verikloak-pundit 0.1.1 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9062ddd03a6b118971608756c82d1299dc4b509d7219d289aefbeaf381c8e49e
-  data.tar.gz: f2c2a0e9a236c454aabd9316b04ee6e1e98860f6d2db3d8e3863fb826d92a29f
+  metadata.gz: 59ac975927d056e25dc3c468292b45622d0e5646c508fa0038c3df03158125e7
+  data.tar.gz: 15fbc3548ed4670ecbdc11ea11e39bb279a11bad273b8202209739842de7f3d8
 SHA512:
-  metadata.gz: b2a830375513deb2e8d4b350ffb7960fb95a6c58d5b45af7c519b45cd6086ffd21230af26a89921fca57528e48275e4bf4be59d96a2c45794a11d262c7fe80c3
-  data.tar.gz: deebae419df84ced4bb9ff0a9181847155db0adeb08f6b8cfb8319c6b2f50cd99cbd8e2dc2fa89417d15f2ab198c8e262503be630ab9ec3daf1ca58c5de7aeef
+  metadata.gz: a50e8038e0e72719bce60eeeebd3d6e028bd93b86ab59b25667d06857e9767e781831ad15d92687999223861221fd5d4c9db207922bf91cac7d377a5bf002ec9
+  data.tar.gz: cba11eb87bf8d77e6f265007b721c6ff1d672f21d5c245a6a9aa458e481b1c2ac4c52354ad9c04737bb41cf8506e644a842043f4f2f1fe15c200b3da7f3204dd

data/CHANGELOG.md

@@ -7,6 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.2.1] - 2025-09-22
+
+### Added
+- `Verikloak::Pundit.reset!` helper to restore default configuration, easing test teardown.
+- `Verikloak::Pundit::Delegations` shared module consolidating role and permission helper methods.
+- `Verikloak::Pundit::ClaimUtils` for consistent claim normalization across entry points.
+
+### Changed
+- `UserContext` memoizes role lookups and caches mapped permissions to reduce repeated work inside policies.
+- `UserContext` now normalizes inputs via `ClaimUtils` and supports symbolized permission comparison for mixed role map values.
+- Configuration duplication derives from a unified `deep_dup`, ensuring hash keys are copied and nested structures remain isolated.
+- README documents the new delegations module, configuration reset helper, and deprecation guidance.
+
+## [0.2.0] - 2025-09-21
+
+### Added
+- Allow `permission_role_scope = :all_resources` to respect the new
+  `permission_resource_clients` whitelist so only approved clients contribute
+  to permission checks.
+- Document verikloak-bff and verikloak-audience integration patterns,
+  including `env_claims_key` examples and role naming guidance.
+
+### Changed
+- `UserContext` now snapshots the configuration at initialization to keep
+  behavior consistent even if `Verikloak::Pundit.configure` runs mid-request.
+- Bump the minimum `verikloak` runtime dependency to `>= 0.1.5` to pick up
+  client whitelist support.
+
 ## [0.1.1] - 2025-09-20
 
 ### Added

data/README.md

@@ -14,7 +14,7 @@ Pundit integration for the **Verikloak** family. This gem maps **Keycloak roles*
 ## Features
 
 - **UserContext**: lightweight wrapper around JWT claims
-- **Helpers**: `has_role?`, `in_group?`, `resource_role?(client, role)`
+- **Delegations**: `has_role?`, `in_group?`, `resource_role?(client, role)` helpers for controllers and policies
 - **RoleMapper**: optional map from Keycloak roles → domain permissions
 - **Controller integration**: `pundit_user` provider for Rails controllers
 - **Generator**: `rails g verikloak:pundit:install` creates initializer + policy template (with `has_permission?` support for realm roles plus the configured resource scope)
@@ -89,12 +89,35 @@ Verikloak::Pundit.configure do |c|
   #                         (enabling this broadens permissions to every resource client;
   #                          review the upstream role assignments before turning it on)
   c.permission_role_scope = :default_resource
+  # Optional whitelist of resource clients when `permission_role_scope = :all_resources`.
+  # Leaving this as nil keeps the legacy "all clients" behavior, while providing
+  # an explicit list (e.g., %w[rails-api verikloak-bff]) limits which clients can
+  # contribute roles to permission checks.
+  c.permission_resource_clients = nil
 
