super_auth 0.1.3 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1ea96c948511db2bcb65e7dc10b813ae6b5fddb1bbee785c7a3e59178c7b68f
-  data.tar.gz: 3d5eb559c56948c9edb31f801f28636ee594578759f83c452d3a62987432394e
+  metadata.gz: d1c0609f1c31ed023cb42444655098f37468e92f4a24f960f520877f5cb152ed
+  data.tar.gz: 8c7f9334b2226727b52550581756d9d34c50524283ad89339e2d8f0bdfd3094b
 SHA512:
-  metadata.gz: 272eba9bf5807006f956605eb927c7aaec6594fee0683c8ee155c7f4d614419dbd1927495860cfa73acc9b5973887d273605bdbbff58a8d0726f7f63a9ebdcd5
-  data.tar.gz: 904ee67ef8c4b858bfec6ea2cfe39bdc692dba063edee0a76f769209301c3c9a8850df37bf8b65584bd5a15db9cbf1df3125429c2d4a43f8b18f49e25c8bf665
+  metadata.gz: c3781d17e40e003e7e361789e71d3c9048920b7d14023b1af83de968f1e0e05b4f829fa5e3fda172c141c1c8dceea75888e407bc5f5210cf2148f870954c36df
+  data.tar.gz: 6b9edf03113857abcf6e9246f40dbb3a5d36814380f09e1d86782aa1220a56397dc9b2918fb3f85cb23aeeed1acc103d81af2a24c2abd253eb5e4ca140b54e50

data/.ruby-version

@@ -0,0 +1 @@
+3.2.6

data/Gemfile

@@ -12,10 +12,11 @@ gemspec
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
 gem "zeitwerk", "~> 2.6"
+gem "sequel"
 
-
-group :development do
+group :development, :test do
   gem "pry"
   gem "pg"
   gem "sqlite3"
-end
+  gem "activerecord"
+end

data/Gemfile.lock

@@ -1,16 +1,44 @@
 PATH
   remote: .
   specs:
-    super_auth (0.1.2)
+    super_auth (0.1.5)
       sequel
 
 GEM
   remote: https://rubygems.org/
   specs:
+    activemodel (8.0.2)
+      activesupport (= 8.0.2)
+    activerecord (8.0.2)
+      activemodel (= 8.0.2)
+      activesupport (= 8.0.2)
+      timeout (>= 0.4.0)
+    activesupport (8.0.2)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    base64 (0.3.0)
+    benchmark (0.4.1)
     bigdecimal (3.1.4)
     coderay (1.1.3)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.3)
     diff-lcs (1.5.0)
+    drb (2.2.3)
+    i18n (1.14.7)
+      concurrent-ruby (~> 1.0)
+    logger (1.7.0)
     method_source (1.0.0)
+    minitest (5.25.5)
     pg (1.5.4)
     pry (0.14.2)
       coderay (~> 1.1)
@@ -29,21 +57,30 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-support (3.12.1)
+    securerandom (0.4.1)
     sequel (5.75.0)
       bigdecimal
-    sqlite3 (1.7.0-arm64-darwin)
-    sqlite3 (1.7.0-x86_64-linux)
+    sqlite3 (2.7.2-arm64-darwin)
+    sqlite3 (2.7.2-x86_64-linux-gnu)
+    timeout (0.4.3)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    uri (1.0.3)
     zeitwerk (2.6.12)
 
 PLATFORMS
   arm64-darwin-22
+  arm64-darwin-23
+  arm64-darwin-24
   x86_64-linux
 
 DEPENDENCIES
+  activerecord
   pg
   pry
   rake (~> 13.0)
   rspec (~> 3.0)
+  sequel
   sqlite3
   super_auth!
   zeitwerk (~> 2.6)

data/README.md

@@ -1,23 +1,167 @@
 # SuperAuth
 
-TODO: Delete this and the text below, and describe your gem
+Super auth is turn-key authorization gem that makes unauthorized access unrepresentable. **Stop writing tests for authorization with confidence**
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/super_auth`. To experiment with that code, run `bin/console` for an interactive prompt.
+The intent is to use with ruby applications, as well as centralize authorization for multiple applications. If you look at the [OWASP top vulnerabilty](https://owasp.org/Top10/A01_2021-Broken_Access_Control/), broken
+access control is the NUMBER 1 most common security risk in modern applications today. super_auth provides a authentication strategy that allows you to completely de-risk your application, solving this issue once confidently.
 
