alberich 0.2.0

data/app/controllers/alberich/privileges_controller.rb

@@ -0,0 +1,105 @@
+require_dependency "alberich/application_controller"
+
+module Alberich
+  class PrivilegesController < Alberich::ApplicationController
+    # GET /privileges
+    # GET /privileges.json
+    def index
+      require_privilege(Privilege::PERM_VIEW)
+      @privileges = Privilege.all
+  
+      respond_to do |format|
+        format.html # index.html.erb
+        format.json { render json: @privileges }
+      end
+    end
+  
+    # GET /privileges/1
+    # GET /privileges/1.json
+    def show
+      require_privilege(Privilege::PERM_VIEW)
+      @privilege = Privilege.find(params[:id])
+  
+      respond_to do |format|
+        format.html # show.html.erb
+        format.json { render json: @role }
+      end
+    end
+  
+    # GET /privileges/new
+    # GET /privileges/new.json
+    def new
+      require_privilege(Privilege::PERM_SET)
+      @privilege = Privilege.new(:role_id => params[:role_id])
+      @target_type_list = Privilege::TARGET_TYPES
+      @action_list = Privilege::ACTIONS
+      respond_to do |format|
+        format.html # new.html.erb
+        format.json { render json: @privilege }
+      end
+    end
+  
+    # POST /privileges
+    # POST /privileges.json
+    def create
+      require_privilege(Privilege::PERM_SET)
+      @privilege = Privilege.new(params[:privilege])
+      @target_type_list = Privilege::TARGET_TYPES
+      @action_list = Privilege::ACTIONS
+  
+      respond_to do |format|
+        if @privilege.save
+          format.html { redirect_to @privilege.role, notice: "New privilege added" }
+          format.json { render json: @privilege, status: :created, location: @privilege }
+        else
+          format.html { render action: "new" }
+          format.json { render json: @privilege.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+  
+    # GET /privileges/1/edit
+    def edit
+      require_privilege(Privilege::PERM_SET)
+      @privilege = Privilege.find(params[:id])
+      @target_type_list = Privilege::TARGET_TYPES
+      @action_list = Privilege::ACTIONS
+      respond_to do |format|
+        format.html # new.html.erb
+        format.json { render json: @privilege }
+      end
+    end
+  
+    # PUT /privileges/1
+    # PUT /privileges/1.json
+    def update
+      require_privilege(Privilege::PERM_SET)
+      @privilege = Privilege.find(params[:id])
+      @target_type_list = Privilege::TARGET_TYPES
+      @action_list = Privilege::ACTIONS
+      respond_to do |format|
+        if @privilege.update_attributes(params[:privilege])
+          format.html { redirect_to @privilege.role, notice: "New privilege added"}
+          format.json { head :no_content }
+        else
+          format.html { render action: "edit" }
+          format.json { render json: @privilege.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+  
+    # DELETE /privileges/1
+    # DELETE /privileges/1.json
+    def destroy
+      require_privilege(Privilege::PERM_SET)
+      @privilege = Privilege.find(params[:id])
+      role = @privilege.role
+      @privilege.destroy
+  
+      respond_to do |format|
+        format.html { redirect_to role }
+        format.json { head :no_content }
+      end
+    end
+  end
+end

data/app/controllers/alberich/roles_controller.rb

@@ -0,0 +1,97 @@
+require_dependency "alberich/application_controller"
+
+module Alberich
+  class RolesController < Alberich::ApplicationController
+
+    before_filter :require_user
+    # GET /roles
+    # GET /roles.json
+    def index
+      require_privilege(Privilege::PERM_VIEW)
+      @roles = Role.all
+  
+      respond_to do |format|
+        format.html # index.html.erb
+        format.json { render json: @roles }
+      end
+    end
+  
+    # GET /roles/1
+    # GET /roles/1.json
+    def show
+      require_privilege(Privilege::PERM_VIEW)
+      @role = Role.find(params[:id])
+  
+      respond_to do |format|
+        format.html # show.html.erb
+        format.json { render json: @role }
+      end
+    end
+  
+    # GET /roles/new
+    # GET /roles/new.json
+    def new
+      require_privilege(Privilege::PERM_SET)
+      @role = Role.new
+      @scope_list = Role::VALID_SCOPES
+      respond_to do |format|
+        format.html # new.html.erb
+        format.json { render json: @role }
+      end
+    end
+  
+    # GET /roles/1/edit
+    def edit
+      require_privilege(Privilege::PERM_SET)
+      @role = Role.find(params[:id])
+      @scope_list = Role::VALID_SCOPES
+    end
+  
+    # POST /roles
+    # POST /roles.json
+    def create
+      require_privilege(Privilege::PERM_SET)
+      @role = Role.new(params[:role])
+  
+      respond_to do |format|
+        if @role.save
+          format.html { redirect_to @role, notice: "New role added"}
+          format.json { render json: @role, status: :created, location: @role }
+        else
+          format.html { render action: "new" }
+          format.json { render json: @role.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+  
+    # PUT /roles/1
+    # PUT /roles/1.json
+    def update
+      require_privilege(Privilege::PERM_SET)
+      @role = Role.find(params[:id])
+  
+      respond_to do |format|
+        if @role.update_attributes(params[:role])
+          format.html { redirect_to @role, notice: "Role updated successfully"}
+          format.json { head :no_content }
+        else
+          format.html { render action: "edit" }
+          format.json { render json: @role.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+  
+    # DELETE /roles/1
+    # DELETE /roles/1.json
+    def destroy
+      require_privilege(Privilege::PERM_SET)
+      @role = Role.find(params[:id])
+      @role.destroy
+  
+      respond_to do |format|
+        format.html { redirect_to roles_url }
+        format.json { head :no_content }
+      end
+    end
+  end
+end

