andrewzielinski-lockdown 0.9.6

data/lib/lockdown/orms/active_record.rb

@@ -0,0 +1,68 @@
+module Lockdown
+  module Orms
+    module ActiveRecord
+      class << self
+        def use_me?
+          Object.const_defined?("ActiveRecord") && ::ActiveRecord.const_defined?("Base")
+        end
+
+        def included(mod)
+          mod.extend Lockdown::Orms::ActiveRecord::Helper
+          mixin
+        end
+
+        def mixin
+          Lockdown.orm_parent.class_eval do
+            include Lockdown::Orms::ActiveRecord::Stamps
+          end
+        end
+      end # class block
+
+      module Helper
+        def orm_parent
+          ::ActiveRecord::Base
+        end
+
+        def database_execute(query)
+          orm_parent.connection.execute(query)
+        end
+
+        def database_query(query)
+          orm_parent.connection.execute(query)
+        end
+
+        def database_table_exists?(klass)
+          klass.table_exists?
+        end
+      end
+
+      module Stamps
+        def self.included(base)
+          base.class_eval do
+            alias_method :create_without_stamps,  :create
+            alias_method :create,  :create_with_stamps
+            alias_method :update_without_stamps,  :update
+            alias_method :update,  :update_with_stamps
+          end
+        end
+
+        def current_who_did_it
+          Thread.current[:who_did_it]
+        end
+
+        def create_with_stamps
+          pid = current_who_did_it || Lockdown::System.fetch(:default_who_did_it)
+          self[:created_by] = pid if self.respond_to?(:created_by) 
+          self[:updated_by] = pid if self.respond_to?(:updated_by) 
+          create_without_stamps
+        end
+                  
+        def update_with_stamps
+          pid = current_who_did_it || Lockdown::System.fetch(:default_who_did_it)
+          self[:updated_by] = pid if self.respond_to?(:updated_by)
+          update_without_stamps
+        end
+      end
+    end
+  end
+end

data/lib/lockdown/permission.rb

@@ -0,0 +1,204 @@
+module Lockdown
+  class InvalidRuleContext < StandardError; end
+  class PermissionScopeCollision < StandardError; end
+
+  class Controller
+    attr_accessor :name, :access_methods
+
+    def initialize(name)
+      @name = name
+    end
+  end
+
+  class Model
+    attr_accessor :name, :controller_method, :model_method, :association
+
+    def initialize(name)
+      @name = name
+    end
+
+    def association=(type)
+      @assocation = type
+    end
+  end
+  
+  class Permission
+    attr_reader :name, :controllers, :models
+
+    # A Permission is a set of rules that are, through UserGroups, assigned
+    # to users to allow access to system resources.
+    #
+    # ==== Summary of controller oriented methods:
+    #
+    #   # defines which controller we're talking about
+    #   .with_controller(:controller_name)  #all_methods is the default
+    #
+    #   # only these methods on the controller
+    #   .only_methods(:meth1, :meth2)       
+    #
+    #   # all controller methods except these
+    #   .except_methods(:meth1, :meth2)
+    #
+    # ==== Summary of model oriented methods:
+    #
+    #   # defines which model we're talking about
+    #   .to_model(:model_name)         
+    #
+    #   # data_method must be available to the controller
+    #   .where(:data_method)           
+    #
+    #   # model_name.value_method must equal data_method
+    #   .equals(:value_method)         
+    #
+    #   # model_name.values_method.include?(data_method)
+    #   .is_in(:values_method)         
+    #   
+    #
+    # ==== Example:
+    #
+    #   # Define a permission called 'Manage Users' that allows users access
+    #   # all methods on the users_controller
+    #
+    #   set_permission(:manage_users).
+    #     with_controller(:users)
+    #
+    #   # Define a permission called "My Account" that only allows a user access
+    #   # to methods show and update and the current_user_id must match the id 
+    #   # of the user being modified
+    #
+    #   set_permission(:my_account).
+    #     with_controller(:users).
+    #     only_methods(:show, :update).
+    #     to_model(:user).
+    #       where(:current_user_id).
+    #       equals(:id)
+    #
+    def initialize(name_symbol)
+      @name         = name_symbol
+      @controllers  = {}
+      @models       = {}
+      @current_context = Lockdown::RootContext.new(name_symbol)
+    end
+
+    def with_controller(name_symbol)
+      validate_context
+
+      controller = Controller.new(name_symbol)
+      controller.access_methods = paths_for(name_symbol)
+      @controllers[name_symbol] = controller
+      @current_context = Lockdown::ControllerContext.new(name_symbol)
+      self
+    end
+
+    alias_method :and_controller, :with_controller
+
+    def only_methods(*methods)
+      validate_context
+
+      current_controller.access_methods = paths_for(current_controller.name, 
+                                                    *methods)
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    def except_methods(*methods)
+      validate_context
+
+      current_controller.access_methods = current_controller.access_methods - paths_for(current_controller.name, *methods)
+
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    def to_model(name_symbol)
+      validate_context
+
+      @models[name_symbol] = Model.new(name_symbol)
+      @current_context = Lockdown::ModelContext.new(name_symbol)
+      self
+    end
+
+    def where(controller_method)
+      validate_context
+
+      @current_context = Lockdown::ModelWhereContext.new(current_context.name)
+      self
+    end
+
+    def equals(model_method)
+      validate_context
+
+      associate_model_method(model_method, :equals)
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    def is_in(model_method)
+      validate_context
+
+      associate_model_method(model_method, :includes)
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    alias_method :includes, :is_in
+
+    def public_access?
+      @public_access
+    end
+
+    def protected_access?
+      @protected_access
+    end
+
+    def set_as_public_access
+      if protected_access?
+        raise PermissionScopeCollision, "Permission: #{name} already marked as protected and trying to set as public."
+      end
+      @public_access = true
+    end
+
+    def set_as_protected_access
+      if public_access?
+        raise PermissionScopeCollision, "Permission: #{name} already marked as public and trying to set as protected."
+      end
+      @protected_access = true
+    end
+
+    def current_context
+      @current_context
+    end
+
+    def current_controller
+      @controllers[current_context.name]
+    end
+
+    def current_model
+      @models[current_context.name]
+    end
+
+    def ==(other)
+      name == other.name
+    end
+
+    private
+
+    def associate_model_method(model_method, association)
+      current_model.model_method = model_method
+      current_model.association = association
+      @current_context = Lockdown::RootContext.new(@name)
+    end
+
+    def validate_context
+      method_trace = caller.first;  
+      calling_method = caller.first[/#{__FILE__}:(\d+):in `(.*)'/,2]
+      unless current_context.allows?(calling_method)
+        raise InvalidRuleContext, "Method: #{calling_method} was called on wrong context #{current_context}. Allowed methods are: #{current_context.allowed_methods.join(',')}."
+      end
+    end
+
+    def paths_for(controller, *methods)
+      Lockdown::System.paths_for(controller, *methods)
+    end
+  end
+end