-## Installation
 
-TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
+## Installation
 
-Install the gem and add to the application's Gemfile by executing:
+    gem "super_auth"
 
-    $ bundle add UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
 
-If bundler is not being used to manage dependencies, install the gem by executing:
+## Docs
 
-    $ gem install UPDATE_WITH_YOUR_GEM_NAME_PRIOR_TO_RELEASE_TO_RUBYGEMS_ORG
+How `super_auth` stacks up against other authentication strategies:
+[Do you really understand Authentication](https://dev.to/jonathanfrias/do-you-really-understand-authorization-1o5d)
 
 ## Usage
 
+SuperAuth is a rules engine engine that works on 5 different authorization concepts:
+
+- Users
+- Groups
+- Roles
+- Permissions
+- Resources
+
+The basis for how this works is that the rules engine is trying to match a user with a resource to determine access.
+The engine determines if it can find an authorization route betewen a user and a resource. It does so by looking at users, groups, roles, permissions.
+
+                         +-------+       +------+
+                         | Group |<----->| Role |
+                         +-------+\    / +------+
+                             ^     \  /     ^
+                             |      \/      |
+                             |      /\      |
+                             |     /  \     |
+                             V    /    \    V
+    +---------------+    +------+/      \+------------+    +----------+      +-------------------+
+    | YourApp::User |<-->| User |<------>| Permission |<-->| Resource | <--> | YourApp::Resource |
+    +---------------+    +------+        +------------+    +----------+      +-------------------+
+                             ^                                  ^
+                             |                                  |
+                             +----------------------------------+
+
+
+The lines between the boxes are called [edges](https://en.wikipedia.org/wiki/Glossary_of_graph_theory#edge).
+Note that `Group` and `Role` trees.
+
+In general the super_auth has 5 different pathing strategies to search for access.
+
+    1. users <-> group[s] <-> role[s] <-> permission <-> resource
+    2. users <->              role[s] <-> permission <-> resource
+    3. users <-> group[s] <->             permission <-> resource
+    4. users <->                          permission <-> resource
+    5. users <->                                         resource
+
+Edges can be drawn between any 2 objects, allowing super_auth can seamlessly scale in complexity with you.
+When `Group` and `Role` are used, the rules will apply to all descedants. If there are any edges
+between the specified user and the resource, then access is granted.
+
+
+You can see usage examples `spec/example_spec.rb`.
+
+We're going to need some users:
+
+    Users:
+      - Peter
+      - Michael
+      - Bethany
+      - Eloise
+      - Anna
+      - Dillon
+      - Guest (Unknown User)
+
+Let's see an example company structure:
+
+    Groups:
+      - Company
+        - Engineering_dept
+          - Backend
+          - Frontend
+        - Sales Department
+        - Marketing Department
+      - Customers
+        - CustomerA
+        - CustomerB
+      - Vendors
+        - VendorA
+        - VendorB
+
+We're going to define a roles:
+
+    Roles:
+      - Employee
+        - Engineering
+          - Señor Software Developer
+          - Señor Designer
+          - Software Developer
+          - Production Support
+        - Sales and Marketing
+          - Marketing Manager
+          - Marketing Associate
+      - CustomerRole
+
+We're going to define some permissions:
+
+    Permissions:
+      - create
+      - read
+      - update
+      - delete
+      - invoice
+      - login
+      - reboot
+      - deploy
+      - sign_contract
+      - subscribe
+      - unsubscribe
+      - publish_design
+
+Finally, we need some resources:
+
+    Resources:
+      - app1
+      - app2
+      - staging
+      - db1
+      - db2
+      - core_design_template
+      - customer_profile
+      - marketing_website
+      - customer_post1
+      - customer_post2
+      - customer_post3
+
+So we have sufficient prerequisite data to do some interesting authorizations. Let's draw some edges:
+
+    Peter <-> Frontend # Peter is on the Frontend team. (via Company->Engineering_dept->Frontend)
+    Engineering_dept <-> Engineering # Group "Engineering_dept" has the Role "Engineering"
+    Engineering <-> create # Engineering role can do basic CRUD operations
+    Engineering <-> read   # Peter can CRUD too
+    Engineering <-> update
+    Engineering <-> delete
+    core_design_template <-> create # Now, those CRUD permissions apply to core_design_template resource
+    core_design_template <-> read
+    core_design_template <-> update
+    core_design_template <-> delete
+
+With this, the following paths are created from Peter to the core_design_template:
+
+    Peter <-> Frontend <-> Engineering_dept <-> Engineering <-> create <-> core_design_template
+    Peter <-> Frontend <-> Engineering_dept <-> Engineering <-> read   <-> core_design_template
+    Peter <-> Frontend <-> Engineering_dept <-> Engineering <-> update <-> core_design_template
+    Peter <-> Frontend <-> Engineering_dept <-> Engineering <-> delete <-> core_design_template
+
+    Which completes the circuit using the path
+    user <-> group <-> group <-> role <-> permission <-> resource
+
+
+When you create/delete an edge new authorizations are generated and stored in the `super_auth` database table.
+Since the path is stored with the record, it trivial to audit access permissions using basic SQL.
+
 TODO: Write usage instructions here
 
