action_policy 0.4.4 → 0.5.4

data/README.md

@@ -1,5 +1,6 @@
 [![Gem Version](https://badge.fury.io/rb/action_policy.svg)](https://badge.fury.io/rb/action_policy)
-[![Build Status](https://travis-ci.org/palkan/action_policy.svg?branch=master)](https://travis-ci.org/palkan/action_policy)
+![Build](https://github.com/palkan/action_policy/workflows/Build/badge.svg)
+![JRuby Build](https://github.com/palkan/action_policy/workflows/JRuby%20Build/badge.svg)
 [![Documentation](https://img.shields.io/badge/docs-link-brightgreen.svg)](https://actionpolicy.evilmartians.io)
 
 # Action Policy
@@ -21,7 +22,6 @@ Composable. Extensible. Performant.
 
 - RailsConf, 2018 "Access Denied" talk ([video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails))
 
-
 ## Integrations
 
 - GraphQL Ruby ([`action_policy-graphql`](https://github.com/palkan/action_policy-graphql))
@@ -36,7 +36,9 @@ gem "action_policy", "~> 0.4.0"
 
 And then execute:
 
-    $ bundle
+```sh
+bundle install
+```
 
 ## Usage
 
@@ -89,7 +91,6 @@ end
 
 \* See [Non-Rails Usage](docs/non_rails.md) on how to add `authorize!` to any Ruby project.
 
-
 When authorization is successful (i.e., the corresponding rule returns `true`), nothing happens, but in case of authorization failure `ActionPolicy::Unauthorized` error is raised.
 
 There is also an `allowed_to?` method which returns `true` or `false`, and could be used, in views, for example:

data/config/rubocop-rspec.yml

@@ -0,0 +1,17 @@
+RSpec:
+  Language:
+    ExampleGroups:
+      Regular:
+        - describe_rule
+      Focused:
+        - fdescribe_rule
+      Skipped:
+        - xdescribe_rule
+    Includes:
+      Examples:
+        - succeed
+        - failed
+        - fsucceed
+        - ffailed
+        - xsucceed
+        - xfailed

data/lib/.rbnext/2.7/action_policy/behaviours/policy_for.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module Behaviours
+    # Adds `policy_for` method
+    module PolicyFor
+      require "action_policy/ext/policy_cache_key"
+      using ActionPolicy::Ext::PolicyCacheKey
+
+      # Returns policy instance for the record.
+      def policy_for(record:, with: nil, namespace: authorization_namespace, context: authorization_context, allow_nil: false, default: default_authorization_policy_class)
+        policy_class = with || ::ActionPolicy.lookup(
+          record,
+          **{namespace: namespace, context: context, allow_nil: allow_nil, default: default}
+        )
+        policy_class&.new(record, **context)
+      end
+
+      def authorization_context
+        raise NotImplementedError, "Please, define `authorization_context` method!"
+      end
+
+      def authorization_namespace
+        # override to provide specific authorization namespace
+      end
+
+      def default_authorization_policy_class
+        # override to provide a policy class use when no policy found
+      end
+
+      # Override this method to provide implicit authorization target
+      # that would be used in case `record` is not specified in
+      # `authorize!` and `allowed_to?` call.
+      #
+      # It is also used to infer a policy for scoping (in `authorized_scope` method).
+      def implicit_authorization_target
+        # no-op
+      end
+
+      # Return implicit authorization target or raises an exception if it's nil
+      def implicit_authorization_target!
+        implicit_authorization_target || raise(
+          NotFound,
+          [
+            self,
+            "Couldn't find implicit authorization target " \
+            "for #{self.class}. " \
+            "Please, provide policy class explicitly using `with` option or " \
+            "define the `implicit_authorization_target` method."
+          ]
+        )
+      end
+
+      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **)
+        record_key = record._policy_cache_key(use_object_id: true)
+        context_key = context.values.map { |_1| _1._policy_cache_key(use_object_id: true) }.join(".")
+
+        "#{namespace}/#{with}/#{context_key}/#{record_key}"
+      end
+    end
+  end
+end

