RubyGems - cbac - Versions diffs - 0.3.1 → 0.5.1 - Mend

cbac 0.3.1 → 0.5.1

Files changed (35) hide show

data/Manifest +60 -44
data/Rakefile +2 -2
data/cbac.gemspec +31 -31
data/generators/cbac/cbac_generator.rb +27 -6
data/generators/cbac/templates/config/cbac.pristine +2 -0
data/generators/cbac/templates/controllers/permissions_controller.rb +21 -2
data/generators/cbac/templates/controllers/upgrade_controller.rb +24 -0
data/generators/cbac/templates/fixtures/cbac_memberships.yml +1 -1
data/generators/cbac/templates/migrate/create_cbac_from_scratch.rb +59 -0
data/generators/cbac/templates/migrate/create_cbac_upgrade_path.rb +31 -0
data/generators/cbac/templates/tasks/cbac.rake +345 -0
data/generators/cbac/templates/views/layouts/cbac.html.erb +2 -1
data/generators/cbac/templates/views/memberships/index.html.erb +1 -1
data/generators/cbac/templates/views/permissions/index.html.erb +14 -6
data/generators/cbac/templates/views/upgrade/index.html.erb +32 -0
data/lib/cbac.rb +23 -12
data/lib/cbac/cbac_pristine/pristine.rb +133 -0
data/lib/cbac/cbac_pristine/pristine_file.rb +158 -0
data/lib/cbac/cbac_pristine/pristine_permission.rb +194 -0
data/lib/cbac/cbac_pristine/pristine_role.rb +42 -0
data/lib/cbac/known_permission.rb +14 -0
data/lib/cbac/permission.rb +1 -1
data/lib/cbac/privilege.rb +44 -0
data/lib/cbac/privilege_set.rb +5 -4
data/lib/cbac/privilege_set_record.rb +3 -1
data/spec/cbac_pristine_file_spec.rb +329 -0
data/spec/cbac_pristine_permission_spec.rb +358 -0
data/spec/cbac_pristine_role_spec.rb +85 -0
data/spec/rcov.opts +2 -0
data/spec/spec.opts +4 -0
data/spec/spec_helper.rb +12 -0
data/tasks/cbac.rake +345 -19
data/test/test_cbac_privilege.rb +54 -0
metadata +43 -9
data/generators/cbac/templates/migrate/create_cbac.rb +0 -40

data/generators/cbac/templates/views/layouts/cbac.html.erb CHANGED Viewed

@@ -12,6 +12,7 @@
     <%= link_to "Permissions", cbac_permissions_path %>
     <%= link_to "Generic roles", cbac_generic_roles_path %>
     <%= link_to "Memberships", cbac_memberships_path %>
+    <%= link_to "Upgrade", cbac_upgrade_path %>
     <%= yield %>
   </body>
-</html>
+</html>

data/generators/cbac/templates/views/memberships/index.html.erb CHANGED Viewed

@@ -7,7 +7,7 @@
         <th><%= role.name %></th>
       <% end %>
     </tr>
-    <% @users.each do |u| %>
+    <% (@users.sort do |x,y| x.name.downcase <=> y.name.downcase end).each do |u| %>
       <tr>
         <td><%= u.name %></td>
         <% @generic_roles.each do |generic_role| %>

data/generators/cbac/templates/views/permissions/index.html.erb CHANGED Viewed

@@ -1,25 +1,33 @@
 <div class="cbac">
+  <h2>Subset:</h2>
+  <form action="<%= request.request_uri %>" method="get" name="subset_view_form">
+    <b>Privilege set</b> starts with: <input type="text" name="priv_substr" value="<%= params[:priv_substr] %>" /><br />
+    <b>Role</b> starts with: <input type="text" name="role_substr" value="<%= params[:role_substr] %>" /><br/>
+    <input type="submit" value="Submit" />
+  </form>
   <h1>Permissions</h1>
   <table>
     <tr>
       <th>Privilegeset</th>
-      <% @context_roles.each do |name, comment| %>
+      <% (@context_roles.sort { |x, y| x[0].to_s <=> y[0].to_s }).each do |name, comment| %>
         <th><%= name %></th>
       <% end %>
-      <% @generic_roles.each do |role| %>
+      <% (@generic_roles.sort { |x, y| x.name <=> y.name }).each do |role| %>
         <th><%= role.name %></th>
       <% end %>
     </tr>
-    <% PrivilegeSet.sets.each do |token, set| %>
+    <% (@sets.sort do |x,y| x[0].to_s <=> y[0].to_s end).each do |token, set| %>
       <tr>
-        <td><%= set.name %></td>
-        <% @context_roles.each do |context_role, comment| %>
+        <td><span title ="<%= set.comment %>"><%= set.name %></span></td>
+        <% (@context_roles.sort { |x, y| x[0].to_s <=> y[0].to_s }).each do |context_role, comment| %>
           <td class="checked">
             <%= render :partial => "cbac/permissions/update_context_role.html", :locals => {:context_role => context_role.to_s,
               :set_id => set.id.to_s, :update_partial => false} %>
           </td>
         <% end %>
-        <% @generic_roles.each do |role| %>
+        <% (@generic_roles.sort { |x, y| x.name <=> y.name }).each do |role| %>
           <td class="checked">
             <%= render :partial => "cbac/permissions/update_generic_role.html", :locals => {:role => role,
               :set_id => set.id.to_s, :update_partial => false} %>

