vert-core 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 802f4618d6763aeb190d05eb6bd29218d07ae0b3c229e968366a7c200bc08fb3
+  data.tar.gz: cf5140dd8bfb233db4163479ca714ac30049c69524a1139c36140b0046bc3091
+SHA512:
+  metadata.gz: 9e1afa0a09e98a12da919ab46ee34535eacc15d4e74e47edfe7da199b3b3f36895375abd360e7efb0ff87421bece811e0488ca7ddb10ed0dfffceb0f63387e57
+  data.tar.gz: ef379164049f6887b3748fdaa06b481e18c1836fa81172c5a63e28d8999d77c58bf08aaeda418f1ccf7be9cbcf94bf2f9b0c37cf3ad6a9d6df0b7bc43f9e3b88

data/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+
+## [1.0.0] - 2025-03-14
+
+### Added
+
+- Initial release.
+- Configuration via `Vert.configure` (optional RLS, Outbox, Health, Authorization, concerns).
+- Concerns: Current, UuidPrimaryKey, MultiTenant, Auditable, SoftDeletable, CompanyScoped, DocumentStoreable.
+- Outbox: Event, Publisher, PublisherJob.
+- RLS: ConnectionHandler, ContextMiddleware, JobContext, BaseConsumer.
+- Health: Checker, Routes, ControllerMixin.
+- Authorization: PermissionResolver, DynamicPolicy, PolicyFinder, ControllerMethods.
+- Generators: `vert:install`, `vert:rls_migration`.

data/README.md

@@ -0,0 +1,126 @@
+# Vert
+
+Gem genérica de padrões para aplicações Rails: contexto de request, RLS, Outbox, Health, autorização RBAC/ABAC e concerns opcionais (multi-tenant, auditável, soft delete, UUID, document store). Tudo é **opcional** e configurável via initializer.
+
+## Instalação
+
+Adicione ao `Gemfile`:
+
+```ruby
+gem "vert"
+```
+
+Execute:
+
+```bash
+bundle install
+rails generate vert:install
+```
+
+Edite `config/initializers/vert.rb` e ative apenas os recursos que precisar.
+
+## Configuração
+
+Em `config/initializers/vert.rb`:
+
+```ruby
+Vert.configure do |config|
+  config.enable_rls = true
+  config.enable_outbox = true
+  config.enable_health = true
+  config.auto_mount_health_routes = false
+  config.rabbitmq_url = ENV.fetch("RABBITMQ_URL", "amqp://guest:guest@localhost:5672/")
+  config.exchange_name = "vert.events"
+  config.document_service_url = ENV["DOCUMENT_SERVICE_URL"]
+  config.enable_authorization = true
+end
+```
+
+| Opção | Descrição | Padrão |
+|-------|-----------|--------|
+| `enable_rls` | Row Level Security (PostgreSQL) | `false` |
+| `enable_outbox` | Publicação de eventos via Outbox | `false` |
+| `enable_health` | Endpoints e checks de health | `true` |
+| `auto_mount_health_routes` | Montar rotas de health automaticamente | `false` |
+| `enable_authorization` | RBAC/ABAC com Pundit | `false` |
+| `health_check_database` | Incluir check de DB no health | `true` |
+| `health_check_redis` | Incluir check de Redis | `false` |
+| `health_check_rabbitmq` | Incluir check de RabbitMQ | `false` |
+| `health_check_sidekiq` | Incluir check de Sidekiq | `false` |
+
+## Uso
+
+### Contexto de request (Current)
+
+Sempre disponível. Defina o contexto após autenticação:
+
+```ruby
+Vert::Current.set_context(tenant_id: "...", user_id: "...", company_id: "...")
+```
+
+Leitura: `Vert::Current.tenant_id`, `Vert::Current.user_id`, `Vert::Current.company_set?`, `Vert::Current.require_tenant!`.
+
+Para herdar no app: `class Current < Vert::Current; end` (gerado pelo `vert:install`).
+
+### RLS (Row Level Security)
+
+1. `config.enable_rls = true`
+2. Gere migrações: `rails generate vert:rls_migration --tables orders items`
+3. No `ApplicationController`: `include Vert::Rls::ControllerContext`
+4. Configure `Vert::Current` antes de cada request (ex.: no auth).
