tcs-ldap-permission 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d2025fb81cee1f349807d52ca15b280a46cb1176
+  data.tar.gz: 22e2e6c8d17d5c273cc300abd0e7993994b63264
+SHA512:
+  metadata.gz: 463819ac04e04f5a5703e0fea5b4fbade157a1e0f5bf27a40116df6599b5507917c0dba5ceb3bfa0689f20f716dc0209e9e17826d3696f5466ccc21c3d4e1d3f
+  data.tar.gz: 16fef793d951f59c0d42fc8749a1c11acb38e7d406673d41a567412519ac1e68dc927131498d1fb315c81ba1d59f2a90f64ab159d3136ff16add0765738716ac

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# Ignore RubyMine
+/.idea
+
+# Ignore mac files
+.DS_Store

data/.rubocop.yml

@@ -0,0 +1,7 @@
+inherit_gem:
+  tcs-rubocop:
+    - default.yml
+
+AllCops:
+  Exclude:
+    - bin/*

data/Gemfile

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in tcs-ldap-permission.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,40 @@
+PATH
+  remote: .
+  specs:
+    tcs-ldap-permission (1.0.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.0)
+    minitest (5.11.3)
+    parallel (1.12.1)
+    parser (2.5.0.3)
+      ast (~> 2.4.0)
+    powerpack (0.1.1)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rubocop (0.52.1)
+      parallel (~> 1.10)
+      parser (>= 2.4.0.2, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.9.0)
+    tcs-rubocop (0.3.0)
+      rubocop (= 0.52.1)
+    unicode-display_width (1.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  minitest (~> 5.0)
+  rake (~> 10.0)
+  tcs-ldap-permission!
+  tcs-rubocop
+
+BUNDLED WITH
+   1.16.0

data/README.md

@@ -0,0 +1,79 @@
+# Tcs::Ldap::Permission Gem
+An easy way to map LDAP groups to application roles
+
+## Installation
+
+This supports Rails 4.2 and above.
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'tcs-ldap-permission'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install tcs-ldap-permission
+
+## Usage
+
+Add a `config/ldap_perimissions.yml` configuration file, e.g.
+```yaml
+<%= Rails.env %>:
+  groups:
+    PAYROLL_LINK_KRONOS SEC:
+    - manage_job_codes
+    IS Directors:
+    - superuser
+  users:
+    jonny@appleseed.com:
+      - approve_job_codes
+```
+
+In your `User` class, include the `Tcs::Ldap::Permission` module
+
+```ruby
+class User
+  include Tcs::Ldap::Permission
+  ...
+```
+
+Now you can check authorization in your controller
+```ruby
+before_action :authorize!
+...
+def authorize!
+  unless current_user.can?(:manage_job_codes)
+    flash[:error] = I18n.t "devise.failure.unauthorized"
+    redirect_to(root_path)
+  end
+end
+
+```
+
+### Configuration
+
+The `config/ldap_perimissions.yml` file specifies what actions are available to a group or user.
+It is preferable to only use groups so that the `config/ldap_perimissions.yml` doesn't
+need to be updated every time a person moves into or out of a role.
+In situations where it doesn't make sense to create a group, you can specify individual
+users by their login.   
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies.
+Then, run `rake test` to run the tests.
+You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`,
+which will create a git tag for the version, push git commits and tags,
+and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/the-container-store/Tcs-Ldap-Permission-Gem.

