authorizy 0.1.0 → 0.3.0

data/lib/authorizy/rspec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'rspec/expectations'
+
+RSpec::Matchers.define :be_authorized do |controller, action, params: {}, session: {}|
+  match do |user|
+    parameters = params.merge(controller: controller, action: action)
+
+    access?(user, parameters, session)
+  end
+
+  match_when_negated do |user|
+    parameters = params.merge(controller: controller, action: action)
+
+    !access?(user, parameters, session)
+  end
+
+  failure_message do |user|
+    maybe_params_or_session("expected #{user.class}##{user.id} to be authorized in #{data}", params, session)
+  end
+
+  failure_message_when_negated do |user|
+    maybe_params_or_session("expected #{user.class}##{user.id} not to be authorized in #{data}", params, session)
+  end
+
+  private
+
+  def access?(user, params, session)
+    cop = Authorizy.config.cop.new(user, params, session)
+
+    Authorizy::Core.new(user, params, session, cop: cop).access?
+  end
+
+  def maybe_params_or_session(message, params, session)
+    message += ", params: #{params}" if params.present?
+    message += ", session: #{session}" if session.present?
+
+    message
+  end
+
+  def data
+    %(controller: "#{expected[0]}", action: "#{expected[1]}")
+  end
+end

data/lib/authorizy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Authorizy
-  VERSION = '0.1.0'
+  VERSION = '0.3.0'
 end

data/spec/authorizy/base_cop/access_question_spec.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 RSpec.describe Authorizy::BaseCop, '#access?' do
-  subject(:cop) { described_class.new('current_user', 'params', 'session', 'controller', 'action') }
+  let!(:params) { { 'controller' => 'controller', 'action' => 'action' } }
+  let(:cop) { described_class.new('current_user', params, 'session') }
 
   it 'returns false as default' do
     expect(cop.access?).to be(false)

data/spec/authorizy/config/aliases_spec.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
 RSpec.describe Authorizy::Config, '#aliases' do
-  subject(:config) { described_class.new }
+  let!(:config) { described_class.new }
 
   it 'has default value and can receive a new one' do
-    expect(subject.aliases).to eq({})
+    expect(config.aliases).to eq({})
 
     config.aliases = 'value'
 

data/spec/authorizy/config/cop_spec.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
 RSpec.describe Authorizy::Config, '#cop' do
-  subject(:config) { described_class.new }
+  let!(:config) { described_class.new }
 
   it 'has default value and can receive a new one' do
-    expect(subject.cop).to eq(Authorizy::BaseCop)
+    expect(config.cop).to eq(Authorizy::BaseCop)
 
     config.cop = 'value'
 

data/spec/authorizy/config/current_user_spec.rb

@@ -1,29 +1,27 @@
 # frozen_string_literal: true
 
 RSpec.describe Authorizy::Config, '#current_user' do
-  subject(:config) { described_class.new }
+  let!(:config) { described_class.new }
 
   context 'when uses default value' do
     context 'when context responds to current_user' do
       let!(:context) { OpenStruct.new(current_user: 'user') }
 
       it 'is called' do
-        expect(subject.current_user.call(context)).to eq('user')
+        expect(config.current_user.call(context)).to eq('user')
       end
     end
 
     context 'when context does not respond to current_user' do
       let!(:context) { 'context' }
 
-      it 'returns nil' do
-        expect(subject.current_user.call(context)).to be(nil)
-      end
+      it { expect(config.current_user.call(context)).to be(nil) }
     end
   end
 
   context 'when uses custom value' do
     it 'executes what you want' do
-      config.current_user = -> (context) { context[:value] }
+      config.current_user = ->(context) { context[:value] }
 
       expect(config.current_user.call({ value: 'value' })).to eq('value')
     end

data/spec/authorizy/config/dependencies_spec.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
 RSpec.describe Authorizy::Config, '#dependencies' do
-  subject(:config) { described_class.new }
+  let!(:config) { described_class.new }
 
   it 'has default value and can receive a new one' do
-    expect(subject.dependencies).to eq({})
+    expect(config.dependencies).to eq({})
 
