aki-operations 1.0.0

data/lib/operations/act_as_operationable.rb

@@ -0,0 +1,26 @@
+module Operations
+  module ActAsOperationable extend ActiveSupport::Concern
+    class_methods do
+      def acts_as_operationable(options={})
+      end
+    end
+
+    def get_operations
+      unless respond_to?(:operations)
+        raise Operations::Errors::NotImplementedError.new(self.class, :operations)
+      end
+      unless self.operations.nil? || self.operations.class == String
+        raise Operations::Errors::InvalidFieldError.new(:operations, self.class, String)
+      end
+      self.operations.to_s.to_operations
+    end
+
+    def named_scope
+      Operations.user_role_name_from(role || 2)
+    end
+
+    def as_json(options={})
+      super.as_json(options).merge({scope: named_scope, operations: get_operations})
+    end
+  end
+end

data/lib/operations/config.rb

@@ -0,0 +1,64 @@
+module Operations
+  module Config
+    # Returns a list of user roles straight from the config file
+    mattr_accessor :user_roles
+    @@user_roles = [
+      {name: :admin, description: 'Administrator', value: 0, db_value: 0},
+      {name: :guest, description: 'Anyone', value: 3, db_value: 1},
+      {name: :regular, description: 'Regular user', value: 2, db_value: 2},
+      {name: :technician, description: 'Technician', value: 1, db_value: 3},
+      {name: :all, description: 'Anyone on the system', value: -1},
+      {name: :nobody, description: 'No one on the system', value: -2}
+    ]
+
+    mattr_accessor :operation_name_regex
+    @@operation_name_regex = %r{\w}
+
+    mattr_accessor :operation_uuid_algorithm
+    @@operation_uuid_algorithm = OpenSSL::Digest::SHA256
+
+    # Returns a list of Operation instances for convenience
+    mattr_accessor :operations_list
+    @@operations_list = []
+
+    # Specifies how the operations should be enforced within the app
+    mattr_accessor :enforcements
+    @@enforcements = []
+
+    # Defines the default path to go to should the user not be logged in
+    mattr_accessor :sign_in_path
+    @@sign_in_path = nil
+
+    class << self
+      def operation_scope_regex
+        %r{\A(#{user_roles.map{|o| o[:name]}.join('|')})\z}
+      end
+
+      def operation_scope_regex=(*args)
+        raise 'Operations::Config does not allow to set the variable operation_name_regex'
+      end
+
+      def get_sign_in_path
+        if sign_in_path.nil?
+          warn "Warning! You have not set the Operations::Config.sign_in_path variable!"
+          return nil
+        end
+        Rails.application.routes.recognize_path sign_in_path
+      rescue ActionController::RoutingError
+        {controller: nil, action: nil}
+      end
+    end
+
+    # A simple way to setup Operations.
+    def self.setup
+      yield self
+    end
+
+    def self.get_operations_list
+      operations_list
+          .map{|operation|
+            Operations::Operation.new(**operation)}
+          .select{|operation| operation.is_valid?}
+    end
+  end
+end

data/lib/operations/core_ext.rb

@@ -0,0 +1,28 @@
+class String
+  def to_operations
+    real_size = self.blank? ? 0 : self.strip.size
+    return [] if real_size == 0
+
+    by_uuid = Operations.from_uuid(self)
+    return by_uuid unless by_uuid.nil?
+
+    operations_list = []
+
+    begin
+      json_operations = JSON.parse(self)
+    rescue JSON::ParserError
+      raise Operations::Errors::InvalidOperationError.new('Could not parsel this String into a Operations::Operation object')
+    end
+    if json_operations.class == Array
+      json_operations.each do |json_value|
+        operations_list.append(json_value.to_s.to_operations)
+      end
+    elsif json_operations.class == Hash # OK
+      json_operations.deep_symbolize_keys!
+      operations_list = Operations::Operation.new(**json_operations)
+    end
+
+    operations_list
+  end
+  alias :to_operation :to_operations
+end

