cbac 0.3.1 → 0.5.1

data/lib/cbac/cbac_pristine/pristine_permission.rb

@@ -0,0 +1,194 @@
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_role'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+require 'active_record'
+
+module Cbac
+  module CbacPristine
+    class PristinePermission < ActiveRecord::Base
+      set_table_name 'cbac_staged_permissions'
+
+      belongs_to :pristine_role, :class_name => "Cbac::CbacPristine::PristineRole"
+
+      def privilege_set
+        Cbac::PrivilegeSetRecord.first(:conditions => {:name => privilege_set_name})
+      end
+
+      def operation_string
+        case operation
+          when '+'
+            return "add"
+          when '-'
+            return "revoke"
+          else
+            return "unknown"
+        end
+      end
+
+      #convert this pristine line to a yml statement which can be used to create a yml fixtures file
+      #executing this statement will result in one cbac_permission in the DB
+      def to_yml_fixture(fixture_id = nil)
+        raise ArgumentError, "Error: cannot convert line #{line_number.to_s} to yml because the role is not specified" if pristine_role.nil?
+        raise ArgumentError, "Error: cannot convert line #{line_number.to_s} to yml because the privilege_set_name is not specified" if privilege_set_name.blank?
+
+        fixture_id = line_number if fixture_id.nil?
+
+        yml = "cbac_permission_00" << fixture_id.to_s << ":\n"
+        yml << "  id: " << fixture_id.to_s << "\n"
+        yml << "  context_role: "
+        yml << pristine_role.name if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+        yml << "\n"
+        yml << "  generic_role_id: " << pristine_role.role_id.to_s << "\n"
+        yml << "  privilege_set_id: <%= Cbac::PrivilegeSetRecord.find(:first, :conditions => {:name => '" << privilege_set_name << "'}).id %>\n"
+        yml << "  created_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
+        yml << "  updated_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
+        yml << "\n"
+      end
+
+      # checks if the current cbac permissions contains a permission which is exactly like this one
+      def cbac_permission_exists?
+        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+          Cbac::Permission.count(:joins => [:privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :context_role => pristine_role.name}) > 0
+        else
+          Cbac::Permission.count(:joins => [:generic_role, :privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :cbac_generic_roles => {:name => pristine_role.name}}) > 0
+        end
+      end
+
+      # checks if a pristine permission with the same properties(except line_number) exists in the database
+      def exists?
+        Cbac::CbacPristine::PristinePermission.count(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => operation}) > 0
+      end
+
+      # checks if a pristine permission with the exact same properties(except line_number), but the reverse operation exists in the database
+      def reverse_exists?
+        Cbac::CbacPristine::PristinePermission.count(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => reverse_operation}) > 0
+      end
+
+      # delete the pristine permission with the reverse operation of this one
+      def delete_reverse_permission
+        reverse_permission = Cbac::CbacPristine::PristinePermission.first(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => reverse_operation})
+        reverse_permission.delete
+      end
+
+      # get the reverse operation of this one
+      def reverse_operation
+        case operation
+          when '+'
+            return '-'
+          when '-'
+            return '+'
+          when 'x', '=>'
+            raise NotImplementedError, "Error: using an x or => in a pristine file is not implemented yet"
+          else
+            raise ArgumentError, "Error: invalid operation #{operation} is used in the pristine file"
+        end
+      end
+
+      # checks if the known_permissions table has an entry for this permission
+      def known_permission_exists?
+        Cbac::KnownPermission.count(:conditions => {:permission_type => pristine_role.known_permission_type, :permission_number => line_number}) > 0
+      end
+
+      # accept this permission and apply to the current cbac permission set
+      def accept
+        case operation
+          when '+'
+            handle_grant_permission
+          when '-'
+            handle_revoke_permission
+          when 'x', '=>'
+            raise NotImplementedError, "Error: using an x or => in a pristine file is not implemented yet"
+          else
+            raise ArgumentError, "Error: invalid operation #{operation} is used in the pristine file"
+        end
+        PristinePermission.delete(id) unless id.nil?
+      end
+
+      # reject this permission, but register it as a known permission. The user actually rejected this himself.
+      def reject
+        register_change
+        PristinePermission.delete(id) unless id.nil?
+      end
+
+      # add this permission to the cbac permission set, unless it already exists
+      def handle_grant_permission
+        return if cbac_permission_exists?
+
+        permission = Cbac::Permission.new
+        permission.privilege_set = privilege_set
+
+        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+          permission.context_role = pristine_role.name
+        else
+          generic_role = Cbac::GenericRole.first(:conditions => {:name => pristine_role.name})
+          permission.generic_role = generic_role.nil? ? Cbac::GenericRole.create(:name => pristine_role.name, :remarks => "Autogenerated by Cbac loading / upgrade system") : generic_role
+        end
+
+        register_change if permission.save
+        permission
+      end
+
+      # revoke this permission from the current permission set, raises an error if it doesn't exist yet
+      def handle_revoke_permission
+        raise ArgumentError, "Error: trying to revoke permission #{privilege_set_name} for #{pristine_role.name}, but this permission does not exist" unless cbac_permission_exists?
+
+        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+          permission = Cbac::Permission.first(:joins => [:privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :context_role => pristine_role.name})
+        else
+          permission = Cbac::Permission.first(:joins => [:generic_role, :privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :cbac_generic_roles => {:name => pristine_role.name}})
+        end
+
+        register_change if permission.destroy
+      end
+
+      # register this permission as a known permission
+      def register_change
+        Cbac::KnownPermission.create(:permission_number => line_number, :permission_type => pristine_role.known_permission_type)
+      end
+
+      # add this permission to the staging area
+      def stage
+        raise ArgumentError, "Error: this staged permission already exists. Record with line number #{line_number} is a duplicate permission." if exists?
+        return if known_permission_exists?
+
+        if operation == '-'
+          # if the reverse permission is also staged, remove it and do not add this one
+          if reverse_exists?
+            delete_reverse_permission
+            return
+          end
+          # if this is an attempt to revoke a permission, it should exist as a real cbac permission!
+          save if cbac_permission_exists?
+        elsif operation == '+'
+          # if this is an attempt to add a permission, it MUST not exist yet
+          save unless cbac_permission_exists?
+        end
+      end
+
+
+
+      # clear the staging area of all generic pristine permissions
+      def self.delete_generic_permissions
+        generic_staged_permissions = all(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic]])
+        generic_staged_permissions.each do |permission|
+          delete(permission.id)
+        end
+      end
+
+      # clear the staging area of all non generic permissions
+      def self.delete_non_generic_permissions
+        staged_permissions = all(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic]])
+        staged_permissions.each do |permission|
+          delete(permission.id)
+        end
+      end
+
+      def self.count_generic_permissions
+        count(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic]])
+      end
+
+      def self.count_non_generic_permissions
+        count(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic]])
+      end
+    end
+  end
+end