+
+### Outbox
+
+1. `config.enable_outbox = true`
+2. Model `OutboxEvent` e migration criados pelo `vert:install`
+3. Dentro de uma transação: `OutboxEvent.publish_for(record, event_type: "order.created", payload: { ... })`
+4. Agende `Vert::Outbox::PublisherJob` (ex.: Sidekiq-Cron a cada 10s).
+
+### Health
+
+- `GET /health` → `Vert::Health.check_all`
+- `GET /health/live` → liveness
+- `GET /health/ready` → readiness (DB)
+
+Rotas podem ser montadas pelo generator ou com `Vert.config.auto_mount_health_routes = true`. Checks customizados:
+
+```ruby
+Vert::Health.add_check(:external_api) do
+  # return { status: "ok" } or { status: "error", message: "..." }
+end
+```
+
+### Autorização (Pundit)
+
+1. `config.enable_authorization = true`
+2. No `ApplicationController`: `include Pundit::Authorization` e `include Vert::Authorization::ControllerMethods`
+3. Políticas: herde de `Vert::Authorization::DynamicPolicy` e use `has_permission?("resource.action")`
+4. No controller: `authorize_with_context(record)` ou `authorize_with_context(record, :approve?)`
+
+### Concerns em models
+
+Inclua conforme necessário (não dependem de flags, exceto document_storeable que usa `config.document_service_url`):
+
+- `Vert::Concerns::UuidPrimaryKey`
+- `Vert::Concerns::MultiTenant`
+- `Vert::Concerns::Auditable`
+- `Vert::Concerns::SoftDeletable`
+- `Vert::Concerns::CompanyScoped`
+- `Vert::Concerns::DocumentStoreable` (requer document service)
+
+### Jobs e contexto
+
+Para propagar tenant/user em jobs Sidekiq:
+
+```ruby
+class MyJob < ApplicationJob
+  include Vert::Rls::JobContext
+  def perform(id)
+    # Vert::Current.tenant_id disponível
+  end
+end
+```
+
+## Licença
+
+MIT.

data/lib/vert/authorization/controller_methods.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module Vert
+  module Authorization
+    module ControllerMethods
+      extend ActiveSupport::Concern
+
+      included do
+        rescue_from Pundit::NotAuthorizedError, with: :render_forbidden if defined?(Pundit)
+      end
+
+      def authorize_with_context(record, query = nil, context = {})
+        return record unless Vert.config.enable_authorization && defined?(Pundit)
+        query ||= "#{action_name}?"
+        policy_context = authorization_context.merge(context)
+        policy = policy_with_context(record, policy_context)
+        unless policy.public_send(query)
+          raise Pundit::NotAuthorizedError, query: query, record: record, policy: policy
+        end
+        record
+      end
+
+      def policy_with_context(record, context = {})
+        policy_class = PolicyFinder.new(record).policy
+        policy_class.new(current_user, record, context)
+      end
+
+      def has_permission?(permission_code, context = {})
+        return false unless Vert.config.enable_authorization
+        PermissionResolver.has_permission?(current_user, permission_code, authorization_context.merge(context))
+      end
+
+      def can_see_field?(resource, field)
+        allowed = PermissionResolver.get_allowed_fields(current_user, "#{resource}.read", authorization_context)
+        denied = PermissionResolver.get_denied_fields(current_user, "#{resource}.read", authorization_context)
+        return false if denied.include?(field.to_s)
+        return true if allowed.nil?
+        allowed.include?(field.to_s)
+      end
+
+      def allowed_fields_for(resource)
+        PermissionResolver.get_allowed_fields(current_user, "#{resource}.read", authorization_context)
+      end
+
+      def denied_fields_for(resource)
+        PermissionResolver.get_denied_fields(current_user, "#{resource}.read", authorization_context)
+      end
+
+      def current_user_permissions
+        PermissionResolver.user_permissions(current_user, authorization_context)
+      end
+
+      protected
+
+      def authorization_context
+        {
+          tenant_id: current_tenant_id,
+          company_id: current_company_id,
+          user_id: current_user&.id,
+          action: action_name
+        }
+      end
+
+      def current_tenant_id
+        Vert::Current.tenant_id
+      end
+
+      def current_company_id
+        Vert::Current.company_id
+      end
+
+      private
+
+      def render_forbidden(exception)
+        render json: {
+          error: "Access denied",
+          message: "You do not have permission to perform this action",
+          permission: exception.query&.to_s&.delete_suffix("?"),
+          resource: exception.record.is_a?(Class) ? exception.record.name : exception.record.class.name
+        }, status: :forbidden
+      end
+    end
+  end
+end

data/lib/vert/authorization/dynamic_policy.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+module Vert
+  module Authorization
+    class DynamicPolicy
+      attr_reader :user, :record, :context
+
+      def initialize(user, record, context = {})
+        @user = user
+        @record = record
+        @context = default_context.merge(context)
+      end
+
+      def index?
