annotation_security 1.0.2 → 1.3.1

data/spec/annotation_security/policy/rule_spec.rb

@@ -1,78 +1,78 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-describe AnnotationSecurity::Rule do
-
-  before(:all) do
-    AnnotationSecurity.define_relations(:rule_test_res) do
-      res_dummy
-      sys_dummy(:system) { false }
-      pre_dummy :pretest
-      noc_dummy :system, :require_credential => false
-
-      res_dummy_test { has_res_dummy }
-      sys_dummy_test "if is_sys_dummy"
-    end
-  end
-
-  it 'should create valid dynamic relations' do
-    rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
-    rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
-    rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
-    rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
-  end
-
-  it 'should create valid static relations' do
-    rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
-    rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
-  end
-
-  it 'should create valid pretest relations' do
-    rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
-    rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
-  end
-
-  it 'should create valid relations without user' do
-    rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
-    rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
-    rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-                              :system, :require_credential => false)
-    rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
-    rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
-                              :pretest, :require_credential => false)
-    rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
-  end
-
-  it 'should create valid rights' do
-    {
-      'if res_dummy' => '-du',
-      'if sys_dummy' => 's-u',
-      'if pre_dummy' => 'sdu',
-      'if res_dummy or sys_dummy' => '-du',
-      'if res_dummy or pre_dummy' => '-du',
-      'if sys_dummy or pre_dummy' => 'sdu',
-      'if noc_dummy' => 's--',
-      'if noc_dummy or sys_dummy' => 's-u',
-      'if noc_dummy or res_dummy' => '-du',
-      'if self' => '-du',
-      'if other_right: resource_property' => '-du',
-      'true' => 's--',
-      'false or nil' => 's--'
-    }.each_pair do |condition,flags|
-      right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
-      right.flag_s.should == 'r???'
-      right.static? # trigger lazy initialization
-      right.flag_s.should == 'r'+flags
-    end
-  end
-
-  it 'should call referred rules when being executed' do
-    policy = RuleTestResPolicy.new(:user,:res)
-    
-    policy.expects(:res_dummy).returns(true)
-    policy.res_dummy_test.should be_true
-
-    policy.expects(:sys_dummy).returns(false)
-    policy.sys_dummy_test?.should be_false
-  end
-
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe AnnotationSecurity::Rule do
+
+  before(:all) do
+    AnnotationSecurity.define_relations(:rule_test_res) do
+      res_dummy
+      sys_dummy(:system) { false }
+      pre_dummy :pretest
+      noc_dummy :system, :require_credential => false
+
+      res_dummy_test { has_res_dummy }
+      sys_dummy_test "if is_sys_dummy"
+    end
+  end
+
+  it 'should create valid dynamic relations' do
+    rule = AnnotationSecurity::Rule.new(:res_proc, RuleTestResPolicy) { |u,r| true }
+    rule.to_s.should == '<RuleTestResPolicy#res_proc[--du]>'
+    rule = AnnotationSecurity::Rule.new(:res, RuleTestResPolicy, :resource)
+    rule.to_s.should == '<RuleTestResPolicy#res[--du]>'
+  end
+
+  it 'should create valid static relations' do
+    rule = AnnotationSecurity::Rule.new(:sys_proc, RuleTestResPolicy, :system) { true }
+    rule.to_s.should == '<RuleTestResPolicy#sys_proc[-s-u]>'
+  end
+
+  it 'should create valid pretest relations' do
+    rule = AnnotationSecurity::Rule.new(:pre_proc, RuleTestResPolicy, :pretest) { true }
+    rule.to_s.should == '<RuleTestResPolicy#pre_proc[-sdu]>'
+  end
+
+  it 'should create valid relations without user' do
+    rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy, :require_credential => false)
+    rule.to_s.should == '<RuleTestResPolicy#no_u[--d-]>'
+    rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+                              :system, :require_credential => false)
+    rule.to_s.should == '<RuleTestResPolicy#no_u[-s--]>'
+    rule = AnnotationSecurity::Rule.new(:no_u, RuleTestResPolicy,
+                              :pretest, :require_credential => false)
+    rule.to_s.should == '<RuleTestResPolicy#no_u[-sd-]>'
+  end
+
+  it 'should create valid rights' do
+    {
+      'if res_dummy' => '-du',
+      'if sys_dummy' => 's-u',
+      'if pre_dummy' => 'sdu',
+      'if res_dummy or sys_dummy' => '-du',
+      'if res_dummy or pre_dummy' => '-du',
+      'if sys_dummy or pre_dummy' => 'sdu',
+      'if noc_dummy' => 's--',
+      'if noc_dummy or sys_dummy' => 's-u',
+      'if noc_dummy or res_dummy' => '-du',
+      'if self' => '-du',
+      'if other_right: resource_property' => '-du',
+      'true' => 's--',
+      'false or nil' => 's--'
+    }.each_pair do |condition,flags|
+      right = AnnotationSecurity::Rule.new(:right, RuleTestResPolicy, :right, condition)
+      right.flag_s.should == 'r???'
