yes-auth 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b8e3b75db27fa4e2079f268a02bbb3a3d3321a65dc25d7d167888cf8d7f222e
-  data.tar.gz: 3def0c48b89e0a3b42032d215d574c6cfb388a8ca40b08d3d07045665520e907
+  metadata.gz: '014009744d8d8f4feb38d63ed996bbc9b7d28884b45e9ad8acbee77214013d09'
+  data.tar.gz: 906951c894c99d3135c3efff97df909354fd1c942b54ca0f7db587c587fc699b
 SHA512:
-  metadata.gz: 60b40d20b625ca87978ed8238d7bb4f5d571217afeca6eb809cfaaff960d9278ff05c88d888740ae7dca9f059d90a07f8e2e552eb5f09ff762ee13df91a3e828
-  data.tar.gz: 6f7bccb82e4c9b9f4074e76e9595454e1153a3cbb6147fc1dbe86aaf29c4e525aaf84580749dba78a08c6ac259ac44fe78ae1dae1072431f7d5e3d8a2a9db7d0
+  metadata.gz: 0d9bbc394efc60af86ced946a884a7cc6278181182434a4bd217cb81885aadb63edc3601efb8e34d8d5cef0c91f4f69f58e6a537a6a8217e22293114c69df9f6
+  data.tar.gz: 810e25ed15de0d2612916524d31c22c7b008b83f1d6a18b08dec9821980ec238921276b1e6efa8b93947c863ce3ccff5c04bb39a81afcf6294e94d17881e5c70

data/CHANGELOG.md

@@ -1,9 +1,9 @@
 # Changelog
 
-## [1.0.0] - 2026-03-25
+## [1.1.0] - 2026-04-28
+
+- See root CHANGELOG.md for details.
 
-### Added
+## [1.0.0] - 2026-03-25
 
-- Initial release
-- Authorization principal models (User, Role, ReadResourceAccess, WriteResourceAccess)
-- Cerbos principal data builders for read and write resource access
+- Initial open-source release (see root CHANGELOG.md for details)

