otto 1.5.0 → 2.0.0.pre1

data/lib/otto/security/authentication/strategies/public_strategy.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative '../auth_strategy'
+require_relative '../strategy_result'
+
+class Otto
+  module Security
+    module Authentication
+      module Strategies
+        # Public access strategy - always allows access
+        class PublicStrategy < AuthStrategy
+          def authenticate(env, _requirement)
+            Otto::Security::Authentication::StrategyResult.anonymous(metadata: { ip: env['REMOTE_ADDR'] })
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/strategies/role_strategy.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require_relative '../auth_strategy'
+
+class Otto
+  module Security
+    module Authentication
+      module Strategies
+        # Role-based authentication strategy
+        class RoleStrategy < AuthStrategy
+          def initialize(allowed_roles, session_key: 'user_roles')
+            @allowed_roles = Array(allowed_roles)
+            @session_key = session_key
+          end
+
+          def authenticate(env, requirement)
+            session = env['rack.session']
+            return failure('No session available') unless session
+
+            user_roles = session[@session_key] || []
+            user_roles = Array(user_roles)
+
+            # Create user data from session
+            user_data = { user_roles: user_roles, session: session }
+
+            # For requirements like "role:admin", extract the role part
+            if requirement.include?(':')
+              required_role = requirement.split(':', 2).last
+              if user_roles.include?(required_role)
+                success(user: user_data, user_roles: user_roles, required_role: required_role)
+              else
+                failure("Insufficient privileges - requires role: #{required_role}")
+              end
+            else
+              # For direct strategy matches, check if user has any of the allowed roles
+              matching_roles = user_roles & @allowed_roles
+              if matching_roles.any?
+                success(user: user_data, user_roles: user_roles, allowed_roles: @allowed_roles,
+                        matching_roles: matching_roles)
+              else
+                failure("Insufficient privileges - requires one of roles: #{@allowed_roles.join(', ')}")
+              end
+            end
+          end
+
+          def user_context(env)
+            session = env['rack.session']
+            return {} unless session
+
+            user_roles = session[@session_key] || []
+            { user_roles: Array(user_roles) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/strategies/session_strategy.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative '../auth_strategy'
+
+class Otto
+  module Security
+    module Authentication
+      module Strategies
+        # Session-based authentication strategy
+        class SessionStrategy < AuthStrategy
+          def initialize(session_key: 'user_id', session_store: nil)
+            @session_key = session_key
+            @session_store = session_store
+          end
+
+          def authenticate(env, _requirement)
+            session = env['rack.session']
+            return failure('No session available') unless session
+
+            user_id = session[@session_key]
+            return failure('Not authenticated') unless user_id
+
+            # Create a simple user hash for the generic strategy
+            user_data = { id: user_id, user_id: user_id }
+            success(session: session, user: user_data, auth_method: 'session')
+          end
+
+          def user_context(env)
+            session = env['rack.session']
+            return {} unless session
+
+            user_id = session[@session_key]
+            return {} unless user_id
+
+            { user_id: user_id }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/strategy_result.rb

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+
+# lib/otto/security/authentication/strategy_result.rb
+
+# StrategyResult is an immutable data structure that holds the result of an
+# authentication strategy. It contains session, user, and metadata needed by
+# Otto Logic classes.
+#
+# @example Basic usage
+#   result = StrategyResult.new(
+#     session: { id: 'abc123', user_id: 1 },
+#     user: user_model_instance,  # Actual user model, not a hash
+#     auth_method: 'token',
+#     metadata: { ip: '127.0.0.1' }
+#   )
+#
+#   result.authenticated?  #=> true
+#   result.has_role?('admin')  #=> true
+#   result.user.name  #=> 'John' (assuming user model has name method)
+#
+class Otto
+  module Security
+    module Authentication
+      StrategyResult = Data.define(:session, :user, :auth_method, :metadata) do
+        # Create an anonymous (unauthenticated) result
+        # @return [StrategyResult] Anonymous result with empty session and nil user
+        def self.anonymous(metadata: {})
+          new(
+            session: {},
+            user: nil,  # Changed from {} to nil - clearer semantics
+            auth_method: 'anonymous',
+            metadata: metadata
+          )
+        end
+
+        # Check if the request is authenticated (has a user)
+        # @return [Boolean] True if user is present, false otherwise
+        def authenticated?
