annotation_security 1.0.1 → 1.0.2
- data/CHANGELOG.md +14 -0
- data/HOW-TO.md +275 -0
- data/{MIT-LICENSE → LICENSE} +1 -1
- data/README.md +39 -0
- data/Rakefile +62 -55
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +13 -13
- data/bin/annotation_security +7 -7
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/filters.rb +37 -37
- data/lib/annotation_security/includes/action_controller.rb +144 -143
- data/lib/annotation_security/includes/active_record.rb +27 -27
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +79 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/model_observer.rb +61 -61
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +38 -38
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/annotation_security/version.rb +10 -0
- data/lib/annotation_security.rb +102 -97
- data/lib/extensions/action_controller.rb +32 -32
- data/lib/extensions/active_record.rb +34 -34
- data/lib/extensions/filter.rb +133 -133
- data/lib/extensions/object.rb +10 -10
- data/lib/security_context.rb +589 -551
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +78 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +37 -37
- metadata +94 -72
- data/CHANGELOG +0 -2
- data/HOW-TO +0 -261
- data/README +0 -39
@@ -1,78 +1,78 @@
|
|
1
|
-
require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
|
2
|
-
|
3
|
-
describe AnnotationSecurity::Rule do
|
4
|
-
|
5
|
-
before(:all) do
|
6
|
-
AnnotationSecurity.define_relations(:rule_test_res) do
|
7
|
-
res_dummy
|
8
|
-
sys_dummy(:system) { false }
|
9
|
-
pre_dummy :pretest
|
10
|
-
noc_dummy :system, :require_credential => false
|
11
|
-
|
12
|
-
res_dummy_test { has_res_dummy }
|
13
|
-
sys_dummy_test "if is_sys_dummy"
|
14
|
-
end
|
15
|
-
end
|
16
|
-
|
17
|
-
it 'should create valid dynamic relations' do
|
18
|
-
rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
|
19
|
-
rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
|
20
|
-
rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
|
21
|
-
rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
|
22
|
-
end
|
23
|
-
|
24
|
-
it 'should create valid static relations' do
|
25
|
-
rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
|
26
|
-
rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
|
27
|
-
end
|
28
|
-
|
29
|
-
it 'should create valid pretest relations' do
|
30
|
-
rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
|
31
|
-
rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
|
32
|
-
end
|
33
|
-
|
34
|
-
it 'should create valid relations without user' do
|
35
|
-
rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
|
36
|
-
rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
|
37
|
-
rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
|
38
|
-
:system, :require_credential => false)
|
39
|
-
rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
|
40
|
-
rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
|
41
|
-
:pretest, :require_credential => false)
|
42
|
-
rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
|
43
|
-
end
|
44
|
-
|
45
|
-
it 'should create valid rights' do
|
46
|
-
{
|
47
|
-
'if res_dummy' => '-du',
|
48
|
-
'if sys_dummy' => 's-u',
|
49
|
-
'if pre_dummy' => 'sdu',
|
50
|
-
'if res_dummy or sys_dummy' => '-du',
|
51
|
-
'if res_dummy or pre_dummy' => '-du',
|
52
|
-
'if sys_dummy or pre_dummy' => 'sdu',
|
53
|
-
'if noc_dummy' => 's--',
|
54
|
-
'if noc_dummy or sys_dummy' => 's-u',
|
55
|
-
'if noc_dummy or res_dummy' => '-du',
|
56
|
-
'if self' => '-du',
|
57
|
-
'if other_right: resource_property' => '-du',
|
58
|
-
'true' => 's--',
|
59
|
-
'false or nil' => 's--'
|
60
|
-
}.each_pair do |condition,flags|
|
61
|
-
right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
|
62
|
-
right.flag_s.should == 'r???'
