arrthorizer 0.1.0.pre

data/lib/arrthorizer/version.rb

@@ -0,0 +1,3 @@
+module Arrthorizer
+  VERSION = "0.1.0.pre"
+end

data/lib/arrthorizer.rb

@@ -0,0 +1,28 @@
+require "arrthorizer/version"
+
+module Arrthorizer
+  autoload :ArrthorizerException,     "arrthorizer/arrthorizer_exception"
+
+  autoload :Registry,                 "arrthorizer/registry"
+
+  autoload :Role,                     "arrthorizer/role"
+  autoload :ContextRole,              "arrthorizer/context_role"
+
+  autoload :Permission,               "arrthorizer/permission"
+  autoload :Privilege,                "arrthorizer/privilege"
+
+  autoload :ContextBuilder,           "arrthorizer/context_builder"
+
+  autoload :Rails,                    "arrthorizer/rails"
+
+  require 'arrthorizer/context'
+  require 'arrthorizer/roles'
+
+  if defined?(::Rails)
+    Arrthorizer::Rails.initialize!
+  end
+
+  def self.configure(&block)
+    self.tap(&block)
+  end
+end

data/lib/generators/arrthorizer/install/USAGE

@@ -0,0 +1,9 @@
+Description:
+    Generates all the files that are needed to use Arrthorizer in your application.
+
+Usage:
+    rails generate arrthorizer:install
+
+    This will create:
+        config/arrthorizer.yml
+        app/roles/.gitkeep

data/lib/generators/arrthorizer/install/install_generator.rb

@@ -0,0 +1,62 @@
+module Arrthorizer
+  module Generators
+    class InstallGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def create_roles_dir
+        create_file gitkeep_for(roles_dir), ''
+      end
+
+      def create_config_file
+        copy_file "config.yml", "config/arrthorizer.yml"
+      end
+
+      def activate_filter
+        insert_into_file 'app/controllers/application_controller.rb', filter_code, after: /class ApplicationController.*$/
+        insert_into_file 'app/controllers/application_controller.rb', context_preparation_code, before: /end$\s*\z/
+      end
+
+    protected
+      def filter_code
+        <<-FILTER_CODE
+
+  # Activate Arrthorizer's authorization checks for each
+  # request to this controller's actions
+  requires_authorization
+        FILTER_CODE
+      end
+
+      def context_preparation_code
+        <<-PREPARATION_CODE
+
+  # By default, configure Arrthorizer to provide all params,
+  # except for :controller and :action, as context to all
+  # ContextRoles.
+  to_prepare_context do |c|
+    c.defaults do
+      # this block must return a Hash-like object. It is
+      # advisable to put actual objects in this hash instead
+      # of ids and such. The block is executed within the
+      # controller, so all methods defined on the controller
+      # are available in this block.
+      params.except(:controller, :action)
+    end
+
+    # for specific actions, additional context can be defined
+    # c.for_action(:new) do
+    #   arrthorizer_defaults.merge(key: 'value')
+    # end
+  end
+        PREPARATION_CODE
+      end
+
+      def gitkeep_for(directory)
+        directory.join('.gitkeep')
+      end
+
+      def roles_dir
+        ::Rails.root.join('app', 'roles')
+      end
+    end
+  end
+end

data/lib/generators/arrthorizer/install/templates/config.yml

@@ -0,0 +1,49 @@
+---
+# This file contains the configuration for Arrthorizer. It defines privileges and links them to
+# both Controller Actions and the Roles that are allowed to use them.
+#
+# Say we're writing a forum, and we have a Forum::TopicsController with the default REST actions.
+# We might want to split these REST actions into Create, Read, Update and Delete privileges
+# (Let's call them 'create_forum_topic', 'read_forum_topic', 'update_forum_topic' and
+# 'delete_forum_topic'. None of these names are magically generated - *you* get to choose the
+# names).
+#
+# Let's also assume that we have Roles for Forum::TopicStarter and Forum::Administrators.
+# ForumTopicStarters may be allowed to delete any topics they started and update them in
+# whatever way they deem relevant, but not change any topics they did not start themselves. This
+# means the role would be a ContextRole.
+# Let's also assume you have a LoggedInUser role which allows anyone to see any topic or start a
+# new one, as # long as they're logged in.
+#
+# We would define these privileges as follows:
+#
+# read_forum_topic:
+#   actions:
+#     - forum/topics:
+#       - show
+#       - index
+#   roles:
+#     - LoggedInUser
+#
+# create_forum_topic:
+#   actions:
+#     - forum/topics:
+#       - new
+#       - create
+#   roles:
+#     - LoggedInUser
+#
+# delete_forum_topic:
+#   actions:
+#     - forum/topics:
+#       - destroy
+#   roles:
+#     - Forum::TopicStarter
+#
+# update_forum_topic:
+#   actions:
+#     - forum/topics:
+#       - edit
+#       - update
+#   roles:
+#     - Forum::TopicStarter

data/spec/arrthorizer_exception/inner_spec.rb

@@ -0,0 +1,21 @@
+require "spec_helper"
+
+describe Arrthorizer::ArrthorizerException do
+  describe :inner do
+    let(:inner_exception) { Class.new(StandardError).new }
+
+    context "when an ArrthorizerException is raised from a rescue block" do
+      it "wraps the rescued exception and exposes it via the #inner method" do
+        begin
+          raise inner_exception
+        rescue
+          begin
+            raise Arrthorizer::ArrthorizerException
+          rescue Exception => e
+            e.inner.should be inner_exception
+          end
+        end
+      end
+    end
+  end
+end

data/spec/context/equals_spec.rb

@@ -0,0 +1,44 @@
+require "spec_helper"
+
+describe Arrthorizer::Context do
+  let(:context_hash) { { some_key: 'some_value' } }
+  let(:context) { Arrthorizer::Context.new(context_hash) }
+
+  describe :== do
+    context "when an Arrthorizer::Context is provided" do
+      context "and that context has the same contents" do
+        let(:other) { Arrthorizer::Context.new(context_hash) }
+
+        it "returns true" do
+          expect(context).to eq(other)
+        end
+      end
+
+      context "but that context has different contents" do
+        let(:other) { Arrthorizer::Context.new(some_key: 'other_value') }
+
+        it "returns false" do
+          expect(context).not_to eq(other)
+        end
+      end
+    end
+
+    context "when a hashlike object is provided" do
+      context "and that object has the same contents" do
+        let(:other) { context_hash.dup }
+
+        it "returns true" do
+          expect(context).to eq(other)
+        end
+      end
+
+      context "but that object has different contents" do
+        let(:other) { { some_key: 'some_other_value' } }
+
+        it "returns false" do
+          expect(context).not_to eq(other)
+        end
+      end
+    end
+  end
+end

data/spec/context/merge_spec.rb

@@ -0,0 +1,37 @@
+require "spec_helper"
+
+describe Arrthorizer::Context do
+  describe :merge do
+    let(:base_hash) { { key: 'value' } }
+    let(:base_context) { Arrthorizer::Context.new(base_hash) }
+    let(:other_hash) { { other_key: 'other_value' } }
+    let(:merged_hash) { base_hash.merge(other_hash) }
+
+    shared_examples_for "the return value of Arrthorizer::Context#merge" do
+      it "returns an Arrthorizer::Context" do
+        result.should be_an Arrthorizer::Context
+      end
+
+      describe "the returned Arrthorizer::Context" do
+        it "contains the merged contents" do
+          merged_hash.each_pair do |key, value|
+            result.send(key).should == value
+          end
+        end
+      end
+    end
+
+    context "when another Arrthorizer::Context is provided" do
+      let(:other_context) { Arrthorizer::Context.new(other_hash) }
+      let(:result) { base_context.merge(other_context) }
+
+      include_examples "the return value of Arrthorizer::Context#merge"
+    end
+
+    context "when a Hash is provided" do
+      let(:result) { base_context.merge(other_hash) }
+
+      include_examples "the return value of Arrthorizer::Context#merge"
+    end
+  end
+end

data/spec/context_builder/build_spec.rb

@@ -0,0 +1,12 @@
+require "spec_helper"
+
+describe Arrthorizer::ContextBuilder do
+  let(:builder) { Arrthorizer::ContextBuilder.new do end }
+
+  describe :build do
+    it "returns an Arrthorizer::Context" do
+      builder.build.should be_an Arrthorizer::Context
+    end
+  end
+end
+

data/spec/context_role/to_key_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe Arrthorizer::ContextRole do
+  describe :to_key do
+    context "when the context role is not namespaced" do
+      let(:role) { UnnamespacedContextRole.instance }
+
+      it "returns a snake_cased version of the class name" do
+        expect(role.to_key).to eql "UnnamespacedContextRole"
+      end
+    end
+
+    context "when the context role is namespaced" do
+      let(:role) { Namespaced::ContextRole.instance }
+
+      specify "the namespace is taken into account" do
+        expect(role.to_key).to eql "Namespaced::ContextRole"
+      end
+    end
+  end
+end

data/spec/context_spec.rb

@@ -0,0 +1,49 @@
+require "spec_helper"
+
+# explicitly require the right file since
+# Context() is not an autoloaded constant
+require "arrthorizer/context"
+
+describe Arrthorizer do
+  describe 'Context()' do
+    let(:key) { 'key' }
+    let(:value) { 'value' }
+    let(:arg) { Object.new }
+
+    context "when an object that does not support #to_hash is provided" do
+      it "raises an Arrthorizer::ContextConversionError" do
+        expect {
+          Arrthorizer::Context(arg)
+        }.to raise_error(Arrthorizer::Context::ConversionError)
+      end
+    end
+
+    context "when an object responding to #to_hash is provided" do
+      before :each do
+        arg.stub(:to_hash).and_return({ key => value })
+      end
+
+      it "returns an Arrthorizer::Context" do
+        result = Arrthorizer::Context(arg)
+
+        result.should be_an Arrthorizer::Context
+      end
+
+      describe "the returned Arrthorizer::Context" do
+        let(:result) { Arrthorizer::Context(arg) }
+
+        specify "it contains the same key-value pairs" do
+          result.send(key).should == value
+        end
+      end
+    end
+
+    context "when an Arrthorizer::Context is provided" do
+      let(:param) { Arrthorizer::Context.new }
+
+      specify "that context is returned unmodified" do
+        Arrthorizer::Context(param).should be(param)
+      end
+    end
+  end
+end

data/spec/controllers/some_controller_spec.rb

@@ -0,0 +1,79 @@
+require 'spec_helper'
+
+describe SomeController do
+  let(:action) { Arrthorizer::Rails::ControllerAction.fetch("some#some_action") }
+  let(:other_action) { Arrthorizer::Rails::ControllerAction.fetch("some#other_action") }
+
+  describe :some_action do
+    let!(:privilege) { action.privilege }
+    let!(:current_user) { double("user") }
+
+    before do
+      controller.stub(:current_user) { current_user }
+    end
+
+    describe "context roles" do
+      let!(:context_role) do
+        configure_context_role do |user, context|
+          # This can be any type of check, e.g.:
+          #   blog = Blog.find(context[:id])
+          #   blog.author == user
+
+          # For the purpose of this test, just do a simple check:
+          # is the param :some_param equal to true.
+          context.some_param == true
+        end
+      end
+
+      context "when the role is linked to the privilege" do
+        before do
+          Arrthorizer::Permission.grant(privilege, to: context_role)
+        end
+
+        context "when I supply the correct 'some_param' param" do
+          let(:allow_request) { true }
+
+          it "succeeds" do
+            get :some_action, some_param: allow_request
+
+            response.should be_success
+          end
+        end
+
+        context "when I do not supply the correct 'some_param' param" do
+          let(:allow_request) { "something else" }
+
+          it "succeeds" do
+            get :some_action, some_param: allow_request
+
+            response.should be_forbidden
+          end
+        end
+      end
+
+      context "when the role is linked to a different privilege" do
+        before do
+          other_privilege = other_action.privilege
+          Arrthorizer::Permission.grant(other_privilege, to: context_role)
+        end
+
+        context "when I supply the correct 'some_param' param" do
+          let(:allow_request) { true }
+
+          it "still fails" do
+            get :some_action, some_param: allow_request
+
+            response.should be_forbidden
+          end
+        end
+      end
+    end
+  end
+
+  private
+  def configure_context_role(&block)
+    UnnamespacedContextRole.instance.tap do |role|
+      role.stub(:applies_to_user?, &block)
+    end
+  end
+end

data/spec/integration/registry/missing_handler_spec.rb

@@ -0,0 +1,25 @@
+require "spec_helper"
+
+describe Arrthorizer::Registry do
+  subject(:registry) { Arrthorizer::Registry.new }
+
+  context "when the requested value is not in the Registry" do
+    context "and no default value was specified" do
+      it "raises an Arrthorizer::Registry::NotFound" do
+        expect {
+          registry.fetch("some_value")
+        }.to raise_error(Arrthorizer::Registry::NotFound)
+      end
+    end
+
+    context "and a default value was specified" do
+      subject(:registry) { Arrthorizer::Registry.new }
+      let(:default) { :default }
+
+      it "returns the default" do
+        actual = registry.fetch("some_value") { default }
+        expect(actual).to eq(default)
+      end
+    end
+  end
+end

data/spec/integration/role_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe Arrthorizer::Role do
+  context "when a new ContextRole class is created" do
+    let(:context_role) { class TestRole < Arrthorizer::ContextRole; end; TestRole.instance }
+
+    specify "that role is stored" do
+      Arrthorizer::Role.get(context_role.to_key).should be context_role
+    end
+
+    after :each do
+      if defined?(TestRole)
+        Object.send(:remove_const, :TestRole)
+      end
+    end
+  end
+end

data/spec/internal/app/assets/javascripts/application.js

@@ -0,0 +1,15 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// the compiled file.
+//
+// WARNING: THE FIRST BLANK LINE MARKS THE END OF WHAT'S TO BE PROCESSED, ANY BLANK LINE SHOULD
+// GO AFTER THE REQUIRES BELOW.
+//
+//= require jquery
+//= require jquery_ujs
+//= require_tree .

data/spec/internal/app/assets/javascripts/test.js.coffee

@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://jashkenas.github.com/coffee-script/

data/spec/internal/app/assets/stylesheets/application.css

@@ -0,0 +1,13 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require_self
+ *= require_tree .
+*/

data/spec/internal/app/assets/stylesheets/test.css.scss

@@ -0,0 +1,3 @@
+// Place all the styles related to the test controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/

data/spec/internal/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery
+end

data/spec/internal/app/controllers/some_controller.rb

@@ -0,0 +1,17 @@
+require 'arrthorizer/rails'
+
+class SomeController < ApplicationController
+  to_prepare_context do |c|
+    c.defaults do
+      { some_param: params[:some_param] }
+    end
+  end
+
+  before_filter :authorize
+
+  def some_action
+  end
+
+  def other_action
+  end
+end

data/spec/internal/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/spec/internal/app/helpers/test_helper.rb

@@ -0,0 +1,2 @@
+module TestHelper
+end

data/spec/internal/app/roles/namespaced/context_role.rb

@@ -0,0 +1,9 @@
+module Namespaced
+  class ContextRole < Arrthorizer::ContextRole
+    # this can be overridden in the specs
+    def applies_to_user?(user, context)
+      false
+    end
+  end
+end
+

data/spec/internal/app/roles/unnamespaced_context_role.rb

@@ -0,0 +1,6 @@
+class UnnamespacedContextRole < Arrthorizer::ContextRole
+  # this can be overridden in the specs
+  def applies_to_user?(user, context)
+    false
+  end
+end

data/spec/internal/app/views/layouts/application.html.erb

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Test</title>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/spec/internal/app/views/some/some_action.html.erb

@@ -0,0 +1,2 @@
+<h1>Test#test</h1>
+<p>Find me in app/views/test/test.html.erb</p>

data/spec/internal/config/application.rb

@@ -0,0 +1,65 @@
+require File.expand_path('../boot', __FILE__)
+
+# Pick the frameworks you want:
+require "active_record/railtie"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+require "active_resource/railtie"
+require "sprockets/railtie"
+# require "rails/test_unit/railtie"
+
+if defined?(Bundler)
+  # If you precompile assets before deploying to production, use this line
+  Bundler.require(*Rails.groups(:assets => %w(development test)))
+  # If you want your assets lazily compiled in production, use this line
+  # Bundler.require(:default, :assets, Rails.env)
+end
+
+module TestCbac
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Custom directories with classes and modules you want to be autoloadable.
+    # config.autoload_paths += %W(#{config.root}/extras)
+
+    # Only load the plugins named here, in the order given (default is alphabetical).
+    # :all can be used as a placeholder for all plugins not explicitly named.
+    # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+    # Activate observers that should always be running.
+    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+
+    # Configure the default encoding used in templates for Ruby 1.9.
+    config.encoding = "utf-8"
+
+    # Configure sensitive parameters which will be filtered from the log file.
+    config.filter_parameters += [:password]
+
+    # Use SQL instead of Active Record's schema dumper when creating the database.
+    # This is necessary if your schema can't be completely dumped by the schema dumper,
+    # like if you have constraints or database-specific column types
+    # config.active_record.schema_format = :sql
+
+    # Enforce whitelist mode for mass assignment.
+    # This will create an empty whitelist of attributes available for mass-assignment for all models
+    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+    # parameters by using an attr_accessible or attr_protected declaration.
+    config.active_record.whitelist_attributes = true
+
+    # Enable the asset pipeline
+    config.assets.enabled = true
+
+    # Version of your assets, change this if you want to expire all your assets
+    config.assets.version = '1.0'
+  end
+end

data/spec/internal/config/arrthorizer.yml

@@ -0,0 +1,9 @@
+---
+get_some_action:
+  actions:
+    - some:
+      - some_action
+get_other_action:
+  actions:
+    - some:
+      - other_action

data/spec/internal/config/boot.rb

@@ -0,0 +1,6 @@
+require 'rubygems'
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])