data/lib/cbac/cbac_pristine/pristine_role.rb

@@ -0,0 +1,42 @@
+require 'active_record'
+module Cbac
+  module CbacPristine
+    class PristineRole < ActiveRecord::Base
+      set_table_name "cbac_staged_roles"
+
+      def self.ROLE_TYPES
+        {:context => "context", :generic => "generic", :admin => "administrator"}
+      end
+
+     
+      #convert this cbac role to a yml statement which can be used to create a yml fixtures file
+      #executing this statement will result in one cbac_generic_role in the DB
+      def to_yml_fixture(fixture_id = nil)
+        fixture_id = role_id if fixture_id.nil?
+
+        return '' if role_type == Cbac::CbacPristine::PristineRole.ROLE_TYPES[:context]
+        raise ArgumentError, "cannot convert role #{id.to_s} to yml, because it has no name" if name.blank?
+
+        yml = "cbac_generic_role_00" << fixture_id.to_s << ":\n"
+        yml << "  id: " << fixture_id.to_s << "\n"
+        yml << "  name: " << name << "\n"
+        yml << "  created_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
+        yml << "  updated_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
+        yml << "\n"
+      end
+
+      def known_permission_type
+        # NOTE: known permissions use different type definitions than pristine roles.
+        # They only use the file type to determine if it is a generic or context role.
+        # Context roles include the admin role (same file) while pristine roles use a different type
+        role_type == PristineRole.ROLE_TYPES[:generic] ? Cbac::KnownPermission.PERMISSION_TYPES[:generic] : Cbac::KnownPermission.PERMISSION_TYPES[:context]
+      end
+
+      def self.admin_role(use_db = true)
+        admin_role =  use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:admin]}) : nil
+
+        admin_role.nil?  ? PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator") : admin_role
+      end
+    end
+  end
+end

