verikloak-pundit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6ece87ad9829b8123230d55d270c57bf399c3b16a5c8d38e7e89e3c2e31a3f63
+  data.tar.gz: 511d923d115ebe33105099ab61b0390e46288e013ecca8a455c9b896abf9d5e7
+SHA512:
+  metadata.gz: acf8d7d1a12e3b12ce152deb35c4c506adbb6a9002cbc30aa9293ed8c5577c838692795c27edc332802db689a5af9ae55dcf6e9b06abd18f8b3cf77e06f1a331
+  data.tar.gz: 9a514dcdd539c3a9e1ef7abbcfb858df7a8899ecb71985972b8a9199d2153efd434f06e3cbb798daf5ea9a990c7e41b750f189dbf01b0149208ead90b0f39072

data/CHANGELOG.md

@@ -0,0 +1,16 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [0.1.0] - 2025-09-20
+
+### Added
+- Initial public release of `verikloak-pundit`.
+- `Verikloak::Pundit::UserContext` for working with Keycloak JWT claims.
+- Rails controller helpers and generator for installing the initializer and base `ApplicationPolicy`.
+- Role mapping configuration (`role_map`, `realm_roles_path`, `resource_roles_path`, `permission_role_scope`).

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2025 taiyaky
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,135 @@
+# verikloak-pundit
+
+[![CI](https://github.com/taiyaky/verikloak-pundit/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/taiyaky/verikloak-pundit/actions/workflows/ci.yml)
+[![Gem Version](https://img.shields.io/gem/v/verikloak-pundit)](https://rubygems.org/gems/verikloak-pundit)
+![Ruby Version](https://img.shields.io/badge/ruby-%3E%3D%203.1-blue)
+[![Downloads](https://img.shields.io/gem/dt/verikloak-pundit)](https://rubygems.org/gems/verikloak-pundit)
+
+Pundit integration for the **Verikloak** family. This gem maps **Keycloak roles** from JWT claims (e.g., `realm_access.roles`, `resource_access[client].roles`) into a convenient **UserContext** that Pundit policies can consume.
+
+- Requires [`verikloak`](https://rubygems.org/gems/verikloak) at runtime and pairs well with [`verikloak-rails`](https://rubygems.org/gems/verikloak-rails) for Rails integrations.
+- Provides a `pundit_user` hook so policies can use `user.has_role?(:admin)` etc.
+- Keeps role mapping **configurable** (project-specific mappings differ).
+
+
+
+## Features
+
+- **UserContext**: lightweight wrapper around JWT claims
+- **Helpers**: `has_role?`, `in_group?`, `resource_role?(client, role)`
+- **RoleMapper**: optional map from Keycloak roles → domain permissions
+- **Controller integration**: `pundit_user` provider for Rails controllers
+- **Generator**: `rails g verikloak:pundit:install` creates initializer + policy template (with `has_permission?` support for realm roles plus the configured resource scope)
+
+## Installation
+
+```bash
+bundle add verikloak-pundit
+```
+
+If you're on Rails:
+
+```bash
+rails g verikloak:pundit:install
+```
+
+This generates:
+
+- `config/initializers/verikloak_pundit.rb`
+- `app/policies/application_policy.rb` (template if missing; optional)
+
+For error-handling guidance, see [ERRORS.md](ERRORS.md).
+
+## Quick Start (Rails)
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::API
+  include Pundit
+  include Verikloak::Pundit::Controller  # provides pundit_user
+
+  # If you're also using verikloak-rails:
+  # before_action :authenticate_user!
+end
+```
+
+Your policy can then do:
+
+```ruby
+class NotePolicy < ApplicationPolicy
+  def update?
+    user.has_role?(:admin) || user.resource_role?(:'rails-api', :editor)
+  end
+end
+```
+
+Where `user` is the **UserContext** provided by `pundit_user`.
+
+## Configuration
+
+```ruby
+# config/initializers/verikloak_pundit.rb
+Verikloak::Pundit.configure do |c|
+  c.resource_client = "rails-api"   # default client for resource roles
+  c.role_map = {                    # optional role → permission mapping
+    admin:  :manage_all,
+    editor: :write_notes,
+    reader: :read_notes
+  }
+  # Where to find claims in Rack env (when using verikloak/verikloak-rails)
+  c.env_claims_key = "verikloak.user"
+
+  # How to traverse JWT for roles
+  c.realm_roles_path    = %w[realm_access roles]                      # => claims["realm_access"]["roles"]
+  # Lambdas in the path may accept (cfg) or (cfg, client)
+  # where `client` is the argument passed to `user.resource_roles(client)`
+  c.resource_roles_path = ["resource_access", ->(cfg){ cfg.resource_client }, "roles"]
+
+  # Permission mapping scope for `user.has_permission?`:
+  #   :default_resource => realm roles + default client roles (recommended)
+  #   :all_resources    => realm roles + roles from all clients in resource_access
+  c.permission_role_scope = :default_resource
+end
+```
+
+## Non-Rails / custom usage
+
+```ruby
+claims = { "sub" => "123", "email" => "a@b", "realm_access" => {"roles" => ["admin"]} }
+ctx = Verikloak::Pundit::UserContext.new(claims, resource_client: "rails-api")
+
+ctx.has_role?(:admin)             # => true
+ctx.resource_role?(:"rails-api", :writer) # depends on resource_access
+ctx.has_permission?(:manage_all)  # from role_map, realm or resource roles
+```
+
+## Testing
+All pull requests and pushes are automatically tested with [RSpec](https://rspec.info/) and [RuboCop](https://rubocop.org/) via GitHub Actions.
+See the CI badge at the top for current build status.
+
+To run the test suite locally:
+
+```bash
+docker compose run --rm dev rspec
+docker compose run --rm dev rubocop -a
+```
+
+## Contributing
+Bug reports and pull requests are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details.
+
+## Security
+If you find a security vulnerability, please follow the instructions in [SECURITY.md](SECURITY.md).
+
+## License
+This project is licensed under the [MIT License](LICENSE).
+
+## Publishing (for maintainers)
+Gem release instructions are documented separately in [MAINTAINERS.md](MAINTAINERS.md).
+
+## Changelog
+See [CHANGELOG.md](CHANGELOG.md) for release history.
+
+## References
+- Verikloak (core): https://github.com/taiyaky/verikloak
+- verikloak-rails (Rails integration): https://github.com/taiyaky/verikloak-rails
+- verikloak-pundit on RubyGems: https://rubygems.org/gems/verikloak-pundit

