admission 0.1.6

data/README.md

@@ -0,0 +1,2 @@
+write-me
+(sorry, work in progress)

data/admission.gemspec

@@ -0,0 +1,18 @@
+require_relative 'lib/admission/version'
+
+Gem::Specification.new do |spec|
+
+  spec.name = 'admission'
+  spec.version = Admission::VERSION
+  spec.summary = 'admission library'
+  spec.license = 'GPL-3.0'
+
+  spec.homepage = 'https://github.com/doooby/admission'
+  spec.author = 'doooby'
+  spec.description = 'update-me'
+  spec.email = 'zelazk.o@email.cz'
+
+  library_files = (`git ls-files -z`).split "\x0"
+  spec.files = library_files
+
+end

data/bin/rspec

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+
+load Gem.bin_path('rspec-core', 'rspec')

data/lib/admission.rb

@@ -0,0 +1,9 @@
+require_relative 'admission/admission'
+require_relative 'admission/version'
+
+require_relative 'admission/privilege'
+require_relative 'admission/status'
+require_relative 'admission/arbitration'
+require_relative 'admission/resource_arbitration'
+
+require_relative 'admission/denied'

data/lib/admission/ability.rb

@@ -0,0 +1,140 @@
+# class Admission::Ability
+#
+#   attr_reader :status
+#
+#   def initialize status, arbiter=Admission::RequestArbitration
+#     @status = status
+#     @no_privileges = @status.privileges.nil? || @status.privileges.empty?
+#     @arbiter = arbiter
+#   end
+#
+#   # def can? *agrs
+#   #   return false if @no_privileges
+#   #   # subject, object = subject_and_object subject
+#   #   process @arbiter.new(status)
+#   #   process Arbitration.new(status.user, action), subject, object
+#   # end
+#
+#   def cannot? *args
+#     !can?(*args)
+#   end
+#
+#   class << self
+#
+#     # attr_reader :rules_index
+#
+#     # def define_for_privileges privileges, &block
+#     # end
+#
+#     # def set_up_rules &block
+#     #   @rules_index = []
+#     #   self.instance_exec &block
+#     #   remove_instance_variable :@privilege
+#     #
+#     #   @rules_index = @rules_index.reduce Hash.new do |index, allowance|
+#     #     privilege = allowance[:privilege]
+#     #
+#     #     actions = allowance[:actions]
+#     #     *actions = actions unless Array === actions
+#     #     actions = %i[all] if actions.include? :all
+#     #
+#     #     subject_index = (index[allowance[:subject]] ||= {})
+#     #     resource_index = (index[allowance[:resource_type]] ||= {} if allowance[:resource_type])
+#     #
+#     #     actions.each do |action|
+#     #       subject_arbiter = allowance[:arbiter]
+#     #
+#     #       if resource_index
+#     #         action_index = (resource_index[action] ||= {})
+#     #         action_index[privilege] = allowance[:arbiter]
+#     #
+#     #         subject_arbiter = true
+#     #       end
+#     #
+#     #       action_index = (subject_index[action] ||= {})
+#     #       action_index[privilege] = subject_arbiter
+#     #     end
+#     #
+#     #     index
+#     #   end
+#     # end
+#
+#     # def privilege name, level=nil, &block
+#     #   @rules_index || raise('must be called within `set_rules` block')
+#     #   @privilege = Admission.get_privilege(name, level) || raise("no such privilege: #{name}-#{level}")
+#     #   self.instance_exec &block
+#     #   @privilege = nil
+#     # end
+#     #
+#     # def allow subject, actions=:all
+#     #   raise 'must be called within `privilege` block' unless @privilege
+#     #   @rules_index << {
+#     #       privilege: @privilege,
+#     #       subject: subject,
+#     #       actions: actions,
+#     #       arbiter: true
+#     #   }
+#     # end
+#     #
+#     # def forbid subject, actions=:all
+#     #   raise 'must be called within `privilege` block' unless @privilege
+#     #   @rules_index << {
+#     #       privilege: @privilege,
+#     #       subject: subject,
+#     #       actions: actions,
+#     #       arbiter: :forbid
+#     #   }
+#     # end
+#     #
+#     # def allow_resource type, actions=:all, lambda=nil, &block
+#     #   raise 'must be called within `privilege` block' unless @privilege
+#     #   @rules_index << {
+#     #       privilege: @privilege,
+#     #       subject: resource_type_to_subject(type),
+#     #       resource_type: type,
+#     #       actions: actions,
+#     #       arbiter: lambda || block || true
+#     #   }
+#     # end
+#
+#     private
+#
+#     # def resource_type_to_subject type
+#     #   raise "bad resource type, must respond to `#name` (should be class)" unless type.respond_to? :name
+#     #   name = type.name.downcase
+#     #   if name.respond_to? :pluralize
+#     #     name.pluralize
+#     #   else
+#     #     raise 'Not implemented: unable to make subject id from resource without active_support'
+#     #   end
+#     #
+#     # end
+#
+#   end
+#
+#   private
+#
+#   # def subject_and_object object
+#   #   Symbol === object ? object : [objec.class, object]
+#   # end
+#
+#   # def process arbitration, subject, object
+#   #   all_index = self.class.rules_index[:all]
+#   #   subject_index = self.class.rules_index[subject]
+#   #   type_index = (self.class.rules_index[object] if object)
+#   #   arbitration.introduce_indices all_index, subject_index, type_index
+#   #
+#   #   status.privileges.any? do |privilege|
+#   #     arbitration.prepare_sitting object, *privilege.context
+#   #     TrueClass === arbitration.rule(privilege)
+#   #   end
+#   # end
+#
+#   def process arbitration
+#     status.privileges.any? do |privilege|
+#       arbitration.prepare_sitting object, *privilege.context
+#       arbitration.rule_per_privilege(privilege).eql? true
+#     end
+#   end
+#
+# end

