RubyGems - cbac - Versions diffs - 0.3.1 - Mend

cbac 0.3.1

Files changed (45) hide show

data/Manifest +44 -0
data/README.rdoc +48 -0
data/Rakefile +36 -0
data/cbac.gemspec +31 -0
data/generators/cbac/USAGE +34 -0
data/generators/cbac/cbac_generator.rb +45 -0
data/generators/cbac/templates/config/context_roles.rb +10 -0
data/generators/cbac/templates/config/privileges.rb +30 -0
data/generators/cbac/templates/controllers/generic_roles_controller.rb +30 -0
data/generators/cbac/templates/controllers/memberships_controller.rb +22 -0
data/generators/cbac/templates/controllers/permissions_controller.rb +42 -0
data/generators/cbac/templates/fixtures/cbac_generic_roles.yml +9 -0
data/generators/cbac/templates/fixtures/cbac_memberships.yml +8 -0
data/generators/cbac/templates/fixtures/cbac_permissions.yml +8 -0
data/generators/cbac/templates/migrate/create_cbac.rb +40 -0
data/generators/cbac/templates/stylesheets/cbac.css +65 -0
data/generators/cbac/templates/views/generic_roles/index.html.erb +59 -0
data/generators/cbac/templates/views/layouts/cbac.html.erb +17 -0
data/generators/cbac/templates/views/memberships/_update.html.erb +12 -0
data/generators/cbac/templates/views/memberships/index.html.erb +22 -0
data/generators/cbac/templates/views/permissions/_update_context_role.html.erb +12 -0
data/generators/cbac/templates/views/permissions/_update_generic_role.html.erb +12 -0
data/generators/cbac/templates/views/permissions/index.html.erb +31 -0
data/init.rb +11 -0
data/lib/cbac.rb +104 -0
data/lib/cbac/config.rb +10 -0
data/lib/cbac/context_role.rb +27 -0
data/lib/cbac/generic_role.rb +6 -0
data/lib/cbac/membership.rb +4 -0
data/lib/cbac/permission.rb +6 -0
data/lib/cbac/privilege.rb +72 -0
data/lib/cbac/privilege_set.rb +28 -0
data/lib/cbac/privilege_set_record.rb +5 -0
data/lib/cbac/setup.rb +31 -0
data/tasks/cbac.rake +19 -0
data/test/fixtures/cbac_generic_roles.yml +9 -0
data/test/fixtures/cbac_memberships.yml +8 -0
data/test/fixtures/cbac_permissions.yml +15 -0
data/test/fixtures/cbac_privilege_set.yml +18 -0
data/test/test_cbac_authorize_context_roles.rb +43 -0
data/test/test_cbac_authorize_generic_roles.rb +37 -0
data/test/test_cbac_context_role.rb +51 -0
data/test/test_cbac_privilege.rb +99 -0
data/test/test_cbac_privilege_set.rb +52 -0
metadata +118 -0

@@ -0,0 +1,28 @@
+# Defines sets of privileges
+#
+# To create a new set: PrivilegeSet.add :set_name, "Some comment on what this
+# set does"
+#
+# To retrieve a privilegeset, use the sets attribute. This is a Hash containing
+# PrivilegeSetRecords. Usage: PrivilegeSet.sets(:set_name). If the PrivilegeSet
+# already exists, an ArgumentError is thrown stating the set was already
+# defined.
+class Cbac::PrivilegeSet
+  class << self
+    # Hash containing all the PrivilegeSetRecords
+    attr_reader :sets
+    # Create a new PrivilegeSet
+    def add(symbol, comment)
+      # initialize variables (if applicable)
+      @sets = Hash.new if @sets.nil?
+      # check for double creation
+      raise ArgumentError, "CBAC: PrivilegeSet was already defined: #{symbol.to_s}" if @sets.include?(symbol)
+      # Create record if privilegeset doesn't exist
+      Cbac::PrivilegeSetRecord.create(:name => symbol.to_s) if Cbac::PrivilegeSetRecord.find(:first, :conditions => ["name = ?", symbol.to_s]).nil?
+      record = Cbac::PrivilegeSetRecord.find(:first, :conditions => ["name = ?", symbol.to_s])
+      record.comment = comment
+      @sets[symbol] = record
+    end
+  end
+end

data/lib/cbac/privilege_set_record.rb ADDED

@@ -0,0 +1,5 @@
+class Cbac::PrivilegeSetRecord < ActiveRecord::Base
+  set_table_name "cbac_privilege_set"
+  attr_accessor :comment
+end

