annotation_security 1.0.2 → 1.3.1

data/lib/annotation_security/policy/rule_set.rb

@@ -1,139 +1,139 @@
-#
-# = lib/annotation_security/policy/rule_set.rb
-#
-
-# = AnnotationSecurity::RuleSet
-# Contains all rule objects for a policy
-#
-class AnnotationSecurity::RuleSet # :nodoc:
-
-  # Initializes the rule set
-  # * +pclass+ Policy class this rule set belongs to
-  #
-  def initialize(pclass)
-    super()
-    @pclass = pclass
-    @rights = {}
-    @static = {}
-    @dynamic = {}
-  end
-
-  def to_s
-    "<RuleSet of #@pclass>"
-  end
-
-  # Returns a rule object or nil if the rule does not exist.
-  # * +symbol+ name of the rule
-  # * +static+ boolean specifing whether the rule is static or dynamic
-  def get_rule(symbol,static)
-    static ? get_static_rule(symbol) : get_dynamic_rule(symbol)
-  end
-
-  # Returns a dynamic rule or nil if the rule does not exist.
-  # * +symbol+ name of the rule
-  def get_dynamic_rule(symbol)
-    # If no rule is available, maybe there is a right that can be used
-    @dynamic[symbol] ||= get_dynamic_right(symbol)
-  end
-
-  # Returns a static rule or nil if the rule does not exist.
-  # * +symbol+ name of the rule
-  def get_static_rule(symbol)
-    # If no rule is available, maybe there is a right that can be used
-    @static[symbol] ||= get_static_right(symbol)
-  end
-
-  # Copies a rule from another rule set.
-  # Returns the newly created rule or nil if the operation had no effect.
-  # * +symbol+ name of the rule
-  # * +source+ rule set to copy from
-  # * +static+ boolean specifing whether the rule is static or dynamic
-  def copy_rule_from(symbol,source,static)
-    add_copy(source.get_rule(symbol,static))
-  end
-
-  # Creates a dynamic rule that redirects to a static rule with the same name.
-  # Returns the newly created rule or nil if the operation had no effect.
-  # * +symbol+ name of the rule
-  def create_dynamic_copy(symbol)
-    rule = get_static_rule(symbol)
-    if rule
-      add_rule(symbol,
-          "static_policy.#{symbol}(*args)",
-          :resource,
-          :require_credential => rule.requires_credential?)
-    end
-  end
-
-  # Adds a new rule to this rule set. The rule will be classified either
-  # as dynamic, static, both or right.
-  # Returns the newly create rule.
-  # For an explainition of the parameters see AnnotationSecurity::Rule#initialize.
-  def add_rule(symbol,*args,&block)
-    __add__ AnnotationSecurity::Rule.new(symbol,@pclass,*args,&block)
-  end
-
-  private
-
-  # Copies a rule object to this rule set.
-  # Returns the newly created rule or nil.
-  # * +rule+ rule object to copy or nil.
-  def add_copy(rule)
-    __add__(rule.copy(@pclass)) if rule
-  end
-
-  # Adds a new rule to this rule set. The rule will be classified either
-  # as dynamic, static, both or right.
-  # * +rule+ rule object
-  def __add__(rule)
-    if rule.right?
-      # if the rule is a right, its not clear yet whether
-      # it is static or dynamic. These rules will be analyzed later.
-      raise_if_forbidden_name 'right', rule
-      raise_if_exists 'right', @rights[rule.name]
-      @rights[rule.name] = rule
-    else
-      raise_if_forbidden_name 'relation', rule
-      if rule.dynamic?
-        raise_if_exists 'dynamic relation', @dynamic[rule.name]
-        @dynamic[rule.name] = rule
-      end
-      if rule.static?
-        raise_if_exists 'static relation', @static[rule.name]
-        @static[rule.name] = rule
-      end
-    end
-    rule
-  end
-
-  # Raises an error if +rule+ is not nil.
-  # * +type+ type of rule, like 'right' or 'dynamic relation'
-  # * +rule+ existing rule object or nil
-  def raise_if_exists(type,rule)
-    raise AnnotationSecurity::RuleError.defined_twice(type,rule) if rule
-  end
-
-  # Raises an error if +rule+ has a forbidden name.
