aclatraz 0.0.1

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,22 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC
+*.rdb

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Kriss 'nu7hatch' Kowalik
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,107 @@
+= ACLatraz
+
+Extremaly fast and flexible access control mechanism inspired by *nix ACLs, 
+powered by fast key value stores like Redis or TokyoCabinet. 
+
+== Installation
+
+You can install ACLatraz via rubygems:
+
+  sudo gem install ACLatraz
+  
+== Basic usage
+
+First of all you have to setup store for ACL data. ACLatraz for now uses only 
+Redis database for storage. Store can be set like below:
+
+  Aclatraz.store :redis, "redis://localhost:6379/0"
+  
+Then you have to define your suspects:  
+
+  class Account < ActiveRecord::Base
+    include Aclatraz::Suspect
+  end
+  
+Now you suspect have few methods which will helps you with managing permissions:
+
+  @account = Account.create
+  @account.has_role?(:foo)     # => false
+  @account.is.foo?             # syntactic sugar for #has_role?
+  @account.assign_role!(foo)   # or @account.is.foo!
+  @account.is.foo?             # => true
+  @account.delete_role!(foo)   # or @account.is_not.foo!
+  @account.is.foo?             # => false
+  @account.is_not.foo?         # => true
+  
+Last step is create you access control list and set guards:
+
+  class Foo
+    include Aclatraz::Guard
+    
+    suspect :account do 
+      allow all
+      
+      on :manage do 
+        allow :root
+        allow :manager
+      end
+      
+      on :delete do 
+        deny :manager
+        allow :owner_of => "@project" 
+      end
+    end
+    
+    # The #suspect method allows to pass String, Symbol or Object as suspect. 
+    # When String given (eg. "account" or "@account") then value of given 
+    # instance variable will be treated as suspect. When Symbol given, then 
+    # system will take value from given instance method. Otherwise given object
+    # will be treated as suspect if possible. 
+    #
+    # Similar situation is with permission arguments. To #allow and #deny 
+    # methods you can pass symbol or hash. Symbol given represents
+    # single role, the hash represents ownership of assigned object or class.
+    # Assigned object declaration behaves the same as suspects' one. 
+    
+    def account
+      @account ||= Account.find(ENV['MYAPP_ACCOUNT'])
+    end
+    
+    def index
+      guard!
+      # ... everybody are allowed to see this
+    end
+    
+    def create
+      guard!(:manage)
+      # ... only managers and root will see this
+    end
+    
+    def delete(id)
+      @product = Product.find(id)
+      guard!(:manage, :delete)
+      # ... only root or or @product owner will see this
+    end
+    
+    def product(id)
+      @product.find(id)
+      account.is.owner_of?(@product) do
+        return @product
+      end
+      return nil
+    end
+  end
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Kriss 'nu7hatch' Kowalik. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,46 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "aclatraz"
+    gem.summary = %Q{Flexible access control that doesn't sucks!}
+    gem.description = %Q{Extremaly fast and flexible access control mechanism inspired by *nix ACLs, powered by fast key value stores like Redis or TokyoCabinet.}
+    gem.email = "kriss.kowalik@gmail.com"
+    gem.homepage = "http://github.com/nu7hatch/aclatraz"
+    gem.authors = ["Kriss 'nu7hatch' Kowalik"]
+    gem.add_development_dependency "rspec", ">= 1.2.9"
+    gem.add_development_dependency "mocha", ">= 0.9"
+    gem.add_development_dependency "redis", "~> 2.0"
+    #gem.add_development_dependency "tokyocabinet", ">= XX"
+    gem.add_dependency "dictionary", "~> 1.0"
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :spec => :check_dependencies
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "ACLatraz #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/lib/aclatraz.rb

