admission 0.1.6

data/lib/admission/rails.rb

@@ -0,0 +1,94 @@
+# module Admission::Rails
+#
+#   class ActionsAdmission
+#
+#     attr_reader :resource_actions, :resource_loader
+#
+#     def initialize controller_class
+#       @controller_class = controller_class
+#     end
+#
+#     def authorize prepend:false, **options
+#       callback_name = prepend ? :prepend_before_action : :before_action
+#       options = options.slice(:only, :except, :if, :unless)
+#       admission = self
+#
+#       @controller_class.send callback_name, options  do |controller|
+#         ActionAbility.new(controller, admission).authorize!
+#       end
+#     end
+#
+#     def resource_actions *actions, loader:nil
+#       @resource_actions = actions.flatten
+#       @resource_loader = loader || :"find_#{@controller_class.controller_name.singularize}"
+#     end
+#
+#     def is_resource_action? action
+#       @resource_actions.present? && @resource_actions.include?(action)
+#     end
+#
+#   end
+#
+#   class ActionAbility
+#     attr_reader :controller
+#
+#     def initialize controller, admission
+#       @controller = controller
+#       @admission = admission
+#     end
+#
+#     def authorize!
+#       user.ability.can?(action_name, object) || (raise AccessDenied.new(self))
+#     end
+#
+#     def user
+#       @controller.current_user
+#     end
+#
+#     def object
+#       @object ||= if @admission.is_resource_action?(action_name)
+#         @controller.send @admission.resource_loader
+#       else
+#         @controller.class.controller_name
+#       end
+#     end
+#
+#     def action_name
+#       @action_name ||= @controller.params[:action].to_sym
+#     end
+#
+#     def object_to_s
+#       case object
+#         when String then ":#{object}"
+#         when ActiveRecord::Base
+#           "<#{object.class.name}>"
+#         else
+#           object.to_s
+#       end
+#     end
+#
+#   end
+#
+#   class AccessDenied < ::StandardError
+#     attr_reader :action_ability
+#
+#     def initialize ability
+#       @action_ability = ability
+#       @message = "Nemáte oprávnění pro tuto akci. (#{ability.action_name} - #{ability.object_to_s})"
+#     end
+#
+#     def to_s
+#       @message
+#     end
+#   end
+#
+# end
+#
+#
+# ActionController::Base.instance_exec do
+#   def actions_admission &block
+#     @actions_admission ||= Admission::Rails::ActionsAdmission.new(self)
+#     @actions_admission.instance_exec &block if block
+#     @actions_admission
+#   end
+# end

data/lib/admission/resource_arbitration.rb

@@ -0,0 +1,112 @@
+class Admission::ResourceArbitration < Admission::Arbitration
+
+  def initialize person, rules_index, request, scope_or_resource
+    @person = person
+    scope, @resource = scope_and_resource scope_or_resource
+    @rules_index = rules_index[scope] || {}
+    @request = request.to_sym
+  end
+
+  def make_decision from_rules, privilege
+    if from_rules
+      decision = from_rules[privilege]
+      if Proc === decision
+        if decision.instance_variable_get :@resource_arbiter
+          decision = @person.instance_exec @resource, *@context, &decision
+        else
+          decision = @person.instance_exec *@context, &decision
+        end
+      end
+
+      unless Admission::VALID_DECISION.include? decision
+        raise "invalid decision: #{decision}"
+      end
+
+      decision
+    end
+  end
+
+  def scope_and_resource scope_or_resource
+    if scope_or_resource.is_a? Symbol
+      [scope_or_resource]
+    else
+      [self.class.type_to_scope(scope_or_resource.class).to_sym, scope_or_resource]
+    end
+  end
+
+  def self.type_to_scope_resolution proc=nil, &block
+    @type_to_scope = proc || block
+  end
+
+  def self.type_to_scope type
+    scope = @type_to_scope && @type_to_scope.call(type)
+    scope ? scope.to_sym : :"#{type.name.downcase}s"
+  end
+
+  def self.nested_scope resource, scope
+    resource = type_to_scope resource unless resource.is_a? Symbol
+    "#{resource}:#{scope}".to_sym
+  end
+
+  class RulesBuilder < Admission::Arbitration::RulesBuilder
+
+    def allow scope, *actions, &block
+      raise "reserved action name #{Admission::ALL_ACTION}" if actions.include? Admission::ALL_ACTION
+      raise "invalid scope name" unless scope.respond_to? :to_sym
+      add_allowance_rule actions.flatten, (block || true), scope: scope.to_sym
+    end
+
+    def allow_all scope, &block
+      raise "invalid scope name" unless scope.respond_to? :to_sym
+      add_allowance_rule [Admission::ALL_ACTION], (block || true), scope: scope.to_sym
+    end
+
+    def forbid scope, *actions
+      raise "reserved action name #{Admission::ALL_ACTION}" if actions.include? Admission::ALL_ACTION
+      raise "invalid scope name" unless scope.respond_to? :to_sym
+      add_allowance_rule actions.flatten, :forbidden, scope: scope.to_sym
+    end
+
+    def allow_resource resource, *actions, &block
+      raise "reserved action name #{Admission::ALL_ACTION}" if actions.include? Admission::ALL_ACTION
+      raise "block not given" unless block
+      block.instance_variable_set :@resource_arbiter, true
+      scope = case resource
+        when Symbol then resource
+        when Array then nested_scope(*resource)
+        else type_to_scope(resource)
+      end
+      add_allowance_rule actions.flatten, block, scope: scope
+    end
+
+    def type_to_scope resource
+      Admission::ResourceArbitration.type_to_scope resource
+    end
+
+    def nested_scope resource, scope
+      Admission::ResourceArbitration.nested_scope resource, scope
+    end
+
+    def create_index
+      index_instance = @rules.reduce Hash.new do |index, allowance|
+        privilege = allowance[:privilege]
+        actions = allowance[:actions]
+        scope = allowance[:scope]
+        arbiter = allowance[:arbiter]
+
+        scope_index = (index[scope] ||= {})
+
+        actions.each do |action|
+          action_index = (scope_index[action] ||= {})
+          action_index[privilege] = arbiter
+        end
+
+        index
+      end
+
+      index_instance.freeze
+    end
+
+  end
+
+end

