authorizy 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d9be49c0763122d6a892671c240a9211720a664a62d66ee457c31203a436c0f8
+  data.tar.gz: 8c6806a8c63b06c3f750cba5ed61ce512e8520b79d20273711cfdac1b1345188
+SHA512:
+  metadata.gz: 4aecc0fc9dfb238e9a0b4948bf49e424ae3bdd1ce9d8b5942c8ae66605c259b0f2f80b0800dcf6c383248a76a6a47ead49f42ff4f746523875eb8fb8e3c2a628
+  data.tar.gz: 62386459e46f79d0d17a21e4229fd69c4915eb762f115adf2a76323590f0c471ef325bfa9f8c44ab6283a20e32dd196692da4958fd9a1f436255baafa83d1248

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+# v0.1.0
+
+## Features
+
+- Enables permission control via JSON data;

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Washington Botelho
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,190 @@
+# Authorizy
+
+[![CI](https://github.com/wbotelhos/authorizy/workflows/CI/badge.svg)](https://github.com/wbotelhos/authorizy/actions)
+[![Gem Version](https://badge.fury.io/rb/authorizy.svg)](https://badge.fury.io/rb/authorizy)
+[![Maintainability](https://api.codeclimate.com/v1/badges/f312587b4f126bb13e85/maintainability)](https://codeclimate.com/github/wbotelhos/authorizy/maintainability)
+[![Coverage](https://codecov.io/gh/wbotelhos/blogy/branch/master/graph/badge.svg?token=PENDING)](https://codecov.io/gh/wbotelhos/authorizy)
+[![Sponsor](https://img.shields.io/badge/donate-%3C3-brightgreen.svg)](https://www.patreon.com/wbotelhos)
+
+A JSON based Authorization.
+
+##### Why not [cancancan](https://github.com/CanCanCommunity/cancancan)?
+
+I have been working with cancan/cancancan for years. Since the beginning with [database access](https://github.com/CanCanCommunity/cancancan/blob/develop/docs/Abilities-in-Database.md). After a while, I realised I built a couple of abstractions around `ability` class and suddenly migrated to JSON for better performance. As I need a full role admin I decided to start to extract this logic to a gem.
+
+## Install
+
+Add the following code on your `Gemfile` and run `bundle install`:
+
+```ruby
+gem 'authorizy'
+```
+
+Run the following task to create Authorizy migration and initialize.
+
+```sh
+rails g rating:install
+```
+
+Then execute the migration to adds the column `authorizy` to your `users` table.
+
+```sh
+rake db:migrate
+```
+
+## Usage
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Authorizy::Extension
+end
+```
+
+Add the `authorizy` filter on the controller you want enables authorization.
+
+```ruby
+class UserController < ApplicationController
+  before_action :authorizy
+end
+```
+
+## JSON
+
+The column `authorizy` is a JSON column that has a key called `permission` with a list of permissions identified by the controller and action name which the user can access.
+
+```ruby
+{
+  permissions: [
+    { controller: :user, action: :create },
+    { controller: :user, action: :update },
+  }
+}
+```
+
+## Configuration
+
+You can change the default configuration.
+
+### Aliases
+
+Alias is an action that maps another action. We have some defaults.
+
+|Action|alias |
+|------|------|
+|create|new   |
+|edit  |update|
+|new   |create|
+|update|edit  |
+
