yes-auth 1.0.0

data/lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_role_changed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module ReadResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnReadResourceAccessRoleChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(role_id: event.data['role_id'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_scope_changed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module ReadResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnReadResourceAccessScopeChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(scope: event.data['scope'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_service_changed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module ReadResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnReadResourceAccessServiceChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(service: event.data['service'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/role/builder.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module Role
+          # @see Yes::Core::ReadModel::Builder
+          class Builder < Yes::Core::ReadModel::Builder
+            private
+
+            def default_read_model_class
+              Yes::Auth::Principals::Role
+            end
+
+            def aggregate_id_key
+              'role_id'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/role/on_role_name_changed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module Role
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnRoleNameChanged < Yes::Core::ReadModel::EventHandler
+            def call(event)
+              super
+
+              read_model.update_columns(name: event.data['name'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/user/builder.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module User
+          # @see Yes::Core::ReadModel::Builder
+          class Builder < Yes::Core::ReadModel::Builder
+            private
+
+            def default_read_model_class
+              Yes::Auth::Principals::User
+            end
+
+            def aggregate_id_key
+              'principal_id'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/user/on_principal_attribute_changed.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module User
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnPrincipalAttributeChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              auth_attributes = read_model.auth_attributes || {}
+              auth_attributes[event.data['name']] = event.data['value']
+
+              read_model.update_columns(auth_attributes:)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/user/on_principal_identity_assigned.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module User
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnPrincipalIdentityAssigned < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(identity_id: event.data['identity_id'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/user/on_principal_removed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module User
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnPrincipalRemoved < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(_event)
+              read_model.delete
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/user/on_principal_role_added.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module User
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnPrincipalRoleAdded < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              user = Yes::Auth::Principals::User.find_or_create_by(id: event.data['principal_id'])
+              role = Yes::Auth::Principals::Role.find_or_create_by(id: event.data['role_id'])
+              user.roles << role
+            rescue ActiveRecord::RecordNotUnique
+              Rails.logger.info("Role(#{event.data['role_id']}) already added to user(#{event.data['principal_id']})")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/user/on_principal_role_removed.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module User
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnPrincipalRoleRemoved < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              user = Yes::Auth::Principals::User.find_by(id: event.data['principal_id'])
+              role = Yes::Auth::Principals::Role.find_by(id: event.data['role_id'])
+              return unless user && role
+
+              user.roles.delete(role)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/builder.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::Builder
+          class Builder < Yes::Core::ReadModel::Builder
+            private
+
+            def default_read_model_class
+              Yes::Auth::Principals::WriteResourceAccess
+            end
+
+            def aggregate_id_key
+              'write_resource_access_id'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_attribute_changed.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnWriteResourceAccessAttributeChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              auth_attributes = read_model.auth_attributes || {}
+              auth_attributes[event.data['name']] = event.data['value']
+
+              read_model.update_columns(auth_attributes:)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_context_changed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnWriteResourceAccessContextChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(context: event.data['context'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_principal_assigned.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnWriteResourceAccessPrincipalAssigned < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(principal_id: event.data['principal_id'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_removed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnWriteResourceAccessRemoved < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(_event)
+              read_model.delete
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_resource_assigned.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnWriteResourceAccessResourceAssigned < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(resource_id: event.data['resource_id'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_resource_type_changed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnWriteResourceAccessResourceTypeChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(resource_type: event.data['resource_type'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_role_changed.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    module ReadModels
+      module Principals
+        module WriteResourceAccess
+          # @see Yes::Core::ReadModel::EventHandler
+          class OnWriteResourceAccessRoleChanged < Yes::Core::ReadModel::EventHandler
+            # @param event [Yes::Core::Event]
+            # @return [void]
+            def call(event)
+              read_model.update_columns(role_id: event.data['role_id'])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/yes/auth/subscriptions.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    # Wires authorization event builders to the appropriate subscriptions.
+    #
+    # Role, User, WriteResourceAccess, and ReadResourceAccess builders
+    # are registered via the yes-core ReadModel::Builder pattern.
+    class Subscriptions
+      # @param subscriptions [Object] the subscription registry
+      # @return [void]
+      def self.call(subscriptions)
+        subscriptions.subscribe_to_all(
+          Yes::Auth::ReadModels::Principals::Role::Builder.new,
+          { event_types: ['Authorization::RoleNameChanged'] }
+        )
+
+        subscriptions.subscribe_to_all(
+          Yes::Auth::ReadModels::Principals::User::Builder.new,
+          { event_types: [
+            'Authorization::PrincipalRoleAdded',
+            'Authorization::PrincipalRoleRemoved',
+            'Authorization::PrincipalAttributeChanged',
+            'Authorization::PrincipalIdentityAssigned',
+            'Authorization::PrincipalRemoved'
+          ] }
+        )
+
+        subscriptions.subscribe_to_all(
+          Yes::Auth::ReadModels::Principals::WriteResourceAccess::Builder.new,
+          { event_types: [
+            'Authorization::WriteResourceAccessAttributeChanged',
+            'Authorization::WriteResourceAccessContextChanged',
+            'Authorization::WriteResourceAccessPrincipalAssigned',
+            'Authorization::WriteResourceAccessRemoved',
+            'Authorization::WriteResourceAccessResourceAssigned',
+            'Authorization::WriteResourceAccessResourceTypeChanged',
+            'Authorization::WriteResourceAccessRoleChanged'
+          ] }
+        )
+
+        subscriptions.subscribe_to_all(
+          Yes::Auth::ReadModels::Principals::ReadResourceAccess::Builder.new,
+          { event_types: [
+            'Authorization::ReadResourceAccessPrincipalAssigned',
+            'Authorization::ReadResourceAccessResourceTypeChanged',
+            'Authorization::ReadResourceAccessRemoved',
+            'Authorization::ReadResourceAccessResourceAssigned',
+            'Authorization::ReadResourceAccessRoleChanged',
+            'Authorization::ReadResourceAccessScopeChanged',
+            'Authorization::ReadResourceAccessServiceChanged'
+          ] }
+        )
+      end
+    end
+  end
+end