data/lib/cbac/known_permission.rb

@@ -0,0 +1,14 @@
+class Cbac::KnownPermission < ActiveRecord::Base
+  set_table_name "cbac_known_permissions"
+
+  cattr_accessor :PERMISSION_TYPES
+  @@PERMISSION_TYPES = {:context => 0, :generic => 1}
+
+  def self.find_context_permissions(conditions = {})
+    all(:conditions => conditions.merge(:permission_type => @@PERMISSION_TYPES[:context]))
+  end
+
+  def self.find_generic_permissions(conditions = {})
+    all(:conditions => conditions.merge(:permission_type => @@PERMISSION_TYPES[:generic]))
+  end
+end

data/lib/cbac/permission.rb

@@ -2,5 +2,5 @@ class Cbac::Permission < ActiveRecord::Base
   set_table_name "cbac_permissions"
 
   belongs_to :generic_role, :class_name => "Cbac::GenericRole", :foreign_key => "generic_role_id"
-  belongs_to :privilegeset, :class_name => "Cbac::PrivilegeSetRecord", :foreign_key => "privilege_set_id"
+  belongs_to :privilege_set, :class_name => "Cbac::PrivilegeSetRecord", :foreign_key => "privilege_set_id"
 end

data/lib/cbac/privilege.rb

@@ -7,6 +7,14 @@ class Privilege
   class << self
     attr_reader :get_resources, :post_resources, :model_attributes, :models
 
+    # The includes hash contains references to inheritence. The key points to the
+    # base class, the value is an array of children.
+    #
+    # Example:
+    # If Child inherits from Parent, then the structure would be:
+    # includes[:Parent] = [:Child]
+    attr_reader :includes
+
     # Links a resource with a PrivilegeSet
     #
     # An ArgumentError exception is thrown if the PrivilegeSet does not exist.
@@ -22,12 +30,43 @@ class Privilege
       case action_option[0]
       when "GET"
         (@get_resources[method] ||= Array.new) << PrivilegeSet.sets[privilege_set]
+        (@includes[privilege_set] || Array.new).each {|child_set| (@get_resources[method] ||= Array.new) << PrivilegeSet.sets[child_set]} unless @includes.nil?
       when "POST"
         (@post_resources[method] ||= Array.new) << PrivilegeSet.sets[privilege_set]
+        (@includes[privilege_set] || Array.new).each {|child_set| (@post_resources[method] ||= Array.new) << PrivilegeSet.sets[child_set]} unless @includes.nil?
       else
+        raise "This should never happen"
       end
     end
 
+    # Make a privilege set dependant on other privilege set(s).
+    #
+    # Usage:
+    # Privilege.include :child_set, :base_set
+    # Privilege.include :child_set, [:base_set_1, :base_set_2]
+    #
+    # An ArgumentError exception is thrown if any of the PrivilegeSet methods do not exist.
+    def include(privilege_set, included_privilege_set)
+      @includes = Hash.new if @includes.nil?
+      child_set = privilege_set.to_sym
+      raise ArgumentError, "CBAC: PrivilegeSet does not exist: #{child_set}" unless PrivilegeSet.sets.include?(child_set)
+      included_privilege_set = [included_privilege_set] unless included_privilege_set.is_a?(Enumerable)
+      included_privilege_set.each do |base_set|
+        # Check for existence of PrivilegeSet
+        raise ArgumentError, "CBAC: PrivilegeSet does not exist: #{base_set}" unless PrivilegeSet.sets.include?(base_set)
+        # Adds the references
+        (@includes[base_set.to_sym] ||= Array.new) << child_set
+        # Copies existing resources
+        @get_resources.each do |method, privilege_sets|
+          resource child_set, method, :get if privilege_sets.any? {|set| set.name == base_set.to_s}
+        end
+        @post_resources.each do |method, privilege_sets|
+          resource child_set, method, :post if privilege_sets.any? {|set| set.name == base_set.to_s}
+        end
+      end
+    end
+      
+
     def model_attribute
 
