active_security 1.0.0

data/lib/active_security/scoped.rb

@@ -0,0 +1,100 @@
+module ActiveSecurity
+  # @guide begin
+  #
+  # ## Required Scope
+  #
+  # The {ActiveSecurity::Scoped} module allows ActiveSecurity to enforce querying
+  # within a scope.
+  #
+  # This allows, for example:
+  #
+  #     class Restaurant < ActiveRecord::Base
+  #       extend ActiveSecurity
+  #       belongs_to :city
+  #       active_security use: :scoped, scope: :city
+  #     end
+  #
+  #     class City < ActiveRecord::Base
+  #       extend ActiveSecurity
+  #       has_many :restaurants
+  #     end
+  #
+  #     City.find_by(name: "seattle").restaurants.restricted.find(23)
+  #     City.find_by(name: "chicago").restaurants.restricted.find(23)
+  #
+  # The value for the `:scope` option can be the name of a `belongs_to` relation, or
+  # a column.
+  #
+  # Additionally, the `:scope` option can receive an array of scope values:
+  #
+  #     class Cuisine < ActiveRecord::Base
+  #       extend ActiveSecurity
+  #       has_many :restaurants
+  #     end
+  #
+  #     class City < ActiveRecord::Base
+  #       extend ActiveSecurity
+  #       has_many :restaurants
+  #     end
+  #
+  #     class Restaurant < ActiveRecord::Base
+  #       extend ActiveSecurity
+  #       belongs_to :city
+  #       active_security use: :scoped, scope: [:city, :cuisine]
+  #     end
+  #
+  # All supplied values will be used to determine scope.
+  #
+  # ### Finding Records
+  #
+  # It's best to query through the relation:
+  #
+  #     @city.restaurants.restricted.find(23)
+  #
+  # Alternatively, you could pass the scope value as a query parameter:
+  #
+  #     Restaurant.where(city_id: @city.id).restricted.find(23)
+  #
+  # @guide end
+  module Scoped
+    class << self
+      # Sets up behavior and configuration options for scoped feature.
+      def included(model_class)
+        model_class.class_eval do
+          active_security_config.class.send(:include, Configuration)
+        end
+      end
+    end
+
+    # This module adds the `:scope` configuration option to
+    # {ActiveSecurity::Configuration ActiveSecurity::Configuration}.
+    module Configuration
+      # Gets the scope value.
+      #
+      # When setting this value, the argument should be a symbol referencing a
+      # `belongs_to` relation, or a column.
+      #
+      # @return Symbol The scope value
+      attr_accessor :scope
+
+      # Gets the scope columns.
+      #
+      # Checks to see if the `:scope` option passed to
+      # {ActiveSecurity::Base#active_security} refers to a relation, and if so, returns
+      # the relation's foreign key. Otherwise it assumes the option value was
+      # the name of column and returns it cast to a String.
+      #
+      # @return String The scope column
+      def scope_columns
+        [@scope].flatten.map { |s| (reflection_foreign_key(s) or s).to_s }
+      end
+
+      private
+
+      def reflection_foreign_key(scope)
+        reflection = model_class.reflections[scope] || model_class.reflections[scope.to_s]
+        reflection.try(:foreign_key)
+      end
+    end
+  end
+end

data/lib/active_security/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module ActiveSecurity
+  module Version
+    VERSION = "1.0.0"
+  end
+end

