ae_declarative_authorization 0.8.0 → 0.9.0

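--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,508 @@
+ require 'test_helper'
+
+ # TODO: remove this conditional when rails 4 support is removed
+ if defined?(Grape)
+ class LoadMockObject < MockDataObject
+ def self.name
+ "LoadMockObject"
+ end
+ end
+
+ ##################
+ class SpecificMocks < MocksAPI
+ filter_access_to 'GET /specific_mocks/test_action', :require => :test, :context => :permissions
+ filter_access_to 'GET /specific_mocks/test_action_2', :require => :test, :context => :permissions_2
+ filter_access_to 'GET /specific_mocks/show'
+ filter_access_to 'GET /specific_mocks/edit', 'POST /specific_mocks/create', :require => :test, :context => :permissions
+ filter_access_to 'GET /specific_mocks/edit2', :require => :test, :context => :permissions,
+ :attribute_check => true, :model => LoadMockObject
+ filter_access_to 'GET /specific_mocks/new', :require => :test, :context => :permissions
+
+ filter_access_to ['GET /specific_mocks/action_group_action_1', 'GET /specific_mocks/action_group_action_2']
+ define_action_methods :test_action, :test_action_2, :show, :edit, :create,
+ :edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
+ end
+
+ class BasicAPITest < ApiTestCase
+ tests SpecificMocks
+
+ def test_filter_access_to_receiving_an_explicit_array
+ reader = Authorization::Reader::DSLReader.new
+
+ reader.parse %{
+ authorization do
+ role :test_action_group_2 do
+ has_permission_on :specific_mocks, :to => 'GET /specific_mocks/action_group_action_2'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_2", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_1", reader)
+ assert !last_endpoint.authorized?
+ request!(nil, "/specific_mocks/action_group_action_2", reader)
+ assert !last_endpoint.authorized?
+ end
+
+ def test_filter_access
+ assert SpecificMocks.top_level_setting.namespace_stackable[:befores].any?
+
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ has_permission_on :specific_mocks, :to => 'GET /specific_mocks/show'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/specific_mocks/test_action", reader)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/specific_mocks/test_action_2", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role_2), "/specific_mocks/test_action", reader)
+ assert_equal 403, last_response.status
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_multi_actions
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/create", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_unprotected_actions
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/unprotected_action", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_priv_hierarchy
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ privileges do
+ privilege :read do
+ includes "GET /specific_mocks/list", "GET /specific_mocks/show"
+ end
+ end
+ authorization do
+ role :test_role do
+ has_permission_on :specific_mocks, :to => :read
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_skip_attribute_test
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test do
+ if_attribute :id => is { user }
+ end
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/new", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_existing_instance_var_remains_unchanged
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test do
+ if_attribute :id => is { 5 }
+ end
+ end
+ end
+ }
+ mock_object = MockDataObject.new(:id => 5)
+
+ request!(MockUser.new(:test_role), "/specific_mocks/edit_2", reader) do |endpoint|
+ endpoint.send(:instance_variable_set, :"@load_mock_object", mock_object)
+ end
+ assert_equal mock_object, last_endpoint.send(:instance_variable_get, :"@load_mock_object")
+ assert last_endpoint.authorized?
+ end
+
+ def test_permitted_to_without_context
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :specific_mocks, :to => :test
+ end
+ end
+ }
+
+ # Make any request so we can get a reference to an endpoint
+ request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+
+ assert last_endpoint.permitted_to?(:test)
+ end
+ end
+
+ ##################
+ class AllMocks < MocksAPI
+ filter_access_to :all
+ filter_access_to 'GET /all_mocks/view', :require => :test, :context => :permissions
+ define_action_methods :show, :view
+ end
+
+ class AllActionsAPITest < ApiTestCase
+ tests AllMocks
+
+ def test_filter_access_all
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ has_permission_on :all_mocks, :to => 'GET /all_mocks/show'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/all_mocks/show", reader)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/all_mocks/view", reader)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role_2), "/all_mocks/show", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class LoadMockObjects < MocksAPI
+ filter_access_to 'GET /load_mock_objects/:id', :attribute_check => true, :model => LoadMockObject
+ filter_access_to 'GET /load_mock_objects/:id/edit', :attribute_check => true
+ filter_access_to 'PUT /load_mock_objects/:id', 'DELETE /load_mock_objects/:id', :attribute_check => true,
+ :load_method => proc {MockDataObject.new(:test => 1)}
+ filter_access_to 'POST /load_mock_objects' do
+ permitted_to! 'GET /load_mock_objects/:id/edit', :load_mock_objects
+ end
+ filter_access_to 'GET /load_mock_objects/view', :attribute_check => true, :load_method => :load_method
+
+ helpers do
+ @load_method_call_count = 0
+
+ def load_method_call_count
+ @load_method_call_count || 0
+ end
+
+ def load_method
+ @load_method_call_count ||= 0
+ @load_method_call_count += 1
+ MockDataObject.new(:test => 2)
+ end
+ end
+
+ resources :load_mock_objects do
+ get :view do
+ @authorized = true
+ 'nothing'
+ end
+
+ route_param :id do
+ get do
+ @authorized = true
+ 'nothing'
+ end
+
+ get :edit do
+ @authorized = true
+ 'nothing'
+ end
+
+ put do
+ @authorized = true
+ 'nothing'
+ end
+
+ delete do
+ @authorized = true
+ 'nothing'
+ end
+ end
+
+ post do
+ @authorized = true
+ 'nothing'
+ end
+ end
+ end
+
+ class LoadObjectAPITest < ApiTestCase
+ tests LoadMockObjects
+
+ def test_filter_access_with_object_load
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :load_mock_objects, :to => [
+ 'GET /load_mock_objects/:id',
+ 'GET /load_mock_objects/:id/edit'
+ ] do
+ if_attribute :id => 1
+ if_attribute :id => "1"
+ end
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/2", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/1", reader,
+ :clear => [:@load_mock_object])
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/1/edit", reader,
+ :clear => [:@load_mock_object])
+ assert last_endpoint.authorized?
+ assert last_endpoint.instance_variable_defined?(:@load_mock_object)
+ end
+
+ def test_filter_access_with_object_load_custom
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/view' do
+ if_attribute :test => is {2}
+ end
+ has_permission_on :load_mock_objects, :to => 'PUT /load_mock_objects/:id' do
+ if_attribute :test => is {1}
+ end
+ has_permission_on :load_mock_objects, :to => 'DELETE /load_mock_objects/:id' do
+ if_attribute :test => is {2}
+ end
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/1", reader, :method => :delete)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/view", reader)
+ assert last_endpoint.authorized?
+ assert_equal 1, last_endpoint.load_method_call_count
+
+ request!(MockUser.new(:test_role_2), "/load_mock_objects/view", reader)
+ assert !last_endpoint.authorized?
+ assert_equal 1, last_endpoint.load_method_call_count
+
+ # Test the custom load_object method on the `PUT /load_mock_objects/:id` action
+ request!(MockUser.new(:test_role), "/load_mock_objects/123", reader, :method => :put)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_custom
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/:id/edit'
+ end
+ role :test_role_2 do
+ has_permission_on :load_mock_objects, :to => 'POST /load_mock_objects'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/load_mock_objects", reader, :method => :post)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role_2), "/load_mock_objects", reader, :method => :post)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class AccessOverwrites < MocksAPI
+ filter_access_to 'GET /access_overwrites/test_action', 'GET /access_overwrites/test_action_2',
+ :require => :test, :context => :permissions_2
+ filter_access_to 'GET /access_overwrites/test_action', :require => :test, :context => :permissions
+ define_action_methods :test_action, :test_action_2
+ end
+
+ class AccessOverwritesAPITest < ApiTestCase
+ tests AccessOverwrites
+
+ def test_filter_access_overwrite
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/access_overwrites/test_action_2", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/access_overwrites/test_action", reader)
+ assert last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class People < MocksAPI
+ filter_access_to :all
+ define_action_methods :show
+ end
+
+ class PeopleAPITest < ApiTestCase
+ tests People
+
+ def test_filter_access_people_controller
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :people, :to => 'GET /people/show'
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/people/show", reader)
+ assert last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class CommonAPI < MocksAPI
+ filter_access_to :delete, :context => :common
+ filter_access_to :all
+ end
+ class CommonChild1API < CommonAPI
+ filter_access_to :all, :context => :context_1
+ end
+ class CommonChild2 < CommonAPI
+ filter_access_to :delete
+ define_action_methods :show, :delete
+ end
+
+ class HierachicalAPITest < ApiTestCase
+ tests CommonChild2
+
+ def test_controller_hierarchy
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :mocks, :to => ["GET /common_child_2/delete", "GET /common_child_2/show"]
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/common_child2/show", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/common_child2/delete", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ module Name
+ class SpacedThings < MocksAPI
+ filter_access_to 'GET /name/spaced_things/show'
+ filter_access_to 'GET /name/spaced_things/update', :context => :spaced_things
+ define_action_methods :show, :update
+ end
+ end
+
+ class NameSpacedAPITest < ApiTestCase
+ tests Name::SpacedThings
+
+ def test_context
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :permitted_role do
+ has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/show"
+ has_permission_on :spaced_things, :to => "GET /name/spaced_things/update"
+ end
+ role :prohibited_role do
+ has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/update"
+ has_permission_on :spaced_things, :to => "GET /name/spaced_things/show"
+ end
+ end
+ }
+ request!(MockUser.new(:permitted_role), "/name/spaced_things/show", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/name/spaced_things/show", reader)
+ assert !last_endpoint.authorized?
+ request!(MockUser.new(:permitted_role), "/name/spaced_things/update", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/name/spaced_things/update", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ module Deep
+ module NameSpaced
+ class Things < MocksAPI
+ filter_access_to 'GET /deep/name_spaced/things/show'
+ filter_access_to 'GET /deep/name_spaced/things/update', :context => :things
+ define_action_methods :show, :update
+ end
+ end
+ end
+
+ class DeepNameSpacedAPITest < ApiTestCase
+ tests Deep::NameSpaced::Things
+
+ def test_context
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :permitted_role do
+ has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/show'
+ has_permission_on :things, :to => 'GET /deep/name_spaced/things/update'
+ end
+ role :prohibited_role do
+ has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/update'
+ has_permission_on :things, :to => 'GET /deep/name_spaced/things/show'
+ end
+ end
+ }
+ request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/show", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/show", reader)
+ assert !last_endpoint.authorized?
+ request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/update", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/update", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+ end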
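Review bot: Several route strings in the filters and permissions do not match the paths the tests actually request, so some assertions may pass vacuously instead of exercising the authorization check: `filter_access_to 'GET /specific_mocks/edit2'` (the only filter in SpecificMocks with `:attribute_check => true`) versus `define_action_methods ... :edit_2` and the request to `"/specific_mocks/edit_2"` in `test_existing_instance_var_remains_unchanged`, and `has_permission_on :mocks, :to => ["GET /common_child_2/delete", "GET /common_child_2/show"]` versus the requests to `"/common_child2/show"` and `"/common_child2/delete"` in `test_controller_hierarchy`. If `filter_access_to` keys on the literal method-and-path string (it and `request!` are defined outside this hunk, so this is inferred), the first test reports `authorized?` merely because `edit_2` is an unprotected action, as `test_filter_access_unprotected_actions` shows, and the second test's `assert !last_endpoint.authorized?` cannot tell a genuine denial from a route the filter never saw. Aligning the strings, e.g. `filter_access_to 'GET /specific_mocks/edit_2', :require => :test, :context => :permissions,`, and pairing every negative assertion with `assert_equal 403, last_response.status` as `test_filter_access` already does once, would make a regression in the deny path fail loudly rather than silently. `HierachicalAPITest` is also misspelled (`HierarchicalAPITest`).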