@@ -0,0 +1,30 @@
+require 'dictionary'
+
+require 'aclatraz/helpers'
+require 'aclatraz/store'
+require 'aclatraz/acl'
+require 'aclatraz/guard'
+require 'aclatraz/suspect'
+
+module Aclatraz
+  class AccessDenied < Exception; end 
+  class InvalidSuspect < ArgumentError; end
+  class InvalidPermission < ArgumentError; end
+  class InvalidStore < ArgumentError; end
+  class StoreNotInitialized < Exception; end
+  
+  extend Helpers
+  
+  def self.store(klass=nil, *args)
+    if klass
+      begin
+        klass = eval("Aclatraz::Store::#{camelize(klass.to_s)}") unless klass.is_a?(Class)
+        @store = klass.new(*args)
+      rescue NameError
+        raise InvalidStore, "The #{klass.inspect} ACL store is not defined!"
+      end
+    else
+      @store or raise StoreNotInitialized, "ACL store is not initialized!"
+    end
+  end
+end

data/lib/aclatraz/acl.rb

@@ -0,0 +1,53 @@
+module Aclatraz
+  class ACL
+    class Action
+      attr_reader :permissions
+      
+      def initialize(parent, &block)
+        @parent = parent
+        @permissions = Dictionary.new
+        instance_eval(&block)
+      end
+
+      def allow(permission)
+        @permissions[permission] = true
+      end
+    
+      def deny(permission)
+        @permissions[permission] = false
+      end
+      
+      def all
+        true
+      end
+      
+      def on(*args, &block)
+        @parent.on(*args, &block)
+      end
+    end    
+    
+    attr_reader :actions
+    
+    def initialize(&block)
+      @actions = {}
+      on(:_, &block)
+    end
+    
+    def permissions
+      @actions[:_] ? @actions[:_].permissions : Dictionary.new
+    end
+    
+    def [](action)
+      @actions[action]
+    end
+    
+    def on(action, &block)
+      raise ArgumentError, "No block given" unless block_given?
+      if @actions.key?(action)
+        @actions[action].instance_eval(&block)
+      else
+        @actions[action] = Action.new(self, &block)
+      end
+    end
+  end
+end

data/lib/aclatraz/guard.rb

@@ -0,0 +1,87 @@
+module Aclatraz
+  module Guard
+    def self.included(base)
+      base.send :extend, ClassMethods
+      base.send :include, InstanceMethods
+    end
+    
+    module ClassMethods
+      attr_reader :acl_suspect
+      attr_reader :acl_permissions
+      
+      def suspects(name, &block)
+        @acl_suspect = name
+        @acl_permissions = ACL.new(&block)
+      end
+      alias_method :access_control, :suspects
+    end
+    
+    module InstanceMethods
+      def current_suspect
+        case self.class.acl_suspect
+        when Symbol
+          @current_suspect ||= send(self.class.acl_suspect)
+        when String
+          @current_suspect ||= instance_variable_get("@#{self.class.acl_suspect}")
+        else
+          @current_suspect ||= self.class.acl_suspect     
+        end
+      end
+      
+      def guard!(*actions)
+        if current_suspect.respond_to?(:acl_suspect?)
+          actions.unshift(:_)
+          authorized = false
+          permissions = Dictionary.new
+          
+          actions.each do |action| 
+            self.class.acl_permissions.actions[action].permissions.each_pair do |key, value|     
+              permissions.delete(key)
+              permissions.push(key, value)
+            end
+          end
+          
+          permissions.each do |permission, allow|
+            has_permission = check_permission(permission)
+            if permission == true
+              authorized = allow ? true : false
+              next
+            end
+            if allow
+              authorized ||= has_permission  
+            else
+              authorized = false if has_permission
+            end
+          end
+          
+          raise Aclatraz::AccessDenied unless authorized
+          true
+        else
+          raise Aclatraz::InvalidSuspect
+        end
+      end
+      alias_method :authorize!, :guard!
+      
+      def check_permission(permission)
+        case permission
+        when String, Symbol, true
+          current_suspect.has_role?(permission)
+        when Hash
+          permission.each do |role, object| 
+            case object
+            when String
+              object = "@#{object}" unless object[0] == "@"
+              object = instance_variable_get(object) 
+            when Symbol
+              object = send(object)
+            end
+            return true if current_suspect.has_role?(role, object)
+          end
+          false
+        else
+          raise Aclatraz::InvalidPermission
+        end
+      end
+    end
+  end
+end

