ae_declarative_authorization 0.10.1 → 0.12.1.tim1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.circleci/config.yml +29 -0
- data/.gitignore +32 -0
- data/.ruby-version +1 -0
- data/Appraisals +18 -23
- data/Gemfile +3 -1
- data/declarative_authorization.gemspec +2 -2
- data/lib/declarative_authorization/controller/grape.rb +15 -4
- data/lib/declarative_authorization/controller_permission.rb +1 -5
- data/lib/declarative_authorization/test/helpers.rb +8 -2
- data/lib/declarative_authorization/version.rb +1 -1
- metadata +11 -76
- data/Gemfile.lock +0 -138
- data/gemfiles/ruby_2.3.3_rails507.gemfile +0 -12
- data/gemfiles/ruby_2.3.3_rails507.gemfile.lock +0 -164
- data/gemfiles/ruby_2.3.3_rails516.gemfile +0 -12
- data/gemfiles/ruby_2.3.3_rails516.gemfile.lock +0 -164
- data/gemfiles/ruby_2.3.3_rails521.gemfile +0 -12
- data/gemfiles/ruby_2.3.3_rails521.gemfile.lock +0 -172
- data/gemfiles/ruby_2.3.3_rails522.gemfile +0 -12
- data/gemfiles/ruby_2.3.3_rails522.gemfile.lock +0 -172
- data/gemfiles/ruby_2.5.3_rails507.gemfile +0 -12
- data/gemfiles/ruby_2.5.3_rails507.gemfile.lock +0 -164
- data/gemfiles/ruby_2.5.3_rails516.gemfile +0 -12
- data/gemfiles/ruby_2.5.3_rails516.gemfile.lock +0 -164
- data/gemfiles/ruby_2.5.3_rails521.gemfile +0 -12
- data/gemfiles/ruby_2.5.3_rails521.gemfile.lock +0 -172
- data/gemfiles/ruby_2.5.3_rails522.gemfile +0 -12
- data/gemfiles/ruby_2.5.3_rails522.gemfile.lock +0 -172
- data/gemfiles/ruby_2.6.2_rails507.gemfile +0 -12
- data/gemfiles/ruby_2.6.2_rails507.gemfile.lock +0 -164
- data/gemfiles/ruby_2.6.2_rails516.gemfile +0 -12
- data/gemfiles/ruby_2.6.2_rails516.gemfile.lock +0 -164
- data/gemfiles/ruby_2.6.2_rails521.gemfile +0 -12
- data/gemfiles/ruby_2.6.2_rails521.gemfile.lock +0 -172
- data/gemfiles/ruby_2.6.2_rails522.gemfile +0 -12
- data/gemfiles/ruby_2.6.2_rails522.gemfile.lock +0 -172
- data/log/test.log +0 -89694
- data/pkg/ae_declarative_authorization-0.10.0.gem +0 -0
- data/pkg/ae_declarative_authorization-0.9.0.gem +0 -0
- data/pkg/ae_declarative_authorization-0.9.0.tim1.gem +0 -0
- data/pkg/ae_declarative_authorization-0.9.1.gem +0 -0
- data/pkg/ae_declarative_authorization-0.9.2.gem +0 -0
- data/test/authorization_test.rb +0 -1189
- data/test/controller_filter_resource_access_test.rb +0 -573
- data/test/database.yml +0 -3
- data/test/dsl_reader_test.rb +0 -178
- data/test/functional/filter_access_to_with_id_in_scope_test.rb +0 -88
- data/test/functional/no_filter_access_to_test.rb +0 -79
- data/test/functional/params_block_arity_test.rb +0 -39
- data/test/grape_api_test.rb +0 -508
- data/test/helper_test.rb +0 -248
- data/test/maintenance_test.rb +0 -46
- data/test/model_test.rb +0 -1840
- data/test/profiles/access_checking +0 -100
- data/test/rails_controller_test.rb +0 -478
- data/test/schema.sql +0 -60
- data/test/test_helper.rb +0 -117
- data/test/test_support/grape.rb +0 -93
- data/test/test_support/minitest_compatibility.rb +0 -27
- data/test/test_support/rails.rb +0 -69
data/test/database.yml
DELETED
data/test/dsl_reader_test.rb
DELETED
@@ -1,178 +0,0 @@
|
|
1
|
-
require 'test_helper'
|
2
|
-
|
3
|
-
class DSLReaderTest < Test::Unit::TestCase
|
4
|
-
def test_privileges
|
5
|
-
reader = Authorization::Reader::DSLReader.new
|
6
|
-
reader.parse %{
|
7
|
-
privileges do
|
8
|
-
privilege :test_priv do
|
9
|
-
includes :lower_priv
|
10
|
-
end
|
11
|
-
end
|
12
|
-
}
|
13
|
-
assert_equal 2, reader.privileges_reader.privileges.length
|
14
|
-
assert_equal [[:lower_priv, nil]],
|
15
|
-
reader.privileges_reader.privilege_hierarchy[:test_priv]
|
16
|
-
end
|
17
|
-
|
18
|
-
def test_privileges_with_context
|
19
|
-
reader = Authorization::Reader::DSLReader.new
|
20
|
-
reader.parse %{
|
21
|
-
privileges do
|
22
|
-
privilege :test_priv, :test_context do
|
23
|
-
includes :lower_priv
|
24
|
-
end
|