data/lib/yes/auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Yes
+  module Auth
+    VERSION = '1.0.0'
+  end
+end

data/lib/yes/auth.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'yes/core'
+require 'zeitwerk'
+
+module Yes
+  module Auth
+    class << self
+      # @return [Zeitwerk::Loader] the configured Zeitwerk loader for yes-auth
+      def loader
+        @loader ||= begin
+          loader = Zeitwerk::Loader.new
+          loader.tag = 'yes-auth'
+          loader.push_dir(File.expand_path('..', __dir__))
+          loader.ignore("#{__dir__}/auth/version.rb")
+          loader.ignore("#{__dir__}/auth/railtie.rb")
+          loader.setup
+          loader
+        end
+      end
+    end
+  end
+end
+
+require_relative 'auth/version'
+require_relative 'auth/railtie' if defined?(Rails::Railtie)
+Yes::Auth.loader.eager_load

metadata

@@ -0,0 +1,112 @@
+--- !ruby/object:Gem::Specification
+name: yes-auth
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Nico Ritsche
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+- !ruby/object:Gem::Dependency
+  name: yes-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: Provides authorization principal models (User, Role, ResourceAccess)
+  and Cerbos integration for the Yes framework
+email:
+- nico.ritsche@yousty.ch
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- lib/yes/auth.rb
+- lib/yes/auth/cerbos/read_resource_access/principal_attributes.rb
+- lib/yes/auth/cerbos/read_resource_access/principal_data.rb
+- lib/yes/auth/cerbos/write_resource_access/principal_attributes.rb
+- lib/yes/auth/cerbos/write_resource_access/principal_data.rb
+- lib/yes/auth/principals/read_resource_access.rb
+- lib/yes/auth/principals/role.rb
+- lib/yes/auth/principals/user.rb
+- lib/yes/auth/principals/write_resource_access.rb
+- lib/yes/auth/railtie.rb
+- lib/yes/auth/read_models/principals/read_resource_access/builder.rb
+- lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_principal_assigned.rb
+- lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_removed.rb
+- lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_resource_assigned.rb
+- lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_resource_type_changed.rb
+- lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_role_changed.rb
+- lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_scope_changed.rb
+- lib/yes/auth/read_models/principals/read_resource_access/on_read_resource_access_service_changed.rb
+- lib/yes/auth/read_models/principals/role/builder.rb
+- lib/yes/auth/read_models/principals/role/on_role_name_changed.rb
+- lib/yes/auth/read_models/principals/user/builder.rb
+- lib/yes/auth/read_models/principals/user/on_principal_attribute_changed.rb
+- lib/yes/auth/read_models/principals/user/on_principal_identity_assigned.rb
+- lib/yes/auth/read_models/principals/user/on_principal_removed.rb
+- lib/yes/auth/read_models/principals/user/on_principal_role_added.rb
+- lib/yes/auth/read_models/principals/user/on_principal_role_removed.rb
+- lib/yes/auth/read_models/principals/write_resource_access/builder.rb
+- lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_attribute_changed.rb
+- lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_context_changed.rb
+- lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_principal_assigned.rb
+- lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_removed.rb
+- lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_resource_assigned.rb
+- lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_resource_type_changed.rb
+- lib/yes/auth/read_models/principals/write_resource_access/on_write_resource_access_role_changed.rb
+- lib/yes/auth/subscriptions.rb
+- lib/yes/auth/version.rb
+homepage: https://github.com/yousty/yes
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/yousty/yes
+  source_code_uri: https://github.com/yousty/yes/tree/main/yes-auth
+  changelog_uri: https://github.com/yousty/yes/blob/main/yes-auth/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Authorization principals for the Yes event sourcing framework
+test_files: []