   # Expose `verikloak_claims` to views via helper_method (Rails only)
   c.expose_helper_method = true
 end
 ```
 
+### Working with other Verikloak gems
+
+- **verikloak-bff**: When your Rails application sits behind the BFF, the access
+  token presented to verikloak-pundit typically originates from the BFF
+  (e.g. via the `x-verikloak-user` header). Make sure your Rack stack stores the
+  decoded claims under the same `env_claims_key` configured above (the default
+  `"verikloak.user"` works out of the box with `verikloak-bff >= 0.3`). If the
+  BFF issues tokens for multiple downstream services, set
+  `permission_resource_clients` to the limited list of clients whose roles should
+  affect Rails-side authorization to avoid accidentally inheriting permissions
+  meant for other services.
+- **verikloak-audience**: Audience services often mint resource roles with a
+  service-specific prefix (for example, `audience-service:editor`). Align your
+  `role_map` keys with that naming convention so `user.has_permission?` resolves
+  correctly. If Audience adds its own client entry inside `resource_access`, add
+  that client id to `permission_resource_clients` when you need to consume those
+  roles from Rails.
+
 ## Non-Rails / custom usage
 
 ```ruby
@@ -117,6 +140,14 @@ docker compose run --rm dev rspec
 docker compose run --rm dev rubocop -a
 ```
 
+When writing specs, call `Verikloak::Pundit.reset!` in your test teardown to ensure configuration changes do not leak between examples:
+
+```ruby
+RSpec.configure do |config|
+  config.after { Verikloak::Pundit.reset! }
+end
+```
+
 An additional integration check exercises the gem together with the latest `verikloak` and `verikloak-rails` releases. This runs in CI automatically, and you can execute it locally with:
 
 ```bash
@@ -142,6 +173,10 @@ If you find a security vulnerability, please follow the instructions in [SECURIT
 
 ### Operational guidance
 - Enabling `permission_role_scope = :all_resources` pulls roles from every Keycloak client in `resource_access`. Review the granted roles carefully to ensure you are not expanding permissions beyond what the application expects.
+- Combine `permission_role_scope = :all_resources` with `permission_resource_clients`
+  to explicitly opt-in the clients that may contribute permissions. Leaving the
+  whitelist blank (the default) reverts to the legacy behavior of trusting
+  every client in the token.
 - Leaving `expose_helper_method = true` exposes `verikloak_claims` to the Rails view layer. If the claims include personal or sensitive data, consider switching it to `false` and pass only the minimum required information through controller-provided helpers.
 
 ## License

data/lib/generators/verikloak/pundit/install/install_generator.rb

@@ -11,7 +11,6 @@ module Verikloak
         desc 'Creates Verikloak Pundit initializer and a base ApplicationPolicy (optional).'
 
         # Skip creating application_policy.rb
-        # @return [Boolean]
         class_option :skip_policy, type: :boolean, default: false, desc: 'Do not create application_policy.rb'
 
         # Create the initializer file under config/initializers.

data/lib/verikloak/pundit/claim_utils.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Helpers for coercing incoming claims payloads into safe Hashes.
+    module ClaimUtils
+      module_function
+
+      # Normalize incoming claims to a Hash to guard against odd payload types.
+      #
+      # @param claims [Object]
+      # @return [Hash]
+      def normalize(claims)
+        return {} if claims.nil?
+        return claims if claims.is_a?(Hash)
+
+        if claims.respond_to?(:to_hash)
+          coerced = claims.to_hash
+          return coerced if coerced.is_a?(Hash)
+        end
+
+        {}
+      rescue StandardError
+        {}
+      end
+    end
+  end
+end

data/lib/verikloak/pundit/configuration.rb

@@ -16,12 +16,16 @@ module Verikloak
     #   @return [Array<String,Proc>] path inside JWT claims to reach resource roles
     # @!attribute permission_role_scope
     #   @return [Symbol] :default_resource or :all_resources for permission mapping scope
+    # @!attribute permission_resource_clients
+    #   @return [Array<String>, nil] list of resource clients allowed when
+    #     {#permission_role_scope} is `:all_resources`. `nil` permits every client.
     # @!attribute expose_helper_method
     #   @return [Boolean] whether to register `verikloak_claims` as a Rails helper method
     class Configuration
       attr_accessor :resource_client, :role_map, :env_claims_key,
                     :realm_roles_path, :resource_roles_path,
-                    :permission_role_scope, :expose_helper_method
+                    :permission_role_scope, :permission_resource_clients,
+                    :expose_helper_method
 