     end
@@ -39,6 +78,11 @@ class Privilege
     # action_type Valid values for action_type are "get", "post" and "put".
     # "put" is converted into "post".
     #
+    # Usage:
+    # Privilege.select "my_controller/action", :get
+    #
+    # Returns an array of PrivilegeSet objects
+    #
     # If incorrect values are given for action_type the method will raise an
     # ArgumentError. If the controller and action name are not found, an
     # exception is being raised.

data/lib/cbac/privilege_set.rb

@@ -18,10 +18,11 @@ class Cbac::PrivilegeSet
       @sets = Hash.new if @sets.nil?
       # check for double creation
       raise ArgumentError, "CBAC: PrivilegeSet was already defined: #{symbol.to_s}" if @sets.include?(symbol)
-      # Create record if privilegeset doesn't exist
-      Cbac::PrivilegeSetRecord.create(:name => symbol.to_s) if Cbac::PrivilegeSetRecord.find(:first, :conditions => ["name = ?", symbol.to_s]).nil?
-      record = Cbac::PrivilegeSetRecord.find(:first, :conditions => ["name = ?", symbol.to_s])
-      record.comment = comment
+      # Create record if privilege set doesn't exist
+      record = Cbac::PrivilegeSetRecord.find_or_create_by_name(symbol.to_s)
+      record.set_comment(comment)
+      record.save
+
       @sets[symbol] = record
     end
   end

data/lib/cbac/privilege_set_record.rb

@@ -1,5 +1,7 @@
 class Cbac::PrivilegeSetRecord < ActiveRecord::Base
   set_table_name "cbac_privilege_set"
 
-  attr_accessor :comment
+  def set_comment(comment)
+    self.comment = comment if has_attribute?("comment")    
+  end
 end