|
63
|
-
right.static? # trigger lazy initialization
|
64
|
-
right.flag_s.should == 'r'+flags
|
65
|
-
end
|
66
|
-
end
|
67
|
-
|
68
|
-
it 'should call referred rules when being executed' do
|
69
|
-
policy = RuleTestResPolicy.new(:user,:res)
|
70
|
-
|
71
|
-
policy.expects(:res_dummy).returns(true)
|
72
|
-
policy.res_dummy_test.should be_true
|
73
|
-
|
74
|
-
policy.expects(:sys_dummy).returns(false)
|
75
|
-
policy.sys_dummy_test?.should be_false
|
76
|
-
end
|
77
|
-
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
|
2
|
+
|
3
|
+
describe AnnotationSecurity::Rule do
|
4
|
+
|
5
|
+
before(:all) do
|
6
|
+
AnnotationSecurity.define_relations(:rule_test_res) do
|
7
|
+
res_dummy
|
8
|
+
sys_dummy(:system) { false }
|
9
|
+
pre_dummy :pretest
|
10
|
+
noc_dummy :system, :require_credential => false
|
11
|
+
|
12
|
+
res_dummy_test { has_res_dummy }
|
13
|
+
sys_dummy_test "if is_sys_dummy"
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
it 'should create valid dynamic relations' do
|
18
|
+
rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
|
19
|
+
rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
|
20
|
+
rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
|
21
|
+
rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
|
22
|
+
end
|
23
|
+
|
24
|
+
it 'should create valid static relations' do
|
25
|
+
rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
|
26
|
+
rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
|
27
|
+
end
|
28
|
+
|
29
|
+
it 'should create valid pretest relations' do
|
30
|
+
rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
|
31
|
+
rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
|
32
|
+
end
|
33
|
+
|
34
|
+
it 'should create valid relations without user' do
|
35
|
+
rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
|
36
|
+
rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
|
37
|
+
rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
|
38
|
+
:system, :require_credential => false)
|
39
|
+
rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
|
40
|
+
rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
|
41
|
+
:pretest, :require_credential => false)
|
42
|
+
rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
|
43
|
+
end
|
44
|
+
|
45
|
+
it 'should create valid rights' do
|
46
|
+
{
|
47
|
+
'if res_dummy' => '-du',
|
48
|
+
'if sys_dummy' => 's-u',
|
49
|
+
'if pre_dummy' => 'sdu',
|
50
|
+
'if res_dummy or sys_dummy' => '-du',
|
51
|
+
'if res_dummy or pre_dummy' => '-du',
|
52
|
+
'if sys_dummy or pre_dummy' => 'sdu',
|
53
|
+
'if noc_dummy' => 's--',
|
54
|
+
'if noc_dummy or sys_dummy' => 's-u',
|
55
|
+
'if noc_dummy or res_dummy' => '-du',
|
56
|
+
'if self' => '-du',
|
57
|
+
'if other_right: resource_property' => '-du',
|
58
|
+
'true' => 's--',
|
59
|
+
'false or nil' => 's--'
|
60
|
+
}.each_pair do |condition,flags|
|
61
|
+
right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
|
62
|
+
right.flag_s.should == 'r???'
|
63
|
+
right.static? # trigger lazy initialization
|
64
|
+
right.flag_s.should == 'r'+flags
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
it 'should call referred rules when being executed' do
|
69
|
+
policy = RuleTestResPolicy.new(:user,:res)
|
70
|
+
|
71
|
+
policy.expects(:res_dummy).returns(true)
|
72
|
+
policy.res_dummy_test.should be_true
|
73
|
+
|
74
|
+
policy.expects(:sys_dummy).returns(false)
|
75
|
+
policy.sys_dummy_test?.should be_false
|
76
|
+
end
|
77
|
+
|
78
78
|
end
|
@@ -1,81 +1,81 @@
|
|
1
|
-
require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
|
2
|
-
|
3