 ## Development
@@ -28,8 +172,8 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/super_auth.
+Bug reports and pull requests are welcome on GitHub at https://github.com/JonathanFrias/super_auth.
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+The gem is available as open source under the terms of the [GPL](https://www.gnu.org/licenses/quick-guide-gplv3.html).

data/db/migrate/1_users.rb

@@ -1,13 +1,15 @@
 Sequel.migration do
-  change do
-    create_table(:users) do
+  up do
+    create_table(:super_auth_users) do
       primary_key :id
-
       String :external_id # , null: false
       String :name
-
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_users)
+  end
 end

data/db/migrate/2_groups.rb

@@ -1,11 +1,15 @@
 Sequel.migration do
-  change do
-    create_table(:groups) do
+  up do
+    create_table(:super_auth_groups) do
       primary_key :id
       String :name, null: false
-      foreign_key :parent_id, :groups, deferrable: true, type: :integer
+      foreign_key :parent_id, :super_auth_groups, deferrable: true, type: :integer
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_groups)
+  end
 end

data/db/migrate/3_permissions.rb

@@ -1,10 +1,14 @@
 Sequel.migration do
-  change do
-    create_table(:permissions) do
+  up do
+    create_table(:super_auth_permissions) do
       primary_key :id
       String :name, null: false
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_permissions)
+  end
 end

data/db/migrate/4_roles.rb

@@ -1,11 +1,15 @@
 Sequel.migration do
-  change do
-    create_table(:roles) do
+  up do
+    create_table(:super_auth_roles) do
       primary_key :id
       String :name, null: false
-      foreign_key :parent_id, :roles, deferrable: true, type: :integer
+      foreign_key :parent_id, :super_auth_roles, deferrable: true, type: :integer
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_roles)
+  end
 end

data/db/migrate/5_resources.rb

@@ -1,13 +1,15 @@
 Sequel.migration do
-  change do
-    create_table(:resources) do
+  up do
+    create_table(:super_auth_resources) do
       primary_key :id
-
       String :name
       String :external_id # , null: false
-
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_resources)
+  end
 end

data/db/migrate/6_edge.rb

@@ -1,16 +1,18 @@
 Sequel.migration do
-  change do
-    create_table(:edges) do
+  up do
+    create_table(:super_auth_edges) do
       primary_key :id
-
-      foreign_key :user_id,       :users,       null: true
-      foreign_key :group_id,      :groups,      null: true
-      foreign_key :permission_id, :permissions, null: true
-      foreign_key :role_id,       :roles,       null: true
-      foreign_key :resource_id,   :resources,   null: true
-
+      foreign_key :user_id,       :super_auth_users,       null: true
+      foreign_key :group_id,      :super_auth_groups,      null: true
+      foreign_key :permission_id, :super_auth_permissions, null: true
+      foreign_key :role_id,       :super_auth_roles,       null: true
+      foreign_key :resource_id,   :super_auth_resources,   null: true
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_edges)
+  end
 end

