annotation_security 1.0.1

data/lib/annotation_security/utils.rb

@@ -0,0 +1,142 @@
+#
+# = lib/annotation_security/utils.rb
+#
+# Provides some methods that are needed at several locations in the plug-in.
+#
+
+class AnnotationSecurity::Utils # :nodoc:
+
+  PREFIXES = /\A(may|is|can|has)_/
+  SUFFIXES = /(_(for|in|of|to)|\?)\Z/
+
+  # Removes pre- and suffixes from +method+,
+  # returns +nil+ if no change was made.
+  #
+  def self.method_body(method)
+    body = method.to_s.gsub(PREFIXES,'').gsub(SUFFIXES,'')
+    method.to_s == body ? nil : body
+  end
+
+  # Parses a description string
+  # * +description+ description of a controller action
+  # * +allow_binding+ if false, an exception is raised if the description
+  #                   contains a variable
+  # Returns right, resource and binding
+  #
+  def self.parse_description(description,allow_binding=false)
+    ActionAnnotation::Utils.parse_description(description,allow_binding)
+  end
+
+  # Parses arguments provided to #apply_policy or #allowed? and returns
+  # [ [:action, :resource_type, resource || nil], ... ]
+  #
+  # See SecurityContext#allowed? for details.
+  #
+  # Each element of the result can be send to a policy using
+  #  policy_of_res_type.allowed?(rule, resource)
+  # or
+  #   policy_of_res_type.static_policy.allowed?(rule, nil)
+  #
+  # Raises ArgumentError if args could not be parsed.
+  #
+  def self.parse_policy_arguments(args)
+    if args.first.is_a? String
+      hash = AnnotationSecurity::Utils.parse_description(args.first)
+    elsif args.first.is_a? Hash
+      hash = args.first
+    end
+    if hash
+      action = hash.delete(:action) || hash.delete('action')
+      resource = hash.delete(:resource) || hash.delete('resource')
+      unless resource.__is_resource?
+        resource_type = resource
+        resource = nil
+      end
+      resource_type ||= hash.delete(:resource_type) 
+      resource_type ||= resource ? resource.resource_type : nil
+      a = [action, resource_type]
+      a << resource if resource
+      args = a + args[1..-1]
+    end
+
+    args << :all_resources unless args.size > 1
+
+    action, resource = args
+
+    if resource.__is_resource?
+      args = [action, resource.resource_type] + args[1..-1]
+    end
+#      if args.size > 2 && args.third == nil
+#        raise ArgumentError, "Did not expect nil as resource"
+#      end
+    args
+  end
+
+  # returns resource type and resource object without action
+  # expects [resource object], [resource type], or both
+  def self.parse_resource_arguments(args)
+    parse_policy_arguments([:r]+args)[1..2]
+  end
+
+  # Returns controller, action, objects and parameters
+  def self.parse_action_args(args)
+    controller = parse_controller(args.first)
+    action = args.second.to_sym
+
+    objects = args.third || []
+    objects = [objects] unless objects.is_a? Array
+    prepare_objects_resources(controller, objects)
+
+    params = args.fourth || {}
+    prepare_params_resources(controller, params)
+
+    objects += params.values
+
+    objects = objects.select { |o| o and o.__is_resource? }
+    return [controller, action, objects, params]
+  end
+
+  # Try to find the controller class from a name.
+  # Looks for [name](s)Controller.
+  #
+  #  parse_controller :welcome #=> WelcomeController
+  #  parse_controller :user # => UsersController
+  #
+  def self.parse_controller(controller) # :nodoc:
+    begin
+      "#{controller.to_s.camelize}Controller".constantize
+    rescue NameError
+      "#{controller.to_s.pluralize.camelize}Controller".constantize
+    end
+  rescue NameError
+    raise NameError, "Controller '#{controller}' was not found"
+  end
+
+  # if there are non-resources in objects, use the values to get resources
+  # from the controllers default resource type
+  #
+  def self.prepare_objects_resources(controller, objects)
+    res_type = controller.default_resource
+    objects.collect! do |o|
+      if o.__is_resource?
+        o
+      else
+        AnnotationSecurity::ResourceManager.get_resource(res_type, o)
+      end
+    end
+  end
+
+  # if there are non-resources in objects, use the values to get resources
+  # assuming the keys are the resource types (:id is defalut resource)
+  #
+  def self.prepare_params_resources(controller, params)
+    params.each do |k, v|
+      unless v.__is_resource?
+        res_type = k == :id ? controller.default_resource : k
+        v = AnnotationSecurity::ResourceManager.get_resource(res_type, v)
+        params[k] = v
+      end
+    end
+  end
+
+end