data/lib/aclatraz/helpers.rb

@@ -0,0 +1,18 @@
+module Aclatraz
+  module Helpers
+    def pack(prefix, object=nil)
+      case object
+      when nil
+        "#{prefix}"
+      when Class 
+        "#{prefix}/#{object.name}"
+      else 
+        "#{prefix}/#{object.class.name}/#{object.id}"
+      end
+    end
+    
+    def camelize(str)
+      str.split('_').map {|w| w.capitalize}.join
+    end
+  end
+end

data/lib/aclatraz/store.rb

@@ -0,0 +1,11 @@
+module Aclatraz
+  module Store
+    #autoload :Memcached,     'aclatraz/store/memcached'
+    autoload :Redis,        'aclatraz/store/redis'
+    #autoload :TokyoCabinet, 'aclatraz/store/tokyocabinet'
+  
+    class Base
+      include Aclatraz::Helpers            
+    end
+  end
+end

data/lib/aclatraz/store/redis.rb

@@ -0,0 +1,52 @@
+begin
+  require 'redis'
+rescue LoadError
+  raise "You must install redis to use the Redis store backend"
+end
+
+module Aclatraz
+  module Store
+    class Redis < Base
+      ROLES_KEY = "aclatraz.roles"
+      MEMBER_ROLES_KEY = "member.%s.roles"
+      
+      def initialize(*args)
+        @backend = ::Redis.new(*args)
+      end
+
+      def set(role, owner, object=nil)
+        @backend.multi do
+          unless object
+            @backend.hset(ROLES_KEY, role, 1)
+            @backend.hset(MEMBER_ROLES_KEY % owner.id.to_s, role, 1)
+          end
+          @backend.sadd(role.to_s, pack(owner.id, object))
+        end
+      end
+      
+      def permissions(role)
+        @backend.smembers(role.to_s)
+      end
+      
+      def roles(member=nil)
+        if member
+          @backend.hkeys(MEMBER_ROLES_KEY % member.id.to_s)
+        else
+          @backend.hkeys(ROLES_KEY)
+        end
+      end
+      
+      def check(role, owner, object=nil)
+        @backend.sismember(role.to_s, pack(owner.id, object))
+      end
+      
+      def delete(role, owner, object=nil)
+        @backend.srem(role.to_s, pack(owner.id, object))
+      end
+      
+      def clear
+        @backend.flushdb
+      end
+    end
+  end
+end

