authorized_persona 0.1.0

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 4c94ee11ec5cc61e600479f513dbd1977768ff146b61ec18ae34f34aeaa2e223
4
+ data.tar.gz: 687dde9d36b005ab6a8b8d08e6b40ea7349819d765fb93c1cd4c06fb568dfc5d
5
+ SHA512:
6
+ metadata.gz: 7d146c61b9932e9eea82aea03ac7f48798ce42c47bf3eb8eb9cffc403631db58e56559a1098c7b9a640e4598858552a37ca75e6749c564882f248188c8bcd00c
7
+ data.tar.gz: e371dc3c7752412945d46cb76716d8973ad6d1cdc3149d49bf31dde852b5b12c37e10b3d05490f0b4711694bdb0d1108ea683e28bef6d6ecd9dd322919095db6
@@ -0,0 +1,11 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
9
+
10
+ # rspec failure tracking
11
+ .rspec_status
data/.rspec ADDED
@@ -0,0 +1,3 @@
1
+ --format documentation
2
+ --color
3
+ --require spec_helper
@@ -0,0 +1,3 @@
1
+ inherit_gem:
2
+ rubocop-betterment:
3
+ - config/default.yml
@@ -0,0 +1,7 @@
1
+ ---
2
+ sudo: false
3
+ language: ruby
4
+ cache: bundler
5
+ rvm:
6
+ - 2.6.1
7
+ before_install: gem install bundler -v 2.0.1
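Review bot: the CI matrix covers a single Ruby (2.6.1) and, through the committed Gemfile.lock, a single Rails (5.2.3), while the gemspec declares activemodel and railties at `>= 5.1.6.2, < 7`; neither end of that declared range is exercised. Suggest a gemfiles/ or appraisal-style matrix for 5.1 and 6.x, or narrowing the declared range to what CI actually tests.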
@@ -0,0 +1,74 @@
1
+ # Contributor Covenant Code of Conduct
2
+
3
+ ## Our Pledge
4
+
5
+ In the interest of fostering an open and welcoming environment, we as
6
+ contributors and maintainers pledge to making participation in our project and
7
+ our community a harassment-free experience for everyone, regardless of age, body
8
+ size, disability, ethnicity, gender identity and expression, level of experience,
9
+ nationality, personal appearance, race, religion, or sexual identity and
10
+ orientation.
11
+
12
+ ## Our Standards
13
+
14
+ Examples of behavior that contributes to creating a positive environment
15
+ include:
16
+
17
+ * Using welcoming and inclusive language
18
+ * Being respectful of differing viewpoints and experiences
19
+ * Gracefully accepting constructive criticism
20
+ * Focusing on what is best for the community
21
+ * Showing empathy towards other community members
22
+
23
+ Examples of unacceptable behavior by participants include:
24
+
25
+ * The use of sexualized language or imagery and unwelcome sexual attention or
26
+ advances
27
+ * Trolling, insulting/derogatory comments, and personal or political attacks
28
+ * Public or private harassment
29
+ * Publishing others' private information, such as a physical or electronic
30
+ address, without explicit permission
31
+ * Other conduct which could reasonably be considered inappropriate in a
32
+ professional setting
33
+
34
+ ## Our Responsibilities
35
+
36
+ Project maintainers are responsible for clarifying the standards of acceptable
37
+ behavior and are expected to take appropriate and fair corrective action in
38
+ response to any instances of unacceptable behavior.
39
+
40
+ Project maintainers have the right and responsibility to remove, edit, or
41
+ reject comments, commits, code, wiki edits, issues, and other contributions
42
+ that are not aligned to this Code of Conduct, or to ban temporarily or
43
+ permanently any contributor for other behaviors that they deem inappropriate,
44
+ threatening, offensive, or harmful.
45
+
46
+ ## Scope
47
+
48
+ This Code of Conduct applies both within project spaces and in public spaces
49
+ when an individual is representing the project or its community. Examples of
50
+ representing a project or community include using an official project e-mail
51
+ address, posting via an official social media account, or acting as an appointed
52
+ representative at an online or offline event. Representation of a project may be
53
+ further defined and clarified by project maintainers.
54
+
55
+ ## Enforcement
56
+
57
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
58
+ reported by contacting the project team at john@betterment.com. All
59
+ complaints will be reviewed and investigated and will result in a response that
60
+ is deemed necessary and appropriate to the circumstances. The project team is
61
+ obligated to maintain confidentiality with regard to the reporter of an incident.
62
+ Further details of specific enforcement policies may be posted separately.
63
+
64
+ Project maintainers who do not follow or enforce the Code of Conduct in good
65
+ faith may face temporary or permanent repercussions as determined by other
66
+ members of the project's leadership.
67
+
68
+ ## Attribution
69
+
70
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71
+ available at [http://contributor-covenant.org/version/1/4][version]
72
+
73
+ [homepage]: http://contributor-covenant.org
74
+ [version]: http://contributor-covenant.org/version/1/4/
data/Gemfile ADDED
@@ -0,0 +1,4 @@
1
+ source "https://rubygems.org"
2
+
3
+ # Specify your gem's dependencies in authorized_persona.gemspec
4
+ gemspec
@@ -0,0 +1,112 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ authorized_persona (0.1.0)
5
+ activemodel (>= 5.1.6.2, < 7)
6
+ railties (>= 5.1.6.2, < 7)
7
+
8
+ GEM
9
+ remote: https://rubygems.org/
10
+ specs:
11
+ actionpack (5.2.3)
12
+ actionview (= 5.2.3)
13
+ activesupport (= 5.2.3)
14
+ rack (~> 2.0)
15
+ rack-test (>= 0.6.3)
16
+ rails-dom-testing (~> 2.0)
17
+ rails-html-sanitizer (~> 1.0, >= 1.0.2)
18
+ actionview (5.2.3)
19
+ activesupport (= 5.2.3)
20
+ builder (~> 3.1)
21
+ erubi (~> 1.4)
22
+ rails-dom-testing (~> 2.0)
23
+ rails-html-sanitizer (~> 1.0, >= 1.0.3)
24
+ activemodel (5.2.3)
25
+ activesupport (= 5.2.3)
26
+ activesupport (5.2.3)
27
+ concurrent-ruby (~> 1.0, >= 1.0.2)
28
+ i18n (>= 0.7, < 2)
29
+ minitest (~> 5.1)
30
+ tzinfo (~> 1.1)
31
+ ast (2.4.0)
32
+ builder (3.2.3)
33
+ concurrent-ruby (1.1.5)
34
+ crass (1.0.4)
35
+ diff-lcs (1.3)
36
+ erubi (1.8.0)
37
+ i18n (1.6.0)
38
+ concurrent-ruby (~> 1.0)
39
+ jaro_winkler (1.5.2)
40
+ loofah (2.2.3)
41
+ crass (~> 1.0.2)
42
+ nokogiri (>= 1.5.9)
43
+ method_source (0.9.2)
44
+ mini_portile2 (2.4.0)
45
+ minitest (5.11.3)
46
+ nokogiri (1.10.3)
47
+ mini_portile2 (~> 2.4.0)
48
+ parallel (1.17.0)
49
+ parser (2.6.3.0)
50
+ ast (~> 2.4.0)
51
+ powerpack (0.1.2)
52
+ rack (2.0.7)
53
+ rack-test (1.1.0)
54
+ rack (>= 1.0, < 3)
55
+ rails-dom-testing (2.0.3)
56
+ activesupport (>= 4.2.0)
57
+ nokogiri (>= 1.6)
58
+ rails-html-sanitizer (1.0.4)
59
+ loofah (~> 2.2, >= 2.2.2)
60
+ railties (5.2.3)
61
+ actionpack (= 5.2.3)
62
+ activesupport (= 5.2.3)
63
+ method_source
64
+ rake (>= 0.8.7)
65
+ thor (>= 0.19.0, < 2.0)
66
+ rainbow (3.0.0)
67
+ rake (10.5.0)
68
+ rspec (3.8.0)
69
+ rspec-core (~> 3.8.0)
70
+ rspec-expectations (~> 3.8.0)
71
+ rspec-mocks (~> 3.8.0)
72
+ rspec-core (3.8.0)
73
+ rspec-support (~> 3.8.0)
74
+ rspec-expectations (3.8.3)
75
+ diff-lcs (>= 1.2.0, < 2.0)
76
+ rspec-support (~> 3.8.0)
77
+ rspec-mocks (3.8.0)
78
+ diff-lcs (>= 1.2.0, < 2.0)
79
+ rspec-support (~> 3.8.0)
80
+ rspec-support (3.8.0)
81
+ rubocop (0.61.1)
82
+ jaro_winkler (~> 1.5.1)
83
+ parallel (~> 1.10)
84
+ parser (>= 2.5, != 2.5.1.1)
85
+ powerpack (~> 0.1)
86
+ rainbow (>= 2.2.2, < 4.0)
87
+ ruby-progressbar (~> 1.7)
88
+ unicode-display_width (~> 1.4.0)
89
+ rubocop-betterment (1.8.0)
90
+ rubocop (~> 0.61.1)
91
+ rubocop-rspec (= 1.28.0)
92
+ rubocop-rspec (1.28.0)
93
+ rubocop (>= 0.58.0)
94
+ ruby-progressbar (1.10.1)
95
+ thor (0.20.3)
96
+ thread_safe (0.3.6)
97
+ tzinfo (1.2.5)
98
+ thread_safe (~> 0.1)
99
+ unicode-display_width (1.4.1)
100
+
101
+ PLATFORMS
102
+ ruby
103
+
104
+ DEPENDENCIES
105
+ authorized_persona!
106
+ bundler (~> 2.0)
107
+ rake (~> 10.0)
108
+ rspec (~> 3.0)
109
+ rubocop-betterment
110
+
111
+ BUNDLED WITH
112
+ 2.0.1
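Review bot: Gemfile.lock is committed and, because `spec.files` comes from `git ls-files`, is packaged into the gem (it appears under `files:` in the metadata). Consumers never use a library's lockfile, so shipping it only adds bytes and pins development resolution to Rails 5.2.3; either add it to .gitignore, as is conventional for gems, or reject it in `spec.files`.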
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2019 Betterment
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
@@ -0,0 +1,206 @@
1
+ # AuthorizedPersona
2
+
3
+ AuthorizedPersona is an extremely simple, declarative Rails
4
+ authorization library implementing the Persona Centric Authorization
5
+ pattern that Betterment developed for their internal tooling.
6
+
7
+ Persona Centric Authorization is animated by the following observations:
8
+
9
+ * Organizations are made up of folks with different skill sets and
10
+ responsibilities. For the purposes of this library, we'll call a
11
+ related set of skills and responsibilities a discipline, and the members
12
+ of a discipline a persona.
13
+ * An application built for a single persona will tend to be simpler,
14
+ more coherent, and more comprehensible for both its users and
15
+ maintainers than an application attempting to serve many personas at
16
+ once.
17
+ * Within a persona, individuals need varying levels of access to
18
+ systems based on their responsibilities, competency, accountability,
19
+ and trust levels in order to adhere to the principle of least privilege.
20
+ * Arbitrary matrix-based authorization schemes are complex and difficult
21
+ to maintain consistently as organizations, applications and
22
+ responsibilities evolve.
23
+ * It is easier to find and avoid security vulnerabilities in simpler
24
+ software.
25
+ * Code that doesn't exist in an app can't exhibit security
26
+ vulnerabilities.
27
+ * You can only perform authorization when you have full relevant context
28
+ both of who a user is, and what they are attempting to do.
29
+ * In the context of a database-backed application, it isn't an
30
+ authorization library's job to define or validate access control
31
+ relationships between system users and data. This is your application's
32
+ domain. Appropriate access controls will often emerge naturally from
33
+ your data model and trust root chaining. But even when more access
34
+ control logic is required, you will develop simpler, better-fit
35
+ solutions within your application.
36
+
37
+ Which lead us to the following conclusions:
38
+
39
+ * Applications should be built for a single persona each.
40
+ * In Rails applications, authorization should be granted and enforced
41
+ exclusively at the controller action grain because it is the only
42
+ layer in a Rails application with full context of the semantic action
43
+ being requested, and who is requesting it.
44
+ * In Rails applications, authorization logic should be limited to the
45
+ view/presenter layer, where the full context of the request is
46
+ available.
47
+ * In an application built for a single persona, we only need to define a
48
+ single privilege ladder where each tier's access is a superset of
49
+ the prior tier's in order to adhere to the principle of least privilege.
50
+
51
+ If that all sounds good to you, you should use AuthorizedPersona.
52
+
53
+ ## Installation
54
+
55
+ Add this line to your application's Gemfile:
56
+
57
+ ```ruby
58
+ gem 'authorized_persona'
59
+ ```
60
+
61
+ And then execute:
62
+
63
+ $ bundle
64
+
65
+ Or install it yourself as:
66
+
67
+ $ gem install authorized_persona
68
+
69
+ ## Usage
70
+
71
+ We'll assume you're using an authentication library like `devise` or
72
+ `clearance` that provides a `current_user` method.
73
+
74
+ 1. Integrate AuthorizedPersona into your user model.
75
+
76
+ The example uses ActiveRecord, but any ActiveModel-based ORM will do.
77
+ Your model only needs to have a string attribute named
78
+ `authorization_tier`.
79
+
80
+ ```ruby
81
+ # app/models/user.rb
82
+ class User < ApplicationRecord
83
+ include AuthorizedPersona::Persona
84
+
85
+ authorization_tiers(
86
+ trainee: "Trainee - limited access",
87
+ staff: "Staff - standard access",
88
+ admin: "Admin - all access"
89
+ )
90
+
91
+ # You can use a custom attribute name, if desired, e.g.
92
+ # self.authorization_tier_attribute_name = :auth_tier
93
+
94
+ # If you want to use validations to keep bad data from making it into your table
95
+ # do the following. The authorization_tier_names method is defined by AuthorizedPersona based
96
+ # on the `authorization_tiers` declaration above.
97
+ validates :authorization_tier, inclusion: { in: authorization_tier_names }
98
+
99
+ # Your code here...
100
+ end
101
+ ```
102
+
103
+ 2. Add AuthorizedPersona to your base controller:
104
+
105
+ ```ruby
106
+ # app/controllers/application_controller.rb
107
+ class ApplicationController < ActionController::Base
108
+ include AuthorizedPersona::Authorization
109
+
110
+ authorize_persona class_name: "User"
111
+
112
+ # or optionally override the method name we use to fetch current_[class_name] e.g.:
113
+ #
114
+ # authorize_persona class_name: "User", current_user_method_name: :current_fancy_user
115
+
116
+ # Your code here...
117
+ end
118
+ ```
119
+
120
+ At this point, no user is authorized to make a request to any descendent
121
+ of `ApplicationController`.
122
+
123
+ 3. Grant privileges in your base controller or any subclass:
124
+
125
+ ```ruby
126
+ # app/controllers/comments_controller.rb
127
+ class CommentsControlller < ApplicationController
128
+ grant(
129
+ trainee: [:index, :show],
130
+ staff: :all
131
+ )
132
+
133
+ def index
134
+ # ...
135
+ end
136
+
137
+ def show
138
+ # ...
139
+ end
140
+
141
+ def create
142
+ # ...
143
+ end
144
+ end
145
+ ```
146
+
147
+ In the scenario above, trainees will only be authorized to `index` and
148
+ `show` comments. Staff and above (including admins) will be able to
149
+ `create` comments as well (as well as any other actions that may be
150
+ defined).
151
+
152
+ Grants are inherited by subclasses, but every grant encountered
153
+ completely overrides any previous grants. This is by design to prevent
154
+ accidental privilege leakage into high-security controllers. If you see
155
+ a grant definition in a controller, you can be confident that that is
156
+ the complete definition for that controller and that no other grants
157
+ apply.
158
+
159
+ 4. Make display decisions based on authorization in your views:
160
+
161
+ ```erb
162
+ <%# app/views/home/index.html.erb %>
163
+
164
+ <% if authorized_to?(:create, :comment) %>
165
+ <%= link_to("Comment...", new_comment_path) %>
166
+ <% end %>
167
+ ```
168
+
169
+ 5. (Advanced) If you need to segment data access by authorization tier, in your
170
+ presenters:
171
+
172
+ ```ruby
173
+ # app/presenters/bill_search.rb
174
+ class BillSearch
175
+ attr_reader :searcher, :query
176
+
177
+ def initialize(searcher:, query:)
178
+ @searcher = searcher
179
+ @query = query
180
+ end
181
+
182
+ def bills
183
+ # AuthorizedPersona::Persona provides #[tier]_and_above? methods for all defined tiers
184
+ relation = searcher.admin_or_above? ? Bills.all : Bills.nonsensitive
185
+ relation.where('title like ?', query)
186
+ end
187
+ end
188
+ ```
189
+
190
+ ## Development
191
+
192
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
193
+
194
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
195
+
196
+ ## Contributing
197
+
198
+ Bug reports and pull requests are welcome on GitHub at https://github.com/Betterment/authorized_persona. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
199
+
200
+ ## License
201
+
202
+ The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
203
+
204
+ ## Code of Conduct
205
+
206
+ Everyone interacting in the AuthorizedPersona project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/Betterment/authorized_persona/blob/master/CODE_OF_CONDUCT.md).
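Review bot: the `authorize_persona` example in step 2 documents a `current_user_method_name:` option, but `authorize_persona` in lib/authorized_persona/authorization.rb accepts `current_user_method:`; following the README as written raises ArgumentError for an unknown keyword. Three smaller points in the same hunk: the class in step 3 is spelled `CommentsControlller`; the comment in step 5 refers to `#[tier]_and_above?` while the code two lines later (and the Persona module) defines `#{tier}_or_above?`; and the conclusions list states both that authorization should be granted and enforced "exclusively at the controller action grain" and that "authorization logic should be limited to the view/presenter layer", which contradict each other unless the second bullet means display decisions that depend on authorization, as step 4 describes. Suggest `current_user_method: :current_fancy_user`, `CommentsController`, `_or_above?`, and rewording the second bullet to "authorization-dependent display logic".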
@@ -0,0 +1,10 @@
1
+ require "bundler/gem_tasks"
2
+ require "rspec/core/rake_task"
3
+
4
+ RSpec::Core::RakeTask.new(:spec)
5
+
6
+ task :rubocop do
7
+ sh 'rubocop'
8
+ end
9
+
10
+ task default: %i(rubocop spec)
@@ -0,0 +1,34 @@
1
+ lib = File.expand_path('lib', __dir__)
2
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
+ require "authorized_persona/version"
4
+
5
+ Gem::Specification.new do |spec|
6
+ spec.name = "authorized_persona"
7
+ spec.version = AuthorizedPersona::VERSION
8
+ spec.authors = ["John Mileham"]
9
+ spec.email = ["john@betterment.com"]
10
+
11
+ spec.summary = "the simplest authorization library you will ever love"
12
+ spec.description = "AuthorizedPersona is a rails implementation of Betterment's Persona Centric Authorization pattern"
13
+ spec.homepage = "https://github.com/Betterment/authorized_persona"
14
+ spec.license = "MIT"
15
+
16
+ # Specify which files should be added to the gem when it is released.
17
+ # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
18
+ spec.files = Dir.chdir(File.expand_path(__dir__)) do
19
+ `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
20
+ end
21
+ spec.bindir = "exe"
22
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
23
+ spec.require_paths = ["lib"]
24
+
25
+ rails_version_range = [">= 5.1.6.2", "< 7"]
26
+
27
+ spec.add_dependency "activemodel", *rails_version_range
28
+ spec.add_dependency "railties", *rails_version_range
29
+
30
+ spec.add_development_dependency "bundler", "~> 2.0"
31
+ spec.add_development_dependency "rake", "~> 10.0"
32
+ spec.add_development_dependency "rspec", "~> 3.0"
33
+ spec.add_development_dependency "rubocop-betterment"
34
+ end
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "authorized_persona"
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ # require "pry"
11
+ # Pry.start
12
+
13
+ require "irb"
14
+ IRB.start(__FILE__)
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,14 @@
1
+ require "authorized_persona/version"
2
+
3
+ require "rails"
4
+ require "active_model"
5
+
6
+ require "authorized_persona/persona"
7
+ require "authorized_persona/authorization"
8
+ require 'authorized_persona/view_helpers'
9
+
10
+ require "authorized_persona/railtie"
11
+
12
+ module AuthorizedPersona
13
+ class Error < StandardError; end
14
+ end
@@ -0,0 +1,104 @@
1
+ module AuthorizedPersona
2
+ module Authorization
3
+ extend ActiveSupport::Concern
4
+
5
+ included do
6
+ class_attribute :authorization_persona_class_name
7
+ class_attribute :authorization_current_user_method
8
+ class_attribute :authorized_actions
9
+ self.authorized_actions = {}
10
+
11
+ helper_method :authorization_current_user
12
+
13
+ before_action :authorize!
14
+ end
15
+
16
+ class_methods do
17
+ # Configure authorization for an authorized persona class
18
+ def authorize_persona(class_name:, current_user_method: nil) # rubocop:disable Metrics/AbcSize
19
+ raise AuthorizedPersona::Error, "you can only configure authorization once" if authorization_persona_class_name.present?
20
+ raise AuthorizedPersona::Error, "class_name must be a string" unless class_name.is_a?(String)
21
+ raise AuthorizedPersona::Error, "current_user_method must be a symbol" if current_user_method && !current_user_method.is_a?(Symbol)
22
+
23
+ self.authorization_persona_class_name = class_name
24
+
25
+ unless authorization_persona < AuthorizedPersona::Persona
26
+ raise AuthorizedPersona::Error, "#{class_name} must be an AuthorizedPersona::Persona"
27
+ end
28
+
29
+ self.authorization_current_user_method = current_user_method || :"current_#{authorization_persona.model_name.singular_route_key}"
30
+ end
31
+
32
+ # Grants replace all previous grants to avoid privilege leakage
33
+ def grant(privileges) # rubocop:disable Metrics/AbcSize
34
+ self.authorized_actions = Hash[privileges.map { |auth_tier, actions| [auth_tier.to_s, [actions].flatten.map(&:to_sym)] }]
35
+
36
+ tier_names = authorization_persona.authorization_tier_names
37
+ extra_keys = authorized_actions.keys - authorization_persona.authorization_tier_names
38
+ if extra_keys.present?
39
+ raise AuthorizedPersona::Error, "invalid grant: #{authorization_persona_class_name} " \
40
+ "has authorization tiers #{tier_names.join(', ')} but received extra keys: #{extra_keys.join(', ')}"
41
+ end
42
+ end
43
+
44
+ def authorization_persona
45
+ unless authorization_persona_class_name.is_a?(String)
46
+ raise AuthorizedPersona::Error, "you must configure authorization, e.g. `authorize_persona class_name: 'User'`"
47
+ end
48
+
49
+ authorization_persona_class_name.constantize
50
+ end
51
+
52
+ def authorized?(current_user:, action:)
53
+ raise AuthorizedPersona::Error, "#{current_user} is not a #{authorization_persona}" unless current_user.is_a?(authorization_persona)
54
+
55
+ current_user.authorization_tier_at_or_above?(authorized_tier(action: action))
56
+ end
57
+
58
+ def authorized_tier(action:)
59
+ action = action.to_sym
60
+ authorization_persona.authorization_tier_names.each do |tier|
61
+ actions = authorized_actions[tier] || []
62
+ return tier if actions == [:all] || actions.include?(action)
63
+ end
64
+ raise AuthorizedPersona::Error, "missing authorization grant for #{name}##{action}"
65
+ end
66
+ end
67
+
68
+ def authorized?
69
+ authorization_current_user && authorization_current_user.authorization_tier_at_or_above?(authorized_tier)
70
+ end
71
+
72
+ private
73
+
74
+ def authorization_current_user
75
+ unless authorization_current_user_method.is_a?(Symbol)
76
+ raise AuthorizedPersona::Error, "you must configure authorization with a valid current_user method name, " \
77
+ "e.g. `authorize_persona class_name: 'User', current_user_method: :my_custom_current_user`"
78
+ end
79
+
80
+ send(self.class.authorization_current_user_method)
81
+ end
82
+
83
+ def authorized_tier
84
+ self.class.authorized_tier(action: params[:action])
85
+ end
86
+
87
+ def authorize! # rubocop:disable Metrics/MethodLength
88
+ return if authorized?
89
+
90
+ respond_to do |format|
91
+ format.html do
92
+ flash[:error] = 'You are not authorized to perform this action.'
93
+ redirect_back fallback_location: '/', allow_other_host: false
94
+ end
95
+ format.json do
96
+ render json: {}, status: :unauthorized
97
+ end
98
+ format.any do
99
+ head :unauthorized
100
+ end
101
+ end
102
+ end
103
+ end
104
+ end
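Review bot: `authorize!` answers a failed authorization with 401 Unauthorized for JSON and for `format.any`, but by the time `authorization_current_user` has returned a persona the request is already authenticated; the status for an authenticated but unpermitted request is 403 Forbidden, and returning 401 prompts API clients to retry authentication rather than report a permission problem. Suggest `render json: {}, status: :forbidden` and `head :forbidden`. Two further points: the gemspec admits Rails `>= 5.1.6.2`, so confirm that `redirect_back fallback_location: '/', allow_other_host: false` is honoured on every version in that range; on a version whose `redirect_back` does not accept that keyword it is forwarded to `redirect_to` and silently ignored, and the Referer is followed unconditionally. In `grant`, `extra_keys` recomputes `authorization_persona.authorization_tier_names` instead of reusing the `tier_names` local defined on the line above.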
@@ -0,0 +1,63 @@
1
+ module AuthorizedPersona
2
+ module Persona
3
+ extend ActiveSupport::Concern
4
+
5
+ class_methods do
6
+ # Get the attribute name for authorization_tier
7
+ def authorization_tier_attribute_name
8
+ @authorization_tier_attribute_name || :authorization_tier
9
+ end
10
+
11
+ # Override the attribute name for authorization_tier
12
+ def authorization_tier_attribute_name=(override)
13
+ raise AuthorizedPersona::Error, "authorization_tier_attribute_name must be a symbol" unless override.is_a?(Symbol)
14
+
15
+ @authorization_tier_attribute_name = override
16
+ end
17
+
18
+ # Label-first for use in forms
19
+ def authorization_tier_collection
20
+ @authorization_tier_collection = @authorization_tiers.invert
21
+ end
22
+
23
+ # Just the tier slugs for inclusion validations, etc.
24
+ def authorization_tier_names
25
+ @authorization_tier_names ||= @authorization_tiers.keys.map(&:to_s)
26
+ end
27
+
28
+ # Configure the authorization tiers in my_tier_slug: "My Tier Title And Description" form from lowest to highest privilege.
29
+ def authorization_tiers(tiers) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
30
+ raise AuthorizedPersona::Error, "you can only define authorization tiers once" if instance_variable_defined?(:@authorization_tiers)
31
+
32
+ if !tiers.is_a?(Hash) || !tiers.all? { |k, v| k.is_a?(Symbol) && v.is_a?(String) }
33
+ raise('you must provide a hash of symbol tier names and string descriptions, e.g. " +
34
+ trainee: "Trainee - limited access", staff: "Staff - regular access", admin: "Admin - full access"')
35
+ end
36
+
37
+ instance_methods = Module.new
38
+ include instance_methods
39
+
40
+ instance_methods.module_eval do
41
+ tiers.keys.each do |tier|
42
+ define_method "#{tier}_or_above?" do
43
+ authorization_tier_at_or_above?(tier)
44
+ end
45
+ end
46
+ end
47
+
48
+ @authorization_tiers = tiers.freeze
49
+ end
50
+
51
+ private
52
+
53
+ def authorization_tier_level(tier)
54
+ authorization_tier_names.index(tier.to_s) || raise("Invalid authorization tier: #{tier}")
55
+ end
56
+ end
57
+
58
+ def authorization_tier_at_or_above?(target_tier)
59
+ attr_name = public_send(self.class.authorization_tier_attribute_name)
60
+ self.class.send(:authorization_tier_level, attr_name) >= self.class.send(:authorization_tier_level, target_tier)
61
+ end
62
+ end
63
+ end
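Review bot: the error raised in `authorization_tiers` when the argument is not a Hash of Symbol => String is built from a single-quoted literal that still contains a stray `" +` from an earlier concatenation, so the message users see reads `... e.g. " + trainee: "Trainee - limited access" ...`; it also raises a bare RuntimeError while every other guard in the gem raises AuthorizedPersona::Error. Suggest one AuthorizedPersona::Error with a cleanly quoted example. Smaller points: `authorization_tier_collection` assigns with `=` rather than `||=`, so the instance variable is recomputed on every call and serves no purpose (and `invert` silently drops a tier if two tiers share the same description string); `authorization_tier_level` raises RuntimeError for an unknown tier, so a persisted `authorization_tier` value outside the declared names (the README makes the inclusion validation optional) turns every request through `authorize!` into a 500 rather than a denial; and the local `attr_name` in `authorization_tier_at_or_above?` holds the tier value read from the attribute, not the attribute name.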
@@ -0,0 +1,7 @@
1
+ module AuthorizedPersona
2
+ class Railtie < Rails::Railtie
3
+ initializer "authorized_persona.view_helpers" do
4
+ ActionView::Base.send :include, AuthorizedPersona::ViewHelpers
5
+ end
6
+ end
7
+ end
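Review bot: `ActionView::Base.send :include, AuthorizedPersona::ViewHelpers` inside the initializer forces ActionView::Base to load during boot; the idiomatic form is `ActiveSupport.on_load(:action_view) { include AuthorizedPersona::ViewHelpers }`, which defers inclusion until the class is actually loaded and avoids ordering problems with other engines' view helpers.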
@@ -0,0 +1,3 @@
1
+ module AuthorizedPersona
2
+ VERSION = "0.1.0".freeze
3
+ end
@@ -0,0 +1,11 @@
1
+ module AuthorizedPersona
2
+ module ViewHelpers
3
+ def authorized_to?(action, resource)
4
+ route = Rails.application.routes.named_routes[resource]
5
+ raise AuthorizedPersona::Error, "Unable to determine route for #{resource}" if route.nil?
6
+
7
+ controller_class = (route.defaults[:controller].camelize + 'Controller').constantize
8
+ controller_class.authorized?(current_user: authorization_current_user, action: action)
9
+ end
10
+ end
11
+ end
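Review bot: `authorized_to?` assumes the named route resolves to a controller and that the rendering controller includes AuthorizedPersona::Authorization. `route.defaults[:controller]` is nil for routes that point at a mounted Rack app or a redirect, so `.camelize` raises NoMethodError instead of the helper's own AuthorizedPersona::Error; and `controller_class.authorized?` raises when `authorization_current_user` is nil, so calling the helper from a page that is reachable while signed out raises instead of returning false. Suggest extending the existing "Unable to determine route" guard to a nil controller default, and returning false for a nil persona to match the instance-level `authorized?` in the controller concern.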
metadata ADDED
@@ -0,0 +1,159 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: authorized_persona
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - John Mileham
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2019-06-07 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: activemodel
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: 5.1.6.2
20
+ - - "<"
21
+ - !ruby/object:Gem::Version
22
+ version: '7'
23
+ type: :runtime
24
+ prerelease: false
25
+ version_requirements: !ruby/object:Gem::Requirement
26
+ requirements:
27
+ - - ">="
28
+ - !ruby/object:Gem::Version
29
+ version: 5.1.6.2
30
+ - - "<"
31
+ - !ruby/object:Gem::Version
32
+ version: '7'
33
+ - !ruby/object:Gem::Dependency
34
+ name: railties
35
+ requirement: !ruby/object:Gem::Requirement
36
+ requirements:
37
+ - - ">="
38
+ - !ruby/object:Gem::Version
39
+ version: 5.1.6.2
40
+ - - "<"
41
+ - !ruby/object:Gem::Version
42
+ version: '7'
43
+ type: :runtime
44
+ prerelease: false
45
+ version_requirements: !ruby/object:Gem::Requirement
46
+ requirements:
47
+ - - ">="
48
+ - !ruby/object:Gem::Version
49
+ version: 5.1.6.2
50
+ - - "<"
51
+ - !ruby/object:Gem::Version
52
+ version: '7'
53
+ - !ruby/object:Gem::Dependency
54
+ name: bundler
55
+ requirement: !ruby/object:Gem::Requirement
56
+ requirements:
57
+ - - "~>"
58
+ - !ruby/object:Gem::Version
59
+ version: '2.0'
60
+ type: :development
61
+ prerelease: false
62
+ version_requirements: !ruby/object:Gem::Requirement
63
+ requirements:
64
+ - - "~>"
65
+ - !ruby/object:Gem::Version
66
+ version: '2.0'
67
+ - !ruby/object:Gem::Dependency
68
+ name: rake
69
+ requirement: !ruby/object:Gem::Requirement
70
+ requirements:
71
+ - - "~>"
72
+ - !ruby/object:Gem::Version
73
+ version: '10.0'
74
+ type: :development
75
+ prerelease: false
76
+ version_requirements: !ruby/object:Gem::Requirement
77
+ requirements:
78
+ - - "~>"
79
+ - !ruby/object:Gem::Version
80
+ version: '10.0'
81
+ - !ruby/object:Gem::Dependency
82
+ name: rspec
83
+ requirement: !ruby/object:Gem::Requirement
84
+ requirements:
85
+ - - "~>"
86
+ - !ruby/object:Gem::Version
87
+ version: '3.0'
88
+ type: :development
89
+ prerelease: false
90
+ version_requirements: !ruby/object:Gem::Requirement
91
+ requirements:
92
+ - - "~>"
93
+ - !ruby/object:Gem::Version
94
+ version: '3.0'
95
+ - !ruby/object:Gem::Dependency
96
+ name: rubocop-betterment
97
+ requirement: !ruby/object:Gem::Requirement
98
+ requirements:
99
+ - - ">="
100
+ - !ruby/object:Gem::Version
101
+ version: '0'
102
+ type: :development
103
+ prerelease: false
104
+ version_requirements: !ruby/object:Gem::Requirement
105
+ requirements:
106
+ - - ">="
107
+ - !ruby/object:Gem::Version
108
+ version: '0'
109
+ description: AuthorizedPersona is a rails implementation of Betterment's Persona Centric
110
+ Authorization pattern
111
+ email:
112
+ - john@betterment.com
113
+ executables: []
114
+ extensions: []
115
+ extra_rdoc_files: []
116
+ files:
117
+ - ".gitignore"
118
+ - ".rspec"
119
+ - ".rubocop.yml"
120
+ - ".travis.yml"
121
+ - CODE_OF_CONDUCT.md
122
+ - Gemfile
123
+ - Gemfile.lock
124
+ - LICENSE.txt
125
+ - README.md
126
+ - Rakefile
127
+ - authorized_persona.gemspec
128
+ - bin/console
129
+ - bin/setup
130
+ - lib/authorized_persona.rb
131
+ - lib/authorized_persona/authorization.rb
132
+ - lib/authorized_persona/persona.rb
133
+ - lib/authorized_persona/railtie.rb
134
+ - lib/authorized_persona/version.rb
135
+ - lib/authorized_persona/view_helpers.rb
136
+ homepage: https://github.com/Betterment/authorized_persona
137
+ licenses:
138
+ - MIT
139
+ metadata: {}
140
+ post_install_message:
141
+ rdoc_options: []
142
+ require_paths:
143
+ - lib
144
+ required_ruby_version: !ruby/object:Gem::Requirement
145
+ requirements:
146
+ - - ">="
147
+ - !ruby/object:Gem::Version
148
+ version: '0'
149
+ required_rubygems_version: !ruby/object:Gem::Requirement
150
+ requirements:
151
+ - - ">="
152
+ - !ruby/object:Gem::Version
153
+ version: '0'
154
+ requirements: []
155
+ rubygems_version: 3.0.3
156
+ signing_key:
157
+ specification_version: 4
158
+ summary: the simplest authorization library you will ever love
159
+ test_files: []
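Review bot: `cert_chain: []` and an empty `signing_key:` mean the published gem is unsigned, so consumers can only rely on the registry's checksums rather than verifying the author's signature; consider setting `spec.cert_chain` and `spec.signing_key` in the gemspec. Also `required_ruby_version` is `>= 0` while CI runs only Ruby 2.6.1; declaring the tested minimum in the gemspec prevents installation on Ruby versions that were never exercised.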