+      right.static? # trigger lazy initialization
+      right.flag_s.should == 'r'+flags
+    end
+  end
+
+  it 'should call referred rules when being executed' do
+    policy = RuleTestResPolicy.new(:user,:res)
+    
+    policy.expects(:res_dummy).returns(true)
+    policy.res_dummy_test.should be_true
+
+    policy.expects(:sys_dummy).returns(false)
+    policy.sys_dummy_test?.should be_false
+  end
+
 end

data/spec/annotation_security/policy/test_policy_spec.rb

@@ -1,81 +1,81 @@
-require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
-
-AnnotationSecurity.define_relations(:a_test) do
-  sys_relation :system
-  res_relation :resource
-  pre_relation :pretest
-end
-
-describe ATestPolicy do
-
-  it 'should be dynamic' do
-    ATestPolicy.static?.should be_false
-  end
-
-  it 'should have a static partner' do
-    ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
-  end
-
-  it 'should know its resource type' do
-    ATestPolicy.resource_type.should eql(:a_test)
-  end
-
-  it 'should have all rules' do
-    ATestPolicy.has_rule?(:sys_relation).should be_true
-    ATestPolicy.has_rule?(:res_relation).should be_true
-    ATestPolicy.has_rule?(:pre_relation).should be_true
-  end
-
-  it 'should be aware of the evaluation time of a rule' do
-    ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
-    ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
-    ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
-    
-    ATestPolicy.has_static_rule?(:sys_relation).should be_true
-    ATestPolicy.has_static_rule?(:res_relation).should be_false
-    ATestPolicy.has_static_rule?(:pre_relation).should be_true
-  end
-
-  it 'should have access to rules defined for all resources' do
-    ATestPolicy.has_rule?(:__self__).should be_true
-    ATestPolicy.has_rule?(:logged_in).should be_true
-  end
-#
-#  it 'should be possible to add rules'
-#
-#  it 'should be possible to evaluate a list of rules (static/dynamic/both)'
-
-end
-
-describe ATestStaticPolicy do
-
-  it 'should be static' do
-    ATestStaticPolicy.static?.should be_true
-  end
-
-  it 'should not have a static partner' do
-    lambda {
-      ATestStaticPolicy.static_policy_class
-    }.should raise_error(NameError)
-  end
-
-  it 'should know its resource type' do
-    ATestStaticPolicy.resource_type.should eql(:a_test)
-  end
-
-  it 'should use the rule set of the dynamic policy' do
-    ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
-  end
-
-  it 'should have all static rules' do
-    ATestStaticPolicy.has_rule?(:sys_relation).should be_true
-    ATestStaticPolicy.has_rule?(:res_relation).should be_false
-    ATestStaticPolicy.has_rule?(:pre_relation).should be_true
-  end
-
-  it 'should have access to static rules defined for all resources' do
-    ATestStaticPolicy.has_rule?(:__self__).should be_false
-    ATestStaticPolicy.has_rule?(:logged_in).should be_true
-  end
-  
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+AnnotationSecurity.define_relations(:a_test) do
+  sys_relation :system
+  res_relation :resource
+  pre_relation :pretest
+end
+
+describe ATestPolicy do
+
+  it 'should be dynamic' do
+    ATestPolicy.static?.should be_false
+  end
+
+  it 'should have a static partner' do
+    ATestPolicy.static_policy_class.should eql(ATestStaticPolicy)
+  end
+
+  it 'should know its resource type' do
+    ATestPolicy.resource_type.should eql(:a_test)
+  end
+
+  it 'should have all rules' do
+    ATestPolicy.has_rule?(:sys_relation).should be_true
+    ATestPolicy.has_rule?(:res_relation).should be_true
+    ATestPolicy.has_rule?(:pre_relation).should be_true
+  end
+
+  it 'should be aware of the evaluation time of a rule' do
+    ATestPolicy.has_dynamic_rule?(:sys_relation).should be_false
+    ATestPolicy.has_dynamic_rule?(:res_relation).should be_true
+    ATestPolicy.has_dynamic_rule?(:pre_relation).should be_true
+    
+    ATestPolicy.has_static_rule?(:sys_relation).should be_true
+    ATestPolicy.has_static_rule?(:res_relation).should be_false
+    ATestPolicy.has_static_rule?(:pre_relation).should be_true
+  end
+
