canned 0.1.4

data/lib/canned/context/matchers/that.rb

@@ -0,0 +1,23 @@
+module Canned
+  module Context
+    module Matchers
+      module That
+
+        def that(&_block)
+          if _block
+            instance_eval &_block
+          else self end
+        end
+
+        def that_all(&_block)
+          # TODO
+        end
+
+        def that_any(&_block)
+          # TODO
+        end
+
+      end
+    end
+  end
+end

data/lib/canned/context/matchers/the.rb

@@ -0,0 +1,24 @@
+module Canned
+  module Context
+    module Matchers
+      module The
+
+        ## Loads an actor and returns an actor context.
+        #
+        # @param [String|Symbol] _name Actor name
+        # @param [Hash] _options Various options:
+        #     * as: If given, the actor will use **as** as alias for **where** blocks instead of the name.
+        # @param [Block] _block If given, then the block will be evaluated in the actor's context and the result
+        # of that returned by this function.
+        #
+        def the(_name, _options={}, &_block)
+          _chain_context(Canned::Context::Actor, _block) do |stack|
+            actor = @ctx.actors[_name]
+            break false if actor.nil?
+            stack.push(:actor, _options.fetch(:as, _name), actor)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/canned/context/matchers/where.rb

@@ -0,0 +1,36 @@
+module Canned
+  module Context
+    module Matchers
+      module Where
+
+        class WhereCtx
+          def initialize(_stack)
+            @stack = _stack
+          end
+
+          def method_missing(_method, *_args, &_block)
+            if _args.count == 0 and _block.nil?
+              begin
+                return @stack.resolve(_method)
+              rescue Canned::InmmutableStack::NotFound; end
+            end
+            super
+          end
+        end
+
+        ## Executes a given block using current resources.
+        #
+        #    Examples:
+        #       upon { the(:actor) { loads(:resource).where { actor.res_id == resource.id } } }
+        #
+        # @param [Block] _block Block to be evaluated.
+        # @returns [Boolean] True if conditions are met.
+        #
+        def where(&_block)
+          return false unless indeed?
+          WhereCtx.new(@stack).instance_eval(&_block)
+        end
+      end
+    end
+  end
+end

data/lib/canned/context/multi.rb

@@ -0,0 +1,8 @@
+module Canned
+  module Context
+    class Multi < Base
+      include Matchers::Where
+      include Matchers::Plus
+    end
+  end
+end

data/lib/canned/context/resource.rb

@@ -0,0 +1,11 @@
+module Canned
+  module Context
+    class Resource < Base
+      include Matchers::Where
+      include Matchers::Has
+      include Matchers::Is
+      include Matchers::That
+      include Matchers::Relation
+    end
+  end
+end

data/lib/canned/context/value.rb

@@ -0,0 +1,7 @@
+module Canned
+  module Context
+    class Value < Resource
+      include Matchers::Equality
+    end
+  end
+end