data/db/migrate/7_authorization.rb

@@ -0,0 +1,39 @@
+Sequel.migration do
+  up do
+    create_table(:super_auth_authorizations) do
+      Integer :user_id, null: true
+      String :user_name, null: true
+      String :user_external_id, null: true
+      DateTime :user_created_at, null: true
+      DateTime :user_updated_at, null: true
+      Integer :group_id, null: true
+      String :group_name, null: true
+      String :group_path, null: true
+      String :group_name_path, null: true
+      String :group_parent_name, null: true
+      String :group_parent_id, null: true
+      DateTime :group_created_at, null: true
+      DateTime :group_updated_at, null: true
+      Integer :role_id, null: true
+      String :role_name, null: true
+      String :role_path, null: true
+      String :role_name_path, null: true
+      String :role_parent_id, null: true
+      DateTime :role_created_at, null: true
+      DateTime :role_updated_at, null: true
+      Integer :permission_id, null: true
+      String :permission_name, null: true
+      DateTime :permission_created_at, null: true
+      DateTime :permission_updated_at, null: true
+      Integer :resource_id, null: true
+      String :resource_name, null: true
+      String :resource_external_id, null: true
+      DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+      DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+  end
+
+  down do
+    drop_table(:super_auth_authorizations)
+  end
+end

data/lib/basic_loader.rb

@@ -3,10 +3,21 @@
 # File generated automatically, do not edit
 # See https://blog.pawelpokrywka.com/p/gem-with-zeitwerk-as-development-only-dependency
 
+require 'super_auth/active_record' if defined?(ActiveRecord::Base)
+require 'super_auth/authorization'
 require 'super_auth/edge'
 require 'super_auth/nestable'
 require 'super_auth/group'
 require 'super_auth/permission'
+require 'super_auth/railtie'
 require 'super_auth/resource'
 require 'super_auth/role'
 require 'super_auth/user'
+require 'super_auth/active_record/authorization' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/by_current_user' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/edge' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/group' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/permission' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/resource' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/role' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/user' if defined?(ActiveRecord::Base)

data/lib/super_auth/active_record/authorization.rb

@@ -0,0 +1,3 @@
+class SuperAuth::ActiveRecord::Authorization < ActiveRecord::Base
+  self.table_name = 'super_auth_authorizations'
+end

data/lib/super_auth/active_record/by_current_user.rb

@@ -0,0 +1,24 @@
+module SuperAuth::ActiveRecord::ByCurrentUser
+  def self.included(base)
+    base.has_many :super_auth_authorizations
+
+    base.send(:default_scope, **{all_queries: true}) do
+      raise "SuperAuth.current_user not set" if SuperAuth.current_user.blank?
+
+      if SuperAuth.current_user.system?
+        self
+      else
+        # Important:
+        # We use a subquery here instead of a inner join because we don't want
+        # to potentially affect break on queries issue count queries in their app.
+        where(id: SuperAuth::ActiveRecord::Authorization.where(super_auth_user_id: SuperAuth.current_user.id).select(:resource_id))
+      end
+    end
+  end
+
+  def system? = false
+
+  module ClassMethods
+  end
+
+end

data/lib/super_auth/active_record/edge.rb

@@ -0,0 +1,3 @@
+class SuperAuth::ActiveRecord::Edge < ActiveRecord::Base
+  self.table_name = 'super_auth_edges'
+end

data/lib/super_auth/active_record/group.rb

@@ -0,0 +1,3 @@
+class SuperAuth::ActiveRecord::Group < ActiveRecord::Base
+  self.table_name = 'super_auth_groups'
+end

data/lib/super_auth/active_record/permission.rb

@@ -0,0 +1,3 @@
+class SuperAuth::ActiveRecord::Permission < ActiveRecord::Base
+  self.table_name = 'super_auth_permissions'
+end

data/lib/super_auth/active_record/resource.rb

@@ -0,0 +1,3 @@
+class SuperAuth::ActiveRecord::Resource < ActiveRecord::Base
+  self.table_name = 'super_auth_resources'
+end

data/lib/super_auth/active_record/role.rb

@@ -0,0 +1,3 @@
+class SuperAuth::ActiveRecord::Role < ActiveRecord::Base
+  self.table_name = 'super_auth_roles'
+end

data/lib/super_auth/active_record/user.rb

@@ -0,0 +1,8 @@
+class SuperAuth::ActiveRecord::User < ActiveRecord::Base
+  self.table_name = 'super_auth_users'
+
+  def model_name = ActiveModel::Name.new(:user)
+
+  def system? = self.class.system == self
+  def self.system = find_or_create_by(name: "system")
+end

data/lib/super_auth/active_record.rb

@@ -0,0 +1,3 @@
+require "active_record"
+module SuperAuth::ActiveRecord
+end

data/lib/super_auth/authorization.rb

@@ -0,0 +1,2 @@
+class SuperAuth::Authorization < Sequel::Model(:super_auth_authorizations)
+end