action_policy 0.3.4 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 272123a33fae55ffd9e6e09b1098862fbbf353a6ed5ff71d090bc5fd01396244
-  data.tar.gz: ec53e2634999660b46c95dddc85bcf71055e336fdae5a8ea47023a671bba55ce
+  metadata.gz: 4dadd0bd9a76357e15ca389c572fcf3bdc3f78c56482652d364a08015e4b5c7a
+  data.tar.gz: e38e115067ad978de53354ad29fd378e04871fd05b9853c2123c8d2514ea5f04
 SHA512:
-  metadata.gz: 62353ff2be45386257efcd127a43c7eac61d1cb7fc3cfcbf1acc6d6563e6d0a0a91873a0593b8ff62d51adc70b730e1799eb5a1565e3a1ed3c1f2593d46a05ff
-  data.tar.gz: 837e717de9323e7131c535a41fe848aaa9501ad8f10471f082ff1355ae824afa7691b44bb9c8db71cb0b33898ad126963f3518b8cfcc1207e34469a282648d62
+  metadata.gz: 2036718d582c6a55fe8ad1242b9971c1563e9a83673f7ae608f818c2930409ac32bb43517e28847916a02c3aaa75f927c8bf9be05b8893e0ceb163e5dbbf4c1e
+  data.tar.gz: c90eb2088ce0ea1c1b6271f5c8fa03757f720294521f7ad6c70224ac79bb0a474e6b1a57c6d2f0f458cc3073085a052ed81dde61ece1ca797fc21a3e118b786a

data/.travis.yml

@@ -16,7 +16,7 @@ matrix:
   include:
     - rvm: ruby-head
       gemfile: gemfiles/railsmaster.gemfile
-    - rvm: jruby-9.2.5.0
+    - rvm: jruby-9.2.8.0
       gemfile: gemfiles/jruby.gemfile
     - rvm: 2.6.0
       gemfile: gemfiles/rails6.gemfile
@@ -27,5 +27,5 @@ matrix:
   allow_failures:
     - rvm: ruby-head
       gemfile: gemfiles/railsmaster.gemfile
-    - rvm: jruby-9.2.5.0
+    - rvm: jruby-9.2.8.0
       gemfile: gemfiles/jruby.gemfile

data/CHANGELOG.md

@@ -1,5 +1,26 @@
+# Change log
+
 ## master
 
+## 0.4.0 (2019-12-11)
+
+- Add `action_policy.init` instrumentation event. ([@palkan][])
+
+  Triggered every time a new policy object is initialized.
+
+- Fix policy memoization with explicit context. ([@palkan][])
+
+  Explicit context (`authorize! context: {}`) wasn't considered during
+  policies memoization. Not this is fixed.
+
+- Support composed matchers for authorization target testing. ([@palkan][])
+
+  Now you can write tests like this:
+
+  ```ruby
+  expect { subject }.to be_authorized_to(:show?, an_instance_of(User))
+  ```
+
 ## 0.3.4 (2019-11-27)
 
 - Fix Rails generators. ([@palkan][])

data/README.md

@@ -15,9 +15,11 @@ Composable. Extensible. Performant.
 
 ## Resources
 
-- Seattle.rb, 2019 "A Denial!" talk [[slides](https://speakerdeck.com/palkan/seattle-dot-rb-2019-a-denial)]
+- RubyRussia, 2019 "Welcome, or access denied?" talk ([video](https://www.youtube.com/watch?v=y15a2g7v8i0) [RU], [slides](https://speakerdeck.com/palkan/rubyrussia-2019-welcome-or-access-denied))
 
-- RailsConf, 2018 "Access Denied" talk [[video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails)]
+- Seattle.rb, 2019 "A Denial!" talk ([slides](https://speakerdeck.com/palkan/seattle-dot-rb-2019-a-denial))
+
+- RailsConf, 2018 "Access Denied" talk ([video](https://www.youtube.com/watch?v=NVwx0DARDis), [slides](https://speakerdeck.com/palkan/railsconf-2018-access-denied-the-missing-guide-to-authorization-in-rails))
 
 
 ## Integrations
@@ -29,7 +31,7 @@ Composable. Extensible. Performant.
 Add this line to your application's `Gemfile`:
 
 ```ruby
-gem "action_policy", "~> 0.3.0"
+gem "action_policy", "~> 0.4.0"
 ```
 
 And then execute:

data/docs/instrumentation.md

@@ -47,6 +47,17 @@ permitted to do that).
 
 The `action_policy.apply_rule` might have a large number of failures, 'cause it also tracks the usage of non-raising applications (i.e. `allowed_to?`).
 