data/lib/aclatraz/suspect.rb

@@ -0,0 +1,90 @@
+module Aclatraz
+  module Suspect
+    class SemanticRoles
+      class Base
+        ROLE_SUFFIXES = /(_(of|at|on|by|for|in))?(\?|\!)\Z/
+    
+        attr_reader :suspect
+    
+        def initialize(suspect)
+          @suspect = suspect
+        end
+      end
+      
+      class Yes < Base
+        def method_missing(meth, *args, &blk)
+          meth = meth.to_s
+          if meth =~ ROLE_SUFFIXES
+            setter = meth[-1].chr == "!" 
+            role = meth.gsub(ROLE_SUFFIXES, '')
+            if setter
+              suspect.assign_role!(*args.unshift(role))
+            else
+              authorized = suspect.has_role?(*args.unshift(role.to_sym))
+              blk.call if authorized && block_given?
+              authorized
+            end
+          else
+            # super doesn't work here, so...
+            raise NoMethodError, "undefined local variable or method method `#{meth}' for #{inspect}:#{self.class.name}"
+          end
+        end
+      end
+      
+      class Not < Base
+        def method_missing(meth, *args, &blk)
+          meth = meth.to_s
+          if meth =~ ROLE_SUFFIXES
+            deleter = meth[-1].chr == "!"
+            role = meth.gsub(ROLE_SUFFIXES, '')
+            if deleter 
+              suspect.delete_role!(*args.unshift(role))
+            else
+              authorized = suspect.has_role?(*args.unshift(role.to_sym))
+              blk.call if !authorized && block_given?
+              !authorized
+            end
+          else
+            raise NoMethodError, "undefined local variable or method method `#{meth}' for #{inspect}:#{self.class.name}"
+          end
+        end
+      end
+    end
+  
+    def self.included(base)
+      base.send :include, InstanceMethods
+    end
+    
+    module InstanceMethods
+      ACL_ROLE_SUFFIXES = /(_(of|at|on|by|for|in))?\Z/
+    
+      def acl_suspect?
+        true
+      end
+      
+      def has_role?(role, object=nil)
+        Aclatraz.store.check(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), self, object)
+      end
+      
+      def assign_role!(role, object=nil)
+        Aclatraz.store.set(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), self, object)
+      end 
+      
+      def delete_role!(role, object=nil)
+        Aclatraz.store.delete(role.to_s.gsub(ACL_ROLE_SUFFIXES, ''), self, object)
+      end
+      
+      def roles
+        Aclatraz.store.roles(self)
+      end
+      
+      def is
+        @acl_is ||= SemanticRoles::Yes.new(self)
+      end
+      
+      def is_not
+        @acl_is_not ||= SemanticRoles::Not.new(self)
+      end
+    end
+  end
+end

data/spec/aclatraz/acl_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe "Aclatraz ACL" do 
+  before(:all) { Aclatraz.store(:redis, "redis://localhost:6379/0") }
+  
+  it "should properly store flat access control lists" do
+    acl = Aclatraz::ACL.new {} 
+    acl.actions[:_].allow :foo
+    acl.permissions[:foo].should be_true
+    acl.actions[:_].deny :foo
+    acl.permissions[:foo].should be_false
+    acl.actions[:_].allow :foo => :bar
+    acl.permissions[{:foo=>:bar}].should be_true
+  end
+  
+  it "should allow for define seperated lists which are inherit from main block" do 
+    acl = Aclatraz::ACL.new do 
+      allow :foo
+      on(:spam) { allow :spam }
+      on(:eggs) { allow :eggs }
+      on(:spam) { allow :boo }
+    end
+    
+    acl.permissions[:foo].should be_true
+    acl.permissions[:spam].should_not be_true
+    acl.permissions[:eggs].should_not be_true
+    acl.permissions[:boo].should_not be_true
+    acl[:spam].permissions[:foo].should be_nil
+    acl[:spam].permissions[:spam].should be_true
+    acl[:spam].permissions[:eggs].should be_nil
+    acl[:spam].permissions[:boo].should be_true
+    acl[:eggs].permissions[:foo].should be_nil
+    acl[:eggs].permissions[:eggs].should be_true
+    acl[:eggs].permissions[:spam].should be_nil
+  end
+  
+  it "should raise ArgumentError when no block given" do 
+    lambda { Aclatraz::ACL.new }.should raise_error(ArgumentError)
+  end
+end

