RubyGems - cbac - Versions diffs - 0.3.1 - Mend

cbac 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

data/Manifest +44 -0
data/README.rdoc +48 -0
data/Rakefile +36 -0
data/cbac.gemspec +31 -0
data/generators/cbac/USAGE +34 -0
data/generators/cbac/cbac_generator.rb +45 -0
data/generators/cbac/templates/config/context_roles.rb +10 -0
data/generators/cbac/templates/config/privileges.rb +30 -0
data/generators/cbac/templates/controllers/generic_roles_controller.rb +30 -0
data/generators/cbac/templates/controllers/memberships_controller.rb +22 -0
data/generators/cbac/templates/controllers/permissions_controller.rb +42 -0
data/generators/cbac/templates/fixtures/cbac_generic_roles.yml +9 -0
data/generators/cbac/templates/fixtures/cbac_memberships.yml +8 -0
data/generators/cbac/templates/fixtures/cbac_permissions.yml +8 -0
data/generators/cbac/templates/migrate/create_cbac.rb +40 -0
data/generators/cbac/templates/stylesheets/cbac.css +65 -0
data/generators/cbac/templates/views/generic_roles/index.html.erb +59 -0
data/generators/cbac/templates/views/layouts/cbac.html.erb +17 -0
data/generators/cbac/templates/views/memberships/_update.html.erb +12 -0
data/generators/cbac/templates/views/memberships/index.html.erb +22 -0
data/generators/cbac/templates/views/permissions/_update_context_role.html.erb +12 -0
data/generators/cbac/templates/views/permissions/_update_generic_role.html.erb +12 -0
data/generators/cbac/templates/views/permissions/index.html.erb +31 -0
data/init.rb +11 -0
data/lib/cbac.rb +104 -0
data/lib/cbac/config.rb +10 -0
data/lib/cbac/context_role.rb +27 -0
data/lib/cbac/generic_role.rb +6 -0
data/lib/cbac/membership.rb +4 -0
data/lib/cbac/permission.rb +6 -0
data/lib/cbac/privilege.rb +72 -0
data/lib/cbac/privilege_set.rb +28 -0
data/lib/cbac/privilege_set_record.rb +5 -0
data/lib/cbac/setup.rb +31 -0
data/tasks/cbac.rake +19 -0
data/test/fixtures/cbac_generic_roles.yml +9 -0
data/test/fixtures/cbac_memberships.yml +8 -0
data/test/fixtures/cbac_permissions.yml +15 -0
data/test/fixtures/cbac_privilege_set.yml +18 -0
data/test/test_cbac_authorize_context_roles.rb +43 -0
data/test/test_cbac_authorize_generic_roles.rb +37 -0
data/test/test_cbac_context_role.rb +51 -0
data/test/test_cbac_privilege.rb +99 -0
data/test/test_cbac_privilege_set.rb +52 -0
metadata +118 -0

data/generators/cbac/templates/stylesheets/cbac.css ADDED

@@ -0,0 +1,65 @@
+/****
+* General
+*/
+div.cbac h1 {
+}
+div.cbac table {
+    padding: 0px;
+    margin: 0px;
+    border-collapse: collapse;
+}
+div.cbac div.linebreak {
+    height: 20px;
+}
+/****
+* Table
+*/
+div.cbac th {
+    background-color: #ABEB71;
+}
+div.cbac td, div.cbac th {
+    border: 1px solid black;
+}
+div.cbac td.small, div.cbac th.small {
+    width: 50px;
+}
+div.cbac td.medium, div.cbac th.medium {
+    width: 150px;
+}
+div.cbac td.large, div.cbac th.large {
+    width: 600px;
+}
+div.cbac td.checked {
+    text-align: center;
+}
+div.cbac td.submit {
+    text-align: right;
+}
+/****
+* Controls
+*/
+div.cbac input[type="text"] {
+    margin: 2px;
+}
+div.cbac td.medium input[type="text"] {
+    width: 138px;
+}
+div.cbac td.large input[type="text"] {
+    width: 588px;
+}