       # Build a new configuration, optionally copying values from another
       # configuration so callers can mutate a safe duplicate.
@@ -64,6 +68,7 @@ module Verikloak
         @role_map = dup_hash(@role_map).freeze
         @realm_roles_path = dup_array(@realm_roles_path).freeze
         @resource_roles_path = dup_array(@resource_roles_path).freeze
+        @permission_resource_clients = freeze_permission_clients(@permission_resource_clients)
         @expose_helper_method = !@expose_helper_method.nil? && @expose_helper_method
         freeze
       end
@@ -81,6 +86,7 @@ module Verikloak
         # rubocop:enable Style/SymbolProc
         # :default_resource (realm + default client), :all_resources (realm + all clients)
         @permission_role_scope = :default_resource
+        @permission_resource_clients = nil
         @expose_helper_method = true
       end
 
@@ -95,6 +101,7 @@ module Verikloak
         @realm_roles_path = dup_array(other.realm_roles_path)
         @resource_roles_path = dup_array(other.resource_roles_path)
         @permission_role_scope = other.permission_role_scope
+        @permission_resource_clients = dup_array(other.permission_resource_clients)
         @expose_helper_method = other.expose_helper_method
       end
 
@@ -108,29 +115,33 @@ module Verikloak
         dup_string(value).freeze
       end
 
-      # Recursively duplicate a hash, cloning nested structures so the copy can
-      # be mutated safely.
+      # Deep duplicate any object, handling nested structures recursively.
+      #
+      # @param value [Object] The value to duplicate
+      # @return [Object] A deep copy of the value
+      def deep_dup(value)
+        case value
+        when nil
+          nil
+        when Hash
+          value.each_with_object({}) do |(key, element), copy|
+            copy[deep_dup(key)] = deep_dup(element)
+          end
+        when Array
+          value.map { |element| deep_dup(element) }
+        when String
+          value.dup
+        else
+          duplicable?(value) ? value.dup : value
+        end
+      end
+
+      # Duplicate a hash using deep duplication.
       #
       # @param value [Hash, nil]
       # @return [Hash, nil]
       def dup_hash(value)
-        return nil if value.nil?
-
-        copy = value.dup
-        copy.each do |key, element|
-          copy[key] =
-            case element
-            when Hash
-              dup_hash(element)
-            when Array
-              dup_array(element)
-            when String
-              dup_string(element)
-            else
-              duplicable?(element) ? element.dup : element
-            end
-        end
-        copy
+        deep_dup(value)
       end
 
       # Duplicate a string guardingly, returning `nil` when no value is present.
@@ -138,33 +149,15 @@ module Verikloak
       # @param value [String, nil]
       # @return [String, nil]
       def dup_string(value)
-        return nil if value.nil?
-
-        value.dup
+        deep_dup(value)
       end
 
-      # Recursively duplicate an array while copying nested structures.
+      # Duplicate an array using deep duplication.
       #
       # @param value [Array, nil]
       # @return [Array, nil]
       def dup_array(value)
-        return nil if value.nil?
-
-        copy = value.dup
-        return copy unless copy.respond_to?(:map)
-
-        copy.map do |element|
-          case element
-          when Hash
-            dup_hash(element)
-          when Array
-            dup_array(element)
-          when String
-            dup_string(element)
-          else
-            duplicable?(element) ? element.dup : element
-          end
-        end
+        deep_dup(value)
       end
 
       # Check whether a value can be safely duplicated using `dup`.
@@ -178,6 +171,17 @@ module Verikloak
 
         value.respond_to?(:dup)
       end
+
+      # Normalize and freeze the configured permission clients list.
+      #
+      # @param value [Array<String, Symbol>, nil]
+      # @return [Array<String>, nil]
+      def freeze_permission_clients(value)
+        array = dup_array(value)
+        return nil if array.nil?
+
+        array.compact.map(&:to_s).uniq.freeze
+      end
     end
   end
 end

data/lib/verikloak/pundit/delegations.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module Pundit
+    # Shared role/permission delegations to expose consistent helpers.
+    module Delegations
+      # Check whether the user has a realm role.
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def has_role?(role) = user.has_role?(role) # rubocop:disable Naming/PredicatePrefix
+
+      # Check whether the user belongs to a group (alias to role).
+      # @param group [String, Symbol]
+      # @return [Boolean]
+      def in_group?(group) = user.in_group?(group)
+
+      # Check whether the user has a role for a specific resource client.
+      # @param client [String, Symbol]
+      # @param role [String, Symbol]
+      # @return [Boolean]
+      def resource_role?(client, role) = user.resource_role?(client, role)
+
+      # Check whether the user has a mapped permission.
+      # @param perm [String, Symbol]
+      # @return [Boolean]
+      def has_permission?(perm) = user.has_permission?(perm) # rubocop:disable Naming/PredicatePrefix
+    end
+  end
+end