+        has_permission?("#{resource_name}.list")
+      end
+
+      def show?
+        has_permission?("#{resource_name}.read")
+      end
+
+      def create?
+        has_permission?("#{resource_name}.create")
+      end
+
+      def new?
+        create?
+      end
+
+      def update?
+        has_permission?("#{resource_name}.update")
+      end
+
+      def edit?
+        update?
+      end
+
+      def destroy?
+        has_permission?("#{resource_name}.delete")
+      end
+
+      def export?
+        has_permission?("#{resource_name}.export")
+      end
+
+      def import?
+        has_permission?("#{resource_name}.import")
+      end
+
+      def approve?
+        has_permission?("#{resource_name}.approve")
+      end
+
+      def reject?
+        has_permission?("#{resource_name}.reject")
+      end
+
+      def cancel?
+        has_permission?("#{resource_name}.cancel")
+      end
+
+      def print?
+        has_permission?("#{resource_name}.print")
+      end
+
+      class Scope
+        attr_reader :user, :scope, :context
+
+        def initialize(user, scope, context = {})
+          @user = user
+          @scope = scope
+          @context = context
+        end
+
+        def resolve
+          if PermissionResolver.has_permission?(user, "#{resource_name}.list", context)
+            own_records_only? ? scope.where(created_by: user.id) : scope.all
+          else
+            scope.none
+          end
+        end
+
+        private
+
+        def resource_name
+          scope.model_name.plural
+        end
+
+        def own_records_only?
+          PermissionResolver.get_condition(user, "#{resource_name}.list", "own_records_only", context) == true
+        end
+      end
+
+      protected
+
+      def has_permission?(permission_code)
+        return true if user_super_admin?
+        PermissionResolver.has_permission?(user, permission_code, context)
+      end
+
+      def permission_condition(condition_key)
+        PermissionResolver.get_condition(user, "#{resource_name}.#{current_action}", condition_key, context)
+      end
+
+      def allowed_fields
+        PermissionResolver.get_allowed_fields(user, "#{resource_name}.read", context)
+      end
+
+      def denied_fields
+        PermissionResolver.get_denied_fields(user, "#{resource_name}.read", context)
+      end
+
+      def can_see_field?(field_name)
+        field = field_name.to_s
+        denied = denied_fields
+        return false if denied.include?(field)
+        allowed = allowed_fields
+        return true if allowed.nil?
+        allowed.include?(field)
+      end
+
+      def resource_name
+        @resource_name ||= begin
+          klass = record.is_a?(Class) ? record : record.class
+          klass.model_name.plural
+        end
+      end
+
+      def service_name
+        @service_name ||= resource_name.split("/").first
+      end
+
+      private
+
+      def default_context
+        {
+          tenant_id: Vert::Current.tenant_id,
+          company_id: Vert::Current.company_id,
+          user_id: user&.id
+        }
+      end
+
+      def current_action
+        context[:action] || caller_action
+      end
+
+      def caller_action
+        caller_locations(2, 1).first&.label&.delete_suffix("?")
+      end
+
+      def user_super_admin?
+        user.respond_to?(:super_admin?) && user.super_admin?
+      end
+    end
+  end
+end

data/lib/vert/authorization/permission_resolver.rb

@@ -0,0 +1,253 @@
+# frozen_string_literal: true
+
+module Vert
+  module Authorization
+    class PermissionResolver
+      CACHE_TTL = 5.minutes
+      CACHE_PREFIX = "vert:permissions"
+
+      class << self
+        def has_permission?(user, permission_code, context = {})
+          return false unless user
+          return true if super_admin?(user)
+
+          cached = get_cached_permission(user, permission_code, context)
+          return cached unless cached.nil?
