ae_declarative_authorization 0.8.0 → 0.9.0

data/test/grape_api_test.rb

@@ -0,0 +1,508 @@
+require 'test_helper'
+
+# TODO: remove this conditional when rails 4 support is removed
+if defined?(Grape)
+  class LoadMockObject < MockDataObject
+    def self.name
+      "LoadMockObject"
+    end
+  end
+
+  ##################
+  class SpecificMocks < MocksAPI
+    filter_access_to 'GET /specific_mocks/test_action', :require => :test, :context => :permissions
+    filter_access_to 'GET /specific_mocks/test_action_2', :require => :test, :context => :permissions_2
+    filter_access_to 'GET /specific_mocks/show'
+    filter_access_to 'GET /specific_mocks/edit', 'POST /specific_mocks/create', :require => :test, :context => :permissions
+    filter_access_to 'GET /specific_mocks/edit2', :require => :test, :context => :permissions,
+      :attribute_check => true, :model => LoadMockObject
+    filter_access_to 'GET /specific_mocks/new', :require => :test, :context => :permissions
+
+    filter_access_to ['GET /specific_mocks/action_group_action_1', 'GET /specific_mocks/action_group_action_2']
+    define_action_methods :test_action, :test_action_2, :show, :edit, :create,
+      :edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
+  end
+
+  class BasicAPITest < ApiTestCase
+    tests SpecificMocks
+
+    def test_filter_access_to_receiving_an_explicit_array
+      reader = Authorization::Reader::DSLReader.new
+
+      reader.parse %{
+        authorization do
+          role :test_action_group_2 do
+            has_permission_on :specific_mocks, :to => 'GET /specific_mocks/action_group_action_2'
+          end
+        end
+      }
+
+      request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_2", reader)
+      assert last_endpoint.authorized?
+      request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_1", reader)
+      assert !last_endpoint.authorized?
+      request!(nil, "/specific_mocks/action_group_action_2", reader)
+      assert !last_endpoint.authorized?
+    end
+
+    def test_filter_access
+      assert SpecificMocks.top_level_setting.namespace_stackable[:befores].any?
+
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :permissions, :to => :test
+            has_permission_on :specific_mocks, :to => 'GET /specific_mocks/show'
+          end
+        end
+      }
+
+      request!(MockUser.new(:test_role), "/specific_mocks/test_action", reader)
+      assert last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/specific_mocks/test_action_2", reader)
+      assert !last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role_2), "/specific_mocks/test_action", reader)
+      assert_equal 403, last_response.status
+      assert !last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+      assert last_endpoint.authorized?
+    end
+
+    def test_filter_access_multi_actions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :permissions, :to => :test
+          end
+        end
+      }
+      request!(MockUser.new(:test_role), "/specific_mocks/create", reader)
+      assert last_endpoint.authorized?
+    end
+
+    def test_filter_access_unprotected_actions
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+          end
+        end
+      }
+      request!(MockUser.new(:test_role), "/specific_mocks/unprotected_action", reader)
+      assert last_endpoint.authorized?
+    end
+
+    def test_filter_access_priv_hierarchy
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        privileges do
+          privilege :read do
+            includes "GET /specific_mocks/list", "GET /specific_mocks/show"
+          end
+        end
+        authorization do
+          role :test_role do
+            has_permission_on :specific_mocks, :to => :read
+          end
+        end
+      }
+      request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+      assert last_endpoint.authorized?
+    end
+
+    def test_filter_access_skip_attribute_test
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :permissions, :to => :test do
+              if_attribute :id => is { user }
+            end
+          end
+        end
+      }
+      request!(MockUser.new(:test_role), "/specific_mocks/new", reader)
+      assert last_endpoint.authorized?
+    end
+
+    def test_existing_instance_var_remains_unchanged
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :permissions, :to => :test do
+              if_attribute :id => is { 5 }
+            end
+          end
+        end
+      }
+      mock_object = MockDataObject.new(:id => 5)
+
+      request!(MockUser.new(:test_role), "/specific_mocks/edit_2", reader) do |endpoint|
+        endpoint.send(:instance_variable_set, :"@load_mock_object", mock_object)
+      end
+      assert_equal mock_object, last_endpoint.send(:instance_variable_get, :"@load_mock_object")
+      assert last_endpoint.authorized?
