bali 1.0.0beta1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f654149dda4ee90b979831aeb07501fb41d22ff9
+  data.tar.gz: 81415f18fc6021d1a65c346b6dd1ef6fc95fc49e
+SHA512:
+  metadata.gz: 884958b5928962a8ee79105b897f5b971f4dc73f263f407268e1332a72745f82e2b67c384d8dedb2d7e4744e80bc1af1432fbc34e80d138676a49a9dbe5808cc
+  data.tar.gz: 3e2e565ff189df8a41265f7c3d4ec7d7071150267e9cdf18d330d94d3a14411a30eb30805546be172430a542f60f7491700676dfc2abcc6d6769bab1d3c61fad

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.2
+before_install: gem install bundler -v 1.10.6

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,13 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, or religion.
+
+Examples of unacceptable behavior by participants include the use of sexual language or imagery, derogatory comments or personal attacks, trolling, public or private harassment, insults, or other unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. Project maintainers who do not follow the Code of Conduct may be removed from the project team.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.0.0, available at [http://contributor-covenant.org/version/1/0/0/](http://contributor-covenant.org/version/1/0/0/)

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in bali.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Adam Pahlevi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,95 @@
+# Bali
+
+[ ![Codeship Status for saveav/bali](https://codeship.com/projects/d2f3ded0-20cf-0133-e425-0eade5a669ff/status?branch=master)](https://codeship.com/projects/95727)
+
+Bali is a powerful, framework-agnostic, thread-safe Ruby language authorization library. It is a universal authorization library, in the sense that it does not assume you to use specific Ruby library/gem/framework in order for successful use of this gem.
+
+Bali is short for Bulwark Authorization Library.
+
+## Installation
+
+It can be installed directly by using bundler's install:
+
+    $ gem install bali
+
+Otherwise, if you are using a framework such as Rails, you can add this into your gemfile:
+
+```ruby
+gem 'bali'
+```
+
+And then execute:
+
+    $ bundle
+
+## Usage
+
+### First things first: defining rules
+
+Rule in Bali is the law determining whether a user (called 'subtarget') can specific operation on a target (which is your resource).
+
+```ruby
+  Bali.map_rules do
+    rules_for My::Transaction, as: :transaction do
+      describe(:supreme_user) { can_all }
+      describe :admin_user do
+        can_all
+        # a more specific rule would be executed even if can_all is present
+        can :cancel, 
+          if: proc { |record| record.payment_channel == "CREDIT_CARD" && 
+                              !record.is_settled? }
+      end
+      describe "general user", can: [:update, :edit], cant: [:delete]
+      describe "finance user" do
+        can :update, :delete, :edit
+        can :delete, if: proc { |record| record.is_settled? }
+      end # finance_user description
+    end # rules_for
+  end
+```
+
+You may or may not assign an alias name (`as`). Make sure to keep it unique had you decided to give alias name to your rules group.
+
+### Authorization
+
+Say:
+
+```ruby
+class My::Transaction
+  attr_accessor :is_settled
+  attr_accessor :payment_channel
+
+  alias :is_settled? :is_settled
+end
+```
+
+Assuming that there exist a variable `transaction` which is an instance of `My::Transaction`, we can query about whether the subtarget is granted to perform certain operation:
+
+```ruby
+transaction.cant?(:general_user, :delete)    # => true
+transaction.can("general user", :update)     # => true
+transaction.can?(:finance_user, :delete)     # depend on context
+transaction.can?(:monitoring_user, :view)    # => true
+transaction.can?("monitoring user", :view)   # => true
+transaction.can?(:admin_user, :cancel)       # depend on context
+transaction.can?(:supreme_user, :cancel)     # => true
+```
+
+If a rule is depending on a certain context, then the context will be evaluated to determine whether the subtarget is authorized or not.
+
+In the above example, deletion of `transaction` is only allowed if the subtarget is a "finance user" and, the `transaction` itself is already settled.
+
+Rule can also be called on a class, instead of on an object:
+
+```ruby
+My::Transaction.can?(:bank_corp, :new)      # => true
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/bali. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](contributor-covenant.org) code of conduct.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bali.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'bali/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "bali"
+  spec.version       = Bali::VERSION
+  spec.authors       = ["Adam Pahlevi"]
+  spec.email         = ["adam.pahlevi@gmail.com"]
+
+  spec.summary       = %q{Bali is a powerful, framework-agnostic, thread-safe Ruby language authorization library}
+  spec.description   = %q{Bali (Bulwark Authorization Library) is a universal authorization library, in the sense that 
+                          it does not assume you to use specific Ruby library/gem/framework.}
+  spec.homepage      = "https://github.com/saveav/bali"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.9"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.3"
+  spec.add_development_dependency "pry", "~> 0.10"
+
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "bali"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/bali.rb

