alberich 0.2.0

data/Gemfile

@@ -0,0 +1,18 @@
+source "http://rubygems.org"
+
+# Declare your gem's dependencies in alberich.gemspec.
+# Bundler will treat runtime dependencies like base dependencies, and
+# development dependencies will be added by default to the :development group.
+gemspec
+
+# jquery-rails is used by the dummy application
+gem "jquery-rails"
+
+# Declare any dependencies that are still in development here instead of in
+# your gemspec. These might include edge Rails or gems from your path or
+# Git. Remember to move these dependencies to your gemspec before releasing
+# your gem to rubygems.org.
+
+# To use debugger
+# gem 'debugger'
+gem 'rails_warden'

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2013 Red Hat, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,37 @@
+= Alberich
+
+Alberich is a model-integrated permissions engine that allows access
+control, and list filtering based on  user and group-assigned
+permissions both globally and at an individual resouce level.
+
+== Running Tests
+
+Tests are run from the project root directory.  But are run in the
+context of the dummy app located under test/dummy.  In order to run
+the tests you must first setup dummy app database.
+
+rake db:setup; rake -f test/dummy/Rakefile test:prepare
+
+Once you have done this cd to the project root and run the following:
+
+rake spec
+
+== Running the Dummy app
+
+This will allow you to run the commands below to test out the engine
+in isolation (if mounted in another application, the main difference
+will just be where the engine gets mounted, so adjust your url
+accordingly).
+
+cd test/dummy; rails s
+
+== Installation notes
+
+When alberich is installed, an 'entity' object will be created for
+each user and user group in your system. This is a placeholder object
+which is used as the target for permission grants that can be applied
+to either a user or a group.
+
+== License
+
+Alberich is released under the MIT license.

data/Rakefile

@@ -0,0 +1,34 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Alberich'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+Bundler::GemHelper.install_tasks
+
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new('spec')
+
+task :default => :spec

data/alberich.gemspec

@@ -0,0 +1,34 @@
+$:.push File.expand_path("../lib", __FILE__)
+
+# Maintain your gem's version:
+require "alberich/version"
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |s|
+  s.name        = "alberich"
+  s.version     = Alberich::VERSION
+  s.authors     = ["Scott Seago"]
+  s.email       = ["aeolus-devel@lists.fedorahosted.org"]
+  s.homepage    = "https://github.com/aeolus-incubator/alberich"
+  s.license     = 'MIT'
+  s.summary     = "Model-integrated permissions infrastructure for Rails projects."
+  s.description = "Alberich is a model-integrated permissions engine that allows access control, and list filtering based on user and group-assigned permissions both globally and at an individual resouce level."
+
+  s.files = Dir["{app,config,db,lib}/**/*"] + ["MIT-LICENSE", "Rakefile", "README.rdoc", "alberich.gemspec", "Gemfile"]
+  s.test_files = Dir["{spec,test}/**/*"]
+  s.test_files.reject! { |fn| fn.match(/sqlite|tmp|log/) }
+
+  s.add_dependency "rails", "~> 3.2.11"
+  s.add_dependency "haml"
+  s.add_dependency "haml-rails"
+  s.add_dependency "nokogiri"
+  s.add_dependency "jquery-rails"
+  s.add_dependency "rails_warden"
+
+  s.add_development_dependency "sqlite3"
+  s.add_development_dependency "rspec-rails"
+  s.add_development_dependency "database_cleaner"
+  s.add_development_dependency "factory_girl_rails", "~> 4.1.0"
+  s.add_development_dependency "minitest"
+
+end

data/app/assets/javascripts/alberich/application.js

@@ -0,0 +1,15 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// the compiled file.
+//
+// WARNING: THE FIRST BLANK LINE MARKS THE END OF WHAT'S TO BE PROCESSED, ANY BLANK LINE SHOULD
+// GO AFTER THE REQUIRES BELOW.
+//
+//= require jquery
+//= require jquery_ujs
+//= require_tree .

data/app/assets/javascripts/alberich/permissions.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/javascripts/alberich/privileges.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/javascripts/alberich/roles.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/stylesheets/alberich/application.css

@@ -0,0 +1,13 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require_self
+ *= require_tree .
+ */

data/app/assets/stylesheets/alberich/permissions.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/assets/stylesheets/alberich/privileges.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/assets/stylesheets/alberich/roles.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/assets/stylesheets/scaffold.css