data/lib/annotation_security.rb

@@ -0,0 +1,98 @@
+#
+# = lib/annotation_security.rb
+#
+# This modul provides the AnnotationSecurity security layer. 
+#
+
+# = AnnotationSecurity
+module AnnotationSecurity; end
+
+# Load annotation security files
+dir = File.dirname(__FILE__)
+require dir + '/annotation_security/manager/policy_manager'
+require dir + '/annotation_security/manager/policy_factory'
+require dir + '/annotation_security/manager/relation_loader'
+require dir + '/annotation_security/manager/right_loader'
+require dir + '/annotation_security/manager/resource_manager'
+require dir + '/annotation_security/policy/abstract_policy'
+require dir + '/annotation_security/policy/abstract_static_policy'
+require dir + '/annotation_security/policy/rule_set'
+require dir + '/annotation_security/policy/rule'
+require dir + '/annotation_security/includes/resource'
+require dir + '/annotation_security/includes/action_controller'
+require dir + '/annotation_security/includes/active_record'
+require dir + '/annotation_security/includes/role'
+require dir + '/annotation_security/includes/user'
+require dir + '/annotation_security/includes/helper'
+require dir + '/annotation_security/exceptions'
+require dir + '/annotation_security/filters'
+require dir + '/annotation_security/model_observer'
+require dir + '/annotation_security/user_wrapper'
+require dir + '/annotation_security/utils'
+
+require dir + '/security_context'
+
+module AnnotationSecurity
+
+  # Load the file specified by +fname+.
+  # The file will be reloaded automatically if reset is called.
+  #
+  # See AnnotationSecurity::RightLoader for details.
+  #
+  def self.load_rights(fname, ext = 'yml')
+    # The file is expected to be a yaml file.
+    # However, it is also possible to use a ruby file that uses
+    # AnnotationSecurity.define_rights. In this case, ext should be 'rb'.
+    PolicyManager.add_file(fname, ext)
+  end
+
+  # Load the file specified by +fname+.
+  # The file will be reloaded automatically if reset is called.
+  #
+  # See AnnotationSecurity::RelationLoader for details.
+  #
+  def self.load_relations(fname)
+    PolicyManager.add_file(fname, 'rb')
+  end
+
+  # Defines relations specified in +block+.
+  #
+  # See AnnotationSecurity::RelationLoader for details
+  #
+  def self.define_relations(*resources,&block)
+    RelationLoader.define_relations(*resources,&block)
+  end
+
+  # Defines rights specified in +hash+.
+  #
+  # See AnnotationSecurity::RightLoader for details
+  #
+  def self.define_rights(hash)
+    RightLoader.define_rights(hash)
+  end
+
+  # Reloads all files that were loaded with load_rights or load_relations.
+  #
+  # In development mode, reset is being executed before each request.
+  #
+  def self.reset
+    PolicyManager.reset
+  end
+
+  # Initializes AnnotationSecurity for a Rails application and loads
+  # Rails specific parts of the library.
+  #
+  # This method is called by `init.rb`,
+  # which is run by Rails on startup.
+  #
+  # * +binding+ [Binding] The context of the `init.rb` file.
+  def self.init_rails(binding)
+    puts "Initializing AnnotationSecurity security layer"
+
+    %w{annotation_security/rails extensions/object extensions/action_controller
+       extensions/active_record extensions/filter }.each { |f| require f }
+    
+    config = eval("config", binding)
+    AnnotationSecurity::Rails.init!(config)
+  end
+end

data/lib/extensions/action_controller.rb

@@ -0,0 +1,33 @@
+#
+# = lib/extensions/action_controller.rb
+#
+
+module ActionController # :nodoc:
+  
+  # Extends ActionController::Base for security.
+  #
+  class Base # :nodoc:
+
+    # Include required security functionality
+    include AnnotationSecurity::ActionController
+
+    alias render_without_security render
+
+    # Before rendering, evaluates the bounded rules of the current action.
+    #
+    def render(*args, &block)
+      SecurityContext.apply_rules_after_action
+      render_without_security(*args, &block)
+    end
+
+    alias redirect_to_without_security redirect_to
+
+    # Before redirecting, evaluates the bounded rules of the current action.
+    #
+    def redirect_to(*args, &block)
+      SecurityContext.apply_rules_after_action
+      redirect_to_without_security(*args, &block)
+    end
+  end
+
+end