|
-
AnnotationSecurity.define_relations(:a_test) do
|
4
|
-
sys_relation :system
|
5
|
-
res_relation :resource
|
6
|
-
pre_relation :pretest
|
7
|
-
end
|
8
|
-
|
9
|
-
describe ATestPolicy do
|
10
|
-
|
11
|
-
it 'should be dynamic' do
|
12
|
-
ATestPolicy.static?.should be_false
|
13
|
-
end
|
14
|
-
|
15
|
-
it 'should have a static partner' do
|
16
|
-
ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
|
17
|
-
end
|
18
|
-
|
19
|
-
it 'should know its resource type' do
|
20
|
-
ATestPolicy.resource_type.should eql(:a_test)
|
21
|
-
end
|
22
|
-
|
23
|
-
it 'should have all rules' do
|
24
|
-
ATestPolicy.has_rule?(:sys_relation).should be_true
|
25
|
-
ATestPolicy.has_rule?(:res_relation).should be_true
|
26
|
-
ATestPolicy.has_rule?(:pre_relation).should be_true
|
27
|
-
end
|
28
|
-
|
29
|
-
it 'should be aware of the evaluation time of a rule' do
|
30
|
-
ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
|
31
|
-
ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
|
32
|
-
ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
|
33
|
-
|
34
|
-
ATestPolicy.has_static_rule?(:sys_relation).should be_true
|
35
|
-
ATestPolicy.has_static_rule?(:res_relation).should be_false
|
36
|
-
ATestPolicy.has_static_rule?(:pre_relation).should be_true
|
37
|
-
end
|
38
|
-
|
39
|
-
it 'should have access to rules defined for all resources' do
|
40
|
-
ATestPolicy.has_rule?(:__self__).should be_true
|
41
|
-
ATestPolicy.has_rule?(:logged_in).should be_true
|
42
|
-
end
|
43
|
-
#
|
44
|
-
# it 'should be possible to add rules'
|
45
|
-
#
|
46
|
-
# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
|
47
|
-
|
48
|
-
end
|
49
|
-
|
50
|
-
describe ATestStaticPolicy do
|
51
|
-
|
52
|
-
it 'should be static' do
|
53
|
-
ATestStaticPolicy.static?.should be_true
|
54
|
-
end
|
55
|
-
|
56
|
-
it 'should not have a static partner' do
|
57
|
-
lambda {
|
58
|
-
ATestStaticPolicy.static_policy_class
|
59
|
-
}.should raise_error(NameError)
|
60
|
-
end
|
61
|
-
|
62
|
-
it 'should know its resource type' do
|
63
|
-
ATestStaticPolicy.resource_type.should eql(:a_test)
|
64
|
-
end
|
65
|
-
|
66
|
-
it 'should use the rule set of the dynamic policy' do
|
67
|
-
ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
|
68
|
-
end
|
69
|
-
|
70
|
-
it 'should have all static rules' do
|
71
|
-
ATestStaticPolicy.has_rule?(:sys_relation).should be_true
|
72
|
-
ATestStaticPolicy.has_rule?(:res_relation).should be_false
|
73
|
-
ATestStaticPolicy.has_rule?(:pre_relation).should be_true
|
74
|
-
end
|
75
|
-
|
76
|
-
it 'should have access to static rules defined for all resources' do
|
77
|
-
ATestStaticPolicy.has_rule?(:__self__).should be_false
|
78
|
-
ATestStaticPolicy.has_rule?(:logged_in).should be_true
|
79
|
-
end
|
80
|
-
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
|
2
|
+
|
3
|
+
AnnotationSecurity.define_relations(:a_test) do
|
4
|
+
sys_relation :system
|
5
|
+
res_relation :resource
|
6
|
+
pre_relation :pretest
|
7
|
+
end
|
8
|
+
|
9
|
+
describe ATestPolicy do
|
10
|
+
|
11
|
+
it 'should be dynamic' do
|
12
|
+
ATestPolicy.static?.should be_false
|
13
|
+
end
|
14
|
+
|
15
|
+
it 'should have a static partner' do
|
16
|
+
ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
|
17
|
+
end
|
18
|
+
|
19
|
+
it 'should know its resource type' do
|
20
|
+
ATestPolicy.resource_type.should eql(:a_test)
|
21
|
+
end
|
22
|
+
|
23
|
+
it 'should have all rules' do
|
24
|
+
ATestPolicy.has_rule?(:sys_relation).should be_true
|
25
|
+
ATestPolicy.has_rule?(:res_relation).should be_true
|
26
|
+
ATestPolicy.has_rule?(:pre_relation).should be_true
