cbac 0.3.1

data/generators/cbac/templates/stylesheets/cbac.css

@@ -0,0 +1,65 @@
+/****
+* General 
+*/
+
+div.cbac h1 {
+
+}
+
+div.cbac table {
+    padding: 0px;
+    margin: 0px;
+    border-collapse: collapse;
+}
+
+div.cbac div.linebreak {
+    height: 20px;
+}
+
+/****
+* Table
+*/
+
+div.cbac th {
+    background-color: #ABEB71;
+}
+
+div.cbac td, div.cbac th {
+    border: 1px solid black;
+}
+
+div.cbac td.small, div.cbac th.small {
+    width: 50px;
+}
+
+div.cbac td.medium, div.cbac th.medium {
+    width: 150px;
+}
+
+div.cbac td.large, div.cbac th.large {
+    width: 600px;
+}
+
+div.cbac td.checked {
+    text-align: center;
+}
+
+div.cbac td.submit {
+    text-align: right;
+}
+
+/****
+* Controls
+*/
+
+div.cbac input[type="text"] {
+    margin: 2px;
+}
+
+div.cbac td.medium input[type="text"] {
+    width: 138px;
+}
+
+div.cbac td.large input[type="text"] {
+    width: 588px;
+}

data/generators/cbac/templates/views/generic_roles/index.html.erb

@@ -0,0 +1,59 @@
+<div class="cbac">
+  <h1>Generic roles</h1>
+  <table>
+    <tr>
+      <th class="medium">Name</th>
+      <th class="large">Remarks</th>
+      <th class="small">&nbsp;</th>
+    </tr>
+
+    <% Cbac::GenericRole.find(:all).each do |role| %>
+      <tr class="row">
+        <% form_for role do |r| %>
+          <td class="medium"><%= r.text_field :name %></td>
+          <td class="large"><%= r.text_field :remarks, :rows => 1 %></td>
+          <td class="small"><%= r.submit "OK" %></td>
+        <% end %>
+      </tr>
+    <% end%>
+  </table>
+
+  <div class="linebreak"></div>
+
+  <table>
+    <% form_for(Cbac::GenericRole.new) do |new_role| %>
+      <tr class="row">
+        <th colspan="2">New generic role</th>
+      </tr>
+      <tr class="row">
+        <td class="medium">Name</td>
+        <td class="medium"><%= new_role.text_field :name %></td>
+      </tr>
+      <tr class="row">
+        <td class="medium">Remarks</td>
+        <td class="large"><%= new_role.text_field :remarks %></td>
+      </tr>
+      <tr class="row">
+        <td colspan="2" class="submit"><%= new_role.submit "Create" %></td>
+      </tr>
+    <% end %>
+  </table>
+
+  <div class="linebreak"></div>
+
+  <table>
+    <% form_tag(:controller => "cbac/generic_roles", :action => "delete") do |f| %>
+      <tr>
+        <th colspan="2">Delete generic role</th>
+      </tr>
+      <tr>
+        <td class="medium">Select role</td>
+        <td class="medium"><%= select_tag "id", Cbac::GenericRole.find(:all).collect{|role|"<option value='#{role.id}'>#{role.name}</option>"} %>
+        </td>
+      </tr>
+      <tr>
+        <td colspan="2" class="submit"><%= submit_tag "Delete" %></td>
+      </tr>
+    <% end %>
+  </table>
+</div>

data/generators/cbac/templates/views/layouts/cbac.html.erb

@@ -0,0 +1,17 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
+    <title>Context Based Access Control</title>
+    <%= javascript_include_tag :defaults %>
+    <%= stylesheet_link_tag "cbac" %>
+  </head>
+  <body>
+    <%= link_to "Permissions", cbac_permissions_path %>
+    <%= link_to "Generic roles", cbac_generic_roles_path %>
+    <%= link_to "Memberships", cbac_memberships_path %>
+    <%= yield %>
+  </body>
+</html>

data/generators/cbac/templates/views/memberships/_update.html.erb

@@ -0,0 +1,12 @@
+<% update_name = generic_role.id.to_s + "__" + user_id.to_s %>
+<% unless update_partial %><div id="<%= update_name %>"><% end %>
+  <% remote_form_for "/cbac/memberships/update", :url => {:controller => "cbac/memberships", :action => "update"},
+    :update => update_name, :before => "$('#{update_name}').style.visibility = 'hidden';",
+    :complete => "$('#{update_name}').style.visibility = 'visible';" do %>
+    <%= hidden_field_tag "generic_role_id" + update_name, generic_role.id.to_s, :name => "generic_role_id" %>
+    <%= hidden_field_tag "user_id" + update_name, user_id.to_s, :name => "user_id" %>
+    <%= check_box_tag "member" + update_name, "1",
+      (Cbac::Membership.find(:all, :conditions => ["generic_role_id = ? AND user_id = ?", generic_role.id.to_s, user_id.to_s]).length > 0),
+      {:onclick => "this.form.onsubmit();", :name => "member"}%>
+  <% end %>
+<% unless update_partial %></div><% end %>

