annotation_security 1.0.1 → 1.0.2
- data/CHANGELOG.md +14 -0
- data/HOW-TO.md +275 -0
- data/{MIT-LICENSE → LICENSE} +1 -1
- data/README.md +39 -0
- data/Rakefile +62 -55
- data/assets/app/helpers/annotation_security_helper.rb +8 -8
- data/assets/config/initializers/annotation_security.rb +11 -11
- data/assets/config/security/relations.rb +20 -20
- data/assets/vendor/plugins/annotation_security/init.rb +13 -13
- data/bin/annotation_security +7 -7
- data/lib/annotation_security/exceptions.rb +124 -124
- data/lib/annotation_security/exec.rb +188 -188
- data/lib/annotation_security/filters.rb +37 -37
- data/lib/annotation_security/includes/action_controller.rb +144 -143
- data/lib/annotation_security/includes/active_record.rb +27 -27
- data/lib/annotation_security/includes/helper.rb +215 -215
- data/lib/annotation_security/includes/resource.rb +84 -84
- data/lib/annotation_security/includes/role.rb +30 -30
- data/lib/annotation_security/includes/user.rb +26 -26
- data/lib/annotation_security/manager/policy_factory.rb +29 -29
- data/lib/annotation_security/manager/policy_manager.rb +79 -79
- data/lib/annotation_security/manager/relation_loader.rb +272 -272
- data/lib/annotation_security/manager/resource_manager.rb +36 -36
- data/lib/annotation_security/manager/right_loader.rb +87 -87
- data/lib/annotation_security/model_observer.rb +61 -61
- data/lib/annotation_security/policy/abstract_policy.rb +344 -344
- data/lib/annotation_security/policy/abstract_static_policy.rb +75 -75
- data/lib/annotation_security/policy/all_resources_policy.rb +20 -20
- data/lib/annotation_security/policy/rule.rb +340 -340
- data/lib/annotation_security/policy/rule_set.rb +138 -138
- data/lib/annotation_security/rails.rb +38 -38
- data/lib/annotation_security/user_wrapper.rb +73 -73
- data/lib/annotation_security/utils.rb +141 -141
- data/lib/annotation_security/version.rb +10 -0
- data/lib/annotation_security.rb +102 -97
- data/lib/extensions/action_controller.rb +32 -32
- data/lib/extensions/active_record.rb +34 -34
- data/lib/extensions/filter.rb +133 -133
- data/lib/extensions/object.rb +10 -10
- data/lib/security_context.rb +589 -551
- data/spec/annotation_security/exceptions_spec.rb +16 -16
- data/spec/annotation_security/includes/helper_spec.rb +82 -82
- data/spec/annotation_security/manager/policy_manager_spec.rb +15 -15
- data/spec/annotation_security/manager/resource_manager_spec.rb +17 -17
- data/spec/annotation_security/manager/right_loader_spec.rb +17 -17
- data/spec/annotation_security/policy/abstract_policy_spec.rb +16 -16
- data/spec/annotation_security/policy/all_resources_policy_spec.rb +24 -24
- data/spec/annotation_security/policy/rule_set_spec.rb +112 -112
- data/spec/annotation_security/policy/rule_spec.rb +77 -77
- data/spec/annotation_security/policy/test_policy_spec.rb +80 -80
- data/spec/annotation_security/security_context_spec.rb +78 -78
- data/spec/annotation_security/utils_spec.rb +73 -73
- data/spec/helper/test_controller.rb +65 -65
- data/spec/helper/test_helper.rb +5 -5
- data/spec/helper/test_relations.rb +6 -6
- data/spec/helper/test_resource.rb +38 -38
- data/spec/helper/test_role.rb +21 -21
- data/spec/helper/test_user.rb +31 -31
- data/spec/rails_stub.rb +37 -37
- metadata +94 -72
- data/CHANGELOG +0 -2
- data/HOW-TO +0 -261
- data/README +0 -39
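--- a/data/spec/annotation_security/policy/rule_spec.rb
+++ b/data/spec/annotation_security/policy/rule_spec.rb
@@ -1,78 +1,78 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-describe AnnotationSecurity::Rule do
-
-before(:all) do
-AnnotationSecurity.define_relations(:rule_test_res) do
-res_dummy
-sys_dummy(:system) { false }
-pre_dummy :pretest
-noc_dummy :system, :require_credential => false
-
-res_dummy_test { has_res_dummy }
-sys_dummy_test "if is_sys_dummy"
-end
-end
-
-it 'should create valid dynamic relations' do
-rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
-rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
-rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
-rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
-end
-
-it 'should create valid static relations' do
-rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
-rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
-end
-
-it 'should create valid pretest relations' do
-rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
-rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
-end
-
-it 'should create valid relations without user' do
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:system, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
-rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-:pretest, :require_credential => false)
-rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
-end
-
-it 'should create valid rights' do
-{
-'if res_dummy' => '-du',
-'if sys_dummy' => 's-u',
-'if pre_dummy' => 'sdu',
-'if res_dummy or sys_dummy' => '-du',
-'if res_dummy or pre_dummy' => '-du',
-'if sys_dummy or pre_dummy' => 'sdu',
-'if noc_dummy' => 's--',
-'if noc_dummy or sys_dummy' => 's-u',
-'if noc_dummy or res_dummy' => '-du',
-'if self' => '-du',
-'if other_right: resource_property' => '-du',
-'true' => 's--',
-'false or nil' => 's--'
-}.each_pair do |condition,flags|
-right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
-right.flag_s.should == 'r???'
-right.static? # trigger lazy initialization
-right.flag_s.should == 'r'+flags
-end
-end
-
-it 'should call referred rules when being executed' do
-policy = RuleTestResPolicy.new(:user,:res)
-
-policy.expects(:res_dummy).returns(true)
-policy.res_dummy_test.should be_true
-
-policy.expects(:sys_dummy).returns(false)
-policy.sys_dummy_test?.should be_false
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe AnnotationSecurity::Rule do
+
+before(:all) do
+AnnotationSecurity.define_relations(:rule_test_res) do
+res_dummy
+sys_dummy(:system) { false }
+pre_dummy :pretest
+noc_dummy :system, :require_credential => false
+
+res_dummy_test { has_res_dummy }
+sys_dummy_test "if is_sys_dummy"
+end
+end
+
+it 'should create valid dynamic relations' do
+rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
+rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
+rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
+rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
+end
+
+it 'should create valid static relations' do
+rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
+rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
+end
+
+it 'should create valid pretest relations' do
+rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
+rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
+end
+
+it 'should create valid relations without user' do
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:system, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
+rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+:pretest, :require_credential => false)
+rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
+end
+
+it 'should create valid rights' do
+{
+'if res_dummy' => '-du',
+'if sys_dummy' => 's-u',
+'if pre_dummy' => 'sdu',
+'if res_dummy or sys_dummy' => '-du',
+'if res_dummy or pre_dummy' => '-du',
+'if sys_dummy or pre_dummy' => 'sdu',
+'if noc_dummy' => 's--',
+'if noc_dummy or sys_dummy' => 's-u',
+'if noc_dummy or res_dummy' => '-du',
+'if self' => '-du',
+'if other_right: resource_property' => '-du',
+'true' => 's--',
+'false or nil' => 's--'
+}.each_pair do |condition,flags|
+right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
+right.flag_s.should == 'r???'
+right.static? # trigger lazy initialization
+right.flag_s.should == 'r'+flags
+end
+end
+
+it 'should call referred rules when being executed' do
+policy = RuleTestResPolicy.new(:user,:res)
+
+policy.expects(:res_dummy).returns(true)
+policy.res_dummy_test.should be_true
+
+policy.expects(:sys_dummy).returns(false)
+policy.sys_dummy_test?.should be_false
+end
+
 end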
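--- a/data/spec/annotation_security/policy/test_policy_spec.rb
+++ b/data/spec/annotation_security/policy/test_policy_spec.rb
@@ -1,81 +1,81 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-AnnotationSecurity.define_relations(:a_test) do
-sys_relation :system
-res_relation :resource
-pre_relation :pretest
-end
-
-describe ATestPolicy do
-
-it 'should be dynamic' do
-ATestPolicy.static?.should be_false
-end
-
-it 'should have a static partner' do
-ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
-end
-
-it 'should know its resource type' do
-ATestPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should have all rules' do
-ATestPolicy.has_rule?(:sys_relation).should be_true
-ATestPolicy.has_rule?(:res_relation).should be_true
-ATestPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should be aware of the evaluation time of a rule' do
-ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
-ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
-ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
-
-ATestPolicy.has_static_rule?(:sys_relation).should be_true
-ATestPolicy.has_static_rule?(:res_relation).should be_false
-ATestPolicy.has_static_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to rules defined for all resources' do
-ATestPolicy.has_rule?(:__self__).should be_true
-ATestPolicy.has_rule?(:logged_in).should be_true
-end
-#
-# it 'should be possible to add rules'
-#
-# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
-
-end
-
-describe ATestStaticPolicy do
-
-it 'should be static' do
-ATestStaticPolicy.static?.should be_true
-end
-
-it 'should not have a static partner' do
-lambda {
-ATestStaticPolicy.static_policy_class
-}.should raise_error(NameError)
-end
-
-it 'should know its resource type' do
-ATestStaticPolicy.resource_type.should eql(:a_test)
-end
-
-it 'should use the rule set of the dynamic policy' do
-ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
-end
-
-it 'should have all static rules' do
-ATestStaticPolicy.has_rule?(:sys_relation).should be_true
-ATestStaticPolicy.has_rule?(:res_relation).should be_false
-ATestStaticPolicy.has_rule?(:pre_relation).should be_true
-end
-
-it 'should have access to static rules defined for all resources' do
-ATestStaticPolicy.has_rule?(:__self__).should be_false
-ATestStaticPolicy.has_rule?(:logged_in).should be_true
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+AnnotationSecurity.define_relations(:a_test) do
+sys_relation :system
+res_relation :resource
+pre_relation :pretest
+end
+
+describe ATestPolicy do
+
+it 'should be dynamic' do
+ATestPolicy.static?.should be_false
+end
+
+it 'should have a static partner' do
+ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
+end
+
+it 'should know its resource type' do
+ATestPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should have all rules' do
+ATestPolicy.has_rule?(:sys_relation).should be_true
+ATestPolicy.has_rule?(:res_relation).should be_true
+ATestPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should be aware of the evaluation time of a rule' do
+ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
+ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
+ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
+
+ATestPolicy.has_static_rule?(:sys_relation).should be_true
+ATestPolicy.has_static_rule?(:res_relation).should be_false
+ATestPolicy.has_static_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to rules defined for all resources' do
+ATestPolicy.has_rule?(:__self__).should be_true
+ATestPolicy.has_rule?(:logged_in).should be_true
+end
+#
+# it 'should be possible to add rules'
+#
+# it 'should be possible to evaluate a list of rules (static/dynamic/both)'
+
+end
+
+describe ATestStaticPolicy do
+
+it 'should be static' do
+ATestStaticPolicy.static?.should be_true
+end
+
+it 'should not have a static partner' do
+lambda {
+ATestStaticPolicy.static_policy_class
+}.should raise_error(NameError)
+end
+
+it 'should know its resource type' do
+ATestStaticPolicy.resource_type.should eql(:a_test)
+end
+
+it 'should use the rule set of the dynamic policy' do
+ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
+end
+
+it 'should have all static rules' do
+ATestStaticPolicy.has_rule?(:sys_relation).should be_true
+ATestStaticPolicy.has_rule?(:res_relation).should be_false
+ATestStaticPolicy.has_rule?(:pre_relation).should be_true
+end
+
+it 'should have access to static rules defined for all resources' do
+ATestStaticPolicy.has_rule?(:__self__).should be_false
+ATestStaticPolicy.has_rule?(:logged_in).should be_true
+end
+
 end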
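--- a/data/spec/annotation_security/security_context_spec.rb
+++ b/data/spec/annotation_security/security_context_spec.rb
@@ -1,78 +1,78 @@
-require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
-
-describe SecurityContext do
-
-before(:each) do
-@user1 = TestUser.new 'theuser'
-@user2 = TestUser.new 'otheruser'
-end
-
-it "should check 'logged_in' for 'show'" do
-request(@user1, :show, { :id => 'theuser' }).should succeed
-request(@user2, :show, { :id => 'theuser' }).should succeed
-request(nil, :show, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'edit'" do
-request(@user1, :edit, { :id => 'theuser' }).should succeed
-request(@user2, :edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'logged_in' and 'owner' for 'show_edit'" do
-request(@user1, :show_edit, { :id => 'theuser' }).should succeed
-request(@user2, :show_edit, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'delete' based on :id" do
-request(@user1, :delete, { :id => 'theuser' }).should succeed
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should not call action if check based on :id fails" do
-TestController.expects(:enter_delete).never
-request(@user2, :delete, { :id => 'theuser' }).should fail
-end
-
-it "should check 'owner' for 'list' based on @list" do
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-it "should not be disturbed by calls to #render" do
-TestController.expects(:exit_render).twice
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-request(@user1, :edit_with_render,
-{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-end
-
-it "should check rules before #render" do
-TestController.expects(:exit_render).never
-request(@user1, :edit_with_render,
-{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-end
-
-# simulates an action invokation in rails
-def request(user, action, params)
-controller = TestController.new
-controller.test_init(action, params)
-SecurityContext.initialize(controller)
-SecurityContext.credential = user
-rules = controller.class.descriptions_of(action)
-SecurityContext.current.send_with_security(rules, controller, action)
-'no_error'
-rescue SecurityViolationError => sve
-sve
-end
-
-def succeed
-eql 'no_error'
-end
-
-def fail
-be_instance_of SecurityViolationError
-end
-
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe SecurityContext do
+
+before(:each) do
+@user1 = TestUser.new 'theuser'
+@user2 = TestUser.new 'otheruser'
+end
+
+it "should check 'logged_in' for 'show'" do
+request(@user1, :show, { :id => 'theuser' }).should succeed
+request(@user2, :show, { :id => 'theuser' }).should succeed
+request(nil, :show, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'edit'" do
+request(@user1, :edit, { :id => 'theuser' }).should succeed
+request(@user2, :edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'logged_in' and 'owner' for 'show_edit'" do
+request(@user1, :show_edit, { :id => 'theuser' }).should succeed
+request(@user2, :show_edit, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'delete' based on :id" do
+request(@user1, :delete, { :id => 'theuser' }).should succeed
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should not call action if check based on :id fails" do
+TestController.expects(:enter_delete).never
+request(@user2, :delete, { :id => 'theuser' }).should fail
+end
+
+it "should check 'owner' for 'list' based on @list" do
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+it "should not be disturbed by calls to #render" do
+TestController.expects(:exit_render).twice
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+request(@user1, :edit_with_render,
+{ :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+end
+
+it "should check rules before #render" do
+TestController.expects(:exit_render).never
+request(@user1, :edit_with_render,
+{ :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+end
+
+# simulates an action invokation in rails
+def request(user, action, params)
+controller = TestController.new
+controller.test_init(action, params)
+SecurityContext.initialize(controller)
+SecurityContext.credential = user
+rules = controller.class.descriptions_of(action)
+SecurityContext.current.send_with_security(rules, controller, action)
+'no_error'
+rescue SecurityViolationError => sve
+sve
+end
+
+def succeed
+eql 'no_error'
+end
+
+def fail
+be_instance_of SecurityViolationError
+end
+
+end
+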
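--- a/data/spec/annotation_security/utils_spec.rb
+++ b/data/spec/annotation_security/utils_spec.rb
@@ -1,74 +1,74 @@
-require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
-
-describe AnnotationSecurity::Utils do
-
-it 'should remove prefixes of the method body' do
-%w{may_rule is_rule can_rule has_rule}.each do |method|
-AnnotationSecurity::Utils.method_body(method).should eql('rule')
-end
-end
-
-it 'should remove suffixes of the method body' do
-%w{rule_for rule_of rule_in rule_to rule?}.each do |method|
-AnnotationSecurity::Utils.method_body(method).should eql('rule')
-end
-end
-
-it 'should return nil if the method body is clean' do
-AnnotationSecurity::Utils.method_body('rule').should be_nil
-end
-
-it 'should ignore prefixes and suffixes without underscore in method body' do
-%w{mayrule isrule rulefor ruleof canrulein hasruleto}.each do |method|
-AnnotationSecurity::Utils.method_body(method).should eql(nil)
-end
-end
-
-it 'should remove only prefix or suffix from the method body at a time' do
-AnnotationSecurity::Utils.method_body('may_is_rule').should eql('is_rule')
-AnnotationSecurity::Utils.method_body('rule_of_for').should eql('rule_of')
-AnnotationSecurity::Utils.method_body('can_has_rule_to?').should eql('has_rule_to')
-end
-
-it 'should parse descriptions without bindings correctly' do
-['show a resource', 'show with some text ignored a resource',
-'show pluralized resources', '(ignoring comments) show a resource',
-'show a resource (with comment at the end)'].each do |s|
-AnnotationSecurity::Utils.parse_description(s).
-should == {:action => :show, :resource => :resource}
-end
-end
-
-it 'should detect bindings of a description' do
-{
-'show the resource in @res' =>
-{:action => :show,:resource => :resource, :source => '@res'},
-'show the resource from :id' =>
-{:action => :show,:resource => :resource, :source => :id},
-}.each_pair do |key, value|
-AnnotationSecurity::Utils.parse_description(key,true).should == value
-end
-end
-
-it 'should raise an error if an unexpected binding is detected in a description' do
-lambda {
-AnnotationSecurity::Utils.parse_description('show the resource :id')
-}.should raise_error(StandardError)
-end
-
-it 'should parse policy arguments like specified in SecurityContext.allowed?' do
-obj = Object.new
-def obj.__is_resource?; true; end
-def obj.resource_type; :o_resource; end
-{
-[:show, :resource, obj] => [:show, :resource, obj],
-[:show, obj] => [:show, :o_resource, obj],
-['show resource', obj] => [:show, :resource, obj],
-[:show, :resource] => [:show, :resource],
-[:administrate] => [:administrate, :all_resources]
-}.each_pair do |key, value|
-AnnotationSecurity::Utils.parse_policy_arguments(key).should == value
-end
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe AnnotationSecurity::Utils do
+
+it 'should remove prefixes of the method body' do
+%w{may_rule is_rule can_rule has_rule}.each do |method|
+AnnotationSecurity::Utils.method_body(method).should eql('rule')
+end
+end
+
+it 'should remove suffixes of the method body' do
+%w{rule_for rule_of rule_in rule_to rule?}.each do |method|
+AnnotationSecurity::Utils.method_body(method).should eql('rule')
+end
+end
+
+it 'should return nil if the method body is clean' do
+AnnotationSecurity::Utils.method_body('rule').should be_nil
+end
+
+it 'should ignore prefixes and suffixes without underscore in method body' do
+%w{mayrule isrule rulefor ruleof canrulein hasruleto}.each do |method|
+AnnotationSecurity::Utils.method_body(method).should eql(nil)
+end
+end
+
+it 'should remove only prefix or suffix from the method body at a time' do
+AnnotationSecurity::Utils.method_body('may_is_rule').should eql('is_rule')
+AnnotationSecurity::Utils.method_body('rule_of_for').should eql('rule_of')
+AnnotationSecurity::Utils.method_body('can_has_rule_to?').should eql('has_rule_to')
+end
+
+it 'should parse descriptions without bindings correctly' do
+['show a resource', 'show with some text ignored a resource',
+'show pluralized resources', '(ignoring comments) show a resource',
+'show a resource (with comment at the end)'].each do |s|
+AnnotationSecurity::Utils.parse_description(s).
+should == {:action => :show, :resource => :resource}
+end
+end
+
+it 'should detect bindings of a description' do
+{
+'show the resource in @res' =>
+{:action => :show,:resource => :resource, :source => '@res'},
+'show the resource from :id' =>
+{:action => :show,:resource => :resource, :source => :id},
+}.each_pair do |key, value|
+AnnotationSecurity::Utils.parse_description(key,true).should == value
+end
+end
+
+it 'should raise an error if an unexpected binding is detected in a description' do
+lambda {
+AnnotationSecurity::Utils.parse_description('show the resource :id')
+}.should raise_error(StandardError)
+end
+
+it 'should parse policy arguments like specified in SecurityContext.allowed?' do
+obj = Object.new
+def obj.__is_resource?; true; end
+def obj.resource_type; :o_resource; end
+{
+[:show, :resource, obj] => [:show, :resource, obj],
+[:show, obj] => [:show, :o_resource, obj],
+['show resource', obj] => [:show, :resource, obj],
+[:show, :resource] => [:show, :resource],
+[:administrate] => [:administrate, :all_resources]
+}.each_pair do |key, value|
+AnnotationSecurity::Utils.parse_policy_arguments(key).should == value
+end
+end
+
 end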