-  # * +type+ type of rule, like 'right' or 'relation'
-  # * +rule+ rule object
-  def raise_if_forbidden_name(type,rule)
-    if AnnotationSecurity::AbstractPolicy.forbidden_rule_names.include? rule.name.to_s
-      raise AnnotationSecurity::RuleError.forbidden_name(type,rule)
-    end
-  end
-
-  # Returns a dynamic rule that was defined as right
-  # * +symbol+ name of the rule
-  def get_dynamic_right(symbol)
-    r = @rights[symbol]
-    r and r.dynamic? ? r : nil
-  end
-
-  # Returns a static rule that was defined as right
-  # * +symbol+ name of the rule
-  def get_static_right(symbol)
-    r = @rights[symbol]
-    r and r.static? ? r : nil
-  end
-
+#
+# = lib/annotation_security/policy/rule_set.rb
+#
+
+# = AnnotationSecurity::RuleSet
+# Contains all rule objects for a policy
+#
+class AnnotationSecurity::RuleSet # :nodoc:
+
+  # Initializes the rule set
+  # * +pclass+ Policy class this rule set belongs to
+  #
+  def initialize(pclass)
+    super()
+    @pclass = pclass
+    @rights = {}
+    @static = {}
+    @dynamic = {}
+  end
+
+  def to_s
+    "<RuleSet of #@pclass>"
+  end
+
+  # Returns a rule object or nil if the rule does not exist.
+  # * +symbol+ name of the rule
+  # * +static+ boolean specifing whether the rule is static or dynamic
+  def get_rule(symbol,static)
+    static ? get_static_rule(symbol) : get_dynamic_rule(symbol)
+  end
+
+  # Returns a dynamic rule or nil if the rule does not exist.
+  # * +symbol+ name of the rule
+  def get_dynamic_rule(symbol)
+    # If no rule is available, maybe there is a right that can be used
+    @dynamic[symbol] ||= get_dynamic_right(symbol)
+  end
+
+  # Returns a static rule or nil if the rule does not exist.
+  # * +symbol+ name of the rule
+  def get_static_rule(symbol)
+    # If no rule is available, maybe there is a right that can be used
+    @static[symbol] ||= get_static_right(symbol)
+  end
+
+  # Copies a rule from another rule set.
+  # Returns the newly created rule or nil if the operation had no effect.
+  # * +symbol+ name of the rule
+  # * +source+ rule set to copy from
+  # * +static+ boolean specifing whether the rule is static or dynamic
+  def copy_rule_from(symbol,source,static)
+    add_copy(source.get_rule(symbol,static))
+  end
+
+  # Creates a dynamic rule that redirects to a static rule with the same name.
+  # Returns the newly created rule or nil if the operation had no effect.
+  # * +symbol+ name of the rule
+  def create_dynamic_copy(symbol)
+    rule = get_static_rule(symbol)
+    if rule
+      add_rule(symbol,
+          "static_policy.#{symbol}(*args)",
+          :resource,
+          :require_credential => rule.requires_credential?)
+    end
+  end
+
+  # Adds a new rule to this rule set. The rule will be classified either
+  # as dynamic, static, both or right.
+  # Returns the newly create rule.
+  # For an explainition of the parameters see AnnotationSecurity::Rule#initialize.
+  def add_rule(symbol,*args,&block)
+    __add__ AnnotationSecurity::Rule.new(symbol,@pclass,*args,&block)
+  end
+
+  private
+
+  # Copies a rule object to this rule set.
+  # Returns the newly created rule or nil.
+  # * +rule+ rule object to copy or nil.
+  def add_copy(rule)
+    __add__(rule.copy(@pclass)) if rule
+  end
+
+  # Adds a new rule to this rule set. The rule will be classified either
+  # as dynamic, static, both or right.
+  # * +rule+ rule object
+  def __add__(rule)
+    if rule.right?
+      # if the rule is a right, its not clear yet whether
+      # it is static or dynamic. These rules will be analyzed later.
+      raise_if_forbidden_name 'right', rule
+      raise_if_exists 'right', @rights[rule.name]
+      @rights[rule.name] = rule
+    else
+      raise_if_forbidden_name 'relation', rule
+      if rule.dynamic?
+        raise_if_exists 'dynamic relation', @dynamic[rule.name]
+        @dynamic[rule.name] = rule
+      end
+      if rule.static?
+        raise_if_exists 'static relation', @static[rule.name]
+        @static[rule.name] = rule
+      end
+    end
+    rule
+  end
+
+  # Raises an error if +rule+ is not nil.
+  # * +type+ type of rule, like 'right' or 'dynamic relation'
+  # * +rule+ existing rule object or nil
+  def raise_if_exists(type,rule)
+    raise AnnotationSecurity::RuleError.defined_twice(type,rule) if rule
+  end
+
+  # Raises an error if +rule+ has a forbidden name.
+  # * +type+ type of rule, like 'right' or 'relation'
+  # * +rule+ rule object
+  def raise_if_forbidden_name(type,rule)
+    if AnnotationSecurity::AbstractPolicy.forbidden_rule_names.include? rule.name.to_s
+      raise AnnotationSecurity::RuleError.forbidden_name(type,rule)
+    end
+  end
+
+  # Returns a dynamic rule that was defined as right
+  # * +symbol+ name of the rule
+  def get_dynamic_right(symbol)
+    r = @rights[symbol]
+    r and r.dynamic? ? r : nil
+  end
+
+  # Returns a static rule that was defined as right
+  # * +symbol+ name of the rule
+  def get_static_right(symbol)
+    r = @rights[symbol]
+    r and r.static? ? r : nil
+  end
+
 end

data/lib/annotation_security/rails.rb

@@ -1,39 +1,22 @@
-#
-# = annotation_security/rails/init.rb
-#
-# Loads the annotation security layer for a rails app
-
-require "action_controller/dispatcher"
-require "action_controller/base"
-
-module AnnotationSecurity
-
-  # Contains rails specific initializer
-  class Rails
-    def self.init!(config)
-      
-      # Policy files are situated under RAILS_ROOT/config/security
-      # Default policy file is internal, load it
-      ::AnnotationSecurity.load_relations(File.dirname(__FILE__) + '/policy/all_resources_policy')
-
-      # Add AnnotationSecurity::ModelObserver to observe changes in models.
-      # See http://riotprojects.com/2009/1/18/active-record-observers-in-gems-plugins
-      #
-      config.after_initialize do
-        # Set up a dummy security context that does not interfer with script
-        ::SecurityContext.initialize nil
-
-        ::ActiveRecord::Base.observers << ::AnnotationSecurity::ModelObserver
-
-        # In development mode, the models we observe get reloaded with each request. Using
-        # this hook allows us to reload the observer relationships each time as well.
-        ::ActionController::Dispatcher.to_prepare(:cache_advance_reload) do
-          ::AnnotationSecurity.reset
-          ::AnnotationSecurity::ModelObserver.instance.reload_model_observer
-        end
-      end
-
-      puts "Security layer initialized"
-    end
-  end
-end
+#
+# = lib/annotation_security/rails.rb
+#
+# This modul provides the rails extensions contained in the
+# AnnotationSecurity security layer.
+#
+
+#
+# Contains rails specific extensions
+#
+module AnnotationSecurity::Rails; end
+
+# Load annotation security files
+rails_version = Rails::VERSION::MAJOR
+dir = File.dirname(__FILE__)
+
+require dir + "/rails/#{rails_version}/includes/action_controller"
+require dir + "/rails/#{rails_version}/includes/active_record"
+
+require dir + "/rails/#{rails_version}/model_observer"
+require dir + "/rails/#{rails_version}/initializer"
+require dir + "/rails/filters"

data/lib/{extensions → annotation_security/rails/2/extensions}/filter.rb

@@ -1,134 +1,132 @@
-#
-# = lib/extensions/filter.rb
-#
-# Adds security filters to the Rails filter mechanism.
-# 
-# Modifies ActionController::Filter::FilterChain. Might not work with other
-# gems modifying this class.
-#
-
-# Extends ActiveRecord::Base and patches ActionController::Filters
-#
-# Performs additions to the rails filter chain. It basically adds two
-# filters which may not be removed:
-#
-#  1) Before Fiter to initialize SecurityContext
-#  2) Around Filter around actions
-#
-# The altered filter chain looks like this:
-#
-#  * AnnotationSecurity::Filters::InitializeSecurity
-#  * ... other before filters
-#  * around filters ...
-#  * AnnotationSecurity::Filters::ApplySecurity
-#  * after filters
-#
-module ActionController # :nodoc:
-  module Filters # :nodoc:
-    class FilterChain # :nodoc:
-      def self.new(&block)
-        super.tap do |filter_chain|
-          filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::InitializeSecurity], :security, &block)
-          filter_chain.append_filter_to_chain([AnnotationSecurity::Filters::ApplySecurity], :action_security, &block)
-        end
-      end
-
-      private
-
-      def find_filter_append_position(filters, filter_type)
-        # appending an after filter puts it at the end of the call chain
-        # before and around filters go after security filters and
-        # before the first after or action_security filter
-        #
-        return -1 if filter_type == :after
-
-        if filter_type == :security
-          #security filters are first filters in chain
-          each_with_index do |f,i|
-            return i unless f.security?
-          end
-        else
-          each_with_index do |f,i|
-            return i if f.after? or f.action_security?
-          end
-        end
-        return -1
-      end
-
-      def find_filter_prepend_position(filters, filter_type)
-        if filter_type == :after
-          # after filters go before the first after filter in the chain
-          each_with_index do |f,i|
-            return i if f.after?
-          end
-          return -1
-        elsif filter_type == :security
-          return 0
-        else
-          # prepending a before or around filter puts it at the front of the call chain
-          each_with_index do |f,i|
-            return i unless f.security?
-          end
-        end
-        return 0 # Since first filter is security initialization filter
-      end
-
-      def find_or_create_filter(filter, filter_type, options = {})
-        update_filter_in_chain([filter], options)
-
-        if found_filter = find(filter) { |f| f.type == filter_type }
-          found_filter
-        else
-          filter_kind = case
-          when filter.respond_to?(:before) && filter_type == :before
-            :before
-          when filter.respond_to?(:after) && filter_type == :after
-            :after
-          else
-            :filter
-          end
-
-          case filter_type
-          when :before
-            BeforeFilter.new(filter_kind, filter, options)
-          when :after
-            AfterFilter.new(filter_kind, filter, options)
-          when :security
-            SecurityFilter.new(filter_kind, filter, options)
-          when :action_security
-            ActionSecurityFilter.new(filter_kind, filter, options)
-          else
-            AroundFilter.new(filter_kind, filter, options)
-          end
-        end
-      end
-    end
-
-    class Filter # :nodoc:
-
-      # override to return true in appropriate subclass
-      def security?
-        false
-      end
-
-      def action_security?
-        false
-      end
-    end
-
-    # the customized security filter that sets the current user
-    # and catches security exceptions
-    class SecurityFilter < AroundFilter # :nodoc:
-      def security?
-        true
-      end
-    end
-
-    # filter used to activate security for actions
-    class ActionSecurityFilter < AroundFilter # :nodoc:
-      def action_security?
-        true
-      end
-    end
-  end
+#
+# = lib/annotation_security/rails/extensions/filter/rails2.rb
+#
+# Patches rails 2 filter chain to allow security filters
+#
+
+# Extends ActiveRecord::Base and patches ActionController::Filters
+#
+# Performs additions to the rails filter chain. It basically adds two
+# filters which may not be removed:
+#
+#  1) Before Fiter to initialize SecurityContext
+#  2) Around Filter around actions
+#
+# The altered filter chain looks like this:
+#
+#  * AnnotationSecurity::Rails::Filters::InitializeSecurity
+#  * ... other before filters
+#  * around filters ...
+#  * AnnotationSecurity::Rails::Filters::ApplySecurity
+#  * after filters
+#
+
+module ActionController # :nodoc:
+  module Filters # :nodoc:
+    class FilterChain # :nodoc:
+      def self.new(&block)
+        returning super do |filter_chain|
+          filter_chain.append_filter_to_chain([AnnotationSecurity::Rails::Filters::InitializeSecurity], :security, &block)
+          filter_chain.append_filter_to_chain([AnnotationSecurity::Rails::Filters::ApplySecurity], :action_security, &block)
+        end
+      end
+
+      private
+
+      def find_filter_append_position(filters, filter_type)
+        # appending an after filter puts it at the end of the call chain
+        # before and around filters go after security filters and
+        # before the first after or action_security filter
+        #
+        return -1 if filter_type == :after
+
+        if filter_type == :security
+          #security filters are first filters in chain
+          each_with_index do |f,i|
+            return i unless f.security?
+          end
+        else
+          each_with_index do |f,i|
+            return i if f.after? or f.action_security?
+          end
+        end
+        return -1
+      end
+
+      def find_filter_prepend_position(filters, filter_type)
+        if filter_type == :after
+          # after filters go before the first after filter in the chain
+          each_with_index do |f,i|
+            return i if f.after?
+          end
+          return -1
+        elsif filter_type == :security
+          return 0
+        else
+          # prepending a before or around filter puts it at the front of the call chain
+          each_with_index do |f,i|
+            return i unless f.security?
+          end
+        end
+        return 0 # Since first filter is security initialization filter
+      end
+
+      def find_or_create_filter(filter, filter_type, options = {})
+        update_filter_in_chain([filter], options)
+
+        if found_filter = find(filter) { |f| f.type == filter_type }
+          found_filter
+        else
+          filter_kind = case
+          when filter.respond_to?(:before) && filter_type == :before
+            :before
+          when filter.respond_to?(:after) && filter_type == :after
+            :after
+          else
+            :filter
+          end
+
+          case filter_type
+          when :before
+            BeforeFilter.new(filter_kind, filter, options)
+          when :after
+            AfterFilter.new(filter_kind, filter, options)
+          when :security
+            SecurityFilter.new(filter_kind, filter, options)
+          when :action_security
+            ActionSecurityFilter.new(filter_kind, filter, options)
+          else
+            AroundFilter.new(filter_kind, filter, options)
+          end
+        end
+      end
+    end
+
+    class Filter # :nodoc:
+
+      # override to return true in appropriate subclass
+      def security?
+        false
+      end
+
+      def action_security?
+        false
+      end
+    end
+
+    # the customized security filter that sets the current user
+    # and catches security exceptions
+    class SecurityFilter < AroundFilter # :nodoc:
+      def security?
+        true
+      end
+    end
+
+    # filter used to activate security for actions
+    class ActionSecurityFilter < AroundFilter # :nodoc:
+      def action_security?
+        true
+      end
+    end
+  end
 end