data/generators/cbac/templates/views/memberships/index.html.erb

@@ -0,0 +1,22 @@
+<div class="cbac">
+  <h1>Memberships</h1>
+  <table>
+    <tr>
+      <th class="medium">Users</th>
+      <% @generic_roles.each do |role| %>
+        <th><%= role.name %></th>
+      <% end %>
+    </tr>
+    <% @users.each do |u| %>
+      <tr>
+        <td><%= u.name %></td>
+        <% @generic_roles.each do |generic_role| %>
+          <td class="checked">
+            <%= render :partial => "cbac/memberships/update.html", :locals => {:generic_role => generic_role,
+              :user_id => u.id.to_s,:update_partial => false} %>
+          </td>
+        <% end %>
+      </tr>
+    <% end %>
+  </table>
+</div>

data/generators/cbac/templates/views/permissions/_update_context_role.html.erb

@@ -0,0 +1,12 @@
+<% update_name = "cr__" + context_role.to_s + "__" + set_id.to_s %>
+<% unless update_partial %><div id="<%= update_name %>"><% end %>
+  <% remote_form_for "/cbac/permissions/update", :url => cbac_permissions_update_path,
+    :update => update_name, :before => "$('#{update_name}').style.visibility = 'hidden';",
+    :complete => "$('#{update_name}').style.visibility = 'visible';" do %>
+    <%= hidden_field_tag "context_role" + update_name, context_role.to_s, :name => "context_role" %>
+    <%= hidden_field_tag "privilege_set_id" + update_name, set_id.to_s, :name => "privilege_set_id" %>
+    <%= check_box_tag "permission" + update_name, "1",
+      (Cbac::Permission.find(:all, :conditions => ["context_role = ? AND privilege_set_id = ?", context_role.to_s, set_id.to_s]).length > 0),
+      {:onclick => "this.form.onsubmit();", :name => "permission"}%>
+  <% end %>
+<% unless update_partial %></div><% end %>

data/generators/cbac/templates/views/permissions/_update_generic_role.html.erb

@@ -0,0 +1,12 @@
+<% update_name = "gr__" + role.id.to_s + "__" + set_id.to_s %>
+<% unless update_partial %><div id="<%= update_name %>"><% end %>
+  <% remote_form_for "/cbac/permissions/update", :url => cbac_permissions_update_path,
+    :update => update_name, :before => "$('#{update_name}').style.visibility = 'hidden';",
+    :complete => "$('#{update_name}').style.visibility = 'visible';" do %>
+    <%= hidden_field_tag "generic_role_id" + update_name, role.id.to_s, :name => "generic_role_id" %>
+    <%= hidden_field_tag "privilege_set_id" + update_name, set_id.to_s, :name => "privilege_set_id" %>
+    <%= check_box_tag "permission" + update_name, "1",
+      (Cbac::Permission.find(:all, :conditions => ["generic_role_id = ? AND privilege_set_id = ?", role.id.to_s, set_id.to_s]).length > 0),
+      {:onclick => "this.form.onsubmit();", :name => "permission"}%>
+  <% end %>
+<% unless update_partial %></div><% end %>

data/generators/cbac/templates/views/permissions/index.html.erb

@@ -0,0 +1,31 @@
+<div class="cbac">
+  <h1>Permissions</h1>
+  <table>
+    <tr>
+      <th>Privilegeset</th>
+      <% @context_roles.each do |name, comment| %>
+        <th><%= name %></th>
+      <% end %>
+      <% @generic_roles.each do |role| %>
+        <th><%= role.name %></th>
+      <% end %>
+    </tr>
+    <% PrivilegeSet.sets.each do |token, set| %>
+      <tr>
+        <td><%= set.name %></td>
+        <% @context_roles.each do |context_role, comment| %>
+          <td class="checked">
+            <%= render :partial => "cbac/permissions/update_context_role.html", :locals => {:context_role => context_role.to_s,
+              :set_id => set.id.to_s, :update_partial => false} %>
+          </td>
+        <% end %>
+        <% @generic_roles.each do |role| %>
+          <td class="checked">
+            <%= render :partial => "cbac/permissions/update_generic_role.html", :locals => {:role => role,
+              :set_id => set.id.to_s, :update_partial => false} %>
+          </td>
+        <% end %>
+      </tr>
+    <% end %>
+  </table>
+</div>