@@ -0,0 +1,198 @@
+require_relative "bali/version"
+require_relative "bali/rule_class"
+require_relative "bali/rule_group"
+require_relative "bali/rule"
+
+require_relative "bali/objector"
+
+# exception classes
+require_relative "bali/exceptions/dsl_error"
+module Bali
+  # mapping class to a RuleClass
+  RULE_CLASS_MAP = {}
+
+  # from symbol to full class name
+  ALIASED_RULE_CLASS_MAP = {}
+
+  # from full class name to symbol
+  REVERSE_ALIASED_RULE_CLASS_MAP = {}
+end
+
+module Bali
+  extend self
+
+  def rule_classes
+    RULE_CLASS_MAP
+  end
+
+  def rule_class_for(target)
+    if target.is_a?(Symbol)
+      class_name = ALIASED_RULE_CLASS_MAP[target]
+      raise Bali::DslError, "Rule class is not defined for: #{target}" if class_name.nil?
+
+      rule_class_for(class_name)
+    else
+      rule_class = RULE_CLASS_MAP[target]
+      raise Bali::DslError, "Rule class is not defined for: #{target}" if rule_class.nil?
+      rule_class
+    end
+  end
+
+  def rule_group_for(target_class, subtarget)
+    rule_class = Bali.rule_class_for(target_class)
+    rule_group = rule_class.rules_for(subtarget)
+    
+    rule_group
+  end
+
+  def add_rule_class(rule_class)
+    if rule_class.is_a?(Bali::RuleClass)
+      target = rule_class.target_class
+      alias_target = rule_class.alias_name
+
+      raise "Target must be a class" unless target.is_a?(Class)
+
+      # remove any previous association of rule
+      begin 
+        last_associated_alias = Bali::REVERSE_ALIASED_RULE_CLASS_MAP[target]
+        if last_associated_alias
+          Bali::ALIASED_RULE_CLASS_MAP.delete(last_associated_alias)
+          Bali::REVERSE_ALIASED_RULE_CLASS_MAP.delete(target)
+          Bali::RULE_CLASS_MAP.delete(target)
+        end
+      end
+
+      # if "as" is present
+      if alias_target.is_a?(Symbol)
+        Bali::ALIASED_RULE_CLASS_MAP[alias_target] = target
+        Bali::REVERSE_ALIASED_RULE_CLASS_MAP[target] = alias_target
+      end
+
+      Bali::RULE_CLASS_MAP[target] = rule_class
+    else
+      raise "Only allow instance of Bali::RuleClass"
+    end
+  end # add_rule_class
+end
+
+module Bali
+  class Bali::MapRulesDsl
+    attr_accessor :current_rule_class
+
+    def initialize
+      @@lock = Mutex.new
+    end
+
+    def rules_for(target_class, target_alias_hash = {}, &block)
+      @@lock.synchronize do
+        self.current_rule_class = Bali::RuleClass.new(target_class)
+        self.current_rule_class.alias_name = target_alias_hash[:as] || target_alias_hash["as"]
+
+        Bali::MapRulesRulesForDsl.new(self).instance_eval(&block)
+
+        # done processing the block, now add the rule class
+        Bali.add_rule_class(self.current_rule_class)
+
+        target_class.include(Bali::Objector) unless target_class.include?(Bali::Objector)
+      end
+    end
+  end
+end
+
+module Bali
+  class Bali::MapRulesRulesForDsl
+    attr_accessor :map_rules_dsl
+    attr_accessor :current_rule_group
+
+    def initialize(map_rules_dsl)
+      @@lock = Mutex.new
+      self.map_rules_dsl = map_rules_dsl
+    end
+
+    def describe(subtarget, rules = {})
+      target_class = self.map_rules_dsl.current_rule_class.target_class
+      target_alias = self.map_rules_dsl.current_rule_class.alias_name
+      @@lock.synchronize do
+        rule_group = Bali::RuleGroup.new(target_class, target_alias, subtarget)
+        self.current_rule_group = rule_group
+
+        if block_given?
+          the_object = Object.new
+          # the_object would be the record, or the object of class as specified
+          # in rules_for
+          yield the_object
+        else
+          # auth_val is either can or cant
+          rules.each do |auth_val, operations|
+            if operations.is_a?(Array)
+              operations.each do |op|
+                rule = Bali::Rule.new(auth_val, op)
+                rule_group.add_rule(rule)
+              end
+            else
+              operation = operations # well, basically is 1 only
+              rule = Bali::Rule.new(auth_val, operation) 
+              rule_group.add_rule(rule)
+            end
+          end # each rules
+        end # block_given?
+
+        # add current_rule_group
+        self.map_rules_dsl.current_rule_class.add_rule_group(rule_group)
+      end # mutex synchronize
+    end # describe
+
+
+    def process_auth_rules(auth_val, operations)
+      conditional_hash = nil
+      
+      # scan opreation for hash
+      operations.each do |elm|
+        if elm.is_a?(Hash)
+          conditional_hash = elm
+        end
+      end
+
+      if conditional_hash
+        op = operations[0]
+        rule = Bali::Rule.new(auth_val, op)
+        rule.decider = conditional_hash[:if] || conditional_hash["if"]
+        self.current_rule_group.add_rule(rule)
+      else
+        # no conditional hash, proceed adding operations one by one
+        operations.each do |op|
+          rule = Bali::Rule.new(auth_val, op)
+          self.current_rule_group.add_rule(rule)
+        end
+      end
+    end # process_auth_rules
+
+    def can(*operations)
+      process_auth_rules(:can, operations)
+    end
+
+    def cant(*operations)
+      process_auth_rules(:cant, operations)
+    end
+
+    def can_all
+      self.current_rule_group.zeus = true
+    end
+
+  end # class
+end # module
+
+module Bali
+  extend self
+  def map_rules(&block)
+    dsl_map_rules = Bali::MapRulesDsl.new
+    dsl_map_rules.instance_eval(&block)
+  end
+
+  def clear_rules
+    Bali::RULE_CLASS_MAP.clear
+    Bali::REVERSE_ALIASED_RULE_CLASS_MAP.clear
+    Bali::ALIASED_RULE_CLASS_MAP.clear
+    true
+  end
+end