data/lib/generators/verikloak/pundit/install/install_generator.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+
+module Verikloak
+  module Pundit
+    module Generators
+      # Generator to install initializer and base ApplicationPolicy template.
+      class InstallGenerator < ::Rails::Generators::Base
+        source_root File.expand_path('templates', __dir__)
+        desc 'Creates Verikloak Pundit initializer and a base ApplicationPolicy (optional).'
+
+        # Skip creating application_policy.rb
+        # @return [Boolean]
+        class_option :skip_policy, type: :boolean, default: false, desc: 'Do not create application_policy.rb'
+
+        # Create the initializer file under config/initializers.
+        def create_initializer
+          template 'initializer.rb', 'config/initializers/verikloak_pundit.rb'
+        end
+
+        # Create app/policies/application_policy.rb unless present.
+        def create_application_policy
+          return if options[:skip_policy]
+
+          dest = 'app/policies/application_policy.rb'
+          return if File.exist?(dest)
+
+          template 'application_policy.rb', dest
+        end
+      end
+    end
+  end
+end

data/lib/generators/verikloak/pundit/install/templates/application_policy.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+# Base Pundit policy for applications using verikloak-pundit.
+#
+# This class is intended as a starting point. Override per-action
+# predicates (e.g., show?, update?) in your concrete policies.
+class ApplicationPolicy
+  attr_reader :user, :record
+
+  # `user` is a Verikloak::Pundit::UserContext
+  # @param user [Object] Pundit user (UserContext when using verikloak-pundit)
+  # @param record [Object] The resource being authorized
+  def initialize(user, record)
+    @user = user
+    @record = record
+  end
+
+  # @return [Boolean]
+  def index?    = false
+  # @return [Boolean]
+  def show?     = false
+  # @return [Boolean]
+  def create?   = false
+  # @return [Boolean]
+  def new?      = create?
+  # @return [Boolean]
+  def update?   = false
+  # @return [Boolean]
+  def edit?     = update?
+  # @return [Boolean]
+  def destroy?  = false
+
+  # Default scope for application policies.
+  class Scope
+    attr_reader :user, :scope
+
+    # @param user [Object] Pundit user (UserContext)
+    # @param scope [Class,Array] model class or dataset
+    def initialize(user, scope)
+      @user = user
+      @scope = scope
+    end
+
+    # @return [Object] resolved scope
+    def resolve
+      scope.all
+    end
+  end
+end