data/lib/active_security.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+# External Libraries
+require "version_gem"
+require "active_record"
+require "active_support"
+
+# This library
+require_relative "active_security/version"
+require_relative "active_security/base"
+require_relative "active_security/configuration"
+require_relative "active_security/finder_methods"
+require_relative "active_security/privileged_hooks"
+require_relative "active_security/restricted_hooks"
+
+module ActiveSecurity
+  class RestrictedAccessError < RuntimeError; end
+
+  class UnhandledArelPredicateError < RuntimeError; end
+
+  class InvalidConfig < ArgumentError; end
+
+  autoload :Finders, "active_security/finders"
+  autoload :Privileged, "active_security/privileged"
+  autoload :Restricted, "active_security/restricted"
+  autoload :Scoped, "active_security/scoped"
+
+  class << self
+    # ActiveSecurity takes advantage of `extended` to do basic model setup, primarily
+    # extending {ActiveSecurity::Base} to add {ActiveSecurity::Base#active_security
+    # active_security} as a class method.
+    #
+    # In addition to adding {ActiveSecurity::Base#active_security active_security}, the class
+    # instance variable +@active_security_config+ is added. This variable is an
+    # instance of an anonymous subclass of {ActiveSecurity::Configuration}. This
+    # allows subsequently loaded modules like {ActiveSecurity::Scoped} to add
+    # functionality to the configuration class only for the current class,
+    # rather than monkey patching {ActiveSecurity::Configuration} directly.
+    # This isolates other models from large feature changes an addon to
+    # ActiveSecurity could potentially introduce.
+    #
+    # The upshot of this is, you can have two Active Record models that both have
+    # a @active_security_config, but each config object can have different methods
+    # and behaviors depending on what modules have been loaded, without
+    # conflicts.  Keep this in mind if you're hacking on ActiveSecurity.
+    #
+    # For examples of this, see the source for {Scoped.included}.
+    def extended(model_class)
+      return if model_class.respond_to?(:active_security)
+      class << model_class
+        alias_method :relation_without_active_security, :relation
+      end
+      model_class.class_eval do
+        extend(Base)
+        @active_security_config = Class.new(Configuration).new(self) # rubocop:disable ThreadSafety/InstanceVariableInClassMethod
+        ActiveSecurity.defaults.call(@active_security_config) # rubocop:disable ThreadSafety/InstanceVariableInClassMethod
+      end
+    end
+
+    # Allow developers to `include` ActiveSecurity or `extend` it.
+    def included(model_class)
+      model_class.extend(self)
+    end
+
+    # Set global defaults for all models using ActiveSecurity.
+    #
+    # The default defaults are to use the `:restricted` module and nothing else.
+    #
+    # @example
+    #   ActiveSecurity.defaults do |config|
+    #     config.base :name
+    #     config.use :something_else
+    #   end
+    def defaults(&block)
+      @defaults = block if block # rubocop:disable ThreadSafety/InstanceVariableInClassMethod
+      @defaults ||= ->(config) { config.use(:restricted) } # rubocop:disable ThreadSafety/InstanceVariableInClassMethod
+    end
+
+    # If you need to reset the defaults to original defaults, just call without a block:
+    #
+    #   ActiveSecurity.reset_defaults
+    #
+    def reset_defaults
+      @defaults = nil # rubocop:disable ThreadSafety/InstanceVariableInClassMethod
+    end
+  end
+end
+
+ActiveSecurity::Version.class_eval do
+  extend VersionGem::Basic
+end

