super_auth 0.1.4 → 0.2.0

data/config/routes.rb

@@ -0,0 +1,73 @@
+SuperAuth::Engine.routes.draw do
+  # Main graph visualization interface
+  get '/', to: 'graph#index', as: :root
+  get '/graph', to: 'graph#index'
+
+  # Graph data API
+  get '/graph/data', to: 'graph#data'
+  get '/graph/orphaned', to: 'graph#orphaned'
+  post '/graph/compile_authorizations', to: 'graph#compile_authorizations'
+
+  # Authorization check
+  get '/graph/authorize', to: 'graph#authorize'
+
+  # Legacy visualization endpoint
+  get '/visualization', to: 'graph#visualization'
+
+  # CRUD operations for graph entities
+  scope :graph do
+    resources :users, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_user
+      end
+      member do
+        delete '/', action: :delete_user
+      end
+    end
+
+    resources :groups, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_group
+      end
+      member do
+        delete '/', action: :delete_group
+      end
+    end
+
+    resources :roles, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_role
+      end
+      member do
+        delete '/', action: :delete_role
+      end
+    end
+
+    resources :permissions, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_permission
+      end
+      member do
+        delete '/', action: :delete_permission
+      end
+    end
+
+    resources :graph_resources, only: [:create, :destroy], controller: 'graph', path: 'resources' do
+      collection do
+        post '/', action: :create_resource
+      end
+      member do
+        delete '/', action: :delete_resource
+      end
+    end
+
+    resources :edges, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_edge
+      end
+      member do
+        delete '/', action: :delete_edge
+      end
+    end
+  end
+end

data/db/migrate/1_users.rb

@@ -1,13 +1,16 @@
 Sequel.migration do
-  change do
-    create_table?(:super_auth_users) do
+  up do
+    create_table(:super_auth_users) do
       primary_key :id
-
       String :external_id # , null: false
+      String :external_type # , null: false
       String :name
-
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_users)
+  end
 end

data/db/migrate/2_groups.rb

@@ -1,11 +1,22 @@
 Sequel.migration do
-  change do
-    create_table?(:super_auth_groups) do
+  up do
+    is_postgres = self.database_type == :postgres
+
+    create_table(:super_auth_groups) do
       primary_key :id
       String :name, null: false
-      foreign_key :parent_id, :super_auth_groups, deferrable: true, type: :integer
+      # deferrable constraints only supported in PostgreSQL
+      if is_postgres
+        foreign_key :parent_id, :super_auth_groups, deferrable: true, type: :integer
+      else
+        foreign_key :parent_id, :super_auth_groups, type: :integer
+      end
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_groups)
+  end
 end

data/db/migrate/3_permissions.rb

@@ -1,10 +1,14 @@
 Sequel.migration do
-  change do
-    create_table?(:super_auth_permissions) do
+  up do
+    create_table(:super_auth_permissions) do
       primary_key :id
       String :name, null: false
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_permissions)
+  end
 end

data/db/migrate/4_roles.rb

@@ -1,11 +1,22 @@
 Sequel.migration do
-  change do
-    create_table?(:super_auth_roles) do
+  up do
+    is_postgres = self.database_type == :postgres
+
+    create_table(:super_auth_roles) do
       primary_key :id
       String :name, null: false
-      foreign_key :parent_id, :super_auth_roles, deferrable: true, type: :integer
+      # deferrable constraints only supported in PostgreSQL
+      if is_postgres
+        foreign_key :parent_id, :super_auth_roles, deferrable: true, type: :integer
+      else
+        foreign_key :parent_id, :super_auth_roles, type: :integer
+      end
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_roles)
+  end
 end

data/db/migrate/5_resources.rb

@@ -1,13 +1,16 @@
 Sequel.migration do
-  change do
-    create_table?(:super_auth_resources) do
+  up do
+    create_table(:super_auth_resources) do
       primary_key :id
-
       String :name
       String :external_id # , null: false
-
+      String :external_type # , null: false
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_resources)
+  end
 end