     config.dependencies = 'value'
 

data/spec/authorizy/config/field_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#field' do
+  let!(:config) { described_class.new }
+
+  context 'when uses default value' do
+    context 'when current_user responds to authorizy' do
+      let!(:current_user) { OpenStruct.new(authorizy: { permissions: [%i[users index]] }) }
+
+      it 'is called' do
+        expect(config.field.call(current_user)).to eq(permissions: [%i[users index]])
+      end
+    end
+
+    context 'when current_user does not respond to field' do
+      let!(:current_user) { nil }
+
+      it { expect(config.field.call(current_user)).to eq({}) }
+    end
+  end
+
+  context 'when uses custom value' do
+    it 'executes what you want' do
+      config.field = ->(current_user) { current_user[:value] }
+
+      expect(config.field.call({ value: 'value' })).to eq('value')
+    end
+  end
+end

data/spec/authorizy/config/initialize_spec.rb

@@ -2,6 +2,6 @@
 
 RSpec.describe Authorizy::Config do
   it 'starts with a default cop' do
-    expect(subject.cop).to eq(Authorizy::BaseCop)
+    expect(described_class.new.cop).to eq(Authorizy::BaseCop)
   end
 end

data/spec/authorizy/config/redirect_url_spec.rb

@@ -1,14 +1,14 @@
 # frozen_string_literal: true
 
 RSpec.describe Authorizy::Config, '#redirect_url' do
-  subject(:config) { described_class.new }
+  let!(:config) { described_class.new }
 
   context 'when uses default value' do
     context 'when context responds to root_url' do
       let!(:context) { OpenStruct.new(root_url: '/root') }
 
       it 'is called' do
-        expect(subject.redirect_url.call(context)).to eq('/root')
+        expect(config.redirect_url.call(context)).to eq('/root')
       end
     end
 
@@ -16,14 +16,14 @@ RSpec.describe Authorizy::Config, '#redirect_url' do
       let!(:context) { 'context' }
 
       it 'returns just a slash' do
-        expect(subject.redirect_url.call(context)).to eq('/')
+        expect(config.redirect_url.call(context)).to eq('/')
       end
     end
   end
 
   context 'when uses custom value' do
     it 'executes what you want' do
-      config.redirect_url = -> (context) { context[:value] }
+      config.redirect_url = ->(context) { context[:value] }
 
       expect(config.redirect_url.call({ value: 'value' })).to eq('value')
     end

data/spec/authorizy/cop/controller_spec.rb

@@ -5,7 +5,6 @@ require 'support/models/empty_cop'
 require 'support/controllers/dummy_controller'
 
 RSpec.describe DummyController, '#authorizy', type: :controller do
-  let!(:parameters) { ActionController::Parameters.new(key: 'value', controller: 'dummy', action: 'action') }
   let!(:user) { User.new }
 
   context 'when cop responds to the controller name' do
@@ -30,7 +29,7 @@ RSpec.describe DummyController, '#authorizy', type: :controller do
     end
   end
 
-  context 'when cop responds to the controller name' do
+  context 'when cop does not respond to the controller name' do
     it 'denies the access' do
       config_mock(cop: EmptyCop, current_user: user) do
         get :action

data/spec/authorizy/cop/model_spec.rb

@@ -3,13 +3,14 @@
 require 'support/models/authorizy_cop'
 
 RSpec.describe AuthorizyCop do
-  subject(:cop) { described_class.new('current_user', 'params', 'session', 'controller', 'action') }
+  let!(:params) { { controller: 'controller', action: 'action' } }
+  let(:cop) { described_class.new('current_user', params, 'session') }
 
   it 'adds private attributes readers' do
-    expect(cop.get_action).to       eq('action')
-    expect(cop.get_controller).to   eq('controller')
-    expect(cop.get_current_user).to eq('current_user')
-    expect(cop.get_params).to       eq('params')
-    expect(cop.get_session).to      eq('session')
+    expect(cop.fetch_action).to       eq('action')
+    expect(cop.fetch_controller).to   eq('controller')
+    expect(cop.fetch_current_user).to eq('current_user')
+    expect(cop.fetch_params).to       eq(controller: 'controller', action: 'action')
+    expect(cop.fetch_session).to      eq('session')
   end
 end

data/spec/authorizy/cop/namespaced_controller_spec.rb

@@ -5,7 +5,6 @@ require 'support/models/empty_cop'
 require 'support/controllers/admin/dummy_controller'
 