|
27
|
+
end
|
28
|
+
|
29
|
+
it 'should be aware of the evaluation time of a rule' do
|
30
|
+
ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
|
31
|
+
ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
|
32
|
+
ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
|
33
|
+
|
34
|
+
ATestPolicy.has_static_rule?(:sys_relation).should be_true
|
35
|
+
ATestPolicy.has_static_rule?(:res_relation).should be_false
|
36
|
+
ATestPolicy.has_static_rule?(:pre_relation).should be_true
|
37
|
+
end
|
38
|
+
|
39
|
+
it 'should have access to rules defined for all resources' do
|
40
|
+
ATestPolicy.has_rule?(:__self__).should be_true
|
41
|
+
ATestPolicy.has_rule?(:logged_in).should be_true
|
42
|
+
end
|
43
|
+
#
|
44
|
+
# it 'should be possible to add rules'
|
45
|
+
#
|
46
|
+
# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
|
47
|
+
|
48
|
+
end
|
49
|
+
|
50
|
+
describe ATestStaticPolicy do
|
51
|
+
|
52
|
+
it 'should be static' do
|
53
|
+
ATestStaticPolicy.static?.should be_true
|
54
|
+
end
|
55
|
+
|
56
|
+
it 'should not have a static partner' do
|
57
|
+
lambda {
|
58
|
+
ATestStaticPolicy.static_policy_class
|
59
|
+
}.should raise_error(NameError)
|
60
|
+
end
|
61
|
+
|
62
|
+
it 'should know its resource type' do
|
63
|
+
ATestStaticPolicy.resource_type.should eql(:a_test)
|
64
|
+
end
|
65
|
+
|
66
|
+
it 'should use the rule set of the dynamic policy' do
|
67
|
+
ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
|
68
|
+
end
|
69
|
+
|
70
|
+
it 'should have all static rules' do
|
71
|
+
ATestStaticPolicy.has_rule?(:sys_relation).should be_true
|
72
|
+
ATestStaticPolicy.has_rule?(:res_relation).should be_false
|
73
|
+
ATestStaticPolicy.has_rule?(:pre_relation).should be_true
|
74
|
+
end
|
75
|
+
|
76
|
+
it 'should have access to static rules defined for all resources' do
|
77
|
+
ATestStaticPolicy.has_rule?(:__self__).should be_false
|
78
|
+
ATestStaticPolicy.has_rule?(:logged_in).should be_true
|
79
|
+
end
|
80
|
+
|
81
81
|
end
|
@@ -1,78 +1,78 @@
|
|
1
|
-
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
|
2
|
-
|
3
|
-
describe SecurityContext do
|
4
|
-
|
5
|
-
before(:each) do
|
6
|
-
@user1 = TestUser.new 'theuser'
|
7
|
-
@user2 = TestUser.new 'otheruser'
|
8
|
-
end
|
9
|
-
|
10
|
-
it "should check 'logged_in' for 'show'" do
|
11
|
-
request(@user1, :show, { :id => 'theuser' }).should succeed
|
12
|
-
request(@user2, :show, { :id => 'theuser' }).should succeed
|
13
|
-
request(nil, :show, { :id => 'theuser' }).should fail
|
14
|
-
end
|
15
|
-
|
16
|
-
it "should check 'owner' for 'edit'" do
|
17
|
-
request(@user1, :edit, { :id => 'theuser' }).should succeed
|
18
|
-
request(@user2, :edit, { :id => 'theuser' }).should fail
|
19
|
-
end
|
20
|
-
|
21
|
-
it "should check 'logged_in' and 'owner' for 'show_edit'" do
|
22
|
-
request(@user1, :show_edit, { :id => 'theuser' }).should succeed
|
23
|
-
request(@user2, :show_edit, { :id => 'theuser' }).should fail
|
24
|
-
end
|
25
|
-
|
26
|
-
it "should check 'owner' for 'delete' based on :id" do
|
27
|
-
request(@user1, :delete, { :id => 'theuser' }).should succeed
|
28
|
-
request(@user2, :delete, { :id => 'theuser' }).should fail
|
29
|
-
end
|
30
|
-
|
31
|
-
it "should not call action if check based on :id fails" do
|
32
|
-
TestController.expects(:enter_delete).never
|
33
|
-
request(@user2, :delete, { :id => 'theuser' }).should fail
|
34
|
-
end
|
35
|
-
|
36
|
-
it "should check 'owner' for 'list' based on @list" do
|
37
|
-
request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
|
38
|
-
