ucb_rails_user 4.0.7 → 4.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a8118f9d0b261b1ad04181b2fa0211c30535bedb47b75b1438275b6ef7c5af0
-  data.tar.gz: 7eee880cef304680125f21beaffeab8a6c95525beda0bfdb750920ab4c996f2e
+  metadata.gz: 7a1de8958c36cbeeb3541649d812e7288468672f9352ec84749810fccaf81005
+  data.tar.gz: e2262f788179205abf8dc7d4558a434f3826130f6d713448ef90a783e2341fe1
 SHA512:
-  metadata.gz: 9567b7aa7b943fd70cfe138345d191a84d36a92455e1eb0b6d1d472eb1bc17d09beea6c854804a7e8facea817ed8e2616ece9e27df6dda10bf95fc51e88911b8
-  data.tar.gz: 7e074a6ae931a175285882810cede02a0e83d0322d1c50302d2139df7e9230af1891e8015df91e59132cb27071e4e479b30bc1b0cacb1786b93452c2612e4e30
+  metadata.gz: 27314e556fa6987b12779ea570dacbd3f5089a7cfdef91a316020f13754ceb147cd74de4e3e468a298109cc1336beef659708507bde98605743242e9cd4f6c91
+  data.tar.gz: dbb93ff5a2cde7347e2b5441155edafae6f18557cbaf584ac6f89fdb34adda7b67dc36b8f43a5c571e2fb0b6de8eefd71dacb6f3a3e6cd04458a56acd1d417fe

data/README.md

@@ -105,6 +105,20 @@ For example, if the admin screens for your app are under the `/backend` path rat
 resources :users, controller: "ucb_rails_user/users", path: "backend/users", as: :backend_users
 ```
 
+## Session Managers
+
+Authentication during login is handled by UCB's central auth system and this gem uses the [omniauth-cas](https://github.com/dlindahl/omniauth-cas) to manage the handshake. Once that is completed, we're handed the LDAP uid of the authenticated user, and, by default, this gem will attempt to pull the user's employee data and create or update a `User` record for them in the local database.
+
+This behavior can be customized by writing your own user session manager. There are two steps to do this:
+
+   1. Create a subclass of [`UcbRailsUser::UserSessionManager::Base`](https://github.com/ucb-ist-eas/ucb_rails_user/blob/main/app/models/ucb_rails_user/user_session_manager/base.rb). At a minimum you need to implement a `login` method that accepts the user's LDAP uid and returns a `User` instance (or raises an error if the process fails), and a `current_user` method that returns the `User` instance for the currently-logged-in user. [Several implementations](https://github.com/ucb-ist-eas/ucb_rails_user/tree/main/app/models/ucb_rails_user/user_session_manager) are included so you can look to these to base yours off of.
+
+   1. Open `config/initializers/ucb_rails_user.rb` in your host app and change the `user_session_manager` config setting to the class your custom implementation:
+
+```
+    config.user_session_manager = "MyApp::MyCustomUserSessionManager"
+```
+
 ## User Impersonation
 
 The impersonation feature allows admins to be logged in as a different user in the system. This is useful when trying to diagnose data-specific problems, as the admin can see exactly what the user sees.