metadata

@@ -0,0 +1,394 @@
+--- !ruby/object:Gem::Specification
+name: active_security
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Peter Boling
+autorequire:
+bindir: exe
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+  ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+  A2NvbTAeFw0yMzA5MjAxNzMwMjhaFw0yNDA5MTkxNzMwMjhaMEMxFTATBgNVBAMM
+  DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+  LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA+a9UvHo3
+  84k96WgU5Kk5HB+cLZs/modjorsTfqY67MJF5nNvAoqcKTUBW4uG+Zpfnm3jaDO5
+  GxhJEIZWfndYzycHT2KMVQ1uTP82ba8ZaKrPlPIafkbui3mdds47qsmqHiblKERg
+  U532lkwfqHDlJwE7OBZQ59EwWWLynlT/yAUHpOBbqIuHKUxdpmBI+sIjrZcD1e05
+  WmjkO6fwIdC5oM757aoPxIgXD587VOViH11Vkm2doskj4T8yONtwVHlcrrhJ9Bzd
+  /zdp6vEn7GZQrABvpOlqwWxQ72ZnFhJe/RJZf6CXOPOh69Ai0QKYl2a1sYuCJKS3
+  nsBnxXJINEEznjR7rZjNUmYD+CZqfjzgPqedRxTlASe7iA4w7xZOqMDzcuhNwcUQ
+  tMEH6BTktxKP3jXZPXRfHCf6s+HRVb6vezAonTBVyydf5Xp5VwWkd6cwm+2BzHl5
+  7kc/3lLxKMcsyEUprAsk8LdHohwZdC267l+RS++AP6Cz6x+nB3oGob19AgMBAAGj
+  fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQCSSas60GqqMjt
+  xR7LoY1gucEvtzAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+  A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+  ggGBAMl9ifcw5p+PdvB7dCPoNKoVdp/2LbC9ztETHuYL2gUMJB6UoS3o9c/piSuR
+  V3ZMQaijmNu6ms1bWAtJ66LjmYrVflJtf9yp31Kierr9LpisMSUx2qbMOHGa8d2Z
+  vCUWPF8E9Cg0mP3GAyZ6qql8jDh/anUKeksPXqJvNxNPDu2DVYsa/IWdl96whzS4
+  Bl7SwB1E7agps40UcshCSKaVDOU0M+XN6SrnJMElnBic+KSAkBkVFbzS0BE4ODZM
+  BgE6nYzQ05qhuvbE+oGdACTlemNtDDWCh0uw+7x0q2PocGIDU5zsPn/WNTkCXPmB
+  CHGvqDNWq4M7ncTKAaS2XExgyb7uPdq9fKiOW8nmH+zCiGzJXzBWwZlKf7L4Ht9E
+  a3f0e5C+zvee9Z5Ng9ciyfav9/fcXgYt5MjoBv27THr5XfBhgOCIHSYW2tqJmWKi
+  KuxrfYrN+9HvMdm+nZ6TypmKftHY3Gj+/uu+g8Icm/zrvTWAEE0mcJOkfrIoNPJb
+  pF8dMA==
+  -----END CERTIFICATE-----
+date: 2024-07-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: version_gem
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.1.4
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '13'
+- !ruby/object:Gem::Dependency
+  name: anonymous_active_record
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.8
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.8
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: rspec-block_is_expected
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.5
+- !ruby/object:Gem::Dependency
+  name: rspec-pending_for
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.16
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.16
+- !ruby/object:Gem::Dependency
+  name: silent_stream
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.8
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.8
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.9
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.9
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: kettle-soup-cover
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+- !ruby/object:Gem::Dependency
+  name: rubocop-lts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '18.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 18.2.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '18.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 18.2.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-packaging
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.5.2
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.34
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.9.34
+- !ruby/object:Gem::Dependency
+  name: yard-junk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+description: Disallow insecure, unscoped, finds
+email:
+- peter.boling@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- LICENSE.txt
+- README.md
+- SECURITY.md
+- lib/active_security.rb
+- lib/active_security/base.rb
+- lib/active_security/configuration.rb
+- lib/active_security/finder_methods.rb
+- lib/active_security/finders.rb
+- lib/active_security/privileged.rb
+- lib/active_security/privileged_hooks.rb
+- lib/active_security/restricted.rb
+- lib/active_security/restricted_hooks.rb
+- lib/active_security/scoped.rb
+- lib/active_security/version.rb
+homepage: https://github.com/pboling/active_security
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/pboling/active_security
+  source_code_uri: https://github.com/pboling/active_security/tree/v1.0.0
+  changelog_uri: https://github.com/pboling/active_security/blob/v1.0.0/CHANGELOG.md
+  bug_tracker_uri: https://github.com/pboling/active_security/issues
+  documentation_uri: https://www.rubydoc.info/gems/active_security/1.0.0
+  wiki_uri: https://github.com/pboling/active_security/wiki
+  funding_uri: https://liberapay.com/pboling
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.14
+signing_key:
+specification_version: 4
+summary: Prevent insecure, unscoped, finds
+test_files: []