+  it 'should have access to rules defined for all resources' do
+    ATestPolicy.has_rule?(:__self__).should be_true
+    ATestPolicy.has_rule?(:logged_in).should be_true
+  end
+#
+#  it 'should be possible to add rules'
+#
+#  it 'should be possible to evaluate a list of rules (static/dynamic/both)'
+
+end
+
+describe ATestStaticPolicy do
+
+  it 'should be static' do
+    ATestStaticPolicy.static?.should be_true
+  end
+
+  it 'should not have a static partner' do
+    lambda {
+      ATestStaticPolicy.static_policy_class
+    }.should raise_error(NameError)
+  end
+
+  it 'should know its resource type' do
+    ATestStaticPolicy.resource_type.should eql(:a_test)
+  end
+
+  it 'should use the rule set of the dynamic policy' do
+    ATestStaticPolicy.rule_set.should eql(ATestPolicy.rule_set)
+  end
+
+  it 'should have all static rules' do
+    ATestStaticPolicy.has_rule?(:sys_relation).should be_true
+    ATestStaticPolicy.has_rule?(:res_relation).should be_false
+    ATestStaticPolicy.has_rule?(:pre_relation).should be_true
+  end
+
+  it 'should have access to static rules defined for all resources' do
+    ATestStaticPolicy.has_rule?(:__self__).should be_false
+    ATestStaticPolicy.has_rule?(:logged_in).should be_true
+  end
+  
 end

data/spec/annotation_security/security_context_spec.rb

@@ -1,78 +1,129 @@
-require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
-
-describe SecurityContext do
-
-  before(:each) do
-    @user1 = TestUser.new 'theuser'
-    @user2 = TestUser.new 'otheruser'
-  end
-
-  it "should check 'logged_in' for 'show'" do
-    request(@user1, :show, { :id => 'theuser' }).should succeed
-    request(@user2, :show, { :id => 'theuser' }).should succeed
-    request(nil, :show, { :id => 'theuser' }).should fail
-  end
-
-  it "should check 'owner' for 'edit'" do
-    request(@user1, :edit, { :id => 'theuser' }).should succeed
-    request(@user2, :edit, { :id => 'theuser' }).should fail
-  end
-
-  it "should check 'logged_in' and 'owner' for 'show_edit'" do
-    request(@user1, :show_edit, { :id => 'theuser' }).should succeed
-    request(@user2, :show_edit, { :id => 'theuser' }).should fail
-  end
-
-  it "should check 'owner' for 'delete' based on :id" do
-    request(@user1, :delete, { :id => 'theuser' }).should succeed
-    request(@user2, :delete, { :id => 'theuser' }).should fail
-  end
-
-  it "should not call action if check based on :id fails" do
-    TestController.expects(:enter_delete).never
-    request(@user2, :delete, { :id => 'theuser' }).should fail
-  end
-
-  it "should check 'owner' for 'list' based on @list" do
-    request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-    request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-    request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-  end
-
-  it "should not be disturbed by calls to #render" do
-    TestController.expects(:exit_render).twice
-    request(@user1, :edit_with_render,
-            { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
-    request(@user1, :edit_with_render,
-            { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
-  end
-
-  it "should check rules before #render" do
-    TestController.expects(:exit_render).never
-    request(@user1, :edit_with_render,
-            { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
-  end
-
-  # simulates an action invokation in rails
-  def request(user, action, params)
-    controller = TestController.new
-    controller.test_init(action, params)
-    SecurityContext.initialize(controller)
-    SecurityContext.credential = user
-    rules = controller.class.descriptions_of(action)
-    SecurityContext.current.send_with_security(rules, controller, action)
-    'no_error'
-  rescue SecurityViolationError => sve
-    sve
-  end
-
-  def succeed
-    eql 'no_error'
-  end
-
-  def fail
-    be_instance_of SecurityViolationError
-  end
-
-end
-
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe SecurityContext do
+
+  before(:each) do
+    @user1 = TestUser.new 'theuser'
+    @user2 = TestUser.new 'otheruser'
+  end
+
+  it "should check 'logged_in' for 'show'" do
+    request(@user1, :show, { :id => 'theuser' }).should succeed
+    request(@user2, :show, { :id => 'theuser' }).should succeed
+    request(nil, :show, { :id => 'theuser' }).should fail
+  end
+
+  it "should check 'owner' for 'edit'" do
+    request(@user1, :edit, { :id => 'theuser' }).should succeed
+    request(@user2, :edit, { :id => 'theuser' }).should fail
+  end
+
+  it "should check 'logged_in' and 'owner' for 'show_edit'" do
+    request(@user1, :show_edit, { :id => 'theuser' }).should succeed
+    request(@user2, :show_edit, { :id => 'theuser' }).should fail
+  end
+
+  it "should check 'owner' for 'delete' based on :id" do
+    request(@user1, :delete, { :id => 'theuser' }).should succeed
+    request(@user2, :delete, { :id => 'theuser' }).should fail
+  end
+
+  it "should not call action if check based on :id fails" do
+    TestController.expects(:enter_delete).never
+    request(@user2, :delete, { :id => 'theuser' }).should fail
+  end
+
+  it "should check 'owner' for 'list' based on @list" do
+    request(@user1, :list, { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+    request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+    request(@user1, :list, { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+  end
+
+  it "should not be disturbed by calls to #render" do
+    TestController.expects(:exit_render).twice
+    request(@user1, :edit_with_render,
+            { :id1 => 'theuser', :id2 => 'theuser' }).should succeed
+    request(@user1, :edit_with_render,
+            { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+  end
+
+  it "should check rules before #render" do
+    TestController.expects(:exit_render).never
+    request(@user1, :edit_with_render,
+            { :id1 => 'otheruser', :id2 => 'theuser' }).should fail
+  end
+
+  it "should disable security inside #without_security!" do
+    request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }).should fail
+
+    block = proc do |rules, controller, action|
+      SecurityContext.without_security! do
+        SecurityContext.current.enabled?.should be_false
+        SecurityContext.current.send_with_security(rules, controller, action)
+      end
+      SecurityContext.current.enabled?.should be_true
+    end
+    
+    request(@user1, :list, { :id1 => 'theuser', :id2 => 'otheruser' }, &block).should succeed
+  end
+
+  # simulates an action invokation in rails
+  def request(user, action, params, &block)
+    controller = TestController.new
+    controller.test_init(action, params)
+    SecurityContext.initialize(controller)
+    SecurityContext.credential = user
+    rules = controller.class.descriptions_of(action)
+    if block
+      yield(rules, controller, action)
+    else
+      SecurityContext.current.send_with_security(rules, controller, action)
+    end
+    
+    'no_error'
+  rescue SecurityViolationError => sve
+    sve
+  end
+
+  def succeed
+    eql 'no_error'
+  end
+
+  def fail
+    be_instance_of SecurityViolationError
+  end
+
+end
+
+describe 'SecurityContext#allowed?' do
+
+  before(:each) do
+    controller = TestController.new
+    SecurityContext.initialize(controller)
+    SecurityContext.credential = TestUser.new 'theuser'
+    @res1 = TestResource.new 'theuser'
+    @res2 = TestResource.new 'otheruser'
+  end
+
+  it "should accept symbol and object" do
+    SecurityContext.allowed?(:edit, @res1).should be_true
+    SecurityContext.allowed?(:edit, @res2).should be_false
+  end
+
+  it "should accept string and object" do
+    SecurityContext.allowed?('edit', @res1).should be_true
+    SecurityContext.allowed?('edit', @res2).should be_false
+  end
+
+  it "should accept description strings " do
+    SecurityContext.allowed?('edits a test_resource', @res1).should be_true
+    SecurityContext.allowed?('edits the test_resource (in @res2 which should fail)', @res2).should be_false
+  end
+
+  it "should not accept description strings with a source" do
+    lambda {
+      SecurityContext.allowed?('edits test_resource in @res1', @res1)
+    }.should raise_error(ArgumentError)
+  end
+
+end