arrthorizer 0.1.0.pre

data/.gitignore

@@ -0,0 +1,21 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+spec/internal/db/*.sqlite3
+
+.ruby-version
+.ruby-gemset

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+cache: bundler
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0

data/Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~> 3.2.16'
+
+# Specify your gem's dependencies in arrthorizer.gemspec
+gemspec
+
+group :test do
+  gem 'rake'
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 René van den Berg
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,32 @@
+[![Build Status](https://travis-ci.org/ReneB/arrthorizer.png?branch=fyfbd_118)](https://travis-ci.org/ReneB/arrthorizer)
+(The build is currently supposed to fail, since the gem is not in a releasable state yet)
+
+# Arrthorizer
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'arrthorizer'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install arrthorizer
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+RSpec::Core::RakeTask.new(:test)
+
+task :default => :spec

data/arrthorizer.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'arrthorizer/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "arrthorizer"
+  gem.version       = Arrthorizer::VERSION
+  gem.authors       = ["René van den Berg", "Lennaert Meijvogel"]
+  gem.email         = ["rene.vandenberg@ogd.nl", "lennaert.meijvogel@ogd.nl"]
+  gem.description   = %q{Contextual authorization for your Rails (3+) application}
+  gem.summary       = %q{Contextual authorization for your Rails (3+) application}
+  gem.homepage      = "https://github.com/BUS-ogd/arrthorizer"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency             'rails'
+  gem.add_development_dependency 'combustion', '~> 0.5.1'
+  gem.add_development_dependency 'sqlite3'
+  gem.add_development_dependency 'rspec-rails'
+end

data/config.ru

@@ -0,0 +1,7 @@
+require 'rubygems'
+require 'bundler'
+
+Bundler.require :default, :development
+
+Combustion.initialize!
+run Combustion::Application

data/lib/arrthorizer/arrthorizer_exception.rb

@@ -0,0 +1,11 @@
+module Arrthorizer
+  class ArrthorizerException < StandardError
+    attr_reader :inner
+
+    def initialize(message = "Exception occurred", inner = $!)
+      super(message)
+
+      @inner = inner
+    end
+  end
+end

data/lib/arrthorizer/context.rb

@@ -0,0 +1,65 @@
+require 'ostruct'
+
+module Arrthorizer
+  # Make it possible to specify the context that Arrthorizer can evaluate from inside the controller:
+  #
+  # class MyController
+  #   to_prepare_context do |c|
+  #     c.defaults do
+  #       { bookcase: Cms::Bookcase.find(params[:id]) }
+  #     end
+  #
+  #     c.for_action(:some_action) do
+  #       arrthorizer_defaults.merge({ bookcase: Cms::Book.find(params[:id]).bookcase })
+  #     end
+  #   end
+  # end
+  #
+  # class MyController
+  #   to_prepare_context do |c|
+  #     c.defaults do
+  #       params
+  #     end
+  #   end
+  # end
+  #
+  # In non-Rails environments:
+  #
+  # class MySomething
+  #   # probably include something like Arrthorizer::Config
+  #   to_prepare_context do |c|
+  #     c.defaults do
+  #       { bookcase: Cms::Bookcase.find(params[:id]) }
+  #     end
+  #
+  #     if params[:action] == :edit
+  #       arrthorizer_defaults.merge { author: User.find(params[:author_id] }
+  #     end
+  #   end
+  # end
+
+  class Context < OpenStruct
+    ConversionError = Class.new(Arrthorizer::ArrthorizerException)
+
+    def merge(hash)
+      self.class.new(to_hash.merge(hash))
+    end
+
+    def to_hash
+      marshal_dump
+    end
+
+    def ==(other)
+      to_hash == other.to_hash
+    end
+  end
+
+module_function
+  def Context(contents)
+    return contents if contents.is_a? Context
+
+    return Context.new(contents.to_hash)
+  rescue NoMethodError
+    raise Arrthorizer::Context::ConversionError, "Can't convert #{contents} to an Arrthorizer::Context"
+  end
+end

data/lib/arrthorizer/context_builder.rb

@@ -0,0 +1,11 @@
+module Arrthorizer
+  class ContextBuilder
+    def build
+      Arrthorizer::Context.new
+    end
+
+    def build_from_hash(hash)
+      Arrthorizer::Context(hash)
+    end
+  end
+end