25
|
-
end
|
26
|
-
}
|
27
|
-
assert_equal [[:lower_priv, :test_context]],
|
28
|
-
reader.privileges_reader.privilege_hierarchy[:test_priv]
|
29
|
-
end
|
30
|
-
|
31
|
-
def test_privileges_one_line
|
32
|
-
reader = Authorization::Reader::DSLReader.new
|
33
|
-
reader.parse %{
|
34
|
-
privileges do
|
35
|
-
privilege :test_priv, :test_context, :includes => :lower_priv
|
36
|
-
privilege :test_priv_2, :test_context, :includes => [:lower_priv]
|
37
|
-
privilege :test_priv_3, :includes => [:lower_priv]
|
38
|
-
end
|
39
|
-
}
|
40
|
-
assert_equal [[:lower_priv, :test_context]],
|
41
|
-
reader.privileges_reader.privilege_hierarchy[:test_priv]
|
42
|
-
assert_equal [[:lower_priv, :test_context]],
|
43
|
-
reader.privileges_reader.privilege_hierarchy[:test_priv_2]
|
44
|
-
assert_equal [[:lower_priv, nil]],
|
45
|
-
reader.privileges_reader.privilege_hierarchy[:test_priv_3]
|
46
|
-
end
|
47
|
-
|
48
|
-
def test_auth_role
|
49
|
-
reader = Authorization::Reader::DSLReader.new
|
50
|
-
reader.parse %{
|
51
|
-
authorization do
|
52
|
-
role :test_role do
|
53
|
-
includes :lesser_role
|
54
|
-
has_permission_on :items, :to => :read
|
55
|
-
end
|
56
|
-
end
|
57
|
-
}
|
58
|
-
assert_equal 1, reader.auth_rules_reader.roles.length
|
59
|
-
assert_equal [:lesser_role], reader.auth_rules_reader.role_hierarchy[:test_role]
|
60
|
-
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
61
|
-
end
|
62
|
-
|
63
|
-
def test_auth_role_permit_on
|
64
|
-
reader = Authorization::Reader::DSLReader.new
|
65
|
-
reader.parse %|
|
66
|
-
authorization do
|
67
|
-
role :test_role do
|
68
|
-
has_permission_on :test_context do
|
69
|
-
to :test_perm, :manage
|
70
|
-
if_attribute :test_attr => is { user.test_attr }
|
71
|
-
end
|
72
|
-
end
|
73
|
-
end
|
74
|
-
|
|
75
|
-
assert_equal 1, reader.auth_rules_reader.roles.length
|
76
|
-
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
77
|
-
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test_perm], :test_context)
|
78
|
-
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:manage], :test_context)
|
79
|
-
end
|
80
|
-
|
81
|
-
def test_permit_block
|
82
|
-
reader = Authorization::Reader::DSLReader.new
|
83
|
-
reader.parse %|
|
84
|
-
authorization do
|
85
|
-
role :test_role do
|
86
|
-
has_permission_on :perms, :to => :test do
|
87
|
-
if_attribute :test_attr => is { user.test_attr }
|
88
|
-
if_attribute :test_attr_2 => is_not { user.test_attr }
|
89
|
-
if_attribute :test_attr_3 => contains { user.test_attr }
|
90
|
-
if_attribute :test_attr_4 => does_not_contain { user.test_attr }
|
91
|
-
if_attribute :test_attr_5 => is_in { user.test_attr }
|
92
|
-
if_attribute :test_attr_5 => is_not_in { user.test_attr }
|
93
|
-
if_attribute :test_attr_6 => lt { user.test_attr }
|
94
|
-
if_attribute :test_attr_6 => lte { user.test_attr }
|
95
|
-
if_attribute :test_attr_6 => gt { user.test_attr }
|
96
|
-
if_attribute :test_attr_6 => gte { user.test_attr }
|
97
|
-
end
|
98
|
-
end
|
99
|
-
end
|
100
|
-
|
|
101
|
-
assert_equal 1, reader.auth_rules_reader.roles.length
|
102
|
-
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
103
|
-
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
|
104
|
-
end
|
105
|
-
|
106
|
-
def test_has_permission_to_with_context
|
107
|
-
reader = Authorization::Reader::DSLReader.new
|
108
|
-
reader.parse %|
|
109
|
-
authorization do
|
110
|
-
role :test_role do
|
111
|
-
has_permission_on :perms, :to => :test
|
112
|
-
end
|
113
|
-
end
|
114
|
-
|
|
115
|
-
assert_equal 1, reader.auth_rules_reader.roles.length
|
116
|
-
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
117
|
-
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
|
118
|
-
end
|
119
|
-
|
120
|
-
def test_context
|
121
|
-
reader = Authorization::Reader::DSLReader.new
|
122
|
-
reader.parse %{
|
123
|