data/lib/operations/enforcer.rb

@@ -0,0 +1,71 @@
+module Operations
+  module Enforcer
+    class << self
+      def default_operation
+        Operations::Operation.new do |operation|
+          operation.name = :default_enforced_operation
+          operation.scope = :admin
+        end
+      end
+
+      def application_actions
+
+      end
+
+      def check_for_pattern(rule, value)
+        rule = rule.to_s; value = value.to_s
+        value_ok = rule.nil? \
+              || rule == '*' \
+              || rule.to_s == value.to_s
+        unless value_ok
+          rule = rule.to_s
+          if rule.include?('*')
+            regex = Operations::Utils.parse_to_regex(rule)
+            value_ok = regex === value
+          end
+        end
+        value_ok
+      end
+
+      def get_operation(controller, action)
+        result = Operations::Config.enforcements.select do |rule|
+          check_for_pattern(rule[:controller], controller) && check_for_pattern(rule[:action], action)
+        end
+        rule = result[0]
+        return default_operation if rule.nil?
+        Operations.from_string(rule[:operation])
+      end
+
+      def enforce(controller, action, user)
+        operation = get_operation(controller, action)
+
+        if operation == :nobody
+          raise Operations::Errors::NotAuthorizedError.new(operation, 'no one is allowed to execute this action!')
+        end
+
+        return if operation == :all
+
+        if user.nil?
+          # Check if we are not already on the sign in page
+          sign_in_path = Operations::Config.get_sign_in_path
+          if sign_in_path && sign_in_path[:controller] && sign_in_path[:action]
+            return if sign_in_path[:controller].to_s == controller.to_s \
+                && sign_in_path[:action].to_s == action.to_s
+          end
+
+          # Case 1: There is no user and the operation was found
+          raise Operations::Errors::NotLoggedInError.new(operation)
+        end
+
+        # Case 2: The operation was found
+        if operation
+          unless operation.accepts_scope? user.named_scope
+            raise Operations::Errors::NotAuthorizedError.new(operation, 'insufficient privileges')
+          else
+            warn "Access granted for User##{user.id} (#{controller}:#{action})"; return
+          end
+        end
+      end
+    end
+  end
+end

data/lib/operations/engine.rb

@@ -0,0 +1,5 @@
+module Operations
+  class Engine < ::Rails::Engine
+    isolate_namespace Operations
+  end
+end

data/lib/operations/errors.rb

@@ -0,0 +1,6 @@
+require "operations/errors/base_exception"
+
+module Operations
+  module Errors
+  end
+end

data/lib/operations/errors/base_exception.rb

@@ -0,0 +1,12 @@
+module Operations
+  module Errors
+    class BaseException < StandardError
+    end
+  end
+end
+
+require "operations/errors/not_implemented_error"
+require "operations/errors/invalid_operation_error"
+require "operations/errors/invalid_field_error"
+require "operations/errors/not_authorized_error"
+require "operations/errors/not_logged_in_error"

data/lib/operations/errors/invalid_field_error.rb

@@ -0,0 +1,9 @@
+module Operations
+  module Errors
+    class InvalidFieldError < BaseException
+      def initialize(missing_method, klass, expected_class)
+        super("The field #{missing_method} for class #{klass} is not a #{expected_class}.")
+      end
+    end
+  end
+end

data/lib/operations/errors/invalid_operation_error.rb

@@ -0,0 +1,26 @@
+module Operations
+  module Errors
+    class InvalidOperationError < BaseException
+      def initialize(operation, msg=nil)
+        if operation.class == Operations::Operation
+          cause = "Cause:"
+          has_cause = false
+          unless operation.has_valid_name?
+            cause += " invalid name"
+            has_cause = true
+          end
+          unless operation.has_valid_scope?
+            cause += " invalid scope `#{operation.invalid_scope}'"
+            has_cause = true
+          end
+          cause "Unknown cause." unless has_cause
+          message = "The operation #{operation} is not valid. #{cause}"
+        else
+          message = "Invalid operation object. Cause: `#{operation}'."
+        end
+        message += " Additional info: #{msg}" if msg
+        super(message)
+      end
+    end
+  end
+end

data/lib/operations/errors/not_authorized_error.rb

@@ -0,0 +1,11 @@
+module Operations
+  module Errors
+    class NotAuthorizedError < BaseException
+      def initialize(operation=nil, msg=nil)
+        cause = msg || "unknown"
+        operation_name = operation ? operation.name : 'insufficient privileges'
+        super("Operation access denied: #{operation_name}. Cause: #{cause}")
+      end
+    end
+  end
+end

data/lib/operations/errors/not_implemented_error.rb

@@ -0,0 +1,9 @@
+module Operations
+  module Errors
+    class NotImplementedError < BaseException
+      def initialize(klass, missing_method)
+        super("The class #{klass} does not implement the method #{missing_method}")
+      end
+    end
+  end
+end

