RubyGems - cbac - Versions diffs - 0.3.1 → 0.5.1 - Mend

cbac 0.3.1 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

data/Manifest +60 -44
data/Rakefile +2 -2
data/cbac.gemspec +31 -31
data/generators/cbac/cbac_generator.rb +27 -6
data/generators/cbac/templates/config/cbac.pristine +2 -0
data/generators/cbac/templates/controllers/permissions_controller.rb +21 -2
data/generators/cbac/templates/controllers/upgrade_controller.rb +24 -0
data/generators/cbac/templates/fixtures/cbac_memberships.yml +1 -1
data/generators/cbac/templates/migrate/create_cbac_from_scratch.rb +59 -0
data/generators/cbac/templates/migrate/create_cbac_upgrade_path.rb +31 -0
data/generators/cbac/templates/tasks/cbac.rake +345 -0
data/generators/cbac/templates/views/layouts/cbac.html.erb +2 -1
data/generators/cbac/templates/views/memberships/index.html.erb +1 -1
data/generators/cbac/templates/views/permissions/index.html.erb +14 -6
data/generators/cbac/templates/views/upgrade/index.html.erb +32 -0
data/lib/cbac.rb +23 -12
data/lib/cbac/cbac_pristine/pristine.rb +133 -0
data/lib/cbac/cbac_pristine/pristine_file.rb +158 -0
data/lib/cbac/cbac_pristine/pristine_permission.rb +194 -0
data/lib/cbac/cbac_pristine/pristine_role.rb +42 -0
data/lib/cbac/known_permission.rb +14 -0
data/lib/cbac/permission.rb +1 -1
data/lib/cbac/privilege.rb +44 -0
data/lib/cbac/privilege_set.rb +5 -4
data/lib/cbac/privilege_set_record.rb +3 -1
data/spec/cbac_pristine_file_spec.rb +329 -0
data/spec/cbac_pristine_permission_spec.rb +358 -0
data/spec/cbac_pristine_role_spec.rb +85 -0
data/spec/rcov.opts +2 -0
data/spec/spec.opts +4 -0
data/spec/spec_helper.rb +12 -0
data/tasks/cbac.rake +345 -19
data/test/test_cbac_privilege.rb +54 -0
metadata +43 -9
data/generators/cbac/templates/migrate/create_cbac.rb +0 -40

data/generators/cbac/templates/views/layouts/cbac.html.erb CHANGED Viewed

@@ -12,6 +12,7 @@
     <%= link_to "Permissions", cbac_permissions_path %>
     <%= link_to "Generic roles", cbac_generic_roles_path %>
     <%= link_to "Memberships", cbac_memberships_path %>
+    <%= link_to "Upgrade", cbac_upgrade_path %>
     <%= yield %>
   </body>
-</html>
+</html>

data/generators/cbac/templates/views/memberships/index.html.erb CHANGED Viewed

@@ -7,7 +7,7 @@
         <th><%= role.name %></th>
       <% end %>
     </tr>
-    <% @users.each do |u| %>
+    <% (@users.sort do |x,y| x.name.downcase <=> y.name.downcase end).each do |u| %>
       <tr>
         <td><%= u.name %></td>
         <% @generic_roles.each do |generic_role| %>

data/generators/cbac/templates/views/permissions/index.html.erb CHANGED Viewed

@@ -1,25 +1,33 @@
 <div class="cbac">
+  <h2>Subset:</h2>
+  <form action="<%= request.request_uri %>" method="get" name="subset_view_form">
+    <b>Privilege set</b> starts with: <input type="text" name="priv_substr" value="<%= params[:priv_substr] %>" /><br />
+    <b>Role</b> starts with: <input type="text" name="role_substr" value="<%= params[:role_substr] %>" /><br/>
+    <input type="submit" value="Submit" />
+  </form>
   <h1>Permissions</h1>
   <table>
     <tr>
       <th>Privilegeset</th>
-      <% @context_roles.each do |name, comment| %>
+      <% (@context_roles.sort { |x, y| x[0].to_s <=> y[0].to_s }).each do |name, comment| %>
         <th><%= name %></th>
       <% end %>
-      <% @generic_roles.each do |role| %>
+      <% (@generic_roles.sort { |x, y| x.name <=> y.name }).each do |role| %>
         <th><%= role.name %></th>
       <% end %>
     </tr>
-    <% PrivilegeSet.sets.each do |token, set| %>
+    <% (@sets.sort do |x,y| x[0].to_s <=> y[0].to_s end).each do |token, set| %>
       <tr>
-        <td><%= set.name %></td>
-        <% @context_roles.each do |context_role, comment| %>
+        <td><span title ="<%= set.comment %>"><%= set.name %></span></td>
+        <% (@context_roles.sort { |x, y| x[0].to_s <=> y[0].to_s }).each do |context_role, comment| %>
           <td class="checked">
             <%= render :partial => "cbac/permissions/update_context_role.html", :locals => {:context_role => context_role.to_s,
               :set_id => set.id.to_s, :update_partial => false} %>
           </td>
         <% end %>
-        <% @generic_roles.each do |role| %>
+        <% (@generic_roles.sort { |x, y| x.name <=> y.name }).each do |role| %>
           <td class="checked">
             <%= render :partial => "cbac/permissions/update_generic_role.html", :locals => {:role => role,
               :set_id => set.id.to_s, :update_partial => false} %>