data/lib/extensions/active_record.rb

@@ -0,0 +1,35 @@
+#
+# = lib/extensions/active_record.rb
+#
+
+module ActiveRecord # :nodoc: 
+
+  # Extends ActiveRecord::Base so that model classes 
+  # can be tagged as resources.
+  #
+  # To associate a model class with a resource type, use #resource in the class
+  # definition.
+  #
+  #  class MyResource < ActiveRecord::Base
+  #    resource :my_resource
+  #
+  #    # ...
+  #  end
+  #
+  # If you don't pass an argument to #resource, the resource name will be
+  # the underscored class name.
+  #
+  # See AnnotationSecurity::Resource if you want to use non-model classes as resources.
+  #
+  class Base
+
+    # Declares a model class to be a resource.
+    # * +resource_type+ (optional) Symbol of the resource type (like :course)
+    def self.resource(resource_type = nil)
+      include ::AnnotationSecurity::ActiveRecord
+      self.resource_type = resource_type if resource_type
+      self.resource_type
+    end
+  end
+
+end

data/lib/extensions/filter.rb

@@ -0,0 +1,134 @@
+#
+# = lib/extensions/filter.rb
+#
+# Adds security filters to the Rails filter mechanism.
+# 
+# Modifies ActionController::Filter::FilterChain. Might not work with other
+# gems modifying this class.
+#
+
+# Extends ActiveRecord::Base and patches ActionController::Filters
+#
+# Performs additions to the rails filter chain. It basically adds two
+# filters which may not be removed:
+#
+#  1) Before Fiter to initialize SecurityContext
+#  2) Around Filter around actions
+#
+# The altered filter chain looks like this:
+#
+#  * AnnotationSecurity::Filters::InitializeSecurity
+#  * ... other before filters
+#  * around filters ...
+#  * AnnotationSecurity::Filters::ApplySecurity
+#  * after filters
+#
+module ActionController # :nodoc:
+  module Filters # :nodoc:
+    class FilterChain # :nodoc:
+      def self.new(&block)
+        returning super do |filter_chain|
+          filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::InitializeSecurity], :security, &block)
+          filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::ApplySecurity], :action_security, &block)
+        end
+      end
+
+      private
+
+      def find_filter_append_position(filters, filter_type)
+        # appending an after filter puts it at the end of the call chain
+        # before and around filters go after security filters and
+        # before the first after or action_security filter
+        #
+        return -1 if filter_type == :after
+
+        if filter_type == :security
+          #security filters are first filters in chain
+          each_with_index do |f,i|
+            return i unless f.security?
+          end
+        else
+          each_with_index do |f,i|
+            return i if f.after? or f.action_security?
+          end
+        end
+        return -1
+      end
+
+      def find_filter_prepend_position(filters, filter_type)
+        if filter_type == :after
+          # after filters go before the first after filter in the chain
+          each_with_index do |f,i|
+            return i if f.after?
+          end
+          return -1
+        elsif filter_type == :security
+          return 0
+        else
+          # prepending a before or around filter puts it at the front of the call chain
+          each_with_index do |f,i|
+            return i unless f.security?
+          end
+        end
+        return 0 # Since first filter is security initialization filter
+      end
+
+      def find_or_create_filter(filter, filter_type, options = {})
+        update_filter_in_chain([filter], options)
+
+        if found_filter = find(filter) { |f| f.type == filter_type }
+          found_filter
+        else
+          filter_kind = case
+          when filter.respond_to?(:before) && filter_type == :before
+            :before
+          when filter.respond_to?(:after) && filter_type == :after
+            :after
+          else
+            :filter
+          end
+
+          case filter_type
+          when :before
+            BeforeFilter.new(filter_kind, filter, options)
+          when :after
+            AfterFilter.new(filter_kind, filter, options)
+          when :security
+            SecurityFilter.new(filter_kind, filter, options)
+          when :action_security
+            ActionSecurityFilter.new(filter_kind, filter, options)
+          else
+            AroundFilter.new(filter_kind, filter, options)
+          end
+        end
+      end
+    end
+
+    class Filter # :nodoc:
+
+      # override to return true in appropriate subclass
+      def security?
+        false
+      end
+
+      def action_security?
+        false
+      end
+    end
+
+    # the customized security filter that sets the current user
+    # and catches security exceptions
+    class SecurityFilter < AroundFilter # :nodoc:
+      def security?
+        true
+      end
+    end
+
+    # filter used to activate security for actions
+    class ActionSecurityFilter < AroundFilter # :nodoc:
+      def action_security?
+        true
+      end
+    end
+  end
+end

data/lib/extensions/object.rb

@@ -0,0 +1,11 @@
+#
+# = lib/extensions/object.rb
+#
+
+class Object # :nodoc:
+
+  def __is_resource? # :nodoc:
+    false
+  end
+
+end