+
+          result = resolve_permission(user, permission_code, context)
+          cache_permission(user, permission_code, context, result)
+          result
+        end
+
+        def get_condition(user, permission_code, condition_key, context = {})
+          return nil unless user
+          conditions = get_permission_conditions(user, permission_code, context)
+          conditions&.dig(condition_key.to_s)
+        end
+
+        def get_allowed_fields(user, permission_code, context = {})
+          return nil if super_admin?(user)
+          fields = get_field_restrictions(user, permission_code, context)
+          fields&.dig("granted_fields")
+        end
+
+        def get_denied_fields(user, permission_code, context = {})
+          return [] if super_admin?(user)
+          fields = get_field_restrictions(user, permission_code, context)
+          fields&.dig("denied_fields") || []
+        end
+
+        def user_permissions(user, context = {})
+          return [] unless user
+          return ["*"] if super_admin?(user)
+
+          cache_key = user_permissions_cache_key(user, context)
+          cached = redis_get(cache_key)
+          return cached if cached
+
+          permissions = collect_user_permissions(user, context)
+          redis_set(cache_key, permissions, CACHE_TTL)
+          permissions
+        end
+
+        def invalidate_user_cache(user_id)
+          pattern = "#{CACHE_PREFIX}:#{user_id}:*"
+          redis_delete_pattern(pattern)
+        end
+
+        def invalidate_role_cache(role_id)
+          if defined?(UserRole)
+            UserRole.where(role_id: role_id).pluck(:user_id).each { |user_id| invalidate_user_cache(user_id) }
+          end
+        end
+
+        private
+
+        def resolve_permission(user, permission_code, context)
+          company_id = context[:company_id]
+          return false if has_direct_deny?(user, permission_code, company_id)
+          return true if has_direct_grant?(user, permission_code, company_id)
+
+          effective_roles(user, company_id).each do |role|
+            return true if role_has_permission?(role, permission_code)
+          end
+          false
+        end
+
+        def has_direct_deny?(user, permission_code, company_id)
+          return false unless defined?(UserPermission)
+          UserPermission
+            .joins(:permission)
+            .where(user_id: user.id, grant_type: "deny")
+            .where("permissions.code = ?", permission_code)
+            .where("company_id IS NULL OR company_id = ?", company_id)
+            .where("valid_from <= ? AND (valid_until IS NULL OR valid_until >= ?)", Time.current, Time.current)
+            .exists?
+        end
+
+        def has_direct_grant?(user, permission_code, company_id)
+          return false unless defined?(UserPermission)
+          UserPermission
+            .joins(:permission)
+            .where(user_id: user.id, grant_type: "grant")
+            .where("permissions.code = ?", permission_code)
+            .where("company_id IS NULL OR company_id = ?", company_id)
+            .where("valid_from <= ? AND (valid_until IS NULL OR valid_until >= ?)", Time.current, Time.current)
+            .exists?
+        end
+
+        def effective_roles(user, company_id)
+          return [] unless defined?(UserRole)
+          role_ids = UserRole
+            .where(user_id: user.id)
+            .where("company_id IS NULL OR company_id = ?", company_id)
+            .where("valid_from <= ? AND (valid_until IS NULL OR valid_until >= ?)", Time.current, Time.current)
+            .pluck(:role_id)
+          return [] if role_ids.empty?
+          Role.where(id: role_ids).or(Role.where(id: inherited_role_ids(role_ids))).where(is_active: true).order(priority: :desc)
+        end
+
+        def inherited_role_ids(role_ids, collected = [])
+          return collected if role_ids.empty?
+          parent_ids = Role.where(id: role_ids).where.not(parent_role_id: nil).pluck(:parent_role_id)
+          new_parents = parent_ids - collected
+          return collected if new_parents.empty?
+          inherited_role_ids(new_parents, collected + new_parents)
+        end
+
+        def role_has_permission?(role, permission_code)
+          return false unless defined?(RolePermission)
+          RolePermission.joins(:permission).where(role_id: role.id).where("permissions.code = ?", permission_code).exists?