-
contexts do
|
124
|
-
context :high_level_context do
|
125
|
-
includes :low_level_context_1, :low_level_context_2
|
126
|
-
end
|
127
|
-
end
|
128
|
-
}
|
129
|
-
end
|
130
|
-
|
131
|
-
def test_dsl_error
|
132
|
-
reader = Authorization::Reader::DSLReader.new
|
133
|
-
assert_raise(Authorization::Reader::DSLError) do
|
134
|
-
reader.parse %{
|
135
|
-
authorization do
|
136
|
-
includes :lesser_role
|
137
|
-
end
|
138
|
-
}
|
139
|
-
end
|
140
|
-
end
|
141
|
-
|
142
|
-
def test_syntax_error
|
143
|
-
reader = Authorization::Reader::DSLReader.new
|
144
|
-
assert_raise(Authorization::Reader::DSLSyntaxError) do
|
145
|
-
reader.parse %{
|
146
|
-
authorizations do
|
147
|
-
end
|
148
|
-
}
|
149
|
-
end
|
150
|
-
end
|
151
|
-
|
152
|
-
def test_syntax_error_2
|
153
|
-
reader = Authorization::Reader::DSLReader.new
|
154
|
-
assert_raise(Authorization::Reader::DSLSyntaxError) do
|
155
|
-
reader.parse %{
|
156
|
-
authorizations
|
157
|
-
end
|
158
|
-
}
|
159
|
-
end
|
160
|
-
end
|
161
|
-
|
162
|
-
def test_factory_returns_self
|
163
|
-
reader = Authorization::Reader::DSLReader.new
|
164
|
-
assert_equal(Authorization::Reader::DSLReader.factory(reader).object_id, reader.object_id)
|
165
|
-
end
|
166
|
-
|
167
|
-
def test_factory_loads_file
|
168
|
-
reader = Authorization::Reader::DSLReader.factory((DA_ROOT + "authorization_rules.dist.rb").to_s)
|
169
|
-
assert_equal(Authorization::Reader::DSLReader, reader.class)
|
170
|
-
end
|
171
|
-
|
172
|
-
def test_load_file_not_found
|
173
|
-
assert_raise(Authorization::Reader::DSLFileNotFoundError) do
|
174
|
-
Authorization::Reader::DSLReader.new.load!("nonexistent_file.rb")
|
175
|
-
end
|
176
|
-
end
|
177
|
-
end
|
178
|
-
|
@@ -1,88 +0,0 @@
|
|
1
|
-
require 'test_helper'
|
2
|
-
|
3
|
-
class UsersController < MocksController
|
4
|
-
before_action :initialize_user
|
5
|
-
filter_access_to :all, attribute_check: true
|
6
|
-
define_action_methods :show
|
7
|
-
|
8
|
-
def initialize_user
|
9
|
-
@user = User.find(params[:id])
|
10
|
-
end
|
11
|
-
end
|
12
|
-
|
13
|
-
class FilterAccessToWithIdInScopeTest < ActionController::TestCase
|
14
|
-
include DeclarativeAuthorization::Test::Helpers
|
15
|
-
|
16
|
-
tests UsersController
|
17
|
-
|
18
|
-
access_tests do
|
19
|
-
params :user do |old_user, new_user|
|
20
|
-
assert_equal :old_user, old_user
|
21
|
-
assert_equal :new_user, new_user
|
22
|
-
{ id: User.create! }
|
23
|
-
end
|
24
|
-
|
25
|
-
role :users do
|
26
|
-
privilege :read do
|
27
|
-
allowed to: :show, with: :user
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
31
|
-
|
32
|
-
AUTHORIZATION_RULES = <<-RULES.freeze
|
33
|
-
authorization do
|
34
|
-
role :users__read do
|
35
|
-
has_permission_on :users, :to => [:show] do
|
36
|
-
if_attribute :id => id_in_scope { User.visible_by(user) }
|
37
|
-
end
|
38
|
-
end
|
39
|
-
end
|
40
|
-
RULES
|
41
|
-
|
42
|
-
setup do
|
43
|
-
@reader = Authorization::Reader::DSLReader.new
|
44
|
-
@reader.parse(AUTHORIZATION_RULES)
|
45
|
-
Authorization::Engine.instance(@reader)
|
46
|
-
end
|
47
|
-
|
48
|
-
def test_id_in_scope__filter_access_to__has_access
|
49
|
-
with_routing do |map|
|
50
|
-
setup_routes(map)
|
51
|
-
|
52
|
-
current_user = User.create!(role_symbols: [:users__read])
|
53
|
-
different_user = User.create!
|
54
|
-
|
55
|
-
request!(current_user, :show, @reader, id: current_user.id)
|
56
|
-
assert @controller.authorized?
|
57
|
-
end
|
58
|
-
end
|
59
|
-
|
60
|
-
def test_id_in_scope__filter_access_to__does_not_have_access
|
61
|
-
with_routing do |map|
|
62
|
-
setup_routes(map)
|
63
|
-
|
64
|
-
current_user = User.create!(role_symbols: [:users__read])
|
65
|
-
different_user = User.create!
|
66
|
-
|
67
|
-
request!(current_user, :show, @reader, id: different_user.id)
|
68
|
-
assert !@controller.authorized?