data/generators/cbac/templates/views/upgrade/index.html.erb ADDED Viewed

@@ -0,0 +1,32 @@
+<div class="cbac">
+  <h1>Permissions: available upgrades</h1>
+  <span>Choose which of these available permissions you want to accept or reject.
+    Each upgrade either adds a new permission or revokes an existing permission.
+    You can also leave the available upgrade for another time.</span><br/><br/>
+  <% form_tag cbac_upgrade_update_path  do %>
+  <table>
+    <tr>
+      <th class="medium">Add /revoke</th>
+      <th class="large">Privilegeset</th>
+      <th class="medium">Roletype</th>
+      <th class="medium">Role</th>
+      <th class="small">Accept</th>
+      <th class="small">Reject</th>
+      <th class="small">Leave</th>
+    </tr>
+    <% @permissions.each_with_index do |permission, index|  %>
+        <tr>
+          <td><span><%=permission.operation_string.capitalize%></span><input type="hidden" name="permissions[<%=index.to_s%>][id]" value="<%=permission.id.to_s%>"/></td>
+          <td><span title='<%=permission.privilege_set.comment%>'><%=permission.privilege_set_name%></span></td>
+          <td><span><%=permission.pristine_role.role_type%></span></td>
+          <td><span><%=permission.pristine_role.name%></span></td>
+          <td><input type="radio" name="permissions[<%=index.to_s%>][action]" value="accept"/></td>
+          <td><input type="radio" name="permissions[<%=index.to_s%>][action]" value="reject"/></td>
+          <td><input type="radio" name="permissions[<%=index.to_s%>][action]" value="leave" checked="checked"/></td>
+        </tr>
+     <% end %>
+  </table>
+    <input type="button" value="Cancel" onclick="window.location.reload();"/>
+    <input type="submit" value="OK"/>
+  <% end %>
+</div>

data/lib/cbac.rb CHANGED Viewed

@@ -6,10 +6,13 @@
 module Cbac
   if Cbac::Setup.check
     puts "CBAC properly installed"
-    require File.dirname(__FILE__) + '/cbac/privilege.rb'
-    require File.dirname(__FILE__) + '/cbac/privilege_set.rb'
-    require File.dirname(__FILE__) + '/cbac/context_role.rb'
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
+    require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
     # check performs a check to see if the user is allowed to access the given
     # resource. Example: authorization_check("BlogController", "index", :get)
@@ -31,13 +34,21 @@ module Cbac
     # Check the given privilege_sets
     def check_privilege_sets(privilege_sets, context = {})
       # Check the generic roles
-      return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+      return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user_id, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
       # Check the context roles Get the permissions
       privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
-        puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilegeset.name}" if Cbac::Config.verbose
+        puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
         eval_string = ContextRole.roles[permission.context_role.to_sym]
         # Not sure if this will work everywhere
-        return true if eval_string.call(context)
+        # TODO: sort this out
+        context[:session] = session
+        context["session"] = session
+        begin
+          return true if eval_string.call(context)
+        rescue Exception => e
+          puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
+          raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
+        end
       end
       # not authorized
       puts "Not authorized for: #{controller_method}" if Cbac::Config.verbose
@@ -56,7 +67,7 @@ module Cbac
     end
     # Default implementation of the current_user method
-    def current_user
+    def current_user_id
       session[:currentuser].to_i
     end
@@ -79,15 +90,15 @@ module Cbac
     # ### Initializer Include privileges file - contains the privilege and
     # privilege definitions
     begin
-      require File.join(RAILS_ROOT, "config", "privileges.rb")
+      require File.join(RAILS_ROOT, "config", "cbac", "privileges.rb")
     rescue MissingSourceFile
-      puts "CBAC warning: Could not load config/privileges.rb (Did you run ./script/generate cbac)"
+      puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
     end
     # Include context roles file - contains the context role definitions
     begin
-      require File.join(RAILS_ROOT, "config", "context_roles.rb")
+      require File.join(RAILS_ROOT, "config", "cbac", "context_roles.rb")
     rescue MissingSourceFile
-      puts "CBAC warning: Could not load config/context_roles.rb (Did you run ./script/generate cbac)"
+      puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
     end
     # ### Database autoload code