data/Rakefile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task default: :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "tcs/ldap/permission"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/tcs/ldap/group.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+# models an LDAP group specifier, like
+# CN=pbadmins,OU=Security Groups,OU=Group Accounts,DC=containerstore,DC=com
+# as an array of two-element arrays, with lowest-level nodes being first
+# in the array
+# [
+#   ['CN', 'pbadmins'],
+#   ['OU', 'Security Groups'],
+#   ['OU', 'Group Accounts'],
+#   ['DC', 'containerstore'],
+#   ['DC', 'com']
+# ]
+class Tcs::Ldap::Group
+  def initialize(group_string)
+    @original_string = group_string
+    # CN=pb\, admins,OU=Security Groups\=good,OU=Group Accounts,DC=containerstore,DC=com
+    string_with_escaped_commas_replaced = group_string.gsub(/\\,/, ";;")
+    # CN=pb$$ admins,OU=Security Groups\=good,OU=Group Accounts,DC=containerstore,DC=com
+    nodes_with_commas_replaced = string_with_escaped_commas_replaced.split(",")
+    # ['CN=pb$$ admins', 'OU=Security Groups\=good', 'OU=Group Accounts', 'DC=containerstore', 'DC=com']
+    node_strings = nodes_with_commas_replaced.collect { |n| n.gsub(/;;/, ",") }
+    # ['CN=pb, admins', 'OU=Security Groups\=good', 'OU=Group Accounts', 'DC=containerstore', 'DC=com']
+    node_strings_with_equals_replaced = node_strings.collect { |n| n.gsub(/\\=/, ";;") }
+    # ['CN=pb, admins', 'OU=Security Groups$$good', 'OU=Group Accounts', 'DC=containerstore', 'DC=com']
+    nodes_with_equals_replaced = node_strings_with_equals_replaced.collect { |n| n.split("=") }
+    # [['CN', 'pb, admins'], ['OU', 'Security Groups$$good'],
+    # ['OU', 'Group Accounts'], ['DC', 'containerstore'], ['DC', 'com']]
+    @nodes = nodes_with_equals_replaced.collect { |n| [n.first, n.last.gsub(/;;/, "=")] }
+  end
+
+  def cn
+    @nodes.first.last
+  end
+end

data/lib/tcs/ldap/permission.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+require "tcs/ldap/permission/version"
+require "tcs/ldap/group"
+
+module Tcs
+  module Ldap
+    module Permission
+      module ClassMethods
+        def ldap_permissions
+          @ldap_permissions ||= read_ldap_permissions_config
+        end
+
+        def configured_ldap_groups
+          ldap_permissions[:groups].keys
+        end
+
+        private
+        def read_ldap_permissions_config
+          Rails.application.config_for(:ldap_permissions).symbolize_keys
+        end
+      end
+
+      def self.included(klass)
+        klass.extend(ClassMethods)
+      end
+
+      def groups
+        @groups ||= fetch_groups
+      end
+
+      def authorized_actions
+        @authorized_actions ||= determine_authorized_actions
+      end
+
+      def can?(action)
+        superuser? || authorized_actions.include?(action.to_sym)
+      end
+
+      def superuser?
+        authorized_actions.include?(:superuser)
+      end
+
+      private
+
+      def fetch_groups
+        ldap_array = ldap(:memberof)
+        return [] if ldap_array.nil?
+        groups = ldap_array.collect { |g| Tcs::Ldap::Group.new(g) }
+        groups.collect(&:cn) & self.class.configured_ldap_groups
+      end
+
+      def ldap(attr)
+        Devise::LDAP::Adapter.get_ldap_param(username, attr.to_s)
+      end
+
+      def determine_authorized_actions
+        actions = groups.map {|group| self.class.ldap_permissions.dig(:groups, group)}
+        actions << user_specific_actions
+        actions.flatten.compact.uniq.map(&:to_sym)
+      end
+
+      def user_specific_actions
+        self.class.ldap_permissions.dig(:users, username)
+      end
+    end
+  end
+end

data/lib/tcs/ldap/permission/version.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Tcs
+  module Ldap
+    module Permission
+      VERSION = "1.0.0"
+    end
+  end
+end

data/tcs-ldap-permission.gemspec

@@ -0,0 +1,27 @@
+
+# frozen_string_literal: true
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "tcs/ldap/permission/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "tcs-ldap-permission"
+  spec.version       = Tcs::Ldap::Permission::VERSION
+  spec.authors       = ["Ed Wagner"]
+  spec.email         = ["ewwagner@containerstore.com"]
+
+  spec.summary       = %q{An easy way to map LDAP groups to application roles}
+  spec.homepage      = "https://github.com/the-container-store/Tcs-Ldap-Permission-Gem"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "tcs-rubocop"
+end

metadata

@@ -0,0 +1,111 @@
+--- !ruby/object:Gem::Specification
+name: tcs-ldap-permission
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Ed Wagner
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-04-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: tcs-rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- ewwagner@containerstore.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/tcs/ldap/group.rb
+- lib/tcs/ldap/permission.rb
+- lib/tcs/ldap/permission/version.rb
+- tcs-ldap-permission.gemspec
+homepage: https://github.com/the-container-store/Tcs-Ldap-Permission-Gem
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: An easy way to map LDAP groups to application roles
+test_files: []