data/init.rb

@@ -0,0 +1,11 @@
+# Configuration file
+require File.dirname(__FILE__) + '/lib/cbac/config.rb'
+
+# The following code contains configuration options. You can turn them on for
+# gem development. For actual usage, it is advisable to set the configuration
+# options in the environment files.
+Cbac::Config.verbose = false
+
+# Include CBAC core file
+require File.dirname(__FILE__) + '/lib/cbac.rb'
+

data/lib/cbac.rb

@@ -0,0 +1,104 @@
+# TODO: Check the permission table for double entries, ie: both an entry in the
+# generic_role_id field and an entry in the context_role field. Solution: solve
+# via model. Update model & add test
+
+
+module Cbac
+  if Cbac::Setup.check
+    puts "CBAC properly installed"
+
+    require File.dirname(__FILE__) + '/cbac/privilege.rb'
+    require File.dirname(__FILE__) + '/cbac/privilege_set.rb'
+    require File.dirname(__FILE__) + '/cbac/context_role.rb'
+
+    # check performs a check to see if the user is allowed to access the given
+    # resource. Example: authorization_check("BlogController", "index", :get)
+    def authorization_check(controller, action, request, context = {})
+      # Determine the controller to look for
+      controller_method = [controller, action].join("/")
+      # Get the privilegesets
+      privilege_sets = Privilege.select(controller_method, request)
+      # Check the privilege sets
+      check_privilege_sets(privilege_sets, context)
+    end
+
+    # Check the given privilege_set symbol
+    # TODO following code is not yet tested
+    def check_privilege_set(privilege_set, context = {})
+      check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
+    end
+
+    # Check the given privilege_sets
+    def check_privilege_sets(privilege_sets, context = {})
+      # Check the generic roles
+      return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+      # Check the context roles Get the permissions
+      privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
+        puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilegeset.name}" if Cbac::Config.verbose
+        eval_string = ContextRole.roles[permission.context_role.to_sym]
+        # Not sure if this will work everywhere
+        return true if eval_string.call(context)
+      end
+      # not authorized
+      puts "Not authorized for: #{controller_method}" if Cbac::Config.verbose
+      false
+    end
+
+    # Code that performs authorization
+    def authorize
+      authorization_check(params[:controller], params[:action], request.request_method) || unauthorized
+    end
+
+    # Default unauthorized method Override this method to supply your own code
+    # for incorrect authorization
+    def unauthorized
+      render :text => "You are not authorized to perform this action", :status => 401
+    end
+
+    # Default implementation of the current_user method
+    def current_user
+      session[:currentuser].to_i
+    end
+
+    # Load controller classes and methods
+    def load_controller_methods
+      begin
+        Dir.glob("app/controllers/**/*.rb").each{|file| require file}
+      rescue LoadError
+        raise "Could not load controller classes"
+      end
+      # Make this iterative TODO
+      @classes = ApplicationController.subclasses
+    end
+
+    # Extracts the class name from the filename
+    def extract_class_name(filename)
+      File.basename(filename).chomp(".rb").camelize
+    end
+
+    # ### Initializer Include privileges file - contains the privilege and
+    # privilege definitions
+    begin
+      require File.join(RAILS_ROOT, "config", "privileges.rb")
+    rescue MissingSourceFile
+      puts "CBAC warning: Could not load config/privileges.rb (Did you run ./script/generate cbac)"
+    end
+    # Include context roles file - contains the context role definitions
+    begin
+      require File.join(RAILS_ROOT, "config", "context_roles.rb")
+    rescue MissingSourceFile
+      puts "CBAC warning: Could not load config/context_roles.rb (Did you run ./script/generate cbac)"
+    end
+
+    # ### Database autoload code
+  else
+    # This is the code that is executed if CBAc is not properly installed/
+    # configured. It includes a different authorize method, aimes at refusing
+    # all authorizations
+    def authorize
+      render :text => "Authorization error", :status => 401
+      false
+    end
+  end
+end
+

data/lib/cbac/config.rb

@@ -0,0 +1,10 @@
+module Cbac
+  # Class containing configuration options for the Cbac system. The following
+  # configuration options are supported: verbose. Determines whether or not to
+  # output results to the console. All outputs are processed as puts commands.
+  class Config
+    class << self
+      attr_accessor :verbose
+    end
+  end
+end