data/lib/verikloak/pundit/helpers.rb

@@ -3,27 +3,21 @@
 module Verikloak
   module Pundit
     # Helpers expose convenient delegations to the policy `user`.
+    #
+    # @deprecated Use {Delegations} directly instead. This module will be removed in v1.0.0.
     module Helpers
-      # Check whether the user has a realm role.
-      # @param role [String, Symbol]
-      # @return [Boolean]
-      def has_role?(role) = user.has_role?(role) # rubocop:disable Naming/PredicatePrefix
+      include Delegations
 
-      # Check whether the user belongs to a group (alias to role).
-      # @param group [String, Symbol]
-      # @return [Boolean]
-      def in_group?(group) = user.in_group?(group)
-
-      # Check whether the user has a role for a specific resource client.
-      # @param client [String, Symbol]
-      # @param role [String, Symbol]
-      # @return [Boolean]
-      def resource_role?(client, role) = user.resource_role?(client, role)
-
-      # Check whether the user has a mapped permission.
-      # @param perm [String, Symbol]
-      # @return [Boolean]
-      def has_permission?(perm) = user.has_permission?(perm) # rubocop:disable Naming/PredicatePrefix
+      # Warn consumers when the deprecated helper module is included.
+      #
+      # @param base [Module] module or class including this helper
+      # @return [void]
+      def self.included(base)
+        warn '[DEPRECATED] Verikloak::Pundit::Helpers is deprecated. ' \
+             'Include Verikloak::Pundit::Delegations directly instead. ' \
+             'This will be removed in v1.0.0.'
+        super
+      end
     end
   end
 end

data/lib/verikloak/pundit/policy.rb

@@ -3,34 +3,25 @@
 module Verikloak
   module Pundit
     # Policy mixin to delegate common helpers to the `user` context.
+    #
+    # @deprecated Use {Delegations} directly instead. This module will be removed in v1.0.0.
     module Policy
+      # Warn consumers when the deprecated policy mixin is included.
+      #
+      # @param base [Module] module or class including this policy mixin
+      # @return [void]
       def self.included(base)
+        warn '[DEPRECATED] Verikloak::Pundit::Policy is deprecated. ' \
+             'Include Verikloak::Pundit::Delegations directly instead. ' \
+             'This will be removed in v1.0.0.'
         base.extend(ClassMethods)
+        super
       end
 
       # Placeholder for future class-level helpers
       module ClassMethods; end
 
-      # Check whether the user has a realm role.
-      # @param role [String, Symbol]
-      # @return [Boolean]
-      def has_role?(role) = user.has_role?(role) # rubocop:disable Naming/PredicatePrefix
-
-      # Check whether the user belongs to a group (alias to role).
-      # @param group [String, Symbol]
-      # @return [Boolean]
-      def in_group?(group) = user.in_group?(group)
-
-      # Check whether the user has a role for a specific resource client.
-      # @param client [String, Symbol]
-      # @param role [String, Symbol]
-      # @return [Boolean]
-      def resource_role?(client, role) = user.resource_role?(client, role)
-
-      # Check whether the user has a mapped permission.
-      # @param perm [String, Symbol]
-      # @return [Boolean]
-      def has_permission?(perm) = user.has_permission?(perm) # rubocop:disable Naming/PredicatePrefix
+      include Delegations
     end
   end
 end

data/lib/verikloak/pundit/user_context.rb

@@ -1,37 +1,50 @@
 # frozen_string_literal: true
 
+require 'set'
+
 module Verikloak
   module Pundit
     # Lightweight wrapper around Keycloak claims for Pundit policies.
     class UserContext
-      attr_reader :claims, :resource_client
+      # JWT claim keys used internally
+      CLAIM_SUB = 'sub'
+      CLAIM_EMAIL = 'email'
+      CLAIM_PREFERRED_USERNAME = 'preferred_username'
+      CLAIM_RESOURCE_ACCESS = 'resource_access'
+      CLAIM_ROLES = 'roles'
+
+      attr_reader :claims, :resource_client, :config
 
