authorizy 0.1.0

data/lib/generators/authorizy/templates/config/initializers/authorizy.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+Authorizy.configure do |config|
+  # Creates aliases to automatically allow permission for another action.
+  # https://github.com/wbotelhos/authorizy#aliases
+  # config.aliases = {}
+
+  # An interceptor to filter the request and decide if the request will be authorized
+  # https://github.com/wbotelhos/authorizy#cop
+  # config.cop = Authorizy::BaseCop
+
+  # The current user from we fetch the permissions
+  # https://github.com/wbotelhos/authorizy#current-user
+  # config.current_user = -> (context) { context.respond_to?(:current_user) ? context.current_user : nil }
+
+  # Inherited permissions from some other permission the user already has
+  # https://github.com/wbotelhos/authorizy#dependencies
+  # config.dependencies = {}
+
+  # URL to be redirect when user has no permission to access some resource
+  # https://github.com/wbotelhos/authorizy#dependencies
+  # config.redirect_url = -> (context) { context.respond_to?(:root_url) ? context.root_url : '/' }
+end

data/lib/generators/authorizy/templates/db/migrate/add_authorizy_on_users.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddAuthorizyOnUsers < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :authorizy, :jsonb, default: {}, null: false
+  end
+end

data/spec/authorizy/base_cop/access_question_spec.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::BaseCop, '#access?' do
+  subject(:cop) { described_class.new('current_user', 'params', 'session', 'controller', 'action') }
+
+  it 'returns false as default' do
+    expect(cop.access?).to be(false)
+  end
+end

data/spec/authorizy/config/aliases_spec.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#aliases' do
+  subject(:config) { described_class.new }
+
+  it 'has default value and can receive a new one' do
+    expect(subject.aliases).to eq({})
+
+    config.aliases = 'value'
+
+    expect(config.aliases).to eq('value')
+  end
+end

data/spec/authorizy/config/cop_spec.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#cop' do
+  subject(:config) { described_class.new }
+
+  it 'has default value and can receive a new one' do
+    expect(subject.cop).to eq(Authorizy::BaseCop)
+
+    config.cop = 'value'
+
+    expect(config.cop).to eq('value')
+  end
+end

data/spec/authorizy/config/current_user_spec.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#current_user' do
+  subject(:config) { described_class.new }
+
+  context 'when uses default value' do
+    context 'when context responds to current_user' do
+      let!(:context) { OpenStruct.new(current_user: 'user') }
+
+      it 'is called' do
+        expect(subject.current_user.call(context)).to eq('user')
+      end
+    end
+
+    context 'when context does not respond to current_user' do
+      let!(:context) { 'context' }
+
+      it 'returns nil' do
+        expect(subject.current_user.call(context)).to be(nil)
+      end
+    end
+  end
+
+  context 'when uses custom value' do
+    it 'executes what you want' do
+      config.current_user = -> (context) { context[:value] }
+
+      expect(config.current_user.call({ value: 'value' })).to eq('value')
+    end
+  end
+end

data/spec/authorizy/config/dependencies_spec.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#dependencies' do
+  subject(:config) { described_class.new }
+
+  it 'has default value and can receive a new one' do
+    expect(subject.dependencies).to eq({})
+
+    config.dependencies = 'value'
+
+    expect(config.dependencies).to eq('value')
+  end
+end

data/spec/authorizy/config/initialize_spec.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config do
+  it 'starts with a default cop' do
+    expect(subject.cop).to eq(Authorizy::BaseCop)
+  end
+end

data/spec/authorizy/config/redirect_url_spec.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Config, '#redirect_url' do
+  subject(:config) { described_class.new }
+
+  context 'when uses default value' do
+    context 'when context responds to root_url' do
+      let!(:context) { OpenStruct.new(root_url: '/root') }
+
+      it 'is called' do
+        expect(subject.redirect_url.call(context)).to eq('/root')
+      end
+    end
+
+    context 'when context does not respond to root_url' do
+      let!(:context) { 'context' }
+
+      it 'returns just a slash' do
+        expect(subject.redirect_url.call(context)).to eq('/')
+      end
+    end
+  end
+
+  context 'when uses custom value' do
+    it 'executes what you want' do
+      config.redirect_url = -> (context) { context[:value] }
+
+      expect(config.redirect_url.call({ value: 'value' })).to eq('value')
+    end
+  end
+end