data/lib/cbac/setup.rb ADDED

@@ -0,0 +1,31 @@
+module Cbac
+  # Class performs various functions specific to the CBAC system itself. Most
+  # important function is to check if the system is initialized; without proper
+  # initialization, the bootstrapper will crash.
+  class Setup
+    class << self
+      # Check to see if the tables are correctly migrated. If the tables are not
+      # migrated, CBAC should terminate immediately.
+      def check_tables
+        return false unless Cbac::PrivilegeSetRecord.table_exists?
+        return false unless Cbac::GenericRole.table_exists?
+        return false unless Cbac::Membership.table_exists?
+        return false unless Cbac::Permission.table_exists?
+        true
+      end
+      # Checks if the system is properly setup. This method is used by the
+      # bootstrapper to see if the system should be initialized. If the system
+      # is not properly setup, the bootstrapper will crash. Checks are performed
+      # to see if all the tables exists.
+      def check
+        if check_tables == false
+          puts "CBAC: not properly initialized: one or more tables are missing. Did you install it correctly? (run generate)"
+          return false
+        end
+        true
+      end
+    end
+  end
+end

data/tasks/cbac.rake ADDED

@@ -0,0 +1,19 @@
+# This rakefile contains the rake tasks for CBAC
+#
+# CBAC is context based access control. It enables an application to
+#
+#
+# cbac:setup
+# cbac:check
+#
+# 2009-11-27  Bert Meerman        First version
+#
+namespace :cbac do
+  namespace :check do
+    desc "Checks all the available controller methods for missing privileges"
+    task :mapping do
+      load_controller_methods
+      puts "lala"
+    end
+  end
+end

data/test/fixtures/cbac_generic_roles.yml ADDED

@@ -0,0 +1,9 @@
+###
+# Context
+## YAML template for the generic roles
+one:
+  id: 1
+  name: administrators
+  remarks: Administrators role. Grants full access to the entire system.

data/test/fixtures/cbac_memberships.yml ADDED

@@ -0,0 +1,8 @@
+###
+# Context
+## YAML template for the memberships
+# Making the first user member of the administrator group
+one:
+    user_id: 1
+    generic_role_id: 1

data/test/fixtures/cbac_permissions.yml ADDED

@@ -0,0 +1,15 @@
+###
+# Context
+## YAML template for the permissions
+#role_id:   GenericRole.get_id :authorize_context_role
+# used by test_cbac_authorize_context_roles
+one:
+  context_role: authorize_context_role
+  privilege_set_id: 2
+# used by test_cbac_authorize_generic_roles
+two:
+  generic_role_id: 1
+  privilege_set_id: 3

data/test/fixtures/cbac_privilege_set.yml ADDED

@@ -0,0 +1,18 @@
+###
+# YAML template for the PrivilegeSets
+#
+# Privilegeset
+one:
+  id: 1
+  name: existing_privilege_set
+# Used by the test_cbac_authorize_context_roles
+two:
+  id: 2
+  name: cbac_context_role
+# Used by the test_cbac_authorize_generic_roles
+three:
+  id: 3
+  name: cbac_generic_role

data/test/test_cbac_authorize_context_roles.rb ADDED

@@ -0,0 +1,43 @@
+require File.expand_path(File.join(File.dirname(__FILE__), '../../../../test/test_helper'))
+require 'test/unit'
+require 'rubygems'
+# Dummy code for overriding the default current_user behavior
+module Cbac
+  def current_user
+    1
+  end
+end
+###
+# Tests the Cbac system for authorization with context roles
+#
+class CbacAuthorizeContextRolesTest <  ActiveSupport::TestCase
+  include Cbac
+  self.fixture_path = File.join(File.dirname(__FILE__), "fixtures")
+  fixtures :all
+  attr_accessor :authorize_context_eval_string
+  # Setup defines the PrivilegeSet that is being used by all PrivilegeTest methods
+  def setup
+    return if PrivilegeSet.sets.include?(:cbac_context_role)
+    PrivilegeSet.add :cbac_context_role, ""
+    Privilege.resource  :cbac_context_role, "authorize/context/roles", :get
+    ContextRole.add :authorize_context_role, "context.authorize_context_eval_string"
+  end
+  # Check to see if action is correctly authorized
+  def test_authorize_ok
+    self.authorize_context_eval_string = true
+    assert_equal true, authorization_check("authorize/context", "roles", :get, self)
+  end
+  # Run authorization with incorrect authorization
+  def test_authorize_incorrect_privilege
+    self.authorize_context_eval_string = false
+#    ContextRole.roles[:authorize_context_role] = "false"
+    assert_equal false, authorization_check("authorize/context", "roles", :get, self)
+#    ContextRole.roles[:authorize_context_role] = "true"
+  end
+end

