action_policy 0.2.4 → 0.3.0.beta1

data/lib/action_policy/rails/scope_matchers/active_record.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module ScopeMatchers
+    # Adds `relation_scope` method as an alias
+    # for `scope_for :active_record_relation`
+    module ActiveRecord
+      def relation_scope(*args, &block)
+        scope_for :active_record_relation, *args, &block
+      end
+    end
+  end
+end
+
+# Register relation scope matcher
+ActionPolicy::Base.scope_matcher :active_record_relation, ActiveRecord::Relation
+
+# Add alias to base policy
+ActionPolicy::Base.extend ActionPolicy::ScopeMatchers::ActiveRecord
+
+ActiveRecord::Relation.include(Module.new do
+  def policy_name
+    if model.respond_to?(:policy_name)
+      model.policy_name.to_s
+    else
+      "#{model}Policy"
+    end
+  end
+end)

data/lib/action_policy/railtie.rb

@@ -30,6 +30,10 @@ module ActionPolicy # :nodoc:
         # Enabled only in production by default.
         attr_accessor :namespace_cache_enabled
 
+        # Define whether to include instrumentation functionality.
+        # Enabled by default.
+        attr_accessor :instrumentation_enabled
+
         def cache_store=(store)
           # Handle both:
           #   store = :memory
@@ -46,13 +50,14 @@ module ActionPolicy # :nodoc:
       self.controller_authorize_current_user = true
       self.auto_inject_into_channel = true
       self.channel_authorize_current_user = true
-      self.namespace_cache_enabled = Rails.env.production?
+      self.namespace_cache_enabled = ::Rails.env.production?
+      self.instrumentation_enabled = true
     end
 
     config.action_policy = Config
 
     initializer "action_policy.clear_per_thread_cache" do |app|
-      if Rails::VERSION::MAJOR >= 5
+      if ::Rails::VERSION::MAJOR >= 5
         app.executor.to_run { ActionPolicy::PerThreadCache.clear_all }
         app.executor.to_complete { ActionPolicy::PerThreadCache.clear_all }
       else
@@ -61,29 +66,46 @@ module ActionPolicy # :nodoc:
       end
     end
 
+    config.after_initialize do
+      next unless ::Rails.application.config.action_policy.instrumentation_enabled
+
+      require "action_policy/rails/policy/instrumentation"
+      require "action_policy/rails/authorizer"
+
+      ActionPolicy::Base.prepend ActionPolicy::Policy::Rails::Instrumentation
+      ActionPolicy::Authorizer.singleton_class.prepend ActionPolicy::Rails::Authorizer
+    end
+
     config.to_prepare do |_app|
       ActionPolicy::LookupChain.namespace_cache_enabled =
-        Rails.application.config.action_policy.namespace_cache_enabled
+        ::Rails.application.config.action_policy.namespace_cache_enabled
 
       ActiveSupport.on_load(:action_controller) do
-        next unless Rails.application.config.action_policy.auto_inject_into_controller
+        require "action_policy/rails/scope_matchers/action_controller_params"
+
+        next unless ::Rails.application.config.action_policy.auto_inject_into_controller
 
         ActionController::Base.include ActionPolicy::Controller
 
-        next unless Rails.application.config.action_policy.controller_authorize_current_user
+        next unless ::Rails.application.config.action_policy.controller_authorize_current_user
 
         ActionController::Base.authorize :user, through: :current_user
       end
 
       ActiveSupport.on_load(:action_cable) do
-        next unless Rails.application.config.action_policy.auto_inject_into_channel
+        next unless ::Rails.application.config.action_policy.auto_inject_into_channel
 
         ActionCable::Channel::Base.include ActionPolicy::Channel
 
-        next unless Rails.application.config.action_policy.channel_authorize_current_user
+        next unless ::Rails.application.config.action_policy.channel_authorize_current_user
 
         ActionCable::Channel::Base.authorize :user, through: :current_user
       end
+
+      ActiveSupport.on_load(:active_record) do
+        require "action_policy/rails/ext/active_record"
+        require "action_policy/rails/scope_matchers/active_record"
+      end
     end
   end
 end

data/lib/action_policy/rspec.rb

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
 
 require "action_policy/rspec/be_authorized_to"
+require "action_policy/rspec/have_authorized_scope"

data/lib/action_policy/rspec/be_authorized_to.rb

@@ -39,7 +39,7 @@ module ActionPolicy
 
         begin
           ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
-        rescue ActionPolicy::Unauthorized # rubocop: disable Lint/HandleExceptions
+        rescue ActionPolicy::Unauthorized
           # we don't want to care about authorization result
         end
 

