canned 0.1.4

data/lib/canned/profile_dsl.rb

@@ -0,0 +1,130 @@
+module Canned
+
+  ## Holds all rules associated to a single user profile.
+  #
+  # This class describes the avaliable DSL when defining a new profile.
+  # TODO: example
+  #
+  class ProfileDsl
+
+    def initialize(_profile, _loaded_profiles)
+      @profile = _profile
+      @loaded_profiles = _loaded_profiles
+    end
+
+    ## Sets the default context for this profile block.
+    def context(_proc=nil, &_block)
+      @profile.context = _proc || _block
+    end
+
+    ## Adds an "allowance" rule
+    #
+    #    Examples:
+    #       allow 'index'
+    #       allow 'index', upon(:user) { that(:is_admin) }
+    #       allow('index') { upon(:user).that(:is_admin) }
+    #       allow
+    #       allow upon(:user) { that(:is_admin) }
+    #       allow { upon(:user).that(:is_admin) }
+    #
+    # @param [String|Proc] _action The action to authorize, if no action is given then rule apply to any action.
+    # @param [Proc] _proc The test procedure, if not given, then action is always allowed.
+    #
+    def allow(_action=nil, _proc=nil)
+
+      if _action.is_a? Proc
+        _proc = _action
+        _action = nil
+      end
+
+      @profile.rules << { type: :allow, action: _action, proc: _proc }
+    end
+
+    ## Adds a "forbidden" rule
+    #
+    # Works the same way as **allow** but if rule checks then user is forbidden to access
+    # the resource regardles of presenting another profile that passes.
+    #
+    def forbid(_action=nil, _proc=nil)
+
+      if _action.is_a? Proc
+        _proc = _action
+        _action = nil
+      end
+
+      @profile.rules << { type: :forbid, action: _action, proc: _proc }
+    end
+
+    ## Breaks from the current profile scope if condition is not match.
+    #
+    # When calling this function from within a scope, it will only break from scope.
+    #
+    #   Example:
+    #     # The following rules will be tested against every user
+    #     allow 'index', upon(:user) { that(:is_registered) }
+    #     allow 'index', upon(:user) { that(:is_alien) }
+    #     allow 'index', upon(:user) { that(:is_chewbaka) }
+    #
+    #     continue upon(:user) { that(:is_jedi) }
+    #     # The following rules will only be tested against jedis
+    #     allow 'index', upon(:user) { with(:force).greater_than(100) }
+    #
+    #
+    def continue(_proc)
+      @profile.rules << { type: :continue, proc: _proc }
+    end
+
+    ## Embedds a _profile inside another one.
+    #
+    def expand(_profile)
+      profile = @loaded_profiles[_profile]
+      raise SetupError.new "Profile not found '#{_profile}'" if profile.nil?
+      @profile.rules << { type: :expand, profile: profile }
+    end
+
+    ## Allows defining a set of rules with common options.
+    #
+    #   Example:
+    #     # The following group
+    #     scope upon: :user
+    #       # the following only breaks from current scope.
+    #       continue upon { that(:is_jedi) }
+    #       # the following will only forbid jedis that belong to death star (resource).
+    #       forbid 'index', upon { belongs_to(:death_star) }
+    #       allow 'index', upon(:user) { that(:has_pony_tail) }
+    #     end
+    #
+    #     # the following rule will be tested against every user.
+    #     allow 'index', upon(:user) { that(:is_registered) }
+    #
+    #
+    def scope(&_block)
+      child = Profile.new
+      ProfileDsl.new(child, @loaded_profiles).instance_eval &_block
+      @profile.rules << { type: :scope, profile: child }
+    end
+
+    ## SHORT HAND METHODS
+
+    ## Same as calling upon { the() ... }
+    def upon(*_args, &_block)
+      if _args.count == 0
+        return _block
+      elsif _block
+        Proc.new { the(*_args).instance_eval &_block }
+      else
+        Proc.new { the(*_args) }
+      end
+    end
+
+    # TODO: Implement following
+
+    # def upon_one(_expr, &_block)
+    #   Proc.new { upon_one(_expr, &_block) }
+    # end
+
+    # def upon_all(_expr, &_block)
+    #   Proc.new { upon_all(_expr, &_block) }
+    # end
+  end
+end