data/test/test_cbac_authorize_generic_roles.rb ADDED

@@ -0,0 +1,37 @@
+require File.expand_path(File.join(File.dirname(__FILE__), '../../../../test/test_helper'))
+require 'test/unit'
+require 'rubygems'
+# Dummy code for overriding the default current_user behavior
+module Cbac
+  def current_user
+    1
+  end
+end
+###
+# Tests the Cbac system for authorization with generic roles
+#
+class CbacAuthorizeGenericRolesTest <  ActiveSupport::TestCase
+  self.fixture_path = File.join(File.dirname(__FILE__), "fixtures")
+  fixtures :all
+  # Setup defines the PrivilegeSet that is being used by all PrivilegeTest methods
+  def setup
+    return if PrivilegeSet.sets.include?(:cbac_generic_role)
+    PrivilegeSet.add :cbac_generic_role, ""
+    PrivilegeSet.add :cbac_generic_role_incorrect, ""
+    Privilege.resource  :cbac_generic_role, "authorize/generic/roles", :get
+    Privilege.resource  :cbac_generic_role_incorrect, "authorize/generic/roles_incorrect", :get
+  end
+  # Check to see if action is correctly authorized
+  def test_authorize_ok
+    assert_equal true, authorization_check("authorize/generic", "roles", :get)
+  end
+  # Run authorization with incorrect authorization
+  def test_authorize_incorrect_privilege
+    assert_equal false, authorization_check("authorize/generic", "roles_incorrect", :get)
+  end
+end

data/test/test_cbac_context_role.rb ADDED

@@ -0,0 +1,51 @@
+require File.expand_path(File.join(File.dirname(__FILE__), '../../../../test/test_helper'))
+require 'test/unit'
+require 'rubygems'
+# ### Tests the Cbac::ContextRole class
+#
+class CbacContextRoleTest <  ActiveSupport::TestCase
+  # Adds a new context role This test should add a new ContextRole and
+  # everything should be working.
+  def test_adding_new_context_role_by_string
+    eval_string = "true"
+    assert_difference("ContextRole.roles.length", 1, "Failed to add new ContextRole") do
+      ContextRole.add :test_adding_new_context_role_by_string, eval_string
+    end
+    assert_equal(true, ContextRole.roles.keys.include?(:test_adding_new_context_role_by_string), "ContextRole symbol not found.")
+    result = ContextRole.roles[:test_adding_new_context_role_by_string].call(nil)
+    assert_equal(true, result, "Incorrect eval string.")
+    eval_string = "false"
+    assert_difference("ContextRole.roles.length", 1, "Failed to add new ContextRole") do
+      ContextRole.add :test_adding_new_context_role_by_string2, eval_string
+    end
+    assert_equal(true, ContextRole.roles.keys.include?(:test_adding_new_context_role_by_string2), "ContextRole symbol not found.")
+    result = ContextRole.roles[:test_adding_new_context_role_by_string2].call(nil)
+    assert_equal(false, result, "Incorrect eval string.")
+  end
+  # Adds a new context role This test should add a new ContextRole and
+  # everything should be working.
+  def test_adding_new_context_role_by_block_statement
+    assert_difference("ContextRole.roles.length", 1, "Failed to add new ContextRole") do
+      ContextRole.add :test_adding_new_context_role_by_block_stmt do
+        @test = 2
+        true
+      end
+    end
+    assert_equal(true, ContextRole.roles.keys.include?(:test_adding_new_context_role_by_block_stmt), "ContextRole symbol not found.")
+    @test = 0
+    ContextRole.roles[:test_adding_new_context_role_by_block_stmt].call
+    assert_equal(2, @test, "Incorrect eval string.")
+  end
+  # When adding an already existing ContextRole, an ArgumentError should be
+  # raised. ContextRoles can only be declared once.
+  def test_adding_double_context_roles
+    ContextRole.add :test_adding_double_context_roles, ""
+    assert_raise(ArgumentError) do
+      ContextRole.add :test_adding_double_context_roles, ""
+    end
+  end
+end