data/db/migrate/6_edge.rb

@@ -1,16 +1,18 @@
 Sequel.migration do
-  change do
-    create_table?(:super_auth_edges) do
+  up do
+    create_table(:super_auth_edges) do
       primary_key :id
-
       foreign_key :user_id,       :super_auth_users,       null: true
       foreign_key :group_id,      :super_auth_groups,      null: true
       foreign_key :permission_id, :super_auth_permissions, null: true
       foreign_key :role_id,       :super_auth_roles,       null: true
       foreign_key :resource_id,   :super_auth_resources,   null: true
-
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end
   end
+
+  down do
+    drop_table(:super_auth_edges)
+  end
 end

data/db/migrate/7_authorization.rb

@@ -0,0 +1,41 @@
+Sequel.migration do
+  up do
+    create_table(:super_auth_authorizations) do
+      Integer :user_id, null: true
+      String :user_name, null: true
+      String :user_external_id, null: true
+      String :user_external_type, null: true
+      DateTime :user_created_at, null: true
+      DateTime :user_updated_at, null: true
+      Integer :group_id, null: true
+      String :group_name, null: true
+      String :group_path, null: true
+      String :group_name_path, null: true
+      String :group_parent_name, null: true
+      String :group_parent_id, null: true
+      DateTime :group_created_at, null: true
+      DateTime :group_updated_at, null: true
+      Integer :role_id, null: true
+      String :role_name, null: true
+      String :role_path, null: true
+      String :role_name_path, null: true
+      String :role_parent_id, null: true
+      DateTime :role_created_at, null: true
+      DateTime :role_updated_at, null: true
+      Integer :permission_id, null: true
+      String :permission_name, null: true
+      DateTime :permission_created_at, null: true
+      DateTime :permission_updated_at, null: true
+      Integer :resource_id, null: true
+      String :resource_name, null: true
+      String :resource_external_id, null: true
+      String :resource_external_type, null: true
+      DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+      DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+  end
+
+  down do
+    drop_table(:super_auth_authorizations)
+  end
+end

data/db/migrate/8_add_indexes_to_edges.rb

@@ -0,0 +1,17 @@
+Sequel.migration do
+  up do
+    add_index :super_auth_edges, :user_id
+    add_index :super_auth_edges, :group_id
+    add_index :super_auth_edges, :role_id
+    add_index :super_auth_edges, :permission_id
+    add_index :super_auth_edges, :resource_id
+  end
+
+  down do
+    drop_index :super_auth_edges, :user_id
+    drop_index :super_auth_edges, :group_id
+    drop_index :super_auth_edges, :role_id
+    drop_index :super_auth_edges, :permission_id
+    drop_index :super_auth_edges, :resource_id
+  end
+end

data/db/migrate_activerecord/20250101000001_create_super_auth_users.rb

@@ -0,0 +1,10 @@
+class CreateSuperAuthUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_users do |t|
+      t.string :external_id
+      t.string :external_type
+      t.string :name
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000002_create_super_auth_groups.rb

@@ -0,0 +1,11 @@
+class CreateSuperAuthGroups < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_groups do |t|
+      t.string :name, null: false
+      t.bigint :parent_id
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    add_foreign_key :super_auth_groups, :super_auth_groups, column: :parent_id
+  end
+end

data/db/migrate_activerecord/20250101000003_create_super_auth_permissions.rb

@@ -0,0 +1,8 @@
+class CreateSuperAuthPermissions < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_permissions do |t|
+      t.string :name, null: false
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000004_create_super_auth_roles.rb

@@ -0,0 +1,11 @@
+class CreateSuperAuthRoles < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_roles do |t|
+      t.string :name, null: false
+      t.bigint :parent_id
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    add_foreign_key :super_auth_roles, :super_auth_roles, column: :parent_id
+  end
+end

data/db/migrate_activerecord/20250101000005_create_super_auth_resources.rb

@@ -0,0 +1,10 @@
+class CreateSuperAuthResources < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_resources do |t|
+      t.string :name
+      t.string :external_id
+      t.string :external_type
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000006_create_super_auth_edges.rb

@@ -0,0 +1,12 @@
+class CreateSuperAuthEdges < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_edges do |t|
+      t.references :user, foreign_key: { to_table: :super_auth_users }, null: true
+      t.references :group, foreign_key: { to_table: :super_auth_groups }, null: true
+      t.references :permission, foreign_key: { to_table: :super_auth_permissions }, null: true
+      t.references :role, foreign_key: { to_table: :super_auth_roles }, null: true
+      t.references :resource, foreign_key: { to_table: :super_auth_resources }, null: true
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000007_create_super_auth_authorizations.rb