data/lib/cbac/context_role.rb

@@ -0,0 +1,27 @@
+# ContextRole is the class containing the context role definitions
+#
+# Usage: ContextRole.add :logged_in_user, "!session[:currentuser].nil?"
+class ContextRole
+  class << self
+    # Hash containing all the context roles. Keys are the role names Values are
+    # the Ruby eval strings Eval strings must result in true or false
+    attr_reader :roles
+
+    # Adds a context role to the list of context roles. @symbol defines the name
+    # of the context role @context_rule defines the ruby code to be evaluated
+    # when determining role membership
+    #
+    # If the context role already exists, an exception is thrown.
+    def add(symbol, context_rule = "", &block)
+      symbol = symbol.to_sym
+      @roles = Hash.new if @roles.nil?
+      raise ArgumentError, "CBAC: ContextRole was already defined" if @roles.keys.include?(symbol)
+      # TODO following code
+      #raise ArgumentError, "CBAC: cannot specify both string rule and block rule" unless context_rule.nil? and block.nil?
+      # TODO context parameter in block statement is not explicitly tested
+      block = eval("Proc.new {|context| " + context_rule + "}") if block.nil?
+      @roles[symbol] = block
+    end
+  end
+end
+

data/lib/cbac/generic_role.rb

@@ -0,0 +1,6 @@
+class Cbac::GenericRole < ActiveRecord::Base
+  set_table_name "cbac_generic_roles"
+
+  has_many :generic_role_members, :class_name => "Cbac::Membership", :foreign_key => "generic_role_id"
+  has_many :permissions, :class_name => "Cbac::Permission", :foreign_key => "generic_role_id"
+end

data/lib/cbac/membership.rb

@@ -0,0 +1,4 @@
+class Cbac::Membership < ActiveRecord::Base
+  set_table_name "cbac_memberships"
+  belongs_to :generic_role, :class_name => "Cbac::GenericRole", :foreign_key => "generic_role_id"
+end

data/lib/cbac/permission.rb

@@ -0,0 +1,6 @@
+class Cbac::Permission < ActiveRecord::Base
+  set_table_name "cbac_permissions"
+
+  belongs_to :generic_role, :class_name => "Cbac::GenericRole", :foreign_key => "generic_role_id"
+  belongs_to :privilegeset, :class_name => "Cbac::PrivilegeSetRecord", :foreign_key => "privilege_set_id"
+end

data/lib/cbac/privilege.rb

@@ -0,0 +1,72 @@
+# Class containing all the privileges
+#
+# To define a new controller method resource: Privilege.resource :privilegeset,
+# "controller/method"
+#
+class Privilege
+  class << self
+    attr_reader :get_resources, :post_resources, :model_attributes, :models
+
+    # Links a resource with a PrivilegeSet
+    #
+    # An ArgumentError exception is thrown if the PrivilegeSet does not exist.
+    # To create PrivilegeSets, use the PrivilegeSet.add method
+    def resource(privilege_set, method, action="GET")
+      privilege_set = privilege_set.to_sym
+      @get_resources = Hash.new if @get_resources.nil?
+      @post_resources = Hash.new if @post_resources.nil?
+      action_aliases = {"GET" => ["GET", "get", "g","idempotent"], "POST" => ["POST", "post", "p"]}
+      raise ArgumentError, "CBAC: PrivilegeSet does not exist: #{privilege_set}" unless PrivilegeSet.sets.include?(privilege_set)
+      action_option = action_aliases.find { |name, aliases| aliases.include?(action.to_s) }
+      raise ArgumentError, "CBAC: Wrong value for argument 'action' in Privilege.resource: #{action}" if action_option.nil?
+      case action_option[0]
+      when "GET"
+        (@get_resources[method] ||= Array.new) << PrivilegeSet.sets[privilege_set]
+      when "POST"
+        (@post_resources[method] ||= Array.new) << PrivilegeSet.sets[privilege_set]
+      else
+      end
+    end
+
+    def model_attribute
+
+    end
+    def model
+
+    end
+
+    # Finds the privilege sets associated with the given controller_method and
+    # action_type Valid values for action_type are "get", "post" and "put".
+    # "put" is converted into "post".
+    #
+    # If incorrect values are given for action_type the method will raise an
+    # ArgumentError. If the controller and action name are not found, an
+    # exception is being raised.
+    def select(controller_method, action_type)
+      action_type = action_type.to_s
+      post_methods = ["post", "put", "delete"]
+      if action_type == "get"
+        privilege_sets = Privilege.get_resources[controller_method]
+      else if post_methods.include?(action_type)
+          privilege_sets = Privilege.post_resources[controller_method]
+        else
+          raise ArgumentError, "CBAC: Incorrect action_type: #{action_type}"
+        end
+      end
+      # Error handling if no privilege_sets were found
+      if privilege_sets.nil?
+        if action_type == "get"
+          if !Privilege.post_resources[controller_method].nil?
+            raise "CBAC: PrivilegeSets only exist for other action: post on method: #{controller_method}"
+          end
+        else
+          if !Privilege.get_resources[controller_method].nil?
+            raise "CBAC: PrivilegeSets only exist for other action: get on method: #{controller_method}"
+          end
+        end
+        raise "CBAC: Could not find any privilege sets associated with: #{controller_method} and action: #{action_type}"
+      end
+      privilege_sets
+    end
+  end
+end