+          !user.nil?
+        end
+
+        # Check if the request is anonymous (no user)
+        # @return [Boolean] True if not authenticated
+        def anonymous?
+          user.nil?
+        end
+
+        # Success/failure methods for compatibility
+        def success?
+          true  # If we have a StrategyResult, authentication succeeded
+        end
+
+        def failure?
+          false  # Failures return nil, not a StrategyResult
+        end
+
+
+        # Check if the user has a specific role
+        # @param role [String, Symbol] Role to check
+        # @return [Boolean] True if user has the role
+        def has_role?(role)
+          return false unless authenticated?
+
+          # Try user model methods first, fall back to hash access for backward compatibility
+          if user.respond_to?(:role)
+            user.role.to_s == role.to_s
+          elsif user.respond_to?(:has_role?)
+            user.has_role?(role)
+          elsif user.is_a?(Hash)
+            user_role = user[:role] || user['role']
+            user_role.to_s == role.to_s
+          else
+            false
+          end
+        end
+
+        # Check if the user has a specific permission
+        # @param permission [String, Symbol] Permission to check
+        # @return [Boolean] True if user has the permission
+        def has_permission?(permission)
+          return false unless authenticated?
+
+          # Try user model methods first, fall back to hash access for backward compatibility
+          if user.respond_to?(:has_permission?)
+            user.has_permission?(permission)
+          elsif user.respond_to?(:permissions)
+            permissions = user.permissions || []
+            permissions = [permissions] unless permissions.is_a?(Array)
+            permissions.map(&:to_s).include?(permission.to_s)
+          elsif user.is_a?(Hash)
+            permissions = user[:permissions] || user['permissions'] || []
+            permissions = [permissions] unless permissions.is_a?(Array)
+            permissions.map(&:to_s).include?(permission.to_s)
+          else
+            false
+          end
+        end
+
+        # Check if the user has any of the specified roles
+        # @param roles [Array<String, Symbol>] Roles to check
+        # @return [Boolean] True if user has any of the roles
+        def has_any_role?(*roles)
+          roles.flatten.any? { |role| has_role?(role) }
+        end
+
+        # Check if the user has any of the specified permissions
+        # @param permissions [Array<String, Symbol>] Permissions to check
+        # @return [Boolean] True if user has any of the permissions
+        def has_any_permission?(*permissions)
+          permissions.flatten.any? { |permission| has_permission?(permission) }
+        end
+
+        # Get user ID from various possible locations
+        # @return [String, Integer, nil] User ID or nil
+        def user_id
+          return nil unless authenticated?
+
+          # Try user model methods first, fall back to hash access and session
+          if user.respond_to?(:id)
+            user.id
+          elsif user.respond_to?(:user_id)
+            user.user_id
+          elsif user.is_a?(Hash)
+            user[:id] || user['id'] || user[:user_id] || user['user_id']
+          end || session[:user_id] || session['user_id']
+        end
+
+        # Get user name from various possible locations
+        # @return [String, nil] User name or nil
+        def user_name
+          return nil unless authenticated?
+
+          # Try user model methods first, fall back to hash access
+          if user.respond_to?(:name)
+            user.name
+          elsif user.respond_to?(:username)
+            user.username
+          elsif user.is_a?(Hash)
+            user[:name] || user['name'] || user[:username] || user['username']
+          end
+        end
+
+        # Get session ID from various possible locations
+        # @return [String, nil] Session ID or nil
+        def session_id
+          session[:id] || session['id'] || session[:session_id] || session['session_id']
+        end
+
+        # Get all user roles as an array
+        # @return [Array<String>] Array of roles (empty if none)
+        def roles
+          return [] unless authenticated?
