alberich 0.2.0

data/spec/factories/alberich/permission.rb

@@ -0,0 +1,51 @@
+FactoryGirl.define do
+
+  factory :permission, :class => Alberich::Permission
+
+  factory :admin_permission, :parent => :permission do
+    role { |r| Alberich::Role.first(:conditions => ['name = ?', 'Site Admin']) || FactoryGirl.create(:admin_role) }
+    permission_object { |r| Alberich::BasePermissionObject.general_permission_scope }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:admin_user)) }
+  end
+
+  factory :group_admin_permission, :parent => :permission do
+    role { |r| Alberich::Role.first(:conditions => ['name = ?', 'Site Admin']) || FactoryGirl.create(:admin_role) }
+    permission_object { |r| Alberich::BasePermissionObject.general_permission_scope }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:user_group)) }
+  end
+
+  factory :global_permission, :parent => :permission do
+    role { |r| FactoryGirl.create(:role) }
+    permission_object { |r| Alberich::BasePermissionObject.general_permission_scope }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:user)) }
+  end
+
+  factory :global_resource_permission, :parent => :permission do
+    role { |r| Alberich::Role.first(:conditions => ['name = ?', 'GlobalResource Admin']) || FactoryGirl.create(:global_resource_role) }
+    permission_object { |r| Alberich::BasePermissionObject.general_permission_scope }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:user)) }
+  end
+
+  factory :standalone_creator_permission, :parent => :permission do
+    role { |r| Alberich::Role.first(:conditions => ['name = ?', 'StandaloneResource Creator']) || FactoryGirl.create(:standalone_creator_role) }
+    permission_object { |r| Alberich::BasePermissionObject.general_permission_scope }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:user)) }
+  end
+  factory :standalone_owner_permission, :parent => :permission do
+    role { |r| Alberich::Role.first(:conditions => ['name = ?', 'StandaloneResource Owner']) || FactoryGirl.create(:standalone_owner_role) }
+    permission_object { |r| FactoryGirl.create(:standalone_resource) }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:user)) }
+  end
+
+  factory :parent_owner_permission, :parent => :permission do
+    role { |r| Alberich::Role.first(:conditions => ['name = ?', 'ParentResource Owner']) || FactoryGirl.create(:parent_owner_role) }
+    permission_object { |r| FactoryGirl.create(:parent_resource2) }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:user)) }
+  end
+  factory :child_owner_permission, :parent => :permission do
+    role { |r| Alberich::Role.first(:conditions => ['name = ?', 'ChildResource Owner']) || FactoryGirl.create(:child_owner_role) }
+    permission_object { |r| FactoryGirl.create(:child_resource2) }
+    entity { |r| Alberich::Entity.for_target(FactoryGirl.create(:user)) }
+  end
+
+end

data/spec/factories/alberich/permission_session.rb

@@ -0,0 +1,7 @@
+
+FactoryGirl.define do
+  factory :permission_session, :class => Alberich::PermissionSession do
+    session_id 'ee73441902cb9445483e498cb05dc398'
+  end
+
+end

data/spec/factories/alberich/privilege.rb

@@ -0,0 +1,6 @@
+FactoryGirl.define do
+  factory :privilege, :class => Alberich::Privilege do
+    target_type 'Alberich::BasePermissionObject'
+    action 'view'
+  end
+end

