sensitive
+    def sensitive?
+      [:confidential, :restricted].include?(@sensitivity)
+    end
+
+    # Check if field is highly restricted
+    def restricted?
+      @sensitivity == :restricted
+    end
+
+    private
+
+    def validate!
+      unless SENSITIVITY_LEVELS.include?(@sensitivity)
+        raise InvalidFieldError, "Invalid sensitivity level: #{@sensitivity}. Must be one of #{SENSITIVITY_LEVELS.join(', ')}"
+      end
+
+      unless PII_TYPES.include?(@type)
+        raise InvalidFieldError, "Invalid PII type: #{@type}. Must be one of #{PII_TYPES.join(', ')}"
+      end
+    end
+  end
+end