data/lib/action_policy/rspec/dsl.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module RSpec # :nodoc: all
+    module DSL
+      %w[describe fdescribe xdescribe].each do |meth|
+        class_eval <<~CODE, __FILE__, __LINE__ + 1
+          def #{meth}_rule(rule, *args, &block)
+            find_and_eval_shared("context", "action_policy:policy_rule_context", caller.first, rule, *args, method: :#{meth}, block: block)
+          end
+        CODE
+      end
+
+      ["", "f", "x"].each do |prefix|
+        class_eval <<~CODE, __FILE__, __LINE__ + 1
+          def #{prefix}succeed(msg = "succeeds", *args, **kwargs)
+            the_caller = caller
+            #{prefix}context(msg, *args, **kwargs) do
+              instance_eval(&Proc.new) if block_given?
+              find_and_eval_shared("examples", "action_policy:policy_rule_example", the_caller.first, true, the_caller)
+            end
+          end
+
+          def #{prefix}failed(msg = "fails", *args, **kwargs)
+            the_caller = caller
+            #{prefix}context(msg, *args, **kwargs) do
+              instance_eval(&Proc.new) if block_given?
+              find_and_eval_shared("examples", "action_policy:policy_rule_example", the_caller.first, false, the_caller)
+            end
+          end
+        CODE
+      end
+    end
+
+    module PolicyExampleGroup
+      def self.included(base)
+        base.metadata[:type] = :policy
+        base.extend ActionPolicy::RSpec::DSL
+        super
+      end
+
+      def formatted_policy(policy)
+        "#{policy.result.inspect}\n#{policy.inspect_rule(policy.result.rule)}"
+      end
+    end
+  end
+end
+
+if defined?(::RSpec)
+  ::RSpec.shared_context "action_policy:policy_context" do
+    let(:record) { nil }
+    let(:context) { {} }
+    let(:policy) { described_class.new(record, context) }
+  end
+
+  ::RSpec.shared_context "action_policy:policy_rule_context" do |policy_rule, *args, method: "describe", block: nil|
+    public_send(method, policy_rule.to_s, *args) do
+      let(:rule) { policy_rule }
+
+      let(:subject) do
+        policy.apply(rule)
+        policy.result
+      end
+
+      instance_eval(&block) if block
+    end
+  end
+
+  ::RSpec.shared_examples_for "action_policy:policy_rule_example" do |success, the_caller|
+    if success
+      specify do
+        next if subject.success?
+        raise(
+          RSpec::Expectations::ExpectationNotMetError,
+          "Expected to succeed but failed:\n#{formatted_policy(policy)}",
+          the_caller
+        )
+      end
+    else
+      specify do
+        next if subject.fail?
+        raise(
+          RSpec::Expectations::ExpectationNotMetError,
+          "Expected to fail but succeed:\n#{formatted_policy(policy)}",
+          the_caller
+        )
+      end
+    end
+  end
+
+  ::RSpec.configure do |config|
+    config.include(
+      ActionPolicy::RSpec::PolicyExampleGroup,
+      type: :policy,
+      file_path: %r{spec/policies}
+    )
+    config.include_context(
+      "action_policy:policy_context",
+      type: :policy,
+      file_path: %r{spec/policies}
+    )
+  end
+end

data/lib/action_policy/rspec/have_authorized_scope.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Implements `have_authorized_scope` matcher.
+    #
+    # Verifies that a block of code applies authorization scoping using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { get :index }
+    #
+    #   it "has authorized scope" do
+    #     expect { subject }
+    #       .to have_authorized_scope(:active_record_relation)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class HaveAuthorizedScope < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :type, :name, :policy, :scope_options, :actual_scopes,
+                  :target_expectations
+
+      def initialize(type)
+        @type = type
+        @name = :default
+        @scope_options = nil
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def as(name)
+        @name = name
+        self
+      end
+
+      def with_scope_options(scope_options)
+        @scope_options = scope_options
+        self
+      end
+
+      def with_target
+        @target_expectations = Proc.new
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+
+        @actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
+
+        matching_scopes = actual_scopes.select { |scope| scope.matches?(policy, type, name, scope_options) }
+
+        return false if matching_scopes.empty?
+
+        return true unless target_expectations
+
+        if matching_scopes.size > 1
+          raise "Too many matching scopings (#{matching_scopes.size}), " \
+                "you can run `.with_target` only when there is the only one match"
+        end
+
+        target_expectations.call(matching_scopes.first.target)
+        true
+      end
+
+      def does_not_match?(*)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?
+        true
+      end
+
+      def failure_message
+        "expected a scoping named :#{name} for type :#{type} " \
+        "#{scope_options_message} " \
+        "from #{policy} to have been applied, " \
+        "but #{actual_scopes_message}"
+      end
+
+      def scope_options_message
+        if scope_options
+          if defined?(::RSpec::Matchers::Composable) &&
+              scope_options.is_a?(::RSpec::Matchers::Composable)
+            "with scope options #{scope_options.description}"
+          else
+            "with scope options #{scope_options}"
+          end
+        else
+          "without scope options"
+        end
+      end
+
+      def actual_scopes_message
+        if actual_scopes.empty?
+          "no scopings have been made"
+        else
+          "the following scopings were encountered:\n" \
+          "#{formatted_scopings}"
+        end
+      end
+
+      def formatted_scopings
+        actual_scopes.map do |ascope|
+          " - #{ascope.inspect}"
+        end.join("\n")
+      end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def have_authorized_scope(type)
+      ActionPolicy::RSpec::HaveAuthorizedScope.new(type)
+    end
+  end)
+end