data/lib/generators/verikloak/pundit/install/templates/initializer.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Verikloak::Pundit initializer
+# Configure how to read roles from Keycloak claims and how to map them
+# into application permissions.
+Verikloak::Pundit.configure do |c|
+  c.resource_client = ENV.fetch('KEYCLOAK_RESOURCE_CLIENT', 'rails-api')
+  c.role_map = {
+    # admin:  :manage_all,
+    # editor: :write_notes,
+    # reader: :read_notes
+  }
+  c.env_claims_key = 'verikloak.user'
+  # claims['realm_access']['roles']
+  c.realm_roles_path    = %w[realm_access roles]
+  # rubocop:disable Style/SymbolProc -- we need a Proc object here, not block pass
+  # claims['resource_access'][resource_client]['roles']
+  c.resource_roles_path = ['resource_access', ->(cfg) { cfg.resource_client }, 'roles']
+  # rubocop:enable Style/SymbolProc
+  # Permission mapping scope:
+  #   :default_resource => realm roles + default client roles (recommended)
+  #   :all_resources    => realm roles + roles from all clients in resource_access
+  c.permission_role_scope = :default_resource
+end

data/lib/verikloak/pundit/configuration.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Runtime configuration for verikloak-pundit.
+    #
+    # @!attribute resource_client
+    #   @return [String] default Keycloak resource client used for resource roles
+    # @!attribute role_map
+    #   @return [Hash{Symbol=>Symbol,String}] mapping from roles to permissions
+    # @!attribute env_claims_key
+    #   @return [String] Rack env key where claims are stored (when using verikloak/verikloak-rails)
+    # @!attribute realm_roles_path
+    #   @return [Array<String,Proc>] path inside JWT claims to reach realm roles
+    # @!attribute resource_roles_path
+    #   @return [Array<String,Proc>] path inside JWT claims to reach resource roles
+    # @!attribute permission_role_scope
+    #   @return [Symbol] :default_resource or :all_resources for permission mapping scope
+    class Configuration
+      attr_accessor :resource_client, :role_map, :env_claims_key,
+                    :realm_roles_path, :resource_roles_path,
+                    :permission_role_scope
+
+      # Initialize default configuration values.
+      def initialize
+        @resource_client   = 'rails-api'
+        @role_map          = {} # e.g., { admin: :manage_all }
+        @env_claims_key    = 'verikloak.user'
+        @realm_roles_path  = %w[realm_access roles]
+        # rubocop:disable Style/SymbolProc -- we need a Proc object here, not block pass
+        @resource_roles_path = ['resource_access', ->(cfg) { cfg.resource_client }, 'roles']
+        # rubocop:enable Style/SymbolProc
+        # :default_resource (realm + default client), :all_resources (realm + all clients)
+        @permission_role_scope = :default_resource
+      end
+    end
+  end
+end

data/lib/verikloak/pundit/controller.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Rails controller mixin providing `pundit_user` and claims accessor.
+    module Controller
+      # Hook used by Rails to include helper methods in views when available.
+      # @param base [Class]
+      def self.included(base)
+        base.helper_method :verikloak_claims if base.respond_to?(:helper_method)
+      end
+
+      # Pundit hook returning the UserContext built from Rack env claims.
+      # @return [UserContext]
+      def pundit_user
+        Verikloak::Pundit::UserContext.from_env(request.env)
+      end
+
+      # Access raw Verikloak claims from Rack env.
+      # @return [Hash, nil]
+      def verikloak_claims
+        request.env[Verikloak::Pundit.config.env_claims_key]
+      end
+    end
+  end
+end

data/lib/verikloak/pundit/helpers.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Helpers expose convenient delegations to the policy `user`.
+    module Helpers
+      # Check whether the user has a realm role.
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def has_role?(role) = user.has_role?(role) # rubocop:disable Naming/PredicatePrefix
+
+      # Check whether the user belongs to a group (alias to role).
+      # @param group [String, Symbol]
+      # @return [Boolean]
+      def in_group?(group) = user.in_group?(group)
+
+      # Check whether the user has a role for a specific resource client.
+      # @param client [String, Symbol]
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def resource_role?(client, role) = user.resource_role?(client, role)
+
+      # Check whether the user has a mapped permission.
+      # @param perm [String, Symbol]
+      # @return [Boolean]
+      def has_permission?(perm) = user.has_permission?(perm) # rubocop:disable Naming/PredicatePrefix
+    end
+  end
+end