data/app/helpers/alberich/application_helper.rb

@@ -0,0 +1,4 @@
+module Alberich
+  module ApplicationHelper
+  end
+end

data/app/helpers/alberich/permissions_helper.rb

@@ -0,0 +1,4 @@
+module Alberich
+  module PermissionsHelper
+  end
+end

data/app/helpers/alberich/privileges_helper.rb

@@ -0,0 +1,4 @@
+module Alberich
+  module PrivilegesHelper
+  end
+end

data/app/helpers/alberich/roles_helper.rb

@@ -0,0 +1,4 @@
+module Alberich
+  module RolesHelper
+  end
+end

data/app/models/alberich/base_permission_object.rb

@@ -0,0 +1,42 @@
+module Alberich
+  class BasePermissionObject < ActiveRecord::Base
+    attr_accessible :name
+
+    include Alberich::PermissionedObject
+    validates_presence_of :name
+    validates_uniqueness_of :name
+
+    GENERAL_PERMISSION_SCOPE = "general_permission_scope"
+
+    def self.general_permission_scope
+      base_permission = self.find_by_name(GENERAL_PERMISSION_SCOPE)
+      unless base_permission
+        base_permission = self.create!(:name => GENERAL_PERMISSION_SCOPE)
+      end
+      base_permission
+    end
+
+    def permissions_for_type(obj_type)
+      role_ids = Role.where(:scope => "BasePermissionObject").
+        select { |role| role.privilege_target_match(obj_type)}.collect {|r| r.id}
+      permissions.where("role_id in (:role_ids)", {:role_ids => role_ids})
+    end
+
+    def self.additional_privilege_target_types
+      Alberich.permissioned_object_classes.collect {|x| Kernel.const_get(x)}
+    end
+
+    def self.global_admin_permission_count
+      self.general_permission_scope.permissions.includes(:role => :privileges).
+        where("alberich_privileges.target_type" => "Alberich::BasePermissionObject",
+              "alberich_privileges.action" => Privilege::PERM_SET).size
+    end
+
+    def self.is_global_admin_perm(permission)
+      permission.role.privileges.where("alberich_privileges.target_type" =>
+                                       "Alberich::BasePermissionObject",
+                                       "alberich_privileges.action" =>
+                                       Privilege::PERM_SET).size > 0
+    end
+  end
+end

data/app/models/alberich/derived_permission.rb

@@ -0,0 +1,25 @@
+module Alberich
+  class DerivedPermission < ActiveRecord::Base
+    attr_accessible :entity_id, :permission_id, :role_id, :permission_object
+    attr_accessible :permission
+
+    # the source permission for the denormalized object
+    belongs_to :permission
+    validates_presence_of :permission_id
+
+    # this is the object used for permission checks
+    belongs_to :permission_object,      :polymorphic => true
+
+    belongs_to :role
+    validates_presence_of :role_id
+
+    # entity is copied from source permission
+    belongs_to :entity
+    validates_presence_of :entity_id
+
+    validates_uniqueness_of :permission_id, :scope => [:permission_object_id,
+                                                       :permission_object_type]
+
+
+  end
+end

