verikloak-pundit 0.2.4 → 0.3.0
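--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8a9cbde30c7f580f43089a171707034fc1d476bdc63cf358ee00a7e2ceffe48c
+data.tar.gz: 4bda6971e321a4a46045523f1dd01a610cb6a95b28e47a01c665d24a38bdaaf8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 26364d453900ef0bd915eedda4567343b65d8e9adfd7c61e02e926c954ad8bcc778042c7432ea4878a8fa1173a7f7eedccd5cea009f384b042044a65fadd53ca
+data.tar.gz: 57494f3d1b8de679d2fb81b3a3ba7eff5d8635cadf0f4ef19110f8bd9d6bc70010629ed7c64b6584524c580e8968041d3c0581cc7d0468f067c13f45e4bdc254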
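--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.3.0] - 2026-01-01
+
+### Fixed
+- **ENV fallback preservation**: `Configuration#dup` now correctly preserves the `nil` state of `resource_client`, allowing ENV fallback to remain dynamic after duplication. Previously, duplicating a config would freeze the resolved ENV value.
+- **Non-hash resource_access entries**: `resource_roles_all_clients` now guards against malformed `resource_access` entries that are not hashes, preventing potential `NoMethodError`.
+
+### Changed
+- **role_map key normalization**: `role_map` keys are now automatically normalized to symbols when set. This allows users to configure with string keys (e.g., from YAML) while maintaining consistent symbol-based lookup in `RoleMapper`.
+- **pundit_user memoization**: `Controller#pundit_user` is now memoized with `@pundit_user ||=` to avoid creating multiple `UserContext` instances per request.
+
+---
+
 ## [0.2.4] - 2026-01-01
 
 ### Added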
|
@@ -22,13 +22,22 @@ module Verikloak
|
|
|
22
22
|
# @!attribute expose_helper_method
|
|
23
23
|
# @return [Boolean] whether to register `verikloak_claims` as a Rails helper method
|
|
24
24
|
class Configuration
|
|
25
|
-
attr_accessor :
|
|
25
|
+
attr_accessor :env_claims_key,
|
|
26
26
|
:realm_roles_path, :resource_roles_path,
|
|
27
27
|
:permission_role_scope, :permission_resource_clients,
|
|
28
28
|
:expose_helper_method
|
|
29
29
|
|
|
30
|
+
attr_reader :role_map
|
|
30
31
|
attr_writer :resource_client
|
|
31
32
|
|
|
33
|
+
# Set the role map, normalizing keys to symbols for consistent lookup.
|
|
34
|
+
#
|
|
35
|
+
# @param value [Hash]
|
|
36
|
+
# @return [void]
|
|
37
|
+
def role_map=(value)
|
|
38
|
+
@role_map = normalize_role_map(value)
|
|
39
|
+
end
|
|
40
|
+
|
|
32
41
|
# Returns the resource client, falling back to ENV['KEYCLOAK_RESOURCE_CLIENT'] if not set.
|
|
33
42
|
#
|
|
34
43
|
# @return [String]
|
|
@@ -99,12 +108,23 @@ module Verikloak
|
|
|
99
108
|
@expose_helper_method = true
|
|
100
109
|
end
|
|
101
110
|
|
|
111
|
+
# Normalize role_map keys to symbols for consistent lookup.
|
|
112
|
+
#
|
|
113
|
+
# @param map [Hash, nil]
|
|
114
|
+
# @return [Hash]
|
|
115
|
+
def normalize_role_map(map)
|
|
116
|
+
return {} unless map.is_a?(Hash)
|
|
117
|
+
|
|
118
|
+
map.transform_keys(&:to_sym)
|
|
119
|
+
end
|
|
120
|
+
|
|
102
121
|
# Copy configuration fields from another instance, duplicating mutable
|
|
103
122
|
# structures so future writes do not leak across instances.
|
|
104
123
|
#
|
|
105
124
|
# @param other [Configuration]
|
|
106
125
|
def initialize_from(other)
|
|
107
|
-
|
|
126
|
+
# Copy the raw instance variable, not the getter, to preserve ENV fallback behavior
|
|
127
|
+
@resource_client = dup_string(other.instance_variable_get(:@resource_client))
|
|
108
128
|
@role_map = dup_hash(other.role_map)
|
|
109
129
|
@env_claims_key = dup_string(other.env_claims_key)
|
|
110
130
|
@realm_roles_path = dup_array(other.realm_roles_path)
|
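Review bot: `normalize_role_map` (second hunk, new lines 115-119) silently turns any non-Hash value into `{}`, so a mistyped `role_map` such as an Array or a YAML scalar leaves the application running with an empty role map instead of a configuration error. For an authorization setting a loud failure is easier to detect: `raise ArgumentError, 'role_map must be a Hash' unless map.nil? || map.is_a?(Hash)` followed by `return {} if map.nil?`. `transform_keys(&:to_sym)` also raises NoMethodError for keys that have no `to_sym` (Integer keys are valid YAML) and lets `'admin'` and `:admin` collapse into one entry with the later value winning, which deserves a line in the doc comment. Because `attr_reader :role_map` returns the stored Hash, an in-place `config.role_map['x'] = ...` still bypasses the normalization unless the hash is frozen somewhere not visible here. The page shows no file header for these two hunks (by content they belong to the `Configuration` class), and `initialize_from` continues past the end of the second hunk.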
|
@@ -14,9 +14,10 @@ module Verikloak
|
|
|
14
14
|
end
|
|
15
15
|
|
|
16
16
|
# Pundit hook returning the UserContext built from Rack env claims.
|
|
17
|
+
# Memoized to avoid creating multiple instances per request.
|
|
17
18
|
# @return [UserContext]
|
|
18
19
|
def pundit_user
|
|
19
|
-
Verikloak::Pundit::UserContext.from_env(request.env)
|
|
20
|
+
@pundit_user ||= Verikloak::Pundit::UserContext.from_env(request.env)
|
|
20
21
|
end
|
|
21
22
|
|
|
22
23
|
# Access raw Verikloak claims from Rack env.
|
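Review bot: The memo in `pundit_user` uses the plain ivar `@pundit_user`, which lives in the namespace of whatever controller includes this module, so an application that assigns `@pundit_user` itself (in a `before_action` or a test) would get its own value back in place of the context built from `request.env`; a namespaced name such as `@_verikloak_pundit_user ||= Verikloak::Pundit::UserContext.from_env(request.env)` avoids the clash. The first call also pins the context for the rest of the request, so a call made before the claims are present in the Rack env keeps that early result; whether that ordering can occur is not visible here, and the doc comment should state the assumption. The page shows no file header for this hunk; by content it is the controller mixin.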
|
@@ -16,7 +16,7 @@ module Verikloak
|
|
|
16
16
|
# Synchronize configuration with verikloak-rails when available.
|
|
17
17
|
# Runs after verikloak-rails configuration is applied.
|
|
18
18
|
initializer 'verikloak_pundit.sync_configuration', after: 'verikloak.configure' do
|
|
19
|
-
sync_with_verikloak_rails if defined?(Verikloak::Rails)
|
|
19
|
+
Verikloak::Pundit::Railtie.sync_with_verikloak_rails if defined?(Verikloak::Rails)
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
class << self
|
|
@@ -43,7 +43,7 @@ module Verikloak
|
|
|
43
43
|
def realm_roles
|
|
44
44
|
@realm_roles ||= begin
|
|
45
45
|
path = resolve_path(config.realm_roles_path)
|
|
46
|
-
|
|
46
|
+
extract_roles(path)
|
|
47
47
|
end
|
|
48
48
|
end
|
|
49
49
|
|
|
@@ -55,7 +55,7 @@ module Verikloak
|
|
|
55
55
|
client = client.to_s
|
|
56
56
|
(@resource_roles_cache ||= {})[client] ||= begin
|
|
57
57
|
path = resolve_path(config.resource_roles_path, client: client)
|
|
58
|
-
|
|
58
|
+
extract_roles(path)
|
|
59
59
|
end
|
|
60
60
|
end
|
|
61
61
|
|
|
@@ -107,6 +107,14 @@ module Verikloak
|
|
|
107
107
|
|
|
108
108
|
private
|
|
109
109
|
|
|
110
|
+
# Extract roles from claims at the given path.
|
|
111
|
+
#
|
|
112
|
+
# @param path [Array<String>]
|
|
113
|
+
# @return [Array<String>]
|
|
114
|
+
def extract_roles(path)
|
|
115
|
+
Array(claims.dig(*path)).map(&:to_s).uniq.freeze
|
|
116
|
+
end
|
|
117
|
+
|
|
110
118
|
# Resolve a configured path into concrete dig segments.
|
|
111
119
|
#
|
|
112
120
|
# @param path_config [Array<String, Proc>]
|
|
@@ -146,6 +154,7 @@ module Verikloak
|
|
|
146
154
|
access = claims[CLAIM_RESOURCE_ACCESS]
|
|
147
155
|
if access.is_a?(Hash)
|
|
148
156
|
roles = access.each_with_object([]) do |(client_id, entry), acc|
|
|
157
|
+
next unless entry.is_a?(Hash)
|
|
149
158
|
next unless permission_client_allowed?(client_id)
|
|
150
159
|
|
|
151
160
|
acc.concat(Array(entry[CLAIM_ROLES]))
|
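Review bot: `extract_roles` (third hunk, new lines 114-116) still calls `claims.dig(*path)` unguarded, so a token whose intermediate claim is not a Hash or Array (for example `realm_access` delivered as a string) raises TypeError, and an empty resolved path raises ArgumentError; the last hunk adds this kind of shape guard (`next unless entry.is_a?(Hash)`) for `resource_access` entries only. Failing closed keeps a malformed token from surfacing as an unhandled exception: add `rescue TypeError` to the method with `[].freeze` as the fallback value. `Array(...)` applied to a Hash-valued roles claim also produces stringified key/value pairs as role names, so an `is_a?(Array)` check on the dug value may be the stricter choice. The page shows no file header for these hunks (by content they appear to belong to the user context class), and the `each_with_object` block in the last hunk continues past its end.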
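--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-pundit
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - taiyaky
@@ -94,7 +94,7 @@ metadata:
 source_code_uri: https://github.com/taiyaky/verikloak-pundit
 changelog_uri: https://github.com/taiyaky/verikloak-pundit/blob/main/CHANGELOG.md
 bug_tracker_uri: https://github.com/taiyaky/verikloak-pundit/issues
-documentation_uri: https://rubydoc.info/gems/verikloak-pundit/0.
+documentation_uri: https://rubydoc.info/gems/verikloak-pundit/0.3.0
 rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: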