+You can add more alias, for example, all permissions for action `index` will allow access to action `gridy` of the same controller. So `users#index` will allow `users#gridy` too.
+
+```ruby
+Authorizy.configure do |config|
+  config.aliases = { index: :gridy }
+end
+```
+
+### Dependencies
+
+You can allow access to one or more controllers and actions based on your permissions. It'll consider not only the `action`, like [aliases](#aliases) but the controller either.
+
+```ruby
+Authorizy.configure do |config|
+  config.dependencies = {
+    payments: {
+      index: [
+        { controller: :users, action: :index },
+        { controller: :enrollments, action: :index },
+      ]
+    }
+  }
+end
+```
+
+So now if a have the permission `payments#index` I'll receive more two permissions: `users#index` and `enrollments#index`.
+
+### Cop
+
+Sometimes we need to allow access in runtime because the permission will depend on the request data and/or some dynamic logic. For this you can create a *Cop* class, the inherit from `Authorizy::BaseCop`, to allow it based on logic. It works like a [Interceptor](https://en.wikipedia.org/wiki/Interceptor_pattern).
+
+First, you need to configure your cop:
+
+```ruby
+Authorizy.configure do |config|
+  config.cop = AuthorizyCop
+end
+```
+
+Now creates the cop class. The following example will intercept all access to the controller `users_controller`:
+
+```ruby
+class AuthorizyCop < Authorizy::BaseCop
+  def users
+    return false if action           == 'create'
+    return false if controller       == 'users'
+    return true  if current_user     == User.find_by(admin: true)
+    return true  if params[:allow]   == 'true'
+    return true  if session[:logged] == 'true'
+  end
+end
+```
+
+As you can see, you have access to a couple of variables: `action`, `controller`, `current_user`, `params`, and `session`.
+
+If your controller has a namespace, just use `__` to separate the modules name:
+
+```ruby
+class AuthorizyCop < Authorizy::BaseCop
+  def admin__users
+  end
+end
+```
+
+### Current User
+
+By default Authorizy fetch the current user from the variable `current_user`. You have a config, that receives the controller context, where you can change it:
+
+```ruby
+Authorizy.configure do |config|
+  config.current_user -> (context) { context.current_person }
+end
+```
+
+### Redirect URL
+
+When authorization fails and the request is not a XHR request a redirect happens to `/` path. You can change it:
+
+```ruby
+Authorizy.configure do |config|
+  config.redirect_url -> (context) { context.new_session_url }
+end
+```
+
+# Helper
+
+You can use `authorizy?` method to check if `current_user` has access to some `controller` and `action`.
+
+Using on controller:
+
+```ruby
+class UserController < ApplicationController
+  before_action :assign_events, if: -> { authorizy?('system/events', 'index') }
+
+  def assign_events
+  end
+end
+```
+
+Using on view:
+
+```ruby
+<% if authorizy?(:users, :create) %>
+  <a href="/users/new">New User</a>
+<% end %>
+```
+
+Using on jBuilder view:
+
+```ruby
+json.create_link new_users_url if authorizy?(:users, :create)
+```

