authorize 0.0.1

data/lib/authorize/redis/connection_specification.rb

@@ -0,0 +1,16 @@
+module Authorize
+  module Redis
+    class ConnectionSpecification
+      attr_reader :db_spec
+
+      def initialize(db_spec)
+        @db_spec = db_spec
+      end
+
+      # Factory method returning a new connection to the database conforming to the specification
+      def connect!
+        ::Redis.new(db_spec)
+      end
+    end
+  end
+end

data/lib/authorize/redis/factory.rb

@@ -0,0 +1,64 @@
+module Authorize
+  module Redis
+    # A Factory is designed to help build relevant test fixtures in the context of a test.  In order to preserve a high
+    # signal-to-noise ratio in the test, a factory needs to *concisely* build fixtures even at the expense of supporting
+    # cool features.  As a result, index management and references to other values are the responsibility of the programmer.
+    class Factory
+      attr_reader :db
+
+      def self.build(ns = nil, &block)
+        self.new.tap do |f|
+          f.namespace(ns, &block) if ns
+        end
+      end
+
+      def initialize(db = Base.db)
+        @namespace = nil
+        @db = db
+      end
+
+      def namespace(name, &block)
+        @old_namespace, @namespace = @namespace, subordinate_key(name)
+        if block_given?
+          self.instance_eval(&block)
+          @namespace = @old_namespace
+        else
+          self
+        end
+      end
+
+      def string(name, value = "")
+        key = subordinate_key(name)
+        db.set(key, value)
+        namespace(name){yield} if block_given?
+        Redis::String.load(key)
+      end
+
+      def hash(name, value = {})
+        key = subordinate_key(name)
+        value.each {|k, v| db.hset(key, k, v)}
+        namespace(name){yield} if block_given?
+        Redis::Hash.load(key)
+      end
+
+      def set(name, value = ::Set[])
+        key = subordinate_key(name)
+        value.each {|v| db.sadd(key, v)}
+        namespace(name){yield} if block_given?
+        Redis::Set.load(key)
+      end
+
+      def array(name, value = [])
+        key = subordinate_key(name)
+        value.each {|v| db.rpush(key, v)}
+        namespace(name){yield} if block_given?
+        Redis::Array.load(key)
+      end
+
+      private
+      def subordinate_key(key)
+        Authorize::Redis::Base.subordinate_key(@namespace, key)
+      end
+    end
+  end
+end

data/lib/authorize/redis/fixtures.rb

@@ -0,0 +1,22 @@
+module Authorize
+  module Redis
+    # Persist Ruby objects to Redis DB using natural type affinity
+    module Fixtures
+      def create_fixtures(db, pathname, flush = true)
+        db.flushdb if flush
+        fixtures = YAML.load(ERB.new(pathname.read).result)
+        fixtures.each do |node|
+          node.each_pair do |key, value|
+            case value
+              when ::Hash then value.each_pair {|k, v| db.hset(key, k, v)}
+              when ::Set then value.each {|v| db.sadd(key, v)}
+              when ::Array then value.each {|v| db.rpush(key, v)}
+              else db.set(key, value) # String, Fixnum, NilClass
+            end
+          end
+        end
+      end
+      module_function :create_fixtures
+    end
+  end
+end

data/lib/authorize/redis/hash.rb

@@ -0,0 +1,34 @@
+module Authorize
+  module Redis
+    class Hash < Base
+      undef to_a # In older versions of Ruby, Object#to_a is invoked and #method_missing is never called.
+
+      def valid?
+        %w(none hash).include?(db.type(id))
+      end
+
+      def get(k)
+        db.hget(id, k)
+      end
+      alias [] get
+
+      def set(k, v)
+        db.hset(id, k, v)
+      end
+      alias []= set
+
+      def merge(h)
+        return self if h.empty?
+        args = h.inject([]) do |m,(k,v)|
+          m << k
+          m << v
+        end
+        db.hmset(id, *args)
+      end
+
+      def __getobj__
+        db.hgetall(id)
+      end
+    end
+  end
+end

data/lib/authorize/redis/model_reference.rb

@@ -0,0 +1,21 @@
+module Authorize
+  module Redis
+    # Support foreign keys that reference Redis::Base-like models.
+    module ModelReference
+      # Load the model whose key is held in the given string key.
+      def load_reference(key, klass)
+        reference = klass.db.get(key)
+        reference && klass.load(reference)
+      end
+
+      def set_reference(key, model)
+        if model
+          Authorize::Redis::String.db.set(key, model.id)
+        else
+          Authorize::Redis::String.db.del(key) && nil
+        end
+      end
+      module_function :load_reference, :set_reference
+    end
+  end
+end

