authoreyes 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c692f2b44a5992e6ed48d9edb77cda2accfa2bc1
+  data.tar.gz: 63e2a6282929830fa130217e901c2a55e1c9897e
+SHA512:
+  metadata.gz: 7086240162b0a8734af9922554d20b9867706bbe9619917642d72f2531596c13229a97d16f59831fac56820bd94547bc367c6c3862f525ac248cbca8a58ec1f9
+  data.tar.gz: 77bb72a8bf572b7c06595993985f48e896c68327681b563cb6cd2fd1429da4af2fe2b4c77a710e94364d626a6d1d34f1430aade2b56eda9ef6bebd50caf45313

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.gem

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.0
+before_install: gem install bundler -v 1.12.5

data/Gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'rails', '~> 5.0'
+
+group :test do
+  gem "codeclimate-test-reporter", require: nil
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Xavier Bick
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,53 @@
+# Authoreyes
+
+[![Gem Version](https://badge.fury.io/rb/authoreyes.svg)](https://badge.fury.io/rb/authoreyes) [![Build Status](https://travis-ci.org/tektite-software/authoreyes.svg?branch=master)](https://travis-ci.org/tektite-software/authoreyes) [![Code Climate](https://codeclimate.com/github/tektite-software/authoreyes/badges/gpa.svg)](https://codeclimate.com/github/tektite-software/authoreyes) [![Test Coverage](https://codeclimate.com/github/tektite-software/authoreyes/badges/coverage.svg)](https://codeclimate.com/github/tektite-software/authoreyes/coverage) [![Inline docs](http://inch-ci.org/github/tektite-software/authoreyes.svg?branch=master)](http://inch-ci.org/github/tektite-software/authoreyes)
+
+#### Warning! This gem is an alpha!
+
+_Authoreyes_ (pronounced "authorize") is intended to be a modern, Rails 5 compatible replacement for [Declarative Authorization](https://github.com/stffn/declarative_authorization/).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'authoreyes'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install authoreyes
+
+## Usage
+
+For Rails authorization in Rails versions 4 and below, please use [Declarative Authorization](https://github.com/stffn/declarative_authorization) or one of its forks.
+
+__Warning! This gem is not finished!__ Although authorization functionality _does_ work, you will need to do a few things to actually use it in your application...
+
+At this point, to use Authoreyes, you must do the following:
+  1. Add an `authorization_rules.rb` file.
+  2. Create an Authoreyes DSL Parser object.
+  3. Use the DSL Parser object to parse your authorization rules.
+  4. Create an Authoreyes Authorization Engine object passing in the Parser object.
+  5. Use the Engine's `permit!` and `permit?` methods in your application.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/tektite-software/authoreyes.
+
+__Please check out the wiki for guides on contributing to this project.__
+
+## Acknowledgements
+
+This gem was originally based on [stffn](https://github.com/stffn)'s gem [Declarative_Authorization](https://github.com/stffn/declarative_authorization).  Many thanks to stffn and all who contributed to Declarative Authorization for a great gem!
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+:copyright: 2016 Tektite Software

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :default => :test

data/authoreyes.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'authoreyes/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'authoreyes'
+  spec.version       = Authoreyes::VERSION
+  spec.authors       = ['Tektite Software', 'Xavier Bick']
+  spec.email         = ['fxb9500@gmail.com']
+
+  spec.summary       = 'A modern authorization plugin for Rails.'
+  spec.description   = 'A powerful, modern authorization plugin for Ruby on
+                        Rails featuring a declarative DSL for centralized
+                        authorization roles.
+                        Based on Declarative Authorization.'
+  spec.homepage      = 'https://www.github.com/tektite-software/authoreyes'
+  spec.license       = 'MIT'
+
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.12'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'minitest', '~> 5.0'
+end

data/authorization_rules.dist.rb

@@ -0,0 +1,20 @@
+authorization do
+  role :guest do
+    # add permissions for guests here, e.g.
+    #has_permission_on :conferences, :to => :read
+  end
+  
+  # permissions on other roles, such as
+  #role :admin do
+  #  has_permission_on :conferences, :to => :manage
+  #end
+end
+
+privileges do
+  # default privilege hierarchies to facilitate RESTful Rails apps
+  privilege :manage, :includes => [:create, :read, :update, :delete]
+  privilege :read, :includes => [:index, :show]
+  privilege :create, :includes => :new
+  privilege :update, :includes => :edit
+  privilege :delete, :includes => :destroy
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "authoreyes"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/authoreyes.rb

@@ -0,0 +1,7 @@
+require 'authoreyes/version'
+require 'authoreyes/authorization'
+require 'authoreyes/parser'
+
+module Authoreyes
+  # Your code goes here...
+end

data/lib/authoreyes/authorization.rb

@@ -0,0 +1,80 @@
+# Authorization
+require 'rails'
+require 'authoreyes/authorization/engine'
+require 'authoreyes/authorization/authorization_rule_set'
+require 'authoreyes/authorization/authorization_rule'
+require 'authoreyes/authorization/attribute'
+require 'authoreyes/authorization/attribute_with_permission'
+require 'authoreyes/authorization/anonymous_user'
+
+require "set"
+require "forwardable"
+
+module Authoreyes
+  module Authorization
+    # An exception raised if anything goes wrong in the Authorization realm
+    class AuthorizationError < StandardError ; end
+    # NotAuthorized is raised if the current user is not allowed to perform
+    # the given operation possibly on a specific object.
+    class NotAuthorized < AuthorizationError ; end
+    # AttributeAuthorizationError is more specific than NotAuthorized, signaling
+    # that the access was denied on the grounds of attribute conditions.
+    class AttributeAuthorizationError < NotAuthorized ; end
+    # AuthorizationUsageError is used whenever a situation is encountered
+    # in which the application misused the plugin.  That is, if, e.g.,
+    # authorization rules may not be evaluated.
+    class AuthorizationUsageError < AuthorizationError ; end
+    # NilAttributeValueError is raised by Attribute#validate? when it hits a nil attribute value.
+    # The exception is raised to ensure that the entire rule is invalidated.
+    class NilAttributeValueError < AuthorizationError ; end
+
+    AUTH_DSL_FILES = [Pathname.new(Rails.root || '').join("config", "authorization_rules.rb").to_s] unless defined? AUTH_DSL_FILES
+
+    # Controller-independent method for retrieving the current user.
+    # Needed for model security where the current controller is not available.
+    def self.current_user
+      Thread.current["current_user"] || AnonymousUser.new
+    end
+
+    # Controller-independent method for setting the current user.
+    def self.current_user=(user)
+      Thread.current["current_user"] = user
+    end
+
+    # For use in test cases only
+    def self.ignore_access_control(state = nil) # :nodoc:
+      Thread.current["ignore_access_control"] = state unless state.nil?
+      Thread.current["ignore_access_control"] || false
+    end
+
+    def self.activate_authorization_rules_browser? # :nodoc:
+      ::Rails.env.development?
+    end
+
+    @@dot_path = "dot"
+    def self.dot_path
+      @@dot_path
+    end
+
+    def self.dot_path= (path)
+      @@dot_path = path
+    end
+
+    @@default_role = :guest
+    def self.default_role
+      @@default_role
+    end
+
+    def self.default_role= (role)
+      @@default_role = role.to_sym
+    end
+
+    def self.is_a_association_proxy? (object)
+      if Rails.version < "3.2"
+        object.respond_to?(:proxy_reflection)
+      else
+        object.respond_to?(:proxy_association)
+      end
+    end
+  end
+end

data/lib/authoreyes/authorization/anonymous_user.rb

@@ -0,0 +1,11 @@
+module Authoreyes
+  module Authorization
+    # Represents a pseudo-user to facilitate anonymous users in applications
+    class AnonymousUser
+      attr_reader :role_symbols
+      def initialize (roles = [Authorization.default_role])
+        @role_symbols = roles
+      end
+    end
+  end
+end

data/lib/authoreyes/authorization/attribute.rb

@@ -0,0 +1,164 @@
+module Authoreyes
+  module Authorization
+    class Attribute
+      # attr_conditions_hash of form
+      # { :object_attribute => [operator, value_block], ... }
+      # { :object_attribute => { :attr => ... } }
+      def initialize (conditions_hash)
+        @conditions_hash = conditions_hash
+      end
+
+      def initialize_copy (from)
+        @conditions_hash = deep_hash_clone(@conditions_hash)
+      end
+
+      def validate? (attr_validator, object = nil, hash = nil)
+        object ||= attr_validator.object
+        return false unless object
+
+        if ( Authorization.is_a_association_proxy?(object) &&
+             object.respond_to?(:empty?) )
+          return false if object.empty?
+          object.each do |member|
+            return true if validate?(attr_validator, member, hash)
+          end
+          return false
+        end
+
+        (hash || @conditions_hash).all? do |attr, value|
+          attr_value = object_attribute_value(object, attr)
+          if value.is_a?(Hash)
+            if attr_value.is_a?(Enumerable)
+              attr_value.any? do |inner_value|
+                validate?(attr_validator, inner_value, value)
+              end
+            elsif attr_value == nil
+              raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
+            else
+              validate?(attr_validator, attr_value, value)
+            end
+          elsif value.is_a?(Array) and value.length == 2 and value.first.is_a?(Symbol)
+            evaluated = if value[1].is_a?(Proc)
+                          attr_validator.evaluate(value[1])
+                        else
+                          value[1]
+                        end
+            case value[0]
+            when :is
+              attr_value == evaluated
+            when :is_not
+              attr_value != evaluated
+            when :contains
+              begin
+                attr_value.include?(evaluated)
+              rescue NoMethodError => e
+                raise AuthorizationUsageError, "Operator contains requires a " +
+                    "subclass of Enumerable as attribute value, got: #{attr_value.inspect} " +
+                    "contains #{evaluated.inspect}: #{e}"
+              end
+            when :does_not_contain
+              begin
+                !attr_value.include?(evaluated)
+              rescue NoMethodError => e
+                raise AuthorizationUsageError, "Operator does_not_contain requires a " +
+                    "subclass of Enumerable as attribute value, got: #{attr_value.inspect} " +
+                    "does_not_contain #{evaluated.inspect}: #{e}"
+              end
+            when :intersects_with
+              begin
+                !(evaluated.to_set & attr_value.to_set).empty?
+              rescue NoMethodError => e
+                raise AuthorizationUsageError, "Operator intersects_with requires " +
+                    "subclasses of Enumerable, got: #{attr_value.inspect} " +
+                    "intersects_with #{evaluated.inspect}: #{e}"
+              end
+            when :is_in
+              begin
+                evaluated.include?(attr_value)
+              rescue NoMethodError => e
+                raise AuthorizationUsageError, "Operator is_in requires a " +
+                    "subclass of Enumerable as value, got: #{attr_value.inspect} " +
+                    "is_in #{evaluated.inspect}: #{e}"
+              end
+            when :is_not_in
+              begin
+                !evaluated.include?(attr_value)
+              rescue NoMethodError => e
+                raise AuthorizationUsageError, "Operator is_not_in requires a " +
+                    "subclass of Enumerable as value, got: #{attr_value.inspect} " +
+                    "is_not_in #{evaluated.inspect}: #{e}"
+              end
+            when :lt
+              attr_value && attr_value < evaluated
+            when :lte
+              attr_value && attr_value <= evaluated
+            when :gt
+              attr_value && attr_value > evaluated
+            when :gte
+              attr_value && attr_value >= evaluated
+            else
+              raise AuthorizationError, "Unknown operator #{value[0]}"
+            end
+          else
+            raise AuthorizationError, "Wrong conditions hash format"
+          end
+        end
+      end
+
+      # resolves all the values in condition_hash
+      def obligation (attr_validator, hash = nil)
+        hash = (hash || @conditions_hash).clone
+        hash.each do |attr, value|
+          if value.is_a?(Hash)
+            hash[attr] = obligation(attr_validator, value)
+          elsif value.is_a?(Array) and value.length == 2
+            hash[attr] = [value[0], attr_validator.evaluate(value[1])]
+          else
+            raise AuthorizationError, "Wrong conditions hash format"
+          end
+        end
+        hash
+      end
+
+      def to_long_s (hash = nil)
+        if hash
+          hash.inject({}) do |memo, key_val|
+            key, val = key_val
+            memo[key] = case val
+                        when Array then "#{val[0]} { #{val[1].respond_to?(:to_ruby) ? val[1].to_ruby.gsub(/^proc \{\n?(.*)\n?\}$/m, '\1') : "..."} }"
+                        when Hash then to_long_s(val)
+                        end
+            memo
+          end
+        else
+          "if_attribute #{to_long_s(@conditions_hash).inspect}"
+        end
+      end
+
+      protected
+      def object_attribute_value (object, attr)
+        begin
+          object.send(attr)
+        rescue ArgumentError, NoMethodError => e
+          raise AuthorizationUsageError, "Error occurred while validating attribute ##{attr} on #{object.inspect}: #{e}.\n" +
+            "Please check your authorization rules and ensure the attribute is correctly spelled and \n" +
+            "corresponds to a method on the model you are authorizing for."
+        end
+      end
+
+      def deep_hash_clone (hash)
+        hash.inject({}) do |memo, (key, val)|
+          memo[key] = case val
+                      when Hash
+                        deep_hash_clone(val)
+                      when NilClass, Symbol
+                        val
+                      else
+                        val.clone
+                      end
+          memo
+        end
+      end
+    end
+  end
+end