data/lib/arrthorizer/context_role.rb

@@ -0,0 +1,31 @@
+require 'singleton'
+
+##
+# This is the superclass for all ContextRoles that the application may contain.
+# A ContextRole is a role that a User may or may not have, depending on the
+# current context. This can be things like 'the author of a certain post' or 'a
+# member of the current group'
+module Arrthorizer
+  class ContextRole < Role
+    include Singleton
+
+    def to_key
+      self.class.to_key
+    end
+
+    def self.to_key
+      name
+    end
+
+    def self.applies_to_user?(*args)
+      instance.applies_to_user?(*args)
+    end
+
+    def self.inherited(klass)
+      super
+
+      Role.register(klass.instance)
+    end
+  end
+end
+

data/lib/arrthorizer/permission.rb

@@ -0,0 +1,14 @@
+module Arrthorizer
+  module Permission
+    InvalidPermission = Class.new(ArrthorizerException)
+
+    def self.grant(privilege, config = {})
+      privilege = Privilege.get(privilege)
+      role          = Role.get(config[:to])
+
+      privilege.make_accessible_to(role)
+    rescue Registry::NotFound => e
+      raise InvalidPermission, e.message
+    end
+  end
+end

data/lib/arrthorizer/privilege.rb

@@ -0,0 +1,44 @@
+module Arrthorizer
+  class Privilege
+    attr_reader :name
+
+    def initialize(attrs)
+      @name = attrs[:name].to_s
+
+      (attrs[:roles] || []).each do |role|
+        self.make_accessible_to(role)
+      end
+
+      self.class.register(self)
+    end
+
+    def self.get(name_or_privilege)
+      registry.fetch(name_or_privilege)
+    end
+
+    def make_accessible_to(role)
+      permitted_roles.add(role)
+    end
+
+    def accessible_to?(role)
+      !!permitted_roles.fetch(role) { false }
+    end
+
+    def permitted_roles
+      @permitted_roles ||= Registry.new
+    end
+
+    def to_key
+      name
+    end
+
+    protected
+    def self.register(privilege)
+      registry.add(privilege)
+    end
+
+    def self.registry
+      @registry ||= Registry.new
+    end
+  end
+end

data/lib/arrthorizer/rails/configuration.rb

@@ -0,0 +1,67 @@
+module Arrthorizer
+  module Rails
+    class Configuration
+      FileNotFound = Class.new(Arrthorizer::ArrthorizerException)
+
+      mattr_accessor :config_file
+      self.config_file = "config/arrthorizer.yml"
+
+      def self.load
+        Parser.new.process(config)
+      end
+
+    private
+      def self.config
+        @config ||= YAML.load(config_file_contents) || {}
+      end
+
+      def self.config_file_contents
+        File.read(config_file_location)
+      rescue Errno::ENOENT
+        raise FileNotFound, "Arrthorizer requires a config file at #{config_file}"
+      end
+
+      def self.config_file_location
+        ::Rails.root.join config_file
+      end
+
+      class Parser
+        def process(config)
+          config.each_pair do |privilege_name, configuration|
+            parse_privilege_node(privilege_name, OpenStruct.new(configuration))
+          end
+        end
+
+      private
+        def parse_privilege_node(name, description)
+          privilege = Arrthorizer::Privilege.new(name: name, roles: roles_from(description))
+
+          description.actions.each do |node|
+            controller_name = controller_from(node)
+
+            actions_from(node, controller_name).each do |action|
+              action.privilege = privilege
+            end
+          end
+        end
+
+        # node looks like this: { "actions" => { "controller_name" => ["namespaced/action_name"] }, roles: [ "Namespaced::Role" ] }
+        def roles_from(node)
+          (node.roles || []).map(&:constantize)
+        end
+
+        # node looks like this: { "controller_name" => ["namespaced/action_name", "another_action_name"] }
+        def controller_from(node)
+          node.keys.first
+        end
+
+        # node looks like this: { "controller_name" => ["namespaced/action_name", "another_action_name"] }
+        def actions_from(node, controller_name)
+          node[controller_name].map do |action_name|
+            Arrthorizer::Rails::ControllerAction.new(controller: controller_name, action: action_name)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/arrthorizer/rails/controller_action.rb