data/spec/authorizy/cop/controller_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'support/models/authorizy_cop'
+require 'support/models/empty_cop'
+require 'support/controllers/dummy_controller'
+
+RSpec.describe DummyController, '#authorizy', type: :controller do
+  let!(:parameters) { ActionController::Parameters.new(key: 'value', controller: 'dummy', action: 'action') }
+  let!(:user) { User.new }
+
+  context 'when cop responds to the controller name' do
+    context 'when method resturns false' do
+      it 'denies the access' do
+        config_mock(cop: AuthorizyCop, current_user: user) do
+          get :action, params: { access: false }
+        end
+
+        expect(response).to redirect_to('/')
+      end
+    end
+
+    context 'when method resturns true' do
+      it 'denies the access' do
+        config_mock(cop: AuthorizyCop, current_user: user) do
+          get :action, params: { access: true }
+        end
+
+        expect(response.body).to eq('{"message":"authorized"}')
+      end
+    end
+  end
+
+  context 'when cop responds to the controller name' do
+    it 'denies the access' do
+      config_mock(cop: EmptyCop, current_user: user) do
+        get :action
+      end
+
+      expect(response).to redirect_to('/')
+    end
+  end
+end

data/spec/authorizy/cop/model_spec.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'support/models/authorizy_cop'
+
+RSpec.describe AuthorizyCop do
+  subject(:cop) { described_class.new('current_user', 'params', 'session', 'controller', 'action') }
+
+  it 'adds private attributes readers' do
+    expect(cop.get_action).to       eq('action')
+    expect(cop.get_controller).to   eq('controller')
+    expect(cop.get_current_user).to eq('current_user')
+    expect(cop.get_params).to       eq('params')
+    expect(cop.get_session).to      eq('session')
+  end
+end

data/spec/authorizy/cop/namespaced_controller_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'support/models/authorizy_cop'
+require 'support/models/empty_cop'
+require 'support/controllers/admin/dummy_controller'
+
+RSpec.describe Admin::DummyController, '#authorizy', type: :controller do
+  let!(:parameters) { ActionController::Parameters.new(key: 'value', controller: 'admin/users', action: 'action') }
+  let!(:user) { User.new }
+
+  context 'when cop responds to the controller name' do
+    context 'when method resturns false' do
+      it 'denies the access' do
+        config_mock(cop: AuthorizyCop, current_user: user) do
+          get :action, params: { admin: false }
+        end
+
+        expect(response).to redirect_to('/')
+      end
+    end
+
+    context 'when method resturns true' do
+      it 'denies the access' do
+        config_mock(cop: AuthorizyCop, current_user: user) do
+          get :action, params: { admin: true }
+        end
+
+        expect(response.body).to eq('{"message":"authorized"}')
+      end
+    end
+  end
+
+  context 'when cop responds to the controller name' do
+    it 'denies the access' do
+      config_mock(cop: EmptyCop, current_user: user) do
+        get :action
+      end
+
+      expect(response).to redirect_to('/')
+    end
+  end
+end