data/lib/action_policy/rspec/pundit_syntax.rb

@@ -43,6 +43,6 @@ RSpec.configure do |config|
   config.include(
     ActionPolicy::RSpec::PunditSyntax::PolicyExampleGroup,
     type: :policy,
-    example_group: { file_path: %r{spec/policies} }
+    example_group: {file_path: %r{spec/policies}}
   )
 end

data/lib/action_policy/test_helper.rb

@@ -5,6 +5,22 @@ require "action_policy/testing"
 module ActionPolicy
   # Provides assertions for policies usage
   module TestHelper
+    class WithScopeTarget
+      attr_reader :scopes
+
+      def initialize(scopes)
+        @scopes = scopes
+      end
+
+      def with_target
+        if scopes.size > 1
+          raise "Too many matching scopings (#{scopes.size}), " \
+                "you can run `.with_target` only when there is the only one match"
+        end
+
+        yield scopes.first.target
+      end
+    end
     # Asserts that the given policy was used to authorize the given target.
     #
     #   def test_authorize
@@ -19,7 +35,6 @@ module ActionPolicy
     #       get :show, id: user.id
     #     end
     #
-    # rubocop: disable Metrics/MethodLength
     def assert_authorized_to(rule, target, with: nil)
       raise ArgumentError, "Block is required" unless block_given?
 
@@ -27,7 +42,7 @@ module ActionPolicy
 
       begin
         ActionPolicy::Testing::AuthorizeTracker.tracking { yield }
-      rescue ActionPolicy::Unauthorized # rubocop: disable Lint/HandleExceptions
+      rescue ActionPolicy::Unauthorized
         # we don't want to care about authorization result
       end
 
@@ -38,9 +53,59 @@ module ActionPolicy
         "Expected #{target.inspect} to be authorized with #{policy}##{rule}, " \
         "but no such authorization has been made.\n" \
         "Registered authorizations: " \
-        "#{actual_calls.empty? ? 'none' : actual_calls.map(&:inspect).join(',')}"
+        "#{actual_calls.empty? ? "none" : actual_calls.map(&:inspect).join(",")}"
+      )
+    end
+
+    # Asserts that the given policy was used for scoping.
+    #
+    #   def test_authorize
+    #     assert_have_authorized_scope(type: :active_record_relation, with: UserPolicy) do
+    #       get :index
+    #     end
+    #   end
+    #
+    # You can also specify `as` option.
+    #
+    # NOTE: `type` and `with` must be specified.
+    #
+    # You can run additional assertions for the matching target (the object passed
+    # to the `authorized_scope` method) by calling `with_target`:
+    #
+    #   def test_authorize
+    #     assert_have_authorized_scope(type: :active_record_relation, with: UserPolicy) do
+    #       get :index
+    #     end.with_target do |target|
+    #       assert_equal User.all, target
+    #     end
+    #   end
+    #
+    def assert_have_authorized_scope(type:, with:, as: :default, scope_options: nil)
+      raise ArgumentError, "Block is required" unless block_given?
+
+      policy = with
+
+      ActionPolicy::Testing::AuthorizeTracker.tracking { yield }
+
+      actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
+
+      scope_options_message = if scope_options
+        "with scope options #{scope_options}"
+      else
+        "without scope options"
+      end
+
+      assert(
+        actual_scopes.any? { |scope| scope.matches?(policy, type, as, scope_options) },
+        "Expected a scoping named :#{as} for :#{type} type " \
+        "#{scope_options_message} " \
+        "from #{policy} to have been applied, " \
+        "but no such scoping has been made.\n" \
+        "Registered scopings: " \
+        "#{actual_scopes.empty? ? "none" : actual_scopes.map(&:inspect).join(",")}"
       )
+
+      WithScopeTarget.new(actual_scopes)
     end
-    # rubocop: enable Metrics/MethodLength
   end
 end