api_authorization 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 94acc2d7dd25207a51d40cfb954a679042f15a0b9d9b68c4fd36f75cfea3fbd9
+  data.tar.gz: cdef5a4d61e6f6d83f8787016281ff959bd2e0e820fd45d9eb4c7030239dac98
+SHA512:
+  metadata.gz: ecf08b501bf862dcef4b1bb603c2255aee2c5db3d724a3aeafc171829d1cf303582cca2568aae82a85519e682a0809c8345880a2e6a62729663fea2ed06b8be4
+  data.tar.gz: 46fd8d2142abd9038bbffd6c232a9a68df34c1beca042f3c0adfd07de2587f6b7675a71dc11957c1500621d9fcc289f9ebb4f2096ebac804f38c1b9f294ba368

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2020 Azdren Ymeri
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,51 @@
+# Api Authorization (The gem is in development)
+A multiple role-based authorization, based on controller actions.
+
+![Tests](https://github.com/montedelgallo/api-authorization/workflows/Ruby/badge.svg?branch=master)
+![Ruby Gem](https://github.com/montedelgallo/api-authorization/workflows/Ruby%20Gem/badge.svg?branch=master)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+##### Database Model
+![db_model](model.jpg)
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'api_authorization'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install api_authorization
+```
+
+## Usage
+1. After you have created your users_table(through devise or manually) next run 
+```bash
+$ rails api_auth:initialize
+```
+2. Next populate permissions table with your controllers and actions run:
+```bash
+$ rails api_auth:create_permissions
+```
+3. Include the Authorization module on your `ApplicationController` :
+```ruby
+  include ActionController::Helpers
+  include ApiAuthorization
+  enable_role_authorization
+```
+4. DONE
+
+##### More CLI commands will be published soon
+
+## Contributing
+Feel free to suggest a feature or report a bug.
+#### [Code Of Conduct](CODE_OF_CONDUCT.md)
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ApiAuthorization'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |_t|
+  # t.libs << 'spec'
+  # t.pattern = 'test/**/*_test.rb'
+  # t.verbose = true
+  sh 'rspec --format documentation'
+end
+
+task default: :test
+Rake.add_rakelib 'lib/tasks'

data/bin/api_auth

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+rake api_auth: init

data/lib/api_authorization.rb

@@ -0,0 +1,5 @@
+require "api_authorization/railtie"
+
+module ApiAuthorization
+  # Your code goes here...
+end

data/lib/api_authorization/railtie.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module ApiAuthorization
+  extend ActiveSupport::Concern
+
+  included do |_mod|
+    helper_method :check_role
+
+    def self.enable_role_authorization
+      before_action :check_role
+    end
+
+    # Filter the request with by controller and action to know if a user
+    # can execute that action in that controller
+    #
+    # @return when the user is allowed
+    def check_role
+      puts 'AUTHORIZATION: Checking user roles' if Rails.env == 'development'
+      roles = current_user.try(:roles)
+      return if roles.find { |role| role.try(:name).try(:downcase) == 'superadmin' }
+
+      return render json: { error: 'You are not authorized' }, status: 403 if current_user.roles.empty?
+
+      current_user.roles.each do |role|
+        return if role.permissions.where(controller: params['controller'], action: params['action']).count.positive?
+      end
+
+      render json: { error: 'You are not authorized' }, status: 403
+    rescue StandardError => e
+      render json: { error: 'You are not authorized' }, status: 403
+    end
+
+    # Filter the request params to know wether or not a user has
+    # the right to push a certain value as a parameter.
+    #
+    # example:
+    #
+    # allowed_params = { anno: [2019] }
+    # will remove from the params if the params hash contain a key :anno
+    # with a value which is not 2019
+    #
+    # @params [Action::Parameters]
+    # @return [Action::Parameters] without the disallowed key/values.
+    def check_allowed_params(params, controller, action)
+      puts 'AUTHORIZATION: Checking the request params' if Rails.env == 'development'
+
+      roles = current_user.try(:permissions)
+      return params if roles.find { |role| role.try(:name).try(:downcase) == 'superadmin' }
+
+      rules = roles.where('controller = ? AND action = ? AND allowed_params IS NOT NULL', controller, action)
+
+      return params if rules.nil? || rules.empty?
+
+      rules.each do |rule|
+        next if rule.allowed_params.nil?
+
+        # puts "####### ruleS => #{rule.allowed_params.inspect}"
+        rule.allowed_params.each do |k, v|
+          puts " key: #{k}, value: #{v}"
+          params.delete(k) unless Array(v).include?(params[k]) || v == params[k]
+        end
+      end
+
+      params
+    end
+  end
+
+  class Railtie < ::Rails::Railtie
+    # exportin rake tasks
+    rake_tasks do
+      load 'tasks/initialize.rake'
+      load 'tasks/user_tasks.rake'
+    end
+  end
+end

