ae_declarative_authorization 0.8.0 → 0.9.0

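--- /dev/null
+++ b/unknown
@@ -0,0 +1,508 @@
+ require 'test_helper'
+
+ # TODO: remove this conditional when rails 4 support is removed
+ if defined?(Grape)
+ class LoadMockObject < MockDataObject
+ def self.name
+ "LoadMockObject"
+ end
+ end
+
+ ##################
+ class SpecificMocks < MocksAPI
+ filter_access_to 'GET /specific_mocks/test_action', :require => :test, :context => :permissions
+ filter_access_to 'GET /specific_mocks/test_action_2', :require => :test, :context => :permissions_2
+ filter_access_to 'GET /specific_mocks/show'
+ filter_access_to 'GET /specific_mocks/edit', 'POST /specific_mocks/create', :require => :test, :context => :permissions
+ filter_access_to 'GET /specific_mocks/edit2', :require => :test, :context => :permissions,
+ :attribute_check => true, :model => LoadMockObject
+ filter_access_to 'GET /specific_mocks/new', :require => :test, :context => :permissions
+
+ filter_access_to ['GET /specific_mocks/action_group_action_1', 'GET /specific_mocks/action_group_action_2']
+ define_action_methods :test_action, :test_action_2, :show, :edit, :create,
+ :edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
+ end
+
+ class BasicAPITest < ApiTestCase
+ tests SpecificMocks
+
+ def test_filter_access_to_receiving_an_explicit_array
+ reader = Authorization::Reader::DSLReader.new
+
+ reader.parse %{
+ authorization do
+ role :test_action_group_2 do
+ has_permission_on :specific_mocks, :to => 'GET /specific_mocks/action_group_action_2'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_2", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:test_action_group_2), "/specific_mocks/action_group_action_1", reader)
+ assert !last_endpoint.authorized?
+ request!(nil, "/specific_mocks/action_group_action_2", reader)
+ assert !last_endpoint.authorized?
+ end
+
+ def test_filter_access
+ assert SpecificMocks.top_level_setting.namespace_stackable[:befores].any?
+
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ has_permission_on :specific_mocks, :to => 'GET /specific_mocks/show'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/specific_mocks/test_action", reader)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/specific_mocks/test_action_2", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role_2), "/specific_mocks/test_action", reader)
+ assert_equal 403, last_response.status
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_multi_actions
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/create", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_unprotected_actions
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/unprotected_action", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_priv_hierarchy
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ privileges do
+ privilege :read do
+ includes "GET /specific_mocks/list", "GET /specific_mocks/show"
+ end
+ end
+ authorization do
+ role :test_role do
+ has_permission_on :specific_mocks, :to => :read
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_skip_attribute_test
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test do
+ if_attribute :id => is { user }
+ end
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/specific_mocks/new", reader)
+ assert last_endpoint.authorized?
+ end
+
+ def test_existing_instance_var_remains_unchanged
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test do
+ if_attribute :id => is { 5 }
+ end
+ end
+ end
+ }
+ mock_object = MockDataObject.new(:id => 5)
+
+ request!(MockUser.new(:test_role), "/specific_mocks/edit_2", reader) do |endpoint|
+ endpoint.send(:instance_variable_set, :"@load_mock_object", mock_object)
+ end
+ assert_equal mock_object, last_endpoint.send(:instance_variable_get, :"@load_mock_object")
+ assert last_endpoint.authorized?
+ end
+
+ def test_permitted_to_without_context
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :specific_mocks, :to => :test
+ end
+ end
+ }
+
+ # Make any request so we can get a reference to an endpoint
+ request!(MockUser.new(:test_role), "/specific_mocks/show", reader)
+
+ assert last_endpoint.permitted_to?(:test)
+ end
+ end
+
+ ##################
+ class AllMocks < MocksAPI
+ filter_access_to :all
+ filter_access_to 'GET /all_mocks/view', :require => :test, :context => :permissions
+ define_action_methods :show, :view
+ end
+
+ class AllActionsAPITest < ApiTestCase
+ tests AllMocks
+
+ def test_filter_access_all
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ has_permission_on :all_mocks, :to => 'GET /all_mocks/show'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/all_mocks/show", reader)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/all_mocks/view", reader)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role_2), "/all_mocks/show", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class LoadMockObjects < MocksAPI
+ filter_access_to 'GET /load_mock_objects/:id', :attribute_check => true, :model => LoadMockObject
+ filter_access_to 'GET /load_mock_objects/:id/edit', :attribute_check => true
+ filter_access_to 'PUT /load_mock_objects/:id', 'DELETE /load_mock_objects/:id', :attribute_check => true,
+ :load_method => proc {MockDataObject.new(:test => 1)}
+ filter_access_to 'POST /load_mock_objects' do
+ permitted_to! 'GET /load_mock_objects/:id/edit', :load_mock_objects
+ end
+ filter_access_to 'GET /load_mock_objects/view', :attribute_check => true, :load_method => :load_method
+
+ helpers do
+ @load_method_call_count = 0
+
+ def load_method_call_count
+ @load_method_call_count || 0
+ end
+
+ def load_method
+ @load_method_call_count ||= 0
+ @load_method_call_count += 1
+ MockDataObject.new(:test => 2)
+ end
+ end
+
+ resources :load_mock_objects do
+ get :view do
+ @authorized = true
+ 'nothing'
+ end
+
+ route_param :id do
+ get do
+ @authorized = true
+ 'nothing'
+ end
+
+ get :edit do
+ @authorized = true
+ 'nothing'
+ end
+
+ put do
+ @authorized = true
+ 'nothing'
+ end
+
+ delete do
+ @authorized = true
+ 'nothing'
+ end
+ end
+
+ post do
+ @authorized = true
+ 'nothing'
+ end
+ end
+ end
+
+ class LoadObjectAPITest < ApiTestCase
+ tests LoadMockObjects
+
+ def test_filter_access_with_object_load
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :load_mock_objects, :to => [
+ 'GET /load_mock_objects/:id',
+ 'GET /load_mock_objects/:id/edit'
+ ] do
+ if_attribute :id => 1
+ if_attribute :id => "1"
+ end
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/2", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/1", reader,
+ :clear => [:@load_mock_object])
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/1/edit", reader,
+ :clear => [:@load_mock_object])
+ assert last_endpoint.authorized?
+ assert last_endpoint.instance_variable_defined?(:@load_mock_object)
+ end
+
+ def test_filter_access_with_object_load_custom
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/view' do
+ if_attribute :test => is {2}
+ end
+ has_permission_on :load_mock_objects, :to => 'PUT /load_mock_objects/:id' do
+ if_attribute :test => is {1}
+ end
+ has_permission_on :load_mock_objects, :to => 'DELETE /load_mock_objects/:id' do
+ if_attribute :test => is {2}
+ end
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/1", reader, :method => :delete)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/load_mock_objects/view", reader)
+ assert last_endpoint.authorized?
+ assert_equal 1, last_endpoint.load_method_call_count
+
+ request!(MockUser.new(:test_role_2), "/load_mock_objects/view", reader)
+ assert !last_endpoint.authorized?
+ assert_equal 1, last_endpoint.load_method_call_count
+
+ # Test the custom load_object method on the `PUT /load_mock_objects/:id` action
+ request!(MockUser.new(:test_role), "/load_mock_objects/123", reader, :method => :put)
+ assert last_endpoint.authorized?
+ end
+
+ def test_filter_access_custom
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :load_mock_objects, :to => 'GET /load_mock_objects/:id/edit'
+ end
+ role :test_role_2 do
+ has_permission_on :load_mock_objects, :to => 'POST /load_mock_objects'
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/load_mock_objects", reader, :method => :post)
+ assert last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role_2), "/load_mock_objects", reader, :method => :post)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class AccessOverwrites < MocksAPI
+ filter_access_to 'GET /access_overwrites/test_action', 'GET /access_overwrites/test_action_2',
+ :require => :test, :context => :permissions_2
+ filter_access_to 'GET /access_overwrites/test_action', :require => :test, :context => :permissions
+ define_action_methods :test_action, :test_action_2
+ end
+
+ class AccessOverwritesAPITest < ApiTestCase
+ tests AccessOverwrites
+
+ def test_filter_access_overwrite
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :permissions, :to => :test
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/access_overwrites/test_action_2", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/access_overwrites/test_action", reader)
+ assert last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class People < MocksAPI
+ filter_access_to :all
+ define_action_methods :show
+ end
+
+ class PeopleAPITest < ApiTestCase
+ tests People
+
+ def test_filter_access_people_controller
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :people, :to => 'GET /people/show'
+ end
+ end
+ }
+ request!(MockUser.new(:test_role), "/people/show", reader)
+ assert last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ class CommonAPI < MocksAPI
+ filter_access_to :delete, :context => :common
+ filter_access_to :all
+ end
+ class CommonChild1API < CommonAPI
+ filter_access_to :all, :context => :context_1
+ end
+ class CommonChild2 < CommonAPI
+ filter_access_to :delete
+ define_action_methods :show, :delete
+ end
+
+ class HierachicalAPITest < ApiTestCase
+ tests CommonChild2
+
+ def test_controller_hierarchy
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :test_role do
+ has_permission_on :mocks, :to => ["GET /common_child_2/delete", "GET /common_child_2/show"]
+ end
+ end
+ }
+
+ request!(MockUser.new(:test_role), "/common_child2/show", reader)
+ assert !last_endpoint.authorized?
+
+ request!(MockUser.new(:test_role), "/common_child2/delete", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ ##################
+ module Name
+ class SpacedThings < MocksAPI
+ filter_access_to 'GET /name/spaced_things/show'
+ filter_access_to 'GET /name/spaced_things/update', :context => :spaced_things
+ define_action_methods :show, :update
+ end
+ end
+
+ class NameSpacedAPITest < ApiTestCase
+ tests Name::SpacedThings
+
+ def test_context
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :permitted_role do
+ has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/show"
+ has_permission_on :spaced_things, :to => "GET /name/spaced_things/update"
+ end
+ role :prohibited_role do
+ has_permission_on :name_spaced_things, :to => "GET /name/spaced_things/update"
+ has_permission_on :spaced_things, :to => "GET /name/spaced_things/show"
+ end
+ end
+ }
+ request!(MockUser.new(:permitted_role), "/name/spaced_things/show", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/name/spaced_things/show", reader)
+ assert !last_endpoint.authorized?
+ request!(MockUser.new(:permitted_role), "/name/spaced_things/update", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/name/spaced_things/update", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+
+ module Deep
+ module NameSpaced
+ class Things < MocksAPI
+ filter_access_to 'GET /deep/name_spaced/things/show'
+ filter_access_to 'GET /deep/name_spaced/things/update', :context => :things
+ define_action_methods :show, :update
+ end
+ end
+ end
+
+ class DeepNameSpacedAPITest < ApiTestCase
+ tests Deep::NameSpaced::Things
+
+ def test_context
+ reader = Authorization::Reader::DSLReader.new
+ reader.parse %{
+ authorization do
+ role :permitted_role do
+ has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/show'
+ has_permission_on :things, :to => 'GET /deep/name_spaced/things/update'
+ end
+ role :prohibited_role do
+ has_permission_on :deep_name_spaced_things, :to => 'GET /deep/name_spaced/things/update'
+ has_permission_on :things, :to => 'GET /deep/name_spaced/things/show'
+ end
+ end
+ }
+ request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/show", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/show", reader)
+ assert !last_endpoint.authorized?
+ request!(MockUser.new(:permitted_role), "/deep/name_spaced/things/update", reader)
+ assert last_endpoint.authorized?
+ request!(MockUser.new(:prohibited_role), "/deep/name_spaced/things/update", reader)
+ assert !last_endpoint.authorized?
+ end
+ end
+ end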
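Review bot: `test_existing_instance_var_remains_unchanged` looks vacuous, because the attribute-checking filter is registered for `'GET /specific_mocks/edit2'` (hunk line 17) while the action and the request both use `edit_2` (lines 23 and 146), so the request appears to reach an action that no `filter_access_to` covers and would be authorized regardless of the `if_attribute :id => is { 5 }` rule or the pre-set `@load_mock_object`. Aligning the route, `filter_access_to 'GET /specific_mocks/edit_2', :require => :test, :context => :permissions, :attribute_check => true, :model => LoadMockObject`, would make the assertion at line 150 actually exercise the attribute check — assuming `define_action_methods` maps `:edit_2` to `/specific_mocks/edit_2`, which the helper in `test_helper` is not shown here. Separately, every denial path except line 68 asserts only `!last_endpoint.authorized?`; for an authorization filter the tests should also pin the response with `assert_equal 403, last_response.status`, otherwise a 404 from a route mismatch (for example `/common_child2/...` at lines 426/429 versus the `common_child_2` permission strings at line 421) or an exception in the filter is indistinguishable from a correct denial.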