+
+          roles_data = user[:roles] || user['roles']
+          if roles_data.is_a?(Array)
+            roles_data.map(&:to_s)
+          elsif roles_data
+            [roles_data.to_s]
+          else
+            role = user[:role] || user['role']
+            role ? [role.to_s] : []
+          end
+        end
+
+        # Get all user permissions as an array
+        # @return [Array<String>] Array of permissions (empty if none)
+        def permissions
+          return [] unless authenticated?
+
+          perms = user[:permissions] || user['permissions'] || []
+          perms = [perms] unless perms.is_a?(Array)
+          perms.map(&:to_s)
+        end
+
+        # Create a string representation for debugging
+        # @return [String] Debug representation
+        def inspect
+          if authenticated?
+            "#<StrategyResult authenticated user=#{user_name || user_id} roles=#{roles} method=#{auth_method}>"
+          else
+            "#<StrategyResult anonymous method=#{auth_method}>"
+          end
+        end
+
+        # Get user context - a hash containing user-specific information and metadata
+        # @return [Hash] User context hash
+        def user_context
+          if authenticated?
+            case auth_method
+            when 'session'
+              { user_id: user_id, session: session }
+            else
+              metadata
+            end
+          else
+            case auth_method
+            when 'anonymous'
+              {}
+            else
+              metadata
+            end
+          end
+        end
+
+        # Create a hash representation
+        # @return [Hash] Hash representation of the context
+        def to_h
+          {
+            session: session,
+            user: user,
+            auth_method: auth_method,
+            metadata: metadata,
+            authenticated: authenticated?,
+            user_id: user_id,
+            user_name: user_name,
+            roles: roles,
+            permissions: permissions
+          }
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication.rb

@@ -1,289 +1,35 @@
+# frozen_string_literal: true
+
 # lib/otto/security/authentication.rb
 #
-# Configurable authentication strategy system for Otto framework
-# Provides pluggable authentication patterns that can be customized per application
-#
-# Usage:
-#   otto = Otto.new('routes.txt', {
-#     auth_strategies: {
-#       'publically' => PublicStrategy.new,
-#       'authenticated' => SessionStrategy.new,
-#       'role:admin' => RoleStrategy.new(['admin']),
-#       'api_key' => APIKeyStrategy.new
-#     }
-#   })
-
-class Otto
-  module Security
-    # Base class for all authentication strategies
-    class AuthStrategy
-      # Check if the request meets the authentication requirements
-      # @param env [Hash] Rack environment
-      # @param requirement [String] Authentication requirement string
-      # @return [AuthResult] Result containing success status and context
-      def authenticate(env, requirement)
-        raise NotImplementedError, 'Subclasses must implement #authenticate'
-      end
-
-      # Optional: Extract user context for authenticated requests
-      # @param env [Hash] Rack environment
-      # @return [Hash] User context hash
-      def user_context(env)
-        {}
-      end
-
-      protected
-
-      # Helper to create successful auth result
-      def success(user_context = {})
-        AuthResult.new(true, user_context)
-      end
-
-      # Helper to create failed auth result
-      def failure(reason = 'Authentication failed')
-        AuthResult.new(false, {}, reason)
-      end
-    end
-
-    # Result object for authentication attempts
-    class AuthResult
-      attr_reader :user_context, :failure_reason
-
-      def initialize(success, user_context = {}, failure_reason = nil)
-        @success = success
-        @user_context = user_context
-        @failure_reason = failure_reason
-      end
-
-      def success?
-        @success
-      end
-
-      def failure?