data/lib/.rbnext/2.7/action_policy/i18n.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module I18n # :nodoc:
+    DEFAULT_UNAUTHORIZED_MESSAGE = "You are not authorized to perform this action"
+
+    class << self
+      def full_message(policy_class, rule, details = nil)
+        candidates = candidates_for(policy_class, rule)
+
+        options = {scope: :action_policy}
+        options.merge!(details) unless details.nil?
+
+        ::I18n.t(
+          candidates.shift,
+          default: candidates,
+          **options
+        )
+      end
+
+      private
+
+      def candidates_for(policy_class, rule)
+        policy_hierarchy = policy_class.ancestors.select { |_1| _1.respond_to?(:identifier) }
+        [
+          *policy_hierarchy.map { |klass| :"policy.#{klass.identifier}.#{rule}" },
+          :"policy.#{rule}",
+          :unauthorized,
+          DEFAULT_UNAUTHORIZED_MESSAGE
+        ]
+      end
+    end
+
+    ActionPolicy::Policy::FailureReasons.prepend(Module.new do
+      def full_messages
+        reasons.flat_map do |policy_klass, rules|
+          rules.flat_map do |rule|
+            if rule.is_a?(::Hash)
+              rule.map do |key, details|
+                ActionPolicy::I18n.full_message(policy_klass, key, details)
+              end
+            else
+              ActionPolicy::I18n.full_message(policy_klass, rule)
+            end
+          end
+        end
+      end
+    end)
+
+    ActionPolicy::Policy::ExecutionResult.prepend(Module.new do
+      def message
+        ActionPolicy::I18n.full_message(policy, rule, details)
+      end
+    end)
+  end
+end

data/lib/.rbnext/2.7/action_policy/policy/cache.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require "action_policy/version"
+
+module ActionPolicy # :nodoc:
+  using RubyNext
+
+  # By default cache namespace (or prefix) contains major and minor version of the gem
+  CACHE_NAMESPACE = "acp:#{ActionPolicy::VERSION.split(".").take(2).join(".")}"
+
+  require "action_policy/ext/policy_cache_key"
+
+  using ActionPolicy::Ext::PolicyCacheKey
+
+  module Policy
+    # Provides long-lived cache through ActionPolicy.cache_store.
+    #
+    # NOTE: if cache_store is nil then we silently skip all the caching.
+    module Cache
+      class << self
+        def included(base)
+          base.extend ClassMethods
+        end
+      end
+
+      def cache_namespace() ;  ActionPolicy::CACHE_NAMESPACE; end
+
+      def cache_key(*parts)
+        [
+          cache_namespace,
+          *parts
+        ].map { |_1| _1._policy_cache_key }.join("/")
+      end
+
+      def rule_cache_key(rule)
+        cache_key(
+          context_cache_key,
+          record,
+          self.class,
+          rule
+        )
+      end
+
+      def context_cache_key
+        authorization_context.map { |_1, _2| _2._policy_cache_key.to_s }.join("/")
+      end
+
+      def apply_with_cache(rule)
+        options = self.class.cached_rules.fetch(rule)
+        key = rule_cache_key(rule)
+
+        ActionPolicy.cache_store.then do |store|
+          @result = store.read(key)
+          unless result.nil?
+            result.cached!
+            next result.value
+          end
+          yield
+          store.write(key, result, options)
+          result.value
+        end
+      end
+
+      def apply(rule)
+        return super if ActionPolicy.cache_store.nil? ||
+          !self.class.cached_rules.key?(rule)
+
+        apply_with_cache(rule) { super }
+      end
+
+      def cache(*parts, **options)
+        key = cache_key(*parts)
+        ActionPolicy.cache_store.then do |store|
+          res = store.read(key)
+          next res unless res.nil?
+          res = yield
+          store.write(key, res, options)
+          res
+        end
+      end
+
+      module ClassMethods # :nodoc:
+        def cache(*rules, **options)
+          rules.each do |rule|
+            cached_rules[rule] = options
+          end
+        end
+
+        def cached_rules
+          return @cached_rules if instance_variable_defined?(:@cached_rules)
+
+          @cached_rules = if superclass.respond_to?(:cached_rules)
+            superclass.cached_rules.dup
+          else
+            {}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/.rbnext/2.7/action_policy/policy/pre_check.rb