data/spec/aclatraz/guard_spec.rb

@@ -0,0 +1,148 @@
+require 'spec_helper'
+
+describe "Aclatraz guard" do 
+  include Aclatraz::Guard
+  
+  before(:all) { Aclatraz.store(:redis, "redis://localhost:6379/0") }
+  let(:foo) { @foo ||= StubSuspect.new }
+  let(:target) { StubTarget.new }
+  
+  suspects :foo do 
+    allow :role1
+    deny :role2
+    on :bar do
+      allow :role3
+      deny :role4 => StubTarget
+    end
+    on :bla do 
+      deny :role3
+      allow :role2 => :target
+      allow :role6 => 'bar'
+    end
+    on :deny_all do 
+      deny all
+    end
+    on :allow_all do 
+      allow all
+    end
+    allow :role5
+  end
+  
+  it "should properly store name of suspected object" do 
+    self.class.acl_suspect.should == :foo
+  end
+  
+  it "should properly store permissions" do 
+    self.class.acl_permissions.should be_kind_of(Aclatraz::ACL)
+  end
+  
+  it "should properly guard permissions" do
+    access_denied = Aclatraz::AccessDenied
+   
+    lambda { guard! }.should raise_error(access_denied)
+    foo.is.role1!
+    lambda { guard! }.should_not raise_error(access_denied)
+    foo.is.role2!
+    lambda { guard! }.should raise_error(access_denied) 
+    foo.is.role5!
+    lambda { guard! }.should_not raise_error(access_denied)
+    
+    lambda { guard!(:bar) }.should_not raise_error(access_denied)
+    foo.is_not.role5!
+    lambda { guard!(:bar) }.should raise_error(access_denied)
+    foo.is_not.role2!
+    lambda { guard!(:bar) }.should_not raise_error(access_denied)
+    foo.is_not.role1!
+    lambda { guard!(:bar) }.should raise_error(access_denied)
+    foo.is.role3!
+    lambda { guard!(:bar) }.should_not raise_error(access_denied)
+    foo.is.role4!(StubTarget)
+    lambda { guard!(:bar) }.should raise_error(access_denied)
+    
+    lambda { guard!(:bla) }.should raise_error(access_denied)
+    foo.is_not.role3!
+    foo.is.role1!
+    lambda { guard!(:bla) }.should_not raise_error(access_denied)
+    foo.is_not.role1!
+    lambda { guard!(:bla) }.should raise_error(access_denied)
+    foo.is.role2!(target)
+    lambda { guard!(:bla) }.should_not raise_error(access_denied)
+    foo.is_not.role2!(target)
+    @bar = StubTarget.new
+    foo.is.role6!(@bar)
+    lambda { guard!(:bla) }.should_not raise_error(access_denied)
+    foo.is.role3!
+    lambda { guard!(:bla) }.should_not raise_error(access_denied)
+    foo.is_not.role6!(@bar)
+    foo.is.role5!
+    lambda { guard!(:bla) }.should raise_error(access_denied)
+    foo.is_not.role3!
+    lambda { guard!(:bla) }.should_not raise_error(access_denied)
+    
+    foo.is_not.role5!
+    foo.is_not.role4!(StubTarget)
+    lambda { guard!(:bar, :bla) }.should raise_error(access_denied)
+    foo.is.role1!
+    lambda { guard!(:bar, :bla) }.should_not raise_error(access_denied)
+    foo.is.role4!(StubTarget)
+    lambda { guard!(:bar, :bla) }.should raise_error(access_denied)
+    foo.is.role2!(target)
+    lambda { guard!(:bar, :bla) }.should_not raise_error(access_denied)
+    
+    lambda { guard!(:allow_all) }.should_not raise_error(access_denied)
+    lambda { guard!(:deny_all) }.should raise_error(access_denied)
+    
+    lambda { guard!(:bar, :allow_all, :bla) }.should_not raise_error(access_denied)
+    foo.is_not.role2!(target)
+    lambda { guard!(:bar, :allow_all, :bla) }.should_not raise_error(access_denied)
+    foo.is.role3! 
+    lambda { guard!(:bar, :allow_all, :bla) }.should raise_error(access_denied)
+    
+    foo.is_not.role3!
+    lambda { guard!(:bar, :deny_all, :bla) }.should raise_error(access_denied)
+    foo.is.role2!(target)
+    lambda { guard!(:bar, :deny_all, :bla) }.should_not raise_error(access_denied)
+  end
+  
+  describe "ivalid permission" do 
+    suspects(:foo) { allow Object.new }
+    
+    it "#check_permissions should raise InvalidPermission error" do 
+      lambda { guard! }.should raise_error(Aclatraz::InvalidPermission)
+    end
+  end
+  
+  describe "invalid suspect" do 
+    suspects('bar') { }
+    
+    it "#guard! should raise InvalidSuspect error" do 
+      lambda { guard! }.should raise_error(Aclatraz::InvalidSuspect)
+    end
+  end
+  
+  describe "suspect object is symbol" do
+    suspects(:foo) {}
+
+    it "#current_suspect" do 
+      current_suspect.should == foo
+    end
+  end
+    
+  describe "suspect object is string" do
+    suspects('foo') {}
+    
+    it "#current_suspect" do 
+      @foo = StubSuspect.new
+      current_suspect.should == @foo
+    end
+  end
+  
+  describe "suspect object includes Suspect class" do 
+    bar = StubSuspect.new
+    suspects(bar) {}
+    
+    it "#current_suspect" do 
+      current_suspect.should == bar
+    end
+  end 
+end