data/lib/authorize/redis/model_set.rb

@@ -0,0 +1,19 @@
+module Authorize
+  module Redis
+    # A persistent set of homomorphic Redis-like models
+    class ModelSet < Redis::Set
+      def initialize(klass)
+        super()
+        @klass = klass
+      end
+
+      [:add, :delete, :include?].each do |m|
+        define_method(m) {|v| super(v.id)}
+      end
+
+      def __getobj__
+        super.map{|eid| @klass.load(eid)}.to_set.freeze
+      end
+    end
+  end
+end

data/lib/authorize/redis/set.rb

@@ -0,0 +1,42 @@
+module Authorize
+  module Redis
+    class Set < Base
+      undef to_a # In older versions of Ruby, Object#to_a is invoked and #method_missing is never called.
+
+      def valid?
+        %w(none set).include?(db.type(id))
+      end
+
+      def add(v)
+        db.sadd(id, v)
+      end
+
+      def <<(v)
+        add(v)
+      end
+
+      def delete(v)
+        db.srem(id, v)
+      end
+
+      def include?(v)
+        db.sismember(id, v)
+      end
+      alias member? include?
+
+      def sample(n = 1)
+        return method_missing(:sample, n) unless n == 1
+        db.srandmember(id)
+      end
+
+      def first(n = 1)
+        return method_missing(:first, n) unless n == 1
+        sample(n)
+      end
+
+      def __getobj__
+        db.smembers(id).to_set
+      end
+    end
+  end
+end

data/lib/authorize/redis/string.rb

@@ -0,0 +1,17 @@
+module Authorize
+  module Redis
+    class String < Base
+      def valid?
+        %w(none string).include?(db.type(id))
+      end
+
+      def __getobj__
+        db.get(id)
+      end
+
+      def set(v)
+        db.set(id, v)
+      end
+    end
+  end
+end

data/lib/authorize/resource.rb

@@ -0,0 +1,4 @@
+module Authorize
+  module Resource
+  end
+end

data/lib/authorize/resource_pool.rb

@@ -0,0 +1,87 @@
+require 'monitor'
+require 'set'
+require 'forwardable'
+
+module Authorize
+  # Arbitrate thread-safe access to a limited set of expensive and perishable objects
+  class ResourcePool
+    extend Forwardable
+
+    def_delegators :@pool, :include?
+    def_delegators :@tokens, :empty?
+
+    attr_reader :num_waiting
+
+    # Create a new unfilled resource pool with a capacity of of at most max_size objects.  The pool
+    # is lazily filled by the factory lambda.
+    def initialize(max_size, factory)
+      @factory = factory
+      @pool = []
+      @tokens = []
+      @monitor = Monitor.new
+      @tokens_cv = @monitor.new_cond
+      @num_waiting = 0
+      max_size.times {|i| @tokens.unshift(i)}
+    end
+
+    def size
+      @pool.compact.length
+    end
+
+    def available
+      @tokens.size
+    end
+
+    # Checkout an object from the pool.  Arguments are passed unmolested to ConditionVariable#wait to manage timeouts.
+    def checkout(*args)
+      @monitor.synchronize do
+        until token = @tokens.pop
+          begin
+            @num_waiting += 1
+            raise "Timed out during checkout" unless @tokens_cv.wait(*args)
+          ensure
+            @num_waiting -= 1
+          end
+        end
+        @pool[token] ||= @factory.call
+      end
+    end
+
+    # Return an object to the pool
+    def checkin(obj)
+      @monitor.synchronize do
+        token = @pool.index(obj)
+        raise "#{obj} has not been checked out from this pool" unless token && !@tokens.include?(token)
+        @tokens.push(token) if token
+        @tokens_cv.signal
+      end
+    end
+
+    # Expire resources in inventory with the given block.  Available (not reserved) pool members are
+    # yielded to the block.  The object is expired (removed permanently from the pool) if the block
+    # returns a true-ish value.
+    def expire
+      @monitor.synchronize do
+        @tokens.each do |i|
+          next unless obj = @pool[i]
+          @pool[i] = nil if yield obj
+        end
+      end
+    end
+
+    # Freshen objects in inventory with the given block
+    def freshen
+      expire {|obj| yield(obj) ; return false}
+    end
+
+    # Remove all resources from the pool and revoke all tokens
+    # TODO: don't brutally/blindly revoke tokens -raise an exception or fire a callback, and address waiting threads.
+    def clear!
+      @monitor.synchronize do
+        @pool.each_index {|i| @tokens << i}
+        @tokens.uniq!
+        @pool.clear
+      end
+    end
+  end
+end