@@ -0,0 +1,162 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  module Policy
+    # Adds callback-style checks to policies to
+    # extract common checks from rules.
+    #
+    #    class ApplicationPolicy < ActionPolicy::Base
+    #      authorize :user
+    #      pre_check :allow_admins
+    #
+    #      private
+    #        # Allow every action for admins
+    #        def allow_admins
+    #          allow! if user.admin?
+    #        end
+    #    end
+    #
+    # You can specify conditional pre-checks (through `except` / `only`) options
+    # and skip already defined pre-checks if necessary.
+    #
+    #    class UserPolicy < ApplicationPolicy
+    #      skip_pre_check :allow_admins, only: :destroy?
+    #
+    #      def destroy?
+    #        user.admin? && !record.admin?
+    #      end
+    #    end
+    module PreCheck
+      # Single pre-check instance.
+      #
+      # Implements filtering logic.
+      class Check
+        attr_reader :name, :policy_class
+
+        def initialize(policy, name, except: nil, only: nil)
+          if !except.nil? && !only.nil?
+            raise ArgumentError,
+              "Only one of `except` and `only` may be specified for pre-check"
+          end
+
+          @policy_class = policy
+          @name = name
+          @blacklist = Array(except) unless except.nil?
+          @whitelist = Array(only) unless only.nil?
+
+          rebuild_filter
+        end
+
+        def applicable?(rule)
+          return true if filter.nil?
+          filter.call(rule)
+        end
+
+        def call(policy) ;  policy.send(name); end
+
+        def skip!(except: nil, only: nil)
+          if !except.nil? && !only.nil?
+            raise ArgumentError,
+              "Only one of `except` and `only` may be specified when skipping pre-check"
+          end
+
+          if except.nil? && only.nil?
+            raise ArgumentError,
+              "At least one of `except` and `only` must be specified when skipping pre-check"
+          end
+
+          if except
+            @whitelist = Array(except)
+            @whitelist -= blacklist if blacklist
+            @blacklist = nil
+          else
+            # only
+            @blacklist += Array(only) if blacklist
+            @whitelist -= Array(only) if whitelist
+            @blacklist = Array(only) if filter.nil?
+          end
+
+          rebuild_filter
+        end
+        # rubocop: enable
+        # rubocop: enable
+
+        def dup
+          self.class.new(
+            policy_class,
+            name,
+            except: blacklist&.dup,
+            only: whitelist&.dup
+          )
+        end
+
+        private
+
+        attr_reader :whitelist, :blacklist, :filter
+
+        def rebuild_filter
+          @filter =
+            if whitelist
+              proc { |rule| whitelist.include?(rule) }
+            elsif blacklist
+              proc { |rule| !blacklist.include?(rule) }
+            end
+        end
+      end
+
+      class << self
+        def included(base)
+          base.extend ClassMethods
+        end
+      end
+
+      def run_pre_checks(rule)
+        self.class.pre_checks.each do |check|
+          next unless check.applicable?(rule)
+          check.call(self)
+        end
+
+        yield if block_given?
+      end
+
+      def __apply__(rule)
+        run_pre_checks(rule) { super }
+      end
+
+      module ClassMethods # :nodoc:
+        def pre_check(*names, **options)
+          names.each do |name|
+            # do not allow pre-check override
+            check = pre_checks.find { |_1| _1.name == name }
+            raise "Pre-check already defined: #{name}" unless check.nil?
+
+            pre_checks << Check.new(self, name, **options)
+          end
+        end
+
+        def skip_pre_check(*names, **options)
+          names.each do |name|
+            check = pre_checks.find { |_1| _1.name == name }
+            raise "Pre-check not found: #{name}" if check.nil?
+
+            # when no options provided we remove this check completely
+            next pre_checks.delete(check) if options.empty?
+
+            # otherwise duplicate and apply skip options
+            pre_checks[pre_checks.index(check)] = check.dup.tap { |_1| _1.skip!(**options) }
+          end
+        end
+
+        def pre_checks
+          return @pre_checks if instance_variable_defined?(:@pre_checks)
+
+          @pre_checks = if superclass.respond_to?(:pre_checks)
+            superclass.pre_checks.dup
+          else
+            []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/.rbnext/2.7/action_policy/rspec/be_authorized_to.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Authorization matcher `be_authorized_to`.
+    #
+    # Verifies that a block of code has been authorized using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { patch :update, id: product.id }
+    #
+    #   it "is authorized" do
+    #     expect { subject }
+    #       .to be_authorized_to(:manage?, product)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class BeAuthorizedTo < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :rule, :target, :policy, :actual_calls
+
+      def initialize(rule, target)
+        @rule = rule
+        @target = target
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        @policy ||= ::ActionPolicy.lookup(target)
+
+        begin
+          ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+        rescue ActionPolicy::Unauthorized
+          # we don't want to care about authorization result
+        end
+
+        @actual_calls = ActionPolicy::Testing::AuthorizeTracker.calls
+
+        actual_calls.any? { |_1| _1.matches?(policy, rule, target) }
+      end
+
+      def does_not_match?(*)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?() ;  true; end
+
+      def failure_message
+        "expected #{formatted_record} " \
+        "to be authorized with #{policy}##{rule}, " \
+        "but #{actual_calls_message}"
+      end
+
+      def actual_calls_message
+        if actual_calls.empty?
+          "no authorization calls have been made"
+        else
+          "the following calls were encountered:\n" \
+          "#{formatted_calls}"
+        end
+      end
+
+      def formatted_calls
+        actual_calls.map do |_1|
+          " - #{_1.inspect}"
+        end.join("\n")
+      end
+
+      def formatted_record(record = target) ;  ::RSpec::Support::ObjectFormatter.format(record); end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def be_authorized_to(rule, target)
+      ActionPolicy::RSpec::BeAuthorizedTo.new(rule, target)
+    end
+  end)
+end