-        !@success
-      end
-    end
-
-    # Public access strategy - always allows access
-    class PublicStrategy < AuthStrategy
-      def authenticate(env, requirement)
-        success
-      end
-    end
-
-    # Session-based authentication strategy
-    class SessionStrategy < AuthStrategy
-      def initialize(session_key: 'user_id', session_store: nil)
-        @session_key = session_key
-        @session_store = session_store
-      end
-
-      def authenticate(env, requirement)
-        session = env['rack.session']
-        return failure('No session available') unless session
-
-        user_id = session[@session_key]
-        return failure('Not authenticated') unless user_id
-
-        success(user_id: user_id, session: session)
-      end
-
-      def user_context(env)
-        session = env['rack.session']
-        return {} unless session
-
-        user_id = session[@session_key]
-        user_id ? { user_id: user_id } : {}
-      end
-    end
-
-    # Role-based authentication strategy
-    class RoleStrategy < AuthStrategy
-      def initialize(allowed_roles, session_key: 'user_roles')
-        @allowed_roles = Array(allowed_roles)
-        @session_key = session_key
-      end
-
-      def authenticate(env, requirement)
-        session = env['rack.session']
-        return failure('No session available') unless session
-
-        user_roles = session[@session_key] || []
-        user_roles = Array(user_roles)
-
-        # For requirements like "role:admin", extract the role part
-        if requirement.include?(':')
-          required_role = requirement.split(':', 2).last
-          if user_roles.include?(required_role)
-            success(user_roles: user_roles, required_role: required_role)
-          else
-            failure("Insufficient privileges - requires role: #{required_role}")
-          end
-        else
-          # For direct strategy matches, check if user has any of the allowed roles
-          matching_roles = user_roles & @allowed_roles
-          if matching_roles.any?
-            success(user_roles: user_roles, allowed_roles: @allowed_roles, matching_roles: matching_roles)
-          else
-            failure("Insufficient privileges - requires one of roles: #{@allowed_roles.join(', ')}")
-          end
-        end
-      end
-
-      def user_context(env)
-        session = env['rack.session']
-        return {} unless session
-
-        user_roles = session[@session_key] || []
-        { user_roles: Array(user_roles) }
-      end
-    end
-
-    # API key authentication strategy
-    class APIKeyStrategy < AuthStrategy
-      def initialize(api_keys: [], header_name: 'X-API-Key', param_name: 'api_key')
-        @api_keys = Array(api_keys)
-        @header_name = header_name
-        @param_name = param_name
-      end
-
-      def authenticate(env, requirement)
-        # Try header first, then query parameter
-        api_key = env["HTTP_#{@header_name.upcase.tr('-', '_')}"]
+# Index file for Otto authentication module
+# Requires all authentication-related components for backward compatibility
 
-        if api_key.nil?
-          request = Rack::Request.new(env)
-          api_key = request.params[@param_name]
-        end
+require_relative 'authentication/auth_strategy'
+require_relative 'authentication/strategy_result'
+require_relative 'authentication/failure_result'
+require_relative 'authentication/authentication_middleware'
 
-        return failure('No API key provided') unless api_key
+# Load all strategies
+require_relative 'authentication/strategies/public_strategy'
+require_relative 'authentication/strategies/session_strategy'
+require_relative 'authentication/strategies/role_strategy'
+require_relative 'authentication/strategies/api_key_strategy'
+require_relative 'authentication/strategies/permission_strategy'
 
-        if @api_keys.empty? || @api_keys.include?(api_key)
-          success(api_key: api_key)
-        else
-          failure('Invalid API key')
-        end
-      end
-    end
-
-    # Permission-based authentication strategy
-    class PermissionStrategy < AuthStrategy
-      def initialize(required_permissions, session_key: 'user_permissions')
-        @required_permissions = Array(required_permissions)
-        @session_key = session_key
-      end
-
-      def authenticate(env, requirement)
-        session = env['rack.session']
-        return failure('No session available') unless session
-
-        user_permissions = session[@session_key] || []
