access_policy_rails 0.0.1

data/spec/acceptance/dummy/config/environments/test.rb

@@ -0,0 +1,36 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static asset server for tests with Cache-Control for performance.
+  config.serve_static_assets  = true
+  config.static_cache_control = "public, max-age=3600"
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+end

data/spec/acceptance/dummy/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/spec/acceptance/dummy/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/spec/acceptance/dummy/config/initializers/inflections.rb

@@ -0,0 +1,16 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end

data/spec/acceptance/dummy/config/initializers/mime_types.rb

@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf
+# Mime::Type.register_alias "text/html", :iphone

data/spec/acceptance/dummy/config/initializers/secret_token.rb

@@ -0,0 +1,12 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure your secret_key_base is kept private
+# if you're sharing your code publicly.
+Dummy::Application.config.secret_key_base = '16ce008690d50afa9e7eabb77bb6ee1ea25c92a18998c91f1f2248fe249750113fb37b055d4665f77c2a62a354dfb4eb3b2273c8feb46bdf7c5ec5164f011d05'

data/spec/acceptance/dummy/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Dummy::Application.config.session_store :cookie_store, key: '_dummy_session'

data/spec/acceptance/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,9 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end

data/spec/acceptance/dummy/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/spec/acceptance/dummy/config/routes.rb

@@ -0,0 +1,56 @@
+Dummy::Application.routes.draw do
+  # The priority is based upon order of creation: first created -> highest priority.
+  # See how all your routes lay out with "rake routes".
+
+  # You can have the root of your site routed with "root"
+  # root 'welcome#index'
+
+  # Example of regular route:
+  #   get 'products/:id' => 'catalog#view'
+
+  # Example of named route that can be invoked with purchase_url(id: product.id)
+  #   get 'products/:id/purchase' => 'catalog#purchase', as: :purchase
+
+  # Example resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Example resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Example resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Example resource route with more complex sub-resources:
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', on: :collection
+  #     end
+  #   end
+
+  # Example resource route with concerns:
+  #   concern :toggleable do
+  #     post 'toggle'
+  #   end
+  #   resources :posts, concerns: :toggleable
+  #   resources :photos, concerns: :toggleable
+
+  # Example resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+end

data/spec/acceptance/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails.application

data/spec/acceptance/dummy/public/404.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/acceptance/dummy/public/422.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/acceptance/dummy/public/500.html

@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

data/spec/acceptance/enables_permission_query_spec.rb

@@ -0,0 +1,49 @@
+require 'acceptance_spec_helper'
+
+feature 'Enables permission query', %q{
+   In order to execute command depended on permissions
+   as a developer
+   I want to be able to query permissions
+} do
+
+  given(:a_controller){
+    Class.new(ProtectControllerActionsSpec::DummyController) do
+
+    end.new.tap {|c|
+      c.current_user = a_user
+    }
+  }
+
+  given(:a_user){
+    double('user', create_allowed?: false, show_allowed?: true)
+  }
+
+  given(:service_object){
+    Class.new() do
+      include AccessPolicy
+
+      def self.policy_class
+        Struct.new(:current_user, :service_object) do
+          def create?
+            !!(current_user && current_user.create_allowed?)
+          end
+
+          def show?
+            !!(current_user && current_user.show_allowed?)
+          end
+        end
+      end
+
+    end.new
+  }
+
+  scenario 'action is allowed' do
+    expect(a_controller.policy_for(service_object).allow?(:show)).to be_truthy
+  end
+
+  scenario 'action is forbidden' do
+    expect(a_controller.policy_for(service_object).allow?(:create)).to be_falsy
+  end
+
+
+end

data/spec/acceptance/enforce_authorize_outside_of_action_spec.rb

@@ -0,0 +1,67 @@
+require 'acceptance_spec_helper'
+
+feature 'Enforce authorize outside of a controller action', %q{
+   In order to enforce authorization in service objects
+   as a developer
+   I want to be able to mark actions as authorization needed but not self authorized
+} do
+
+  given(:a_controller_with_guarded_actions){
+    Class.new(ProtectControllerActionsSpec::DummyController) do
+      attr_accessor :service_object
+
+      def self.policy_class
+        ProtectControllerActionsSpec::DummyControllerPolicy
+      end
+
+      guarded_action :update, authorize_action: false do
+        service_object.call
+      end
+
+      guarded_action :post, authorize_action: false do
+        service_object.post
+      end
+
+    end.new.tap {|c|
+      c.current_user = a_user
+      c.service_object = service_object
+    }
+  }
+
+  given(:a_user){
+    double('user', create_allowed?: false, show_allowed?: false)
+  }
+
+  given(:service_object){
+    Class.new() do
+      include AccessPolicy
+
+      def self.policy_class
+        Struct.new(:current_user, :service_object) do
+          def call?
+            true
+          end
+        end
+      end
+
+      policy_guarded_method "call" do
+
+      end
+
+      def post
+
+      end
+
+    end.new
+  }
+
+  scenario 'action is authorized in service object' do
+    expect{a_controller_with_guarded_actions.update}.not_to raise_error
+  end
+
+  scenario 'action is not authorized in service object' do
+    expect{a_controller_with_guarded_actions.post}.to raise_error AccessPolicy::AuthorizeNotCalledError
+  end
+
+
+end