data/lib/api_authorization/version.rb

@@ -0,0 +1,3 @@
+module ApiAuthorization
+  VERSION = '0.1.2'
+end

data/lib/app_routes/application_routes.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module AppRoutes
+  class ApplicationRoutes
+    def initialize
+      @routes = []
+
+      Rails.application.routes.routes.map do |r|
+        route = {
+          url: r.defaults[:controller],
+          controller: r.defaults[:controller],
+          action: r.defaults[:action],
+          method: r.verb
+        }
+        # rotta_finale = {
+        #   controller: r.defaults[:controller],
+        #   action: r.defaults[:action]
+        # }
+        # check = rotta[:controller]
+        # verb = rotta[:method]
+        # action = rotta[:action]
+        # if check && verb != 'PATCH' && action != 'new' && action != 'edit'
+        #   @routes.push(rotta_finale) if check.include? 'api/v1'
+        # end
+
+        @routes.push(route)
+      end
+      generate_routes
+    end
+
+    def call
+      @routes.group_by { |n| n[:controller] }.each { |_k, v| v.uniq! }
+    end
+
+    def generate_routes
+      puts 'Populating permissions_table with routes of the application' if Rails.env == 'development'
+      Permission.destroy_all
+      @routes.each do |k|
+        Permission.create!(controller: k[:controller], action: k[:action])
+      end
+      puts 'Done!' if Rails.env == 'development'
+    end
+
+    private
+
+    attr_accessor :routes
+  end
+end

data/lib/tasks/initialize.rake

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require_relative './../app_routes/application_routes.rb'
+
+namespace :api_auth do
+  desc 'Create the initial tables and populate the permissions table'
+  task :init, %i[tenant single_role] => [:environment] do |_t, args|
+    Apartment::Tenant.switch! args[:tenant] if args[:tenant]
+
+    puts 'Initializing'
+    # TODO: before creating the migration make sure to check that there is
+    #  no roles tables or permissions tables
+    if ActiveRecord::Base.connection.table_exists? 'users'
+
+      if args[:single_role].nil?
+        # creating roles table
+        sh 'rails g model role name:string description:text'
+        Rake::Task['db:migrate'].invoke
+
+        # creating a join table between users and roles
+        sh 'rails g migration CreateJoinTableUserRole user role'
+        sh 'rails db:migrate'
+
+      else
+        sh 'rails g model role name:string description:text user:references'
+        sh 'rails db:migrate'
+      end
+
+      # creating permissions table
+      sh 'rails g model permission controller:string action:string allowed_params:json'
+      sh 'rails db:migrate'
+
+      # creating a join table between roles and permissions
+      sh 'rails g migration CreateJoinTableRolePermission role permission'
+      sh 'rails db:migrate'
+
+    else
+      puts 'users table does not exist !'
+      next
+    end
+    puts 'Done !'
+  end
+
+  desc 'Populate the permissions table with all the controllers and actions of the application'
+  task :create_permissions, %i[tenant] => [:environment] do |_t, args|
+    Apartment::Tenant.switch! args[:tenant] if args[:tenant]
+    AppRoutes::ApplicationRoutes.new
+  end
+end

data/lib/tasks/user_tasks.rake

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+namespace :api_auth do
+  desc 'Create a default user and make it superadmin'
+  task :create_superadmin, [:tenant] => [:environment] do |_t, args|
+    Apartment::Tenant.switch args[:tenant] do
+      user = User.find_by_email('giovanni@montedelgallo.com')
+      role = Role.find_by_name('superadmin')
+      if user
+        puts 'User giovanni@montedelgallo.com already exists'
+      else
+        user = User.create!(email: 'giovanni@montedelgallo.com', password: '123456')
+        puts "User created with email: 'giovanni@montedelgallo.com', password: '123456'"
+      end
+      role ||= Role.create!(name: 'superadmin')
+      user.roles << role
+    end
+    puts '###################################################'
+    puts '##'
+    puts '##   USER CREATED:'
+    puts '##'
+    puts '##   email: giovanni@montedelgallo.com'
+    puts '##   password: 123456'
+    puts "##   tenant: #{args[:tenant]}"
+    puts '##'
+    puts '###################################################'
+  end
+
+  desc 'create custom user'
+  task :create_user, %i[tenant email password] => [:environment] do |_t, args|
+    Apartment::Tenant.switch args[:tenant] do
+      User.create!(email: args[:email], password: args[:password])
+      puts '###################################################'
+      puts '##'
+      puts '##   USER CREATED:'
+      puts '##'
+      puts "##   email: #{args[:email]}"
+      puts "##   password: #{args[:password]}"
+      puts "##   tenant: #{args[:tenant]}"
+      puts '##'
+      puts '###################################################'
+    end
+  end
+
+  desc 'Reset user password'
+  task :reset_password, %i[tenant email new_password] => [:environment] do |_t, args|
+    # rails "auth:reset_password[uno, giovanni@montedelgallo.com, password]"
+    Apartment::Tenant.switch args[:tenant] do
+      user = User.find_by_email(args[:email])
+      user.password = args[:new_password]
+      user.save
+    end
+
+    puts '###################################################'
+    puts '##'
+    puts '##   USER PASSWORD RESET:'
+    puts '##'
+    puts "##   email: #{args[:email]}"
+    puts "##   password: #{args[:new_password]}"
+    puts "##   tenant: #{args[:tenant]}"
+    puts '##'
+    puts '###################################################'
+  end
+
+  desc 'Make a user superadmin'
+  task :promote_superadmin, %i[tenant email] => [:environment] do |_t, args|
+    # rails "auth:reset_password[uno, giovanni@montedelgallo.com, password]"
+    Apartment::Tenant.switch args[:tenant] do
+      user = User.find_by_email(args[:email])
+      role = Role.find_by_name('superadmin')
+      role ||= Role.create!(name: 'superadmin')
+      user.roles << role
+    end
+
+    puts '###################################################'
+    puts '##'
+    puts '##   USER PROMOTED TO SUPERADMIN:'
+    puts '##'
+    puts "##   email: #{args[:email]}"
+    puts "##   tenant: #{args[:tenant]}"
+    puts '##'
+    puts '###################################################'
+  end
+
+  desc 'create admin'
+  task :create_admin, %i[email password] => [:environment] do |_t, args|
+    Admin.create!(email: args[:email], password: args[:password])
+    puts '###################################################'
+    puts '##'
+    puts '##   ADMIN CREATED:'
+    puts '##'
+    puts "##   email: #{args[:email]}"
+    puts "##   password: #{args[:password]}"
+    puts '##'
+    puts '###################################################'
+  end
+end

metadata

@@ -0,0 +1,106 @@
+--- !ruby/object:Gem::Specification
+name: api_authorization
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- Giovanni Panasiti
+- Azdren Ymeri
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-08-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.0.3
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.3.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.0.3
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.3.2
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Highly flexible authorization where a user can have more than 1 role
+  with differen permissions.
+email:
+- giovanni@montedelgallo.com
+- azdren.ymeri@montedelgallo.com
+executables:
+- api_auth
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- bin/api_auth
+- lib/api_authorization.rb
+- lib/api_authorization/railtie.rb
+- lib/api_authorization/version.rb
+- lib/app_routes/application_routes.rb
+- lib/tasks/initialize.rake
+- lib/tasks/user_tasks.rake
+homepage: https://montedelgallo.com/
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org/
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: A multi role bassed authorization
+test_files: []