data/lib/lockdown/rules.rb

@@ -0,0 +1,289 @@
+module Lockdown
+  class InvalidRuleAssignment < StandardError; end
+
+  module Rules
+    attr_accessor :options
+    attr_accessor :permissions
+    attr_accessor :user_groups
+    attr_accessor :controller_classes
+
+    attr_reader :protected_access 
+    attr_reader :public_access
+
+    attr_reader :permission_objects
+ 
+    def set_defaults
+      @permissions  = {}
+      @user_groups  = {}
+      @options      = {}
+
+      @permission_objects = {}
+
+      @controller_classes = []
+      @public_access      = []
+      @protected_access   = []
+
+      @options = {
+        :session_timeout => (60 * 60),
+        :who_did_it => :current_user_id,
+        :default_who_did_it => 1,
+        :logout_on_access_violation => false,
+        :access_denied_path => "/",
+        :successful_login_path => "/",
+        :subdirectory => nil,
+        :skip_db_sync_in => ["test"],
+        :link_separator => ' | '
+      }
+    end
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Rule defining methods.  e.g. Methods used in lib/lockdown/init.rb
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    # Creates new permission object 
+    #   Refer to the Permission object for the full functionality
+    def set_permission(name)
+      @permission_objects[name] = Lockdown::Permission.new(name)
+    end
+
+    # Defines public access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_public_access(*perms)
+      perms.each do |perm_symbol|
+        perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
+        if perm
+          perm[1].set_as_public_access 
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise InvalidRuleAssigment, msg
+        end
+      end
+    end
+
+    # Defines protected access by the permission symbols
+    #
+    # ==== Example
+    #   set_public_access(:permission_one, :permission_two)
+    #
+    def set_protected_access(*perms)
+      perms.each do |perm_symbol|
+        perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
+        if perm
+          perm[1].set_as_protected_access 
+        else
+          msg = "Permission not found: #{perm_symbol}"
+          raise InvalidRuleAssigment, msg
+        end
+      end
+    end
+
+    # Define a user groups by name and permission symbol(s)
+    #
+    # ==== Example
+    #   set_user_group(:managment_group, :permission_one, :permission_two)
+    #
+    def set_user_group(name, *perms)
+      user_groups[name] ||= []
+      perms.each do |perm|
+        user_groups[name].push(perm)
+      end
+    end
+ 
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    
+    # Returns array of permission names as symbols
+    def get_permissions
+      permissions.keys
+    end
+
+    # Is the permission defined?
+    def permission_exists?(permission_symbol)
+      get_permissions.include?(permission_symbol)
+    end
+
+    alias_method :has_permission?, :permission_exists?
+    
+    # returns true if the permission is public
+    def public_access?(permmision_symbol)
+      public_access.include?(permmision_symbol)
+    end
+
+    # returns true if the permission is public
+    def protected_access?(permmision_symbol)
+      protected_access.include?(permmision_symbol)
+    end
+
+    # These permissions are assigned by the system 
+    def permission_assigned_automatically?(permmision_symbol)
+      public_access?(permmision_symbol) || protected_access?(permmision_symbol)
+    end
+
+    # Returns array of user group names as symbols
+    def get_user_groups
+      user_groups.keys
+    end
+
+    # Is the user group defined?
+    #   The :administrators user group always exists
+    def user_group_exists?(user_group_symbol)
+      return true if user_group_symbol == Lockdown.administrator_group_symbol
+      get_user_groups.include?(user_group_symbol)
+    end
+
+    alias_method :has_user_group?, :user_group_exists?
+
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    # =Convenience methods for permissions and user groups
+    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    # Pass in a user object to be associated to the administrator user group 
+    # The group will be created if it doesn't exist