@@ -0,0 +1,56 @@
+body { background-color: #fff; color: #333; }
+
+body, p, ol, ul, td {
+  font-family: verdana, arial, helvetica, sans-serif;
+  font-size:   13px;
+  line-height: 18px;
+}
+
+pre {
+  background-color: #eee;
+  padding: 10px;
+  font-size: 11px;
+}
+
+a { color: #000; }
+a:visited { color: #666; }
+a:hover { color: #fff; background-color:#000; }
+
+div.field, div.actions {
+  margin-bottom: 10px;
+}
+
+#notice {
+  color: green;
+}
+
+.field_with_errors {
+  padding: 2px;
+  background-color: red;
+  display: table;
+}
+
+#error_explanation {
+  width: 450px;
+  border: 2px solid red;
+  padding: 7px;
+  padding-bottom: 0;
+  margin-bottom: 20px;
+  background-color: #f0f0f0;
+}
+
+#error_explanation h2 {
+  text-align: left;
+  font-weight: bold;
+  padding: 5px 5px 5px 15px;
+  font-size: 12px;
+  margin: -7px;
+  margin-bottom: 0px;
+  background-color: #c00;
+  color: #fff;
+}
+
+#error_explanation ul li {
+  font-size: 12px;
+  list-style: square;
+}

data/app/controllers/alberich/application_controller.rb

@@ -0,0 +1,4 @@
+module Alberich
+  class ApplicationController < ::ApplicationController
+  end
+end

data/app/controllers/alberich/application_controller_helper.rb

@@ -0,0 +1,118 @@
+module Alberich
+  module ApplicationControllerHelper
+    class PermissionError < RuntimeError; end
+    def self.included(c)
+      c.helper_method :current_session, :current_user, :check_privilege
+    end
+
+    def current_session
+      @current_session ||= Alberich::PermissionSession.
+        find_by_id(session[:permission_session_id])
+    end
+
+    def add_profile_permissions_inline(entity, path_prefix = '')
+      @entity = entity
+      @path_prefix = path_prefix
+      @roles = Role.all_by_scope
+      @inline = true
+      set_permissions_header(@entity)
+      # filter permissions if method provided
+      @permissions = filter_permissions_for_profile(@permissions)
+    end
+    # Override this in application_controller if application does filtering
+    # on permissions list for profile UI
+    def filter_permissions_for_profile(perms)
+      perms
+    end
+    # Override this in application_controller if application does filtering
+    # on permissions list
+    def filter_permissions(perms)
+      perms
+    end
+    def add_permissions_common(inline, perm_obj, path_prefix = '',
+                               polymorphic_path_extras = {})
+      @permission_object = perm_obj
+      # FIXME find a way to remove the @inline bit here
+      @inline = inline
+      @path_prefix = path_prefix
+      @polymorphic_path_extras = polymorphic_path_extras
+      if check_privilege(Privilege::PERM_VIEW, perm_obj)
+        @roles = Role.find_all_by_scope(@permission_object.class.name)
+      end
+      set_permissions_header
+      @permissions = filter_permissions(@permissions)
+    end
+    def add_permissions_inline(perm_obj, path_prefix = '',
+                               polymorphic_path_extras = {})
+      add_permissions_common(true, perm_obj, path_prefix,
+                             polymorphic_path_extras)
+      require_privilege(Privilege::VIEW, @permission_object)
+    end
+
+    def set_permissions_header(perm_obj = @permission_object)
+      unless perm_obj == BasePermissionObject.general_permission_scope
+        @show_inherited = params[:show_inherited]
+        @show_global = params[:show_global]
+      end
+      if @show_inherited
+        @permissions = perm_obj.derived_permissions
+      elsif @show_global
+        @permissions = BasePermissionObject.general_permission_scope.
+          permissions_for_type(perm_obj.class)
+      else
+        @permissions = perm_obj.permissions
+      end
+
+      @permission_list_header = []
+      unless (@show_inherited or @show_global)
+        @permission_list_header <<
+          { :name => 'checkbox', :class => 'checkbox', :sortable => false }
+      end
+      @permission_list_header += [
+        { :name => "Type"},
+        { :name => "Name"},
+        { :name => "Role", :sort_attr => :role},
+      ]
+      if @show_inherited
+        @permission_list_header <<
+          { :name => "Inherited from", :sortable => false }
+      end
+    end
+
+    def check_privilege(action, *type_and_perm_obj)
+      target_type = nil
+      perm_obj = nil
+      type_and_perm_obj.each do |obj|
+        target_type=obj if obj.class==Class
+        perm_obj=obj if obj.is_a?(ActiveRecord::Base)
+      end
+      perm_obj=@perm_obj if perm_obj.nil?
+      perm_obj=BasePermissionObject.general_permission_scope if perm_obj.nil?
+      perm_obj.has_privilege(current_session, current_user, action, target_type)
+    end
+
+    # Require a given privilege level to view this page
+    #   1. action is required -- what action to check (in Privilege::ACTIONS)
+    #   2. perm_obj is optional -- This is the resource on which to look for
+    #      permission records. If omitted, check for site-wide permissions on
+    #      BasePermissionObject
+    #   3. type is also optional -- if omitted it's taken from perm_obj.
+    #        For example, if action is 'view', perm_obj is a Pool and type is
+    #        omitted, then check for current user's "view pool" permission on
+    #        this pool. if action is 'view', perm_obj is a Pool and type is
+    #        Quota, then check for current user's "view quota" permission on 
+    #        this pool.
+    def require_privilege(action, *type_and_perm_obj)
+      perm_obj = nil
+      type_and_perm_obj.each do |obj|
+        perm_obj=obj if obj.is_a?(ActiveRecord::Base)
+      end
+      @perm_obj = perm_obj
+      unless check_privilege(action, *type_and_perm_obj)
+        raise PermissionError.new(
+               "You do not have permission to access this resource")
+      end
+    end
+
+  end
+end