+### `action_policy.init`
+
+This event is triggered every time a new policy object is initialized.
+
+The event contains the following information:
+
+- `:policy` – policy class name.
+
+This event is useful if you want to track the number of initialized policies per _action_ (for example, when you want to ensure that
+the [memoization](caching.md) works as expected).
+
 ## Turn off instrumentation
 
 Instrumentation is enabled by default. To turn it off add to your configuration:

data/docs/quick_start.md

@@ -34,9 +34,11 @@ class ApplicationPolicy < ActionPolicy::Base
 end
 ```
 
-You could use the following command to generate it.
+You could use the following command to generate it when using Rails:
 
-    $ rails generate action_policy:install
+```sh
+rails generate action_policy:install
+```
 
 **NOTE:** it is not necessary to inherit from `ActionPolicy::Base`; instead, you can [construct basic policy](custom_policy.md) choosing only the components you need.
 

data/docs/rails.md

@@ -6,6 +6,13 @@ In most cases, you do not have to do anything except writing policy files and ad
 
 **NOTE:** both controllers and channels extensions are built on top of the Action Policy [behaviour](./behaviour.md) mixin.
 
+## Generators
+
+Action Policy provides a couple of useful Rails generators:
+
+- `rails g action_policy:install` — adds `app/policies/application_policy.rb` file
+- `rails g action_policy:policy MODEL_NAME` — adds a policy file and a policy test file for a given model (also creates an `application_policy.rb` if it's missing)
+
 ## Controllers integration
 
 Action Policy assumes that you have a `current_user` method which specifies the current authenticated subject (`user`).

data/docs/testing.md

@@ -230,6 +230,12 @@ end
 
 If you omit `.with(PostPolicy)` then the inferred policy for the target (`post`) would be used.
 
+RSpec composed matchers are available as target:
+
+```ruby
+expect { subject }.to be_authorized_to(:show?, an_instance_of(Post))
+```
+
 ## Testing scoping
 
 Action Policy provides a way to test that a correct scoping has been applied during the code execution.

data/docs/writing_policies.md

@@ -56,7 +56,7 @@ You can also specify all the usual options (such as `with`).
 
 There is also a `check?` method which is just an "alias"\* for `allowed_to?` added for better readability:
 
-```
+```ruby
 class PostPolicy < ApplicationPolicy
   def show?
     user.admin? || check?(:publicly_visible?)

data/lib/action_policy.rb

@@ -31,7 +31,7 @@ module ActionPolicy
 
     # Find a policy class for a target
     def lookup(target, allow_nil: false, **options)
-      LookupChain.call(target, options) ||
+      LookupChain.call(target, **options) ||
         (allow_nil ? nil : raise(NotFound, target))
     end
   end

data/lib/action_policy/behaviour.rb

@@ -38,6 +38,8 @@ module ActionPolicy
       record = implicit_authorization_target! if record == :__undef__
       raise ArgumentError, "Record must be specified" if record.nil?
 
+      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
+
       policy = policy_for(record: record, **options)
 
       Authorizer.call(policy, authorization_rule_for(policy, to))
@@ -50,6 +52,8 @@ module ActionPolicy
       record = implicit_authorization_target! if record == :__undef__
       raise ArgumentError, "Record must be specified" if record.nil?
 
+      options[:context] && (options[:context] = authorization_context.merge(options[:context]))
+
       policy = policy_for(record: record, **options)
 
       policy.apply(authorization_rule_for(policy, rule))

data/lib/action_policy/behaviours/memoized.rb

@@ -19,9 +19,6 @@ module ActionPolicy
     #
     #   policy.equal?(policy_for(record, with: CustomPolicy)) #=> false
     module Memoized
-      require "action_policy/ext/policy_cache_key"
-      using ActionPolicy::Ext::PolicyCacheKey
-
       class << self
         def prepended(base)
           base.prepend InstanceMethods
@@ -32,13 +29,12 @@ module ActionPolicy
 
       module InstanceMethods # :nodoc:
         def policy_for(record:, **opts)
-          __policy_memoize__(record, opts) { super(record: record, **opts) }
+          __policy_memoize__(record, **opts) { super(record: record, **opts) }
         end
       end
 
-      def __policy_memoize__(record, with: nil, namespace: nil, **_opts)
-        record_key = record._policy_cache_key(use_object_id: true)
-        cache_key = "#{namespace}/#{with}/#{record_key}"
+      def __policy_memoize__(record, **options)
+        cache_key = policy_for_cache_key(record: record, **options)
 
         return __policies_cache__[cache_key] if
           __policies_cache__.key?(cache_key)

data/lib/action_policy/behaviours/policy_for.rb