data/generators/cbac/templates/views/upgrade/index.html.erb ADDED Viewed

@@ -0,0 +1,32 @@
+<div class="cbac">
+  <h1>Permissions: available upgrades</h1>
+  <span>Choose which of these available permissions you want to accept or reject.
+    Each upgrade either adds a new permission or revokes an existing permission.
+    You can also leave the available upgrade for another time.</span><br/><br/>
+  <% form_tag cbac_upgrade_update_path  do %>
+  <table>
+    <tr>
+      <th class="medium">Add /revoke</th>
+      <th class="large">Privilegeset</th>
+      <th class="medium">Roletype</th>
+      <th class="medium">Role</th>
+      <th class="small">Accept</th>
+      <th class="small">Reject</th>
+      <th class="small">Leave</th>
+    </tr>
+    <% @permissions.each_with_index do |permission, index|  %>
+        <tr>
+          <td><span><%=permission.operation_string.capitalize%></span><input type="hidden" name="permissions[<%=index.to_s%>][id]" value="<%=permission.id.to_s%>"/></td>
+          <td><span title='<%=permission.privilege_set.comment%>'><%=permission.privilege_set_name%></span></td>
+          <td><span><%=permission.pristine_role.role_type%></span></td>
+          <td><span><%=permission.pristine_role.name%></span></td>
+          <td><input type="radio" name="permissions[<%=index.to_s%>][action]" value="accept"/></td>
+          <td><input type="radio" name="permissions[<%=index.to_s%>][action]" value="reject"/></td>
+          <td><input type="radio" name="permissions[<%=index.to_s%>][action]" value="leave" checked="checked"/></td>
+        </tr>
+     <% end %>
+  </table>
+    <input type="button" value="Cancel" onclick="window.location.reload();"/>
+    <input type="submit" value="OK"/>
+  <% end %>
+</div>

data/lib/cbac.rb CHANGED Viewed

@@ -6,10 +6,13 @@
 module Cbac
   if Cbac::Setup.check
     puts "CBAC properly installed"
-    require File.dirname(__FILE__) + '/cbac/privilege.rb'
-    require File.dirname(__FILE__) + '/cbac/privilege_set.rb'
-    require File.dirname(__FILE__) + '/cbac/context_role.rb'
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
     # check performs a check to see if the user is allowed to access the given
     # resource. Example: authorization_check("BlogController", "index", :get)
@@ -31,13 +34,21 @@ module Cbac
     # Check the given privilege_sets
     def check_privilege_sets(privilege_sets, context = {})
       # Check the generic roles
-      return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+      return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user_id, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
       # Check the context roles Get the permissions
       privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
-        puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilegeset.name}" if Cbac::Config.verbose
+        puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
         eval_string = ContextRole.roles[permission.context_role.to_sym]
         # Not sure if this will work everywhere
-        return true if eval_string.call(context)
+        # TODO: sort this out
+        context[:session] = session
+        context["session"] = session
+        begin
+          return true if eval_string.call(context)
+        rescue Exception => e
+          puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
+          raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
+        end
       end
       # not authorized
       puts "Not authorized for: #{controller_method}" if Cbac::Config.verbose
@@ -56,7 +67,7 @@ module Cbac
     end
     # Default implementation of the current_user method
-    def current_user
+    def current_user_id
       session[:currentuser].to_i
     end
@@ -79,15 +90,15 @@ module Cbac
     # ### Initializer Include privileges file - contains the privilege and
     # privilege definitions
     begin
-      require File.join(RAILS_ROOT, "config", "privileges.rb")
+      require File.join(RAILS_ROOT, "config", "cbac", "privileges.rb")
     rescue MissingSourceFile
-      puts "CBAC warning: Could not load config/privileges.rb (Did you run ./script/generate cbac)"
+      puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
     end
     # Include context roles file - contains the context role definitions
     begin
-      require File.join(RAILS_ROOT, "config", "context_roles.rb")
+      require File.join(RAILS_ROOT, "config", "cbac", "context_roles.rb")
     rescue MissingSourceFile
-      puts "CBAC warning: Could not load config/context_roles.rb (Did you run ./script/generate cbac)"
+      puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
     end
     # ### Database autoload code