data/app/models/alberich/entity.rb

@@ -0,0 +1,27 @@
+module Alberich
+  class Entity < ActiveRecord::Base
+    attr_accessible :entity_target, :entity_target_id, :name
+
+    belongs_to :entity_target, :polymorphic => true
+    validates_presence_of :entity_target_id
+    has_many :session_entities, :dependent => :destroy
+    has_many :permissions, :dependent => :destroy
+    has_many :derived_permissions, :dependent => :destroy
+
+    # type-specific associations
+    belongs_to :user, :class_name => Alberich.user_class, :foreign_key => "entity_target_id"
+    belongs_to :user_group, :class_name => Alberich.user_group_class,
+                            :foreign_key => "entity_target_id"
+
+    def self.for_target(obj)
+      self.find_by_entity_target_id_and_entity_target_type(obj.id,
+                                                           obj.class.name)
+    end
+
+    def self.find_or_create_for_target(obj)
+      self.find_or_create_by_entity_target_id_and_entity_target_type(obj.id,
+                                                                 obj.class.name)
+    end
+
+  end
+end

data/app/models/alberich/entity_target_observer.rb

@@ -0,0 +1,16 @@
+module Alberich
+  class EntityTargetObserver < ActiveRecord::Observer
+    observe Alberich.user_class.underscore.to_sym,  Alberich.user_group_class.underscore.to_sym
+
+    def after_save(obj)
+      entity = Entity.find_or_create_for_target(obj)
+      entity.name = obj.to_s
+      entity.save!
+    end
+
+    def after_destroy(obj)
+      entity = Entity.for_target(obj)
+      entity.destroy if entity
+    end
+  end
+end

data/app/models/alberich/permission.rb

@@ -0,0 +1,59 @@
+module Alberich
+  class Permission < ActiveRecord::Base
+    attr_accessible :entity, :role, :entity_id, :role_id, :permission_object
+
+    belongs_to :role
+    belongs_to :entity
+
+    validates_presence_of :role_id
+
+    validates_presence_of :entity_id
+    validates_uniqueness_of :entity_id, :scope => [:permission_object_id,
+                                                   :permission_object_type,
+                                                   :role_id]
+
+    belongs_to :permission_object,      :polymorphic => true
+    # type-specific associations (FIXME: do we still need this?
+    belongs_to :base_permission_object, :class_name => "BasePermissionObject",
+                                        :foreign_key => "permission_object_id"
+
+    has_many :derived_permissions, :dependent => :destroy
+
+    after_save :update_derived_permissions
+
+    def user
+      entity.user
+    end
+    def user_group
+      entity.user_group
+    end
+
+    def update_derived_permissions
+      new_derived_permission_objects = permission_object.derived_subtree(role)
+      old_derived_permissions = derived_permissions
+      old_derived_permissions.each do |derived_perm|
+        if new_derived_permission_objects.delete(derived_perm.permission_object)
+          # object is in both old and new list -- update as necessary
+          derived_perm.role = role
+          derived_perm.entity_id = entity_id
+          derived_perm.save!
+        else
+          # object is in old but not new list -- remove it
+          derived_perm.destroy
+        end
+      end
+      new_derived_permission_objects.each do |perm_obj|
+        unless DerivedPermission.where(:permission_id => id,
+                                       :permission_object_id => perm_obj.id,
+                                       :permission_object_type =>
+                                         perm_obj.class.name).any?
+          derived_perm = DerivedPermission.new(:entity_id => entity_id,
+                                               :role_id => role_id,
+                                               :permission_object => perm_obj,
+                                               :permission => self)
+          derived_perm.save!
+        end
+      end
+    end
+  end
+end

data/app/models/alberich/permission_session.rb

@@ -0,0 +1,33 @@
+module Alberich
+  class PermissionSession < ActiveRecord::Base
+    attr_accessible :session_id, :user_id, :user
+
+    belongs_to :user, :class_name => Alberich.user_class
+    has_many :session_entities
+
+    validates_presence_of :user_id
+    validates_presence_of :session_id
+
+    def update_session_entities(user)
+      SessionEntity.transaction do
+        # skips callbacks, which should be fine here
+        SessionEntity.delete_all(:permission_session_id => self.id)
+        add_to_session(user)
+      end
+    end
+
+    def add_to_session(user)
+      return unless user
+      # create mapping for user-level permissions
+      SessionEntity.create!(:permission_session_id => self.id,
+                            :user => user,
+                            :entity => Entity.for_target(user))
+      # create mappings for groups
+      user.send(Alberich.groups_for_user_method).each do |ug|
+        SessionEntity.create!(:permission_session_id => self.id,
+                              :user => user,
+                              :entity => Entity.for_target(ug))
+      end
+    end
+  end
+end