data/lib/admission/admission.rb

@@ -0,0 +1,6 @@
+module Admission
+
+  VALID_DECISION = [true, false, :forbidden, nil]
+  ALL_ACTION = :all
+
+end

data/lib/admission/arbitration.rb

@@ -0,0 +1,126 @@
+class Admission::Arbitration
+
+
+  def initialize person, rules_index, request
+    @person = person
+    @rules_index = rules_index
+    @request = request.to_sym
+  end
+
+  def prepare_sitting *context
+    @context = context
+    @decisions = {}
+  end
+
+  def rule_per_privilege privilege
+    decision = @decisions[privilege]
+    return decision unless decision.nil?
+
+    decision = decide privilege
+
+    decision = false if decision.nil?
+    @decisions[privilege] = decision
+  end
+
+  def make_decision from_rules, privilege
+    if from_rules
+      decision = from_rules[privilege]
+      decision = @person.instance_exec *@context, &decision if Proc === decision
+
+      unless Admission::VALID_DECISION.include? decision
+        raise "invalid decision: #{decision}"
+      end
+
+      decision
+    end
+  end
+
+  def decide_per_inheritance privilege
+    inherited = privilege.inherited
+    return nil if inherited.nil? || inherited.empty?
+
+    explicit_allowance = false
+    inherited.each do |p|
+      rule = rule_per_privilege p
+      return rule if rule == :forbidden
+      explicit_allowance ||= rule
+    end
+    explicit_allowance
+  end
+
+  def decide privilege
+    decision = make_decision @rules_index[@request], privilege
+    return decision if decision.eql?(:forbidden) || decision.eql?(true)
+
+    decision = decide_per_inheritance privilege
+    return decision if decision.eql?(:forbidden) || decision.eql?(true)
+
+    make_decision @rules_index[Admission::ALL_ACTION], privilege
+  end
+
+  def self.define_rules privilege_order, &block
+    builder = self::RulesBuilder.new privilege_order
+    builder.instance_exec &block
+    builder.create_index
+  end
+
+  class RulesBuilder
+
+    attr_reader :privilege_order
+
+    def initialize privilege_order
+      @rules = []
+      @privilege_order = privilege_order
+    end
+
+    def privilege name, level=nil
+      @privilege = Admission::Privilege.get_from_order privilege_order, name, level
+      raise "no such privilege: #{name}-#{level}" unless @privilege
+      yield
+      @privilege = nil
+    end
+
+    def allow *actions, &block
+      raise "reserved action name #{Admission::ALL_ACTION}" if actions.include? Admission::ALL_ACTION
+      add_allowance_rule actions.flatten, (block || true)
+    end
+
+    def allow_all &block
+      add_allowance_rule [Admission::ALL_ACTION], (block || true)
+    end
+
+    def forbid *actions
+      raise "reserved action name #{Admission::ALL_ACTION}" if actions.include? Admission::ALL_ACTION
+      add_allowance_rule actions.flatten, :forbidden
+    end
+
+    def add_allowance_rule actions, arbiter, **options
+      raise 'must be called within `privilege` block' unless @privilege
+
+      @rules << options.merge!(
+          privilege: @privilege,
+          actions: actions,
+          arbiter: arbiter
+      )
+    end
+
+    def create_index
+      index_instance = @rules.reduce Hash.new do |index, allowance|
+        privilege = allowance[:privilege]
+        actions = allowance[:actions]
+        arbiter = allowance[:arbiter]
+
+        actions.each do |action|
+          action_index = (index[action] ||= {})
+          action_index[privilege] = arbiter
+        end
+
+        index
+      end
+
+      index_instance.freeze
+    end
+
+  end
+
+end