data/spec/acceptance/protect_controller_actions_spec.rb

@@ -0,0 +1,25 @@
+require 'acceptance_spec_helper'
+
+feature 'Protect controller actions', %q{
+   In order to secure my rails application
+   as a developer
+   I want to protect some actions
+} do
+
+  given(:a_controller_with_guarded_actions){
+    ProtectControllerActionsSpec::DummyController.new.tap {|c| c.current_user = a_user}
+  }
+
+  given(:a_user){
+    double('user', create_allowed?: false, show_allowed?: true)
+  }
+
+  scenario "access protected actions without permission" do
+    expect{a_controller_with_guarded_actions.create}.to raise_error AccessPolicy::NotAuthorizedError
+  end
+
+  scenario "access protected actions with permission" do
+    expect{a_controller_with_guarded_actions.show}.not_to raise_error
+  end
+
+end

data/spec/acceptance/support/dummy_controller.rb

@@ -0,0 +1,13 @@
+module ProtectControllerActionsSpec
+  class DummyController < ActionController::Base
+    attr_accessor :current_user
+
+    guarded_action :create do
+
+    end
+
+    guarded_action :show do
+
+    end
+  end
+end

data/spec/acceptance/support/dummy_controller_policy.rb

@@ -0,0 +1,11 @@
+module ProtectControllerActionsSpec
+  DummyControllerPolicy = Struct.new(:current_user, :controller) do
+    def create?
+      current_user && current_user.create_allowed?
+    end
+
+    def show?
+      current_user && current_user.show_allowed?
+    end
+  end
+end

data/spec/acceptance/support/feature.rb

@@ -0,0 +1,30 @@
+#
+# taken from https://github.com/jnicklas/capybara/blob/master/lib/capybara/rspec/features.rb
+#
+module Capybara
+  module Features
+    def self.included(base)
+      base.instance_eval do
+        alias :background :before
+        alias :scenario :it
+        alias :xscenario :xit
+        alias :given :let
+        alias :given! :let!
+        alias :feature :describe
+      end
+    end
+  end
+end
+
+
+def self.feature(*args, &block)
+  options = if args.last.is_a?(Hash) then args.pop else {} end
+  options[:capybara_feature] = true
+  options[:type] = :feature
+  options[:caller] ||= caller
+  args.push(options)
+
+  describe(*args, &block)
+end
+
+RSpec.configuration.include Capybara::Features, :capybara_feature => true

data/spec/acceptance/use_different_user_for_policy_checks_spec.rb

@@ -0,0 +1,40 @@
+require 'acceptance_spec_helper'
+
+feature 'Use different user for policy checks', %q{
+   In order to use another user then the current user
+   as a developer
+   I want to be able to override policy_check_user
+} do
+
+  given(:a_controller_with_guarded_actions){
+    Class.new(ProtectControllerActionsSpec::DummyController) do
+      attr_accessor :other_user
+
+      def self.policy_class
+        ProtectControllerActionsSpec::DummyControllerPolicy
+      end
+
+      protected
+      def policy_check_user
+        other_user
+      end
+    end.new.tap {|c|
+      c.current_user = a_user
+      c.other_user = a_user_with_permissions
+    }
+  }
+
+  given(:a_user){
+    double('user', create_allowed?: false, show_allowed?: false)
+  }
+
+  given(:a_user_with_permissions){
+    double('a_user_with_permissions', create_allowed?: true, show_allowed?: true)
+  }
+
+  scenario 'policy check user is overridden' do
+    expect{a_controller_with_guarded_actions.create}.not_to raise_error
+  end
+
+
+end

data/spec/acceptance_spec_helper.rb

@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+require File.join(File.expand_path(__dir__ ),"acceptance/dummy/config/environment.rb")
+
+#require "action_controller/railtie"
+#require "action_mailer/railtie"
+
+require 'rspec/rails'
+
+Dir[File.join(File.expand_path(__dir__), "acceptance/support/**/*.rb")].each { |f| require f }

data/spec/spec_helper.rb

@@ -0,0 +1,42 @@
+require 'bundler/setup'
+Bundler.require(:development)
+
+require 'coveralls'
+Coveralls.wear! unless ENV["SIMPLE_COVERAGE"]
+
+begin
+  if ENV["SIMPLE_COVERAGE"]
+    require 'simplecov'
+    SimpleCov.start do
+      add_group "Lib", "lib"
+
+      add_filter "/spec/"
+    end
+  end
+rescue LoadError
+  warn "=" * 80
+  warn 'simplecov not installed. No coverage report'
+  warn "=" * 80
+end
+
+require 'access_policy_rails'
+
+Dir[File.join(File.expand_path(__dir__ ), "support/**/*.rb")].each { |f| require f }
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end