data/spec/authorizy/core/access_spec.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Core, '#access?' do
+  context 'when permissions is in session as string' do
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'create', 'controller' => 'controller' } }
+    let!(:session) { { 'permissions' => [{ 'action' => 'create', 'controller' => 'controller' }] } }
+
+    it 'uses the session value skipping the user fetch' do
+      expect(described_class.new(current_user, params, session).access?).to be(true)
+    end
+  end
+
+  context 'when permissions is not in session' do
+    subject(:authorizy) { described_class.new(current_user, params, session) }
+
+    let!(:current_user) { User.new(authorizy: { permissions: [{ action: 'create', controller: 'match' }] }) }
+    let!(:params) { { 'action' => 'create', 'controller' => 'match' } }
+    let!(:session) { {} }
+
+    it 'fetches the permission from user' do
+      expect(authorizy.access?).to be(true)
+    end
+  end
+
+  context 'when session has no permission nor the user' do
+    subject(:authorizy) { described_class.new(current_user, params, session) }
+
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'create', 'controller' => 'match' } }
+    let!(:session) { {} }
+
+    it { expect(authorizy.access?).to be(false) }
+  end
+
+  context 'when cop does not respond to controller' do
+    subject(:authorizy) { described_class.new(current_user, params, session) }
+
+    let!(:cop) { instance_double('Authorizy.config.cop') }
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'create', 'controller' => 'missing' } }
+    let!(:session) { {} }
+
+    before do
+      allow(Authorizy.config.cop).to receive(:new)
+        .with(current_user, params, session, 'missing', 'create')
+        .and_return(cop)
+
+      allow(cop).to receive(:respond_to?).with('missing').and_return(false)
+    end
+
+    it 'does not authorize via cop' do
+      expect(authorizy.access?).to be(false)
+    end
+  end
+
+  context 'when cop responds to controller' do
+    subject(:authorizy) { described_class.new(current_user, params, session) }
+
+    let!(:cop) { instance_double('Authorizy.config.cop') }
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'create', 'controller' => 'match' } }
+    let!(:session) { {} }
+
+    before do
+      allow(Authorizy.config.cop).to receive(:new)
+        .with(current_user, params, session, 'match', 'create')
+        .and_return(cop)
+
+      allow(cop).to receive(:respond_to?).with('match').and_return(true)
+    end
+
+    context 'when cop does not release the access' do
+      it 'continues trying via session and so user permissions' do
+        allow(cop).to receive(:public_send).with('match').and_return(false)
+
+        expect(authorizy.access?).to be(false)
+      end
+    end
+
+    context 'when cop releases the access' do
+      it 'skips session and user permission return true to the access' do
+        allow(cop).to receive(:public_send).with('match').and_return(true)
+
+        expect(authorizy.access?).to be(true)
+      end
+    end
+  end
+
+  context 'when controller is given' do
+    subject(:authorizy) { described_class.new(current_user, params, session, controller: 'controller') }
+
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'action', 'controller' => 'ignored' } }
+    let!(:session) { { 'permissions' => [{ 'action' => 'action', 'controller' => 'controller' }] } }
+
+    it 'uses the given controller over the one on params' do
+      expect(authorizy.access?).to be(true)
+    end
+  end
+
+  context 'when action is given' do
+    subject(:authorizy) { described_class.new(current_user, params, session, action: 'action') }
+
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'ignored', 'controller' => 'controller' } }
+    let!(:session) { { 'permissions' => [{ 'action' => 'action', 'controller' => 'controller' }] } }
+
+    it 'uses the given action over the one on params' do
+      expect(authorizy.access?).to be(true)
+    end
+  end
+
+  context 'when user has the controller permission but not action' do
+    subject(:authorizy) { described_class.new(current_user, params, session) }
+
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'action', 'controller' => 'controller' } }
+    let!(:session) { { 'permissions' => [{ 'action' => 'miss', 'controller' => 'controller' }] } }
+
+    it 'cannot access' do
+      expect(authorizy.access?).to be(false)
+    end
+  end
+
+  context 'when user has the action permission but not controller' do
+    subject(:authorizy) { described_class.new(current_user, params, session) }
+
+    let!(:current_user) { User.new }
+    let!(:params) { { 'action' => 'action', 'controller' => 'controller' } }
+    let!(:session) { { 'permissions' => [{ 'action' => 'create', 'controller' => 'miss' }] } }
+
+    it 'cannot access' do
+      expect(authorizy.access?).to be(false)
+    end
+  end
+end