+        end
+
+        def get_permission_conditions(user, permission_code, context)
+          company_id = context[:company_id]
+          conditions = {}
+          if defined?(UserPermission)
+            user_conditions = UserPermission
+              .joins(:permission)
+              .where(user_id: user.id, grant_type: "grant")
+              .where("permissions.code = ?", permission_code)
+              .where("company_id IS NULL OR company_id = ?", company_id)
+              .pluck(:conditions).compact
+            user_conditions.each { |c| conditions.merge!(c) if c.is_a?(Hash) }
+          end
+          effective_roles(user, company_id).each do |role|
+            if defined?(RolePermission)
+              role_conditions = RolePermission
+                .joins(:permission)
+                .where(role_id: role.id)
+                .where("permissions.code = ?", permission_code)
+                .pluck(:conditions).compact
+              role_conditions.each { |c| conditions.merge!(c) if c.is_a?(Hash) }
+            end
+          end
+          if defined?(Permission)
+            perm = Permission.find_by(code: permission_code)
+            conditions.merge!(perm.conditions) if perm&.conditions.is_a?(Hash)
+          end
+          conditions
+        end
+
+        def get_field_restrictions(user, permission_code, context)
+          company_id = context[:company_id]
+          if defined?(UserPermission)
+            user_perm = UserPermission
+              .joins(:permission)
+              .where(user_id: user.id)
+              .where("permissions.code = ?", permission_code)
+              .where("company_id IS NULL OR company_id = ?", company_id)
+              .first
+            return user_perm.attributes.slice("granted_fields", "denied_fields") if user_perm
+          end
+          effective_roles(user, company_id).each do |role|
+            if defined?(RolePermission)
+              role_perm = RolePermission
+                .joins(:permission)
+                .where(role_id: role.id)
+                .where("permissions.code = ?", permission_code)
+                .first
+              return role_perm.attributes.slice("granted_fields", "denied_fields") if role_perm
+            end
+          end
+          nil
+        end
+
+        def collect_user_permissions(user, context)
+          permissions = Set.new
+          company_id = context[:company_id]
+          if defined?(UserPermission)
+            UserPermission
+              .joins(:permission)
+              .where(user_id: user.id, grant_type: "grant")
+              .where("company_id IS NULL OR company_id = ?", company_id)
+              .where("valid_from <= ? AND (valid_until IS NULL OR valid_until >= ?)", Time.current, Time.current)
+              .pluck("permissions.code")
+              .each { |code| permissions.add(code) }
+          end
+          effective_roles(user, company_id).each do |role|
+            if defined?(RolePermission)
+              RolePermission.joins(:permission).where(role_id: role.id).pluck("permissions.code").each { |code| permissions.add(code) }
+            end
+          end
+          if defined?(UserPermission)
+            UserPermission
+              .joins(:permission)
+              .where(user_id: user.id, grant_type: "deny")
+              .where("company_id IS NULL OR company_id = ?", company_id)
+              .pluck("permissions.code")
+              .each { |code| permissions.delete(code) }
+          end
+          permissions.to_a
+        end
+
+        def super_admin?(user)
+          user.respond_to?(:super_admin?) && user.super_admin?
+        end
+
+        def cache_key(user, permission_code, context)
+          company_id = context[:company_id] || "all"
+          "#{CACHE_PREFIX}:#{user.id}:#{company_id}:#{permission_code}"
+        end
+
+        def user_permissions_cache_key(user, context)
+          company_id = context[:company_id] || "all"
+          "#{CACHE_PREFIX}:#{user.id}:#{company_id}:all"
+        end
+
+        def get_cached_permission(user, permission_code, context)
+          result = redis_get(cache_key(user, permission_code, context))
+          result.nil? ? nil : (result == "true")
+        end
+
+        def cache_permission(user, permission_code, context, result)
+          redis_set(cache_key(user, permission_code, context), result.to_s, CACHE_TTL)
+        end
+
+        def redis_get(key)
+          return nil unless redis_available?
+          value = redis.get(key)
+          value.nil? ? nil : (JSON.parse(value) rescue value)
+        end
+
+        def redis_set(key, value, ttl)
+          redis.setex(key, ttl.to_i, value.to_json) if redis_available?
+        end
+
+        def redis_delete_pattern(pattern)
+          return unless redis_available?
+          keys = redis.keys(pattern)
+          redis.del(*keys) if keys.any?
+        end
+
+        def redis_available?
+          defined?(Redis) && redis.present?
+        end
+
+        def redis
+          @redis ||= (Redis.new(url: ENV.fetch("REDIS_URL", "redis://localhost:6379/0")) if defined?(Redis))
+        end
+      end
+    end
+  end
+end