data/lib/bali/exceptions/dsl_error.rb

@@ -0,0 +1,2 @@
+class Bali::DslError < StandardError
+end

data/lib/bali/objector.rb

@@ -0,0 +1,63 @@
+# class that will be included in each instantiated target classes as defined
+# in map_rules
+module Bali::Objector
+  def self.included(base)
+    base.extend Bali::Objector::Statics
+  end
+
+  def can?(subtarget, operation) 
+    self.class.can?(subtarget, operation, self)
+  end
+
+  def cant?(subtarget, operation)
+    self.class.can?(subtarget, operation, self)
+  end
+end
+
+module Bali::Objector::Statics
+  def can?(subtarget, operation, record = self)
+    rule_group = Bali.rule_group_for(record.class, subtarget)
+    rule = rule_group.get_rule(:can, operation)
+
+    # godly subtarget is allowed to do as he wishes
+    # so long that the rule is not specificly defined
+    return true if rule_group.zeus? && rule.nil?
+
+    # default to false when asked about can? but no rule to be found
+    return false if rule.nil?
+
+    if rule.has_decider?
+      # must test first
+      decider = rule.decider
+      if decider.arity == 0
+        decider.() == true
+      else
+        decider.(record) == true
+      end
+    else
+      # rule is properly defined
+      return true
+    end
+  end
+
+  def cant?(subtarget, operation)
+    rule_group = Bali.rule_group_for(self.class, subtarget)
+    rule = rule_group.get_rule(:cant, operation)
+
+    # godly subtarget is not to be prohibited in his endeavours
+    # so long that no specific rule about this operation is defined
+    return false if rule_group.zeus? && rule.nil?
+
+    # default to true when asked about cant? but no rule to be found
+    return true if rule.nil?
+
+    if rule.has_decider?
+      decider = rule.decider
+      if decider.arity == 0
+        decider.() == true
+      else
+        decider.(record) == true
+      end
+    end
+  end
+end