|
69
|
-
end
|
70
|
-
end
|
71
|
-
|
72
|
-
private
|
73
|
-
|
74
|
-
def setup_routes(map)
|
75
|
-
map.draw do
|
76
|
-
get '/users', controller: 'users', action: :show
|
77
|
-
end
|
78
|
-
end
|
79
|
-
|
80
|
-
def access_test_user(role, privilege)
|
81
|
-
User.new(role_symbols: [ :"#{role}__#{privilege}" ])
|
82
|
-
end
|
83
|
-
|
84
|
-
def access_test_params_for_param_methods
|
85
|
-
[:old_user, :new_user]
|
86
|
-
end
|
87
|
-
end
|
88
|
-
|
@@ -1,79 +0,0 @@
|
|
1
|
-
require 'test_helper'
|
2
|
-
|
3
|
-
class NoFilterAccessObject < MockDataObject
|
4
|
-
def self.name
|
5
|
-
"NoFilterAccessObject"
|
6
|
-
end
|
7
|
-
end
|
8
|
-
|
9
|
-
class NoFilterAccessObjectsController < MocksController
|
10
|
-
filter_access_to :all, attribute_check: true, load_method: :find_no_filter_access_object
|
11
|
-
no_filter_access_to :index
|
12
|
-
|
13
|
-
define_action_methods :index, :show
|
14
|
-
|
15
|
-
private
|
16
|
-
|
17
|
-
def find_no_filter_access_object
|
18
|
-
NoFilterAccessObject.find_or_initialize_by(params.permit(:id, :special_attribute).to_hash)
|
19
|
-
end
|
20
|
-
end
|
21
|
-
|
22
|
-
class NoFilterAccessToTest < ActionController::TestCase
|
23
|
-
include DeclarativeAuthorization::Test::Helpers
|
24
|
-
tests NoFilterAccessObjectsController
|
25
|
-
|
26
|
-
access_tests_not_required
|
27
|
-
|
28
|
-
AUTHORIZATION_RULES = <<-RULES.freeze
|
29
|
-
authorization do
|
30
|
-
role :allowed_role do
|
31
|
-
has_permission_on :no_filter_access_objects, to: :index do
|
32
|
-
if_attribute special_attribute: is { 'secret' }
|
33
|
-
end
|
34
|
-
has_permission_on :no_filter_access_objects, to: :show do
|
35
|
-
if_attribute id: is { '1' }
|
36
|
-
end
|
37
|
-
end
|
38
|
-
end
|
39
|
-
RULES
|
40
|
-
|
41
|
-
setup do
|
42
|
-
@reader = Authorization::Reader::DSLReader.new
|
43
|
-
@reader.parse(AUTHORIZATION_RULES)
|
44
|
-
Authorization::Engine.instance(@reader)
|
45
|
-
end
|
46
|
-
|
47
|
-
def test_filter_access_to
|
48
|
-
with_routing do |map|
|
49
|
-
map.draw do
|
50
|
-
resources :no_filter_access_objects, only: [:index, :show]
|
51
|
-
end
|
52
|
-
|
53
|
-
disallowed_user = MockUser.new
|
54
|
-
allowed_user = MockUser.new(:allowed_role)
|
55
|
-
|
56
|
-
request!(disallowed_user, :show, @reader, id: '1')
|
57
|
-
assert !@controller.authorized?
|
58
|
-
|
59
|
-
request!(allowed_user, :show, @reader, id: '100', clear: [:@no_filter_access_object])
|
60
|
-
assert !@controller.authorized?
|
61
|
-
|
62
|
-
request!(allowed_user, :show, @reader, id: '1', clear: [:@no_filter_access_object])
|
63
|
-
assert @controller.authorized?
|
64
|
-
end
|
65
|
-
end
|
66
|
-
|
67
|
-
def test_no_filter_access_to
|
68
|
-
with_routing do |map|
|
69
|
-
map.draw do
|
70
|
-
resources :no_filter_access_objects, only: [:index, :show]
|
71
|
-
end
|
72
|
-
|
73
|
-
non_special_user = MockUser.new
|
74
|
-
|
75
|
-
request!(non_special_user, :index, @reader, id: '1', special_attribute: 'wrong')
|
76
|
-
assert @controller.authorized?
|
77
|
-
end
|
78
|
-
end
|
79
|
-
end
|
@@ -1,39 +0,0 @@
|
|
1
|
-
require 'test_helper'
|
2
|
-
|
3
|
-
class ParamsBlockArityTest < ActionController::TestCase
|
4
|
-
include DeclarativeAuthorization::Test::Helpers
|
5
|
-
|
6
|
-
class ParamsBlockArityTestController < ApplicationController
|
7
|
-
|
8
|
-
end
|
9
|
-
|
10
|
-
tests ParamsBlockArityTestController
|
11
|
-
|
12
|
-
access_tests do
|
13
|
-
|
14
|
-
params :less_than_max_arguments do | one |
|
15
|
-
{ this: :works }
|
16
|
-
end
|
17
|
-
|
18
|
-
params :too_many_arguments do | one, two, three |
|
19
|
-
{ what: :ever }
|
20
|
-
end
|
21
|
-
|
22
|
-
end
|
23
|
-
|
24
|
-
def test_params_arity
|
25
|
-
assert_raises(InvalidParamsBlockArity) do
|
26
|
-
access_test_params(:too_many_arguments)
|
27
|
-
end
|
28
|
-
|
29
|
-
assert_equal({ this: :works }, access_test_params(:less_than_max_arguments))
|
30
|
-
end
|
31
|
-
|
32
|
-
private
|
33
|
-
|
34
|
-
def access_test_params_for_param_methods
|
35
|
-
[:old_user, :new_user]
|
36
|
-
end
|
37
|
-
|
38
|
-
end
|
39
|
-
|
data/test/grape_api_test.rb
DELETED
@@ -1,508 +0,0 @@
|
|
1
|
-
require 'test_helper'
|
2
|
-
|
3
|
-
# TODO: remove this conditional when rails 4 support is removed
|
4
|
-
if defined?(Grape)
|
5
|
-
class LoadMockObject < MockDataObject
|
6
|
-
def self.name
|
7
|
-
"LoadMockObject"
|
8
|
-
end
|
9
|
-
end
|
10
|
-
|
11
|
-
##################
|
12
|
-
class SpecificMocks < MocksAPI
|
13
|
-
filter_access_to 'GET /specific_mocks/test_action', :require => :test, :context => :permissions
|
14
|
-
filter_access_to 'GET /specific_mocks/test_action_2', :require => :test, :context => :permissions_2
|
15
|
-
filter_access_to 'GET /specific_mocks/show'
|
16
|
-
filter_access_to 'GET /specific_mocks/edit', 'POST /specific_mocks/create', :require => :test, :context => :permissions
|
17
|
-
filter_access_to 'GET /specific_mocks/edit2', :require => :test, :context => :permissions,
|
18
|
-
:attribute_check => true, :model => LoadMockObject
|
19
|
-
filter_access_to 'GET /specific_mocks/new', :require => :test, :context => :permissions
|
20
|
-
|
21
|
-
filter_access_to ['GET /specific_mocks/action_group_action_1', 'GET /specific_mocks/action_group_action_2']
|
22
|
-
define_action_methods :test_action, :test_action_2, :show, :edit, :create,
|
23
|
-
:edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
|
24
|
-
end
|
25
|
-
|
26
|
-
class BasicAPITest < ApiTestCase
|
27
|
-
tests SpecificMocks
|
28
|
-
|
29
|
-
def test_filter_access_to_receiving_an_explicit_array
|
30
|
-
reader = Authorization::Reader::DSLReader.new
|
31
|
-
|
32
|
-
reader.parse %{
|
33
|
-
authorization do
|
34
|
-
role :test_action_group_2 do
|
35
|
-
has_permission_on :specific_mocks, :to => 'GET /specific_mocks/action_group_action_2'
|
36
|
-
end
|
37
|
-
end
|
38
|
-
}
|
39
|
-
|
40
|
-
request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_2", reader)
|
41
|
-
assert last_endpoint.authorized?