data/spec/cbac_pristine_file_spec.rb

@@ -0,0 +1,329 @@
+require 'spec'
+require 'cbac/cbac_pristine/pristine_permission'
+require 'cbac/cbac_pristine/pristine_role'
+require 'cbac/cbac_pristine/pristine_file'
+require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
+include Cbac::CbacPristine
+
+describe "CbacPristineFile" do
+  before(:each) do
+      @pristine_file = PristineFile.new("cbac.pristine")
+  end
+
+  describe "indicate if a line looks like a pristine line" do
+    
+    it "should indicate that a ruby style comment line is not a pristine line" do
+      comment_line = "#this is a comment line in Ruby"
+
+      @pristine_file.is_pristine_permission_line?(comment_line, 1).should be_false
+    end
+
+    it "should raise an error if the line does not look like a pristine line" do
+      line = "this is not pristine line. And it isn't a comment. 1"
+
+      proc{
+        @pristine_file.is_pristine_permission_line?(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+
+    it "should return true in case of a valid pristine line" do
+      line = "0:+:PrivilegeSet(login)ContextRole(everybody)"
+
+      @pristine_file.is_pristine_permission_line?(line, 0).should be_true
+    end
+
+    it "should fail if the id of the pristine line contains a character" do
+      line = "0b:+:PrivilegeSet(login)ContextRole(everybody)"
+
+      proc{
+        @pristine_file.is_pristine_permission_line?(line, 0)
+      }.should raise_error(SyntaxError)
+      end
+
+    it "should succeed if the privilege set name is not provided" do
+      line = "0:+:PrivilegeSet()Admin()"
+
+      @pristine_file.is_pristine_permission_line?(line, 0).should be_true
+    end
+
+    it "should succeed if the context role name is not provided" do
+      line = "0:+:PrivilegeSet(login)ContextRole()"
+
+      @pristine_file.is_pristine_permission_line?(line, 0).should be_true
+    end
+
+  end
+
+  describe "parse the privilege set name from a pristine line" do
+    it "should fail if the privilege set name is not provided" do
+      line = "0:+:PrivilegeSet()Admin()"
+
+      proc{
+        @pristine_file.parse_privilege_set_name(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+
+    it "should return the name of the privilege set provided in the line" do
+      privilege_set_name = "chat"
+      line = "0:+:PrivilegeSet(#{privilege_set_name})Admin()"
+
+      @pristine_file.parse_privilege_set_name(line, 0).should == privilege_set_name      
+    end
+
+    it "should fail if an invalid line is provided" do
+      line = "0:+:ContextRole(toeteraars)"
+
+      proc{
+          @pristine_file.parse_privilege_set_name(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+  end
+
+  describe "parse the role from a pristine line" do
+    it "should return the admin role if the role is Admin()" do
+      admin_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:admin], :name => 'administrators')
+      PristineRole.stub!(:admin_role).and_return(admin_role)
+      line = "0:+:PrivilegeSet(chat)Admin()"
+
+      @pristine_file.parse_role(line, 0).should == admin_role
+    end
+
+    it "should return a context role if the role specified as ContextRole" do
+      line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
+
+      @pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:context]
+    end
+
+    it "should return a context role with specified name if the role specified as ContextRole" do
+      context_role_name = "logged_in_user"
+      line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
+
+      @pristine_file.parse_role(line, 0).name.should == context_role_name
+    end
+
+    it "should return an existing context role with specified name if possible" do
+      context_role_name = "logged_in_user"
+      line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
+      existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
+
+      @pristine_file.parse_role(line, 0).should == existing_context_role
+    end
+
+    it "should not return an existing context role with specified name if db should not be used" do
+      context_role_name = "logged_in_user"
+      line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
+      existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
+
+      @pristine_file.parse_role(line, 0, false).should_not == existing_context_role
+    end
+
+    it "should return a context role with id of 0 if the role specified as ContextRole" do
+      line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
+
+      @pristine_file.parse_role(line, 0).role_id.should == 0
+    end
+
+    it "should fail if an invalid line is provided" do
+      line = "0:+:PrivilegeSet(toeteraars)"
+
+      proc{
+           @pristine_file.parse_role(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+
+    it "should fail if a generic role is provided for the normal (non-generic) pristine file" do
+      line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
+
+      proc{
+           @pristine_file.parse_role(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+
+
+    it "should return a generic role if a generic pristine file is used" do
+      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
+
+      @pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:generic]
+    end
+
+    it "should return an existing generic role if use_db is not specified" do
+      generic_role_name = 'group_admins'
+      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
+      existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
+
+      @pristine_file.parse_role(line, 0).should == existing_role
+    end
+
+    it "should not use an existing role if use_db is set to false" do
+      generic_role_name = 'group_admins'
+      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
+      existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
+
+      @pristine_file.parse_role(line, 0, false).should_not == existing_role
+    end
+
+    it "should fail if an Admin role is used in a generic pristine file" do
+      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      line = "0:+:PrivilegeSet(chat)Admin()"
+
+      proc{