data/lib/canned/controller_ext.rb

@@ -0,0 +1,216 @@
+require "canned/definition"
+
+module Canned
+
+  ## Action Controller extension
+  #
+  # Include this in the the base application controller and use the acts_as_restricted method to seal it.
+  #
+  #   ApplicationController << ActionController:Base
+  #     include Canned:ControllerExt
+  #
+  #     # Call canned setup method passing the desired profile definition object
+  #     acts_as_restricted Profiles do
+  #
+  #       # Put authentication code here...
+  #
+  #       # Return profiles you wish to validate
+  #       [:profile_1, :profile_2]
+  #     end
+  #
+  #   end
+  #
+  module ControllerExt
+
+    def self.included(klass)
+      class << klass
+        attr_accessor :_cn_actors
+        attr_accessor :_cn_excluded
+        attr_accessor :_cn_resources
+      end
+
+      # actors are shared between subclasses
+      klass.cattr_accessor :_cn_actors
+      klass._cn_actors = ActiveSupport::HashWithIndifferentAccess.new
+
+      klass.extend ClassMethods
+    end
+
+    ## Performs access authorization for current action
+    #
+    # @param [Definition] _definition Profile definition
+    # @param [Array<String>] _profiles Profiles to validate
+    # @returns [Boolean] True if action access is authorized
+    #
+    def perform_access_authorization(_definition, _profiles)
+      # preload resources, retrieve resource proxy
+      proxy = perform_resource_loading
+
+      # run profile validation
+      result = false
+      _profiles.each do |profile|
+        case _definition.validate proxy, profile, [controller_name, "#{controller_name}##{action_name}"]
+        when :forbidden then return false
+        when :allowed then result = true
+        end
+      end
+      return result
+    end
+
+    ## Performs resource loading for current action
+    #
+    # @returns [ControllerProxy] used for resource loading
+    #
+    def perform_resource_loading
+      proxy = ControllerProxy.new self
+      proxy.preload_resources_for action_name
+      return proxy
+    end
+
+    ## Returns true if the current action is protected.
+    #
+    def is_restricted?
+      return true if self.class._cn_excluded.nil?
+      return false if self.class._cn_excluded == :all
+      return !(self.class._cn_excluded.include? action_name.to_sym)
+    end
+
+    module ClassMethods
+
+      ## Setups the controller user profile definitions and profile provider block (or proc)
+      #
+      # The passed method or block must return a list of profiles to be validated
+      # by the definition.
+      #
+      # TODO: default definition (canned config)
+      #
+      # @param [Definition] _definition Profile definition
+      # @param [Symbol] _method Profile provider method name
+      # @param [Block] _block Profile provider block
+      #
+      def acts_as_restricted(_definition, _method=nil, &_block)
+        self.before_filter do
+          if is_restricted?
+            profiles = Array(if _method.nil? then instance_eval(&_block) else send(_method) end)
+            raise Canned::AuthError.new 'No profiles avaliable' if profiles.empty?
+            raise Canned::AuthError unless perform_access_authorization(_definition, profiles)
+          else perform_resource_loading end
+        end
+      end
+
+      ## Removes protection for all controller actions.
+      def unrestricted_all
+        self._cn_excluded = :all
+      end
+
+      ## Removes protection for the especified controller actions.
+      #
+      # @param [splat] _excluded List of actions to be excluded.
+      #
+      def unrestricted(*_excluded)
+        self._cn_excluded ||= []
+        self._cn_excluded.push(*(_excluded.collect &:to_sym))
+      end
+
+      ## Registers a canned actor
+      #
+      # @param [String] _name Actor's name and generator method name if no block is given.
+      # @param [Hash] _options Options:
+      #     * as: If given, this si used as actor's name and _name is only used for generator retrieval.
+      # @param [Block] _block generator block, used instead of generator method if given.
+      #
+      def register_actor(_name, _options={}, &_block)
+        self._cn_actors[_options.fetch(:as, _name)] = _block || _name
+      end
+
+      ## Registers a canned resource
+      #
+      # @param [String] _name Resource name
+      # @param [String] _options Options:
+      #     * using: Parameter used as key if not block is given.
+      #     * only: If set, will only load the resource for the given actions.
+      #     * except: If set, will not load the resource for any of the given actions.
+      #     * from: TODO load_resource :raffle, from: :site
+      #     * as: TODO: load_resource :raffle, from: :site, as: :draws
+      # @param [Block] _block generator block, will be called to generate the resource if needed.
+      #
+      def register_resource(_name, _options={}, &_block)
+        self._cn_resources ||= []
+        self._cn_resources << {
+          name: _name,
+          only: unless _options[:only].nil? then Array(_options[:only]) else nil end,
+          except: Array(_options[:except]),
+          loader: _block || Proc.new do
+            key = _options.fetch(:using, :id)
+            if params.has_key? key then eval(_name.to_s.camelize).find params[key]
+            else nil end
+          end
+        }
+      end
+
+      def register_default_resources
+        # TODO: Load resources using convention and controller names.
+      end
+    end
+
+  private
+
+    ## ActionController - TestContext adapter
+    class ControllerProxy
+
+      attr_reader :resources
+      attr_reader :actors
+
+      def initialize(_controller)
+        @controller = _controller
+        @resources = ActiveSupport::HashWithIndifferentAccess.new
+        # actors are provided throug a dynamic loader.
+        @actors = ActorLoader.new _controller, _controller.class._cn_actors
+      end
+
+      ## Proxies messages to wrapped controller.
+      def method_missing(_method, *_args, &_block)
+        @controller.send(_method, *_args, &_block)
+      end
+
+      ## Loads resources required by _action
+      def preload_resources_for(_action)
+        _action = _action.to_sym
+        Array(@controller.class._cn_resources).each do |res|
+          next unless res[:only].nil? or res[:only].include? _action
+          next unless res[:except].nil? or !res[:except].include? _action
+
+          @resources[res[:name]] = resource = @controller.instance_eval &res[:loader]
+          @controller.instance_variable_set "@#{res[:name]}", resource
+        end
+      end
+
+    private
+
+      ## Allows actors to be served on demand, provides a hash–like interface
+      # to TestContext through ControllerProxy.actors method.
+      class ActorLoader
+
+        def initialize(_controller, _loaders)
+          @controller = _controller
+          @loaders = _loaders
+          @actor_cache = {}
+        end
+
+        def [](_key)
+          _key = _key.to_sym
+          return @actor_cache[_key] if @actor_cache.has_key? _key
+
+          loader = @loaders[_key]
+          raise Canned::SetupError.new "Invalid actor loader value" if loader.nil?
+          actor = if loader.is_a? String then @controller.send(loader) else @controller.instance_eval(&loader) end
+          @actor_cache[_key] = actor
+        end
+
+        def has_key?(_key)
+          @loaders.has_key? _key.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/canned/definition.rb