|
42
|
-
request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_1", reader)
|
43
|
-
assert !last_endpoint.authorized?
|
44
|
-
request!(nil, "/specific_mocks/action_group_action_2", reader)
|
45
|
-
assert !last_endpoint.authorized?
|
46
|
-
end
|
47
|
-
|
48
|
-
def test_filter_access
|
49
|
-
assert SpecificMocks.top_level_setting.namespace_stackable[:befores].any?
|
50
|
-
|
51
|
-
reader = Authorization::Reader::DSLReader.new
|
52
|
-
reader.parse %{
|
53
|
-
authorization do
|
54
|
-
role :test_role do
|
55
|
-
has_permission_on :permissions, :to => :test
|
56
|
-
has_permission_on :specific_mocks, :to => 'GET /specific_mocks/show'
|
57
|
-
end
|
58
|
-
end
|
59
|
-
}
|
60
|
-
|
61
|
-
request!(MockUser.new(:test_role), "/specific_mocks/test_action", reader)
|
62
|
-
assert last_endpoint.authorized?
|
63
|
-
|
64
|
-
request!(MockUser.new(:test_role), "/specific_mocks/test_action_2", reader)
|
65
|
-
assert !last_endpoint.authorized?
|
66
|
-
|
67
|
-
request!(MockUser.new(:test_role_2), "/specific_mocks/test_action", reader)
|
68
|
-
assert_equal 403, last_response.status
|
69
|
-
assert !last_endpoint.authorized?
|
70
|
-
|
71
|
-
request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
|
72
|
-
assert last_endpoint.authorized?
|
73
|
-
end
|
74
|
-
|
75
|
-
def test_filter_access_multi_actions
|
76
|
-
reader = Authorization::Reader::DSLReader.new
|
77
|
-
reader.parse %{
|
78
|
-
authorization do
|
79
|
-
role :test_role do
|
80
|
-
has_permission_on :permissions, :to => :test
|
81
|
-
end
|
82
|
-
end
|
83
|
-
}
|
84
|
-
request!(MockUser.new(:test_role), "/specific_mocks/create", reader)
|
85
|
-
assert last_endpoint.authorized?
|
86
|
-
end
|
87
|
-
|
88
|
-
def test_filter_access_unprotected_actions
|
89
|
-
reader = Authorization::Reader::DSLReader.new
|
90
|
-
reader.parse %{
|
91
|
-
authorization do
|
92
|
-
role :test_role do
|
93
|
-
end
|
94
|
-
end
|
95
|
-
}
|
96
|
-
request!(MockUser.new(:test_role), "/specific_mocks/unprotected_action", reader)
|
97
|
-
assert last_endpoint.authorized?
|
98
|
-
end
|
99
|
-
|
100
|
-
def test_filter_access_priv_hierarchy
|
101
|
-
reader = Authorization::Reader::DSLReader.new
|
102
|
-
reader.parse %{
|
103
|
-
privileges do
|
104
|
-
privilege :read do
|
105
|
-
includes "GET /specific_mocks/list", "GET /specific_mocks/show"
|
106
|
-
end
|
107
|
-
end
|
108
|
-
authorization do
|
109
|
-
role :test_role do
|
110
|
-
has_permission_on :specific_mocks, :to => :read
|
111
|
-
end
|
112
|
-
end
|
113
|
-
}
|
114
|
-
request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
|
115
|
-
assert last_endpoint.authorized?
|
116
|
-
end
|
117
|
-
|
118
|
-
def test_filter_access_skip_attribute_test
|
119
|
-
reader = Authorization::Reader::DSLReader.new
|
120
|
-
reader.parse %{
|
121
|
-
authorization do
|
122
|
-
role :test_role do
|
123
|
-
has_permission_on :permissions, :to => :test do
|
124
|
-
if_attribute :id => is { user }
|
125
|
-
end
|
126
|
-
end
|
127
|
-
end
|
128
|
-
}
|
129
|
-
request!(MockUser.new(:test_role), "/specific_mocks/new", reader)
|
130
|
-
assert last_endpoint.authorized?
|
131
|
-
end
|
132
|
-
|
133
|
-
def test_existing_instance_var_remains_unchanged
|
134
|
-
reader = Authorization::Reader::DSLReader.new
|
135
|
-
reader.parse %{
|
136
|
-
authorization do
|
137
|
-
role :test_role do
|
138
|
-
has_permission_on :permissions, :to => :test do
|
139
|
-
if_attribute :id => is { 5 }
|
140
|
-
end
|
141
|
-
end
|
142
|
-
end
|
143
|
-
}
|
144
|
-
mock_object = MockDataObject.new(:id => 5)
|
145
|
-
|
146
|
-
request!(MockUser.new(:test_role), "/specific_mocks/edit_2", reader) do |endpoint|
|
147
|
-
endpoint.send(:instance_variable_set, :"@load_mock_object", mock_object)
|
148
|
-
end
|
149
|
-
assert_equal mock_object, last_endpoint.send(:instance_variable_get, :"@load_mock_object")
|
150
|
-
assert last_endpoint.authorized?