data/lib/admission/status.rb

@@ -0,0 +1,38 @@
+class Admission::Status
+
+  attr_reader :person, :privileges, :rules
+
+  def initialize person, privileges, rules, arbiter
+    @person = person
+    @privileges = (privileges.nil? || privileges.empty?) ? nil : privileges
+    @rules = rules
+    @arbiter = arbiter
+  end
+
+  def can? *args
+    return false unless @privileges
+    process_request @arbiter.new(person, rules, *args)
+  end
+
+  def cannot? *args
+    !can?(*args)
+  end
+
+  def request! *args
+    can?(*args) || begin
+      exception = Admission::Denied.new self, *args
+      yield exception if block_given?
+      raise exception
+    end
+  end
+
+  private
+
+  def process_request arbitration
+    privileges.any? do |privilege|
+      arbitration.prepare_sitting *privilege.context
+      arbitration.rule_per_privilege(privilege).eql? true
+    end
+  end
+
+end

data/lib/admission/version.rb

@@ -0,0 +1,3 @@
+module Admission
+  VERSION = '0.1.6'
+end

data/spec/integration/_helper.rb

@@ -0,0 +1,2 @@
+require_relative '../spec_helper'
+require_relative '../test_context/index'

data/spec/integration/action_arbitrating_spec.rb

@@ -0,0 +1,119 @@
+require_relative '_helper'
+
+RSpec.describe 'actions_arbitrating' do
+
+  def arbitration request, context=nil
+    person = Person.new 'person', Person::MALE, [:czech]
+    arbitration = Admission::Arbitration.new person, ACTIONS_RULES, request
+    arbitration.prepare_sitting *context
+    arbitration
+  end
+
+  def privilege *args, context: nil
+    p = Admission::Privilege.get_from_order PRIVILEGES_ORDER, *args
+    p = p.dup_with_context context if context
+    p
+  end
+
+  def rule request, privilege
+    arbitration(request, privilege.context).rule_per_privilege privilege
+  end
+
+  it 'allows human to do anything' do
+    expect(
+        rule :anything, privilege(:human)
+    ).to eql(true)
+  end
+
+  it 'disallows woman to do anything' do
+    person = Person.new 'person', Person::FEMALE, [:czech]
+    arbitration = Admission::Arbitration.new person, ACTIONS_RULES, :anything
+    arbitration.prepare_sitting
+    expect(
+        arbitration.rule_per_privilege privilege(:human)
+    ).to eql(false)
+  end
+
+  it 'allow woman-count to do anything in her country' do
+    person = Person.new 'person', Person::FEMALE, [:czech]
+    arbitration = Admission::Arbitration.new person, ACTIONS_RULES, :anything
+    arbitration.prepare_sitting :czech
+    expect(
+        arbitration.rule_per_privilege privilege(:human, :count, context: [:czech])
+    ).to eql(true)
+  end
+
+  it 'allows only king to raise taxes' do
+    expect(
+        rule :raise_taxes, privilege(:human)
+    ).to eql(:forbidden)
+
+    expect(
+        rule :raise_taxes, privilege(:human, :count)
+    ).to eql(:forbidden)
+
+    expect(
+        rule :raise_taxes, privilege(:human, :king)
+    ).to eql(true)
+  end
+
+  it 'allows count and king to impose corvee in his countries' do
+    expect(
+        rule :impose_corvee,
+            privilege(:human, :count, context: [:czech])
+    ).to eql(true)
+
+    expect(
+        rule :impose_corvee,
+            privilege(:human, :king, context: [:czech])
+    ).to eql(true)
+  end
+
+  it 'forbids count and king to impose corvee outside his countries' do
+    expect(
+        rule :impose_corvee,
+            privilege(:human, :count, context: [:taiwan])
+    ).to eql(:forbidden)
+
+    expect(
+        rule :impose_corvee,
+            privilege(:human, :king, context: [:taiwan])
+    ).to eql(:forbidden)
+  end
+
+  it 'forbids any human to impose a draft' do
+    expect(
+        rule :impose_draft, privilege(:human)
+    ).to eql(:forbidden)
+
+    expect(
+        rule :impose_draft, privilege(:human, :count)
+    ).to eql(:forbidden)
+
+    expect(
+        rule :impose_draft, privilege(:human, :king)
+    ).to eql(:forbidden)
+  end
+
+  it 'allows lord to impose draft' do
+    expect(
+        rule :impose_draft,
+            privilege(:vassal, :lord)
+    ).to eql(true)
+  end
+
+  it 'forbids emperor to impose draft because of inheritance' do
+    expect(
+        rule :impose_draft,
+            privilege(:emperor)
+    ).to eql(:forbidden)
+  end
+
+  it 'allows emperor to act as god' do
+    expect(
+        rule :act_as_god,
+            privilege(:emperor)
+    ).to eql(true)
+  end
+
+end