@@ -4,11 +4,13 @@ module ActionPolicy
   module Behaviours
     # Adds `policy_for` method
     module PolicyFor
+      require "action_policy/ext/policy_cache_key"
+      using ActionPolicy::Ext::PolicyCacheKey
+
       # Returns policy instance for the record.
-      def policy_for(record:, with: nil, namespace: nil, context: nil, **options)
-        namespace ||= authorization_namespace
-        policy_class = with || ::ActionPolicy.lookup(record, namespace: namespace, **options)
-        policy_class&.new(record, authorization_context.tap { |ctx| ctx.merge!(context) if context })
+      def policy_for(record:, with: nil, namespace: authorization_namespace, context: authorization_context, allow_nil: false)
+        policy_class = with || ::ActionPolicy.lookup(record, namespace: namespace, context: context, allow_nil: allow_nil)
+        policy_class&.new(record, **context)
       end
 
       def authorization_context
@@ -41,6 +43,13 @@ module ActionPolicy
           ]
         )
       end
+
+      def policy_for_cache_key(record:, with: nil, namespace: nil, context: authorization_context, **)
+        record_key = record._policy_cache_key(use_object_id: true)
+        context_key = context.values.map { |v| v._policy_cache_key(use_object_id: true) }.join(".")
+
+        "#{namespace}/#{with}/#{context_key}/#{record_key}"
+      end
     end
   end
 end

data/lib/action_policy/behaviours/scoping.rb

@@ -11,6 +11,8 @@ module ActionPolicy
       #   - secondly, try to infer policy class from `target` (non-raising lookup)
       #   - use `implicit_authorization_target` if none of the above works.
       def authorized_scope(target, type: nil, as: :default, scope_options: nil, **options)
+        options[:context] && (options[:context] = authorization_context.merge(options[:context]))
+
         policy = policy_for(record: target, allow_nil: true, **options)
         policy ||= policy_for(record: implicit_authorization_target!, **options)
 

data/lib/action_policy/behaviours/thread_memoized.rb

@@ -37,9 +37,6 @@ module ActionPolicy
     #
     # NOTE: don't forget to clear thread cache with ActionPolicy::PerThreadCache.clear_all
     module ThreadMemoized
-      require "action_policy/ext/policy_cache_key"
-      using ActionPolicy::Ext::PolicyCacheKey
-
       class << self
         def prepended(base)
           base.prepend InstanceMethods
@@ -50,13 +47,12 @@ module ActionPolicy
 
       module InstanceMethods # :nodoc:
         def policy_for(record:, **opts)
-          __policy_thread_memoize__(record, opts) { super(record: record, **opts) }
+          __policy_thread_memoize__(record, **opts) { super(record: record, **opts) }
         end
       end
 
-      def __policy_thread_memoize__(record, with: nil, namespace: nil, **_opts)
-        record_key = record._policy_cache_key(use_object_id: true)
-        cache_key = "#{namespace}/#{with}/#{record_key}"
+      def __policy_thread_memoize__(record, **options)
+        cache_key = policy_for_cache_key(record: record, **options)
 
         ActionPolicy::PerThreadCache.fetch(cache_key) { yield }
       end

data/lib/action_policy/lookup_chain.rb

@@ -45,7 +45,7 @@ module ActionPolicy
 
       def call(record, **opts)
         chain.each do |probe|
-          val = probe.call(record, opts)
+          val = probe.call(record, **opts)
           return val unless val.nil?
         end
         nil
@@ -88,12 +88,12 @@ module ActionPolicy
       !ENV["RACK_ENV"].nil? ? ENV["RACK_ENV"] == "production" : true
 
     # By self `policy_class` method
-    INSTANCE_POLICY_CLASS = ->(record, _) {
+    INSTANCE_POLICY_CLASS = ->(record, **) {
       record.policy_class if record.respond_to?(:policy_class)
     }
 
     # By record's class `policy_class` method
-    CLASS_POLICY_CLASS = ->(record, _) {
+    CLASS_POLICY_CLASS = ->(record, **) {
       record.class.policy_class if record.class.respond_to?(:policy_class)
     }
 
@@ -106,7 +106,7 @@ module ActionPolicy
     }
 
     # Infer from class name
-    INFER_FROM_CLASS = ->(record, _) {
+    INFER_FROM_CLASS = ->(record, **) {
       policy_class_name_for(record).safe_constantize
     }
 

data/lib/action_policy/policy/core.rb

@@ -66,7 +66,7 @@ module ActionPolicy
       attr_reader :record, :result
 
       # NEXT_RELEASE: deprecate `record` arg, migrate to `record: nil`
-      def initialize(record = nil, _opts = nil)
+      def initialize(record = nil, *)
         @record = record
       end
 
@@ -101,7 +101,7 @@ module ActionPolicy
       #
       # If record is `nil` then we uses the current policy.
       def allowed_to?(rule, record = :__undef__, **options)
-        if record == :__undef__ && options.empty?