 RSpec.describe Admin::DummyController, '#authorizy', type: :controller do
-  let!(:parameters) { ActionController::Parameters.new(key: 'value', controller: 'admin/users', action: 'action') }
   let!(:user) { User.new }
 
   context 'when cop responds to the controller name' do
@@ -30,7 +29,7 @@ RSpec.describe Admin::DummyController, '#authorizy', type: :controller do
     end
   end
 
-  context 'when cop responds to the controller name' do
+  context 'when cop does not respond to the controller name' do
     it 'denies the access' do
       config_mock(cop: EmptyCop, current_user: user) do
         get :action

data/spec/authorizy/core/access_spec.rb

@@ -1,137 +1,181 @@
 # frozen_string_literal: true
 
 RSpec.describe Authorizy::Core, '#access?' do
-  context 'when permissions is in session as string' do
+  context 'when cop#access? returns true' do
+    let!(:cop) { OpenStruct.new(access?: true) }
     let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'create', 'controller' => 'controller' } }
-    let!(:session) { { 'permissions' => [{ 'action' => 'create', 'controller' => 'controller' }] } }
+    let!(:params) { { action: 'any', controller: 'any' } }
+    let!(:session) { {} }
 
-    it 'uses the session value skipping the user fetch' do
-      expect(described_class.new(current_user, params, session).access?).to be(true)
+    it 'is authorized based in the cop response' do
+      expect(described_class.new(current_user, params, session, cop: cop).access?).to be(true)
     end
   end
 
-  context 'when permissions is not in session' do
-    subject(:authorizy) { described_class.new(current_user, params, session) }
-
-    let!(:current_user) { User.new(authorizy: { permissions: [{ action: 'create', controller: 'match' }] }) }
-    let!(:params) { { 'action' => 'create', 'controller' => 'match' } }
+  context 'when permissions is in the current user' do
+    let!(:cop) { OpenStruct.new(access?: false) }
+    let!(:current_user) { User.new(authorizy: { permissions: [%w[controller create]] }) }
+    let!(:params) { { controller: 'controller', action: 'create' } }
     let!(:session) { {} }
 
-    it 'fetches the permission from user' do
-      expect(authorizy.access?).to be(true)
+    it 'is authorized based on the user permissions' do
+      expect(described_class.new(current_user, params, session, cop: cop).access?).to be(true)
     end
   end
 
   context 'when session has no permission nor the user' do
-    subject(:authorizy) { described_class.new(current_user, params, session) }
-
+    let!(:cop) { OpenStruct.new(access?: false) }
     let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'create', 'controller' => 'match' } }
+    let!(:params) { { controller: 'match', action: 'create' } }
     let!(:session) { {} }
 
-    it { expect(authorizy.access?).to be(false) }
+    it 'does not authorize' do
+      expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+    end
   end
 
   context 'when cop does not respond to controller' do
-    subject(:authorizy) { described_class.new(current_user, params, session) }
-
-    let!(:cop) { instance_double('Authorizy.config.cop') }
+    let!(:cop) { instance_double('Authorizy::BaseCop', access?: false) }
     let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'create', 'controller' => 'missing' } }
+    let!(:params) { { action: 'create', controller: 'missing' } }
     let!(:session) { {} }
 
-    before do
-      allow(Authorizy.config.cop).to receive(:new)
-        .with(current_user, params, session, 'missing', 'create')
-        .and_return(cop)
-
-      allow(cop).to receive(:respond_to?).with('missing').and_return(false)
-    end
-
     it 'does not authorize via cop' do
-      expect(authorizy.access?).to be(false)
+      expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
     end
   end
 
   context 'when cop responds to controller' do
-    subject(:authorizy) { described_class.new(current_user, params, session) }
-
-    let!(:cop) { instance_double('Authorizy.config.cop') }
     let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'create', 'controller' => 'match' } }
+    let!(:params) { { controller: 'admin/controller', action: 'create' } }
     let!(:session) { {} }
 