data/generators/cbac/templates/views/generic_roles/index.html.erb ADDED

@@ -0,0 +1,59 @@
+<div class="cbac">
+  <h1>Generic roles</h1>
+  <table>
+    <tr>
+      <th class="medium">Name</th>
+      <th class="large">Remarks</th>
+      <th class="small">&nbsp;</th>
+    </tr>
+    <% Cbac::GenericRole.find(:all).each do |role| %>
+      <tr class="row">
+        <% form_for role do |r| %>
+          <td class="medium"><%= r.text_field :name %></td>
+          <td class="large"><%= r.text_field :remarks, :rows => 1 %></td>
+          <td class="small"><%= r.submit "OK" %></td>
+        <% end %>
+      </tr>
+    <% end%>
+  </table>
+  <div class="linebreak"></div>
+  <table>
+    <% form_for(Cbac::GenericRole.new) do |new_role| %>
+      <tr class="row">
+        <th colspan="2">New generic role</th>
+      </tr>
+      <tr class="row">
+        <td class="medium">Name</td>
+        <td class="medium"><%= new_role.text_field :name %></td>
+      </tr>
+      <tr class="row">
+        <td class="medium">Remarks</td>
+        <td class="large"><%= new_role.text_field :remarks %></td>
+      </tr>
+      <tr class="row">
+        <td colspan="2" class="submit"><%= new_role.submit "Create" %></td>
+      </tr>
+    <% end %>
+  </table>
+  <div class="linebreak"></div>
+  <table>
+    <% form_tag(:controller => "cbac/generic_roles", :action => "delete") do |f| %>
+      <tr>
+        <th colspan="2">Delete generic role</th>
+      </tr>
+      <tr>
+        <td class="medium">Select role</td>
+        <td class="medium"><%= select_tag "id", Cbac::GenericRole.find(:all).collect{|role|"<option value='#{role.id}'>#{role.name}</option>"} %>
+        </td>
+      </tr>
+      <tr>
+        <td colspan="2" class="submit"><%= submit_tag "Delete" %></td>
+      </tr>
+    <% end %>
+  </table>
+</div>

data/generators/cbac/templates/views/layouts/cbac.html.erb ADDED

@@ -0,0 +1,17 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
+    <title>Context Based Access Control</title>
+    <%= javascript_include_tag :defaults %>
+    <%= stylesheet_link_tag "cbac" %>
+  </head>
+  <body>
+    <%= link_to "Permissions", cbac_permissions_path %>
+    <%= link_to "Generic roles", cbac_generic_roles_path %>
+    <%= link_to "Memberships", cbac_memberships_path %>
+    <%= yield %>
+  </body>
+</html>

data/generators/cbac/templates/views/memberships/_update.html.erb ADDED

@@ -0,0 +1,12 @@
+<% update_name = generic_role.id.to_s + "__" + user_id.to_s %>
+<% unless update_partial %><div id="<%= update_name %>"><% end %>
+  <% remote_form_for "/cbac/memberships/update", :url => {:controller => "cbac/memberships", :action => "update"},
+    :update => update_name, :before => "$('#{update_name}').style.visibility = 'hidden';",
+    :complete => "$('#{update_name}').style.visibility = 'visible';" do %>
+    <%= hidden_field_tag "generic_role_id" + update_name, generic_role.id.to_s, :name => "generic_role_id" %>
+    <%= hidden_field_tag "user_id" + update_name, user_id.to_s, :name => "user_id" %>
+    <%= check_box_tag "member" + update_name, "1",
+      (Cbac::Membership.find(:all, :conditions => ["generic_role_id = ? AND user_id = ?", generic_role.id.to_s, user_id.to_s]).length > 0),
+      {:onclick => "this.form.onsubmit();", :name => "member"}%>
+  <% end %>
+<% unless update_partial %></div><% end %>

data/generators/cbac/templates/views/memberships/index.html.erb ADDED

@@ -0,0 +1,22 @@
+<div class="cbac">
+  <h1>Memberships</h1>
+  <table>
+    <tr>
+      <th class="medium">Users</th>
+      <% @generic_roles.each do |role| %>
+        <th><%= role.name %></th>
+      <% end %>
+    </tr>
+    <% @users.each do |u| %>
+      <tr>
+        <td><%= u.name %></td>
+        <% @generic_roles.each do |generic_role| %>
+          <td class="checked">
+            <%= render :partial => "cbac/memberships/update.html", :locals => {:generic_role => generic_role,
+              :user_id => u.id.to_s,:update_partial => false} %>
+          </td>
+        <% end %>
+      </tr>
+    <% end %>
+  </table>
+</div>

data/generators/cbac/templates/views/permissions/_update_context_role.html.erb ADDED