data/spec/integration/resource_arbitrating_spec.rb

@@ -0,0 +1,246 @@
+require_relative '_helper'
+
+RSpec.describe 'resources_arbitrating' do
+
+  let(:person){ Person.new 'person', Person::MALE, [:czech] }
+  let(:female){ Person.new 'female', Person::FEMALE, [:czech] }
+
+  def arbitration scope, action, context=nil
+    arbitration = Admission::ResourceArbitration.new person, RESOURCE_RULES, action, scope
+    arbitration.prepare_sitting *context
+    arbitration
+  end
+
+  def privilege *args, context: nil
+    p = Admission::Privilege.get_from_order PRIVILEGES_ORDER, *args
+    p = p.dup_with_context context if context
+    p
+  end
+
+  def actions_rule action, privilege
+    arbitration(:actions, action, privilege.context).rule_per_privilege privilege
+  end
+
+  def rule scope, action, privilege
+    arbitration(scope, action, privilege.context).rule_per_privilege privilege
+  end
+
+  describe 'actions scope' do
+
+    it 'allows human to do anything' do
+      expect(
+          actions_rule :anything, privilege(:human)
+      ).to eql(true)
+    end
+
+    it 'disallows woman to do anything' do
+      arbitration = Admission::ResourceArbitration.new female, RESOURCE_RULES,
+          :anything, :actions
+      arbitration.prepare_sitting
+      expect(
+          arbitration.rule_per_privilege privilege(:human)
+      ).to eql(false)
+    end
+
+    it 'allow woman-count to do anything in her country' do
+      arbitration = Admission::ResourceArbitration.new female, RESOURCE_RULES,
+          :anything, :actions
+      arbitration.prepare_sitting :czech
+      expect(
+          arbitration.rule_per_privilege privilege(:human, :count, context: [:czech])
+      ).to eql(true)
+    end
+
+    it 'allows only king to raise taxes' do
+      expect(
+          actions_rule :raise_taxes, privilege(:human)
+      ).to eql(:forbidden)
+
+      expect(
+          actions_rule :raise_taxes, privilege(:human, :count)
+      ).to eql(:forbidden)
+
+      expect(
+          actions_rule :raise_taxes, privilege(:human, :king)
+      ).to eql(true)
+    end
+
+    it 'allows count and king to impose corvee in his countries' do
+      expect(
+          actions_rule :impose_corvee,
+              privilege(:human, :count, context: [:czech])
+      ).to eql(true)
+
+      expect(
+          actions_rule :impose_corvee,
+              privilege(:human, :king, context: [:czech])
+      ).to eql(true)
+    end
+
+    it 'forbids count and king to impose corvee outside his countries' do
+      expect(
+          actions_rule :impose_corvee,
+              privilege(:human, :count, context: [:taiwan])
+      ).to eql(:forbidden)
+
+      expect(
+          actions_rule :impose_corvee,
+              privilege(:human, :king, context: [:taiwan])
+      ).to eql(:forbidden)
+    end
+
+    it 'forbids any human to impose a draft' do
+      expect(
+          actions_rule :impose_draft, privilege(:human)
+      ).to eql(:forbidden)
+
+      expect(
+          actions_rule :impose_draft, privilege(:human, :count)
+      ).to eql(:forbidden)
+
+      expect(
+          actions_rule :impose_draft, privilege(:human, :king)
+      ).to eql(:forbidden)
+    end
+
+    it 'allows lord to impose draft' do
+      expect(
+          actions_rule :impose_draft, privilege(:vassal, :lord)
+      ).to eql(true)
+    end
+
+    it 'forbids emperor to impose draft because of inheritance' do
+      expect(
+          actions_rule :impose_draft, privilege(:emperor)
+      ).to eql(:forbidden)
+    end
+