data/app/controllers/alberich/permissions_controller.rb

@@ -0,0 +1,211 @@
+require_dependency "alberich/application_controller"
+
+module Alberich
+  class PermissionsController < ApplicationController
+    # GET /permissions
+    # GET /permissions.json
+    def index
+      set_permission_object(Privilege::PERM_VIEW)
+      @roles = Role.find_all_by_scope(@permission_object.class.name)
+      respond_to do |format|
+        format.html
+        format.json { render :json => @permission_object.as_json }
+        format.js { render :partial => 'permissions' }
+      end
+    end
+  
+    # GET /permissions/new
+    # GET /permissions/new.json
+    def new
+      set_permission_object
+      @users = Alberich.user_class.constantize.all
+      @roles = Role.find_all_by_scope(@permission_object.class.name)
+      if @permission_object == BasePermissionObject.general_permission_scope
+        @return_text = "Global Role Grants"
+        @summary_text =  "Choose Global Role"
+      else
+        @return_text =  "#{@permission_object.name} " +
+          @permission_object.class.model_name.human
+        @summary_text = "Choose roles for " +
+          @permission_object.class.model_name.human
+      end
+      load_headers
+      load_entities
+      respond_to do |format|
+        format.html
+        format.js { render :partial => 'new' }
+      end
+    end
+
+    # POST /permissions
+    # POST /permissions.json
+    def create
+      set_permission_object
+      added=[]
+      not_added=[]
+      params[:entity_role_selected].each do |entity_role|
+        entity_id,role_id = entity_role.split(",")
+        unless role_id.nil?
+          permission = Permission.new(:entity_id => entity_id,
+                                      :role_id => role_id,
+                                      :permission_object => @permission_object)
+          if permission.save
+            added << "#{permission.entity.name} (#{permission.role.name})"
+          else
+            not_added << "#{permission.entity.name} (#{permission.role.name})"
+          end
+        end
+      end
+      unless added.empty?
+        flash[:notice] = "Added the following permission grants: #{added.to_sentence}"
+      end
+      unless not_added.empty?
+        flash[:error] = "Could not add the following permission grants: #{not_added.to_sentence}"
+      end
+      if added.empty? and not_added.empty?
+        flash[:error] = "No users or groups selected"
+      end
+      respond_to do |format|
+        format.html { redirect_to @return_path }
+        format.js { render :partial => 'index',
+                    :permission_object_type => @permission_object.class.name,
+                    :permission_object_id => @permission_object.id }
+      end
+    end
+  
+    def multi_update
+      set_permission_object
+      modified=[]
+      not_modified=[]
+      params[:permission_role_selected].each do |permission_role|
+        permission_id,role_id = permission_role.split(",")
+        unless role_id.nil?
+          permission = Permission.find(permission_id)
+          role = Role.find(role_id)
+          old_role = permission.role
+          unless permission.role == role
+            permission.role = role
+            if permission.save
+              modified << "%{permission.entity.name} (from %{old_role.name} to %{permission.role.name})"
+            else
+              not_modified << "%{permission.entity.name} (from %{old_role.name} to %{permission.role.name})"
+            end
+          end
+        end
+      end
+      unless modified.empty?
+        flash[:notice] = "Successfully modified the following permission records #{modified.to_sentence}"
+      end
+      unless not_modified.empty?
+        flash[:error] = "Could not add these permission records #{not_modified.to_sentence}"
+      end
+      if modified.empty? and not_modified.empty?
+        flash[:notice] = "All permission records already set; no changes needed"
+      end
+      respond_to do |format|
+        format.html { redirect_to @return_path }