@@ -0,0 +1,79 @@
+require "canned/errors"
+require "canned/stack"
+require "canned/profile"
+require "canned/profile_dsl"
+
+require "canned/context/base"
+require "canned/context/default"
+require "canned/context/actor"
+require "canned/context/resource"
+require "canned/context/value"
+require "canned/context/multi"
+
+Dir[File.dirname(__FILE__) + '/context/*.rb'].each { |file| require file }
+
+
+module Canned
+
+  ## Definition module
+  #
+  # This module is used to generate a canned definition that can later
+  # be refered when calling "canned_setup".
+  #
+  # TODO: Usage
+  #
+  module Definition
+
+    def self.included(klass)
+      klass.class_eval("
+        @@tests = {}
+        @@profiles = {}
+
+        def self.tests; @@tests end
+        def self.profiles; @@profiles end
+      ", __FILE__, __LINE__ + 1)
+      klass.extend ClassMethods
+    end
+
+    module ClassMethods
+
+      ## Defines a new test that can be used in "certifies" instructions
+      #
+      # **IMPORTANT** Tests are executed in the same context as upon blocks,
+      #
+      # @param [Symbol] _name test identifier
+      # @param [Block] _block test block, arity must be 0
+      #
+      def test(_name, &_block)
+        raise SetupError.new "Duplicated test identifier" if tests.has_key? _name
+      end
+
+      ## Creates a new profile and evaluates the given block using the profile context.
+      #
+      # @param [String|Symbol] _name Profile name.
+      # @param [Hash] _options Various options: none for now
+      #
+      def profile(_name, _options={}, &_block)
+        _name = _name.to_sym
+        raise Canned::SetupError.new "Duplicated profile identifier '#{_name}'" if profiles.has_key? _name
+
+        profile = Canned::Profile.new
+        ProfileDsl.new(profile, profiles).instance_eval &_block
+        profiles[_name] = profile
+      end
+
+      ## Returns true if **_action** is avaliable for **_profile** under the given **_ctx**.
+      #
+      # @param [Canned2::TestContext] _ctx The test context to be used
+      # @param [string] _acting_as The name of profile to be tested
+      # @param [String|Array<String>] _actions The action or actions to test
+      #
+      def validate(_ctx, _acting_as, _action)
+        profile = profiles[_acting_as.to_sym]
+        raise Canned::SetupError.new "Profile not found '#{_acting_as}'" if profile.nil?
+        _ctx = Canned::Context::Default.new(_ctx, tests, InmmutableStack.new)
+        profile.validate _ctx, Array(_action)
+      end
+    end
+  end
+end

data/lib/canned/errors.rb

@@ -0,0 +1,6 @@
+module Canned
+  class Error < StandardError; end
+  class SetupError < Error; end
+  class AuthError < Error; end
+  class ForbiddenError < AuthError; end
+end

data/lib/canned/profile.rb

@@ -0,0 +1,62 @@
+module Canned
+
+  ## Holds a profile definition and provides the **validate** method
+  #
+  # This class instances are populated using the **ProfileDsl**.
+  #
+  # profile :hola do
+  #   context { the(:user) }
+  #   context { a(:raffle) }
+  #
+  #   allow 'index', upon(:admin) { loads(:) where {  } } }
+  #   allow 'index', upon { the(:user_id) { is } and a(:raffle).is }
+  #   allow 'show', upon { is :is_allowed? and has() and a(:apron).has(:id).same_as(own: :id) asks_for(:) and owns(:raffle) } }
+  # end
+  #
+  class Profile
+
+    attr_accessor :context
+    attr_accessor :rules
+
+    def initialize
+      @context = nil
+      @rules = []
+    end
+
+    def validate(_base, _actions)
+
+      # TODO: optimize, do not process allow rules if already allowed.
+
+      # run the context block if given
+      # TODO: check base type when a context is used?
+      _base = _base.instance_eval &@context if @context
+
+      @rules.each do |rule|
+        case rule[:type]
+        when :allow
+          if rule[:action].nil? or _actions.include? rule[:action]
+            return :allowed if rule[:proc].nil? or _base.instance_eval(&rule[:proc])
+          end
+        when :forbid
+          if rule[:action].nil? or _actions.include? rule[:action]
+            return :forbidden if rule[:proc].nil? or _base.instance_eval(&rule[:proc])
+          end
+        when :continue
+          # continue block's interrupt flow if false
+          return :break unless _base.instance_eval(&rule[:proc])
+        when :expand
+          # when evaluating an cross profile call, any special condition will cause to break.
+          result = rule[:profile].validate(_base, _actions)
+          return result if result != :default
+        when :scope
+          # when evaluating a child block, only break if a matching allow or forbid is found.
+          result = rule[:profile].validate(_base, _actions)
+          return result if result != :default and result != :break
+        end
+      end
+
+      # No rule matched, return not allowed.
+      return :default
+    end
+  end
+end