cbac 0.3.1 → 0.5.1
- data/Manifest +60 -44
- data/Rakefile +2 -2
- data/cbac.gemspec +31 -31
- data/generators/cbac/cbac_generator.rb +27 -6
- data/generators/cbac/templates/config/cbac.pristine +2 -0
- data/generators/cbac/templates/controllers/permissions_controller.rb +21 -2
- data/generators/cbac/templates/controllers/upgrade_controller.rb +24 -0
- data/generators/cbac/templates/fixtures/cbac_memberships.yml +1 -1
- data/generators/cbac/templates/migrate/create_cbac_from_scratch.rb +59 -0
- data/generators/cbac/templates/migrate/create_cbac_upgrade_path.rb +31 -0
- data/generators/cbac/templates/tasks/cbac.rake +345 -0
- data/generators/cbac/templates/views/layouts/cbac.html.erb +2 -1
- data/generators/cbac/templates/views/memberships/index.html.erb +1 -1
- data/generators/cbac/templates/views/permissions/index.html.erb +14 -6
- data/generators/cbac/templates/views/upgrade/index.html.erb +32 -0
- data/lib/cbac.rb +23 -12
- data/lib/cbac/cbac_pristine/pristine.rb +133 -0
- data/lib/cbac/cbac_pristine/pristine_file.rb +158 -0
- data/lib/cbac/cbac_pristine/pristine_permission.rb +194 -0
- data/lib/cbac/cbac_pristine/pristine_role.rb +42 -0
- data/lib/cbac/known_permission.rb +14 -0
- data/lib/cbac/permission.rb +1 -1
- data/lib/cbac/privilege.rb +44 -0
- data/lib/cbac/privilege_set.rb +5 -4
- data/lib/cbac/privilege_set_record.rb +3 -1
- data/spec/cbac_pristine_file_spec.rb +329 -0
- data/spec/cbac_pristine_permission_spec.rb +358 -0
- data/spec/cbac_pristine_role_spec.rb +85 -0
- data/spec/rcov.opts +2 -0
- data/spec/spec.opts +4 -0
- data/spec/spec_helper.rb +12 -0
- data/tasks/cbac.rake +345 -19
- data/test/test_cbac_privilege.rb +54 -0
- metadata +43 -9
- data/generators/cbac/templates/migrate/create_cbac.rb +0 -40
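--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -0,0 +1,12 @@
+ENV["RAILS_ENV"] ||= 'test'
+
+require 'spec/autorun'
+require 'spec/rails'
+
+Spec::Runner.configure do |config|
+# If you're not using ActiveRecord you should remove these
+# lines, delete config/database.yml and disable :active_record
+# in your config/boot.rb
+config.use_transactional_fixtures = true
+config.use_instantiated_fixtures = false
+end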
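--- a/data/tasks/cbac.rake
+++ b/data/tasks/cbac.rake
@@ -1,19 +1,345 @@
-#
-#
-#
-
-#
-
-#
-#
-#
-#
-
-
-
-
-
-
-
-
-
+#TODO: zip (or something) the directory resulting from a snapshot and delete it
+#TODO: unzip (or something) the provided snapshot and load from it, then delete temp dir
+#TODO: add staging area to extracted snapshot, inserted snapshot, clearing code, etc.
+
+#TODO: add comments to pristine lines, in a Comment() style
+
+# WARNING: Non-changes are not saved as known_permissions when using pristine or such. THIS IS NOT A BUG! Think of the following scenario:
+# 1) Developers grant permission X
+# 2) User deploys. Permission X is granted in the database.
+# 3) User revokes permission X
+# 4) Developers revoke permission X
+# 5) User upgrades. No change in permission X detected, (since devteam and user agree) so the user is not prompted to accept the change.
+# 6) User grants permission X again
+# 7) User upgrades again. At this point, we want the user to be warned that the devteam thinks granting this permission is not a good idea.
+# This is only possible if the non-change in #5 is not registered as KnownChange
+
+# Get a privilege set that fulfills the provided conditions
+def get_privilege_set(conditions)
+Cbac::PrivilegeSetRecord.first(:conditions => conditions)
+end
+
+# Get a Hash containing all entries from the provided table
+def select_all(table)
+ActiveRecord::Base.connection.select_all("SELECT * FROM %s;" % table)
+end
+
+# Generate a usable filename for dumping records of the specified type
+def get_filename(type)
+"#{ENV['SNAPSHOT_NAME']}/cbac_#{type}.yml"
+end
+
+def load_objects_from_yaml(type)
+filename = get_filename(type)
+
+Yaml.load_file(filename)
+end
+
+# Dump the specified permissions to a YAML file
+def dump_permissions_to_yaml_file(permissions)
+permissions.each do |cp|
+privilege_set_name = get_privilege_set(:id => cp['privilege_set_id']).name
+cp['privilege_set_id'] = "<%= Cbac::PrivilegeSetRecord.find(:first, :conditions => {:name => '#{privilege_set_name}'}).id %>"
+end
+dump_objects_to_yaml_file(permissions, "permissions")
+end
+
+# Dump a set of objects to a YAML file. Filename is determined by type-string
+def dump_objects_to_yaml_file(objects, type)
+filename = get_filename(type)
+
+puts "Writing #{type} to disk"
+
+File.open(filename, "w") do |output_file|
+index = "0000"
+output_file.write objects.inject({}) { |hash, record|
+hash["#{type.singularize}_#{index.succ!}"] = record
+hash
+}.to_yaml
+end
+end
+
+def get_cbac_pristine_adapter
+adapter_class = Class.new
+adapter_class.send :include, Cbac::CbacPristine
+adapter_class.new
+end
+
+namespace :cbac do
+desc 'Initialize CBAC tables with bootstrap data. Allows ADMINUSER to log in and visit CBAC administration pages. Also, if a Privilege Set called "login" exists, this privilege is granted to "everyone"'
+task :bootstrap => :environment do
+adapter = get_cbac_pristine_adapter
+if adapter.database_contains_cbac_data?
+if ENV['FORCE'] == "true"
+puts "FORCE specified: emptying CBAC tables"
+adapter.clear_cbac_tables
+else
+puts "CBAC bootstrap failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+exit
+end
+end
+
+adminuser = ENV['ADMINUSER'] || 1
+login_privilege_set = get_privilege_set(:name => "login")
+everybody_context_role = ContextRole.roles[:everybody]
+if !login_privilege_set.nil? and !everybody_context_role.nil?
+puts "Login privilege exists. Allowing context role 'everybody' to use login privilege"
+login_permission = Cbac::Permission.new(:context_role => 'everybody', :privilege_set_id => login_privilege_set.id)
+throw "Failed to save Login Permission" unless login_permission.save
+end
+
+puts "Creating Generic Role: administrators"
+admin_role = Cbac::GenericRole.new(:name => "administrators", :remarks => "System administrators - may edit CBAC permissions")
+throw "Failed to save new Generic Role" unless admin_role.save
+
+puts "Creating Administrator Membership for user #{adminuser}"
+membership = Cbac::Membership.new(:user_id => adminuser, :generic_role_id => admin_role.id)
+throw "Failed to save new Administrator Membership" unless membership.save
+
+begin
+admin_privilege_set_id = get_privilege_set({:name => 'cbac_administration'}).id
+rescue
+throw "No PrivilegeSet cbac_administration defined. Aborting."
+end
+cbac_admin_permission = Cbac::Permission.new(:generic_role_id => admin_role.id, :privilege_set_id => admin_privilege_set_id)
+throw "Failed to save Cbac_Administration Permission" unless cbac_admin_permission.save
+
+puts <<EOF
+**********************************************************
+* Succesfully bootstrapped CBAC. The specified user (# #{adminuser} ) *
+* may now visit the cbac administration pages, which are *
+* located at the URL /cbac/permissions/index by default *
+**********************************************************
+EOF
+end
+
+desc 'Extract a snapshot of the current authorization settings, which can later be restored using the restore_snapshot task. Parameter SNAPSHOT_NAME determines where the snapshot is stored'
+task :extract_snapshot => :environment do
+if ENV['SNAPSHOT_NAME'].nil?
+puts "Missing argument SNAPSHOT_NAME. Substituting timestamp for SNAPSHOT_NAME"
+require 'date'
+ENV['SNAPSHOT_NAME'] = DateTime.now.strftime("%Y%m%d%H%M%S")
+end
+
+if File::exists?(ENV['SNAPSHOT_NAME']) # Directory already exists!
+if ENV['FORCE'] == "true"
+puts "FORCE specified - overwriting older snapshot with same name."
+else
+puts "A snapshot with the given name (#{ENV['SNAPSHOT_NAME']}) already exists, and overwriting is dangerous. Specify FORCE=true to override this check"
+exit
+end
+else # Directory does not exist yet
+FileUtils.mkdir(ENV['SNAPSHOT_NAME'])
+end
+
+puts "Extracting CBAC permissions to #{ENV['SNAPSHOT_NAME']}"
+
+# Don't need privilege sets since they are loaded from a config file.
+staged_changes = select_all "cbac_staged_permissions"
+dump_objects_to_yaml_file(staged_changes, "staged_permissions")
+
+staged_roles = select_all "cbac_staged_roles"
+dump_objects_to_yaml_file(staged_roles, "staged_roles")
+
+permissions = select_all "cbac_permissions"
+dump_permissions_to_yaml_file(permissions)
+
+generic_roles = select_all "cbac_generic_roles"
+dump_objects_to_yaml_file(generic_roles, "generic_roles")
+
+memberships = select_all "cbac_memberships"
+dump_objects_to_yaml_file(memberships, "memberships")
+
+known_permissions = select_all "cbac_known_permissions"
+dump_objects_to_yaml_file(known_permissions, "known_permissions")
+end
+
+desc 'Restore a snapshot of authorization settings that was extracted earlier. Specify a snapshot using SNAPSHOT_NAME'
+task :restore_snapshot => :environment do
+adapter = get_cbac_pristine_adapter
+if ENV['SNAPSHOT_NAME'].nil?
+puts "Missing required parameter SNAPSHOT_NAME. Exiting."
+exit
+elsif adapter.database_contains_cbac_data?
+if ENV['FORCE'] == "true"
+puts "FORCE specified: emptying CBAC tables"
+adapter.clear_cbac_tables
+else
+puts "Reloading snapshot failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+exit
+end
+end
+
+puts "Restoring snapshot #{ENV['SNAPSHOT_NAME']}"
+
+ENV['FIXTURES_PATH'] = ENV['SNAPSHOT_NAME']
+
+# Don't need privilege sets since they are loaded from a config file.
+ENV['FIXTURES'] = "cbac_generic_roles,cbac_memberships,cbac_known_permissions,cbac_permissions,cbac_staged_permissions, cbac_staged_roles"
+
+Rake::Task["db:fixtures:load"].invoke
+puts "Successfully restored snapshot."
+#TODO: check if rake task was successful. else
+# puts "Restoring snapshot failed."
+#end
+end
+
+desc 'Restore permissions to factory settings by loading the pristine file into the database'
+task :pristine => :environment do
+adapter = get_cbac_pristine_adapter
+if adapter.database_contains_cbac_data?
+if ENV['FORCE'] == "true"
+puts "FORCE specified: emptying CBAC tables"
+else
+puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+exit
+end
+end
+
+if ENV['SKIP_SNAPSHOT'] == 'true'
+puts "\nSKIP_SNAPSHOT provided - not dumping database."
+else
+puts "\nDumping a snapshot of the database"
+Rake::Task["cbac:extract_snapshot"].invoke
+end
+filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+puts "Parsing pristine file #{filename}"
+pristine_file = adapter.create_pristine_file(filename)
+adapter.set_pristine_state([pristine_file], true)
+puts "Applied #{pristine_file.permissions.length.to_s} permissions."
+puts "Task cbac:pristine finished."
+end
+
+desc 'Restore generic permissions to factory settings'
+task :pristine_generic => :environment do
+adapter = get_cbac_pristine_adapter
+if adapter.database_contains_cbac_data?
+if ENV['FORCE'] == "true"
+puts "FORCE specified. Dropping all generic permissions and replacing them with generic pristine"
+adapter.delete_generic_known_permissions
+adapter.delete_generic_permissions
+else
+puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+exit
+end
+end
+
+if ENV['SKIP_SNAPSHOT'] == 'true'
+puts "\nSKIP_SNAPSHOT provided - not dumping database."
+else
+puts "\nDumping a snapshot of the database"
+Rake::Task["cbac:extract_snapshot"].invoke
+end
+
+filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+puts "Parsing pristine file #{filename}"
+pristine_file = adapter.create_generic_pristine_file(filename)
+adapter.set_pristine_state([pristine_file], false)
+puts "Applied #{pristine_file.permissions.length.to_s} permissions."
+puts "Task cbac:pristine_generic finished."
+end
+
+desc 'Restore all permissions to factory state. Uses the pristine file and the generic pristine file'
+task :pristine_all => :environment do
+adapter = get_cbac_pristine_adapter
+if adapter.database_contains_cbac_data?
+if ENV['FORCE'] == "true"
+puts "FORCE specified: emptying CBAC tables"
+else
+puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+exit
+end
+end
+
+if ENV['SKIP_SNAPSHOT'] == 'true'
+puts "\nSKIP_SNAPSHOT provided - not dumping database."
+else
+puts "\nDumping a snapshot of the database"
+Rake::Task["cbac:extract_snapshot"].invoke
+end
+filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+puts "Parsing pristine file #{filename} and generic pristine file #{generic_filename}"
+pristine_file = adapter.create_pristine_file(filename)
+generic_pristine_file = adapter.create_generic_pristine_file(generic_filename)
+adapter.set_pristine_state([pristine_file, generic_pristine_file], true)
+puts "Applied #{pristine_file.permissions.length.to_s} permissions and #{generic_pristine_file.permissions.length.to_s} generic permissions."
+puts "Task cbac:pristine_all finished."
+end
+
+desc 'Upgrade permissions by adding them to the staging area. Does not upgrade generic permissions'
+task :upgrade_pristine => :environment do
+adapter = get_cbac_pristine_adapter
+if ENV['SKIP_SNAPSHOT'] == 'true'
+puts "\nSKIP_SNAPSHOT provided - not dumping database."
+else
+puts "\nDumping a snapshot of the database"
+Rake::Task["cbac:extract_snapshot"].invoke
+end
+
+ENV['CHANGE_TYPE'] = 'context'
+filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+puts "Parsing pristine file #{filename}"
+
+pristine_file = adapter.create_pristine_file(filename)
+adapter.delete_non_generic_staged_permissions
+puts "Deleted all staged context and administrator permissions"
+
+adapter.stage_permissions([pristine_file])
+puts "Staged #{adapter.number_of_non_generic_staged_permissions.to_s} permissions."
+puts "Task cbac:upgrade_pristine finished."
+end
+
+
+desc 'Upgrade generic permissions by adding them to the staging area. Does not upgrade context or admin permissions.'
+task :upgrade_pristine_generic => :environment do
+adapter = get_cbac_pristine_adapter
+if ENV['SKIP_SNAPSHOT'] == 'true'
+puts "\nSKIP_SNAPSHOT provided - not dumping database."
+else
+puts "\nDumping a snapshot of the database"
+Rake::Task["cbac:extract_snapshot"].invoke
+end
+
+ENV['CHANGE_TYPE'] = 'context'
+generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+
+puts "Parsing pristine file #{generic_filename}"
+generic_pristine_file = adapter.create_generic_pristine_file(generic_filename)
+
+adapter.delete_non_generic_staged_permissions
+puts "Deleted all staged generic permissions"
+
+adapter.stage_permissions([generic_pristine_file])
+puts "Staged #{adapter.number_of_generic_staged_permissions.to_s} generic permissions."
+puts "Task cbac:upgrade_pristine finished."
+end
+
+desc 'Upgrade all permissions by adding them to the staging area.'
+task :upgrade_all => :environment do
+adapter = get_cbac_pristine_adapter
+if ENV['SKIP_SNAPSHOT'] == 'true'
+puts "\nSKIP_SNAPSHOT provided - not dumping database."
+else
+puts "\nDumping a snapshot of the database"
+Rake::Task["cbac:extract_snapshot"].invoke
+end
+
+ENV['CHANGE_TYPE'] = 'context'
+filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+puts "Parsing pristine file #{filename} and generic pristine file #{generic_filename}"
+
+pristine_file = adapter.create_pristine_file(filename)
+generic_pristine_file = adapter.create_generic_pristine_file(generic_filename)
+
+adapter.delete_generic_staged_permissions
+adapter.delete_non_generic_staged_permissions
+puts "Deleted all current staged permissions"
+
+
+adapter.stage_permissions([pristine_file, generic_pristine_file])
+puts "Staged #{adapter.number_of_non_generic_staged_permissions.to_s} permissions and #{adapter.number_of_generic_staged_permissions.to_s} generic permissions."
+puts "Task cbac:upgrade_all finished."
+end
+end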
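Review bot: In `dump_permissions_to_yaml_file` the privilege set name read from the database is pasted unescaped into an ERB tag (`{:name => '#{privilege_set_name}'}` inside `<%= ... %>`), and `cbac:restore_snapshot` hands that file to `db:fixtures:load`, which is expected to evaluate the tag, so a name containing `'` or `%>` turns into Ruby run at restore time. Reject unexpected names before writing, e.g. `raise "Unexpected privilege set name: #{privilege_set_name.inspect}" unless privilege_set_name =~ /\A\w+\z/`, and handle the `nil` that `get_privilege_set` returns for a dangling `privilege_set_id`. Separately, `upgrade_pristine_generic` calls `adapter.delete_non_generic_staged_permissions` while reporting "Deleted all staged generic permissions"; it presumably should call `adapter.delete_generic_staged_permissions`, otherwise a generic upgrade discards the staged context and administrator permissions. `cbac:pristine` and `cbac:pristine_all` print "FORCE specified: emptying CBAC tables" but, unlike `bootstrap` and `restore_snapshot`, never call `adapter.clear_cbac_tables` in the visible code, so unless `set_pristine_state(..., true)` clears them the message is misleading. `load_objects_from_yaml` references `Yaml`, which is not the stdlib constant `YAML`, so it would raise NameError if it were ever called.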
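--- a/data/test/test_cbac_privilege.rb
+++ b/data/test/test_cbac_privilege.rb
@@ -9,6 +9,7 @@ class CbacPrivilegeTest < ActiveSupport::TestCase
 # methods
 def setup
 PrivilegeSet.add :cbac_privilege, "" unless PrivilegeSet.sets.include?(:cbac_privilege)
+PrivilegeSet.add :base_inheritence_privilege, "" unless PrivilegeSet.sets.include?(:base_inheritence_privilege)
 end
 
 # Test adding get and post resources It is possible to add a resource using
@@ -28,6 +29,59 @@ class CbacPrivilegeTest < ActiveSupport::TestCase
 end
 end
 
+# Test the include method for single inheritence
+def test_single_inheritence
+Privilege.resource :base_inheritence_privilege, "single/inheritence"
+Privilege.resource :base_inheritence_privilege, "single/inheritence/post", :post
+PrivilegeSet.add :cbac_single_inheritence, "PrivilegeSet for single inheritence test"
+Privilege.include :cbac_single_inheritence, :base_inheritence_privilege
+result = Privilege.select("single/inheritence", :get)
+assert_equal true, result.any? {|set| set.name == "base_inheritence_privilege"}, "Could not find PrivilegeSet (hint: error probably belongs to other test)"
+assert_equal true, result.any? {|set| set.name == "cbac_single_inheritence"}, "Single inheritence failure"
+result = Privilege.select("single/inheritence/post", :post)
+assert_equal true, result.any? {|set| set.name == "cbac_single_inheritence"}, "Single inheritence failure with POST method"
+end
+
+# Test the include method for multiple inheritence
+def test_multiple_inheritence
+Privilege.resource :base_inheritence_privilege, "multiple/inheritence"
+PrivilegeSet.add :base_multiple_inheritence, "parent/ base PrivilegeSet for multiple inheritence test"
+PrivilegeSet.add :cbac_multiple_inheritence, "child PrivilegeSet for multiple inheritence test"
+Privilege.resource :base_multiple_inheritence, "multiple/inheritence_again"
+Privilege.include :cbac_multiple_inheritence, [:base_inheritence_privilege, :base_multiple_inheritence]
+result = Privilege.select("multiple/inheritence", :get)
+assert_equal true, result.any? {|set| set.name == "base_inheritence_privilege"}, "Could not find PrivilegeSet (hint: error probably belongs to other test)"
+assert_equal true, result.any? {|set| set.name == "cbac_multiple_inheritence"}, "Multiple inheritence failure"
+result = Privilege.select("multiple/inheritence_again", :get)
+assert_equal true, result.any? {|set| set.name == "cbac_multiple_inheritence"}, "Multiple inheritence failure"
+end
+
+# Inheritence must be applied if a resource is added after an inheritence call
+def test_inherit_resource_after_declaration
+PrivilegeSet.add :cbac_inheritence_after_declaration, "PrivilegeSet for single inheritence test"
+# First, we setup the inheritence relation
+Privilege.include :cbac_inheritence_after_declaration, :base_inheritence_privilege
+# Then, we setup the resource connection
+Privilege.resource :base_inheritence_privilege, "inheritence/after/declaration"
+Privilege.resource :base_inheritence_privilege, "inheritence/after/declaration/post", :post
+# Test
+result = Privilege.select("inheritence/after/declaration", :get)
+assert_equal true, result.any?{|set| set.name == "base_inheritence_privilege"}, "Could not find PrivilegeSet (hint: error probably belongs to other test)"
+assert_equal true, result.any?{|set| set.name == "cbac_inheritence_after_declaration"}, "Resource declaration after inheritence call failed"
+result = Privilege.select("inheritence/after/declaration/post", :post)
+assert_equal true, result.any?{|set| set.name == "cbac_inheritence_after_declaration"}, "Resource declaration after inheritence call failed with POST method"
+end
+
+# If the inheritence functionality is used with invalid privilege_sets, an ArgumentException must be thrown
+def test_inheritence_with_invalid_privilege_sets
+assert_raise(ArgumentError) do
+Privilege.include :cbac_privilege, :invalid_privilege_set
+end
+assert_raise(ArgumentError) do
+Privilege.include :invalid_privilege_set, :cbac_privilege
+end
+end
+
 # If an invalid action is specified, the method must raise an ArgumentError
 # exception.
 def test_add_incorrect_action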
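Review bot: The new inheritance tests in the second hunk only assert that the including set gains the base set's resources; none asserts that an unrelated set is left out, e.g. `assert !result.any? { |set| set.name == "cbac_privilege" }` after `Privilege.select("single/inheritence", :get)`, and for an authorization library an over-broad grant is the failure most worth pinning. Each test also registers sets and resources through class-level `PrivilegeSet.add` / `Privilege.resource` calls without the `unless PrivilegeSet.sets.include?(...)` guard that `setup` uses, so the registries appear to be shared across tests and results may depend on test order, which the "error probably belongs to other test" hint already concedes. `assert_equal true, result.any? {...}` reads better as `assert result.any? { |set| ... }`, and the comment on `test_inheritence_with_invalid_privilege_sets` says ArgumentException while the test expects `ArgumentError`. The enclosing class and `test_add_incorrect_action` continue outside the hunk.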
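--- a/metadata
+++ b/metadata
@@ -1,7 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: cbac
 version: !ruby/object:Gem::Version
-
+hash: 9
+prerelease: false
+segments:
+- 0
+- 5
+- 1
+version: 0.5.1
 platform: ruby
 authors:
 - Bert Meerman
@@ -9,12 +15,12 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-
+date: 2010-07-15 00:00:00 +02:00
 default_executable:
 dependencies: []
 
 description: Simple authorization system for Rails applications. Allows you to develop applications with a mixed role based authorization and a context based authorization model. Does not supply authentication.
-email:
+email: bertm@rubyforge.org
 executables: []
 
 extensions: []
@@ -22,9 +28,14 @@ extensions: []
 extra_rdoc_files:
 - README.rdoc
 - lib/cbac.rb
+- lib/cbac/cbac_pristine/pristine.rb
+- lib/cbac/cbac_pristine/pristine_file.rb
+- lib/cbac/cbac_pristine/pristine_permission.rb
+- lib/cbac/cbac_pristine/pristine_role.rb
 - lib/cbac/config.rb
 - lib/cbac/context_role.rb
 - lib/cbac/generic_role.rb
+- lib/cbac/known_permission.rb
 - lib/cbac/membership.rb
 - lib/cbac/permission.rb
 - lib/cbac/privilege.rb
@@ -39,16 +50,20 @@ files:
 - cbac.gemspec
 - generators/cbac/USAGE
 - generators/cbac/cbac_generator.rb
+- generators/cbac/templates/config/cbac.pristine
 - generators/cbac/templates/config/context_roles.rb
 - generators/cbac/templates/config/privileges.rb
 - generators/cbac/templates/controllers/generic_roles_controller.rb
 - generators/cbac/templates/controllers/memberships_controller.rb
 - generators/cbac/templates/controllers/permissions_controller.rb
+- generators/cbac/templates/controllers/upgrade_controller.rb
 - generators/cbac/templates/fixtures/cbac_generic_roles.yml
 - generators/cbac/templates/fixtures/cbac_memberships.yml
 - generators/cbac/templates/fixtures/cbac_permissions.yml
-- generators/cbac/templates/migrate/
+- generators/cbac/templates/migrate/create_cbac_from_scratch.rb
+- generators/cbac/templates/migrate/create_cbac_upgrade_path.rb
 - generators/cbac/templates/stylesheets/cbac.css
+- generators/cbac/templates/tasks/cbac.rake
 - generators/cbac/templates/views/generic_roles/index.html.erb
 - generators/cbac/templates/views/layouts/cbac.html.erb
 - generators/cbac/templates/views/memberships/_update.html.erb
@@ -56,17 +71,29 @@ files:
 - generators/cbac/templates/views/permissions/_update_context_role.html.erb
 - generators/cbac/templates/views/permissions/_update_generic_role.html.erb
 - generators/cbac/templates/views/permissions/index.html.erb
+- generators/cbac/templates/views/upgrade/index.html.erb
 - init.rb
 - lib/cbac.rb
+- lib/cbac/cbac_pristine/pristine.rb
+- lib/cbac/cbac_pristine/pristine_file.rb
+- lib/cbac/cbac_pristine/pristine_permission.rb
+- lib/cbac/cbac_pristine/pristine_role.rb
 - lib/cbac/config.rb
 - lib/cbac/context_role.rb
 - lib/cbac/generic_role.rb
+- lib/cbac/known_permission.rb
 - lib/cbac/membership.rb
 - lib/cbac/permission.rb
 - lib/cbac/privilege.rb
 - lib/cbac/privilege_set.rb
 - lib/cbac/privilege_set_record.rb
 - lib/cbac/setup.rb
+- spec/cbac_pristine_file_spec.rb
+- spec/cbac_pristine_permission_spec.rb
+- spec/cbac_pristine_role_spec.rb
+- spec/rcov.opts
+- spec/spec.opts
+- spec/spec_helper.rb
 - tasks/cbac.rake
 - test/fixtures/cbac_generic_roles.yml
 - test/fixtures/cbac_memberships.yml
@@ -92,27 +119,34 @@ rdoc_options:
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
 version: "0"
-version:
 required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
+hash: 11
+segments:
+- 1
+- 2
 version: "1.2"
-version:
 requirements: []
 
 rubyforge_project: cbac
-rubygems_version: 1.3.
+rubygems_version: 1.3.7
 signing_key:
 specification_version: 3
 summary: CBAC - Simple authorization system for Rails applications.
 test_files:
-- test/test_cbac_authorize_context_roles.rb
-- test/test_cbac_authorize_generic_roles.rb
 - test/test_cbac_context_role.rb
+- test/test_cbac_authorize_context_roles.rb
 - test/test_cbac_privilege.rb
 - test/test_cbac_privilege_set.rb
+- test/test_cbac_authorize_generic_roles.rb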