@@ -0,0 +1,41 @@
+class CreateSuperAuthAuthorizations < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_authorizations do |t|
+      t.integer :user_id
+      t.string :user_name
+      t.string :user_external_id
+      t.string :user_external_type
+      t.datetime :user_created_at
+      t.datetime :user_updated_at
+
+      t.integer :group_id
+      t.string :group_name
+      t.string :group_path
+      t.string :group_name_path
+      t.string :group_parent_name
+      t.string :group_parent_id
+      t.datetime :group_created_at
+      t.datetime :group_updated_at
+
+      t.integer :role_id
+      t.string :role_name
+      t.string :role_path
+      t.string :role_name_path
+      t.string :role_parent_id
+      t.datetime :role_created_at
+      t.datetime :role_updated_at
+
+      t.integer :permission_id
+      t.string :permission_name
+      t.datetime :permission_created_at
+      t.datetime :permission_updated_at
+
+      t.integer :resource_id
+      t.string :resource_name
+      t.string :resource_external_id
+      t.string :resource_external_type
+
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/seeds/sample_data.rb

@@ -0,0 +1,193 @@
+# Sample data based on the README examples
+# This seed file creates a complete authorization graph for demonstration
+
+puts "Creating sample data for SuperAuth..."
+
+# Initialize SuperAuth
+require 'super_auth'
+SuperAuth.load
+
+# Detect which ORM we're using
+if defined?(SuperAuth::ActiveRecord::User)
+  User = SuperAuth::ActiveRecord::User
+  Group = SuperAuth::ActiveRecord::Group
+  Role = SuperAuth::ActiveRecord::Role
+  Permission = SuperAuth::ActiveRecord::Permission
+  Resource = SuperAuth::ActiveRecord::Resource
+  Edge = SuperAuth::ActiveRecord::Edge
+else
+  User = SuperAuth::User
+  Group = SuperAuth::Group
+  Role = SuperAuth::Role
+  Permission = SuperAuth::Permission
+  Resource = SuperAuth::Resource
+  Edge = SuperAuth::Edge
+end
+
+# Clear existing data (optional - comment out if you don't want this)
+puts "Clearing existing data..."
+Edge.delete_all
+Group.update_all(parent_id: nil)
+Role.update_all(parent_id: nil)
+User.delete_all
+Group.delete_all
+Role.delete_all
+Permission.delete_all
+Resource.delete_all
+
+# Create users
+puts "Creating users..."
+peter = User.create!(name: 'Peter')
+michael = User.create!(name: 'Michael')
+bethany = User.create!(name: 'Bethany')
+eloise = User.create!(name: 'Eloise')
+anna = User.create!(name: 'Anna')
+dillon = User.create!(name: 'Dillon')
+guest = User.create!(name: 'Guest')
+
+# Create group hierarchy
+puts "Creating groups..."
+company = Group.create!(name: 'Company')
+engineering_dept = Group.create!(name: 'Engineering_dept', parent: company)
+backend = Group.create!(name: 'Backend', parent: engineering_dept)
+frontend = Group.create!(name: 'Frontend', parent: engineering_dept)
+sales_department = Group.create!(name: 'Sales Department', parent: company)
+marketing_department = Group.create!(name: 'Marketing Department', parent: company)
+customers = Group.create!(name: 'Customers')
+customer_a = Group.create!(name: 'CustomerA', parent: customers)
+customer_b = Group.create!(name: 'CustomerB', parent: customers)
+vendors = Group.create!(name: 'Vendors')
+vendor_a = Group.create!(name: 'VendorA', parent: vendors)
+vendor_b = Group.create!(name: 'VendorB', parent: vendors)
+
+# Create role hierarchy
+puts "Creating roles..."
+employee = Role.create!(name: 'Employee')
+engineering = Role.create!(name: 'Engineering', parent: employee)
+senor_software_dev = Role.create!(name: 'Señor Software Developer', parent: engineering)
+senor_designer = Role.create!(name: 'Señor Designer', parent: engineering)
+software_developer = Role.create!(name: 'Software Developer', parent: engineering)
+production_support = Role.create!(name: 'Production Support', parent: engineering)
+sales_and_marketing = Role.create!(name: 'Sales and Marketing', parent: employee)
+marketing_manager = Role.create!(name: 'Marketing Manager', parent: sales_and_marketing)
+marketing_associate = Role.create!(name: 'Marketing Associate', parent: sales_and_marketing)
+customer_role = Role.create!(name: 'CustomerRole')
+
+# Create permissions
+puts "Creating permissions..."
+create_perm = Permission.create!(name: 'create')
+read_perm = Permission.create!(name: 'read')
+update_perm = Permission.create!(name: 'update')
+delete_perm = Permission.create!(name: 'delete')
+invoice_perm = Permission.create!(name: 'invoice')
+login_perm = Permission.create!(name: 'login')
+reboot_perm = Permission.create!(name: 'reboot')
+deploy_perm = Permission.create!(name: 'deploy')
+sign_contract_perm = Permission.create!(name: 'sign_contract')
+subscribe_perm = Permission.create!(name: 'subscribe')
+unsubscribe_perm = Permission.create!(name: 'unsubscribe')