-        user_permissions = Array(user_permissions)
-
-        # Extract permission from requirement (e.g., "permission:write" -> "write")
-        required_permission = requirement.split(':', 2).last
-
-        if user_permissions.include?(required_permission)
-          success(user_permissions: user_permissions, required_permission: required_permission)
-        else
-          failure("Insufficient privileges - requires permission: #{required_permission}")
-        end
-      end
-
-      def user_context(env)
-        session = env['rack.session']
-        return {} unless session
-
-        user_permissions = session[@session_key] || []
-        { user_permissions: Array(user_permissions) }
-      end
-    end
-
-    # Authentication middleware that enforces route-level auth requirements
-    class AuthenticationMiddleware
-      def initialize(app, config = {})
-        @app = app
-        @config = config
-        @strategies = config[:auth_strategies] || {}
-        @default_strategy = config[:default_auth_strategy] || 'publically'
-
-        # Add default public strategy if not provided
-        @strategies['publically'] ||= PublicStrategy.new
-      end
-
-      def call(env)
-        # Check if this route has auth requirements
-        route_definition = env['otto.route_definition']
-        return @app.call(env) unless route_definition
-
-        auth_requirement = route_definition.auth_requirement
-        return @app.call(env) unless auth_requirement
-
-        # Find appropriate strategy
-        strategy = find_strategy(auth_requirement)
-        unless strategy
-          return auth_error_response("Unknown authentication strategy: #{auth_requirement}")
-        end
-
-        # Perform authentication
-        auth_result = strategy.authenticate(env, auth_requirement)
-
-        if auth_result.success?
-          # Add user context to environment for handlers to use
-          env['otto.user_context'] = auth_result.user_context
-          env['otto.auth_result'] = auth_result
-          @app.call(env)
-        else
-          auth_error_response(auth_result.failure_reason)
-        end
-      end
-
-      private
-
-      def find_strategy(requirement)
-        # Try exact match first - this has highest priority
-        return @strategies[requirement] if @strategies[requirement]
-
-        # For colon-separated requirements like "role:admin", try prefix match
-        if requirement.include?(':')
-          prefix = requirement.split(':', 2).first
-
-          # Check if we have a strategy registered for the prefix
-          prefix_strategy = @strategies[prefix]
-          return prefix_strategy if prefix_strategy
-
-          # Try fallback patterns for role: and permission: requirements
-          if requirement.start_with?('role:')
-            return @strategies['role'] || RoleStrategy.new([])
-          elsif requirement.start_with?('permission:')
-            return @strategies['permission'] || PermissionStrategy.new([])
-          end
-        end
-
-        nil
-      end
-
-      def auth_error_response(message)
-        body = JSON.generate({
-          error: 'Authentication Required',
-          message: message,
-          timestamp: Time.now.to_i
-        })
-
-        headers = {
-          'Content-Type' => 'application/json',
-          'Content-Length' => body.bytesize.to_s
-        }
-
-        # Add security headers if available from config hash or Otto instance
-        if @config.is_a?(Hash) && @config[:security_headers]
-          headers.merge!(@config[:security_headers])
-        elsif @config.respond_to?(:security_config) && @config.security_config
-          headers.merge!(@config.security_config.security_headers)
-        end
-
-        [401, headers, [body]]
-      end
-    end
+class Otto
+  module Security
+    # Backward compatibility aliases for the old namespace
+    AuthStrategy = Authentication::AuthStrategy
+    PublicStrategy = Authentication::Strategies::PublicStrategy
+    SessionStrategy = Authentication::Strategies::SessionStrategy
+    RoleStrategy = Authentication::Strategies::RoleStrategy
+    APIKeyStrategy = Authentication::Strategies::APIKeyStrategy
+    PermissionStrategy = Authentication::Strategies::PermissionStrategy
+    AuthenticationMiddleware = Authentication::AuthenticationMiddleware
   end
+
+  # Top-level backward compatibility aliases
+  StrategyResult = Security::Authentication::StrategyResult
+  FailureResult = Security::Authentication::FailureResult
 end