data/lib/bali/rule.rb

@@ -0,0 +1,33 @@
+# for internal use, representing rule
+class Bali::Rule
+  # auth_val is either :can or :cant
+  attr_reader :auth_val
+
+  # what is the operation: create, update, delete, or any other
+  attr_reader :operation
+
+  # if decider is defined, a rule is executed only if decider evaluates to true
+  attr_accessor :decider
+
+  def initialize(auth_val, operation)
+    self.auth_val = auth_val
+    @operation = operation
+    self
+  end
+
+  def auth_val=(aval)
+    if aval == :can || aval == :cant
+      @auth_val = aval
+    else
+      raise Bali::DslError, "auth_val can only either be :can or :cant"
+    end
+  end
+
+  def is_discouragement?
+    self.auth_val == :cant
+  end
+
+  def has_decider?
+    self.decider.is_a?(Proc)
+  end
+end

data/lib/bali/rule_class.rb

@@ -0,0 +1,31 @@
+# the parent of all Bali::RuleGroup.
+class Bali::RuleClass
+  attr_reader :target_class
+  attr_accessor :alias_name
+
+  attr_accessor :rule_groups
+
+  def initialize(target_class)
+    if target_class.is_a?(Class)
+      @target_class = target_class
+    else
+      raise Bali::DslError, "Target class must be a Class"
+    end
+
+    self.rule_groups = {}
+  end
+
+  def add_rule_group(rule_group)
+    if rule_group.is_a?(Bali::RuleGroup)
+      target_user = rule_group.subtarget
+      self.rule_groups[target_user.to_sym] = rule_group
+    else
+      raise Bali::DslError, "Rule group must be an instance of Bali::RuleGroup"
+    end
+  end
+
+  def rules_for(subtarget)
+    subtarget = Bali::RuleGroup.canon_name(subtarget)
+    self.rule_groups[subtarget]
+  end
+end

data/lib/bali/rule_group.rb

@@ -0,0 +1,67 @@
+class Bali::RuleGroup
+  # the target class
+  attr_accessor :target
+
+  # the alias name for the target
+  attr_accessor :alias_tgt
+
+  # the user to which this rule group is applied
+  attr_accessor :subtarget
+
+  # what can be done and what cannot be done
+  attr_accessor :cans, :cants
+
+  # if set to true then the subtarget can do anything
+  attr_accessor :zeus
+  alias :zeus? :zeus
+
+  # allowing "general user" and :general_user to route to the same rule group
+  def self.canon_name(subtarget)
+    if subtarget.is_a?(String)
+      return subtarget.gsub(" ", "_").to_sym
+    else
+      return subtarget
+    end
+  end
+
+  def initialize(target, alias_tgt, subtarget)
+    self.target = target
+    self.alias_tgt = alias_tgt
+    self.subtarget = Bali::RuleGroup.canon_name(subtarget)
+
+    self.cans = {}
+    self.cants = {}
+  end
+
+  def add_rule(rule)
+    # operation cannot be defined twice
+    operation = rule.operation.to_sym
+
+    raise Bali::DslError, "Rule is defined twice for operation #{operation}" if self.cants[operation] && self.cans[operation]
+
+    if rule.is_discouragement?
+      self.cants[rule.operation.to_sym] = rule
+    else
+      self.cans[rule.operation.to_sym] = rule
+    end
+  end
+
+  def get_rule(auth_val, operation)
+    rule = nil
+    case auth_val
+    when :can, "can"
+      rule = self.cans[operation.to_sym]
+    when :cant, "cant"
+      rule = self.cants[operation.to_sym]
+    else
+      raise Bali::DslError, "Undefined operation: #{auth_val}"
+    end
+
+    rule
+  end
+
+  # all rules
+  def rules
+    self.cans.values + self.cants.values
+  end
+end

data/lib/bali/version.rb

@@ -0,0 +1,3 @@
+module Bali
+  VERSION = "1.0.0beta1"
+end

metadata

@@ -0,0 +1,122 @@
+--- !ruby/object:Gem::Specification
+name: bali
+version: !ruby/object:Gem::Version
+  version: 1.0.0beta1
+platform: ruby
+authors:
+- Adam Pahlevi
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-08-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+description: "Bali (Bulwark Authorization Library) is a universal authorization library,
+  in the sense that \n                          it does not assume you to use specific
+  Ruby library/gem/framework."
+email:
+- adam.pahlevi@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bali.gemspec
+- bin/console
+- bin/setup
+- lib/bali.rb
+- lib/bali/exceptions/dsl_error.rb
+- lib/bali/objector.rb
+- lib/bali/rule.rb
+- lib/bali/rule_class.rb
+- lib/bali/rule_group.rb
+- lib/bali/version.rb
+homepage: https://github.com/saveav/bali
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Bali is a powerful, framework-agnostic, thread-safe Ruby language authorization
+  library
+test_files: []
+has_rdoc: