arsecurity 0.1.0

data/CHANGELOG

@@ -0,0 +1,3 @@
+Changes in version 0.1.0 (2009-03-16)
+-------------------------------------
+initial release

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,31 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+PKG_NAME = "arsecurity"
+PKG_VERSION = "0.1.0"
+PKG_FILE_NAME = "#{PKG_NAME}-#{PKG_VERSION}"
+PKG_FILES = FileList[
+  '[A-Z]*',
+  'lib/**/*',
+  'examples/**/*'
+]
+spec = Gem::Specification.new do |s|
+  s.platform = Gem::Platform::RUBY
+  s.summary = "A security component for Activerecord"
+  s.name = PKG_NAME
+  s.version = PKG_VERSION
+  s.require_path = 'lib'
+  s.homepage = %q{http://arsecurity.rubyforge.org/}
+  s.rubyforge_project = 'Activerecord Security'
+  s.has_rdoc = false
+  s.authors = ["Leon Li"]
+  s.email = "scorpio_leon@hotmail.com"
+  s.files = PKG_FILES
+  s.description = <<-EOF
+    A security component for Activerecord, it can manage CRUD permissions with attribute level by configuration, you can implement RBAC easily with it. It depend on the AOP framework Rinter(Rinterceptor) and the OO query tool Rquerypad(Optinal)
+  EOF
+  s.add_dependency('rinterceptor', '>= 0.1.0')
+end
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.need_zip = true
+  pkg.need_tar = true
+end

data/examples/initializers/security.rb

@@ -0,0 +1,37 @@
+ActiveRecord::Base.class_eval do
+  include ArsecurityDefault
+  def self.rinter_skip?
+    !YourContext.security_check
+  end
+  def rinter_skip?
+    !YourContext.security_check
+  end
+end
+def free_access(&block)
+  old_security_check = YourContext.security_check
+  YourContext.security_check = false
+  result =  yield
+  YourContext.security_check = old_security_check
+  result
+end
+class YourSecurityHandler < DefaultArsecurityHandler
+  class << self
+    #override
+    def accept?
+      current_user && current_user.is_admin?
+    end
+    #override
+    def reject?
+      false
+    end
+    #override
+    def permissions
+      current_user && current_user.permissions
+    end
+    
+    def current_user
+      YourContext.your_user
+    end
+  end
+end
+ArsecurityUtil.handler = YourSecurityHandler

data/lib/arsecurity.rb

@@ -0,0 +1,58 @@
+require 'rinterceptor'
+module Arsecurity
+  CREATE = 'create'
+  READ = 'read'
+  UPDATE = 'update'
+  DELETE = 'delete'
+  def rinter_update_around(invocation)
+    if ArsecurityUtil.authorized?(UPDATE, invocation.object.class.name, invocation.object, invocation)
+      return invocation.invoke
+    else
+      raise ArsecurityNotAuthorizedException
+    end
+  end
+  def rinter_create_around(invocation)
+    if ArsecurityUtil.authorized?(CREATE, invocation.object.class.name, invocation.object, invocation)
+      return invocation.invoke
+    else
+      raise ArsecurityNotAuthorizedException
+    end
+  end
+  def rinter_delete_around(invocation)
+    if ArsecurityUtil.authorized?(DELETE, invocation.object.class.name, invocation.object, invocation)
+      return invocation.invoke
+    else
+      raise ArsecurityNotAuthorizedException
+    end
+  end
+  module ClassMethods
+    def rinter_update_around(invocation)
+      if ArsecurityUtil.authorized?(UPDATE, invocation.object.name, nil, invocation)
+        return invocation.invoke
+      else
+        raise ArsecurityNotAuthorizedException
+      end
+    end
+    def rinter_read_around(invocation)
+      if ArsecurityUtil.authorized?(READ, invocation.object.name, nil, invocation)
+        return invocation.invoke
+      else
+        raise ArsecurityNotAuthorizedException
+      end
+    end
+    def rinter_delete_around(invocation)
+      if ArsecurityUtil.authorized?(DELETE, invocation.object.name, nil, invocation)
+        return invocation.invoke
+      else
+        raise ArsecurityNotAuthorizedException
+      end
+    end
+  end
+  include Rinterceptor
+end
+
+class ArsecurityNotAuthorizedException < RuntimeError
+end
+
+class ArsecurityIllegalException < RuntimeError
+end

data/lib/arsecurity_default.rb

@@ -0,0 +1,53 @@
+
+
+module ArsecurityDefault
+  #value can be regexp, symbol or string
+  CLASS_READ_METHOD = ["find_every", "count"]
+  CLASS_DELETE_METHOD = "delete_all"
+  CLASS_UPDATE_METHOD = "update_all"
+  INSTANCE_CREATE = {:create => :create}
+  INSTANCE_DELETE = {:delete => /^destroy$/}
+  INSTANCE_UPDATE = {:update => :update}
+  CLASS_READ = {:read => CLASS_READ_METHOD}
+  CLASS_DELETE = {:delete => CLASS_DELETE_METHOD}
+  CLASS_UPDATE = {:update => CLASS_UPDATE_METHOD}
+  INCLUDE_I_METHODS = INSTANCE_CREATE.merge(INSTANCE_UPDATE).merge(INSTANCE_DELETE)
+  INCLUDE_S_METHODS = CLASS_READ.merge(CLASS_UPDATE).merge(CLASS_DELETE)
+  def self.rinter_before_include_class(base)
+    base.instance_variable_set(:@include_i_methods, INCLUDE_I_METHODS)
+    base.instance_variable_set(:@include_s_methods, INCLUDE_S_METHODS)
+  end
+  include Arsecurity
+end
+
+class DefaultArsecurityHandler < ArsecurityHandler
+  class << self
+    def get_conditions(invocation)
+      case invocation.method
+        when *ArsecurityDefault::CLASS_READ_METHOD
+        args = invocation.args || []
+        options = args.extract_options!
+        invocation.args = args
+        invocation.options = options
+        conditions = options[:conditions]
+        when ArsecurityDefault::CLASS_DELETE_METHOD
+        conditions = invocation.args[0]
+        when ArsecurityDefault::CLASS_UPDATE_METHOD
+        conditions = invocation.args[1]
+      end
+      conditions
+    end
+    
+    def set_conditions(invocation, conditions)
+      case invocation.method
+        when *ArsecurityDefault::CLASS_READ_METHOD
+        options = invocation.options
+        options[:conditions] = conditions 
+        when ArsecurityDefault::CLASS_DELETE_METHOD
+        invocation.args[0] = conditions 
+        when ArsecurityDefault::CLASS_UPDATE_METHOD
+        invocation.args[1] = conditions
+      end
+    end
+  end
+end

data/lib/arsecurity_handler.rb

@@ -0,0 +1,24 @@
+class ArsecurityHandler
+  class << self
+    #for customize logic, such as for administrator
+    def accept?
+      raise ArsecurityIllegalException.new("ArsecurityHandler.accept? should be implemented")
+    end
+    #for customize logic, such as for time restriction
+    def reject?
+      raise ArsecurityIllegalException.new("ArsecurityHandler.reject? should be implemented")
+    end
+    def permissions
+      raise ArsecurityIllegalException.new("ArsecurityHandler.permissions should be implemented")
+    end
+    
+    #for changing conditions
+    def get_conditions(invocation)
+      raise ArsecurityIllegalException.new("ArsecurityHandler.get_conditions should be implemented")
+    end
+    
+    def set_conditions(invocation, conditions)
+      raise ArsecurityIllegalException.new("ArsecurityHandler.set_conditions should be implemented")
+    end
+  end
+end

data/lib/arsecurity_permission.rb

@@ -0,0 +1,9 @@
+class ArsecurityPermission
+  attr_accessor :type, :method, :instance_condition, :sql_condition
+  def initialize(permission)
+    @type = permission[:type]
+    @method = permission[:method]
+    @instance_condition = permission[:instance_condition]
+    @sql_condition = permission[:sql_condition]
+  end
+end

data/lib/arsecurity_util.rb

@@ -0,0 +1,90 @@
+class ArsecurityUtil
+  class << self
+    attr_accessor :handler
+    def authorized?(method, type, instance, invocation)
+      return true if handler.accept?
+      return false if handler.reject?
+      result = false
+      permissions = handler.permissions
+      
+      unless permissions.nil? || permissions.empty?
+        result = check_permissions(permissions, method, type, instance, invocation)
+      end
+      result
+    end
+
+    def check_permissions(permissions, method, type, instance, invocation)
+      
+      permissions.each do |permission|
+        permission = ArsecurityPermission.new(permission) if permission.is_a?(Hash)
+        next if permission.type != type
+        unless permission.method.nil?
+          next if permission.method != method
+        end
+        #instance not nil mean persist
+        
+        unless instance.nil?
+          if  permission.instance_condition.nil? || permission.instance_condition.empty?
+            return true
+          else
+            result = ERB.new("<% result =  (#{permission.instance_condition}) ? true : false %><%= result %>").result(permission.send(:binding))
+            return true if result == 'true'
+          end
+        else
+          #singleton methods, mean has permission to do this action, but check if there is any restriction need be attached
+          unless permission.sql_condition.nil? || permission.sql_condition.empty?
+            conditions = handler.get_conditions(invocation)
+            if conditions.nil? || conditions.empty?
+              conditions = permission.sql_condition
+            elsif conditions.is_a?(String)
+              conditions = "(" << conditions << ") and (" << permission.sql_condition << ")"
+            elsif conditions.is_a?(Array)
+              conditions[0] = "(" << conditions[0] << ") and (" << permission.sql_condition << ")"
+            elsif conditions.is_a?(Hash)
+              new_conditions = []
+              new_conditions[0] = ""
+              conditions.each do |k, v|
+                new_conditions[0] << " #{k} = #{attribute_condition(v)}"
+                if v.is_a?(Range)
+                  new_conditions << v.first
+                  new_conditions << v.last
+                else
+                  new_conditions << v
+                end
+              end
+              conditions = new_conditions
+              conditions[0] = "(" << conditions[0] << ") and (" << permission.sql_condition << ")"
+            end
+            handler.set_conditions(invocation, conditions)
+          end
+          return true
+        end
+      end
+      false
+    end 
+    
+    def has_permission(permission, method, type, instance)
+      return false if permission.type != type
+      
+      unless permission.method.nil?
+        return false if permission.method != method
+      end
+      
+      if permission.instance_condition.blank?
+        return true      
+      else
+        result = ERB.new("<% result =  (#{permission.instance_condition}) ? true : false %><%= result %>").result(permission.send(:binding))
+        return result == 'true'
+      end
+    end
+    
+    def attribute_condition(argument)
+      case argument
+        when nil   then "IS ?"
+        when Array, ActiveRecord::Associations::AssociationCollection then "IN (?)"
+        when Range then "BETWEEN ? AND ?"
+      else            "= ?"
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,71 @@
+--- !ruby/object:Gem::Specification 
+name: arsecurity
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Leon Li
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-03-17 00:00:00 +08:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rinterceptor
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.1.0
+    version: 
+description: A security component for Activerecord, it can manage CRUD permissions with attribute level by configuration, you can implement RBAC easily with it. It depend on the AOP framework Rinter(Rinterceptor) and the OO query tool Rquerypad(Optinal)
+email: scorpio_leon@hotmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- MIT-LICENSE
+- Rakefile
+- CHANGELOG
+- lib/arsecurity.rb
+- lib/arsecurity_permission.rb
+- lib/arsecurity_handler.rb
+- lib/arsecurity_default.rb
+- lib/arsecurity_util.rb
+- examples/initializers
+- examples/initializers/security.rb
+has_rdoc: false
+homepage: http://arsecurity.rubyforge.org/
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: Activerecord Security
+rubygems_version: 1.3.1
+signing_key: 
+specification_version: 2
+summary: A security component for Activerecord
+test_files: []
+