|
151
|
-
end
|
152
|
-
|
153
|
-
def test_permitted_to_without_context
|
154
|
-
reader = Authorization::Reader::DSLReader.new
|
155
|
-
reader.parse %{
|
156
|
-
authorization do
|
157
|
-
role :test_role do
|
158
|
-
has_permission_on :specific_mocks, :to => :test
|
159
|
-
end
|
160
|
-
end
|
161
|
-
}
|
162
|
-
|
163
|
-
# Make any request so we can get a reference to an endpoint
|
164
|
-
request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
|
165
|
-
|
166
|
-
assert last_endpoint.permitted_to?(:test)
|
167
|
-
end
|
168
|
-
end
|
169
|
-
|
170
|
-
##################
|
171
|
-
class AllMocks < MocksAPI
|
172
|
-
filter_access_to :all
|
173
|
-
filter_access_to 'GET /all_mocks/view', :require => :test, :context => :permissions
|
174
|
-
define_action_methods :show, :view
|
175
|
-
end
|
176
|
-
|
177
|
-
class AllActionsAPITest < ApiTestCase
|
178
|
-
tests AllMocks
|
179
|
-
|
180
|
-
def test_filter_access_all
|
181
|
-
reader = Authorization::Reader::DSLReader.new
|
182
|
-
reader.parse %{
|
183
|
-
authorization do
|
184
|
-
role :test_role do
|
185
|
-
has_permission_on :permissions, :to => :test
|
186
|
-
has_permission_on :all_mocks, :to => 'GET /all_mocks/show'
|
187
|
-
end
|
188
|
-
end
|
189
|
-
}
|
190
|
-
|
191
|
-
request!(MockUser.new(:test_role), "/all_mocks/show", reader)
|
192
|
-
assert last_endpoint.authorized?
|
193
|
-
|
194
|
-
request!(MockUser.new(:test_role), "/all_mocks/view", reader)
|
195
|
-
assert last_endpoint.authorized?
|
196
|
-
|
197
|
-
request!(MockUser.new(:test_role_2), "/all_mocks/show", reader)
|
198
|
-
assert !last_endpoint.authorized?
|
199
|
-
end
|
200
|
-
end
|
201
|
-
|
202
|
-
##################
|
203
|
-
class LoadMockObjects < MocksAPI
|
204
|
-
filter_access_to 'GET /load_mock_objects/:id', :attribute_check => true, :model => LoadMockObject
|
205
|
-
filter_access_to 'GET /load_mock_objects/:id/edit', :attribute_check => true
|
206
|
-
filter_access_to 'PUT /load_mock_objects/:id', 'DELETE /load_mock_objects/:id', :attribute_check => true,
|
207
|
-
:load_method => proc {MockDataObject.new(:test => 1)}
|
208
|
-
filter_access_to 'POST /load_mock_objects' do
|
209
|
-
permitted_to! 'GET /load_mock_objects/:id/edit', :load_mock_objects
|
210
|
-
end
|
211
|
-
filter_access_to 'GET /load_mock_objects/view', :attribute_check => true, :load_method => :load_method
|
212
|
-
|
213
|
-
helpers do
|
214
|
-
@load_method_call_count = 0
|
215
|
-
|
216
|
-
def load_method_call_count
|
217
|
-
@load_method_call_count || 0
|
218
|
-
end
|
219
|
-
|
220
|
-
def load_method
|
221
|
-
@load_method_call_count ||= 0
|
222
|
-
@load_method_call_count += 1
|
223
|
-
MockDataObject.new(:test => 2)
|
224
|
-
end
|
225
|
-
end
|
226
|
-
|
227
|
-
resources :load_mock_objects do
|
228
|
-
get :view do
|
229
|
-
@authorized = true
|
230
|
-
'nothing'
|
231
|
-
end
|
232
|
-
|
233
|
-
route_param :id do
|
234
|
-
get do
|
235
|
-
@authorized = true
|
236
|
-
'nothing'
|
237
|
-
end
|
238
|
-
|
239
|
-
get :edit do
|
240
|
-
@authorized = true
|
241
|
-
'nothing'
|
242
|
-
end
|
243
|
-
|
244
|
-
put do
|
245
|
-
@authorized = true
|
246
|
-
'nothing'
|
247
|
-
end
|
248
|
-
|
249
|
-
delete do
|
250
|
-
@authorized = true
|
251
|
-
'nothing'
|
252
|
-
end
|
253
|
-
end
|
254
|
-
|
255
|
-
post do
|
256
|
-
@authorized = true
|
257
|
-
'nothing'
|
258
|
-
end
|
259
|
-
end
|
260
|
-
end
|
261
|
-
|
262
|
-
class LoadObjectAPITest < ApiTestCase
|
263
|
-
tests LoadMockObjects
|
264
|
-
|
265
|
-
def test_filter_access_with_object_load
|
266
|
-
reader = Authorization::Reader::DSLReader.new
|
267
|
-
reader.parse %{
|
268
|
-
authorization do
|
269
|
-
role :test_role do
|
270
|
-
has_permission_on :load_mock_objects, :to => [
|
271
|
-
'GET /load_mock_objects/:id',
|
272
|
-
'GET /load_mock_objects/:id/edit'
|
273
|
-
] do
|
274
|
-
if_attribute :id => 1
|
275
|
-
if_attribute :id => "1"
|
276
|
-
end
|
277
|
-
end
|
278
|
-
end
|
279
|
-
}
|
280
|
-
|
281
|
-
request!(MockUser.new(:test_role), "/load_mock_objects/2", reader)
|
282
|
-
assert !last_endpoint.authorized?