data/spec/aclatraz/helpers_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe "Aclatraz helpers" do 
+  include Aclatraz::Helpers
+  
+  it "#camelize should return a camel cased word" do 
+    camelize("foo_bar_bla").should == "FooBarBla"
+    camelize("foo").should == "Foo"
+  end
+  
+  it "#pack should return packed permission" do 
+    pack(10).should == "10"
+    
+    class StubTarget; def id; 10; end; end
+    pack(10, StubTarget).should == "10/StubTarget" 
+
+    target = StubTarget.new
+    pack(20, target).should == "20/StubTarget/10"
+  end
+end

data/spec/aclatraz/stores_spec.rb

@@ -0,0 +1,88 @@
+require 'spec_helper'
+
+STORE_SPECS = proc do
+  it "should properly assign given roles to owner and check permissions" do
+    subject.set("foo", owner)
+    subject.check("foo", owner).should be_true
+    
+    subject.set("bar", owner, StubTarget)
+    subject.check("bar", owner, StubTarget).should be_true
+    
+    subject.set("bla", owner, target)
+    subject.check("bla", owner, target).should be_true
+    
+    subject.check("foo", owner, target).should be_false
+    subject.check("foo", owner, StubTarget).should be_false
+    subject.check("bar", owner).should be_false
+  end
+  
+  it "should properly delete given permission" do
+    subject.set("foo", owner)
+    subject.set("bar", owner, StubTarget)
+    subject.set("bla", owner, target)
+    
+    subject.delete("bar", owner)
+    subject.delete("bar", owner, StubTarget)
+    subject.delete("bar", owner, target)
+    
+    subject.check("bar", owner).should be_false
+    subject.check("bar", owner, StubTarget).should be_false
+    subject.check("bar", owner, target).should be_false
+  end
+  
+  it "should allow to fetch list of permissions for current role" do 
+    subject.set("bar", owner)
+    subject.set("bar", owner, target)
+    class << owner; def id; 20; end; end
+    subject.set("bar", owner, StubTarget)
+    
+    (subject.permissions("bar") - ["15", "15/StubTarget/10", "20/StubTarget"]).should be_empty
+    subject.permissions("lala").should be_empty
+  end 
+  
+  it "should allow to fetch whole list of roles" do 
+    subject.set("foo", owner)
+    subject.set("bar", owner)
+    subject.set("bla", owner)
+    
+    (subject.roles - ["foo", "bar", "bla"]).should be_empty 
+  end
+  
+  it "should allow to fetch list of roles for specified member" do 
+    subject.set("foo", owner)
+    subject.set("bar", owner)
+    subject.set("bla", owner)
+    
+    (subject.roles(owner.id) - ["foo", "bar", "bla"]).should be_empty
+    subject.roles(33).should be_empty
+  end
+end
+
+describe "Aclatraz" do
+  it "should raise InvalidStore error when given store doesn't exists" do 
+    lambda { Aclatraz.store(:fooobar) }.should raise_error(Aclatraz::InvalidStore)
+  end
+  
+  it "should raise StoreNotInitialized error when store has not been set yet" do 
+    Aclatraz.instance_variable_set('@store', nil)
+    lambda { Aclatraz.store }.should raise_error(Aclatraz::StoreNotInitialized)
+  end
+  
+  it "should properly set datastore when class given" do 
+    class TestStore; end
+    lambda { Aclatraz.store(TestStore) }.should_not raise_error
+    Aclatraz.store.should be_kind_of(TestStore)
+  end
+  
+  let(:owner) { StubOwner.new }
+  let(:target) { StubTarget.new }
+  
+  describe "Redis store" do 
+    before(:all) { @redis = Thread.new { `redis-server` } }
+    after(:all) { @redis.exit! }
+    subject { Aclatraz.store(:redis, "redis://localhost:6379/0") }
+    before(:each) { subject.clear }
+    
+    class_eval &STORE_SPECS
+  end
+end

data/spec/aclatraz/suspect_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+
+describe "Aclatraz suspect" do 
+  before(:all) { Aclatraz.store(:redis, "redis://localhost:6379/0") }
+  subject { StubSuspect.new }
+  let(:target) { StubTarget.new }
+  
+  its(:acl_suspect?) { should be_true }
+  
+  it "1: should properly set given role" do 
+    subject.assign_role!(:foobar1)
+    subject.assign_role!(:foobar2, StubTarget)
+    subject.assign_role!(:foobar3, target) 
+    
+    Aclatraz.store.permissions(:foobar1).should include("10")
+    Aclatraz.store.permissions(:foobar2).should include("10/StubTarget")
+    Aclatraz.store.permissions(:foobar3).should include("10/StubTarget/10")
+  end
+  
+  it "2: should properly check given permissions" do 
+    subject.has_role?(:foobar1).should be_true
+    subject.has_role?(:foobar2, StubTarget).should be_true
+    subject.has_role?(:foobar3, target).should be_true
+    subject.has_role?(:foobar1, StubTarget).should be_false
+  end
+  
+  it "3: should allow to get list of roles assigned to user" do 
+    (subject.roles - ["foobar1", "foobar2", "foobar3"]) .should be_empty
+  end
+  
+  it "4: should properly remove given permissions" do 
+    subject.delete_role!(:foobar1)
+    subject.delete_role!(:foobar2, StubTarget)
+    subject.delete_role!(:foobar3, target) 
+    
+    subject.has_role?(:foobar1).should be_false
+    subject.has_role?(:foobar2, StubTarget).should be_false
+    subject.has_role?(:foobar3, target).should be_false
+  end
+  
+  describe "syntactic sugars" do 
+    it "1: should properly set given role" do 
+      subject.is.foobar1!
+      subject.is.foobar2_of!(StubTarget)
+      subject.is.foobar3_for!(target)
+      subject.is.foobar4_on!(target) 
+      subject.is.foobar5_at!(target)
+      subject.is.foobar6_by!(target)
+      subject.is.foobar7_in!(target)
+      
+      subject.has_role?(:foobar1).should be_true
+      subject.has_role?(:foobar2_of, StubTarget).should be_true
+      subject.has_role?(:foobar3_for, target).should be_true
+      subject.has_role?(:foobar4_of, target).should be_true
+      subject.has_role?(:foobar5_at, target).should be_true
+      subject.has_role?(:foobar6_by, target).should be_true
+      subject.has_role?(:foobar7_in, target).should be_true
+    end
+    
+    it "2: should properly check given permissions" do 
+      subject.is.foobar1?.should be_true
+      subject.is.foobar2_of?(StubTarget).should be_true
+      subject.is.foobar3_for?(target).should be_true
+      subject.is.foobar4_on?(target).should be_true
+      subject.is.foobar5_at?(target).should be_true
+      subject.is.foobar6_by?(target).should be_true
+      subject.is.foobar7_in?(target).should be_true
+      subject.is.foobar8_in?.should be_false
+      
+      subject.is_not.foobar1?.should be_false
+      subject.is_not.foobar2_of?(StubTarget).should be_false
+      subject.is_not.foobar3_for?(target).should be_false
+      subject.is_not.foobar4_on?(target).should be_false
+      subject.is_not.foobar5_at?(target).should be_false
+      subject.is_not.foobar6_by?(target).should be_false
+      subject.is_not.foobar7_in?(target).should be_false
+      subject.is_not.foobar8_in?.should be_true
+    end
+    
+    it "3: should properly remove given permissions" do 
+      subject.is_not.foobar1!
+      subject.is_not.foobar2_of!(StubTarget)
+      subject.is_not.foobar3_for!(target)
+      subject.is_not.foobar4_on!(target) 
+      subject.is_not.foobar5_at!(target)
+      subject.is_not.foobar6_by!(target)
+      subject.is_not.foobar7_in!(target)
+      
+      subject.is.foobar1?.should be_false
+      subject.is.foobar2_of?(StubTarget).should be_false
+      subject.is.foobar3_for?(target).should be_false
+      subject.is.foobar4_on?(target).should be_false
+      subject.is.foobar5_at?(target).should be_false
+      subject.is.foobar6_by?(target).should be_false
+      subject.is.foobar7_in?(target).should be_false
+    end
+    
+    it "4: should raise NoMethodError when there is not checker or setter/deleter called" do
+      lambda { subject.is.foobar }.should raise_error(NoMethodError)
+      lambda { subject.is_not.foobar }.should raise_error(NoMethodError)
+    end
+  end
+end