+        if (record == :__undef__ || record == self.record) && options.empty?
           __apply__(rule)
         else
           policy_for(record: record, **options).apply(rule)

data/lib/action_policy/policy/pre_check.rb

@@ -168,7 +168,7 @@ module ActionPolicy
             check = pre_checks.find { |c| c.name == name }
             raise "Pre-check already defined: #{name}" unless check.nil?
 
-            pre_checks << Check.new(self, name, options)
+            pre_checks << Check.new(self, name, **options)
           end
         end
 
@@ -181,7 +181,7 @@ module ActionPolicy
             next pre_checks.delete(check) if options.empty?
 
             # otherwise duplicate and apply skip options
-            pre_checks[pre_checks.index(check)] = check.dup.tap { |c| c.skip! options }
+            pre_checks[pre_checks.index(check)] = check.dup.tap { |c| c.skip!(**options) }
           end
         end
 

data/lib/action_policy/policy/reasons.rb

@@ -179,7 +179,7 @@ module ActionPolicy
 
       def allowed_to?(rule, record = :__undef__, **options)
         res =
-          if record == :__undef__
+          if (record == :__undef__ || record == self.record) && options.empty?
             policy = self
             with_clean_result { apply(rule) }
           else

data/lib/action_policy/rails/policy/instrumentation.rb

@@ -6,12 +6,19 @@ module ActionPolicy # :nodoc:
       # Add ActiveSupport::Notifications support.
       #
       # Fires `action_policy.apply_rule` event on every `#apply` call.
+      # Fires `action_policy.init` event on every policy initialization.
       module Instrumentation
-        EVENT_NAME = "action_policy.apply_rule"
+        INIT_EVENT_NAME = "action_policy.init"
+        APPLY_EVENT_NAME = "action_policy.apply_rule"
+
+        def initialize(*)
+          event = {policy: self.class.name}
+          ActiveSupport::Notifications.instrument(INIT_EVENT_NAME, event) { super }
+        end
 
         def apply(rule)
           event = {policy: self.class.name, rule: rule.to_s}
-          ActiveSupport::Notifications.instrument(EVENT_NAME, event) do
+          ActiveSupport::Notifications.instrument(APPLY_EVENT_NAME, event) do
             res = super
             event[:cached] = result.cached?
             event[:value] = result.value

data/lib/action_policy/rspec/dsl.rb

@@ -13,18 +13,18 @@ module ActionPolicy
 
       ["", "f", "x"].each do |prefix|
         class_eval <<~CODE, __FILE__, __LINE__ + 1
-          def #{prefix}succeed(msg = "succeeds", *args, **kwargs)
+          def #{prefix}succeed(msg = "succeeds", *args, **kwargs, &block)
             the_caller = caller
             #{prefix}context(msg, *args, **kwargs) do
-              instance_eval(&Proc.new) if block_given?
+              instance_eval(&block) if block_given?
               find_and_eval_shared("examples", "action_policy:policy_rule_example", the_caller.first, true, the_caller)
             end
           end
 
-          def #{prefix}failed(msg = "fails", *args, **kwargs)
+          def #{prefix}failed(msg = "fails", *args, **kwargs, &block)
             the_caller = caller
             #{prefix}context(msg, *args, **kwargs) do
-              instance_eval(&Proc.new) if block_given?
+              instance_eval(&block) if block_given?
               find_and_eval_shared("examples", "action_policy:policy_rule_example", the_caller.first, false, the_caller)
             end
           end

data/lib/action_policy/rspec/have_authorized_scope.rb

@@ -44,8 +44,8 @@ module ActionPolicy
         self
       end
 
-      def with_target
-        @target_expectations = Proc.new
+      def with_target(&block)
+        @target_expectations = block
         self
       end
 

data/lib/action_policy/testing.rb

@@ -15,7 +15,7 @@ module ActionPolicy
 
         def matches?(policy_class, actual_rule, target)
           policy_class == policy.class &&
-            target == policy.record &&
+            target === policy.record &&
             rule == actual_rule
         end
 
@@ -107,8 +107,8 @@ module ActionPolicy
         super
       end
 
-      def scopify(*args)
-        AuthorizeTracker.track_scope(*args)
+      def scopify(*args, **kwargs)
+        AuthorizeTracker.track_scope(*args, **kwargs)
         super
       end
     end

data/lib/action_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActionPolicy
-  VERSION = "0.3.4"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_policy
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.4.0
 platform: ruby
 authors:
 - Vladimir Dementyev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-27 00:00:00.000000000 Z
+date: 2019-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ammeter