data/lib/admission/denied.rb

@@ -0,0 +1,15 @@
+class Admission::Denied < ::StandardError
+
+  attr_reader :status, :request_args
+  attr_accessor :message
+
+  def initialize status, *request_args
+    @status = status
+    @request_args = request_args
+  end
+
+  def to_s
+    @message || 'Admission denied.'
+  end
+
+end

data/lib/admission/privilege.rb

@@ -0,0 +1,129 @@
+class Admission::Privilege
+
+  RESERVED_ID = :'^'
+  TOP_LEVEL_KEY = RESERVED_ID
+  BASE_LEVEL_NAME = :base
+
+  attr_reader :name, :level, :hash
+  attr_reader :inherited, :context
+
+  def initialize name, level=nil
+    name = name.to_sym
+    @name = name
+    level = level ? level.to_sym : BASE_LEVEL_NAME
+    @level = level
+    @hash = [name, level].hash
+  end
+
+  def inherits_from *privileges
+    @inherited = privileges
+  end
+
+  def dup_with_context *context
+    context = context.flatten.compact
+    return self if context.empty?
+    with_context = dup
+    with_context.instance_variable_set :@context, context
+    with_context
+  end
+
+  def eql? other
+    hash == other.hash
+  end
+
+  def text_key
+    level == BASE_LEVEL_NAME ? name.to_s : "#{name}-#{level}"
+  end
+
+  def to_s
+    "<#{[
+        'Privilege',
+        "key=#{text_key}",
+        (inherited && "inherited=[#{inherited.map(&:text_key).join ','}]")
+    ].compact.join ' '}>"
+  end
+  alias :inspect :to_s
+
+  def self.define_order &block
+    Admission::Privilege::OrderDefiner.define &block
+  end
+
+  def self.get_from_order index, name, level=nil
+    levels = index[name.to_sym] || return
+    if level && !level.empty?
+      levels[level.to_sym]
+    else
+      levels[Admission::Privilege::BASE_LEVEL_NAME]
+    end
+  end
+
+  class OrderDefiner
+
+    attr_reader :definitions
+
+    def initialize
+      @definitions = {}
+    end
+
+    def privilege name, levels: [], inherits: nil
+      name = name.to_sym
+      if ([name] + levels).any?{|id| id == Admission::Privilege::RESERVED_ID }
+        raise "reserved name `#{Admission::Privilege::RESERVED_ID}` !"
+      end
+
+      levels.unshift Admission::Privilege::BASE_LEVEL_NAME
+      levels.map!{|level| Admission::Privilege.new name, level}
+
+      inherits = nil if inherits && inherits.empty?
+      if inherits
+        inherits = *inherits
+        inherits = inherits.map(&:to_sym).uniq
+      end
+
+      @definitions[name] = {levels: levels, inherits: inherits}
+    end
+
+    def self.define &block
+      definer = new
+      definer.instance_exec &block
+
+      definer.send :setup_inheritance
+      definer.send :build_index
+    end
+
+    private
+
+    def setup_inheritance
+      # set inheritance for all privileges
+      definitions.values.each do |levels:, inherits:|
+        levels.each_with_index do |privilege, index|
+          if index > 0 # higher level of privilege, inherits one step lower level
+            privilege.inherits_from levels[index - 1]
+
+          elsif inherits # lowest level, inherits top level of other privileges
+            inherits = inherits.map{|name| definitions[name][:levels].last if definitions.has_key? name}
+            privilege.inherits_from *inherits
+
+          end
+        end
+      end
+    end
+
+    def build_index
+      definitions.each_pair.reduce({}) do |h, pair|
+        name = pair[0]
+        levels = pair[1][:levels]
+
+        levels_hash = levels.reduce({Admission::Privilege::TOP_LEVEL_KEY => levels.last}) do |lh, privilege|
+          lh[privilege.level] = privilege
+          lh
+        end.freeze
+
+        h[name] = levels_hash
+        h
+      end.freeze
+    end
+
+  end
+
+end