+           @pristine_file.parse_role(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+
+    it "should fail if an context role is used in a generic pristine file" do
+      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
+
+      proc{
+           @pristine_file.parse_role(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+
+    it "should fail if an invalid line is provided in a generic pristine file" do
+      @pristine_file = GenericPristineFile.new("cbac.pristine")
+      line = "0:+:PrivilegeSet(toeteraars)"
+
+      proc{
+           @pristine_file.parse_role(line, 0)
+      }.should raise_error(SyntaxError)
+    end
+  end
+
+  describe "parsing a cbac_pristine file" do
+
+    it "should fail if a row number is used twice" do
+      pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+      pristine_file_lines.push("0:+:PrivilegeSet(log_in)ContextRole(everybody)")
+      
+      File.stub!(:open).and_return(pristine_file_lines)
+
+      pristine_file = PristineFile.new("cbac.pristine")
+
+      proc{
+        pristine_file.parse
+      }.should raise_error(SyntaxError)
+    end
+
+    it "should fill the lines array with an object for each file line" do
+      pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+      pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+      pristine_file_lines.push("2:+:PrivilegeSet(log_out)ContextRole(logged_in_user)")
+
+      File.stub!(:open).and_return(pristine_file_lines)
+
+      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file.parse
+
+      pristine_file.permissions.length.should == pristine_file_lines.length
+    end
+
+    it "should not create an object for a comment line" do
+      pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+      pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+      pristine_file_lines.push("#this is a Ruby comment line")
+
+      File.stub!(:open).and_return(pristine_file_lines)
+
+      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file.parse
+
+      pristine_file.permissions.length.should == 2
+    end
+
+    it "should also add a permission object if permission is revoked (operand - is used)" do
+      pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+      pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+      pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(logged_in_user)")
+
+      File.stub!(:open).and_return(pristine_file_lines)
+
+      pristine_file = PristineFile.new("cbac.pristine")
+      pristine_file.parse
+
+      pristine_file.permissions.length.should == 3
+      pristine_file.permissions[2].operation.should == '-'
+    end
+
+    it "should fail if a permission is revoked which wasn't added before" do
+      pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+      pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+      pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(everybody)")
+
+      File.stub!(:open).and_return(pristine_file_lines)
+
+      pristine_file = PristineFile.new("cbac.pristine")
+      proc{
+        pristine_file.parse
+      }.should raise_error(SyntaxError)
+    end
+
+    it "should fail if an x is used as an operand" do
+      pristine_file_lines = ["0:x:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+      File.stub!(:open).and_return(pristine_file_lines)
+
+      pristine_file = PristineFile.new("cbac.pristine")
+      proc{
+        pristine_file.parse
+      }.should raise_error(NotImplementedError)
+    end
+
+    it "should fail if an => is used as an operand" do
+      pristine_file_lines = ["0:=>:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+      File.stub!(:open).and_return(pristine_file_lines)
+
+      pristine_file = PristineFile.new("cbac.pristine")
+      proc{
+        pristine_file.parse
+      }.should raise_error(NotImplementedError)
+    end
+  end
+
+  describe "permission set" do
+    before(:each) do
+      @context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
+      @admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin],:name => "administrator")
+      @pristine_file = PristineFile.new("cbac.pristine")
+    end
+
+    it "should filter out the permissions which were revoked" do
+      permission_to_revoke = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
+      @pristine_file.permissions.push(permission_to_revoke)
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => permission_to_revoke.privilege_set_name, :pristine_role => permission_to_revoke.pristine_role, :operation => '-'))
+
+      @pristine_file.permission_set.should_not include(permission_to_revoke)
+    end
+
+     it "should not include the revoke permission itself" do
+      revoke_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '-')
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => revoke_permission.privilege_set_name, :pristine_role => revoke_permission.pristine_role, :operation => '+'))
+      @pristine_file.permissions.push(revoke_permission)
+
+      @pristine_file.permission_set.should_not include(revoke_permission)
+    end
+
+    it "should contain the permission if it is re-applied" do
+      re_applied_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '+'))
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name =>  re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '-'))
+      @pristine_file.permissions.push(re_applied_permission)
+
+      @pristine_file.permission_set.should include(re_applied_permission)
+    end
+
+    it "should raise an error if a permission is revoked which wasn't created before" do
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name =>  "chat", :pristine_role => @context_role, :operation => '+'))
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name =>  "login", :pristine_role => @context_role, :operation =>  '+'))
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name =>  "blog_read", :pristine_role => @context_role, :operation =>  '-'))
+      @pristine_file.permissions.push(PristinePermission.new(:privilege_set_name =>  "update_blog", :pristine_role => @context_role, :operation => '+'))
+
+      proc {
+        @pristine_file.permission_set
+      }.should raise_error(ArgumentError)
+
+    end
+  end
+end