data/lib/verikloak/pundit/policy.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Policy mixin to delegate common helpers to the `user` context.
+    module Policy
+      def self.included(base)
+        base.extend(ClassMethods)
+      end
+
+      # Placeholder for future class-level helpers
+      module ClassMethods; end
+
+      # Check whether the user has a realm role.
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def has_role?(role) = user.has_role?(role) # rubocop:disable Naming/PredicatePrefix
+
+      # Check whether the user belongs to a group (alias to role).
+      # @param group [String, Symbol]
+      # @return [Boolean]
+      def in_group?(group) = user.in_group?(group)
+
+      # Check whether the user has a role for a specific resource client.
+      # @param client [String, Symbol]
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def resource_role?(client, role) = user.resource_role?(client, role)
+
+      # Check whether the user has a mapped permission.
+      # @param perm [String, Symbol]
+      # @return [Boolean]
+      def has_permission?(perm) = user.has_permission?(perm) # rubocop:disable Naming/PredicatePrefix
+    end
+  end
+end

data/lib/verikloak/pundit/railtie.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'rails/railtie'
+
+module Verikloak
+  module Pundit
+    # Railtie to auto-include Controller helpers in Rails.
+    class Railtie < ::Rails::Railtie
+      # Include controller helpers into ActionController when it loads.
+      initializer 'verikloak_pundit.controller' do
+        ActiveSupport.on_load(:action_controller) do
+          include Verikloak::Pundit::Controller
+        end
+      end
+    end
+  end
+end

data/lib/verikloak/pundit/role_mapper.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Maps roles to permissions using project configuration.
+    module RoleMapper
+      module_function
+
+      # Map a Keycloak role to a domain permission via configuration.
+      #
+      # @param role [String, Symbol] Role name from JWT claims
+      # @param config [Configuration] Configuration providing the role_map
+      # @return [String, Symbol] Mapped permission (or the role itself if unmapped)
+      def map(role, config)
+        return role unless config.role_map && !config.role_map.empty?
+
+        config.role_map[role.to_sym] || role
+      end
+    end
+  end
+end

data/lib/verikloak/pundit/user_context.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Lightweight wrapper around Keycloak claims for Pundit policies.
+    class UserContext
+      attr_reader :claims, :resource_client
+
+      # Create a new user context from JWT claims.
+      #
+      # @param claims [Hash] JWT claims issued by Keycloak
+      # @param resource_client [String] default resource client name for resource roles
+      def initialize(claims, resource_client: Verikloak::Pundit.config.resource_client)
+        @claims = claims || {}
+        @resource_client = resource_client.to_s
+      end
+
+      # Subject identifier from claims.
+      # @return [String, nil]
+      def sub
+        claims['sub']
+      end
+
+      # Email or preferred username from claims.
+      # @return [String, nil]
+      def email
+        claims['email'] || claims['preferred_username']
+      end
+
+      # Realm-level roles from claims based on configuration path.
+      # @return [Array<String>]
+      def realm_roles
+        path = resolve_path(Verikloak::Pundit.config.realm_roles_path)
+        Array(claims.dig(*path))
+      end
+
+      # Resource-level roles for a given client from claims based on configuration path.
+      #
+      # @param client [String] resource client id (defaults to configured resource_client)
+      # @return [Array<String>]
+      def resource_roles(client = resource_client)
+        client = client.to_s
+        path = resolve_path(Verikloak::Pundit.config.resource_roles_path, client: client)
+        Array(claims.dig(*path))
+      end
+
+      # Check whether the user has a realm role.
+      #
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def has_role?(role) # rubocop:disable Naming/PredicatePrefix
+        r = role.to_s
+        realm_roles.include?(r)
+      end
+
+      # Alias to has_role? to align with group-based naming.
+      #
+      # @param group [String, Symbol]
+      # @return [Boolean]
+      def in_group?(group)
+        has_role?(group)
+      end
+
+      # Check whether the user has a role for a specific resource client.
+      #
+      # @param client [String, Symbol]
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def resource_role?(client, role)
+        client = client.to_s
+        r = role.to_s
+        resource_roles(client).include?(r)
+      end
+
+      # Check whether the user has a mapped permission.
+      #
+      # Uses realm roles and resource roles depending on
+      # {Configuration#permission_role_scope}.
+      #
+      # @param perm [String, Symbol] permission to check
+      # @return [Boolean]
+      def has_permission?(perm) # rubocop:disable Naming/PredicatePrefix
+        pr = perm.to_sym
+        roles = realm_roles + resource_roles_scope
+        mapped = roles.map { |r| RoleMapper.map(r, Verikloak::Pundit.config) }
+        mapped.map(&:to_sym).include?(pr)
+      end
+
+      # Build a user context from Rack env using configured claims key.
+      #
+      # @param env [Hash] Rack environment
+      # @return [UserContext]
+      def self.from_env(env)
+        claims = env[Verikloak::Pundit.config.env_claims_key]
+        new(claims)
+      end
+
+      private
+
+      # Resolve a configured path into concrete dig segments.
+      #
+      # @param path_config [Array<String, Proc>]
+      # @param client [String, nil]
+      # @return [Array<String>]
+      def resolve_path(path_config, client: nil)
+        Array(path_config).map do |seg|
+          case seg
+          when Proc
+            # Support lambdas that accept (config) or (config, client)
+            if seg.arity >= 2
+              seg.call(Verikloak::Pundit.config, client).to_s
+            else
+              seg.call(Verikloak::Pundit.config).to_s
+            end
+          else
+            seg.to_s
+          end
+        end
+      end
+
+      # Resolve resource roles based on configured permission scope.
+      # @return [Array<String>]
+      def resource_roles_scope
+        case Verikloak::Pundit.config.permission_role_scope&.to_sym
+        when :all_resources
+          resource_roles_all_clients
+        else
+          resource_roles
+        end
+      end
+
+      # Collect resource roles from all clients under resource_access.
+      # @return [Array<String>]
+      def resource_roles_all_clients
+        access = claims['resource_access']
+        return [] unless access.is_a?(Hash)
+
+        # Bypass configured path lambda (which targets the default client)
+        # and gather roles from all clients explicitly.
+        access.values.flat_map { |entry| Array(entry['roles']) }
+      end
+    end
+  end
+end