request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
|
39
|
-
request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
|
40
|
-
end
|
41
|
-
|
42
|
-
it "should not be disturbed by calls to #render" do
|
43
|
-
TestController.expects(:exit_render).twice
|
44
|
-
request(@user1, :edit_with_render,
|
45
|
-
{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
|
46
|
-
request(@user1, :edit_with_render,
|
47
|
-
{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
|
48
|
-
end
|
49
|
-
|
50
|
-
it "should check rules before #render" do
|
51
|
-
TestController.expects(:exit_render).never
|
52
|
-
request(@user1, :edit_with_render,
|
53
|
-
{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
|
54
|
-
end
|
55
|
-
|
56
|
-
# simulates an action invokation in rails
|
57
|
-
def request(user, action, params)
|
58
|
-
controller = TestController.new
|
59
|
-
controller.test_init(action, params)
|
60
|
-
SecurityContext.initialize(controller)
|
61
|
-
SecurityContext.credential = user
|
62
|
-
rules = controller.class.descriptions_of(action)
|
63
|
-
SecurityContext.current.send_with_security(rules, controller, action)
|
64
|
-
'no_error'
|
65
|
-
rescue SecurityViolationError => sve
|
66
|
-
sve
|
67
|
-
end
|
68
|
-
|
69
|
-
def succeed
|
70
|
-
eql 'no_error'
|
71
|
-
end
|
72
|
-
|
73
|
-
def fail
|
74
|
-
be_instance_of SecurityViolationError
|
75
|
-
end
|
76
|
-
|
77
|
-
end
|
78
|
-
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
|
2
|
+
|
3
|
+
describe SecurityContext do
|
4
|
+
|
5
|
+
before(:each) do
|
6
|
+
@user1 = TestUser.new 'theuser'
|
7
|
+
@user2 = TestUser.new 'otheruser'
|
8
|
+
end
|
9
|
+
|
10
|
+
it "should check 'logged_in' for 'show'" do
|
11
|
+
request(@user1, :show, { :id => 'theuser' }).should succeed
|
12
|
+
request(@user2, :show, { :id => 'theuser' }).should succeed
|
13
|
+
request(nil, :show, { :id => 'theuser' }).should fail
|
14
|
+
end
|
15
|
+
|
16
|
+
it "should check 'owner' for 'edit'" do
|
17
|
+
request(@user1, :edit, { :id => 'theuser' }).should succeed
|
18
|
+
request(@user2, :edit, { :id => 'theuser' }).should fail
|
19
|
+
end
|
20
|
+
|
21
|
+
it "should check 'logged_in' and 'owner' for 'show_edit'" do
|
22
|
+
request(@user1, :show_edit, { :id => 'theuser' }).should succeed
|
23
|
+
request(@user2, :show_edit, { :id => 'theuser' }).should fail
|
24
|
+
end
|
25
|
+
|
26
|
+
it "should check 'owner' for 'delete' based on :id" do
|
27
|
+
request(@user1, :delete, { :id => 'theuser' }).should succeed
|
28
|
+
request(@user2, :delete, { :id => 'theuser' }).should fail
|
29
|
+
end
|
30
|
+
|
31
|
+
it "should not call action if check based on :id fails" do
|
32
|
+
TestController.expects(:enter_delete).never
|
33
|
+
request(@user2, :delete, { :id => 'theuser' }).should fail
|
34
|
+
end
|
35
|
+
|
36
|
+
it "should check 'owner' for 'list' based on @list" do
|
37
|
+
request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
|
38
|
+
request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
|
39
|
+
request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
|
40
|
+
end
|
41
|
+
|
42
|
+
it "should not be disturbed by calls to #render" do
|
43
|
+
TestController.expects(:exit_render).twice
|
44
|
+
request(@user1, :edit_with_render,
|
45
|
+
{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
|
46
|
+
request(@user1, :edit_with_render,
|
47
|
+
{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
|
48
|
+
end
|
49
|
+
|
50
|
+
it "should check rules before #render" do
|
51
|
+
TestController.expects(:exit_render).never
|
52
|
+
request(@user1, :edit_with_render,