data/test/test_cbac_privilege.rb ADDED

@@ -0,0 +1,99 @@
+require File.expand_path(File.join(File.dirname(__FILE__), '../../../../test/test_helper'))
+require 'test/unit'
+require 'rubygems'
+# ### Tests the Cbac::Privilege class
+#
+class CbacPrivilegeTest <  ActiveSupport::TestCase
+  # Setup defines the PrivilegeSet that is being used by all PrivilegeTest
+  # methods
+  def setup
+    PrivilegeSet.add :cbac_privilege, "" unless PrivilegeSet.sets.include?(:cbac_privilege)
+  end
+  # Test adding get and post resources It is possible to add a resource using
+  # different names for actions. This method also checks if these aliases are
+  # all operating well.
+  def test_add_resources
+    assert_difference("Privilege.get_resources.length", 4, "GET resource was not added.") do
+      Privilege.resource :cbac_privilege, "add/resources/get/1", :GET
+      Privilege.resource :cbac_privilege, "add/resources/get/2", :get
+      Privilege.resource :cbac_privilege, "add/resources/get/3", :g
+      Privilege.resource :cbac_privilege, "add/resources/get/4", :idempotent
+    end
+    assert_difference("Privilege.post_resources.length", 3, "POST resource was not added.") do
+      Privilege.resource :cbac_privilege, "add/resources/post/1", :POST
+      Privilege.resource :cbac_privilege, "add/resources/post/2", :post
+      Privilege.resource :cbac_privilege, "add/resources/post/3", :p
+    end
+  end
+  # If an invalid action is specified, the method must raise an ArgumentError
+  # exception.
+  def test_add_incorrect_action
+    assert_raise(ArgumentError) do
+      Privilege.resource :cbac_privilege, "add/incorrect/action", :error
+    end
+  end
+  # If a privilege is added to a non existing PrivilegeSet, an ArgumentError
+  # exception must occur.
+  def test_add_resource_to_invalid_privilege_set
+    assert_raise(ArgumentError) do
+      Privilege.resource :cbac_privilege_error, "add/resource/to/invalid/privilege/set", :get
+    end
+  end
+  # Test the Privilege.select method. This method accepts a controller method
+  # string and an action type It returns the privilegesets that comply with this
+  # combination The actions post, put and delete are identical. This test aims
+  # at testing this assumption.
+  def test_select_correct
+    Privilege.resource :cbac_privilege, "select/correct/get", :get
+    Privilege.resource :cbac_privilege, "select/correct/post", :post
+    Privilege.resource :cbac_privilege, "select/correct/put", :post
+    Privilege.resource :cbac_privilege, "select/correct/delete", :post
+    assert_equal 1, Privilege.select("select/correct/get", :get).length
+    [:post, :put, :delete].each do |action|
+      assert_equal 1, Privilege.select("select/correct/post", action).length
+      assert_equal 1, Privilege.select("select/correct/put", action).length
+      assert_equal 1, Privilege.select("select/correct/delete", action).length
+    end
+  end
+  def test_exception()
+    begin
+      yield
+    rescue Exception => e
+      return e.message
+    end
+    raise "No exception was thrown"
+  end
+  # test selecting an incorrect action type
+  def test_select_incorrect_action_types
+    controller_method = "select/incorrect/action/types/get"
+    Privilege.resource :cbac_privilege, controller_method, :get
+    Privilege.select(controller_method, :get)
+    assert_match(/Incorrect action_type/, test_exception { Privilege.select(controller_method, :error) })
+  end
+  # If a user asks for the wrong action_type (e.g. a request is made for 'get'
+  # but there are only 'post' privileges or vica versa) the system will throw an
+  # exception as expected, but the system will also hint at the possibility of
+  # messing up get and post.
+  def test_select_the_other_action_type
+    controller_method = "select/the/other/action/type/get"
+    Privilege.resource :cbac_privilege, controller_method, :get
+    assert_match(/PrivilegeSets only exist for other action/, test_exception { Privilege.select(controller_method, :post) })
+  end
+  # Trying to find privileges for a set that doesn't exist, should result in an
+  # exception
+  def test_select_could_not_find_any_privilegeset
+    controller_method = "select/could/not/find/any/privilegeset/get"
+    assert_raise(RuntimeError) do
+      Privilege.select(controller_method, :post)
+    end
+  end
+end