@@ -0,0 +1,45 @@
+module Arrthorizer
+  module Rails
+    class ControllerAction
+      ControllerNotDefined = Class.new(Arrthorizer::ArrthorizerException)
+      ActionNotDefined = Class.new(Arrthorizer::ArrthorizerException)
+
+      attr_accessor :privilege
+      attr_reader :controller_path, :action_name
+
+      def self.get_current(controller)
+        fetch(key_for(controller))
+      end
+
+      def initialize(attrs)
+        self.controller_path = attrs.fetch(:controller) { raise ControllerNotDefined }
+        self.action_name = attrs.fetch(:action) { raise ActionNotDefined }
+
+        self.class.register(self)
+      end
+
+      def to_key
+        "#{controller_path}##{action_name}"
+      end
+
+    private
+      attr_writer :controller_path, :action_name
+
+      def self.key_for(controller)
+        "#{controller.controller_path}##{controller.action_name}"
+      end
+
+      def self.fetch(key)
+        registry.fetch(key)
+      end
+
+      def self.register(controller_action)
+        registry.add(controller_action)
+      end
+
+      def self.registry
+        @registry ||= Registry.new
+      end
+    end
+  end
+end

data/lib/arrthorizer/rails/controller_concern.rb

@@ -0,0 +1,70 @@
+module Arrthorizer
+  module Rails
+    module ControllerConcern
+      extend ActiveSupport::Concern
+
+      included do
+      protected
+        class_attribute :arrthorizer_configuration, instance_writer: false
+
+        ##
+        # This is a hook method that provides access to the context for a
+        # given HTTP request. For each request, an Arrthorizer::Context object is
+        # built and provided to all ContextRoles that are configured as having
+        # access to the given controller action.
+        def arrthorizer_context
+          arrthorizer_context_builder.build_for_action
+        end
+
+        def arrthorizer_defaults
+          arrthorizer_context_builder.build_default
+        end
+
+        def authorize
+          action = Arrthorizer::Rails::ControllerAction.get_current(self)
+          roles = action.privilege.permitted_roles
+
+          roles.any? do |role|
+            role.applies_to_user?(current_user, arrthorizer_context)
+          end || forbidden
+        end
+
+        def forbidden
+          render text: 'Access Denied', status: :forbidden
+        end
+
+        def arrthorizer_context_builder
+          @context_builder ||= Arrthorizer::Rails::ControllerContextBuilder.new(self, arrthorizer_configuration)
+        end
+      end
+
+      module ClassMethods
+        ##
+        # This method sets up Arrthorizer to verify that a user has the proper
+        # rights to access a # given controller action. Options can be provided
+        # and are passed to before_filter.
+        def requires_authorization(options = {})
+          before_filter :authorize, options
+        end
+
+        ##
+        # This method sets up Arrthorizer to not verify requests to all (when
+        # no options are provided) or selected (when :only or :except are
+        # provided) actions in this controller and its subclasses.
+        # Options can be provided and are passed to skip_filter.
+        def does_not_require_authorization(options = {})
+          skip_filter :authorize, options
+        end
+
+        ##
+        # This is the configuration method for building Arrthorizer contexts from HTTP requests.
+        # The developer specifies how contexts for authorization checks should be built
+        # by providing a block to this method. For more information, check the documentation
+        # on Arrthorizer::Rails::ControllerConfiguration
+        def to_prepare_context(&block)
+          self.arrthorizer_configuration = Arrthorizer::Rails::ControllerConfiguration.new(&block)
+        end
+      end
+    end
+  end
+end

data/lib/arrthorizer/rails/controller_configuration.rb

@@ -0,0 +1,36 @@
+module Arrthorizer
+  module Rails
+    class ControllerConfiguration
+      Error = Class.new(Arrthorizer::ArrthorizerException)
+
+      def initialize(&block)
+        yield self
+      rescue LocalJumpError
+        raise Error, "No builder block provided to ContextBuilder.new"
+      end
+
+      def defaults(&block)
+        self.defaults_block = block
+      end
+
+      def for_action(action, &block)
+        add_action_block(action, &block)
+      end
+
+      def block_for(action)
+        action_blocks.fetch(action) { defaults_block }
+      end
+
+    private
+      attr_accessor :defaults_block
+
+      def add_action_block(action, &block)
+        action_blocks[action] = block
+      end
+
+      def action_blocks
+        @action_blocks ||= HashWithIndifferentAccess.new
+      end
+    end
+  end
+end