+    end
+
+    def test_permitted_to_without_context
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :specific_mocks, :to => :test
+          end
+        end
+      }
+
+      # Make any request so we can get a reference to an endpoint
+      request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+
+      assert last_endpoint.permitted_to?(:test)
+    end
+  end
+
+  ##################
+  class AllMocks < MocksAPI
+    filter_access_to :all
+    filter_access_to 'GET /all_mocks/view', :require => :test, :context => :permissions
+    define_action_methods :show, :view
+  end
+
+  class AllActionsAPITest < ApiTestCase
+    tests AllMocks
+
+    def test_filter_access_all
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :permissions, :to => :test
+            has_permission_on :all_mocks, :to => 'GET /all_mocks/show'
+          end
+        end
+      }
+
+      request!(MockUser.new(:test_role), "/all_mocks/show", reader)
+      assert last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/all_mocks/view", reader)
+      assert last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role_2), "/all_mocks/show", reader)
+      assert !last_endpoint.authorized?
+    end
+  end
+
+  ##################
+  class LoadMockObjects < MocksAPI
+    filter_access_to 'GET /load_mock_objects/:id', :attribute_check => true, :model => LoadMockObject
+    filter_access_to 'GET /load_mock_objects/:id/edit', :attribute_check => true
+    filter_access_to 'PUT /load_mock_objects/:id', 'DELETE /load_mock_objects/:id', :attribute_check => true,
+                     :load_method => proc {MockDataObject.new(:test => 1)}
+    filter_access_to 'POST /load_mock_objects' do
+      permitted_to! 'GET /load_mock_objects/:id/edit', :load_mock_objects
+    end
+    filter_access_to 'GET /load_mock_objects/view', :attribute_check => true, :load_method => :load_method
+
+    helpers do
+      @load_method_call_count = 0
+
+      def load_method_call_count
+        @load_method_call_count || 0
+      end
+
+      def load_method
+        @load_method_call_count ||= 0
+        @load_method_call_count += 1
+        MockDataObject.new(:test => 2)
+      end
+    end
+
+    resources :load_mock_objects do
+      get :view do
+        @authorized = true
+        'nothing'
+      end
+
+      route_param :id do
+        get do
+          @authorized = true
+          'nothing'
+        end
+
+        get :edit do
+          @authorized = true
+          'nothing'
+        end
+
+        put do
+          @authorized = true
+          'nothing'
+        end
+
+        delete do
+          @authorized = true
+          'nothing'
+        end
+      end
+
+      post do
+        @authorized = true
+        'nothing'
+      end
+    end
+  end
+
+  class LoadObjectAPITest < ApiTestCase
+    tests LoadMockObjects
+
+    def test_filter_access_with_object_load
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :load_mock_objects, :to => [
+              'GET /load_mock_objects/:id',
+              'GET /load_mock_objects/:id/edit'
+            ] do
+              if_attribute :id => 1
+              if_attribute :id => "1"
+            end
+          end
+        end
+      }
+
+      request!(MockUser.new(:test_role), "/load_mock_objects/2", reader)
+      assert !last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/load_mock_objects/1", reader,
+        :clear => [:@load_mock_object])
+      assert last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/load_mock_objects/1/edit", reader,
+        :clear => [:@load_mock_object])
+      assert last_endpoint.authorized?
+      assert last_endpoint.instance_variable_defined?(:@load_mock_object)
+    end
+
+    def test_filter_access_with_object_load_custom
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/view' do
+              if_attribute :test => is {2}
+            end
+            has_permission_on :load_mock_objects, :to => 'PUT /load_mock_objects/:id' do
+              if_attribute :test => is {1}
+            end
+            has_permission_on :load_mock_objects, :to => 'DELETE /load_mock_objects/:id' do
+              if_attribute :test => is {2}
+            end
+          end
+        end
+      }
+
+      request!(MockUser.new(:test_role), "/load_mock_objects/1", reader, :method => :delete)
+      assert !last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/load_mock_objects/view", reader)
+      assert last_endpoint.authorized?
+      assert_equal 1, last_endpoint.load_method_call_count
+
+      request!(MockUser.new(:test_role_2), "/load_mock_objects/view", reader)
+      assert !last_endpoint.authorized?
+      assert_equal 1, last_endpoint.load_method_call_count
+
+      # Test the custom load_object method on the `PUT /load_mock_objects/:id` action
+      request!(MockUser.new(:test_role), "/load_mock_objects/123", reader, :method => :put)
+      assert last_endpoint.authorized?
+    end
+
+    def test_filter_access_custom
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/:id/edit'
+          end
+          role :test_role_2 do
+            has_permission_on :load_mock_objects, :to => 'POST /load_mock_objects'
+          end
+        end
+      }
+
+      request!(MockUser.new(:test_role), "/load_mock_objects", reader, :method => :post)
+      assert last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role_2), "/load_mock_objects", reader, :method => :post)
+      assert !last_endpoint.authorized?