data/lib/authorize/role.rb

@@ -0,0 +1,115 @@
+require 'authorize/redis'
+
+class Authorize::Role < ActiveRecord::Base
+  set_table_name 'authorize_roles'
+  belongs_to :resource, :polymorphic => true
+  has_many :permissions, :class_name => "Authorize::Permission", :dependent => :delete_all
+  validates_uniqueness_of :name, :scope => [:resource_type, :resource_id]
+  validates_uniqueness_of :relation, :scope => [:resource_type, :resource_id]
+  after_create :create_vertex
+  before_destroy :destroy_vertex
+
+  named_scope :as, lambda{|relation| {:conditions => {:relation => relation}}}
+  named_scope :identity, {:conditions => {:relation => nil}}
+
+  GRAPH_ID = Authorize::Graph::DirectedAcyclicGraph.subordinate_key(Authorize::Role, 'graph')
+  VERTICES_ID_PREFIX = Authorize::Graph::DirectedAcyclicGraph.subordinate_key(Authorize::Role, 'vertices')
+
+  def self.const_missing(const)
+    if global_role = scoped(:conditions => {:resource_type => nil, :resource_id => nil}).find_by_relation(const.to_s)
+      const_set(const, global_role)
+    else
+      super
+    end
+  end
+
+  def self.graph
+    @graph ||= Authorize::Graph::DirectedGraph.load(GRAPH_ID).tap do |g|
+      g.vertex_namespace = VERTICES_ID_PREFIX
+    end
+  end
+
+  def create_vertex
+    self.class.graph.vertex(id)
+  end
+
+  def destroy_vertex
+    vertex.destroy
+  end
+
+  # Link from this role's vertex to other's vertex in the system role graph.  This role becomes the parent.
+  def link(other)
+    self.class.graph.join(nil, vertex, other.vertex)
+  end
+
+  # Unlink this role's vertex from other's vertex in the system role graph.
+  def unlink(other)
+    self.class.graph.disjoin(vertex, other.vertex)
+  end
+
+  # Creates or updates the unique permission for a given resource to have the given modes
+  # Example:  public.may(:list, :read, widget)
+  def may(*args)
+    p = permissions.for(args.pop).find_or_initialize_by_role_id(id) # need a #find_or_initialize_by_already_specified_scope
+    p.mask += Authorize::Permission::Mask[*args]
+    p.save
+    p.mask.complete
+  end
+
+  # Updates or deletes the unique permission for a given resource to not have the given modes
+  # Example:  public.may_not(:update, widget)
+  def may_not(*args)
+    p = permissions.for(args.pop).first
+    return Authorize::Permission::Mask[] unless p
+    p.mask -= Authorize::Permission::Mask[*args].complete
+    p.mask.empty? ? p.destroy : p.save
+    p.mask.complete
+  end
+
+  # Test if all given modes are permitted for the given resource
+  def may?(*args)
+    return false unless p = permissions.for(args.pop).first
+    mask = Authorize::Permission::Mask[*args].complete
+    mask.subset?(p.mask)
+  end
+
+  # Test if none of the given modes are permitted for the given resource
+  def may_not?(*args)
+    return true unless p = permissions.for(args.pop).first
+    mask = Authorize::Permission::Mask[*args].complete
+    (mask & p.mask).empty?
+  end
+
+  def to_s
+    (name || "%s") % resource rescue "!! INVALID ROLE NAME !!"
+  end
+
+  def vertex
+    raise 'Not possible to dereference vertex for an unpersisted role' unless id
+    @vertex ||= self.class.graph.vertex_by_name(id)
+  end
+
+  def roles
+    ids = traverser.map{|v| v.id.slice(/#{VERTICES_ID_PREFIX}::(\d+)/, 1)}
+    self.class.find(ids).to_set
+  end
+
+  def descendants
+    roles.delete(self)
+  end
+
+  def ancestors
+    ids = reverse_traverser.map{|v| v.id.slice(/#{VERTICES_ID_PREFIX}::(\d+)/, 1)}
+    ids -= [id.to_s]
+    self.class.find(ids).to_set
+  end
+
+  private
+  def traverser
+    @traverser ||= Authorize::Graph::DirectedAcyclicGraphTraverser.traverse(vertex)
+  end
+
+  def reverse_traverser
+    @reverse_traverser ||= Authorize::Graph::DirectedAcyclicGraphReverseTraverser.traverse(vertex)
+  end
+end