+    it 'allows emperor to act as god' do
+      expect(
+          actions_rule :act_as_god, privilege(:emperor)
+      ).to eql(true)
+    end
+
+  end
+
+  describe 'resources scope' do
+
+    it 'allows vassal to see only himself' do
+      expect(
+          rule person, :show, privilege(:vassal)
+      ).to eql(true)
+
+      person = Person.new 'person', Person::FEMALE, [:czech]
+      expect(
+          rule person, :show, privilege(:vassal)
+      ).to eql(false)
+    end
+
+    it 'passes nil as argument if resource-arbiter accessed by name-scope' do
+      expect{
+        rule :persons, :show, privilege(:vassal)
+      }.to raise_error('person is nil')
+    end
+
+    it 'allows vassal to list persons only per his countries' do
+      expect(
+          rule :persons, :index, privilege(:vassal, context: [:czech])
+      ).to eql(true)
+
+      expect(
+          rule :persons, :index, privilege(:vassal, context: [:taiwan])
+      ).to eql(false)
+    end
+
+    it 'allows access scope-arbiter by resource' do
+      expect(
+          rule person, :index, privilege(:vassal, context: [:czech])
+      ).to eql(true)
+    end
+
+    it 'allows lord to see any person' do
+      expect(
+          rule person, :show, privilege(:vassal, :lord)
+      ).to eql(true)
+
+      expect(
+          rule female, :show, privilege(:vassal, :lord)
+      ).to eql(true)
+    end
+
+    it 'allows lord to list persons from his country' do
+      expect(
+          rule person, :index, privilege(:vassal, context: [:czech])
+      ).to eql(true)
+
+      expect(
+          rule :persons, :index, privilege(:vassal, context: [:czech])
+      ).to eql(true)
+
+      expect(
+          rule person, :index, privilege(:vassal, context: [:taiwan])
+      ).to eql(false)
+    end
+
+    it 'allows lord to update person that is from his country' do
+      expect(
+          rule female, :update,
+              privilege(:vassal, :lord, context: [:czech])
+      ).to eql(true)
+
+      expect(
+          rule female, :update, privilege(:vassal, :lord)
+      ).to eql(false)
+    end
+
+    it 'disallows lord to update person not from his country' do
+      female = Person.new 'person', Person::FEMALE, [:taiwan]
+
+      expect(
+          rule female, :update,
+              privilege(:vassal, :lord, context: [:czech])
+      ).to eql(false)
+
+      expect(
+          rule female, :update,
+              privilege(:vassal, :lord, context: [:taiwan])
+      ).to eql(false)
+    end
+
+    it 'ensures lord cannot update person accessing him by scope-name' do
+      expect(
+          rule :persons, :update, privilege(:vassal, :lord)
+      ).to eql(false)
+    end
+
+    it 'disallows vassal to update person' do
+      expect(
+          rule person, :update, privilege(:vassal, context: [:czech])
+      ).to eql(false)
+    end
+
+    it 'allows lord to destroy person from his country' do
+      female = Person.new 'person', Person::FEMALE, [:taiwan]
+
+      expect(
+          rule person, :destroy,
+              privilege(:vassal, :lord, context: [:czech])
+      ).to eql(true)
+
+      expect(
+          rule female, :destroy,
+              privilege(:vassal, :lord, context: [:czech])
+      ).to eql(false)
+    end
+
+    it 'disallows lord to destroy apache helicopter' do
+      helicopter = Person.new 'person', Person::APACHE_HELICOPTER, [:czech]
+      expect(
+      rule helicopter, :destroy,
+          privilege(:vassal, :lord, context: [:czech])
+      ).to eql(false)
+    end
+
+  end
+
+end