|
53
|
+
{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
|
54
|
+
end
|
55
|
+
|
56
|
+
# simulates an action invokation in rails
|
57
|
+
def request(user, action, params)
|
58
|
+
controller = TestController.new
|
59
|
+
controller.test_init(action, params)
|
60
|
+
SecurityContext.initialize(controller)
|
61
|
+
SecurityContext.credential = user
|
62
|
+
rules = controller.class.descriptions_of(action)
|
63
|
+
SecurityContext.current.send_with_security(rules, controller, action)
|
64
|
+
'no_error'
|
65
|
+
rescue SecurityViolationError => sve
|
66
|
+
sve
|
67
|
+
end
|
68
|
+
|
69
|
+
def succeed
|
70
|
+
eql 'no_error'
|
71
|
+
end
|
72
|
+
|
73
|
+
def fail
|
74
|
+
be_instance_of SecurityViolationError
|
75
|
+
end
|
76
|
+
|
77
|
+
end
|
78
|
+
|
@@ -1,74 +1,74 @@
|
|
1
|
-
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
|
2
|
-
|
3
|
-
describe AnnotationSecurity::Utils do
|
4
|
-
|
5
|
-
it 'should remove prefixes of the method body' do
|
6
|
-
%w{may_rule is_rule can_rule has_rule}.each do |method|
|
7
|
-
AnnotationSecurity::Utils.method_body(method).should eql('rule')
|
8
|
-
end
|
9
|
-
end
|
10
|
-
|
11
|
-
it 'should remove suffixes of the method body' do
|
12
|
-
%w{rule_for rule_of rule_in rule_to rule?}.each do |method|
|
13
|
-
AnnotationSecurity::Utils.method_body(method).should eql('rule')
|
14
|
-
end
|
15
|
-
end
|
16
|
-
|
17
|
-
it 'should return nil if the method body is clean' do
|
18
|
-
AnnotationSecurity::Utils.method_body('rule').should be_nil
|
19
|
-
end
|
20
|
-
|
21
|
-
it 'should ignore prefixes and suffixes without underscore in method body' do
|
22
|
-
%w{mayrule isrule rulefor ruleof canrulein hasruleto}.each do |method|
|
23
|
-
AnnotationSecurity::Utils.method_body(method).should eql(nil)
|
24
|
-
end
|
25
|
-
end
|
26
|
-
|
27
|
-
it 'should remove only prefix or suffix from the method body at a time' do
|
28
|
-
AnnotationSecurity::Utils.method_body('may_is_rule').should eql('is_rule')
|
29
|
-
AnnotationSecurity::Utils.method_body('rule_of_for').should eql('rule_of')
|
30
|
-
AnnotationSecurity::Utils.method_body('can_has_rule_to?').should eql('has_rule_to')
|
31
|
-
end
|
32
|
-
|
33
|
-
it 'should parse descriptions without bindings correctly' do
|
34
|
-
['show a resource', 'show with some text ignored a resource',
|
35
|
-
'show pluralized resources', '(ignoring comments) show a resource',
|
36
|
-
'show a resource (with comment at the end)'].each do |s|
|
37
|
-
AnnotationSecurity::Utils.parse_description(s).
|
38
|
-
should == {:action => :show, :resource => :resource}
|
39
|
-
end
|
40
|
-
end
|
41
|
-
|
42
|
-
it 'should detect bindings of a description' do
|
43
|
-
{
|
44
|
-
'show the resource in @res' =>
|
45
|
-
{:action => :show,:resource => :resource, :source => '@res'},
|
46
|
-
'show the resource from :id' =>
|
47
|
-
{:action => :show,:resource => :resource, :source => :id},
|
48
|
-
}.each_pair do |key, value|
|
49
|
-
AnnotationSecurity::Utils.parse_description(key,true).should == value
|
50
|
-
end
|
51
|
-
end
|
52
|
-
|
53
|
-
it 'should raise an error if an unexpected binding is detected in a description' do
|
54
|
-
lambda {
|
55
|
-
AnnotationSecurity::Utils.parse_description('show the resource :id')
|
56
|
-
}.should raise_error(StandardError)
|
57
|
-
end
|
58
|
-
|
59
|
-
it 'should parse policy arguments like specified in SecurityContext.allowed?' do
|
60
|
-
obj = Object.new
|
61
|
-
def obj.__is_resource?; true; end
|
62
|
-
def obj.resource_type; :o_resource; end
|
63
|
-
{
|
64
|
-
[:show, :resource, obj] => [:show, :resource, obj],