@@ -0,0 +1,12 @@
+<% update_name = "cr__" + context_role.to_s + "__" + set_id.to_s %>
+<% unless update_partial %><div id="<%= update_name %>"><% end %>
+  <% remote_form_for "/cbac/permissions/update", :url => cbac_permissions_update_path,
+    :update => update_name, :before => "$('#{update_name}').style.visibility = 'hidden';",
+    :complete => "$('#{update_name}').style.visibility = 'visible';" do %>
+    <%= hidden_field_tag "context_role" + update_name, context_role.to_s, :name => "context_role" %>
+    <%= hidden_field_tag "privilege_set_id" + update_name, set_id.to_s, :name => "privilege_set_id" %>
+    <%= check_box_tag "permission" + update_name, "1",
+      (Cbac::Permission.find(:all, :conditions => ["context_role = ? AND privilege_set_id = ?", context_role.to_s, set_id.to_s]).length > 0),
+      {:onclick => "this.form.onsubmit();", :name => "permission"}%>
+  <% end %>
+<% unless update_partial %></div><% end %>

data/generators/cbac/templates/views/permissions/_update_generic_role.html.erb ADDED

@@ -0,0 +1,12 @@
+<% update_name = "gr__" + role.id.to_s + "__" + set_id.to_s %>
+<% unless update_partial %><div id="<%= update_name %>"><% end %>
+  <% remote_form_for "/cbac/permissions/update", :url => cbac_permissions_update_path,
+    :update => update_name, :before => "$('#{update_name}').style.visibility = 'hidden';",
+    :complete => "$('#{update_name}').style.visibility = 'visible';" do %>
+    <%= hidden_field_tag "generic_role_id" + update_name, role.id.to_s, :name => "generic_role_id" %>
+    <%= hidden_field_tag "privilege_set_id" + update_name, set_id.to_s, :name => "privilege_set_id" %>
+    <%= check_box_tag "permission" + update_name, "1",
+      (Cbac::Permission.find(:all, :conditions => ["generic_role_id = ? AND privilege_set_id = ?", role.id.to_s, set_id.to_s]).length > 0),
+      {:onclick => "this.form.onsubmit();", :name => "permission"}%>
+  <% end %>
+<% unless update_partial %></div><% end %>

data/generators/cbac/templates/views/permissions/index.html.erb ADDED

@@ -0,0 +1,31 @@
+<div class="cbac">
+  <h1>Permissions</h1>
+  <table>
+    <tr>
+      <th>Privilegeset</th>
+      <% @context_roles.each do |name, comment| %>
+        <th><%= name %></th>
+      <% end %>
+      <% @generic_roles.each do |role| %>
+        <th><%= role.name %></th>
+      <% end %>
+    </tr>
+    <% PrivilegeSet.sets.each do |token, set| %>
+      <tr>
+        <td><%= set.name %></td>
+        <% @context_roles.each do |context_role, comment| %>
+          <td class="checked">
+            <%= render :partial => "cbac/permissions/update_context_role.html", :locals => {:context_role => context_role.to_s,
+              :set_id => set.id.to_s, :update_partial => false} %>
+          </td>
+        <% end %>
+        <% @generic_roles.each do |role| %>
+          <td class="checked">
+            <%= render :partial => "cbac/permissions/update_generic_role.html", :locals => {:role => role,
+              :set_id => set.id.to_s, :update_partial => false} %>
+          </td>
+        <% end %>
+      </tr>
+    <% end %>
+  </table>
+</div>

data/init.rb ADDED

@@ -0,0 +1,11 @@
+# Configuration file
+require File.dirname(__FILE__) + '/lib/cbac/config.rb'
+# The following code contains configuration options. You can turn them on for
+# gem development. For actual usage, it is advisable to set the configuration
+# options in the environment files.
+Cbac::Config.verbose = false
+# Include CBAC core file
+require File.dirname(__FILE__) + '/lib/cbac.rb'