data/lib/cbac/cbac_pristine/pristine.rb ADDED Viewed

@@ -0,0 +1,133 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+module Cbac
+  module CbacPristine
+    #creates a yml file containing all generic roles from the specified pristine file objects
+    def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
+      roles = []
+      pristine_files.each do |pristine_file|
+        #if the pristine file wasn't parsed yet, we'll do it here
+        pristine_file.parse(false) if pristine_file.permissions.empty?
+        pristine_file.generic_roles.each do |generic_role|
+          # we only want the unique generic roles, because the yml file cannot have duplicates
+          has_role = false
+          roles.each do |role|
+            if role.name == generic_role.name
+              has_role = true
+            end
+          end
+          roles.push(generic_role) unless has_role
+        end
+      end
+      create_fixtures_file(roles, fixtures_file_name)
+    end
+    # creates a yml file containing all cbac_permissions from the specified pristine file objects
+    def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
+      permissions = []
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(false) if pristine_file.permissions.empty?
+        pristine_file.permission_set.each do |line|
+          permissions.push(line)
+        end
+      end
+      create_fixtures_file(permissions, fixtures_file_name)
+    end
+    # turns the fixtures into yml and writes them to a file with specified name.
+    def create_fixtures_file(fixtures, fixtures_file_name)
+      File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
+      f = File.new(fixtures_file_name, "w")
+      flock(f, File::LOCK_EX) do |f|
+        fixtures.each_with_index do |fixture, index|
+          f.write(fixture.to_yml_fixture(index + 1))
+        end
+      end
+    end
+    # set all cbac permissions and generic roles to the state in the specified pristine file objects
+    def set_pristine_state(pristine_files, clear_tables)
+      clear_cbac_tables if clear_tables
+      pristine_files.each do |pristine_file|
+        pristine_file.parse if pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.accept
+        end
+      end
+    end
+    # stage all unknown cbac_permissions
+    def stage_permissions(pristine_files)
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(true) if pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.stage
+        end
+      end
+    end
+    def clear_cbac_tables
+      Cbac::GenericRole.delete_all
+      Cbac::Membership.delete_all
+      Cbac::Permission.delete_all
+      Cbac::KnownPermission.delete_all
+      Cbac::CbacPristine::PristinePermission.delete_all
+      Cbac::CbacPristine::PristineRole.delete_all
+    end
+    def delete_generic_known_permissions
+      known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
+      known_permissions.each { |p| p.destroy }
+    end
+    def delete_generic_permissions
+      permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
+      (permissions.select { |perm| perm.generic_role.name != "administrators" }).each { |p| p.destroy }
+    end
+    def delete_non_generic_staged_permissions
+      PristinePermission.delete_non_generic_permissions
+    end
+    def delete_generic_staged_permissions
+      PristinePermission.delete_generic_permissions
+    end
+    def database_contains_cbac_data?
+      return (Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
+    end
+    def create_generic_pristine_file(file_name)
+       GenericPristineFile.new(file_name)
+    end
+    def create_pristine_file(file_name)
+       PristineFile.new(file_name)
+    end
+    def number_of_generic_staged_permissions
+      PristinePermission.count_generic_permissions
+    end
+    def number_of_non_generic_staged_permissions
+      PristinePermission.count_non_generic_permissions
+    end
+    def flock(file, mode)
+      success = file.flock(mode)
+      if success
+        begin
+          yield file
+        ensure
+          file.flock(File::LOCK_UN)
+        end
+      end
+      return success
+    end
+  end
+end