       # Create a new user context from JWT claims.
       #
       # @param claims [Hash] JWT claims issued by Keycloak
       # @param resource_client [String] default resource client name for resource roles
-      def initialize(claims, resource_client: Verikloak::Pundit.config.resource_client)
-        @claims = claims || {}
-        @resource_client = resource_client.to_s
+      # @param config [Verikloak::Pundit::Configuration] configuration snapshot to use
+      def initialize(claims, resource_client: nil, config: nil)
+        @config = config || Verikloak::Pundit.config
+        @claims = ClaimUtils.normalize(claims)
+        @resource_client = (resource_client || @config.resource_client).to_s
       end
 
       # Subject identifier from claims.
       # @return [String, nil]
       def sub
-        claims['sub']
+        claims[CLAIM_SUB]
       end
 
       # Email or preferred username from claims.
       # @return [String, nil]
       def email
-        claims['email'] || claims['preferred_username']
+        claims[CLAIM_EMAIL] || claims[CLAIM_PREFERRED_USERNAME]
       end
 
       # Realm-level roles from claims based on configuration path.
       # @return [Array<String>]
       def realm_roles
-        path = resolve_path(Verikloak::Pundit.config.realm_roles_path)
-        Array(claims.dig(*path))
+        @realm_roles ||= begin
+          path = resolve_path(config.realm_roles_path)
+          Array(claims.dig(*path)).map(&:to_s).uniq.freeze
+        end
       end
 
       # Resource-level roles for a given client from claims based on configuration path.
@@ -40,8 +53,10 @@ module Verikloak
       # @return [Array<String>]
       def resource_roles(client = resource_client)
         client = client.to_s
-        path = resolve_path(Verikloak::Pundit.config.resource_roles_path, client: client)
-        Array(claims.dig(*path))
+        (@resource_roles_cache ||= {})[client] ||= begin
+          path = resolve_path(config.resource_roles_path, client: client)
+          Array(claims.dig(*path)).map(&:to_s).uniq.freeze
+        end
       end
 
       # Check whether the user has a realm role.
@@ -49,8 +64,7 @@ module Verikloak
       # @param role [String, Symbol]
       # @return [Boolean]
       def has_role?(role) # rubocop:disable Naming/PredicatePrefix
-        r = role.to_s
-        realm_roles.include?(r)
+        realm_roles.include?(role.to_s)
       end
 
       # Alias to has_role? to align with group-based naming.
@@ -67,9 +81,7 @@ module Verikloak
       # @param role [String, Symbol]
       # @return [Boolean]
       def resource_role?(client, role)
-        client = client.to_s
-        r = role.to_s
-        resource_roles(client).include?(r)
+        resource_roles(client).include?(role.to_s)
       end
 
       # Check whether the user has a mapped permission.
@@ -80,10 +92,7 @@ module Verikloak
       # @param perm [String, Symbol] permission to check
       # @return [Boolean]
       def has_permission?(perm) # rubocop:disable Naming/PredicatePrefix
-        pr = perm.to_sym
-        roles = realm_roles + resource_roles_scope
-        mapped = roles.map { |r| RoleMapper.map(r, Verikloak::Pundit.config) }
-        mapped.map(&:to_sym).include?(pr)
+        permission_set.include?(normalize_to_symbol(perm))
       end
 
       # Build a user context from Rack env using configured claims key.
@@ -91,8 +100,9 @@ module Verikloak
       # @param env [Hash] Rack environment
       # @return [UserContext]
       def self.from_env(env)
-        claims = env[Verikloak::Pundit.config.env_claims_key]
-        new(claims)
+        config = Verikloak::Pundit.config
+        claims = env&.fetch(config.env_claims_key, nil)
+        new(claims, config: config)
       end
 
       private
@@ -108,9 +118,9 @@ module Verikloak
           when Proc
             # Support lambdas that accept (config) or (config, client)
             if seg.arity >= 2
-              seg.call(Verikloak::Pundit.config, client).to_s
+              seg.call(config, client).to_s
             else
-              seg.call(Verikloak::Pundit.config).to_s
+              seg.call(config).to_s
             end
           else
             seg.to_s
@@ -121,7 +131,7 @@ module Verikloak
       # Resolve resource roles based on configured permission scope.
       # @return [Array<String>]
       def resource_roles_scope
-        case Verikloak::Pundit.config.permission_role_scope&.to_sym
+        case config.permission_role_scope&.to_sym
         when :all_resources
           resource_roles_all_clients
         else
@@ -132,12 +142,76 @@ module Verikloak
       # Collect resource roles from all clients under resource_access.
       # @return [Array<String>]
       def resource_roles_all_clients
-        access = claims['resource_access']
-        return [] unless access.is_a?(Hash)
+        @resource_roles_all_clients ||= begin
+          access = claims[CLAIM_RESOURCE_ACCESS]
+          if access.is_a?(Hash)
+            roles = access.each_with_object([]) do |(client_id, entry), acc|
+              next unless permission_client_allowed?(client_id)
+
+              acc.concat(Array(entry[CLAIM_ROLES]))
+            end
+            roles.map(&:to_s).uniq.freeze
+          else
+            [].freeze
+          end
+        end
+      end
+
+      # Check whether the given client is allowed for permission scope.
+      #
+      # @param client_id [String]
+      # @return [Boolean]
+      def permission_client_allowed?(client_id)
+        whitelist = config.permission_resource_clients
+        return true if whitelist.nil?
 