data/spec/factories/alberich/role.rb

@@ -0,0 +1,103 @@
+FactoryGirl.define do
+  factory :role, :class => Alberich::Role do
+    sequence(:name) { |n| "role#{n}" }
+    scope 'Alberich::BasePermissionObject'
+  end
+
+  factory :admin_role, :parent => :role do
+    name 'Site Admin'
+    after(:create) do |role, evaluator|
+      priv_data = [["Alberich::BasePermissionObject", "create"],
+                   ["Alberich::BasePermissionObject", "modify"],
+                   ["Alberich::BasePermissionObject", "use"],
+                   ["Alberich::BasePermissionObject", "set_perms"],
+                   ["Alberich::BasePermissionObject", "view_perms"],
+                   ["Alberich::BasePermissionObject", "view"],
+                   ["User", "view_perms"],
+                   ["User", "set_perms"],
+                   [ "User", "view"],
+                   [ "User", "create"],
+                   ["User", "modify"],
+                   ["GlobalResource", "view"],
+                   ["GlobalResource", "modify"],
+                   ["GlobalResource", "create"],
+                   ["StandaloneResource", "create"],
+                   ["StandaloneResource", "view"],
+                   ["StandaloneResource", "modify"],
+                   ["ParentResource", "create"],
+                   ["ParentResource", "view"],
+                   ["ParentResource", "modify"],
+                   ["ChildResource", "create"],
+                   ["ChildResource", "view"],
+                   ["ChildResource", "modify"]]
+      priv_data.each do |target_type, action|
+        FactoryGirl.create(:privilege, :target_type => target_type,
+                           :action => action, :role_id => role.id)
+      end
+    end
+  end
+
+  factory :global_resource_role, :parent => :role do
+    name 'GlobalResource Admin'
+    after(:create) do |role, evaluator|
+      priv_data = [["GlobalResource", "view"],
+                   ["GlobalResource", "modify"],
+                   ["GlobalResource", "create"]]
+      priv_data.each do |target_type, action|
+        FactoryGirl.create(:privilege, :target_type => target_type,
+                           :action => action, :role_id => role.id)
+      end
+    end
+  end
+
+  factory :standalone_creator_role, :parent => :role do
+    name 'StandaloneResource Creator'
+    after(:create) do |role, evaluator|
+      priv_data = [["StandaloneResource", "create"]]
+      priv_data.each do |target_type, action|
+        FactoryGirl.create(:privilege, :target_type => target_type,
+                           :action => action, :role_id => role.id)
+      end
+    end
+  end
+  factory :standalone_owner_role, :parent => :role do
+    name 'StandaloneResource Owner'
+    scope 'StandaloneResource'
+    after(:create) do |role, evaluator|
+      priv_data = [["StandaloneResource", "view"],
+                  ["StandaloneResource", "modify"]]
+      priv_data.each do |target_type, action|
+        FactoryGirl.create(:privilege, :target_type => target_type,
+                           :action => action, :role_id => role.id)
+      end
+    end
+  end
+
+  factory :parent_owner_role, :parent => :role do
+    name 'ParentResource Owner'
+    scope 'ParentResource'
+    after(:create) do |role, evaluator|
+      priv_data = [["ChildResource", "view"],
+                  ["ChildResource", "modify"],
+                  ["ChildResource", "create"],
+                  ["ParentResource", "view"],
+                  ["ParentResource", "modify"]]
+      priv_data.each do |target_type, action|
+        FactoryGirl.create(:privilege, :target_type => target_type,
+                           :action => action, :role_id => role.id)
+      end
+    end
+  end
+  factory :child_owner_role, :parent => :role do
+    name 'ChildResource Owner'
+    scope 'ChildResource'
+    after(:create) do |role, evaluator|
+      priv_data = [["ChildResource", "view"],
+                  ["ChildResource", "modify"]]
+      priv_data.each do |target_type, action|
+        FactoryGirl.create(:privilege, :target_type => target_type,
+                           :action => action, :role_id => role.id)
+      end
+    end
+  end
+end

data/spec/factories/child_resource.rb

@@ -0,0 +1,14 @@
+FactoryGirl.define do
+
+  factory :child_resource do |u|
+    sequence(:name) { |n| "child_resource#{n}" }
+    association :parent_resource, :factory => :parent_resource
+    description 'The Description'
+  end
+
+  factory :child_resource2, :parent => :child_resource do |u|
+    sequence(:name) { |n| "child_resource_test" }
+    parent_resource { |r| ParentResource.first(:conditions => ['name = ?', 'parent_resource_test']) || FactoryGirl.create(:parent_resource2) }
+    description 'The Description'
+  end
+end

data/spec/factories/child_resource.rb~

@@ -0,0 +1,7 @@
+FactoryGirl.define do
+
+  factory :child_resource do |u|
+    sequence(:name) { |n| "child_resource#{n}" }
+    description 'The Description'
+  end
+end

data/spec/factories/global_resource.rb

@@ -0,0 +1,11 @@
+FactoryGirl.define do
+
+  factory :global_resource do |u|
+    sequence(:name) { |n| "global_resource#{n}" }
+    description 'The Description'
+  end
+
+  factory :global_resource2 , :parent => :global_resource do
+    name 'Test global resoource'
+  end
+end

data/spec/factories/global_resource.rb~

@@ -0,0 +1,25 @@
+FactoryGirl.define do
+
+  factory :global_resource do |u|
+    sequence(:name) { |n| "global_resource#{n}" }
+    description 'The Description'
+  end
+
+  factory :email_user , :parent => :user do
+    email = :email
+  end
+
+  factory :other_named_user, :parent => :user do
+    first_name 'Jane'
+    last_name 'Doe'
+  end
+
+  factory :tuser, :parent => :user do
+    last_login_ip '192.168.1.1'
+  end
+
+  factory :admin_user, :parent => :user do
+    username 'admin'
+  end
+
+end

data/spec/factories/parent_resource.rb

@@ -0,0 +1,12 @@
+FactoryGirl.define do
+
+  factory :parent_resource do |u|
+    sequence(:name) { |n| "parent_resource#{n}" }
+    description 'The Description'
+  end
+
+  factory :parent_resource2, :parent => :parent_resource do |u|
+    sequence(:name) { |n| "parent_resource_test" }
+    description 'The Description'
+  end
+end

data/spec/factories/parent_resource.rb~

@@ -0,0 +1,7 @@
+FactoryGirl.define do
+
+  factory :parent_resource do |u|
+    sequence(:name) { |n| "parent_resource#{n}" }
+    description 'The Description'
+  end
+end

data/spec/factories/standalone_resource.rb

@@ -0,0 +1,7 @@
+FactoryGirl.define do
+
+  factory :standalone_resource do |u|
+    sequence(:name) { |n| "standalone_resource#{n}" }
+    description 'The Description'
+  end
+end

data/spec/factories/standalone_resource.rb~

@@ -0,0 +1,11 @@
+FactoryGirl.define do
+
+  factory :standalone_resource do |u|
+    sequence(:name) { |n| "standalone_resource#{n}" }
+    description 'The Description'
+  end
+
+  factory :standalone_resource2 , :parent => :standalone_resource do
+    name 'Test standalone resoource'
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,30 @@
+FactoryGirl.define do
+
+  factory :user do |u|
+    sequence(:username) { |n| "user#{n}" }
+    password 'secret'
+    password_confirmation 'secret'
+    first_name 'John'
+    last_name 'Smith'
+    email "#{:username}@example.com"
+    #after_build { |u| u.email ||= "#{u.username}@example.com" }
+  end
+
+  factory :email_user , :parent => :user do
+    email = :email
+  end
+
+  factory :other_named_user, :parent => :user do
+    first_name 'Jane'
+    last_name 'Doe'
+  end
+
+  factory :tuser, :parent => :user do
+    last_login_ip '192.168.1.1'
+  end
+
+  factory :admin_user, :parent => :user do
+    username 'admin'
+  end
+
+end

data/spec/factories/user_group.rb

@@ -0,0 +1,8 @@
+FactoryGirl.define do
+
+  factory :user_group do |u|
+    sequence(:name) { |n| "group#{n}" }
+  end
+
+
+end

data/spec/models/alberich/derived_permission_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+module Alberich
+  describe DerivedPermission do
+    before(:each) do
+      @admin_permission = FactoryGirl.create :admin_permission
+      @permission = FactoryGirl.create :global_permission
+
+      @admin = @admin_permission.user
+      @user = @permission.user
+      @permission_session = FactoryGirl.create(:permission_session,
+                                               :user => @admin)
+      @permission_session.update_session_entities(@admin)
+      @permission_session.add_to_session(@user)
+
+    end
+
+    it "derived permissions created for global permission" do
+      derived_perms_count = BasePermissionObject.general_permission_scope.
+        derived_permissions.size
+      @global_perm = Permission.create(:entity => Entity.for_target(@admin),
+                                       :role => FactoryGirl.create(:role),
+                                       :permission_object =>
+                                       BasePermissionObject.general_permission_scope)
+      perm_sources = BasePermissionObject.general_permission_scope.
+        derived_permissions.collect {|p| p.permission}
+      perm_sources.size.should == (derived_perms_count + 1)
+      perm_sources.include?(@admin_permission).should be_true
+      perm_sources.include?(@global_perm).should be_true
+    end
+    #FIXME add obj-level tests with inheritence once dummy app gets permissioned object examples
+
+  end
+end

data/spec/models/alberich/entity_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+module Alberich
+  describe Entity do
+    it "should create entity on user creation" do
+      u = FactoryGirl.create(:user)
+      Entity.for_target(u).should be_a(Entity)
+    end
+
+    it "should create entity on user group creation" do
+      u = FactoryGirl.create(:user_group)
+      Entity.for_target(u).should be_a(Entity)
+    end
+  end
+end