data/lib/operations/errors/not_logged_in_error.rb

@@ -0,0 +1,10 @@
+module Operations
+  module Errors
+    class NotLoggedInError < BaseException
+      def initialize(operation=nil)
+        operation_name = operation.nil? ? 'unknown' : (operation.description || operation.name)
+        super("You must log in before running this action. Attempted operation `#{operation_name}'.")
+      end
+    end
+  end
+end

data/lib/operations/operation.rb

@@ -0,0 +1,167 @@
+module Operations
+  class Operation
+    OperationValue = Struct.new :name, :scope, :description
+
+    def initialize(**options, &block)
+      if block_given?
+        yield values
+      else
+        options.each do |key, value|
+          if values.respond_to?(key)
+            values.send(key.to_s + '=', value)
+          end
+        end
+      end
+      ensure_operation_is_valid!
+      self
+    end
+
+    def values
+      @values ||= OperationValue.new(nil, :nobody)
+    end
+
+    def name
+      has_valid_name? ? values.name : 'N/A (Invalid operation name)'
+    end
+
+    def description
+      values.description
+    end
+
+    def users
+      return User.where(id: []) if scope == :nobody
+      return User.all if scope == :all
+      @users ||= Operations.users_acting_as(scope)
+    end
+
+    # def user
+    #   return nil if values.user_id.nil?
+    #   @user ||= User.find_by(id: values.user_id)
+    # end
+
+    # def save
+    #   return false if user.nil?
+    #   ensure_operation_is_valid!("Cannot save user #{user}")
+    #   result = user.update_attribute :operations, self.to_json
+    # end
+
+    def is_valid?
+      has_valid_name? && has_valid_scope? # && !user.nil?
+    end
+
+    def has_valid_name?
+      Operations::Config.operation_name_regex === values.name
+    end
+
+    def has_valid_scope?
+      Operations::Config.operation_scope_regex === scope
+    end
+
+    def invalid_scope
+      return scope unless has_valid_scope?
+    end
+
+    def is_scope?(scope_name)
+      scope.to_s == scope_name.to_s
+    end
+
+    def accepts_scope?(scope_name)
+      scope_name = scope_name.to_sym
+      return true if scope == :all
+      return false if scope == :nobody
+      return true if is_scope?(scope_name)
+      Operations.allowed_named_roles_for(scope).include?(scope_name)
+    end
+
+    def allowed_roles
+      Operations.user_roles
+    end
+
+    def denied_roles
+    end
+
+    def as_json(options={})
+      additional_hash = {uuid: uuid, users_count: users.count}
+      if (methods = options[:methods])
+        if methods.class != Array
+          methods = [methods]
+        end
+        methods.each do |method|
+          begin
+            additional_hash[method] = send(method)
+          rescue NoMethodError
+            # ignore
+            next
+          end
+        end
+      end
+      values
+          .as_json(options)
+          .merge(additional_hash)
+          .as_json
+    end
+
+    def uuid
+      alg = Operations::Config.operation_uuid_algorithm
+      return Operations::Errors::BaseException("The UUID Algorithm has be a class") unless alg.class == Class
+      alg.new(name.to_s).to_s
+    end
+
+    def to_json
+      as_json.to_json
+    end
+
+    def inspect
+      "\#<#{self.class.name} `#{self.name}' allowed for `#{scope}'>"
+    end
+
+    def ==(sc_op)
+      if sc_op.class == self.class
+        sc_op.name == name && sc_op.uuid == uuid
+      else
+        is_scope?(sc_op)
+      end
+    end
+
+    def >(sc_op)
+      if sc_op.class == self.class
+        return false if self == sc_op
+        return !sc_op.accepts_scope?(scope)
+      elsif sc_op.class == Symbol
+        accepts_scope?(sc_op)
+      else
+        false
+      end
+    end
+
+    def <(sc_op)
+      if sc_op.class == self.class
+        return false if self == sc_op
+        return sc_op.accepts_scope?(scope)
+      elsif sc_op.class == Symbol
+        !accepts_scope?(sc_op)
+      else
+        false
+      end
+    end
+
+    def >=(sc_op)
+      self == sc_op || self > sc_op
+    end
+
+    def <=(sc_op)
+      self == sc_op || self < sc_op
+    end
+
+    private
+
+    def ensure_operation_is_valid!(msg=nil)
+      raise Operations::Errors::InvalidOperationError.new(self, nil) unless is_valid?
+    end
+
+    # Hide the scope for security reasons
+    def scope
+      self.values.scope || :nobody
+    end
+  end
+end