data/spec/authorizy/expander/expand_spec.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+RSpec.describe Authorizy::Expander, '#expand' do
+  subject(:expander) { described_class.new }
+
+  context 'when permissions is blank' do
+    let(:permissions) { [] }
+
+    it 'returns an empty permissions' do
+      expect(expander.expand(permissions)).to eq []
+    end
+  end
+
+  context 'when permissions is given' do
+    context 'when data is symbol' do
+      let(:permissions) do
+        [
+          { action: :create, controller: :controller },
+          { action: :edit, controller: :controller },
+          { action: :new, controller: :controller },
+          { action: :update, controller: :controller },
+        ]
+      end
+
+      it 'mappes the default actions aliases' do
+        expect(expander.expand(permissions)).to match_array [
+          { 'action' => 'create', 'controller' => 'controller' },
+          { 'action' => 'edit',   'controller' => 'controller' },
+          { 'action' => 'new',    'controller' => 'controller' },
+          { 'action' => 'update', 'controller' => 'controller' },
+        ]
+      end
+    end
+
+    context 'when data is string' do
+      let(:permissions) do
+        [
+          { 'action' => 'create', 'controller' => 'controller' },
+          { 'action' => 'edit', 'controller' => 'controller' },
+          { 'action' => 'new', 'controller' => 'controller' },
+          { 'action' => 'update', 'controller' => 'controller' },
+        ]
+      end
+
+      it 'mappes the default actions aliases' do
+        expect(expander.expand(permissions)).to match_array [
+          { 'action' => 'create', 'controller' => 'controller' },
+          { 'action' => 'edit',   'controller' => 'controller' },
+          { 'action' => 'new',    'controller' => 'controller' },
+          { 'action' => 'update', 'controller' => 'controller' },
+        ]
+      end
+    end
+  end
+
+  context 'when a dependencies is given' do
+    context 'when keys and values are strings' do
+      let(:dependencies) { { 'controller' => { 'action' => [{ 'action' => 'action2', 'controller' => 'controller2' }] } } }
+      let!(:permissions) { [{ 'action' => 'action', 'controller' => 'controller' }] }
+
+      it 'addes the dependencies permissions' do
+        config_mock(dependencies: dependencies) do
+          expect(expander.expand(permissions)).to match_array [
+            { 'action' => 'action', 'controller' => 'controller' },
+            { 'action' => 'action2', 'controller' => 'controller2' },
+          ]
+        end
+      end
+    end
+
+    context 'when keys and values are symbol' do
+      let(:dependencies) { { controller: { action: [{ action: :action2, controller: :controller2 }] } } }
+      let!(:permissions) { [{ 'action' => 'action', 'controller' => 'controller' }] }
+
+      it 'addes the dependencies permissions' do
+        config_mock(dependencies: dependencies) do
+          expect(expander.expand(permissions)).to match_array [
+            { 'action' => 'action', 'controller' => 'controller' },
+            { 'action' => 'action2', 'controller' => 'controller2' },
+          ]
+        end
+      end
+    end
+  end
+
+
+  context 'when aliases is given' do
+    let!(:permissions) { [{ 'action' => 'action', 'controller' => 'controller' }] }
+
+    context 'when key and values are strings' do
+      let(:aliases) { { 'action' => 'action2' } }
+
+      it 'mappes the action with the current controller' do
+        config_mock(aliases: aliases) do
+          expect(expander.expand(permissions)).to match_array [
+            { 'action' => 'action', 'controller' => 'controller' },
+            { 'action' => 'action2', 'controller' => 'controller' },
+          ]
+        end
+      end
+    end
+
+    context 'when key and values are symbols' do
+      let(:aliases) { { action: :action2 } }
+
+      it 'mappes the action with the current controller' do
+        config_mock(aliases: aliases) do
+          expect(expander.expand(permissions)).to match_array [
+            { 'action' => 'action', 'controller' => 'controller' },
+            { 'action' => 'action2', 'controller' => 'controller' },
+          ]
+        end
+      end
+    end
+
+    context 'when key and values are array of strings' do
+      let(:aliases) { { action: %w[action2 action3] } }
+
+      it 'mappes the actions with the current controller' do
+        config_mock(aliases: aliases) do
+          expect(expander.expand(permissions)).to match_array [
+            { 'action' => 'action', 'controller' => 'controller' },
+            { 'action' => 'action2', 'controller' => 'controller' },
+            { 'action' => 'action3', 'controller' => 'controller' },
+          ]
+        end
+      end
+    end
+
+    context 'when key and values are array of symbols' do
+      let(:aliases) { { action: %i[action2 action3] } }
+
+      it 'mappes the actions with the current controller' do
+        config_mock(aliases: aliases) do
+          expect(expander.expand(permissions)).to match_array [
+            { 'action' => 'action', 'controller' => 'controller' },
+            { 'action' => 'action2', 'controller' => 'controller' },
+            { 'action' => 'action3', 'controller' => 'controller' },
+          ]
+        end
+      end
+    end
+  end
+end