data/lib/cbac.rb ADDED

@@ -0,0 +1,104 @@
+# TODO: Check the permission table for double entries, ie: both an entry in the
+# generic_role_id field and an entry in the context_role field. Solution: solve
+# via model. Update model & add test
+module Cbac
+  if Cbac::Setup.check
+    puts "CBAC properly installed"
+    require File.dirname(__FILE__) + '/cbac/privilege.rb'
+    require File.dirname(__FILE__) + '/cbac/privilege_set.rb'
+    require File.dirname(__FILE__) + '/cbac/context_role.rb'
+    # check performs a check to see if the user is allowed to access the given
+    # resource. Example: authorization_check("BlogController", "index", :get)
+    def authorization_check(controller, action, request, context = {})
+      # Determine the controller to look for
+      controller_method = [controller, action].join("/")
+      # Get the privilegesets
+      privilege_sets = Privilege.select(controller_method, request)
+      # Check the privilege sets
+      check_privilege_sets(privilege_sets, context)
+    end
+    # Check the given privilege_set symbol
+    # TODO following code is not yet tested
+    def check_privilege_set(privilege_set, context = {})
+      check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
+    end
+    # Check the given privilege_sets
+    def check_privilege_sets(privilege_sets, context = {})
+      # Check the generic roles
+      return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+      # Check the context roles Get the permissions
+      privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
+        puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilegeset.name}" if Cbac::Config.verbose
+        eval_string = ContextRole.roles[permission.context_role.to_sym]
+        # Not sure if this will work everywhere
+        return true if eval_string.call(context)
+      end
+      # not authorized
+      puts "Not authorized for: #{controller_method}" if Cbac::Config.verbose
+      false
+    end
+    # Code that performs authorization
+    def authorize
+      authorization_check(params[:controller], params[:action], request.request_method) || unauthorized
+    end
+    # Default unauthorized method Override this method to supply your own code
+    # for incorrect authorization
+    def unauthorized
+      render :text => "You are not authorized to perform this action", :status => 401
+    end
+    # Default implementation of the current_user method
+    def current_user
+      session[:currentuser].to_i
+    end
+    # Load controller classes and methods
+    def load_controller_methods
+      begin
+        Dir.glob("app/controllers/**/*.rb").each{|file| require file}
+      rescue LoadError
+        raise "Could not load controller classes"
+      end
+      # Make this iterative TODO
+      @classes = ApplicationController.subclasses
+    end
+    # Extracts the class name from the filename
+    def extract_class_name(filename)
+      File.basename(filename).chomp(".rb").camelize
+    end
+    # ### Initializer Include privileges file - contains the privilege and
+    # privilege definitions
+    begin
+      require File.join(RAILS_ROOT, "config", "privileges.rb")
+    rescue MissingSourceFile
+      puts "CBAC warning: Could not load config/privileges.rb (Did you run ./script/generate cbac)"
+    end
+    # Include context roles file - contains the context role definitions
+    begin
+      require File.join(RAILS_ROOT, "config", "context_roles.rb")
+    rescue MissingSourceFile
+      puts "CBAC warning: Could not load config/context_roles.rb (Did you run ./script/generate cbac)"
+    end
+    # ### Database autoload code
+  else
+    # This is the code that is executed if CBAc is not properly installed/
+    # configured. It includes a different authorize method, aimes at refusing
+    # all authorizations
+    def authorize
+      render :text => "Authorization error", :status => 401
+      false
+    end
+  end
+end

data/lib/cbac/config.rb ADDED

@@ -0,0 +1,10 @@
+module Cbac
+  # Class containing configuration options for the Cbac system. The following
+  # configuration options are supported: verbose. Determines whether or not to
+  # output results to the console. All outputs are processed as puts commands.
+  class Config
+    class << self
+      attr_accessor :verbose
+    end
+  end
+end

data/lib/cbac/context_role.rb ADDED

@@ -0,0 +1,27 @@
+# ContextRole is the class containing the context role definitions
+#
+# Usage: ContextRole.add :logged_in_user, "!session[:currentuser].nil?"
+class ContextRole
+  class << self
+    # Hash containing all the context roles. Keys are the role names Values are
+    # the Ruby eval strings Eval strings must result in true or false
+    attr_reader :roles
+    # Adds a context role to the list of context roles. @symbol defines the name
+    # of the context role @context_rule defines the ruby code to be evaluated
+    # when determining role membership
+    #
+    # If the context role already exists, an exception is thrown.
+    def add(symbol, context_rule = "", &block)
+      symbol = symbol.to_sym
+      @roles = Hash.new if @roles.nil?
+      raise ArgumentError, "CBAC: ContextRole was already defined" if @roles.keys.include?(symbol)
+      # TODO following code
+      #raise ArgumentError, "CBAC: cannot specify both string rule and block rule" unless context_rule.nil? and block.nil?
+      # TODO context parameter in block statement is not explicitly tested
+      block = eval("Proc.new {|context| " + context_rule + "}") if block.nil?
+      @roles[symbol] = block
+    end
+  end
+end

