action_policy 0.4.4 → 0.5.4

data/lib/.rbnext/3.0/action_policy/rspec/be_authorized_to.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Authorization matcher `be_authorized_to`.
+    #
+    # Verifies that a block of code has been authorized using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { patch :update, id: product.id }
+    #
+    #   it "is authorized" do
+    #     expect { subject }
+    #       .to be_authorized_to(:manage?, product)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class BeAuthorizedTo < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :rule, :target, :policy, :actual_calls
+
+      def initialize(rule, target)
+        @rule = rule
+        @target = target
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        @policy ||= ::ActionPolicy.lookup(target)
+
+        begin
+          ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+        rescue ActionPolicy::Unauthorized
+          # we don't want to care about authorization result
+        end
+
+        @actual_calls = ActionPolicy::Testing::AuthorizeTracker.calls
+
+        actual_calls.any? { _1.matches?(policy, rule, target) }
+      end
+
+      def does_not_match?(*)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?() ;  true; end
+
+      def failure_message
+        "expected #{formatted_record} " \
+        "to be authorized with #{policy}##{rule}, " \
+        "but #{actual_calls_message}"
+      end
+
+      def actual_calls_message
+        if actual_calls.empty?
+          "no authorization calls have been made"
+        else
+          "the following calls were encountered:\n" \
+          "#{formatted_calls}"
+        end
+      end
+
+      def formatted_calls
+        actual_calls.map do
+          " - #{_1.inspect}"
+        end.join("\n")
+      end
+
+      def formatted_record(record = target) ;  ::RSpec::Support::ObjectFormatter.format(record); end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def be_authorized_to(rule, target)
+      ActionPolicy::RSpec::BeAuthorizedTo.new(rule, target)
+    end
+  end)
+end

data/lib/.rbnext/3.0/action_policy/rspec/have_authorized_scope.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require "action_policy/testing"
+
+module ActionPolicy
+  module RSpec
+    # Implements `have_authorized_scope` matcher.
+    #
+    # Verifies that a block of code applies authorization scoping using specific policy.
+    #
+    # Example:
+    #
+    #   # in controller/request specs
+    #   subject { get :index }
+    #
+    #   it "has authorized scope" do
+    #     expect { subject }
+    #       .to have_authorized_scope(:active_record_relation)
+    #       .with(ProductPolicy)
+    #   end
+    #
+    class HaveAuthorizedScope < ::RSpec::Matchers::BuiltIn::BaseMatcher
+      attr_reader :type, :name, :policy, :scope_options, :actual_scopes,
+        :target_expectations
+
+      def initialize(type)
+        @type = type
+        @name = :default
+        @scope_options = nil
+      end
+
+      def with(policy)
+        @policy = policy
+        self
+      end
+
+      def as(name)
+        @name = name
+        self
+      end
+
+      def with_scope_options(scope_options)
+        @scope_options = scope_options
+        self
+      end
+
+      def with_target(&block)
+        @target_expectations = block
+        self
+      end
+
+      def match(_expected, actual)
+        raise "This matcher only supports block expectations" unless actual.is_a?(Proc)
+
+        ActionPolicy::Testing::AuthorizeTracker.tracking { actual.call }
+
+        @actual_scopes = ActionPolicy::Testing::AuthorizeTracker.scopings
+
+        matching_scopes = actual_scopes.select { _1.matches?(policy, type, name, scope_options) }
+
+        return false if matching_scopes.empty?
+
+        return true unless target_expectations
+
+        if matching_scopes.size > 1
+          raise "Too many matching scopings (#{matching_scopes.size}), " \
+                "you can run `.with_target` only when there is the only one match"
+        end
+
+        target_expectations.call(matching_scopes.first.target)
+        true
+      end
+
+      def does_not_match?(*)
+        raise "This matcher doesn't support negation"
+      end
+
+      def supports_block_expectations?() ;  true; end
+
+      def failure_message
+        "expected a scoping named :#{name} for type :#{type} " \
+        "#{scope_options_message} " \
+        "from #{policy} to have been applied, " \
+        "but #{actual_scopes_message}"
+      end
+
+      def scope_options_message
+        if scope_options
+          if defined?(::RSpec::Matchers::Composable) &&
+              scope_options.is_a?(::RSpec::Matchers::Composable)
+            "with scope options #{scope_options.description}"
+          else
+            "with scope options #{scope_options}"
+          end
+        else
+          "without scope options"
+        end
+      end
+
+      def actual_scopes_message
+        if actual_scopes.empty?
+          "no scopings have been made"
+        else
+          "the following scopings were encountered:\n" \
+          "#{formatted_scopings}"
+        end
+      end
+
+      def formatted_scopings
+        actual_scopes.map do
+          " - #{_1.inspect}"
+        end.join("\n")
+      end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(Module.new do
+    def have_authorized_scope(type)
+      ActionPolicy::RSpec::HaveAuthorizedScope.new(type)
+    end
+  end)
+end