data/README.md

@@ -110,15 +110,47 @@ Yes::Core.configure do |config|
 end
 ```
 
-## Database Schema
+## Database Setup
 
-The gem expects the following tables to exist:
+Generate the required auth principal migrations:
 
-- `auth_principals_users` - stores user principals
+```bash
+rails generate yes:auth:install
+```
+
+This creates migrations for all principal tables. You can also generate them individually:
+
+```bash
+rails generate yes:auth:principals:user
+rails generate yes:auth:principals:role
+rails generate yes:auth:principals:user_role
+rails generate yes:auth:principals:read_resource_access
+rails generate yes:auth:principals:write_resource_access
+```
+
+Then run the migrations:
+
+```bash
+rails db:migrate
+```
+
+This creates the following tables:
+
+- `auth_principals_users` - stores user principals with identity and auth attributes
 - `auth_principals_roles` - stores named roles
 - `auth_principals_read_resource_accesses` - stores read resource access records
 - `auth_principals_write_resource_accesses` - stores write resource access records
-- A join table for the users-roles HABTM association
+- A join table for the users-roles HABTM association with UUID foreign keys
+
+### Subscriptions
+
+The auth principal read models are kept in sync via event subscriptions. Register them in your subscription setup (e.g., in a Rake task or initializer):
+
+```ruby
+Yes::Auth::Subscriptions.call(subscriptions)
+```
+
+This subscribes builders for all four principal models to their respective authorization events (e.g., `Authorization::PrincipalRoleAdded`, `Authorization::WriteResourceAccessAttributeChanged`, etc.).
 
 ## Development
 

data/lib/yes/auth/generators/base_generator.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+
+module Yes
+  module Auth
+    module Generators
+      # Base class for auth principal migration generators
+      #
+      # Provides shared migration generation logic including timestamp calculation,
+      # existence checking, and template rendering.
+      #
+      # @abstract Subclass and implement {#_table_name} and {#_source_template}
+      class BaseGenerator < Rails::Generators::Base
+        include ::Rails::Generators::Migration
+
+        hide!
+
+        # Calculates the next migration number based on existing migrations
+        #
+        # @param migrations_root [String] path to the migrations directory
+        # @return [String] the next migration number as a timestamp string
+        def self.next_migration_number(migrations_root)
+          paths = Dir["#{migrations_root}/*.rb"].map do |path|
+            File.basename(path)
+          end
+          timestamps = paths.map { |name| name.split('_').first }
+          latest = timestamps.max || '0'
+          [Time.now.utc.strftime('%Y%m%d%H%M%S'), format('%.14d', latest.next)].max
+        end
+
+        def create
+          raise "Migration already exists in #{_migration_dir}" if self.class.migration_exists?(_migration_dir, _migration_file_name)
+
+          migration_template(_source_template, _destination)
+        end
+
+        def _table_name
+          raise NotImplementedError
+        end
+
+        def _source_template
+          raise NotImplementedError
+        end
+
+        def _destination
+          "#{_migration_dir}/#{_migration_file_name}"
+        end
+
+        def _migration_file_name
+          "create_#{_table_name.singularize}.rb"
+        end
+
+        def _migration_dir
+          'db/migrate'
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/generators/install_generator.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module Generators
+      # Generates all auth principal migrations at once
+      #
+      # @example
+      #   rails generate yes:auth:install
+      class InstallGenerator < Rails::Generators::Base
+        namespace 'yes:auth:install'
+        desc 'Create all migrations for Yes::Auth principals'
+
+        def run_generators
+          invoke 'yes:auth:principals:read_resource_access'
+          invoke 'yes:auth:principals:write_resource_access'
+          invoke 'yes:auth:principals:role'
+          invoke 'yes:auth:principals:user'
+          invoke 'yes:auth:principals:user_role'
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/generators/principals/read_resource_access_generator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative '../base_generator'
+
+module Yes
+  module Auth
+    module Generators
+      module Principals
+        # Generates the migration for the read resource access principals table
+        #
+        # @example
+        #   rails generate yes:auth:principals:read_resource_access
+        class ReadResourceAccessGenerator < BaseGenerator
+          source_root File.expand_path('../templates', __dir__)
+
+          namespace 'yes:auth:principals:read_resource_access'
+          desc 'Create migration for Yes::Auth::Principals::ReadResourceAccess'
+
+          def _table_name
+            Yes::Auth::Principals::ReadResourceAccess.table_name
+          end
+
+          def _source_template
+            'read_resource_access.erb'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/generators/principals/role_generator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative '../base_generator'
+
+module Yes
+  module Auth
+    module Generators
+      module Principals
+        # Generates the migration for the roles principals table
+        #
+        # @example
+        #   rails generate yes:auth:principals:role
+        class RoleGenerator < BaseGenerator
+          source_root File.expand_path('../templates', __dir__)
+
+          namespace 'yes:auth:principals:role'
+          desc 'Create migration for Yes::Auth::Principals::Role'
+
+          def _table_name
+            Yes::Auth::Principals::Role.table_name
+          end
+
+          def _source_template
+            'role.erb'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/generators/principals/user_generator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative '../base_generator'
+
+module Yes
+  module Auth
+    module Generators
+      module Principals
+        # Generates the migration for the user principals table
+        #
+        # @example
+        #   rails generate yes:auth:principals:user
+        class UserGenerator < BaseGenerator
+          source_root File.expand_path('../templates', __dir__)
+
+          namespace 'yes:auth:principals:user'
+          desc 'Create migration for Yes::Auth::Principals::User'
+
+          def _table_name
+            Yes::Auth::Principals::User.table_name
+          end
+
+          def _source_template
+            'user.erb'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/generators/principals/user_role_generator.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require_relative '../base_generator'
+
+module Yes
+  module Auth
+    module Generators
+      module Principals
+        # Generates the migration for the user-role join table
+        #
+        # This generator creates a join table for the HABTM association between