|
283
|
-
|
284
|
-
request!(MockUser.new(:test_role), "/load_mock_objects/1", reader,
|
285
|
-
:clear => [:@load_mock_object])
|
286
|
-
assert last_endpoint.authorized?
|
287
|
-
|
288
|
-
request!(MockUser.new(:test_role), "/load_mock_objects/1/edit", reader,
|
289
|
-
:clear => [:@load_mock_object])
|
290
|
-
assert last_endpoint.authorized?
|
291
|
-
assert last_endpoint.instance_variable_defined?(:@load_mock_object)
|
292
|
-
end
|
293
|
-
|
294
|
-
def test_filter_access_with_object_load_custom
|
295
|
-
reader = Authorization::Reader::DSLReader.new
|
296
|
-
reader.parse %{
|
297
|
-
authorization do
|
298
|
-
role :test_role do
|
299
|
-
has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/view' do
|
300
|
-
if_attribute :test => is {2}
|
301
|
-
end
|
302
|
-
has_permission_on :load_mock_objects, :to => 'PUT /load_mock_objects/:id' do
|
303
|
-
if_attribute :test => is {1}
|
304
|
-
end
|
305
|
-
has_permission_on :load_mock_objects, :to => 'DELETE /load_mock_objects/:id' do
|
306
|
-
if_attribute :test => is {2}
|
307
|
-
end
|
308
|
-
end
|
309
|
-
end
|
310
|
-
}
|
311
|
-
|
312
|
-
request!(MockUser.new(:test_role), "/load_mock_objects/1", reader, :method => :delete)
|
313
|
-
assert !last_endpoint.authorized?
|
314
|
-
|
315
|
-
request!(MockUser.new(:test_role), "/load_mock_objects/view", reader)
|
316
|
-
assert last_endpoint.authorized?
|
317
|
-
assert_equal 1, last_endpoint.load_method_call_count
|
318
|
-
|
319
|
-
request!(MockUser.new(:test_role_2), "/load_mock_objects/view", reader)
|
320
|
-
assert !last_endpoint.authorized?
|
321
|
-
assert_equal 1, last_endpoint.load_method_call_count
|
322
|
-
|
323
|
-
# Test the custom load_object method on the `PUT /load_mock_objects/:id` action
|
324
|
-
request!(MockUser.new(:test_role), "/load_mock_objects/123", reader, :method => :put)
|
325
|
-
assert last_endpoint.authorized?
|
326
|
-
end
|
327
|
-
|
328
|
-
def test_filter_access_custom
|
329
|
-
reader = Authorization::Reader::DSLReader.new
|
330
|
-
reader.parse %{
|
331
|
-
authorization do
|
332
|
-
role :test_role do
|
333
|
-
has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/:id/edit'
|
334
|
-
end
|
335
|
-
role :test_role_2 do
|
336
|
-
has_permission_on :load_mock_objects, :to => 'POST /load_mock_objects'
|
337
|
-
end
|
338
|
-
end
|
339
|
-
}
|
340
|
-
|
341
|
-
request!(MockUser.new(:test_role), "/load_mock_objects", reader, :method => :post)
|
342
|
-
assert last_endpoint.authorized?
|
343
|
-
|
344
|
-
request!(MockUser.new(:test_role_2), "/load_mock_objects", reader, :method => :post)
|
345
|
-
assert !last_endpoint.authorized?
|
346
|
-
end
|
347
|
-
end
|
348
|
-
|
349
|
-
##################
|
350
|
-
class AccessOverwrites < MocksAPI
|
351
|
-
filter_access_to 'GET /access_overwrites/test_action', 'GET /access_overwrites/test_action_2',
|
352
|
-
:require => :test, :context => :permissions_2
|
353
|
-
filter_access_to 'GET /access_overwrites/test_action', :require => :test, :context => :permissions
|
354
|
-
define_action_methods :test_action, :test_action_2
|
355
|
-
end
|
356
|
-
|
357
|
-
class AccessOverwritesAPITest < ApiTestCase
|
358
|
-
tests AccessOverwrites
|
359
|
-
|
360
|
-
def test_filter_access_overwrite
|
361
|
-
reader = Authorization::Reader::DSLReader.new
|
362
|
-
reader.parse %{
|
363
|
-
authorization do
|
364
|
-
role :test_role do
|
365
|
-
has_permission_on :permissions, :to => :test
|
366
|
-
end
|
367
|
-
end
|
368
|
-
}
|
369
|
-
request!(MockUser.new(:test_role), "/access_overwrites/test_action_2", reader)
|
370
|
-
assert !last_endpoint.authorized?
|
371
|
-
|
372
|
-
request!(MockUser.new(:test_role), "/access_overwrites/test_action", reader)
|
373
|
-
assert last_endpoint.authorized?
|
374
|
-
end
|
375
|
-
end
|
376
|
-
|
377
|
-
##################
|
378
|
-
class People < MocksAPI
|
379
|
-
filter_access_to :all
|
380
|
-
define_action_methods :show
|
381
|
-
end
|
382
|
-
|
383
|
-
class PeopleAPITest < ApiTestCase
|
384
|
-
tests People
|
385
|
-
|
386
|
-
def test_filter_access_people_controller
|
387
|
-
reader = Authorization::Reader::DSLReader.new
|
388
|
-
reader.parse %{
|
389
|
-
authorization do
|
390
|
-
role :test_role do
|
391
|
-
has_permission_on :people, :to => 'GET /people/show'
|
392
|
-
end
|
393
|
-
end
|
394
|
-
}
|
395
|
-
request!(MockUser.new(:test_role), "/people/show", reader)
|
396
|
-
assert last_endpoint.authorized?