data/lib/verikloak/pundit/version.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Gem version for verikloak-pundit.
+    #
+    # @return [String]
+    VERSION = '0.1.0'
+  end
+end

data/lib/verikloak/pundit.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+# Verikloak::Pundit provides Pundit integration over Keycloak claims.
+require_relative 'pundit/version'
+require_relative 'pundit/configuration'
+require_relative 'pundit/role_mapper'
+require_relative 'pundit/user_context'
+require_relative 'pundit/helpers'
+require_relative 'pundit/controller'
+require_relative 'pundit/policy'
+require_relative 'pundit/railtie' if defined?(Rails::Railtie)
+
+module Verikloak
+  # Pundit integration namespace
+  module Pundit
+    class << self
+      # Configure the library at runtime.
+      #
+      # @yield [Configuration] Yields the configuration instance for mutation.
+      # @return [Configuration] the current configuration after applying changes
+      def configure
+        @config ||= Configuration.new
+        yield @config if block_given?
+        @config
+      end
+
+      # Access the current configuration without mutating it.
+      #
+      # @return [Configuration]
+      def config
+        @config ||= Configuration.new
+      end
+    end
+  end
+end

data/lib/verikloak-pundit.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# Minimal shim to load the namespaced entrypoint.
+#
+# This file preserves compatibility with Bundler's default require
+# (`require 'verikloak-pundit'`) by delegating to the real entrypoint
+# under the namespaced path (`verikloak/pundit`).
+require 'verikloak/pundit'

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: verikloak-pundit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- taiyaky
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pundit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: verikloak
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+description: Maps Keycloak JWT roles to a Pundit-friendly UserContext with helpers
+  and a Rails generator.
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- lib/generators/verikloak/pundit/install/install_generator.rb
+- lib/generators/verikloak/pundit/install/templates/application_policy.rb
+- lib/generators/verikloak/pundit/install/templates/initializer.rb
+- lib/verikloak-pundit.rb
+- lib/verikloak/pundit.rb
+- lib/verikloak/pundit/configuration.rb
+- lib/verikloak/pundit/controller.rb
+- lib/verikloak/pundit/helpers.rb
+- lib/verikloak/pundit/policy.rb
+- lib/verikloak/pundit/railtie.rb
+- lib/verikloak/pundit/role_mapper.rb
+- lib/verikloak/pundit/user_context.rb
+- lib/verikloak/pundit/version.rb
+homepage: https://github.com/taiyaky/verikloak-pundit
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/taiyaky/verikloak-pundit
+  changelog_uri: https://github.com/taiyaky/verikloak-pundit/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/taiyaky/verikloak-pundit/issues
+  documentation_uri: https://rubydoc.info/gems/verikloak-pundit/0.1.0
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Pundit integration for Keycloak roles via Verikloak
+test_files: []