-        # Bypass configured path lambda (which targets the default client)
-        # and gather roles from all clients explicitly.
-        access.values.flat_map { |entry| Array(entry['roles']) }
+        whitelist.include?(client_id.to_s)
+      end
+
+      # Cached permission lookup set combining realm and configured resource scopes.
+      # @return [Set<Symbol>]
+      def permission_set
+        @permission_set ||= build_permission_set.freeze
+      end
+
+      # Build the permission set from roles and role mappings.
+      # @return [Set<Symbol>]
+      def build_permission_set
+        roles = realm_roles + resource_roles_scope
+        permissions = Set.new
+
+        roles.each do |role|
+          mapped_permission = RoleMapper.map(role, config)
+          symbol_permission = normalize_to_symbol(mapped_permission)
+          permissions << symbol_permission if symbol_permission
+        end
+
+        permissions
+      end
+
+      # Normalize a value to a symbol, handling various types safely.
+      # @param value [Object] The value to convert to a symbol
+      # @return [Symbol, nil] The symbol representation, or nil if not convertible
+      def normalize_to_symbol(value)
+        case value
+        when Symbol
+          value
+        when String
+          return nil if value.empty?
+
+          value.to_sym
+        else
+          if value.respond_to?(:to_sym)
+            value.to_sym
+          elsif value.respond_to?(:to_s)
+            text = value.to_s
+            return nil if text.empty?
+
+            text.to_sym
+          end
+        end
+      rescue StandardError
+        nil
       end
     end
   end

data/lib/verikloak/pundit/version.rb

@@ -5,6 +5,6 @@ module Verikloak
     # Gem version for verikloak-pundit.
     #
     # @return [String]
-    VERSION = '0.1.1'
+    VERSION = '0.2.1'
   end
 end

data/lib/verikloak/pundit.rb

@@ -4,6 +4,8 @@
 require_relative 'pundit/version'
 require_relative 'pundit/configuration'
 require_relative 'pundit/role_mapper'
+require_relative 'pundit/delegations'
+require_relative 'pundit/claim_utils'
 require_relative 'pundit/user_context'
 require_relative 'pundit/helpers'
 require_relative 'pundit/controller'
@@ -38,6 +40,15 @@ module Verikloak
         end
       end
 
+      # Reset configuration to defaults. Useful for test suites.
+      #
+      # @return [void]
+      def reset!
+        config_mutex.synchronize do
+          @config = nil
+        end
+      end
+
       private
 
       # Mutex protecting configuration reads/writes to maintain thread safety.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-pundit
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.1
 platform: ruby
 authors:
 - taiyaky
@@ -49,20 +49,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: 1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: 1.0.0
 description: Maps Keycloak JWT roles to a Pundit-friendly UserContext with helpers
   and a Rails generator.
 executables: []
@@ -77,8 +77,10 @@ files:
 - lib/generators/verikloak/pundit/install/templates/initializer.rb
 - lib/verikloak-pundit.rb
 - lib/verikloak/pundit.rb
+- lib/verikloak/pundit/claim_utils.rb
 - lib/verikloak/pundit/configuration.rb
 - lib/verikloak/pundit/controller.rb
+- lib/verikloak/pundit/delegations.rb
 - lib/verikloak/pundit/helpers.rb
 - lib/verikloak/pundit/policy.rb
 - lib/verikloak/pundit/railtie.rb
@@ -92,7 +94,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-pundit
   changelog_uri: https://github.com/taiyaky/verikloak-pundit/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-pundit/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-pundit/0.1.1
+  documentation_uri: https://rubydoc.info/gems/verikloak-pundit/0.2.1
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: