aclatraz 0.1.0 → 0.1.1

data/CHANGELOG.rdoc

@@ -1,3 +1,9 @@
+== Version 0.1.1
+
+* Riak store [Thanks seven1m]
+* Optimized Redis store
+* Fixed tests
+
 == Version 0.1.0
 
 * Inherited access control lists

data/README.rdoc

@@ -26,7 +26,7 @@ Suspects are objects which we can assign specific permissions. There is only
 one condition which object have to meet to be suspect - it must have the #id
 method which returns an unique identifier after which we will be able to
 reference this object. To enable suspect behaviour you have to include the
-+Aclatraz::Suspect+ module to specified class, eg:
+<tt>Aclatraz::Suspect</tt> module to specified class, eg:
 
   class Account < ActiveRecord::Base
     include Aclatraz::Suspect
@@ -38,24 +38,22 @@ Now your suspect have few methods which will helps you manage it permissions.
 
 ACLatraz distinguishes between three types of roles:
 
-*global* :: 
-  simple roles, which are most commonly assigned to many users. We can say that 
-  they are kind of groups. Global roles are eg. _guest_, _admin_, _customer_.
-*class-related* :: 
-  roles that affects management of a particular class. Example of this kind
-  of role can be *manager* of +Pages+, *admin* of +Products+, etc.  
-*object-related* ::
-  roles that affects management of an object. For example *author* of 
-  _specified page_, *owner* of _specified product_, etc. 
+* <b>global:</b> simple roles, which are most commonly assigned to many users. 
+  We can say that they are kind of groups. Global roles are eg. _guest_, _admin_, 
+  _customer_.
+* <b>class-related:</b> roles that affects management of a particular class. 
+  Example of this kind of role can be *manager* of +Pages+, *admin* of +Products+, etc.  
+* <b>object-related:</b> roles that affects management of an object. For example 
+  *author* of <em>specified page</em>, *owner* of <em>specified product</em>, etc. 
 
-Now there is two ways for managing roles. You can use +#roles+ or semanticaly 
-look like +#is+ and +#is_not+ proxies. 
+Now there is two ways for managing roles. You can use <tt>#roles</tt> or semanticaly 
+look like <tt>#is</tt> and <tt>#is_not</tt> proxies. 
 
 ==== Assigning
 
-To add given role you can use +#assign+ method from +#roles+ proxy or use
-semantic shortcuts. Semantic shortcut have to ends with *!*, and can have
-optional suffixes: <em>_on</em>, <em>_of</em>, <em>_at</em>, <em>_for</em>,
+To add given role you can use <tt>#assign</tt> method from <tt>#roles</tt> proxy 
+or use semantic shortcuts. Semantic shortcut have to ends with <b>"!"</b>, and 
+can have optional suffixes: <em>_on</em>, <em>_of</em>, <em>_at</em>, <em>_for</em>,
 <em>_in</em>, <em>_by</em>. Take a look at the following examples to get 
 everything to be clear: 
 
@@ -67,51 +65,58 @@ everything to be clear:
   @account.roles.assign(:responsible, Foo) # or...
   @account.is.responsible_for!(Foo)
  
-...will assign to the account _responsible_ role related with Foo class. 
+...will assign to the account _responsible_ role related with +Foo+ class. 
 
   @account.roles.assign(:author, Page.find(15)) # or...
   @account.is.author_of!(Page.find(15))
   
-...will assign to the account _author_ role related with given page object. 
+...will assign to the account _author_ role related with given +Page+ object. 
 
 ==== Checking
 
-Using #roles proxy you can call +#has?+ method on it, eg: 
+Using #roles proxy you can call <tt>#has?</t> method on it, eg: 
 
   @account.roles.has?(:admin)                # => true
   @account.roles.has?(:responsible, Foo)     # => true
   @account.roles.has?(:author, Page.find(15) # => true
 
-With semantic shortcuts your method name have to ends with *?* and can contain 
+With semantic shortcuts your method name have to ends with <b>"?"</b> and can contain 
 any of suffixes listed above, eg:
 
-  @account.is.admin?                   # => true
-  @account.is.responsible_for?(Foo)    # => true
-  @account.is.author_of(Page.find(15)) # => true
+  @account.is.admin?                    # => true
+  @account.is.responsible_for?(Foo)     # => true
+  @account.is.author_of?(Page.find(15)) # => true
 
 Few more examples with semantic negation:
 
-  @account.is_not.admin?               # => false
-  @account.is_not.responsible_for(Foo) # => false
+  @account.is_not.admin?                # => false
+  @account.is_not.responsible_for?(Foo) # => false
+
+You can also check permissions using nice block-style syntax. The code inside
+the block will be executed only when object has given role. An quick example:
+
+  @account.is.admin? do 
+    # only admins can se this...
+  end
 
 ==== Deleting
 
-To unassign given role from object use +#delete+ method from +#roles+, eg:
+To unassign given role from object use <tt>#delete</tt> method from <tt>#roles</tt>, eg:
 
   @account.roles.delete(:admin)
   @account.roles.delete(:responsible, Foo)
   
-Another way is to use semantic negation, where method name have to ends with *!* 
+Another way is to use semantic negation, where method name have to ends with <b>"!"</b> 
 and can contain one of allowed suffixes, eg:
 
   @account.is_not.admin!
-  @account.is_not.author_of(Page.find(15))
+  @account.is_not.author_of!(Page.find(15))
   
 == Guards
 
 To enable access control in your for your objects you have to include to it the 
-+Aclatraz::Guard+ module. This module provides methods for defining and checking
-permissions of an suspected object. Take a look for this basic example:
+<tt>Aclatraz::Guard</tt> module. This module provides methods for defining and 
+checking permissions of an suspected object. Take a look for this basic example:
 
   class Foo
     include Aclatraz::Guard
@@ -122,23 +127,23 @@ permissions of an suspected object. Take a look for this basic example:
     end
   end 
  
-The +#suspects+ block is passing one argument - suspected object. When there is
-symbol given, like in example above, then will treat #account instance method
-result as suspected object. When you will use string, eg:
+The <tt>#suspects</tt> block is passing one argument - suspected object. When 
+there is symbol given, like in example above, then will treat <tt>#account</tt>
+instance method result as suspected object. When you will use string, eg:
 
   suspects "account" do # or suspects "@account" do ...
   
-... it will treat @account instance variable as suspect. You can also specify 
-suspected object directly, eg:
+... it will treat <tt>@account</tt> instance variable as suspect. You can also 
+specify suspected object directly, eg:
 
   account = Account.find(1)
   suspects account do # ...
   
-=== Allowing and denying access
+=== Setting up permissions
 
 As you probably noticed, there is two methods responsible for access control, 
-namely +#allow+ and +#deny+. As its argument you can pass simple name of role
-or permission statement, eg:
+namely <tt>#allow</tt> and <tt>#deny</tt>. As its argument you can pass simple 
+name of role or permission statement, eg:
 
   allow :admin
   deny :guest
@@ -146,8 +151,8 @@ or permission statement, eg:
   allow :author_of => "@page"  
  
 Like you see, you can easy specify access for each kind of role. The object-related
-permissions behaviour is similar to +#suspects+ method. When given related object
-is string then applies permissions for an instance variable, when symbol then 
+permissions behaviour is similar to <tt>#suspects</tt> method. When given related 
+object is string then applies permissions for an instance variable, when symbol then 
 applies it for instance method, otherwise directly for given object.
 
 === Actions
@@ -172,9 +177,10 @@ Obviously all actions inherits all permissions from main block.
  
 === Authorizing
 
-The +Aclatraz::Guards+ module provides +#guard!+ method for checking permissions.
-When suspected object don't have any of allowed permissions or have any of defnied
-then it will raise the +Aclatraz::AccessDenied+ error. Here's an comprehensive example:
+The <tt>Aclatraz::Guards</tt> module provides <tt>#guard!</tt> method for checking 
+permissions. When suspected object don't have any of allowed permissions or have 
+any of defnied then it will raise the <tt>Aclatraz::AccessDenied</tt> error. 
+Here's an comprehensive example:
 
   class Foo
     suspects "@account" do 
@@ -215,7 +221,7 @@ then it will raise the +Aclatraz::AccessDenied+ error. Here's an comprehensive e
   end
  
 There is also a very nice feature. You can define additional permissions directly
-in +#guard!+ block, eg:
+in <tt>#guard!</tt> block, eg:
 
   def foo
     guard! do
@@ -253,8 +259,8 @@ in each child class you can freely modify permissions. Here's an example:
   
 === Aliases
 
-If you prefer you can use aliases: +#access_control+ instead of +#suspects+ and 
-+#authorize!+ instead of +#guard!+.   
+If you prefer you can use aliases: <tt>#access_control</tt> instead of 
+<tt>#suspects</tt> and <tt>#authorize!</tt> instead of <tt>#guard!</tt>.   
 
 == Note on Patches/Pull Requests
  

data/Rakefile

@@ -16,6 +16,7 @@ begin
     gem.add_development_dependency "rspec", ">= 1.2.9"
     gem.add_development_dependency "mocha", ">= 0.9"
     gem.add_development_dependency "redis", "~> 2.0"
+    gem.add_development_dependency "riak-client", "~> 0.8"
     gem.add_dependency "dictionary", "~> 1.0"
   end
   Jeweler::GemcutterTasks.new

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.1.1

data/aclatraz.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{aclatraz}
-  s.version = "0.1.0"
+  s.version = "0.1.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Kriss 'nu7hatch' Kowalik"]
-  s.date = %q{2010-09-16}
+  s.date = %q{2010-09-17}
   s.description = %q{      Extremaly fast and flexible access control mechanism inspired by *nix ACLs, 
       powered by fast key value stores like Redis or TokyoCabinet.
 }
@@ -35,6 +35,7 @@ Gem::Specification.new do |s|
      "lib/aclatraz/helpers.rb",
      "lib/aclatraz/store.rb",
      "lib/aclatraz/store/redis.rb",
+     "lib/aclatraz/store/riak.rb",
      "lib/aclatraz/suspect.rb",
      "spec/aclatraz/acl_spec.rb",
      "spec/aclatraz/guard_spec.rb",
@@ -71,17 +72,20 @@ Gem::Specification.new do |s|
       s.add_development_dependency(%q<rspec>, [">= 1.2.9"])
       s.add_development_dependency(%q<mocha>, [">= 0.9"])
       s.add_development_dependency(%q<redis>, ["~> 2.0"])
+      s.add_development_dependency(%q<riak-client>, ["~> 0.8"])
       s.add_runtime_dependency(%q<dictionary>, ["~> 1.0"])
     else
       s.add_dependency(%q<rspec>, [">= 1.2.9"])
       s.add_dependency(%q<mocha>, [">= 0.9"])
       s.add_dependency(%q<redis>, ["~> 2.0"])
+      s.add_dependency(%q<riak-client>, ["~> 0.8"])
       s.add_dependency(%q<dictionary>, ["~> 1.0"])
     end
   else
     s.add_dependency(%q<rspec>, [">= 1.2.9"])
     s.add_dependency(%q<mocha>, [">= 0.9"])
     s.add_dependency(%q<redis>, ["~> 2.0"])
+    s.add_dependency(%q<riak-client>, ["~> 0.8"])
     s.add_dependency(%q<dictionary>, ["~> 1.0"])
   end
 end

data/lib/aclatraz/helpers.rb

@@ -1,26 +1,16 @@
 module Aclatraz
   module Helpers
-    # Pack given permission data.
-    #
-    #   pack(10)               # => "10"
-    #   pack(10, "FooClass")   # => "10/FooClass"
-    #   pack(10, FooClass.new) # => "10/FooClass/{foo_object_ID}"
-    def pack(owner, object=nil)
-      case object
-      when nil
-        "#{owner}"
-      when Class 
-        "#{owner}/#{object.name}"
-      else 
-        "#{owner}/#{object.class.name}/#{object.id}"
-      end
-    end
-    
     # Given underscored word, returns camelized version of it. 
     #
     #   camelize(foo_bar_bla) # => "FooBarBla"
     def camelize(str)
       str.split('_').map {|w| w.capitalize}.join
     end
+    
+    # If given object is kind of string or integer then returns it, otherwise
+    # it tries to return its ID.
+    def member_id(member)
+      member.is_a?(String) || member.is_a?(Integer) ? member.to_s : member.id.to_s
+    end
   end # Helpers
 end # Aclatraz

data/lib/aclatraz/store.rb

@@ -1,6 +1,7 @@
 module Aclatraz
   module Store
     autoload :Redis,        'aclatraz/store/redis'
+    autoload :Riak,         'aclatraz/store/riak'
     #autoload :Memcached,    'aclatraz/store/memcached'
     #autoload :TokyoCabinet, 'aclatraz/store/tokyocabinet'
   end # Store

data/lib/aclatraz/store/redis.rb

@@ -6,47 +6,78 @@ end
 
 module Aclatraz
   module Store
+    # List of global roles are stored in ROLES set. Each member has its 
+    # own key, which contains list of assigned roles. Roles are stored in
+    # following format:
+    #
+    #   member.{:member_id}.roles:
+    #     "role_name"
+    #     "role_name/ClassName"
+    #     "role_name/ObjectClass/object_id"
     class Redis
       include Aclatraz::Helpers
       
-      ROLES_KEY = "aclatraz.roles"
-      MEMBER_ROLES_KEY = "member.%s.roles"
+      ROLES = "roles"
+      MEMBER_ROLES = "member.%s.roles"
       
       def initialize(*args) # :nodoc:
         @backend = ::Redis.new(*args)
       end
 
-      def set(role, owner, object=nil)
+      def set(role, member, object=nil)
         @backend.multi do
-          unless object
-            @backend.hset(ROLES_KEY, role, 1)
-            @backend.hset(MEMBER_ROLES_KEY % owner.id.to_s, role, 1)
-          end
-          @backend.sadd(role.to_s, pack(owner.id, object))
+          @backend.sadd(ROLES, role.to_s) unless object
+          @backend.sadd(MEMBER_ROLES % member_id(member), pack(role.to_s, object))
         end
       end
       
       def roles(member=nil)
         if member
-          @backend.hkeys(MEMBER_ROLES_KEY % member.id.to_s)
+          @backend.smembers(MEMBER_ROLES % member_id(member)).map {|role|
+            role = unpack(role)
+            role[0] if role.size == 1
+          }.compact.uniq
         else
-          @backend.hkeys(ROLES_KEY)
+          @backend.smembers(ROLES)
         end
       end
       
-      def check(role, owner, object=nil)
-        @backend.sismember(role.to_s, pack(owner.id, object)) or begin
-          object && !object.is_a?(Class) ? check(role, owner, object.class) : false
+      def check(role, member, object=nil)
+        @backend.sismember(MEMBER_ROLES % member_id(member), pack(role.to_s, object)) or begin
+          object && !object.is_a?(Class) ? check(role, member, object.class) : false
         end
       end
       
-      def delete(role, owner, object=nil)
-        @backend.srem(role.to_s, pack(owner.id, object))
+      def delete(role, member, object=nil)
+        @backend.srem(MEMBER_ROLES % member_id(member), pack(role.to_s, object))
       end
       
       def clear
         @backend.flushdb
       end
+      
+      private
+      
+      # Pack given permission data.
+      #
+      #   pack(foo)               # => "foo"
+      #   pack(foo, "FooClass")   # => "foo/FooClass"
+      #   pack(foo, FooClass.new) # => "foo/FooClass/{foo_object_ID}"
+      def pack(role, object=nil)
+        case object
+        when nil
+          "#{role}"
+        when Class 
+          "#{role}/#{object.name}"
+        else 
+          "#{role}/#{object.class.name}/#{object.id}"
+        end
+      end
+      
+      # Unpack given permission data.
+      def unpack(data)
+        data.to_s.split("/")
+      end
     end # Redis
   end # Store
 end # Aclatraz

data/lib/aclatraz/store/riak.rb

@@ -0,0 +1,83 @@
+require 'yaml'
+
+begin
+  require "riak"
+rescue LoadError
+  raise "You must install the redis-client gem to use the Riak store"
+end
+
+module Aclatraz
+  module Store
+    # The most optimal way to store roles in riak database is pack everything
+    # in a single key name, eg:
+    #
+    #   :suspect_id/:role_name 
+    #   :suspect_id/:role_name/:ClassName 
+    #   :suspect_id/:role_name/:ObjectClass/object_id
+    class Riak
+      include Aclatraz::Helpers
+
+      def initialize(bucket_name, *args) # :nodoc:
+        @backend = ::Riak::Client.new(*args).bucket(bucket_name)
+      end
+
+      def set(role, member, object=nil)
+        obj = @backend.new(pack(role.to_s, member_id(member), object))
+        obj.content_type = "text/plain"
+        obj.data = "1"
+        obj.store
+      end
+
+      def roles(member=nil)
+        roles = []
+        # Also this can be a little bit slow...
+        @backend.keys.each do |key|
+          @backend.exists?(key) ? perm = unpack(key) : next
+          if perm.size == 2 && (!member || (member && perm[0].to_s == member_id(member)))
+            roles.push(perm[1])
+          end
+        end
+        roles.compact.uniq
+      end
+
+      def check(role, member, object=nil)
+        @backend.exists?(pack(role.to_s, member_id(member), object)) or begin
+          object && !object.is_a?(Class) ? check(role, member, object.class) : false
+        end
+      end
+
+      def delete(role, member, object=nil)
+        @backend.delete(pack(role.to_s, member_id(member), object))
+      end
+
+      def clear
+        # not optimal... yea but there is no other way to clear all keys 
+        # in the riak bucket -_-"
+        @backend.keys.each {|key| @backend.delete(key) }
+      end
+
+      private
+
+      # Pack given permission data.
+      #
+      #   pack("foo", 10)               # => "10/foo"
+      #   pack("foo", 10, "FooClass")   # => "10/foo/FooClass"
+      #   pack("foo", 10, FooClass.new) # => "10/foo/FooClass/{foo_object_ID}"
+      def pack(role, member, object=nil)
+        case object
+        when nil
+          "#{member}/#{role}"
+        when Class 
+          "#{member}/#{role}/#{object.name}"
+        else 
+          "#{member}/#{role}/#{object.class.name}/#{object.id}"
+        end
+      end
+      
+      # Unpack given permission data.
+      def unpack(data)
+        data.to_s.split("/")
+      end
+    end # Riak
+  end # Store
+end # Aclatraz

data/spec/aclatraz/helpers_spec.rb

@@ -7,14 +7,4 @@ describe "Aclatraz helpers" do
     camelize("foo_bar_bla").should == "FooBarBla"
     camelize("foo").should == "Foo"
   end
-  
-  it "#pack should return packed permission" do 
-    pack(10).should == "10"
-    
-    class StubTarget; def id; 10; end; end
-    pack(10, StubTarget).should == "10/StubTarget" 
-
-    target = StubTarget.new
-    pack(20, target).should == "20/StubTarget/10"
-  end
 end

data/spec/aclatraz/stores_spec.rb

@@ -2,6 +2,7 @@ require 'spec_helper'
 
 STORE_SPECS = proc do
   it "should properly assign given roles to owner and check permissions" do
+    subject.clear
     subject.set("foo", owner)
     subject.check("foo", owner).should be_true
     
@@ -17,13 +18,14 @@ STORE_SPECS = proc do
   end
   
   it "should properly delete given permission" do
+    subject.clear
     subject.set("foo", owner)
     subject.set("bar", owner, StubTarget)
     subject.set("bla", owner, target)
     
-    subject.delete("bar", owner)
+    subject.delete("foo", owner)
     subject.delete("bar", owner, StubTarget)
-    subject.delete("bar", owner, target)
+    subject.delete("bla", owner, target)
     
     subject.check("bar", owner).should be_false
     subject.check("bar", owner, StubTarget).should be_false
@@ -35,6 +37,7 @@ STORE_SPECS = proc do
     subject.set("bar", owner)
     subject.set("bla", owner)
     
+    subject.roles.should_not be_empty
     (subject.roles - ["foo", "bar", "bla"]).should be_empty 
   end
   
@@ -43,8 +46,8 @@ STORE_SPECS = proc do
     subject.set("bar", owner)
     subject.set("bla", owner)
     
-    (subject.roles(owner.id) - ["foo", "bar", "bla"]).should be_empty
-    subject.roles(33).should be_empty
+    subject.roles(owner).should_not be_empty
+    (subject.roles(owner) - ["foo", "bar", "bla"]).should be_empty
   end
 end
 
@@ -56,7 +59,14 @@ describe "Aclatraz" do
     before(:all) { @redis = Thread.new { `redis-server` } }
     after(:all) { @redis.exit! }
     subject { Aclatraz.init(:redis, "redis://localhost:6379/0") }
-    before(:each) { subject.clear }
+    
+    class_eval &STORE_SPECS
+  end
+
+  describe "Riak store" do 
+    before(:all) { @riak = Thread.new { `riak start` } }
+    after(:all) { @riak.exit! }
+    subject { Aclatraz.init(:riak, "roles") }
     
     class_eval &STORE_SPECS
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: aclatraz
 version: !ruby/object:Gem::Version 
-  hash: 27
+  hash: 25
   prerelease: false
   segments: 
   - 0
   - 1
-  - 0
-  version: 0.1.0
+  - 1
+  version: 0.1.1
 platform: ruby
 authors: 
 - Kriss 'nu7hatch' Kowalik
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-09-16 00:00:00 +02:00
+date: 2010-09-17 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -65,9 +65,24 @@ dependencies:
   type: :development
   version_requirements: *id003
 - !ruby/object:Gem::Dependency 
-  name: dictionary
+  name: riak-client
   prerelease: false
   requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 0
+        - 8
+        version: "0.8"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: dictionary
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -78,7 +93,7 @@ dependencies:
         - 0
         version: "1.0"
   type: :runtime
-  version_requirements: *id004
+  version_requirements: *id005
 description: "      Extremaly fast and flexible access control mechanism inspired by *nix ACLs, \n      powered by fast key value stores like Redis or TokyoCabinet.\n"
 email: kriss.kowalik@gmail.com
 executables: []
@@ -105,6 +120,7 @@ files:
 - lib/aclatraz/helpers.rb
 - lib/aclatraz/store.rb
 - lib/aclatraz/store/redis.rb
+- lib/aclatraz/store/riak.rb
 - lib/aclatraz/suspect.rb
 - spec/aclatraz/acl_spec.rb
 - spec/aclatraz/guard_spec.rb