data/lib/cbac/cbac_pristine/pristine.rb ADDED Viewed

@@ -0,0 +1,133 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+module Cbac
+  module CbacPristine
+    #creates a yml file containing all generic roles from the specified pristine file objects
+    def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
+      roles = []
+      pristine_files.each do |pristine_file|
+        #if the pristine file wasn't parsed yet, we'll do it here
+        pristine_file.parse(false) if pristine_file.permissions.empty?
+        pristine_file.generic_roles.each do |generic_role|
+          # we only want the unique generic roles, because the yml file cannot have duplicates
+          has_role = false
+          roles.each do |role|
+            if role.name == generic_role.name
+              has_role = true
+            end
+          end
+          roles.push(generic_role) unless has_role
+        end
+      end
+      create_fixtures_file(roles, fixtures_file_name)
+    end
+    # creates a yml file containing all cbac_permissions from the specified pristine file objects
+    def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
+      permissions = []
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(false) if pristine_file.permissions.empty?
+        pristine_file.permission_set.each do |line|
+          permissions.push(line)
+        end
+      end
+      create_fixtures_file(permissions, fixtures_file_name)
+    end
+    # turns the fixtures into yml and writes them to a file with specified name.
+    def create_fixtures_file(fixtures, fixtures_file_name)
+      File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
+      f = File.new(fixtures_file_name, "w")
+      flock(f, File::LOCK_EX) do |f|
+        fixtures.each_with_index do |fixture, index|
+          f.write(fixture.to_yml_fixture(index + 1))
+        end
+      end
+    end
+    # set all cbac permissions and generic roles to the state in the specified pristine file objects
+    def set_pristine_state(pristine_files, clear_tables)
+      clear_cbac_tables if clear_tables
+      pristine_files.each do |pristine_file|
+        pristine_file.parse if pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.accept
+        end
+      end
+    end
+    # stage all unknown cbac_permissions
+    def stage_permissions(pristine_files)
+      pristine_files.each do |pristine_file|
+        pristine_file.parse(true) if pristine_file.permissions.empty?
+        pristine_file.permissions.each do |permission|
+          permission.stage
+        end
+      end
+    end
+    def clear_cbac_tables
+      Cbac::GenericRole.delete_all
+      Cbac::Membership.delete_all
+      Cbac::Permission.delete_all
+      Cbac::KnownPermission.delete_all
+      Cbac::CbacPristine::PristinePermission.delete_all
+      Cbac::CbacPristine::PristineRole.delete_all
+    end
+    def delete_generic_known_permissions
+      known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
+      known_permissions.each { |p| p.destroy }
+    end
+    def delete_generic_permissions
+      permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
+      (permissions.select { |perm| perm.generic_role.name != "administrators" }).each { |p| p.destroy }
+    end
+    def delete_non_generic_staged_permissions
+      PristinePermission.delete_non_generic_permissions
+    end
+    def delete_generic_staged_permissions
+      PristinePermission.delete_generic_permissions
+    end
+    def database_contains_cbac_data?
+      return (Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
+    end
+    def create_generic_pristine_file(file_name)
+       GenericPristineFile.new(file_name)
+    end
+    def create_pristine_file(file_name)
+       PristineFile.new(file_name)
+    end
+    def number_of_generic_staged_permissions
+      PristinePermission.count_generic_permissions
+    end
+    def number_of_non_generic_staged_permissions
+      PristinePermission.count_non_generic_permissions
+    end
+    def flock(file, mode)
+      success = file.flock(mode)
+      if success
+        begin
+          yield file
+        ensure
+          file.flock(File::LOCK_UN)
+        end
+      end
+      return success
+    end
+  end
+end