+        # User and Role principals, with UUID foreign keys and cascade deletes.
+        #
+        # @example
+        #   rails generate yes:auth:principals:user_role
+        class UserRoleGenerator < BaseGenerator
+          source_root File.expand_path('../templates', __dir__)
+
+          namespace 'yes:auth:principals:user_role'
+          desc 'Create migration for the User-Role join table'
+
+          def _table_name
+            "#{Yes::Auth::Principals::User.reflect_on_association(:roles).table_name}_" \
+              "#{Yes::Auth::Principals::Role.reflect_on_association(:users).plural_name}"
+          end
+
+          def _migration_file_name
+            "create_join_table_#{_user_table_name.singularize}_#{_role_table_name.singularize}.rb"
+          end
+
+          def _user_table_name
+            Yes::Auth::Principals::User.table_name
+          end
+
+          def _role_table_name
+            Yes::Auth::Principals::Role.table_name
+          end
+
+          def _user_primary_key
+            Yes::Auth::Principals::Role.reflect_on_association(:users).foreign_key
+          end
+
+          def _role_primary_key
+            Yes::Auth::Principals::User.reflect_on_association(:roles).foreign_key
+          end
+
+          def _source_template
+            'user_role.erb'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/generators/principals/write_resource_access_generator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative '../base_generator'
+
+module Yes
+  module Auth
+    module Generators
+      module Principals
+        # Generates the migration for the write resource access principals table
+        #
+        # @example
+        #   rails generate yes:auth:principals:write_resource_access
+        class WriteResourceAccessGenerator < BaseGenerator
+          source_root File.expand_path('../templates', __dir__)
+
+          namespace 'yes:auth:principals:write_resource_access'
+          desc 'Create migration for Yes::Auth::Principals::WriteResourceAccess'
+
+          def _table_name
+            Yes::Auth::Principals::WriteResourceAccess.table_name
+          end
+
+          def _source_template
+            'write_resource_access.erb'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/generators/templates/read_resource_access.erb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class Create<%= _table_name.singularize.camelcase %> < ActiveRecord::Migration[7.0]
+  def change
+    create_table <%= _table_name.to_sym.inspect %>, id: :uuid do |t|
+      t.uuid :principal_id
+      t.uuid :role_id
+      t.string :service
+      t.string :scope
+      t.string :resource_type
+      t.string :resource_id
+      t.jsonb :auth_attributes, default: {}
+
+      t.timestamps
+    end
+
+    add_index <%= _table_name.to_sym.inspect %>, :principal_id
+    add_index <%= _table_name.to_sym.inspect %>, :role_id
+    add_index <%= _table_name.to_sym.inspect %>, :resource_id
+    add_index <%= _table_name.to_sym.inspect %>, :service
+  end
+end

data/lib/yes/auth/generators/templates/role.erb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class Create<%= _table_name.singularize.camelcase %> < ActiveRecord::Migration[7.0]
+  def change
+    create_table <%= _table_name.to_sym.inspect %>, id: :uuid do |t|
+      t.string :name
+
+      t.timestamps
+    end
+
+    add_index <%= _table_name.to_sym.inspect %>, :name, unique: true
+  end
+end

data/lib/yes/auth/generators/templates/user.erb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class Create<%= _table_name.singularize.camelcase %> < ActiveRecord::Migration[7.0]
+  def change
+    create_table <%= _table_name.to_sym.inspect %>, id: :uuid do |t|
+      t.jsonb :auth_attributes, default: {}
+      t.uuid :identity_id
+
+      t.timestamps
+    end
+
+    add_index <%= _table_name.to_sym.inspect %>, :identity_id
+  end
+end

data/lib/yes/auth/generators/templates/user_role.erb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class CreateJoinTable<%= _user_table_name.singularize.camelcase %><%= _role_table_name.singularize.camelcase %> < ActiveRecord::Migration[7.0]
+  def up
+    create_join_table(:<%= _role_table_name %>, :<%= _user_table_name %>, column_options: { type: :uuid, foreign_key: { on_delete: :cascade } }) do |t|
+      t.index %i[<%= _user_primary_key%> <%= _role_primary_key %>], name: :<%= _user_table_name %>_<%= _role_table_name %>, unique: true
+      t.index %i[<%= _role_primary_key %> <%= _user_primary_key%>], name: :<%= _role_table_name %>_<%= _user_table_name %>
+    end
+
+    Yes::Auth::Principals::User.find_each do |user|
+      user.role_ids.each do |role_id|
+        role = Yes::Auth::Principals::Role.find_by(id: role_id)
+        next unless role
+
+        user.roles << role
+      end
+    end
+
+    remove_column :<%= _user_table_name %>, :role_ids, if_exists: true
+  end
+
+  def down
+    add_column :<%= _user_table_name %>, :role_ids, :uuid, array: true, default: [], null: false
+
+    Yes::Auth::Principals::User.find_each do |user|
+      user.role_ids = user.roles.map(&:auth_principals_role_id)
+      user.save!
+    end
+
+    drop_table :<%= _table_name %>
+  end
+end

data/lib/yes/auth/generators/templates/write_resource_access.erb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class Create<%= _table_name.singularize.camelcase %> < ActiveRecord::Migration[7.0]
+  def change
+    create_table <%= _table_name.to_sym.inspect %>, id: :uuid do |t|
+      t.uuid :principal_id
+      t.uuid :role_id
+      t.string :context
+      t.string :resource_id
+      t.string :resource_type
+      t.jsonb :auth_attributes, default: {}
+
+      t.timestamps
+    end
+
+    add_index <%= _table_name.to_sym.inspect %>, :principal_id
+    add_index <%= _table_name.to_sym.inspect %>, :role_id
+    add_index <%= _table_name.to_sym.inspect %>, :resource_id
+  end
+end

data/lib/yes/auth/version.rb

@@ -2,6 +2,6 @@
 
 module Yes
   module Auth
-    VERSION = '1.0.0'
+    VERSION = '1.1.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: yes-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Nico Ritsche
@@ -53,6 +53,18 @@ files:
 - lib/yes/auth/cerbos/read_resource_access/principal_data.rb
 - lib/yes/auth/cerbos/write_resource_access/principal_attributes.rb
 - lib/yes/auth/cerbos/write_resource_access/principal_data.rb
+- lib/yes/auth/generators/base_generator.rb
+- lib/yes/auth/generators/install_generator.rb
+- lib/yes/auth/generators/principals/read_resource_access_generator.rb
+- lib/yes/auth/generators/principals/role_generator.rb
+- lib/yes/auth/generators/principals/user_generator.rb
+- lib/yes/auth/generators/principals/user_role_generator.rb
+- lib/yes/auth/generators/principals/write_resource_access_generator.rb
+- lib/yes/auth/generators/templates/read_resource_access.erb
+- lib/yes/auth/generators/templates/role.erb
+- lib/yes/auth/generators/templates/user.erb
+- lib/yes/auth/generators/templates/user_role.erb
+- lib/yes/auth/generators/templates/write_resource_access.erb
 - lib/yes/auth/principals/read_resource_access.rb
 - lib/yes/auth/principals/role.rb
 - lib/yes/auth/principals/user.rb