|
397
|
-
end
|
398
|
-
end
|
399
|
-
|
400
|
-
##################
|
401
|
-
class CommonAPI < MocksAPI
|
402
|
-
filter_access_to :delete, :context => :common
|
403
|
-
filter_access_to :all
|
404
|
-
end
|
405
|
-
class CommonChild1API < CommonAPI
|
406
|
-
filter_access_to :all, :context => :context_1
|
407
|
-
end
|
408
|
-
class CommonChild2 < CommonAPI
|
409
|
-
filter_access_to :delete
|
410
|
-
define_action_methods :show, :delete
|
411
|
-
end
|
412
|
-
|
413
|
-
class HierachicalAPITest < ApiTestCase
|
414
|
-
tests CommonChild2
|
415
|
-
|
416
|
-
def test_controller_hierarchy
|
417
|
-
reader = Authorization::Reader::DSLReader.new
|
418
|
-
reader.parse %{
|
419
|
-
authorization do
|
420
|
-
role :test_role do
|
421
|
-
has_permission_on :mocks, :to => ["GET /common_child_2/delete", "GET /common_child_2/show"]
|
422
|
-
end
|
423
|
-
end
|
424
|
-
}
|
425
|
-
|
426
|
-
request!(MockUser.new(:test_role), "/common_child2/show", reader)
|
427
|
-
assert !last_endpoint.authorized?
|
428
|
-
|
429
|
-
request!(MockUser.new(:test_role), "/common_child2/delete", reader)
|
430
|
-
assert !last_endpoint.authorized?
|
431
|
-
end
|
432
|
-
end
|
433
|
-
|
434
|
-
##################
|
435
|
-
module Name
|
436
|
-
class SpacedThings < MocksAPI
|
437
|
-
filter_access_to 'GET /name/spaced_things/show'
|
438
|
-
filter_access_to 'GET /name/spaced_things/update', :context => :spaced_things
|
439
|
-
define_action_methods :show, :update
|
440
|
-
end
|
441
|
-
end
|
442
|
-
|
443
|
-
class NameSpacedAPITest < ApiTestCase
|
444
|
-
tests Name::SpacedThings
|
445
|
-
|
446
|
-
def test_context
|
447
|
-
reader = Authorization::Reader::DSLReader.new
|
448
|
-
reader.parse %{
|
449
|
-
authorization do
|
450
|
-
role :permitted_role do
|
451
|
-
has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/show"
|
452
|
-
has_permission_on :spaced_things, :to => "GET /name/spaced_things/update"
|
453
|
-
end
|
454
|
-
role :prohibited_role do
|
455
|
-
has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/update"
|
456
|
-
has_permission_on :spaced_things, :to => "GET /name/spaced_things/show"
|
457
|
-
end
|
458
|
-
end
|
459
|
-
}
|
460
|
-
request!(MockUser.new(:permitted_role), "/name/spaced_things/show", reader)
|
461
|
-
assert last_endpoint.authorized?
|
462
|
-
request!(MockUser.new(:prohibited_role), "/name/spaced_things/show", reader)
|
463
|
-
assert !last_endpoint.authorized?
|
464
|
-
request!(MockUser.new(:permitted_role), "/name/spaced_things/update", reader)
|
465
|
-
assert last_endpoint.authorized?
|
466
|
-
request!(MockUser.new(:prohibited_role), "/name/spaced_things/update", reader)
|
467
|
-
assert !last_endpoint.authorized?
|
468
|
-
end
|
469
|
-
end
|
470
|
-
|
471
|
-
module Deep
|
472
|
-
module NameSpaced
|
473
|
-
class Things < MocksAPI
|
474
|
-
filter_access_to 'GET /deep/name_spaced/things/show'
|
475
|
-
filter_access_to 'GET /deep/name_spaced/things/update', :context => :things
|
476
|
-
define_action_methods :show, :update
|
477
|
-
end
|
478
|
-
end
|
479
|
-
end
|
480
|
-
|
481
|
-
class DeepNameSpacedAPITest < ApiTestCase
|
482
|
-
tests Deep::NameSpaced::Things
|
483
|
-
|
484
|
-
def test_context
|
485
|
-
reader = Authorization::Reader::DSLReader.new
|
486
|
-
reader.parse %{
|
487
|
-
authorization do
|
488
|
-
role :permitted_role do
|
489
|
-
has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/show'
|
490
|
-
has_permission_on :things, :to => 'GET /deep/name_spaced/things/update'
|
491
|
-
end
|
492
|
-
role :prohibited_role do
|
493
|
-
has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/update'
|
494
|
-
has_permission_on :things, :to => 'GET /deep/name_spaced/things/show'
|
495
|
-
end
|
496
|
-
end
|
497
|
-
}
|
498
|
-
request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/show", reader)
|
499
|
-
assert last_endpoint.authorized?
|
500
|
-
request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/show", reader)
|
501
|
-
assert !last_endpoint.authorized?
|
502
|
-
request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/update", reader)
|
503
|
-
assert last_endpoint.authorized?
|
504
|
-
request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/update", reader)
|
505
|
-
assert !last_endpoint.authorized?
|
506
|
-
end
|
507
|
-
end
|
508
|
-
end
|