data/lib/cbac/cbac_pristine/pristine_file.rb ADDED Viewed

@@ -0,0 +1,158 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_role'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+module Cbac
+  module CbacPristine
+    class AbstractPristineFile
+      attr_accessor :file_name, :permissions, :generic_roles
+      def initialize(file_name)
+        @file_name = file_name
+        @generic_roles = []
+        @permissions = []
+        @admin_role = nil
+      end
+      def parse(use_db = true)
+        @permissions = Array.new
+        f = File.open(@file_name, "r")
+        last_row_number = -1
+        f.each_with_index do |l, line_number|
+          pristine_permission = PristinePermission.new
+          permission_line = l.chomp
+          # if this is not a line we can convert into a permission, go to next line (or fail.....)
+          next unless is_pristine_permission_line?(permission_line, line_number)
+          # check if the row numbers are constructed properly.
+          # this is needed for migration purposes, each permission should have an unique and persistent row number
+          header_match = permission_line.match(/^(\d+):([\+-x]|=>):\s*/)
+          pristine_permission.line_number = header_match.captures[0].to_i
+          if pristine_permission.line_number != last_row_number.succ
+            raise SyntaxError, "Error: row numbers in pristine file do not increase monotonously"
+          else
+            last_row_number = pristine_permission.line_number
+          end
+          pristine_permission.operation = header_match.captures[1]
+          # parse the role and privilege set name
+          pristine_permission.privilege_set_name = parse_privilege_set_name(permission_line, line_number)
+          pristine_permission.pristine_role = parse_role(permission_line, line_number, use_db)
+          # it's pristine, so changes should be treated as such
+          # if a permission was created and later revoked, we should remove the pristine line which was created before
+          case pristine_permission.operation
+            when '+'
+              @permissions.push(pristine_permission)
+            when '-'
+              permission_to_delete = nil
+              #check if this is actually a permission that can be revoked.
+              @permissions.each do |known_permission|
+                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name
+                  permission_to_delete = known_permission
+                  break
+                end
+              end
+              if permission_to_delete.nil?
+                raise SyntaxError, "Error: trying to remove a privilege set with \"#{permission_line}\" on line #{(line_number + 1).to_s}, but this privilege set wasn't created!"
+              else
+                @permissions.push(pristine_permission)
+              end
+            when 'x', '=>'
+              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
+          end
+        end
+      end
+      def is_pristine_permission_line?(line, line_number)
+        if line.match(/^\s*(\d+)\s*:\s*([\+-x]|=>)\s*:(\s*[A-Za-z]+\(\s*[A-Za-z_]*\s*\))+\s*\Z/) #looks like pristine line.....
+          return true
+        end
+        if line.match(/^\s*(#.*|\s*)$/) # line is whitespace or comment line
+          return false
+        end
+        raise SyntaxError, "Error: garbage found in input file on line #{(line_number + 1).to_s}" #line is rubbish
+      end
+      def parse_privilege_set_name(line, line_number)
+        if match_data= line.match(/^.*PrivilegeSet\(\s*([A-Za-z0-9_]+)\s*\)\s*/)
+          return match_data.captures[0]
+        end
+        raise SyntaxError, "Error: PrivilegeSet expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+      def parse_role(line, line_number, use_db = true)
+        raise NotImplementedError("Error: the AbstractPristineFile cannot parse roles, use a PristineFile or GenericPristineFile instead")
+      end
+      def permission_set
+        permission_set = Array.new(@permissions)
+        @permissions.each do |pristine_permission|
+           case pristine_permission.operation
+            when '+'
+              permission_set.push(pristine_permission)
+            when '-'
+              permission_to_delete = nil
+              #check if this is actually a permission that can be revoked.
+              permission_set.each do |known_permission|
+                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name and known_permission.operation == '+'
+                  permission_to_delete = known_permission
+                  break
+                end
+              end
+              if permission_to_delete.nil?
+                raise ArgumentError, "Error: trying to remove permission #{pristine_permission.privilege_set_name}\" for #{pristine_permission.pristine_role.name}, but this permission wasn't created!"
+              else
+                permission_set.delete(permission_to_delete)
+                permission_set.delete(pristine_permission)
+              end
+            when 'x', '=>'
+              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
+          end
+        end
+        permission_set
+      end
+    end
+    class PristineFile < Cbac::CbacPristine::AbstractPristineFile
+      def parse_role(line, line_number, use_db = true)
+        if line.match(/^.*Admin\(\)/)
+          return @admin_role unless @admin_role.nil?
+          @admin_role = PristineRole.admin_role(use_db)
+          @generic_roles.push(@admin_role)
+          return @admin_role
+        end
+        if context_role_name = line.match(/^.*ContextRole\(\s*([A-Za-z0-9_]+)\s*\)/)
+          # NOTE: the 0 for an ID is very important! In CBAC a context role permission MUST have 0 as generic_role_id
+          # if not, the context role is not found by CBAC and thus will not work
+          context_role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]}) : nil
+          context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]) if context_role.nil?
+          return context_role
+        end
+        raise SyntaxError, "Error: ContextRole or Admin expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+    end
+    class GenericPristineFile < Cbac::CbacPristine::AbstractPristineFile
+      def parse_role(line, line_number, use_db = true)
+        # generic pristine files differ, because they create generic roles when needed
+        # but those generic roles should be re-used if one with that name already exists
+        if generic_role= line.match(/^.*GenericRole\(\s*([A-Za-z0-9_]+)\s*\)/)
+          @generic_roles.each do |generic_cbac_role|
+            if generic_cbac_role.name == generic_role.captures[0]
+              return generic_cbac_role
+            end
+          end
+          role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]}) : nil
+          role =  PristineRole.new(:role_id => @generic_roles.length + 2, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]) if role.nil?
+          @generic_roles.push(role)
+          return role
+        end
+        raise SyntaxError, "Error: GenericRole expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+    end
+  end
+end