data/app/assets/javascripts/ucb_rails_user/ucb_rails_user.js

@@ -32,7 +32,7 @@ var addDatatablesToUsersTable = function () {
     }],
   })
   var addNewHtml = '&nbsp;&nbsp;<a href="/admin/users/new" class="btn btn-primary">Add New</a>'
-  $('#DataTables_Table_0_filter').append(addNewHtml)
+  $('.ucb-rails-users-table-wrapper #DataTables_Table_0_filter').append(addNewHtml)
 }
 
 var resetImpersonateButton = function() {

data/app/models/ucb_rails_user/impersonation.rb

@@ -1,8 +1,8 @@
 class UcbRailsUser::Impersonation < ApplicationRecord
   include UcbRailsUser::Concerns::ImpersonationConcerns
 
-  # Don't add anything more here - any logic for the User class should go into
-  # UserConcerns. This will make it much easier for host apps to customize
+  # Don't add anything more here - any logic for the Impersonation class should go into
+  # ImpersonationConcerns. This will make it much easier for host apps to customize
   # behavior if they need to
   # http://guides.rubyonrails.org/engines.html#implementing-decorator-pattern-using-activesupport-concern
 

data/app/models/ucb_rails_user/user_session_manager/in_uc_path_add_to_users_table.rb

@@ -0,0 +1,39 @@
+# Session manager that attempts to pull the user record from UCPath, and
+# falls back to LDAP if needed
+
+module UcbRailsUser
+  module UserSessionManager
+
+    class InUcPathAddToUsersTable < ActiveInUserTable
+      def login(uid)
+        self.uid = uid
+
+        # try UCPath first
+        user = safely_load_user_from_api do
+          UcbRailsUser::UserUcPathService.create_or_update_user_from_ldap_uid(self.uid)
+        end
+
+        # if that doesn't work, try LDAP
+        user ||= safely_load_user_from_api do
+          UcbRailsUser::UserLdapService.create_or_update_user_from_entry(people_ou_entry)
+        end
+
+        user&.tap do |u|
+          u&.touch(:last_login_at)
+        end
+      end
+
+      private
+
+      def safely_load_user_from_api(&block)
+        begin
+          user = block.call
+        rescue StandardError
+          user = nil
+        end
+        user
+      end
+    end
+
+  end
+end

data/app/models/ucb_rails_user/user_uc_path_service.rb

@@ -0,0 +1,121 @@
+require "faraday"
+
+class UcbRailsUser::UserUcPathService
+
+  class << self
+
+    def create_or_update_user_from_employee_id(employee_id)
+      ucpath_entry = ucpath_client.fetch_employee_data_with_employee_id(employee_id)
+      return nil unless ucpath_entry.present?
+      user = User.find_or_initialize_by(employee_id: employee_id)
+      update_user_record_from_ucpath_entry!(user, ucpath_entry)
+    end
+
+    def create_or_update_user_from_ldap_uid(ldap_uid)
+      ucpath_entry = ucpath_client.fetch_employee_data_with_ldap_uid(ldap_uid)
+      return nil unless ucpath_entry.present?
+      user = User.find_or_initialize_by(ldap_uid: ldap_uid)
+      update_user_record_from_ucpath_entry!(user, ucpath_entry)
+    end
+
+    def ucpath_client
+      UcPathClient.new
+    end
+
+    def update_user_record_from_ucpath_entry!(user, ucpath_entry)
+      user.tap do |u|
+        name_entry = parse_name(ucpath_entry)
+        u.first_name = name_entry["givenName"]
+        u.last_name = name_entry["familyName"]
+        u.employee_id ||= ucpath_entry["identifiers"]&.detect do |id|
+          id["type"] == "hr-employee-id"
+        end&.fetch("id")
+        u.ldap_uid ||= ucpath_entry["identifiers"]&.detect do |id|
+          id["type"] == "campus-uid"
+        end&.fetch("id")
+        u.email = parse_email(ucpath_entry)
+        u.inactive_flag = false # any way to pull this from the API?
+        u.save!
+      end
+    end
+
+    def parse_name(entry)
+      return nil unless entry.present?