data/lib/canned/stack.rb

@@ -0,0 +1,63 @@
+module Canned
+
+  ## Implements an inmmutable stack where every operation generates a new stack
+  #
+  # Used by the test contexts to hold the subject stack.
+  #
+  class InmmutableStack
+
+    class NotFound < Exception; end
+
+    ## Class used to hold stack entries
+    class Entry
+
+      attr_reader :tag # entry tag
+      attr_reader :name # entry name
+      attr_reader :obj # entry data
+
+      def initialize(_tag, _name, _obj)
+        @tag = _tag
+        @name = _name.to_s
+        @obj = _obj
+      end
+    end
+
+    def initialize(_entry=nil, _tail=nil)
+      @stack = if _tail then _tail.entries else [] end
+      @stack << _entry if _entry
+    end
+
+    ## Gets a copy of the internal stack state.
+    #
+    def entries; @stack.clone; end
+
+    ## Returns true if stack is empty
+    def empty?; @stack.empty?; end
+
+    ## Creates a new stack using the current stack as tail.
+    #
+    def push(_tag, _name, _value)
+      InmmutableStack.new Entry.new(_tag, _name, _value), self
+    end
+
+    ## Retrieves the top value of the stack
+    #
+    def top(_tag=nil)
+      return @stack.last.obj if _tag.nil?
+      @stack.reverse_each do |item|
+        return item.obj if item.tag == _tag
+      end
+      return nil
+    end
+
+    ## Resolves a stack value by it's name
+    #
+    def resolve(_name)
+      _name = _name.to_s
+      @stack.reverse_each do |item|
+        return item.obj if item.name == _name
+      end
+      raise NotFound
+    end
+  end
+end

data/lib/canned/version.rb

@@ -0,0 +1,3 @@
+module Canned
+  VERSION = "0.1.4"
+end

data/spec/canned/canned_spec.rb

@@ -0,0 +1,116 @@
+require 'spec_helper'
+
+describe Canned do
+
+  describe "TestProfiles.validate" do
+
+    context 'when using profile with a context' do
+
+      let(:definition) do
+        class TestProfiles
+          include Canned::Definition
+
+          profile :profile do
+            context { the(:user) }
+            allow 'rute1', upon { asks_with_same_id(:app_id) }
+            allow 'rute2', upon { asks_for(:test) }
+            forbid 'rute3', upon { not is(:is_admin) }
+          end
+        end
+        TestProfiles
+      end
+
+      context 'and a matching context' do
+        let(:context) do
+          dummy(
+            action_name: 'test',
+            actors: { user: dummy(app_id: 10, is_admin: false) },
+            resources: {},
+            params: { app_id: "10" }
+          )
+        end
+
+        it "is allowed if asks for same id" do
+          definition.validate(context, :profile, 'rute1').should == :allowed
+        end
+
+        it "is allowed if asks for same action" do
+          definition.validate(context, :profile, 'rute2').should == :allowed
+        end
+
+        it "is forbidden if 'is' expression returns true" do
+          definition.validate(context, :profile, 'rute3').should == :forbidden
+        end
+      end
+    end
+
+    context 'when using simple profile' do
+
+      let(:definition) do
+        class TestProfiles
+          include Canned::Definition
+
+          profile :profile do
+            allow 'action1', upon(:user) { asks_with_same_id(:app_id) }
+            allow 'action2', upon(:user) { belongs_to(:app, as: :app) }
+            allow 'action3', upon(:user) { asks_with_same(:app_id) }
+          end
+        end
+        TestProfiles
+      end
+
+      context 'and an allowed context with actor and resource' do
+        let(:context) do
+          dummy(
+            action_name: 'test',
+            actors: { user: dummy(app_id: 10, is_admin: true) },
+            resources: { app: dummy(id: 10) },
+            params: { app_id: "10" }
+          )
+        end
+
+        it "is allowed if calls asks_for_same_id" do
+          definition.validate(context, :profile, 'action1').should == :allowed
+        end
+
+        it "is allowed if belongs_to resource" do
+          definition.validate(context, :profile, 'action2').should == :allowed
+        end
+
+        it "is not allowed if asks_for_same instead of asks_same_id" do
+          definition.validate(context, :profile, 'action3').should == :default
+        end
+      end
+
+      context 'and does not ask for same id' do
+        let(:context) do
+          dummy(
+            action_name: 'test',
+            actors: { user: dummy(app_id: 10, is_admin: true) },
+            resources: {},
+            params: { app_id: "11" }
+          )
+        end
+
+        it "is not allowed" do
+          definition.validate(context, :profile, 'action1').should == :default
+        end
+      end
+
+      context 'and does not belong to resource' do
+        let(:context) do
+          dummy(
+            action_name: 'test',
+            actors: { user: dummy(app_id: 10, is_admin: true) },
+            resources: { app: dummy(id: 11) },
+            params: {}
+          )
+        end
+
+        it "is not allowed" do
+          definition.validate(context, :profile, 'action2').should == :default
+        end
+      end
+    end
+  end
+end