data/app/models/alberich/permissioned_object.rb

@@ -0,0 +1,139 @@
+module Alberich
+  module PermissionedObject
+    extend ActiveSupport::Concern
+    included do
+      has_many :permissions, :as => :permission_object,
+               :class_name => 'Alberich::Permission',
+               :dependent => :destroy,
+               :include => [:role],
+               :order => "alberich_permissions.id ASC"
+
+      has_many :derived_permissions, :as => :permission_object,
+               :class_name => 'Alberich::DerivedPermission',
+               :dependent => :destroy,
+               :include => [:role],
+               :order => "alberich_derived_permissions.id ASC"
+    end
+
+    def has_privilege(permission_session, user, action, target_type=nil)
+      return false if permission_session.nil? or user.nil? or action.nil?
+      target_type = self.class.default_privilege_target_type if target_type.nil?
+      if derived_permissions.includes(:role => :privileges,
+                                      :entity => :session_entities).where(
+        ["alberich_session_entities.user_id=:user and
+          alberich_session_entities.permission_session_id=:permission_session_id and
+          alberich_privileges.target_type=:target_type and
+          alberich_privileges.action=:action",
+          { :user => user.id,
+            :permission_session_id => permission_session.id,
+            :target_type => target_type.name,
+            :action => action}]).any?
+        return true
+      else
+        BasePermissionObject.general_permission_scope.permissions.
+          includes(:role => :privileges,
+                   :entity => :session_entities).where(
+        ["alberich_session_entities.user_id=:user and
+          alberich_session_entities.permission_session_id=:permission_session_id and
+          alberich_privileges.target_type=:target_type and
+          alberich_privileges.action=:action",
+          { :user => user.id,
+            :permission_session_id => permission_session,
+            :target_type => target_type.name,
+            :action => action}]).any?
+      end
+    end
+
+    # Returns the list of objects to check for permissions on -- by default
+    # this is empty (we don't denormalize Global permissions as they're
+    # handled as a separate case.)
+    def perm_ancestors
+      []
+    end
+    # Returns the list of objects to generate derived permissions for
+    # -- by default just this object
+    def derived_subtree(role = nil)
+      [self]
+    end
+    # on obj creation, set inherited permissions for new object
+    def update_derived_permissions_for_ancestors
+      # for create hook this should normally be empty
+      old_derived_permissions = Hash[derived_permissions.map{|p| [p.permission.id,p]}]
+      perm_ancestors.each do |perm_obj|
+        perm_obj.permissions.each do |permission|
+          if permission.role.privilege_target_match(self.class.default_privilege_target_type)
+            unless old_derived_permissions.delete(permission.id)
+              derived_permissions.create(:entity_id => permission.entity_id,
+                                         :role_id => permission.role_id,
+                                         :permission => permission)
+            end
+          end
+        end
+      end
+      # anything remaining in old_derived_permissions should be removed,
+      # as would be expected if this hook is triggered by removing a
+      # catalog entry for a deployable
+      old_derived_permissions.each do |id, derived_perm|
+        derived_perm.destroy
+      end
+      #reload
+    end
+    # assign owner role so that the creating user has permissions on the object
+    # Any roles defined on default_privilege_target_type with assign_to_owner==true
+    # will be assigned to the passed-in user on this object
+    def assign_owner_roles(user)
+      roles = Role.find(:all, :conditions => ["assign_to_owner =:assign and scope=:scope",
+                                              { :assign => true,
+                                                :scope => self.class.default_privilege_target_type.name}])
+      roles.each do |role|
+        Permission.create!(:role => role, :entity => Entity.for_target(user),
+                           :permission_object => self)
+      end
+      self.reload
+    end
+
+    # Any methods here will be able to use the context of the
+    # ActiveRecord model the module is included in.
+    def self.included(base)
+      base.class_eval do
+        after_create :update_derived_permissions_for_ancestors
+
+        # Returns the list of privilege target types that are relevant for
+        # permission checking purposes. This is used in setting derived
+        # permissions -- there's no need to create denormalized permissions
+        # for a role which only grants Provider privileges on a Pool
+        # object. By default, this is just the current object's type
+        def self.active_privilege_target_types
+          [self.default_privilege_target_type] + self.additional_privilege_target_types
+        end
+        def self.additional_privilege_target_types
+          []
+        end
+        def self.default_privilege_target_type
+          self
+        end
+        def self.list_for_user(permission_session, user, action,
+                               target_type=self.default_privilege_target_type)
+          if permission_session.nil? or user.nil? or action.nil? or target_type.nil?
+            return where("1=0")
+          end
+          if BasePermissionObject.general_permission_scope.
+              has_privilege(permission_session, user, action, target_type)
+            scoped
+          else
+            includes([:derived_permissions => {:role => :privileges,
+                                               :entity => :session_entities}]).
+              where("alberich_session_entities.user_id=:user and
+                     alberich_session_entities.permission_session_id=:permission_session_id and
+                     alberich_privileges.target_type=:target_type and
+                     alberich_privileges.action=:action",
+                    {:user => user.id,
+                     :permission_session_id => permission_session.id,
+                     :target_type => target_type.name,
+                     :action => action})
+          end
+        end
+      end
+    end
+  end
+end