data/spec/models/alberich/permission_spec.rb

@@ -0,0 +1,133 @@
+require 'spec_helper'
+
+module Alberich
+  describe Permission do
+    before(:each) do
+      @admin_permission = FactoryGirl.create :admin_permission
+      @permission = FactoryGirl.create :global_permission
+
+      @admin = @admin_permission.user
+      @user = @permission.user
+      @permission_session = FactoryGirl.create(:permission_session,
+                                               :user => @admin)
+      @permission_session.update_session_entities(@admin)
+      @permission_session.add_to_session(@user)
+
+    end
+
+    it "Admin should be able to create users" do
+      BasePermissionObject.general_permission_scope.
+        has_privilege(@permission_session,
+                      @admin,
+                      Privilege::CREATE,
+                      User).should be_true
+    end
+
+    it "Non-admin should not be able to create users" do
+      BasePermissionObject.general_permission_scope.
+        has_privilege(@permission_session,
+                      @user,
+                      Privilege::CREATE,
+                      User).should be_false
+    end
+
+    it "User added to Admin group should be able to create users" do
+      newuser = FactoryGirl.create(:user)
+      group_admin_permission = FactoryGirl.create(:group_admin_permission)
+      user_group = group_admin_permission.user_group
+      @permission_session.update_session_entities(newuser)
+      BasePermissionObject.general_permission_scope.has_privilege(@permission_session,
+                                                                  newuser,
+                                                                  Privilege::CREATE,
+                                                                  User).should be_false
+      user_group.members << newuser
+      newuser.reload
+      @permission_session.update_session_entities(newuser)
+      BasePermissionObject.general_permission_scope.has_privilege(@permission_session,
+                                                                  newuser,
+                                                                  Privilege::CREATE,
+                                                                  User).should be_true
+
+    end
+
+    it "global permissions should be type-specific" do
+      global_resource_permission = FactoryGirl.create :global_resource_permission
+      global_resource_user = global_resource_permission.user
+      @permission_session.update_session_entities(global_resource_user)
+      BasePermissionObject.general_permission_scope.
+        has_privilege(@permission_session,
+                      global_resource_user,
+                      Privilege::CREATE,
+                      GlobalResource).should be_true
+      BasePermissionObject.general_permission_scope.
+        has_privilege(@permission_session,
+                      @user,
+                      Privilege::CREATE,
+                      GlobalResource).should be_false
+    end
+
+    it "standalone resource create permission should be limited by global roles" do
+      standalone_creator_permission = FactoryGirl.create :standalone_creator_permission
+      standalone_creator_user = standalone_creator_permission.user
+      @permission_session.update_session_entities(standalone_creator_user)
+      BasePermissionObject.general_permission_scope.
+        has_privilege(@permission_session,
+                      standalone_creator_user,
+                      Privilege::CREATE,
+                      StandaloneResource).should be_true
+      BasePermissionObject.general_permission_scope.
+        has_privilege(@permission_session,
+                      @user,
+                      Privilege::CREATE,
+                      StandaloneResource).should be_false
+    end
+
+    it "standalone resource access should be allowed for owner and admin" do
+      standalone_owner_permission = FactoryGirl.create :standalone_owner_permission
+      standalone_owner_user = standalone_owner_permission.user
+      standalone_resource = standalone_owner_permission.permission_object
+      @permission_session.add_to_session(standalone_owner_user)
+      standalone_resource.
+        has_privilege(@permission_session,
+                      standalone_owner_user,
+                      Privilege::VIEW).should be_true
+      standalone_resource.
+        has_privilege(@permission_session,
+                      @admin,
+                      Privilege::VIEW).should be_true
+      standalone_resource.
+        has_privilege(@permission_session,
+                      @user,
+                      Privilege::VIEW).should be_false
+    end
+
+    it "child resource access should inherit from parent" do
+      parent_owner_permission = FactoryGirl.create :parent_owner_permission
+      parent_owner_user = parent_owner_permission.user
+      parent_resource = parent_owner_permission.permission_object
+      @permission_session.add_to_session(parent_owner_user)
+
+      child_owner_permission = FactoryGirl.create :child_owner_permission
+      child_owner_user = child_owner_permission.user
+      child_resource = child_owner_permission.permission_object
+      @permission_session.add_to_session(child_owner_user)
+      child_resource.
+        has_privilege(@permission_session,
+                      child_owner_user,
+                      Privilege::VIEW).should be_true
+      child_resource.
+        has_privilege(@permission_session,
+                      parent_owner_user,
+                      Privilege::VIEW).should be_true
+      child_resource.
+        has_privilege(@permission_session,
+                      @admin,
+                      Privilege::VIEW).should be_true
+      child_resource.
+        has_privilege(@permission_session,
+                      @user,
+                      Privilege::VIEW).should be_false
+    end
+    #FIXME add obj-level tests once dummy app gets permissioned object examples
+  end
+end