+publish_design_perm = Permission.create!(name: 'publish_design')
+
+# Create resources
+puts "Creating resources..."
+app1 = Resource.create!(name: 'app1')
+app2 = Resource.create!(name: 'app2')
+staging = Resource.create!(name: 'staging')
+db1 = Resource.create!(name: 'db1')
+db2 = Resource.create!(name: 'db2')
+core_design_template = Resource.create!(name: 'core_design_template')
+customer_profile = Resource.create!(name: 'customer_profile')
+marketing_website = Resource.create!(name: 'marketing_website')
+customer_post1 = Resource.create!(name: 'customer_post1')
+customer_post2 = Resource.create!(name: 'customer_post2')
+customer_post3 = Resource.create!(name: 'customer_post3')
+
+# Create edges (authorization relationships)
+puts "Creating authorization edges..."
+
+# Example 1: Peter can access core_design_template through Frontend -> Engineering -> CRUD
+Edge.create!(user: peter, group: frontend)
+Edge.create!(group: frontend, role: engineering)
+Edge.create!(role: engineering, permission: create_perm)
+Edge.create!(role: engineering, permission: read_perm)
+Edge.create!(role: engineering, permission: update_perm)
+Edge.create!(role: engineering, permission: delete_perm)
+Edge.create!(resource: core_design_template, permission: create_perm)
+Edge.create!(resource: core_design_template, permission: read_perm)
+Edge.create!(resource: core_design_template, permission: update_perm)
+Edge.create!(resource: core_design_template, permission: delete_perm)
+
+# Example 2: Michael can deploy to app1 through Backend -> Production Support
+Edge.create!(user: michael, group: backend)
+Edge.create!(group: backend, role: production_support)
+Edge.create!(role: production_support, permission: deploy_perm)
+Edge.create!(permission: deploy_perm, resource: app1)
+
+# Example 3: Anna can read customer posts through CustomerA -> CustomerRole
+Edge.create!(user: anna, group: customer_a)
+Edge.create!(group: customer_a, role: customer_role)
+Edge.create!(role: customer_role, permission: read_perm)
+Edge.create!(permission: read_perm, resource: customer_post1)
+Edge.create!(permission: read_perm, resource: customer_post2)
+
+# Additional scenarios for demonstration
+
+# Bethany has multiple authorization paths
+Edge.create!(user: bethany, group: engineering_dept)
+Edge.create!(group: engineering_dept, role: engineering)
+Edge.create!(permission: read_perm, resource: staging)
+
+# Bethany also has direct role assignment
+Edge.create!(user: bethany, role: production_support)
+Edge.create!(permission: deploy_perm, resource: staging)
+
+# Dillon has direct resource access (simplest path)
+Edge.create!(user: dillon, resource: db1)
+
+# Eloise has user -> permission -> resource path
+Edge.create!(user: eloise, permission: reboot_perm)
+Edge.create!(permission: reboot_perm, resource: db2)
+
+# Marketing department scenario
+Edge.create!(user: anna, group: marketing_department)
+Edge.create!(group: marketing_department, role: marketing_associate)
+Edge.create!(role: marketing_associate, permission: subscribe_perm)
+Edge.create!(role: marketing_associate, permission: unsubscribe_perm)
+Edge.create!(permission: subscribe_perm, resource: customer_profile)
+Edge.create!(permission: unsubscribe_perm, resource: customer_profile)
+
+# Vendor access
+Edge.create!(user: michael, group: vendor_a)
+Edge.create!(group: vendor_a, permission: invoice_perm)
+Edge.create!(permission: invoice_perm, resource: app1)
+
+# Company-wide access
+Edge.create!(user: bethany, group: company)
+Edge.create!(group: company, role: employee)
+Edge.create!(role: employee, permission: login_perm)
+Edge.create!(permission: login_perm, resource: app2)
+
+# Senior Designer role
+Edge.create!(user: peter, group: frontend) # Already created above, but illustrating
+Edge.create!(group: frontend, role: senor_designer)
+Edge.create!(role: senor_designer, permission: publish_design_perm)
+Edge.create!(permission: publish_design_perm, resource: marketing_website)
+
+# Backend developers sharing permissions
+Edge.create!(user: dillon, group: backend)
+Edge.create!(group: backend, role: software_developer)
+Edge.create!(role: software_developer, permission: update_perm)
+Edge.create!(permission: update_perm, resource: staging)
+
+# Senior software developer with multiple permissions
+# (Michael already has vendor_a group)
+Edge.create!(group: backend, role: senor_software_dev)
+Edge.create!(role: senor_software_dev, permission: read_perm)
+Edge.create!(role: senor_software_dev, permission: update_perm)
+Edge.create!(role: senor_software_dev, permission: deploy_perm)
+# Resources already connected above
+
+puts "Sample data created successfully!"
+puts "#{User.count} users, #{Group.count} groups, #{Role.count} roles"
+puts "#{Permission.count} permissions, #{Resource.count} resources"
+puts "#{Edge.count} authorization edges"