data/lib/cbac/cbac_pristine/pristine_file.rb ADDED Viewed

@@ -0,0 +1,158 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_role'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+module Cbac
+  module CbacPristine
+    class AbstractPristineFile
+      attr_accessor :file_name, :permissions, :generic_roles
+      def initialize(file_name)
+        @file_name = file_name
+        @generic_roles = []
+        @permissions = []
+        @admin_role = nil
+      end
+      def parse(use_db = true)
+        @permissions = Array.new
+        f = File.open(@file_name, "r")
+        last_row_number = -1
+        f.each_with_index do |l, line_number|
+          pristine_permission = PristinePermission.new
+          permission_line = l.chomp
+          # if this is not a line we can convert into a permission, go to next line (or fail.....)
+          next unless is_pristine_permission_line?(permission_line, line_number)
+          # check if the row numbers are constructed properly.
+          # this is needed for migration purposes, each permission should have an unique and persistent row number
+          header_match = permission_line.match(/^(\d+):([\+-x]|=>):\s*/)
+          pristine_permission.line_number = header_match.captures[0].to_i
+          if pristine_permission.line_number != last_row_number.succ
+            raise SyntaxError, "Error: row numbers in pristine file do not increase monotonously"
+          else
+            last_row_number = pristine_permission.line_number
+          end
+          pristine_permission.operation = header_match.captures[1]
+          # parse the role and privilege set name
+          pristine_permission.privilege_set_name = parse_privilege_set_name(permission_line, line_number)
+          pristine_permission.pristine_role = parse_role(permission_line, line_number, use_db)
+          # it's pristine, so changes should be treated as such
+          # if a permission was created and later revoked, we should remove the pristine line which was created before
+          case pristine_permission.operation
+            when '+'
+              @permissions.push(pristine_permission)
+            when '-'
+              permission_to_delete = nil
+              #check if this is actually a permission that can be revoked.
+              @permissions.each do |known_permission|
+                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name
+                  permission_to_delete = known_permission
+                  break
+                end
+              end
+              if permission_to_delete.nil?
+                raise SyntaxError, "Error: trying to remove a privilege set with \"#{permission_line}\" on line #{(line_number + 1).to_s}, but this privilege set wasn't created!"
+              else
+                @permissions.push(pristine_permission)
+              end
+            when 'x', '=>'
+              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
+          end
+        end
+      end
+      def is_pristine_permission_line?(line, line_number)
+        if line.match(/^\s*(\d+)\s*:\s*([\+-x]|=>)\s*:(\s*[A-Za-z]+\(\s*[A-Za-z_]*\s*\))+\s*\Z/) #looks like pristine line.....
+          return true
+        end
+        if line.match(/^\s*(#.*|\s*)$/) # line is whitespace or comment line
+          return false
+        end
+        raise SyntaxError, "Error: garbage found in input file on line #{(line_number + 1).to_s}" #line is rubbish
+      end
+      def parse_privilege_set_name(line, line_number)
+        if match_data= line.match(/^.*PrivilegeSet\(\s*([A-Za-z0-9_]+)\s*\)\s*/)
+          return match_data.captures[0]
+        end
+        raise SyntaxError, "Error: PrivilegeSet expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+      def parse_role(line, line_number, use_db = true)
+        raise NotImplementedError("Error: the AbstractPristineFile cannot parse roles, use a PristineFile or GenericPristineFile instead")
+      end
+      def permission_set
+        permission_set = Array.new(@permissions)
+        @permissions.each do |pristine_permission|
+           case pristine_permission.operation
+            when '+'
+              permission_set.push(pristine_permission)
+            when '-'
+              permission_to_delete = nil
+              #check if this is actually a permission that can be revoked.
+              permission_set.each do |known_permission|
+                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name and known_permission.operation == '+'
+                  permission_to_delete = known_permission
+                  break
+                end
+              end
+              if permission_to_delete.nil?
+                raise ArgumentError, "Error: trying to remove permission #{pristine_permission.privilege_set_name}\" for #{pristine_permission.pristine_role.name}, but this permission wasn't created!"
+              else
+                permission_set.delete(permission_to_delete)
+                permission_set.delete(pristine_permission)
+              end
+            when 'x', '=>'
+              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
+          end
+        end
+        permission_set
+      end
+    end
+    class PristineFile < Cbac::CbacPristine::AbstractPristineFile
+      def parse_role(line, line_number, use_db = true)
+        if line.match(/^.*Admin\(\)/)
+          return @admin_role unless @admin_role.nil?
+          @admin_role = PristineRole.admin_role(use_db)
+          @generic_roles.push(@admin_role)
+          return @admin_role
+        end
+        if context_role_name = line.match(/^.*ContextRole\(\s*([A-Za-z0-9_]+)\s*\)/)
+          # NOTE: the 0 for an ID is very important! In CBAC a context role permission MUST have 0 as generic_role_id
+          # if not, the context role is not found by CBAC and thus will not work
+          context_role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]}) : nil
+          context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]) if context_role.nil?
+          return context_role
+        end
+        raise SyntaxError, "Error: ContextRole or Admin expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+    end
+    class GenericPristineFile < Cbac::CbacPristine::AbstractPristineFile
+      def parse_role(line, line_number, use_db = true)
+        # generic pristine files differ, because they create generic roles when needed
+        # but those generic roles should be re-used if one with that name already exists
+        if generic_role= line.match(/^.*GenericRole\(\s*([A-Za-z0-9_]+)\s*\)/)
+          @generic_roles.each do |generic_cbac_role|
+            if generic_cbac_role.name == generic_role.captures[0]
+              return generic_cbac_role
+            end
+          end
+          role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]}) : nil
+          role =  PristineRole.new(:role_id => @generic_roles.length + 2, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]) if role.nil?
+          @generic_roles.push(role)
+          return role
+        end
+        raise SyntaxError, "Error: GenericRole expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+    end
+  end
+end