active_entry 1.1.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e6ea0fd23af731840ed3e6f003c7b6beff6a14b2922bbb96444a5bfbeec58ae
-  data.tar.gz: b4a47cede63aa58e6f1675ab704fce6b7a7e4c4b46fc791330c4e770158bc6db
+  metadata.gz: 68c5d6e98c46a35b4ef4e32f6987bd0c412326aad17db589e45dd671a6d3e1b7
+  data.tar.gz: 48d4b700fdff06bd94ab4fc2b9d34c73142b21a91641be20fd080287f11c16f4
 SHA512:
-  metadata.gz: c1dba6e952921afc6260b4a7e54878f2db97235f5d5c531dc769a34daf8bb65682f8d377670265000697e8715495f9a152a2be25aa05211a5916109e0db18e69
-  data.tar.gz: 5e813dd7d89ec9eb0514b470fcc3b1a7ffb256ea5d20f3f53e75bfc029a072dbff813a9413127cf83818e3d2d173f22240c7d91f0c3c2da335d069f0edd8b1e8
+  metadata.gz: 4efc966d6cc59cf94da405cdd583afb3e3954ed73dbb97b9c83876cd04ffe5965e7d67850b903318acbf9af342ea0933c837b65773bf74deb7c8664c0e58d3ff
+  data.tar.gz: ac48a14a4a6b0761b3d35516caa11254c8b637dda53498b6b603d16ba1b800e5d09e44af8383ea9141777907288381648b0b39db033f55db84899e1e671e084f

data/README.md

@@ -1,8 +1,74 @@
-[<img src="active_entry_logo.png" alt="Active Entry Logo" width="250px"/>](https://github.com/TFM-Agency/active_entry)
+<p align="center">
+  <a href="https://github.com/TFM-Agency/active_entry">
+    <img src="https://raw.githubusercontent.com/TFM-Agency/active_entry/main/active_entry_logo.svg" alt="Active Entry Logo" width="350px"/>
+  </a>
+</p>
 
 # Active Entry - Simple and flexible authentication and authorization
+[![Gem Version](https://badge.fury.io/rb/active_entry.svg)](https://badge.fury.io/rb/active_entry)
+[![Ruby](https://github.com/TFM-Agency/active_entry/actions/workflows/ci-rspec.yml/badge.svg)](https://github.com/TFM-Agency/active_entry/actions/workflows/ci-rspec.yml)
+![Coverage](https://raw.githubusercontent.com/TFM-Agency/active_entry/main/coverage/coverage_badge_total.svg)
+[![Maintainability](https://api.codeclimate.com/v1/badges/3db0f653be6bdfe0fdac/maintainability)](https://codeclimate.com/github/TFM-Agency/active_entry/maintainability)
+[![Documentation](https://img.shields.io/badge/docs-rdoc.info-blue.svg)](https://rubydoc.info/github/TFM-Agency/active_entry/main)
 
-Active Entry is a simple and secure authentication and authorization system for your Rails application, which lets you to authenticate and authorize directly in your controllers.
+Active Entry is a secure way to check for authentication and authorization before an action is performed. It's currently only compatible with Rails. But in later versions will ActiveEntry be Framework independent.
+
+Active Entry works like many other Authorization Systems like [Pundit](https://github.com/varvet/pundit) or [Action Policy](https://github.com/palkan/action_policy) with **Policies**. However in Active Entry it's all about the method calling the auth mechanism. For every method that needs authentication or authorization, a decision maker method counterpart has to be created in the policy of the class.
+
+## Example
+
+Let's say we have an Users controller in our application:
+
+```ruby
+# app/controllers/users_controller.rb
+class UsersController < ApplicationController
+  include ActiveEntry::ControllerConcern   # Glue for the controller and Active Entry
+
+  def index
+    pass!   # The auth happens here
+    load_users
+  end
+end
+```
+
+We have to create the UsersPolicy in order for Active Entry to know who is authenticated and authorized and who not.
+
+```ruby
+# app/policies/users_policy.rb
+module UsersPolicy
+  class Authentication < ActiveEntry::Base::Authentication
+    def index?
+      Current.user_signed_in?  # Only signed in users are considered to be authenticated.
+    end
+  end
+
+  class Authorization < ActiveEntry::Base::Authorization
+    def index?
+      Current.user.admin?  # Only admins are authorized to perform this action
+    end
+  end
+end
+```
+
+Now every time somebody calls the `users#index` endpoint, he or she has to be signed in and an admin. Otherwise `ActiveEntry::NotAuthenticatedError` or `ActiveEntry::NotAuthorizedError` are raised.
+You can catch them easily in your controller by using Rails' `rescue_from`.
+
+```ruby
+class ApplicationController < ActionController::Base
+  rescue_from ActiveEntry::NotAuthenticatedError, with: :not_authenticated
+  rescue_from ActiveEntry::NotAuthorizedError, with: :not_authorized
+
+  def not_authenticated
+    flash[:danger] = "Not authenticated. Please sign in."
+    redirect_to sign_in_path
+  end
+
+  def not_authorized
+    flash[:danger] = "Not authorized."
+    redirect_to root_path
+  end
+end
+```
 