data/lib/.rbnext/3.0/action_policy/utils/pretty_print.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+old_verbose = $VERBOSE
+
+begin
+  require "method_source"
+  # Ignore parse warnings when patch
+  # Ruby version mismatches
+  $VERBOSE = nil
+  require "parser/current"
+  require "unparser"
+rescue LoadError
+  # do nothing
+ensure
+  $VERBOSE = old_verbose
+end
+
+module ActionPolicy
+  using RubyNext
+
+  # Takes the object and a method name,
+  # and returns the "annotated" source code for the method:
+  # code is split into parts by logical operators and each
+  # part is evaluated separately.
+  #
+  # Example:
+  #
+  #  class MyClass
+  #    def access?
+  #      admin? && access_feed?
+  #    end
+  #  end
+  #
+  #  puts PrettyPrint.format_method(MyClass.new, :access?)
+  #
+  #  #=> MyClass#access?
+  #  #=> ↳ admin? #=> false
+  #  #=> AND
+  #  #=> access_feed? #=> true
+  module PrettyPrint
+    TRUE = "\e[32mtrue\e[0m"
+    FALSE = "\e[31mfalse\e[0m"
+
+    class Visitor
+      attr_reader :lines, :object
+      attr_accessor :indent
+
+      def initialize(object)
+        @object = object
+      end
+
+      def collect(ast)
+        @lines = []
+        @indent = 0
+
+        visit_node(ast)
+
+        lines.join("\n")
+      end
+
+      def visit_node(ast)
+        if respond_to?("visit_#{ast.type}")
+          send("visit_#{ast.type}", ast)
+        else
+          visit_missing ast
+        end
+      end
+
+      def expression_with_result(sexp)
+        expression = Unparser.unparse(sexp)
+        "#{expression} #=> #{PrettyPrint.colorize(eval_exp(expression))}"
+      end
+
+      def eval_exp(exp)
+        return "<skipped>" if ignore_exp?(exp)
+        object.instance_eval(exp)
+      rescue => e
+        "Failed: #{e.message}"
+      end
+
+      def visit_and(ast)
+        visit_node(ast.children[0])
+        lines << indented("AND")
+        visit_node(ast.children[1])
+      end
+
+      def visit_or(ast)
+        visit_node(ast.children[0])
+        lines << indented("OR")
+        visit_node(ast.children[1])
+      end
+
+      def visit_begin(ast)
+        #  Parens
+        if ast.children.size == 1
+          lines << indented("(")
+          self.indent += 2
+          visit_node(ast.children[0])
+          self.indent -= 2
+          lines << indented(")")
+        else
+          # Multiple expressions
+          ast.children.each do |node|
+            visit_node(node)
+            # restore indent after each expression
+            self.indent -= 2
+          end
+        end
+      end
+
+      def visit_missing(ast)
+        lines << indented(expression_with_result(ast))
+      end
+
+      def indented(str)
+        "#{indent.zero? ? "↳ " : ""}#{" " * indent}#{str}".tap do
+          # increase indent after the first expression
+          self.indent += 2 if indent.zero?
+        end
+      end
+
+      # Some lines should not be evaled
+      def ignore_exp?(exp)
+        PrettyPrint.ignore_expressions.any? { exp.match?(_1) }
+      end
+    end
+
+    class << self
+      attr_accessor :ignore_expressions
+
+      if defined?(::Unparser) && defined?(::MethodSource)
+        def available?() ;  true; end
+
+        def print_method(object, method_name)
+          ast = object.method(method_name).source.then(&Unparser.method(:parse))
+          # outer node is a method definition itself
+          body = ast.children[2]
+
+          Visitor.new(object).collect(body)
+        end
+      else
+        def available?() ;  false; end
+
+        def print_method(_, _) ;  ""; end
+      end
+
+      def colorize(val)
+        return val unless $stdout.isatty
+        return TRUE if val.eql?(true)
+        return FALSE if val.eql?(false)
+        val
+      end
+    end
+
+    self.ignore_expressions = [
+      /^\s*binding\.(pry|irb)\s*$/s
+    ]
+  end
+end