-    before do
-      allow(Authorizy.config.cop).to receive(:new)
-        .with(current_user, params, session, 'match', 'create')
-        .and_return(cop)
-
-      allow(cop).to receive(:respond_to?).with('match').and_return(true)
-    end
-
     context 'when cop does not release the access' do
-      it 'continues trying via session and so user permissions' do
-        allow(cop).to receive(:public_send).with('match').and_return(false)
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            false
+          end
+        end.new(current_user, params, session)
+      end
 
-        expect(authorizy.access?).to be(false)
+      it 'is not authorized by cop' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
       end
     end
 
     context 'when cop releases the access' do
-      it 'skips session and user permission return true to the access' do
-        allow(cop).to receive(:public_send).with('match').and_return(true)
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            true
+          end
+        end.new(current_user, params, session)
+      end
 
-        expect(authorizy.access?).to be(true)
+      it 'is authorized by the cop' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(true)
       end
     end
-  end
 
-  context 'when controller is given' do
-    subject(:authorizy) { described_class.new(current_user, params, session, controller: 'controller') }
+    context 'when cop return nil' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            nil
+          end
+        end.new(current_user, params, session)
+      end
 
-    let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'action', 'controller' => 'ignored' } }
-    let!(:session) { { 'permissions' => [{ 'action' => 'action', 'controller' => 'controller' }] } }
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return empty' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            ''
+          end
+        end.new(current_user, params, session)
+      end
 
-    it 'uses the given controller over the one on params' do
-      expect(authorizy.access?).to be(true)
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
     end
-  end
 
-  context 'when action is given' do
-    subject(:authorizy) { described_class.new(current_user, params, session, action: 'action') }
+    context 'when cop return nothing' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
 
-    let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'ignored', 'controller' => 'controller' } }
-    let!(:session) { { 'permissions' => [{ 'action' => 'action', 'controller' => 'controller' }] } }
+          def admin__controller; end
+        end.new(current_user, params, session)
+      end
 
-    it 'uses the given action over the one on params' do
-      expect(authorizy.access?).to be(true)
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
+    end
+
+    context 'when cop return true as string' do
+      let!(:cop) do
+        Class.new(Authorizy::BaseCop) do
+          def access?
+            false
+          end
+
+          def admin__controller
+            'true'
+          end
+        end.new(current_user, params, session)
+      end
+
+      it 'is converted to false' do
+        expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
+      end
     end
   end
 
   context 'when user has the controller permission but not action' do
-    subject(:authorizy) { described_class.new(current_user, params, session) }
-
+    let!(:cop) { instance_double('Authorizy::BaseCop', access?: false) }
     let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'action', 'controller' => 'controller' } }
-    let!(:session) { { 'permissions' => [{ 'action' => 'miss', 'controller' => 'controller' }] } }
+    let!(:params) { { controller: 'controller', action: 'action' } }
+    let!(:session) { { permissions: [%w[controller miss]] } }
 
-    it 'cannot access' do
-      expect(authorizy.access?).to be(false)
+    it 'is not authorized' do
+      expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
     end
   end
 
   context 'when user has the action permission but not controller' do
-    subject(:authorizy) { described_class.new(current_user, params, session) }
-
+    let!(:cop) { instance_double('Authorizy::BaseCop', access?: false) }
     let!(:current_user) { User.new }
-    let!(:params) { { 'action' => 'action', 'controller' => 'controller' } }
-    let!(:session) { { 'permissions' => [{ 'action' => 'create', 'controller' => 'miss' }] } }
+    let!(:params) { { controller: 'controller', action: 'action' } }
+    let!(:session) { { permissions: [%w[miss action]] } }
 
-    it 'cannot access' do
-      expect(authorizy.access?).to be(false)
+    it 'is not authorized' do
+      expect(described_class.new(current_user, params, session, cop: cop).access?).to be(false)
     end
   end
 end