data/spec/canned/controller_ext_spec.rb

@@ -0,0 +1,95 @@
+require 'spec_helper'
+
+describe Canned::ControllerExt do
+
+  let(:controller_class) do
+    controller_class = Class.new
+    controller_class.send(:include, Canned::ControllerExt)
+    controller_class
+  end
+
+  let(:controller) do
+    controller = controller_class.new
+    controller.stub(:params) { { app_id: 10 } }
+    controller.stub(:controller_name) { 'controller' }
+    controller.stub(:action_name) { 'action' }
+    controller.stub(:good_user) { dummy(app_id: 10, is_admin: true) }
+    controller.stub(:bad_user) { dummy(app_id: 11) }
+    controller
+  end
+
+  let(:definition) do
+    class TestProfiles
+      include Canned::Definition
+
+      profile :profile do
+        allow 'controller#action', upon(:user) { asks_with_id(:app_id).equal_to(own: :app_id) }
+      end
+
+      profile :profile2 do
+        allow 'controller#action', upon(:user) { belongs_to(:resource, as: :app) }
+      end
+    end
+    TestProfiles
+  end
+
+  describe ".is_restricted?" do
+    context 'when action is restricted' do
+      it { controller.is_restricted?.should be_true }
+    end
+    context 'when action is not restricted' do
+      before { controller_class.unrestricted :action }
+      it { controller.is_restricted?.should be_false }
+    end
+  end
+
+  describe ".perform_resource_loading" do
+
+    context 'when registering resource for another action' do
+      let(:proxy) do
+        controller_class.register_resource(:resource, only: [:other]) { HashObj.new(id: 10) }
+        controller.perform_resource_loading
+      end
+      it { proxy.resources.has_key?(:resource).should be_false }
+    end
+
+    context 'when registering resource except for this action' do
+      let(:proxy) do
+        controller_class.register_resource(:resource, except: [:action]) { HashObj.new(id: 10) }
+        controller.perform_resource_loading
+      end
+      it { proxy.resources.has_key?(:resource).should be_false }
+    end
+
+    context 'when registering actor in a super class' do
+      let(:proxy) do
+        controller_class.register_actor(:actor) { HashObj.new(id: 10) }
+        sub_class = Class.new controller_class
+        other_controller = sub_class.new
+        other_controller.stub(:action_name) { 'action' }
+        other_controller.perform_resource_loading
+      end
+      it { proxy.actors.has_key?(:actor).should be_true }
+    end
+  end
+
+  describe ".perform_access_authorization" do
+
+    context 'when registering and testing a valid actor' do
+      let(:result) do
+        controller_class.register_actor :good_user, as: :user
+        controller.perform_access_authorization(definition, [:profile])
+      end
+      it { result.should be_true }
+    end
+
+    context 'when registering and testing a valid actor and resource' do
+      let(:result) do
+        controller_class.register_actor :good_user, as: :user
+        controller_class.register_resource(:resource) { HashObj.new(id: 10) }
+        controller.perform_access_authorization(definition, [:profile2])
+      end
+      it { result.should be_true }
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,35 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+#
+
+require 'active_support/all'
+require 'canned'
+
+class HashObj
+  def initialize(_hash)
+    _hash.each do |k,v| self.class.send(:define_method, k) { v } end
+  end
+end
+
+module Helpers
+  def dummy(_hash={})
+    HashObj.new _hash
+  end
+end
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+  config.include Helpers
+end