 ## Installation
 Add this line to your application's Gemfile:
@@ -11,52 +77,112 @@ Add this line to your application's Gemfile:
 gem 'active_entry'
 ```
 
-And then execute:
+Or install it without bundler:
 ```bash
+$ gem install active_entry
+```
+
+Run Bundle:
+```shell
 $ bundle
 ```
 
-Or install it yourself as:
-```bash
-$ gem install active_entry
+And then install Active Entry:
+```shell
+$ rails g active_entry:install
 ```
 
+This will generate `app/policies/application_policy.rb`.
+
 ## Usage
-With Active Entry authentication and authorization is done in your Rails controllers. To enable authentication and authorization in one of your controllers, just add a before action for `authenticate!` and `authorize!` and the user has to authenticate and authorize on every call.
-You probably want to control authentication and authorization for every controller action you have in your app. To enable this, just add the before action to the `ApplicationController`.
+Active Entry works with Policies. You can generate policies the following way:
+
+Let's consider the example from above.
+We have an UsersController and we want a policy for that:
+
+```shell
+$ rails g policy Users
+```
+
+This generates a policy called `UsersPolicy` and is located in `app/policies/users_policy.rb`.
+
+The above generator call would generate something like this, but with a few comments to help you get started:
+
+```ruby
+module UsersPolicy
+  class Authentication < ActiveEntry::Base::Authentication
+  end
+
+  class Authorization < ActiveEntry::Base::Authorization
+  end
+end
+```
+
+### Verify authentication and authorization
+You probably want to control authentication and authorization for every controller action you have in your app. As a safeguard to ensure, that auth is performed in every request and the auth call is not forgotten in development, add the `verify_authentication!` and `verify_authorization!` to your `ApplicationController`:
 
 ```ruby
 class ApplicationController < ActionController::Base
-  before_action :authenticate!, :authorize!
+  verify_authentication!
+  verify_authorization!
   # ...
 end
 ```
+This ensures, that you perform auth in all your controllers and raises errors if not.
 
-If you try to open a page, you will get an `ActiveEntry::AuthenticationNotPerformedError` or `ActiveEntry::AuthorizationNotPerformedError`. This means that you have to instruct Active Entry when a user is authenticated/authorized and when not.
-You can do this by defining the methods `authenticated?` and `authorized?` in your controller.
+### Perform authentication and authorization
+in order to do the actual authentication and authorization, you have to use `authenticate!` and `authorize!` or `pass!` as in your actions.
 
 ```ruby
-class DashboardController < ApplicationController
-  # Actions ...
+class UsersController < ApplicationController
+  def authentication_only_action
+    authenticate!
+  end
 
-  private
+  def authorization_only_action
+    authorize!
+  end
 
-  def authenticated?
-    return true if user_signed_in?
+  def both_authentication_and_authorization_action
+    pass!
+  end
+end
+```
+
+If you try to open a page, Active Entry will raise `ActiveEntry::DecisionMakerMethodNotDefinedError`. This means we have to define the decision makers in our policy.
+
+```ruby
+module UsersPolicy
+  class Authentication < ApplicationPolicy::Authentication
+    def authentication_only_action?
+      success   # == true | Everybody is allowed
+    end
+
+    def both_authentication_and_authorization_action?
+      success
+    end
   end
 
-  def authorized?
-    return true if current_user.admin?
-  end 
+  class Authorization < ApplicationPolicy::Authorization
+    def authorization_only_action?
+      success
+    end
+
+    def both_authentication_and_authorization_action?
+      success
+    end
+  end
 end
 ```
 
-Active Entry expects boolean return values from `authenticated?` and `authorized?`. `true` signals successful authentication/authorization, everything else not.
+Every decision maker ends with an `?`. The name has to be the same as the name of the controller action. So `index` is going to be `index?`.
 
-### Rescuing from errors
+In order for Active Entry to not raise an auth error, the decision makers have to return `true`. In our above example we used `success`, which simply returns `true`.
 
-If the user is signed in, he is authenticated and authorized if he is an admin, otherwise an `ActiveEntry::NotAuthenticatedError` or `ActiveEntry::NotAuthorizedError` will be raised.
-Now you just have to catch this error and react accordingly. Rails has the convenient `rescue_from` for that.
+**Note:** It has to be an explicit `true` and not just a truthy value. A string or object return value would raise an auth error.
+
+### Rescuing from errors
+Catch the errors in your controllers to redirect the user or show them a message.
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -81,84 +207,70 @@ end
 
 In this example above, the user will be redirected with a flash message. But you can do whatever you want. For example logging.
 
-### Scoped decision makers
-
-Instead of putting all authentication/authorization logic into `authenticated?` and `authorized?` you can create scoped decision makers:
+### Authenticate/authorize outside the action
+You can authenticate and authorize outside the action:
 
 ```ruby
-class DashboardController < ApplicationController
-  before_action :authenticate!, :authorize!
-
-  def index_authenticated?
-    # Do your authentication for the index action only
-  end
-  def index_authorized?
-    # Do your authorization for the index action only
-  end
-  def index
-    # Actual action
-  end
+class UsersController < ApplicationController
+  authenticate_now!
+  authorize_now!
+  # pass_now!  # Does both, authentication and authorization
 end
 ```
 
-This puts authentication/authorization logic a lot closer to the actual action that is performed and you don't get lost in endlessly long `authenticated?` or `authorized?` decision maker methods.
-
-**Note:** The scoped authentication/authorization decision maker methods take precendence over the general ones. That means if you have an `index_authenticated?` for your index action defined, the general `authenticated?` gets ignored.
-
-### Controller helper methods
-
-Active Entry also has a few helper methods which help you to distinguish between controller actions. You can check if a specific action got called, by adding `_action?` to the action name in your `authenticated?` or `authorized?`.
-For an action `show` this would be `show_action?`.
+Access control on class level will ensure that every action performs it.
 
-**Note:** A `NoMethodError` gets raised if you try to call `_action?` if the actual action hasn't been implemented. For example `missing_implementation_action?` raises an error as long as `#missing_implementation` hasn't been implemented as action.
+**Note:** Don't use the class methods if the controller is inherited in other controllers. Best, don't use them at all and use the methods in the actions conciously.
 
-The are some more helpers that check for more than one RESTful action:
-
- * `read_action?` - If the called action just read. Actions: `index`, `show`
- * `write_action?` - If the called action writes something. Actions: `new`, `create`, `edit`, `update`, `destroy`
- * `change_action?` - If something will be updated or destroyed. Actions: `edit`, `update`, `destroy`
- * `create_action?` - If something will be created. Actions: `new`, `create`
- * `update_action?` - If something will be updated. Actions: `edit`, `update`
- * `destroy_action?` - If something will be destroyed. Action: `destroy`
- * `delete_action?` - Alias for `destroy_action?`. Action: `destroy`
-
-So you can for example do:
+## Variables
+You can pass variables to the decision maker.
 
 ```ruby
-class ApplicationController < ActionController::Base
-  # ...
-
+class UsersController < ApplicationController
   def show
+    @user = User.find params[:id]
+    pass! user: @user
   end
+end
+```
 
-  def custom
-  end
-
-  private
-
-  def authorized?
-    return true if read_action?    # Everybody is authorized to call read actions
+You can now access the user object as instance variable in your decision maker.
 
-    if write_action?
-      return true if admin_signed_in?		# Just admins are allowed to call write actions
+```ruby
+module Users
+  class Authentication < ApplicationPolicy::Authentication
+    def show?
+      @user  # == <User:Instance>
     end
+  end
 
-    if custom_action?   # For custom/non-RESTful actions
-      return true
+  class Authorization < ApplicationPolicy::Authorization
+    def show?
+      @user  # == <User:Instance>
     end
   end
 end
 ```
 
-This is pretty much everything you have to do for basic authentication or authorization!
-
-## Pass a custom error hash
-You can pass an error hash to the exception and use this in your rescue method:
+## Custom error data
+If you write something into `@error` in our decision maker, you can access it in your rescue methods in the controller:
 
 ```ruby
+module UsersPolicy
+  class Authentication < ApplicationPolicy::Authentication
+    def show?
+      @error = { code: 100 }
+    end
+  end
+
+  class Authorization < ApplicationPolicy::Authorization
+    def show?
+      @error = { code: 100 }
+    end
+  end
+end
+
 class ApplicationController < ActionController::Base
-  before_action :authenticate!, :authorize!
-	
   # ...
 
   rescue_from ActiveEntry::NotAuthenticatedError, with: :not_authenticated
@@ -166,59 +278,134 @@ class ApplicationController < ActionController::Base
 
   private
 
-  def not_authenticated(exception)
+  def not_authenticated exception
     flash[:danger] = "You are not authenticated! Code: #{exception.error[:code]}"
     redirect_to root_path
   end
 
-  def not_authorized(exception)
+  def not_authorized exception
     flash[:danger] = "You are not authorized to call this action! Code: #{exception.error[:code]}"
     redirect_to root_path
   end
+end
+```
 
-  def authenticated?(error)
-    error[:code] = "ERROR"
+But you can pass in whatever you want into your error hash.
 
-    return true if user_signed_in?
-  end
-	
-  def authorized?(error)
-    error[:code] = "ERROR"
+## Testing
+You can easily test your policies in RSpec. Let's start with the generator:
 
-    return true if read_action?    # Everybody is authorized to call read actions
+```shell
+$ rails g rspec:policy Users
+```
 
-    if write_action?
-      return true if admin_signed_in?		# Just admins are allowed to call write actions
-    end
-  end
+This will generate a spec for the `UsersPolicy` located in `spec/policies/users_policy_spec.rb`
+
+```ruby
+require "rails_helper"
+
+RSpec.describe UsersPolicy, type: :policy do
+  pending "add some examples to (or delete) #{__FILE__}"
 end
 ```
 
-## Known Issues
-The authentication/authorization is done in a before action. These Rails controller before callbacks are done in defined order. If you set an instance variable which is needed in the `authenticated?` or `authorized?` method, you have to call the before action after the other method again.
-
-For example if you set `@user` in your controller in the `set_user` before action and you want to use the variable in `authorized?` action, you have to add the `authenticate!` or `authorize!` method after the `set_user` again, otherwise `@user` won't be available in `authenticate!` or `authorized?` yet.
+Now you can easily test every decision maker with the `be_authenticated_for` and `be_authorized_for` matchers.
 
 ```ruby
-class UsersController < ApplicationController
-  before_action :set_user
-  before_action :authenticate!, :authorize!
+require "rails_helper"
+
+RSpec.describe UsersPolicy, type: :policy do
+  describe UsersPolicy::Authentication do
+    subject { UsersPolicy::Authentication }
+
+    context "anonymous" do
+      it { is_expected.to_not be_authenticated_for :index }
+      it { is_expected.to be_authenticated_for :new }
+      it { is_expected.to be_authenticated_for :create }
+      it { is_expected.to_not be_authenticated_for :edit }
+      it { is_expected.to_not be_authenticated_for :update }
+      it { is_expected.to_not be_authenticated_for :destroy }
+      it { is_expected.to_not be_authenticated_for :restore }
+    end
 
-  def show
+    context "signed in" do
+      before { Current.user = build :user }
+      
+      it { is_expected.to be_authenticated_for :index }
+      it { is_expected.to be_authenticated_for :new }
+      it { is_expected.to be_authenticated_for :create }
+      it { is_expected.to be_authenticated_for :edit }
+      it { is_expected.to be_authenticated_for :update }
+      it { is_expected.to be_authenticated_for :destroy }
+      it { is_expected.to be_authenticated_for :restore }
+    end
   end
 
-  private
+  describe UsersPolicy::Authorization do
+    subject { UsersPolicy::Authorization }
+
+    let(:user) { build :user }
+    
+    context "anonymous" do
+      it { is_expected.to be_authorized_for :index }
+      it { is_expected.to be_authorized_for :new }
+      it { is_expected.to be_authorized_for :create }
+      it { is_expected.to be_authorized_for :show, user: user }
+      it { is_expected.to_not be_authorized_for :edit, user: user }
+      it { is_expected.to_not be_authorized_for :update, user: user }
+      it { is_expected.to_not be_authorized_for :destroy, user: user }
+      it { is_expected.to_not be_authorized_for :restore, user: user }
+    end
 
-  def authenticated?
-    return true if user_signed_in?
+    context "if @user is Current.user" do
+      before { Current.user = user }
+      
+      it { is_expected.to be_authorized_for :show, user: user }
+      it { is_expected.to be_authorized_for :edit, user: user }
+      it { is_expected.to be_authorized_for :update, user: user }
+      it { is_expected.to be_authorized_for :destroy, user: user }
+      it { is_expected.to be_authorized_for :restore, user: user }
+    end
+
+    context "if @user is not Current.user" do
+      before { Current.user = build :user }
+
+      it { is_expected.to be_authorized_for :show, user: user }
+      it { is_expected.to_not be_authorized_for :edit, user: user }
+      it { is_expected.to_not be_authorized_for :update, user: user }
+      it { is_expected.to_not be_authorized_for :destroy, user: user }
+      it { is_expected.to_not be_authorized_for :restore, user: user }
+    end
   end
+end
+```
 
-  def authorized?
-    return true if current_user == @user
+## Differences to Action Policy
+[Action Policy](https://github.com/palkan/action_policy) is an awesome gem which works pretty similar to Active Entry. But there are some differences:
+
+### Action Policy expects a performing subject and a target object
+```ruby
+class PostPolicy < ApplicationPolicy
+  def update?
+    # `user` is a performing subject,
+    # `record` is a target object (post we want to update)
+    user.admin? || (user.id == record.user_id)
   end
 end
 ```
 
+In Active Entry you can pass in anything you want into the decision maker, which is accessible as instance variables. See Variables.
+
+One strategy is not better than the other. It's just our preference.
+
+### Policies in Action Policy are for Resources/Models
+If you have a `Post` model, you have a `PostPolicy` in Action Policy. In Active Entry you create policies for controllers. So if you have a `PostsController`, you have a `PostsPolicy`.
+We like to build access control logic around controller endpoints.
+
+### Action Policy performs only authorization
+Active Entry does technically also not provide authentication mechanisms. It's just that you place your authentication logic in an authentication decision maker.
+We like both authentication and authorization logic in the same place but seperated hence `UsersPolicy::Authentication` and `UsersPolicy::Authorization`.
+
 ## Contributing
 Create pull requests on Github and help us to improve this Gem. There are some guidelines to follow:
 
@@ -227,4 +414,4 @@ Create pull requests on Github and help us to improve this Gem. There are some g
  * Document methods that aren't self-explaining (we are using [YARD](http://yardoc.org/))
 
 ## License
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/app/controllers/concerns/active_entry/concern.rb

@@ -0,0 +1,57 @@
+require "active_support/concern"
+
+module ActiveEntry
+  module ControllerConcern
+    extend ActiveSupport::Concern
+
+    class_methods do
+      # Methods .authenticate_now!, .authorize_now!, and .pass_now!
+      [:authenticate, :authorize, :pass].each do |method_name|
+        define_method "#{method_name}_now!" do
+          before_action do
+            args = {}
+            instance_variables.collect{ |v| v.to_s.remove("@").to_sym }.each do |name|
+              value = instance_variable_get ["@", name].join
+              next if value.nil?
+              args[name] = value
+            end
+            send "#{method_name}!", **args
+          end
+        end
+      end
+
+      def verify_authentication!
+        after_action do
+          raise AuthenticationNotPerformedError.new(self.class, action_name) unless @__authentication_done
+        end
+      end
+
+      def verify_authorization!
+        after_action do
+          raise AuthorizationNotPerformedError.new(self.class, action_name) unless @__authorization_done
+        end
+      end
+    end
+
+    def pass! **args
+      authenticate! **args
+      authorize! **args
+    end
+    
+    def authenticate! **args
+      policy_class::Authentication.pass! action_name, **args unless @__authentication_done
+      @__authentication_done = true
+    end
+
+    def authorize! **args
+      policy_class::Authorization.pass! action_name, **args unless @__authorization_done
+      @__authorization_done = true
+    end
+
+    private
+
+    def policy_class
+      PolicyFinder.policy_for self.class.name.remove("Controller")
+    end
+  end
+end

data/app/helpers/active_entry/view_helper.rb

@@ -0,0 +1,20 @@
+module ActiveEntry
+  module ViewHelper
+    def authorized_for? controller_name, action, **args
+      controller_name = controller_name.to_s.camelize.remove "Controller"
+      policy = ActiveEntry::PolicyFinder.policy_for controller_name
+      policy::Authorization.pass? action, **args
+    end
+
+    def link_to_if_authorized name = nil, options = nil, html_options = nil, **args, &block
+      url = url_for options
+      method = options&.is_a?(Hash) && options[:method] ? options[:method].to_s.upcase : "GET"
+
+      recognized_path = Rails.application.routes.recognize_path(url, method: method)
+
+      authorized = authorized_for? recognized_path[:controller], recognized_path[:action], **args
+      
+      link_to name, options, html_options, &block if authorized
+    end
+  end
+end

data/lib/active_entry.rb

@@ -1,76 +1,13 @@
 require "active_entry/version"
+require "active_entry/generators"
 require "active_entry/errors"
-require "active_entry/controller_methods"
-require "active_entry/railtie" if defined? Rails::Railtie
+require "active_entry/base"
+require "active_entry/policy_finder"
 
-module ActiveEntry
-  # Authenticates the user
-  def authenticate!
-    general_decision_maker_method_name = :authenticated?
-    scoped_decision_maker_method_name = [action_name, :authenticated?].join("_").to_sym
-
-    general_decision_maker_defined = respond_to? general_decision_maker_method_name, true
-    scoped_decision_maker_defined = respond_to? scoped_decision_maker_method_name, true
-
-    # Check if a scoped decision maker method is defined and use it over
-    # general decision maker method.
-    decision_maker_to_use = scoped_decision_maker_defined ? scoped_decision_maker_method_name : general_decision_maker_method_name
-
-    # Raise an error if the #authenticate? action isn't defined.
-    #
-    # This ensures that you actually do authentication in your controller.
-    if !scoped_decision_maker_defined && !general_decision_maker_defined 
-      raise ActiveEntry::AuthenticationNotPerformedError
-    end
-    
-    error = {}
-
-    if method(decision_maker_to_use).arity > 0
-      is_authenticated = send decision_maker_to_use, error
-    else
-      is_authenticated = send decision_maker_to_use
-    end
-    
-    # If the authenticated? method returns not true
-    # it raises the ActiveEntry::NotAuthenticatedError.
-    #
-    # Use the .rescue_from method from ActionController::Base
-    # to catch the exception and show the user a proper error message.
-    raise ActiveEntry::NotAuthenticatedError.new(error) unless is_authenticated == true
-  end
-  
-  # Authorizes the user.
-  def authorize!
-    general_decision_maker_method_name = :authorized?
-    scoped_decision_maker_method_name = [action_name, :authorized?].join("_").to_sym
+require_relative "../app/controllers/concerns/active_entry/concern" if defined?(ActionController::Base)
+require 'active_entry/railtie' if defined?(Rails)
 
-    general_decision_maker_defined = respond_to? general_decision_maker_method_name, true
-    scoped_decision_maker_defined = respond_to? scoped_decision_maker_method_name, true
+require "active_support/inflector"
 
-    # Check if a scoped decision maker method is defined and use it over
-    # general decision maker method.
-    decision_maker_to_use = scoped_decision_maker_defined ? scoped_decision_maker_method_name : general_decision_maker_method_name
-
-    # Raise an error if the #authorize? action isn't defined.
-    #
-    # This ensures that you actually do authorization in your controller. 
-    if !scoped_decision_maker_defined && !general_decision_maker_defined 
-      raise ActiveEntry::AuthorizationNotPerformedError
-    end
-    
-    error = {}
-
-    if method(decision_maker_to_use).arity > 0
-      is_authorized = send(decision_maker_to_use, error)
-    else
-      is_authorized = send(decision_maker_to_use)
-    end
-
-    # If the authorized? method does not return true
-    # it raises the ActiveEntry::NotAuthorizedError
-    #
-    # Use the .rescue_from method from ActionController::Base
-    # to catch the exception and show the user a proper error message.
-    raise ActiveEntry::NotAuthorizedError.new(error) unless is_authorized == true
-  end
+module ActiveEntry
 end

data/lib/active_entry/base.rb

@@ -0,0 +1,66 @@
+module ActiveEntry
+  class Base
+    class Authentication < Base
+      AUTH_ERROR = NotAuthenticatedError
+      
+      def self.pass! method_name, **args
+        new(method_name, **args).pass!
+      end
+
+      def self.pass? method_name, **args
+        new(method_name, **args).pass?
+      end
+    end
+
+    class Authorization < Base
+      AUTH_ERROR = NotAuthorizedError
+      
+      def self.pass! method_name, **args
+        new(method_name, **args).pass!
+      end
+
+      def self.pass? method_name, **args
+        new(method_name, **args).pass?
+      end
+    end
+
+    def initialize method_name, **args
+      @_method_name_to_entrify = method_name
+      @_args = args
+      @_args.each { |name, value| instance_variable_set ["@", name].join, value }
+    end
+
+    class << self
+      def pass! method_name, **args
+        Authentication.pass! method_name, **args
+        Authorization.pass! method_name, **args
+      end
+
+      def pass? method_name, **args
+        Authentication.pass? method_name, **args
+        Authorization.pass? method_name, **args
+      end
+    end
+
+
+    def pass!
+      pass? or raise self.class::AUTH_ERROR.new(@error, @_method_name_to_entrify, @_args)
+    end
+
+    def pass?
+      decision_maker_method.call == true
+    end
+
+    def success
+      true
+    end
+
+    private
+
+    def decision_maker_method
+      decision_maker_method_name = [@_method_name_to_entrify, "?"].join
+      raise DecisionMakerMethodNotDefinedError.new(self.class, decision_maker_method_name) unless respond_to?(decision_maker_method_name)
+      method decision_maker_method_name
+    end
+  end
+end

data/lib/active_entry/errors.rb

@@ -1,66 +1,65 @@
-# @author Tobias Feistmantl
 module ActiveEntry
-  # Generic authorization error.
-  # Other, more specific, errors inherit from this one.
-  #
-  # @raise [AuthorizationError]
-  #    if something generic is happening.
-  class AuthorizationError < StandardError
+  class Error < StandardError
   end
 
-  # Error for controllers in which authorization isn't handled.
-  #
-  # @raise [AuthorizationNotPerformedError]
-  #    if the #authorized? method isn't defined
-  #    in the controller class.
-  class AuthorizationNotPerformedError < AuthorizationError
+  class AuthError < Error
+    attr_reader :error, :method, :arguments
+
+    def initialize error, method, arguments
+      @error = error
+      @method = method 
+      @arguments = arguments
+      @message = "Not authenticated/authorized for method ##{@method}"
+
+      super @message
+    end
   end
 
-  # Error if user unauthorized.
-  #
-  # @raise [NotAuthorizedError]
-  #    if authorized? isn't returning true.
-  #
-  # @note
-  #    Should always be called at the end
-  #    of the #authorize! method.
-  class NotAuthorizedError < AuthorizationError
-    attr_reader :error
+  class NotAuthenticatedError < AuthError
+  end
 
-    def initialize(error={})
-      @error = error
+  class NotAuthorizedError < AuthError
+  end
+
+  class NotPerformedError < Error
+    attr_reader :class_name, :method
+
+    def initialize class_name, method
+      @class_name = class_name
+      @method = method
+      @message = "Auth not performed for #{@class_name}##{@method}."
+      
+      super @message
     end
   end
 
+  class AuthenticationNotPerformedError < NotPerformedError
+  end
 
-  # Base class for authentication errors.
-  #
-  # @raise [AuthenticationError]
-  #    if something generic happens.
-  class AuthenticationError < StandardError
+  class AuthorizationNotPerformedError < NotPerformedError
   end
 
-  # Error for controllers in which authentication isn't handled.
-  #
-  # @raise [AuthenticationNotPerformedError]
-  #    if the #authenticated? method isn't defined
-  #    in the controller class.
-  class AuthenticationNotPerformedError < AuthenticationError
+  class NotDefinedError < Error
+    attr_reader :policy_name, :class_name
+
+    def initialize policy_name, class_name
+      @policy_name = policy_name
+      @class_name = class_name
+      @message = "Policy #{policy_name} for class #{@class_name} not defined."
+
+      super @message
+    end
   end
 
-  # Error if user not authenticated
-  #
-  # @raise [NotAuthenticatedError]
-  #    if authenticated? isn't returning true.
-  #
-  # @note
-  #    Should always be called at the end
-  #    of the #authenticate! method.
-  class NotAuthenticatedError < AuthenticationError
-    attr_reader :error
+  class DecisionMakerMethodNotDefinedError < Error
+    attr_reader :policy_name, :decision_maker_method_name
 
-    def initialize(error={})
-      @error = error
+    def initialize policy_name, decision_maker_method_name
+      @policy_name = policy_name
+      @decision_maker_method_name = decision_maker_method_name
+      @message = "Decision maker #{policy_name}##{decision_maker_method_name} is not defined."
+
+      super @message
     end
   end
 end

data/lib/active_entry/generators.rb

@@ -0,0 +1,4 @@
+module ActiveEntry
+  module Generators
+  end
+end

data/lib/active_entry/policy_finder.rb

@@ -0,0 +1,25 @@
+module ActiveEntry
+  class PolicyFinder
+    attr_reader :class_name
+
+    def initialize class_name
+      @class_name = class_name
+    end
+
+    class << self
+      def policy_for class_name
+        new(class_name).policy
+      end
+    end
+
+    def policy
+      policy_class_name.safe_constantize or raise NotDefinedError.new(policy_class_name, @class_name)
+    end
+
+    private
+
+    def policy_class_name
+      [@class_name, "Policy"].join
+    end
+  end
+end

data/lib/active_entry/railtie.rb

@@ -1,9 +1,9 @@
+require_relative '../../app/helpers/active_entry/view_helper'
+
 module ActiveEntry
-  class Railtie < ::Rails::Railtie
-    initializer 'active_entry.include_in_action_controller' do
-      ActiveSupport.on_load :action_controller do
-        ::ActionController::Base.include(ActiveEntry)
-      end
+  class Railtie < Rails::Railtie
+    initializer "active_entry.view_helper" do
+      ActiveSupport.on_load(:action_view) { include ActiveEntry::ViewHelper }
     end
   end
-end
+end

data/lib/active_entry/rspec.rb

@@ -0,0 +1,56 @@
+module ActiveEntry
+  module Rspec
+    module Matchers
+      extend ::RSpec::Matchers::DSL
+
+      matcher :be_authenticated_for do |action, **args|
+        match do |policy|
+          policy.pass? action, **args
+        end
+
+        description do
+          "be authenticated for #{action}"
+        end
+
+        failure_message do |policy|
+          "expected that #{policy} passes authentication for #{action}"
+        end
+      end
+
+      matcher :be_authorized_for do |action, **args|
+        match do |policy|
+          policy.pass? action, **args
+        end
+
+        description do
+          "be authorized for #{action}"
+        end
+
+        failure_message do |policy|
+          "expected that #{policy} passes authorization for #{action}"
+        end
+      end
+    end
+
+    module DSL
+    end
+
+    module PolicyExampleGroup
+      include ActiveEntry::Rspec::Matchers
+
+      def self.included(base)
+        base.metadata[:type] = :policy
+        base.extend ActiveEntry::Rspec::DSL
+        super
+      end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include(
+    ActiveEntry::Rspec::PolicyExampleGroup,
+    type: :policy,
+    file_path: %r{spec/policies}
+  )
+end

data/lib/active_entry/version.rb

@@ -1,3 +1,3 @@
 module ActiveEntry
-  VERSION = '1.1.0'
+  VERSION = '2.0.1'
 end

data/lib/generators/active_entry/install/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Installs Active Entry. Generates an ApplicationPolicy.
+
+Example:
+    bin/rails generate active_entry:install
+
+    This will create:
+        app/policies/application_policy.rb

data/lib/generators/active_entry/install/install_generator.rb

@@ -0,0 +1,9 @@
+module ActiveEntry
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path('templates', __dir__)
+
+    def create_application_policy
+      template "application_policy.rb", File.join("app/policies/application_policy.rb"), skip: true
+    end
+  end
+end

data/lib/generators/active_entry/install/templates/application_policy.rb

@@ -0,0 +1,7 @@
+module ApplicationPolicy
+  class Authentication < ActiveEntry::Base::Authentication
+  end
+
+  class Authorization < ActiveEntry::Base::Authorization
+  end
+end

data/lib/generators/policy/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Generates a new policy class for authentication/authorization.
+
+Example:
+    bin/rails generate policy Users
+
+    This will create:
+        app/policies/users_policy.rb

data/lib/generators/policy/policy_generator.rb

@@ -0,0 +1,7 @@
+class PolicyGenerator < Rails::Generators::NamedBase
+  source_root File.expand_path('templates', __dir__)
+
+  def create_policy
+    template "policy.rb", File.join("app/policies", class_path, "#{file_name}_policy.rb")
+  end
+end

data/lib/generators/policy/templates/policy.rb

@@ -0,0 +1,53 @@
+module <%= class_name %>Policy
+  class Authentication < ApplicationPolicy::Authentication
+    # It's all about decision makers. In your decision makers you tell
+    # Active Entry when and if somebody is authenticated/authorized.
+    #
+    # You can declare decision makers for any method you want.
+    # Just use the same name as your action and add a ? at the end.
+
+    # def index?
+    # end
+
+    # def new?
+    # end
+
+    # def create?
+    # end
+
+    # def show?
+    # end
+
+    # def edit?
+    # end
+
+    # def update?
+    # end
+
+    # def destroy?
+    # end
+  end
+
+  class Authorization < ApplicationPolicy::Authorization
+    # def index?
+    # end
+
+    # def new?
+    # end
+
+    # def create?
+    # end
+
+    # def show?
+    # end
+
+    # def edit?
+    # end
+
+    # def update?
+    # end
+
+    # def destroy?
+    # end
+  end
+end