data/spec/aclatraz_spec.rb

@@ -0,0 +1,6 @@
+require 'spec_helper'
+
+describe "Aclatraz" do
+
+end
+

data/spec/spec.opts

@@ -0,0 +1,2 @@
+--color
+--backtrace

data/spec/spec_helper.rb

@@ -0,0 +1,26 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+$VERBOSE = nil
+
+require 'rubygems'
+require 'aclatraz'
+require 'spec'
+require 'spec/autorun'
+
+Spec::Runner.configure do |config|
+  config.mock_with :mocha
+end
+
+class StubSuspect
+  include Aclatraz::Suspect
+  def id; 10; end 
+end
+
+class StubTarget
+  def id; 10; end
+end
+
+class StubOwner
+  def id; 15; end
+end

metadata

@@ -0,0 +1,154 @@
+--- !ruby/object:Gem::Specification 
+name: aclatraz
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Kriss 'nu7hatch' Kowalik
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-09-10 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 13
+        segments: 
+        - 1
+        - 2
+        - 9
+        version: 1.2.9
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: mocha
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 9
+        version: "0.9"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: redis
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 2
+        - 0
+        version: "2.0"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: dictionary
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 1
+        - 0
+        version: "1.0"
+  type: :runtime
+  version_requirements: *id004
+description: Extremaly fast and flexible access control mechanism inspired by *nix ACLs, powered by fast key value stores like Redis or TokyoCabinet.
+email: kriss.kowalik@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/aclatraz.rb
+- lib/aclatraz/acl.rb
+- lib/aclatraz/guard.rb
+- lib/aclatraz/helpers.rb
+- lib/aclatraz/store.rb
+- lib/aclatraz/store/redis.rb
+- lib/aclatraz/suspect.rb
+- spec/aclatraz/acl_spec.rb
+- spec/aclatraz/guard_spec.rb
+- spec/aclatraz/helpers_spec.rb
+- spec/aclatraz/stores_spec.rb
+- spec/aclatraz/suspect_spec.rb
+- spec/aclatraz_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/nu7hatch/aclatraz
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Flexible access control that doesn't sucks!
+test_files: 
+- spec/spec_helper.rb
+- spec/aclatraz/guard_spec.rb
+- spec/aclatraz/helpers_spec.rb
+- spec/aclatraz/acl_spec.rb
+- spec/aclatraz/stores_spec.rb
+- spec/aclatraz/suspect_spec.rb
+- spec/aclatraz_spec.rb