+    def make_user_administrator(usr)
+      usr.user_groups << UserGroup.
+        find_or_create_by_name(Lockdown.administrator_group_string)
+    end
+
+
+    # Returns array of controller/action values all logged in users can access.
+    def standard_authorized_user_rights
+      public_access + protected_access 
+    end
+
+    # Return array of controller/action values user can access.
+    def access_rights_for_user(usr)
+      return unless usr
+      return :all if administrator?(usr)
+
+      rights = standard_authorized_user_rights
+        
+      usr.user_groups.each do |grp|
+        permissions_for_user_group(grp).each do |perm|
+          rights += access_rights_for_permission(perm) 
+        end
+      end
+      rights
+    end
+
+    # Return array of controller/action for a permission
+    def access_rights_for_permission(perm)
+      sym = Lockdown.get_symbol(perm)
+
+      permissions[sym]
+    rescue 
+      raise SecurityError, "Permission requested is not defined: #{sym}"
+    end
+
+
+    # Test user for administrator rights
+    def administrator?(usr)
+      user_has_user_group?(usr, Lockdown.administrator_group_symbol)
+    end
+
+    # Pass in user object and symbol for name of user group
+    def user_has_user_group?(usr, sym)
+      usr.user_groups.any? do |ug|
+        Lockdown.convert_reference_name(ug.name) == sym
+      end
+    end
+
+    # Use this for the management screen to restrict user group list to the
+    # user.  This will prevent a user from creating a user with more power than
+    # him/her self.
+    def user_groups_assignable_for_user(usr)
+      return [] if usr.nil?
+        
+      if administrator?(usr)
+        UserGroup.find_by_sql <<-SQL
+          select user_groups.* from user_groups order by user_groups.name
+        SQL
+      else
+        UserGroup.find_by_sql <<-SQL
+            select user_groups.* from user_groups, user_groups_users
+             where user_groups.id = user_groups_users.user_group_id
+             and user_groups_users.user_id = #{usr.id}	 
+             order by user_groups.name
+        SQL
+      end
+    end
+
+    # Similar to user_groups_assignable_for_user, this method should be
+    # used to restrict users from creating a user group with more power than
+    # they have been allowed.
+    def permissions_assignable_for_user(usr)
+      return [] if usr.nil?
+      if administrator?(usr)
+        get_permissions.collect do |k| 
+          ::Permission.find_by_name(Lockdown.get_string(k))
+        end.compact
+      else
+        user_groups_assignable_for_user(usr).collect do |g| 
+          g.permissions
+        end.flatten.compact
+      end
+    end
+
+    # Returns and array of permission symbols for the user group
+    def permissions_for_user_group(ug)
+      sym = Lockdown.get_symbol(ug)
+      perm_array = []  
+
+      if has_user_group?(sym)
+        permissions = user_groups[sym] || []
+      else
+        permissions = ug.permissions
+      end
+
+
+      permissions.each do |perm|
+        perm_sym = Lockdown.get_symbol(perm)
+
+        unless permission_exists?(perm_sym)
+          msg = "Permission associated to User Group is invalid: #{perm}"
+          raise SecurityError, msg
+        end
+
+        perm_array << perm_sym
+      end
+
+      perm_array 
+    end
+
+    def process_rules
+      parse_permissions
+      validate_user_groups
+    end
+
+    private
+
+    def parse_permissions
+      permission_objects.each do |name, perm|
+        @permissions[perm.name] ||= []
+        perm.controllers.each do |name, controller|
+          @permissions[perm.name] |= controller.access_methods
+
+          if perm.public_access?
+            @public_access |= controller.access_methods
+          elsif perm.protected_access?
+            @protected_access |= controller.access_methods
+          end
+        end
+      end
+    end
+
+    def validate_user_groups
+      user_groups.each do |user_group, perms|
+        perms.each do |perm|
+          unless permission_exists?(perm)
+            msg ="User Group: #{user_group}, permission not found: #{perm}"
+            raise InvalidRuleAssignment, msg
+          end
+        end
+      end
+    end
+  end
+end