data/lib/cbac/generic_role.rb ADDED

@@ -0,0 +1,6 @@
+class Cbac::GenericRole < ActiveRecord::Base
+  set_table_name "cbac_generic_roles"
+  has_many :generic_role_members, :class_name => "Cbac::Membership", :foreign_key => "generic_role_id"
+  has_many :permissions, :class_name => "Cbac::Permission", :foreign_key => "generic_role_id"
+end

data/lib/cbac/membership.rb ADDED

@@ -0,0 +1,4 @@
+class Cbac::Membership < ActiveRecord::Base
+  set_table_name "cbac_memberships"
+  belongs_to :generic_role, :class_name => "Cbac::GenericRole", :foreign_key => "generic_role_id"
+end

data/lib/cbac/permission.rb ADDED

@@ -0,0 +1,6 @@
+class Cbac::Permission < ActiveRecord::Base
+  set_table_name "cbac_permissions"
+  belongs_to :generic_role, :class_name => "Cbac::GenericRole", :foreign_key => "generic_role_id"
+  belongs_to :privilegeset, :class_name => "Cbac::PrivilegeSetRecord", :foreign_key => "privilege_set_id"
+end

data/lib/cbac/privilege.rb ADDED

@@ -0,0 +1,72 @@
+# Class containing all the privileges
+#
+# To define a new controller method resource: Privilege.resource :privilegeset,
+# "controller/method"
+#
+class Privilege
+  class << self
+    attr_reader :get_resources, :post_resources, :model_attributes, :models
+    # Links a resource with a PrivilegeSet
+    #
+    # An ArgumentError exception is thrown if the PrivilegeSet does not exist.
+    # To create PrivilegeSets, use the PrivilegeSet.add method
+    def resource(privilege_set, method, action="GET")
+      privilege_set = privilege_set.to_sym
+      @get_resources = Hash.new if @get_resources.nil?
+      @post_resources = Hash.new if @post_resources.nil?
+      action_aliases = {"GET" => ["GET", "get", "g","idempotent"], "POST" => ["POST", "post", "p"]}
+      raise ArgumentError, "CBAC: PrivilegeSet does not exist: #{privilege_set}" unless PrivilegeSet.sets.include?(privilege_set)
+      action_option = action_aliases.find { |name, aliases| aliases.include?(action.to_s) }
+      raise ArgumentError, "CBAC: Wrong value for argument 'action' in Privilege.resource: #{action}" if action_option.nil?
+      case action_option[0]
+      when "GET"
+        (@get_resources[method] ||= Array.new) << PrivilegeSet.sets[privilege_set]
+      when "POST"
+        (@post_resources[method] ||= Array.new) << PrivilegeSet.sets[privilege_set]
+      else
+      end
+    end
+    def model_attribute
+    end
+    def model
+    end
+    # Finds the privilege sets associated with the given controller_method and
+    # action_type Valid values for action_type are "get", "post" and "put".
+    # "put" is converted into "post".
+    #
+    # If incorrect values are given for action_type the method will raise an
+    # ArgumentError. If the controller and action name are not found, an
+    # exception is being raised.
+    def select(controller_method, action_type)
+      action_type = action_type.to_s
+      post_methods = ["post", "put", "delete"]
+      if action_type == "get"
+        privilege_sets = Privilege.get_resources[controller_method]
+      else if post_methods.include?(action_type)
+          privilege_sets = Privilege.post_resources[controller_method]
+        else
+          raise ArgumentError, "CBAC: Incorrect action_type: #{action_type}"
+        end
+      end
+      # Error handling if no privilege_sets were found
+      if privilege_sets.nil?
+        if action_type == "get"
+          if !Privilege.post_resources[controller_method].nil?
+            raise "CBAC: PrivilegeSets only exist for other action: post on method: #{controller_method}"
+          end
+        else
+          if !Privilege.get_resources[controller_method].nil?
+            raise "CBAC: PrivilegeSets only exist for other action: get on method: #{controller_method}"
+          end
+        end
+        raise "CBAC: Could not find any privilege sets associated with: #{controller_method} and action: #{action_type}"
+      end
+      privilege_sets
+    end
+  end
+end