data/lib/basic_loader.rb

@@ -1,8 +1,8 @@
-# frozen_string_literal: true
-
 # File generated automatically, do not edit
 # See https://blog.pawelpokrywka.com/p/gem-with-zeitwerk-as-development-only-dependency
 
+require 'super_auth/active_record' if defined?(ActiveRecord::Base)
+require 'super_auth/authorization'
 require 'super_auth/edge'
 require 'super_auth/nestable'
 require 'super_auth/group'
@@ -11,3 +11,11 @@ require 'super_auth/railtie'
 require 'super_auth/resource'
 require 'super_auth/role'
 require 'super_auth/user'
+require 'super_auth/active_record/authorization' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/by_current_user' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/edge' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/group' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/permission' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/resource' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/role' if defined?(ActiveRecord::Base)
+require 'super_auth/active_record/user' if defined?(ActiveRecord::Base)

data/lib/generators/super_auth/install/install_generator.rb

@@ -0,0 +1,19 @@
+require 'rails/generators'
+
+module SuperAuth
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      desc "Creates a SuperAuth initializer"
+
+      def copy_initializer
+        template 'super_auth.rb', 'config/initializers/super_auth.rb'
+      end
+
+      def show_readme
+        readme 'README' if behavior == :invoke
+      end
+    end
+  end
+end

data/lib/generators/super_auth/install/templates/README

@@ -0,0 +1,29 @@
+===============================================================================
+
+SuperAuth initializer created at config/initializers/super_auth.rb
+
+Next steps:
+
+1. Run migrations to create the database tables:
+
+   SuperAuth.install_migrations
+
+   You can run this in the Rails console or add it to a rake task.
+
+2. Mount the engine in config/routes.rb:
+
+   mount SuperAuth::Engine => '/super_auth'
+
+3. (Optional) Load sample data to see the visualization in action:
+
+   rails runner "load File.join(SuperAuth::Engine.root, 'db/seeds/sample_data.rb')"
+
+4. Start your Rails server and visit:
+
+   http://localhost:3000/super_auth/visualization
+
+For more information, see:
+- VISUALIZATION.md for full documentation
+- README.md for usage examples
+
+===============================================================================

data/lib/generators/super_auth/install/templates/super_auth.rb

@@ -0,0 +1,7 @@
+# SuperAuth Initializer
+# The SuperAuth Railtie automatically connects to your database and loads all
+# models on boot. Use this file for any additional configuration.
+#
+# SuperAuth.setup do |config|
+#   # configuration options here
+# end

data/lib/super_auth/active_record/authorization.rb

@@ -0,0 +1,3 @@
+class SuperAuth::ActiveRecord::Authorization < ActiveRecord::Base
+  self.table_name = 'super_auth_authorizations'
+end