data/lib/authorizy.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Authorizy
+  require 'authorizy/base_cop'
+  require 'authorizy/config'
+  require 'authorizy/core'
+  require 'authorizy/expander'
+  require 'authorizy/extension'
+
+  class << self
+    def config
+      @config ||= Authorizy::Config.new
+    end
+
+    def configure
+      yield(config)
+    end
+  end
+end

data/lib/authorizy/base_cop.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Authorizy
+  class BaseCop
+    def initialize(current_user, params, session, controller, action)
+      @action       = action
+      @controller   = controller
+      @current_user = current_user
+      @params       = params
+      @session      = session
+    end
+
+    def access?
+      false
+    end
+
+    protected
+
+    attr_reader :action, :controller, :current_user, :params, :session
+  end
+end

data/lib/authorizy/config.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Authorizy
+  class Config
+    attr_accessor :aliases, :dependencies, :cop, :current_user, :redirect_url
+
+    def initialize
+      @aliases      = {}
+      @cop          = Authorizy::BaseCop
+      @current_user = -> (context) { context.respond_to?(:current_user) ? context.current_user : nil }
+      @dependencies = {}
+      @redirect_url = -> (context) { context.respond_to?(:root_url) ? context.root_url : '/' }
+    end
+  end
+end

data/lib/authorizy/core.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Authorizy
+  class Core
+    def initialize(current_user, params, session, controller: params['controller'], action: params['action'])
+      @action       = action.to_s
+      @controller   = controller.to_s
+      @current_user = current_user
+      @params       = params
+      @session      = session
+    end
+
+    def access?
+      return false if @current_user.blank?
+
+      granted = permissions.any? do |item|
+        data = item.stringify_keys
+
+        data['controller'].to_s == @controller && data['action'].to_s == @action
+      end
+
+      return true if granted
+
+      cop.respond_to?(cop_controller) && cop.public_send(cop_controller)
+    end
+
+    private
+
+    def cop
+      Authorizy.config.cop.new(@current_user, @params, @session, @controller, @action)
+    end
+
+    def cop_controller
+      @controller.sub('/', '__')
+    end
+
+    def permissions
+      Authorizy::Expander.new.expand(
+        [@session['permissions']].flatten.compact.presence || @current_user.authorizy.try(:[], 'permissions')
+      )
+    end
+  end
+end

data/lib/authorizy/expander.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Authorizy
+  class Expander
+    def expand(permissions)
+      return [] if permissions.blank?
+
+      result = {}
+
+      permissions.each do |permission|
+        item = permission.stringify_keys.transform_values(&:to_s)
+
+        result[key_for(item)] = item
+
+        if (items = controller_dependency(item))
+          items.each { |data| result[key_for(data)] = data }
+        end
+
+        actions = [default_aliases[item['action']]].flatten.compact
+
+        next if actions.blank?
+
+        actions.each do |action|
+          result[key_for(item, action: action)] = { 'action' => action.to_s, 'controller' => item['controller'].to_s }
+        end
+      end
+
+      result.values
+    end
+
+    private
+
+    def aliases
+      Authorizy.config.aliases.stringify_keys
+    end
+
+    def controller_dependency(item)
+      return if (actions = dependencies[item['controller']]).blank?
+      return if (permissions = actions[item['action']]).blank?
+
+      permissions.map { |permission| permission.transform_values(&:to_s) }
+    end
+
+    def default_aliases
+      {
+        'create' => 'new',
+        'edit'   => 'update',
+        'new'    => 'create',
+        'update' => 'edit',
+      }.merge(aliases)
+    end
+
+    def dependencies
+      Authorizy.config.dependencies.deep_stringify_keys
+    end
+
+    def key_for(item, action: nil)
+      "#{item['controller']}##{action || item['action']}"
+    end
+  end
+end

data/lib/authorizy/extension.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Authorizy
+  module Extension
+    extend ::ActiveSupport::Concern
+
+    included do
+      helper_method(:authorizy?)
+
+      def authorizy
+        return if Authorizy::Core.new(authorizy_user, params, session).access?
+
+        info = I18n.t('authorizy.denied', action: params[:action], controller: params[:controller])
+
+        return render(json: { message: info }, status: 422) if request.xhr?
+
+        redirect_to Authorizy.config.redirect_url.call(self), info: info
+      end
+
+      def authorizy?(controller, action)
+        Authorizy::Core.new(authorizy_user, params, session, action: action, controller: controller).access?
+      end
+
+      private
+
+      def authorizy_user
+        Authorizy.config.current_user.call(self)
+      end
+    end
+  end
+end

data/lib/authorizy/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Authorizy
+  VERSION = '0.1.0'
+end

data/lib/generators/authorizy/install_generator.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Authorizy
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path('templates', __dir__)
+
+    desc 'Creates Initializer and Migration for Authorizy'
+
+    def create_initializer
+      copy_file 'config/initializers/authorizy.rb', 'config/initializers/authorizy.rb'
+    end
+
+    def create_migration
+      copy_file 'db/migrate/add_authorizy_on_users.rb', "db/migrate/#{timestamp(0)}_add_authorizy_on_users.rb"
+    end
+
+    private
+
+    def timestamp(seconds)
+      (Time.current + seconds.seconds).strftime('%Y%m%d%H%M%S')
+    end
+  end
+end