|
65
|
-
[:show, obj] => [:show, :o_resource, obj],
|
66
|
-
['show resource', obj] => [:show, :resource, obj],
|
67
|
-
[:show, :resource] => [:show, :resource],
|
68
|
-
[:administrate] => [:administrate, :all_resources]
|
69
|
-
}.each_pair do |key, value|
|
70
|
-
AnnotationSecurity::Utils.parse_policy_arguments(key).should == value
|
71
|
-
end
|
72
|
-
end
|
73
|
-
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
|
2
|
+
|
3
|
+
describe AnnotationSecurity::Utils do
|
4
|
+
|
5
|
+
it 'should remove prefixes of the method body' do
|
6
|
+
%w{may_rule is_rule can_rule has_rule}.each do |method|
|
7
|
+
AnnotationSecurity::Utils.method_body(method).should eql('rule')
|
8
|
+
end
|
9
|
+
end
|
10
|
+
|
11
|
+
it 'should remove suffixes of the method body' do
|
12
|
+
%w{rule_for rule_of rule_in rule_to rule?}.each do |method|
|
13
|
+
AnnotationSecurity::Utils.method_body(method).should eql('rule')
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
it 'should return nil if the method body is clean' do
|
18
|
+
AnnotationSecurity::Utils.method_body('rule').should be_nil
|
19
|
+
end
|
20
|
+
|
21
|
+
it 'should ignore prefixes and suffixes without underscore in method body' do
|
22
|
+
%w{mayrule isrule rulefor ruleof canrulein hasruleto}.each do |method|
|
23
|
+
AnnotationSecurity::Utils.method_body(method).should eql(nil)
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
it 'should remove only prefix or suffix from the method body at a time' do
|
28
|
+
AnnotationSecurity::Utils.method_body('may_is_rule').should eql('is_rule')
|
29
|
+
AnnotationSecurity::Utils.method_body('rule_of_for').should eql('rule_of')
|
30
|
+
AnnotationSecurity::Utils.method_body('can_has_rule_to?').should eql('has_rule_to')
|
31
|
+
end
|
32
|
+
|
33
|
+
it 'should parse descriptions without bindings correctly' do
|
34
|
+
['show a resource', 'show with some text ignored a resource',
|
35
|
+
'show pluralized resources', '(ignoring comments) show a resource',
|
36
|
+
'show a resource (with comment at the end)'].each do |s|
|
37
|
+
AnnotationSecurity::Utils.parse_description(s).
|
38
|
+
should == {:action => :show, :resource => :resource}
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
it 'should detect bindings of a description' do
|
43
|
+
{
|
44
|
+
'show the resource in @res' =>
|
45
|
+
{:action => :show,:resource => :resource, :source => '@res'},
|
46
|
+
'show the resource from :id' =>
|
47
|
+
{:action => :show,:resource => :resource, :source => :id},
|
48
|
+
}.each_pair do |key, value|
|
49
|
+
AnnotationSecurity::Utils.parse_description(key,true).should == value
|
50
|
+
end
|
51
|
+
end
|
52
|
+
|
53
|
+
it 'should raise an error if an unexpected binding is detected in a description' do
|
54
|
+
lambda {
|
55
|
+
AnnotationSecurity::Utils.parse_description('show the resource :id')
|
56
|
+
}.should raise_error(StandardError)
|
57
|
+
end
|
58
|
+
|
59
|
+
it 'should parse policy arguments like specified in SecurityContext.allowed?' do
|
60
|
+
obj = Object.new
|
61
|
+
def obj.__is_resource?; true; end
|
62
|
+
def obj.resource_type; :o_resource; end
|
63
|
+
{
|
64
|
+
[:show, :resource, obj] => [:show, :resource, obj],
|
65
|
+
[:show, obj] => [:show, :o_resource, obj],
|
66
|
+
['show resource', obj] => [:show, :resource, obj],
|
67
|
+
[:show, :resource] => [:show, :resource],
|
68
|
+
[:administrate] => [:administrate, :all_resources]
|
69
|
+
}.each_pair do |key, value|
|
70
|
+
AnnotationSecurity::Utils.parse_policy_arguments(key).should == value
|
71
|
+
end
|
72
|
+
end
|
73
|
+
|
74
74
|
end
|