+      find_name_by_type(entry["names"], "PRF") ||
+        find_name_by_type(entry["names"], "PRI")
+    end
+
+    def find_name_by_type(names, type)
+      names&.detect do |n|
+        n.dig("type", "code") == type
+      end
+    end
+
+    def parse_email(entry)
+      email_entry =
+        entry["emails"]&.detect do |email|
+          email["primary"] == true
+        end
+      email_entry ||= entry["emails"]&.first # if there's no primary email, grab whatever we can
+      email_entry&.fetch("emailAddress")
+    end
+
+  end
+
+  class UcPathClient
+    attr_reader :app_id, :app_key, :endpoint
+
+    def initialize
+      base_credentials =
+        Rails.application.credentials.ucpath&.with_indifferent_access ||
+        Rails.application.credentials.hcm&.with_indifferent_access ||
+        Rails.application.credentials.fetch(:"ucb-hcm", {})&.with_indifferent_access
+      env_credentials = base_credentials&.fetch(Rails.env, {})
+      @app_id  = env_credentials&.fetch(:app_id, nil) || base_credentials&.fetch(:app_id, nil)
+      @app_key = env_credentials&.fetch(:app_key, nil) || base_credentials&.fetch(:app_key, nil)
+      @endpoint = env_credentials&.fetch(:endpoint, nil) || base_credentials&.fetch(:endpoint, nil)
+    end
+
+    def fetch_employee_data_with_ldap_uid(ldap_uid)
+      fetch_employee_data(ldap_uid, "campus-uid")
+    end
+
+    def fetch_employee_data_with_employee_id(employee_id)
+      fetch_employee_data(employee_id, "hr-employee-id")
+    end
+
+    def fetch_employee_data(id, id_type)
+      if [app_id, app_key, endpoint].any?(&:blank?)
+        Rails.logger.warn missing_api_values_message
+        return nil
+      end
+      response =
+        Faraday.get("#{endpoint}/employees/#{id}") do |req|
+          req.params["id-type"] = id_type
+          req.headers["Accept"] = "application/json"
+          req.headers["app_id"] = app_id
+          req.headers["app_key"] = app_key
+        end
+      parse_response(response)&.first
+    end
+
+    private
+
+    def parse_response(response)
+      return nil if !response.success? || response.body.empty?
+      JSON.parse(response.body)&.fetch("response")
+    end
+
+    def missing_api_values_message
+      <<~END_MSG.strip
+        It looks like you're trying to use the preferred user name feature of
+        ucb_rails_user, but the host app has not provided all of the expected
+        credentials to access the UCPath API.
+        To resolve this, add an "hcm" section to the Rails credentials file of
+        the host app, and provide values for app_id, app_key, and endpoint.
+      END_MSG
+    end
+  end
+
+end
+

data/app/views/ucb_rails_user/users/index.html.haml

@@ -2,7 +2,7 @@
   %h1
     Users
 
-.table-responsive
+.table-responsive.ucb-rails-users-table-wrapper
   %table.table.table-striped.table-bordered.table-hover.ucb-rails-users-table
     %thead
       %tr

data/lib/ucb_rails_user/version.rb

@@ -1,3 +1,3 @@
 module UcbRailsUser
-  VERSION = '4.0.7'
+  VERSION = '4.1.1'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ucb_rails_user
 version: !ruby/object:Gem::Version
-  version: 4.0.7
+  version: 4.1.1
 platform: ruby
 authors:
 - Steve Downey
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-07-14 00:00:00.000000000 Z
+date: 2022-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -19,14 +19,34 @@ dependencies:
     requirements:
     - - ">"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '5.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '5.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: sprockets-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: haml
   requirement: !ruby/object:Gem::Requirement
@@ -87,16 +107,22 @@ dependencies:
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-cas
   requirement: !ruby/object:Gem::Requirement
@@ -126,53 +152,61 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: puma
+  name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.3'
-  type: :development
+        version: '1.0'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.3'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: puma
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '5.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
-    - - "<"
+        version: '5.6'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: factory_bot_rails
   requirement: !ruby/object:Gem::Requirement
@@ -308,8 +342,10 @@ files:
 - app/models/ucb_rails_user/user_session_manager/base.rb
 - app/models/ucb_rails_user/user_session_manager/in_people_ou.rb
 - app/models/ucb_rails_user/user_session_manager/in_people_ou_add_to_users_table.rb
+- app/models/ucb_rails_user/user_session_manager/in_uc_path_add_to_users_table.rb
 - app/models/ucb_rails_user/user_session_manager/ldap_person_user_wrapper.rb
 - app/models/ucb_rails_user/user_session_manager/test_session_manager.rb
+- app/models/ucb_rails_user/user_uc_path_service.rb
 - app/models/user.rb
 - app/views/ucb_rails_user/home/logged_in.html.haml
 - app/views/ucb_rails_user/home/not_logged_in.html.haml
@@ -356,7 +392,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Rails engine for UCB user accounts