data/lib/generators/rspec/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Generates a new policy spec to test authentication/authorization.
+
+Example:
+    bin/rails generate rspec:policy Users
+
+    This will create:
+        spec/policies/users_policy_spec.rb

data/lib/generators/rspec/policy_generator.rb

@@ -0,0 +1,11 @@
+module Rspec
+  module Generators
+    class PolicyGenerator < Rails::Generators::NamedBase
+      source_root File.expand_path("templates", __dir__)
+
+      def create_policy_spec
+        template "policy_spec.rb", File.join("spec/policies", class_path, "#{file_name}_policy_spec.rb")
+      end
+    end
+  end
+end

data/lib/generators/rspec/templates/policy_spec.rb

@@ -0,0 +1,5 @@
+require "<%= File.exists?('spec/rails_helper.rb') ? 'rails_helper' : 'spec_helper' %>"
+
+RSpec.describe <%= class_name %>Policy, type: :policy do
+  pending "add some examples to (or delete) #{__FILE__}"
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: active_entry
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.1
 platform: ruby
 authors:
 - TFM Agency GmbH
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-03 00:00:00.000000000 Z
+date: 2021-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -81,8 +81,8 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: An easy and flexible access control system. No need for policies, abilities,
-  etc. Do authentication and authorization directly in your controller.
+description: An easy and flexible access control system. Authentication and authorization
+  before a method/action is executed.
 email:
 - hello@tfm.agency
 executables: []
@@ -92,11 +92,25 @@ files:
 - MIT-LICENSE
 - README.md
 - Rakefile
+- app/controllers/concerns/active_entry/concern.rb
+- app/helpers/active_entry/view_helper.rb
 - lib/active_entry.rb
-- lib/active_entry/controller_methods.rb
+- lib/active_entry/base.rb
 - lib/active_entry/errors.rb
+- lib/active_entry/generators.rb
+- lib/active_entry/policy_finder.rb
 - lib/active_entry/railtie.rb
+- lib/active_entry/rspec.rb
 - lib/active_entry/version.rb
+- lib/generators/active_entry/install/USAGE
+- lib/generators/active_entry/install/install_generator.rb
+- lib/generators/active_entry/install/templates/application_policy.rb
+- lib/generators/policy/USAGE
+- lib/generators/policy/policy_generator.rb
+- lib/generators/policy/templates/policy.rb
+- lib/generators/rspec/USAGE
+- lib/generators/rspec/policy_generator.rb
+- lib/generators/rspec/templates/policy_spec.rb
 - lib/tasks/active_entry_tasks.rake
 homepage: https://github.com/TFM-Agency/active_entry
 licenses:

data/lib/active_entry/controller_methods.rb

@@ -1,82 +0,0 @@
-# @author Tobias Feistmantl
-#
-# Helper methods for your controller
-# to identify RESTful actions.
-module ActiveEntry
-  def method_missing method_name, *args
-    method_name_str = method_name.to_s
-    
-    if methods.include?(:action_name) && method_name_str.include?("_action?")
-      method_name_str.slice! "_action?"
-      
-      if methods.include? method_name_str.to_sym
-        return method_name_str == action_name
-      end
-    end
-
-    super
-  end
-
-  # @return [Boolean]
-  #    True if the called action
-  #    is a only-read action.
-  def read_action?
-    action_name == 'index' ||
-    action_name == 'show'
-  end
-
-  # @return [Boolean]
-  #    True if the called action
-  #    is a write action.
-  def write_action?
-    action_name == 'new' ||
-    action_name == 'create' ||
-    action_name == 'edit' ||
-    action_name == 'update' ||
-    action_name == 'destroy'
-  end
-
-  # @return [Boolean]
-  #    True if the called action
-  #    is a change action.
-  def change_action?
-    action_name == 'edit' ||
-    action_name == 'update' ||
-    action_name == 'destroy'
-  end
-
-  # @note
-  #    Also true for the pseudo
-  #    update action `new`.
-  #
-  # @note
-  #    Only true for create methods
-  #    such as new and create.
-  #
-  # @return [Boolean]
-  #    True if the called action
-  #    is a create action.
-  def create_action?
-    action_name == 'new' ||
-    action_name == 'create'
-  end
-
-  # @note
-  #    Also true for the pseudo
-  #    update action `edit`.
-  #
-  # @return [Boolean]
-  #    True if the called action
-  #    is a update action.
-  def update_action?
-    action_name == 'edit' ||
-    action_name == 'update'
-  end
-
-  # @return [Boolean]
-  #    True if it's a destroy action.
-  def destroy_action?
-    action_name == 'destroy'
-  end
-  alias delete_action? destroy_action?
-end