+    end
+  end
+
+  ##################
+  class AccessOverwrites < MocksAPI
+    filter_access_to 'GET /access_overwrites/test_action', 'GET /access_overwrites/test_action_2',
+      :require => :test, :context => :permissions_2
+    filter_access_to 'GET /access_overwrites/test_action', :require => :test, :context => :permissions
+    define_action_methods :test_action, :test_action_2
+  end
+
+  class AccessOverwritesAPITest < ApiTestCase
+    tests AccessOverwrites
+
+    def test_filter_access_overwrite
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :permissions, :to => :test
+          end
+        end
+      }
+      request!(MockUser.new(:test_role), "/access_overwrites/test_action_2", reader)
+      assert !last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/access_overwrites/test_action", reader)
+      assert last_endpoint.authorized?
+    end
+  end
+
+  ##################
+  class People < MocksAPI
+    filter_access_to :all
+    define_action_methods :show
+  end
+
+  class PeopleAPITest < ApiTestCase
+    tests People
+
+    def test_filter_access_people_controller
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :people, :to => 'GET /people/show'
+          end
+        end
+      }
+      request!(MockUser.new(:test_role), "/people/show", reader)
+      assert last_endpoint.authorized?
+    end
+  end
+
+  ##################
+  class CommonAPI < MocksAPI
+    filter_access_to :delete, :context => :common
+    filter_access_to :all
+  end
+  class CommonChild1API < CommonAPI
+    filter_access_to :all, :context => :context_1
+  end
+  class CommonChild2 < CommonAPI
+    filter_access_to :delete
+    define_action_methods :show, :delete
+  end
+
+  class HierachicalAPITest < ApiTestCase
+    tests CommonChild2
+
+    def test_controller_hierarchy
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :test_role do
+            has_permission_on :mocks, :to => ["GET /common_child_2/delete", "GET /common_child_2/show"]
+          end
+        end
+      }
+
+      request!(MockUser.new(:test_role), "/common_child2/show", reader)
+      assert !last_endpoint.authorized?
+
+      request!(MockUser.new(:test_role), "/common_child2/delete", reader)
+      assert !last_endpoint.authorized?
+    end
+  end
+
+  ##################
+  module Name
+    class SpacedThings < MocksAPI
+      filter_access_to 'GET /name/spaced_things/show'
+      filter_access_to 'GET /name/spaced_things/update', :context => :spaced_things
+      define_action_methods :show, :update
+    end
+  end
+
+  class NameSpacedAPITest < ApiTestCase
+    tests Name::SpacedThings
+
+    def test_context
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :permitted_role do
+            has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/show"
+            has_permission_on :spaced_things, :to => "GET /name/spaced_things/update"
+          end
+          role :prohibited_role do
+            has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/update"
+            has_permission_on :spaced_things, :to => "GET /name/spaced_things/show"
+          end
+        end
+      }
+      request!(MockUser.new(:permitted_role), "/name/spaced_things/show", reader)
+      assert last_endpoint.authorized?
+      request!(MockUser.new(:prohibited_role), "/name/spaced_things/show", reader)
+      assert !last_endpoint.authorized?
+      request!(MockUser.new(:permitted_role), "/name/spaced_things/update", reader)
+      assert last_endpoint.authorized?
+      request!(MockUser.new(:prohibited_role), "/name/spaced_things/update", reader)
+      assert !last_endpoint.authorized?
+    end
+  end
+
+  module Deep
+    module NameSpaced
+      class Things < MocksAPI
+        filter_access_to 'GET /deep/name_spaced/things/show'
+        filter_access_to 'GET /deep/name_spaced/things/update', :context => :things
+        define_action_methods :show, :update
+      end
+    end
+  end
+
+  class DeepNameSpacedAPITest < ApiTestCase
+    tests Deep::NameSpaced::Things
+
+    def test_context
+      reader = Authorization::Reader::DSLReader.new
+      reader.parse %{
+        authorization do
+          role :permitted_role do
+            has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/show'
+            has_permission_on :things, :to => 'GET /deep/name_spaced/things/update'
+          end
+          role :prohibited_role do
+            has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/update'
+            has_permission_on :things, :to => 'GET /deep/name_spaced/things/show'
+          end
+        end
+      }
+      request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/show", reader)
+      assert last_endpoint.authorized?
+      request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/show", reader)
+      assert !last_endpoint.authorized?
+      request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/update", reader)
+      assert last_endpoint.authorized?
+      request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/update", reader)
+      assert !last_endpoint.authorized?
+    end
+  end
+end