+        format.js { render :partial => 'index',
+                      :permission_object_type => @permission_object.class.name,
+                      :permission_object_id => @permission_object.id }
+      end
+    end
+
+    def multi_destroy
+      set_permission_object
+      deleted=[]
+      not_deleted=[]
+
+      Permission.find(params[:permission_selected]).each do |p|
+        if check_privilege(Privilege::PERM_SET, p.permission_object) && p.destroy
+          deleted << "#{p.entity.name} #{p.role.name}"
+        else
+          not_deleted << "#{p.entity.name} #{p.role.name}"
+        end
+      end
+
+      unless deleted.empty?
+        flash[:notice] = "Deleted the following Permission Grants: #{deleted.to_sentence}"
+      end
+      unless not_deleted.empty?
+        flash[:error] = "Could not delete these Permission Grants: #{not_deleted.to_sentence}"
+      end
+      respond_to do |format|
+        format.html { redirect_to @return_path }
+        format.js { render :partial => 'index',
+                      :permission_object_type => @permission_object.class.name,
+                      :permission_object_id => @permission_object.id }
+          format.json { render :json => @permission, :status => :created }
+      end
+
+    end
+  
+    # DELETE /permissions/1
+    # DELETE /permissions/1.json
+    def destroy
+      if request.delete?
+        p = Permission.find(params[:id])
+        ptype, pid = [p.permission_object_type, p.permission_object_id]
+        require_privilege(Privilege::PERM_SET, p.permission_object)
+        p.destroy
+      end
+      redirect_to :action => "index",
+                  :permission_object_type => ptype,
+                  :permission_object_id => pid
+    end
+
+    def load_entities
+      @entities = Entity.order("name")
+    end
+
+    def load_headers
+      @header = [{ :name => '', :sortable => false },
+                 { :name => "Name"},
+                 { :name => "Role", :sortable => false }]
+    end
+
+    # this allows any controller actions needed in the application
+    # to set up additional elements for global permissions UI view
+    def global_permission_ui_hook
+    end
+    def set_permission_object (required_role=Privilege::PERM_SET)
+      obj_type = params[:permission_object_type]
+      id = params[:permission_object_id]
+      @return_path = params[:return_path]
+      @path_prefix = params[:path_prefix]
+      @polymorphic_path_extras = params[:polymorphic_path_extras]
+      @use_tabs = params[:use_tabs]
+      unless obj_type or id
+        @permission_object = BasePermissionObject.general_permission_scope
+      end
+      if obj_type && id
+        if klass = ActiveRecord::Base.send(:subclasses).
+            find{|c| c.name == obj_type}
+          @permission_object = klass.find(id)
+        else
+          raise RuntimeError, "invalid permission object type #{obj_type}"
+        end
+      end
+      raise RuntimeError, "invalid permission object" if @permission_object.nil?
+      unless @return_path
+        if @permission_object == BasePermissionObject.general_permission_scope
+          @return_path = permissions_path(:return_from_permission_change => true)
+          global_permission_ui_hook
+        else
+          @return_path = main_app.send("#{@path_prefix}polymorphic_path",
+                              @permission_object.respond_to?(
+                                :to_polymorphic_path_param) ?
+                              @permission_object.to_polymorphic_path_param(
+                                @polymorphic_path_extras) :
+                              @permission_object,
+                              @use_tabs == "yes" ? {:details_tab => :permissions,
+                                :only_tab => true,
+                                :return_from_permission_change => true} :
+                               {:return_from_permission_change => true})
+        end
+      end
+      require_privilege(required_role, @permission_object)
+      set_permissions_header
+    end
+
+  end
+end