data/lib/arrthorizer/rails/controller_context_builder.rb

@@ -0,0 +1,39 @@
+module Arrthorizer
+  module Rails
+    class ControllerContextBuilder < Arrthorizer::ContextBuilder
+      attr_accessor :controller, :configuration
+
+      def initialize(controller, configuration)
+        self.controller = controller
+        self.configuration = configuration
+      end
+
+      def build_default
+        config = config_for_action(nil)
+
+        build_from_block(&config)
+      end
+
+      def build_for_action
+        config = config_for_action(controller.action_name)
+
+        build_from_block(&config)
+      end
+
+    protected
+      def build_from_block(&config)
+        if block_given?
+          context_hash = controller.instance_eval(&config)
+
+          build_from_hash(context_hash)
+        else
+          build_from_hash({})
+        end
+      end
+
+      def config_for_action(action)
+        configuration.try(:block_for, action)
+      end
+    end
+  end
+end

data/lib/arrthorizer/rails.rb

@@ -0,0 +1,24 @@
+module Arrthorizer
+  module Rails
+    autoload :ControllerAction,         "arrthorizer/rails/controller_action"
+    autoload :ControllerConfiguration,  "arrthorizer/rails/controller_configuration"
+    autoload :ControllerConcern,        "arrthorizer/rails/controller_concern"
+    autoload :ControllerContextBuilder, "arrthorizer/rails/controller_context_builder"
+    autoload :Configuration,            "arrthorizer/rails/configuration"
+
+    class Engine < ::Rails::Engine
+      config.to_prepare do
+        Arrthorizer::Rails::Configuration.load
+      end
+    end
+
+  module_function
+    def initialize!
+      ActionController::Base.send(:include, ControllerConcern)
+
+      if defined?(ActionController::API)
+        ActionController::API.send(:include, ControllerConcern)
+      end
+    end
+  end
+end

data/lib/arrthorizer/registry.rb

@@ -0,0 +1,30 @@
+module Arrthorizer
+  class Registry
+    include Enumerable
+
+    NotFound = Class.new(ArrthorizerException)
+
+    def each(&block)
+      storage.values.each(&block)
+    end
+
+    def initialize
+      self.storage = Hash.new
+    end
+
+    def add(object)
+      storage[object.to_key] = object
+    end
+
+    def fetch(key, &block)
+      block ||= proc { raise NotFound, "Could not find value for #{key.inspect}" }
+
+      formatted_key = key.respond_to?(:to_key) ? key.to_key : key
+
+      storage.fetch(formatted_key, &block)
+    end
+
+    private
+    attr_accessor :storage
+  end
+end

data/lib/arrthorizer/role.rb

@@ -0,0 +1,31 @@
+# This is the abstract superclass for all roles in the hierarchy.
+module Arrthorizer
+  class Role
+    # Template method: This method is implemented in the
+    # ContextRole subclasses.
+    def applies_to_user?(user, context = {})
+      raise NotImplementedError, "#{self.name} does not implement #applies_to_user?(user, context)"
+    end
+
+    def self.get(name_or_role)
+      if name_or_role.respond_to?(:instance)
+        get(name_or_role.instance)
+      else
+        registry.fetch(name_or_role)
+      end
+    end
+
+    def self.register(role)
+      registry.add(role)
+    end
+
+    def self.registry
+      @registry ||= Registry.new
+    end
+
+    def to_key
+      name
+    end
+  end
+end
+

data/lib/arrthorizer/roles.rb

@@ -0,0 +1,19 @@
+module Arrthorizer
+  class Everybody < Arrthorizer::ContextRole
+    def applies_to_user?(*args)
+      true
+    end
+  end
+
+  class Nobody < Arrthorizer::ContextRole
+    def applies_to_user?(*args)
+      false
+    end
+  end
+
+  class LoggedInUser < Arrthorizer::ContextRole
+    def applies_to_user?(user, context)
+      !user.nil?
+    end
+  end
+end