Class: Legion::Rbac::Principal

Inherits:

Object

• Object
• Legion::Rbac::Principal

Extended by:

Logging::Helper

Includes:

Logging::Helper

Defined in:

lib/legion/rbac/principal.rb

Constant Summary

PROFILE_KEYS =

%i[
  first_name last_name email display_name cn title
  department company country country_code city state ad_created_at
].freeze

Instance Attribute Summary

• #ad_fqdn ⇒ Object readonly

  Returns the value of attribute ad_fqdn.

• #auth_method ⇒ Object readonly

  Returns the value of attribute auth_method.

• #id ⇒ Object readonly

  Returns the value of attribute id.

• #profile ⇒ Object readonly

  Returns the value of attribute profile.

• #roles ⇒ Object readonly

  Returns the value of attribute roles.

• #samaccountname ⇒ Object readonly

  Returns the value of attribute samaccountname.

• #team ⇒ Object readonly

  Returns the value of attribute team.

• #type ⇒ Object readonly

  Returns the value of attribute type.

Class Method Summary

• .anonymous ⇒ Object
• .from_claims(claims) ⇒ Object
• .local_admin ⇒ Object

Instance Method Summary

• #initialize(id:, type: :human, roles: [], team: nil, auth_method: nil, samaccountname: nil, ad_fqdn: nil, **extra) ⇒ Principal constructor

  rubocop:disable Metrics/ParameterLists.

Constructor Details

#initialize(id:, type: :human, roles: [], team: nil, auth_method: nil, samaccountname: nil, ad_fqdn: nil, **extra) ⇒ Principal

rubocop:disable Metrics/ParameterLists

# File 'lib/legion/rbac/principal.rb', line 22

def initialize(id:, type: :human, roles: [], team: nil, auth_method: nil, # rubocop:disable Metrics/ParameterLists
               samaccountname: nil, ad_fqdn: nil, **extra)
  @id = id
  @type = type.to_sym
  @roles = roles.map(&:to_s)
  @team = team
  @auth_method = auth_method
  @samaccountname = samaccountname
  @ad_fqdn = ad_fqdn
  @profile = extra.slice(*PROFILE_KEYS).compact
  log.debug("RBAC principal initialized id=#{@id} type=#{@type} roles=#{@roles.size} team=#{@team}")
end

Instance Attribute Details

#ad_fqdn ⇒ Object (readonly)

Returns the value of attribute ad_fqdn.

# File 'lib/legion/rbac/principal.rb', line 15

def ad_fqdn
  @ad_fqdn
end

#auth_method ⇒ Object (readonly)

Returns the value of attribute auth_method.

# File 'lib/legion/rbac/principal.rb', line 15

def auth_method
  @auth_method
end

#id ⇒ Object (readonly)

Returns the value of attribute id.

# File 'lib/legion/rbac/principal.rb', line 15

def id
  @id
end

#profile ⇒ Object (readonly)

Returns the value of attribute profile.

# File 'lib/legion/rbac/principal.rb', line 15

def profile
  @profile
end

#roles ⇒ Object (readonly)

Returns the value of attribute roles.

# File 'lib/legion/rbac/principal.rb', line 15

def roles
  @roles
end

#samaccountname ⇒ Object (readonly)

Returns the value of attribute samaccountname.

# File 'lib/legion/rbac/principal.rb', line 15

def samaccountname
  @samaccountname
end

#team ⇒ Object (readonly)

Returns the value of attribute team.

# File 'lib/legion/rbac/principal.rb', line 15

def team
  @team
end

#type ⇒ Object (readonly)

Returns the value of attribute type.

# File 'lib/legion/rbac/principal.rb', line 15

def type
  @type
end

Class Method Details

.anonymous ⇒ Object

# File 'lib/legion/rbac/principal.rb', line 75

def self.anonymous
  principal = new(id: 'anonymous', type: :human, roles: [])
  log.info('RBAC anonymous principal created')
  principal
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'rbac.principal.anonymous')
  raise
end

.from_claims(claims) ⇒ Object

# File 'lib/legion/rbac/principal.rb', line 39

def self.from_claims(claims)
  scope = claims[:scope] || claims['scope']
  common = {
    roles:          claims[:roles] || claims['roles'] || [],
    team:           claims[:team] || claims['team'],
    auth_method:    claims[:auth_method] || claims['auth_method'],
    samaccountname: claims[:samaccountname] || claims['samaccountname'],
    ad_fqdn:        claims[:ad_fqdn] || claims['ad_fqdn']
  }
  PROFILE_KEYS.each { |key| common[key] = claims[key] || claims[key.to_s] }

  principal = if scope == 'worker'
                new(id: claims[:worker_id] || claims['worker_id'], type: :worker, **common)
              else
                new(id: claims[:sub] || claims['sub'], type: :human, **common)
              end
  log.info(
    "RBAC principal mapped from claims id=#{principal.id} type=#{principal.type} " \
    "roles=#{principal.roles.size} team=#{principal.team}"
  )
  principal
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'rbac.principal.from_claims', scope: scope)
  raise
end

.local_admin ⇒ Object

# File 'lib/legion/rbac/principal.rb', line 65

def self.local_admin
  role = Legion::Settings[:rbac][:default_local_role] || 'admin'
  principal = new(id: 'local', type: :human, roles: [role])
  log.info("RBAC local_admin principal created role=#{role}")
  principal
rescue StandardError => e
  handle_exception(e, level: :error, operation: 'rbac.principal.local_admin')
  raise
end