data/lib/.rbnext/3.0/action_policy/utils/suggest_message.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module ActionPolicy
+  # Adds `suggest` method which uses did_you_mean
+  # to generate a suggestion message
+  module SuggestMessage
+    if defined?(::DidYouMean::SpellChecker)
+      def suggest(needle, heystack)
+        suggestion = ::DidYouMean::SpellChecker.new(
+          dictionary: heystack
+        ).correct(needle).first
+
+        suggestion ? "\nDid you mean? #{suggestion}" : ""
+      end
+    else
+      def suggest(*) ;  ""; end
+    end
+  end
+end

data/lib/action_policy.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+require "ruby-next"
+
+require "ruby-next/language/setup"
+RubyNext::Language.setup_gem_load_path(transpile: true)
+
 # ActionPolicy is an authorization framework for Ruby/Rails applications.
 #
 # It provides a way to write access policies and helpers to check these policies
@@ -30,8 +35,9 @@ module ActionPolicy
     attr_accessor :cache_store
 
     # Find a policy class for a target
-    def lookup(target, allow_nil: false, **options)
+    def lookup(target, allow_nil: false, default: nil, **options)
       LookupChain.call(target, **options) ||
+        default ||
         (allow_nil ? nil : raise(NotFound, target))
     end
   end

data/lib/action_policy/behaviour.rb

@@ -35,12 +35,7 @@ module ActionPolicy
     #
     # Raises `ActionPolicy::Unauthorized` if check failed.
     def authorize!(record = :__undef__, to:, **options)
-      record = implicit_authorization_target! if record == :__undef__
-      raise ArgumentError, "Record must be specified" if record.nil?
-
-      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
-
-      policy = policy_for(record: record, **options)
+      policy = lookup_authorization_policy(record, **options)
 
       Authorizer.call(policy, authorization_rule_for(policy, to))
     end
@@ -49,14 +44,17 @@ module ActionPolicy
     #
     # Returns true of false.
     def allowed_to?(rule, record = :__undef__, **options)
-      record = implicit_authorization_target! if record == :__undef__
-      raise ArgumentError, "Record must be specified" if record.nil?
+      policy = lookup_authorization_policy(record, **options)
 
-      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
+      policy.apply(authorization_rule_for(policy, rule))
+    end
 
-      policy = policy_for(record: record, **options)
+    # Returns the authorization result object after applying a specified rule to a record.
+    def allowance_to(rule, record = :__undef__, **options)
+      policy = lookup_authorization_policy(record, **options)
 
       policy.apply(authorization_rule_for(policy, rule))
+      policy.result
     end
 
     def authorization_context
@@ -75,6 +73,15 @@ module ActionPolicy
       policy.resolve_rule(rule)
     end
 
+    def lookup_authorization_policy(record, **options) # :nodoc:
+      record = implicit_authorization_target! if record == :__undef__
+      raise ArgumentError, "Record must be specified" if record.nil?
+
+      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
+
+      policy_for(record: record, **options)
+    end
+
     module ClassMethods # :nodoc:
       # Configure authorization context.
       #
@@ -97,12 +104,11 @@ module ActionPolicy
       def authorization_targets
         return @authorization_targets if instance_variable_defined?(:@authorization_targets)
 
-        @authorization_targets =
-          if superclass.respond_to?(:authorization_targets)
-            superclass.authorization_targets.dup
-          else
-            {}
-          end
+        if superclass.respond_to?(:authorization_targets)
+          superclass.authorization_targets.dup
+        else
+          {}
+        end => @authorization_targets
       end
     end
   end