data/test/test_cbac_privilege_set.rb ADDED

@@ -0,0 +1,52 @@
+require File.expand_path(File.join(File.dirname(__FILE__), '../../../../test/test_helper'))
+require 'test/unit'
+require 'rubygems'
+###
+# Tests the Cbac::PrivilegeSet class
+#
+class CbacPrivilegeSetTest <  ActiveSupport::TestCase
+  self.fixture_path = File.join(File.dirname(__FILE__), "fixtures")
+  fixtures :all
+  # Adds a new privilege to the PrivilegeSet.
+  # This test should add a new privilege and everything should be working.
+  def test_adding_new_privilege_set
+    comment = "test_adding_new_privilege_set"
+    assert_difference("PrivilegeSet.sets.length", 1, "Adding test PrivilegeSet") do
+      PrivilegeSet.add :test_adding_new_privilege_set, comment
+    end
+    assert_equal(true, PrivilegeSet.sets.include?(:test_adding_new_privilege_set), "PrivilegeSet symbol not found.")
+    assert_equal(comment, PrivilegeSet.sets[:test_adding_new_privilege_set].comment, "Incorrect comment.")
+  end
+  # When adding an already existing PrivilegeSet, an ArgumentError should be raised.
+  # PrivilegeSets can only be declared once.
+  def test_adding_double_privilege_sets
+    PrivilegeSet.add :test_adding_double_privilege_sets, ""
+    assert_raise(ArgumentError) do
+      PrivilegeSet.add :test_adding_double_privilege_sets, ""
+    end
+  end
+  # This privilegeset is already in the database. The id
+  # should therefore be identical to the id specified in the fixture.
+  # Also, the number of records should not change.
+  def test_initializing_existing_privilege_set
+    assert_difference("PrivilegeSet.sets.length", 1, "Adding test PrivilegeSet") do
+      assert_difference("Cbac::PrivilegeSetRecord.find(:all).length", 0, "Record should have been added to table") do
+        PrivilegeSet.add :existing_privilege_set, "Something"
+      end
+    end
+  end
+  # This privilegeset does not yet exist. A new entry should be created
+  # in the database. Also, the id should not be zero.
+  def test_initializing_new_privilege_set
+    assert_difference("PrivilegeSet.sets.length", 1, "Adding test PrivilegeSet") do
+      assert_difference("Cbac::PrivilegeSetRecord.find(:all).length", 1, "Record should not be added to table - record already exists") do
+        PrivilegeSet.add :test_initializing_new_privilege_set, "Something"
+      end
+    end
+  end
+end

metadata ADDED

@@ -0,0 +1,118 @@
+--- !ruby/object:Gem::Specification
+name: cbac
+version: !ruby/object:Gem::Version
+  version: 0.3.1
+platform: ruby
+authors:
+- Bert Meerman
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2010-02-05 00:00:00 +01:00
+default_executable:
+dependencies: []
+description: Simple authorization system for Rails applications. Allows you to develop applications with a mixed role based authorization and a context based authorization model. Does not supply authentication.
+email: b.meerman@ogd.nl
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.rdoc
+- lib/cbac.rb
+- lib/cbac/config.rb
+- lib/cbac/context_role.rb
+- lib/cbac/generic_role.rb
+- lib/cbac/membership.rb
+- lib/cbac/permission.rb
+- lib/cbac/privilege.rb
+- lib/cbac/privilege_set.rb
+- lib/cbac/privilege_set_record.rb
+- lib/cbac/setup.rb
+- tasks/cbac.rake
+files:
+- Manifest
+- README.rdoc
+- Rakefile
+- cbac.gemspec
+- generators/cbac/USAGE
+- generators/cbac/cbac_generator.rb
+- generators/cbac/templates/config/context_roles.rb
+- generators/cbac/templates/config/privileges.rb
+- generators/cbac/templates/controllers/generic_roles_controller.rb
+- generators/cbac/templates/controllers/memberships_controller.rb
+- generators/cbac/templates/controllers/permissions_controller.rb
+- generators/cbac/templates/fixtures/cbac_generic_roles.yml
+- generators/cbac/templates/fixtures/cbac_memberships.yml
+- generators/cbac/templates/fixtures/cbac_permissions.yml
+- generators/cbac/templates/migrate/create_cbac.rb
+- generators/cbac/templates/stylesheets/cbac.css
+- generators/cbac/templates/views/generic_roles/index.html.erb
+- generators/cbac/templates/views/layouts/cbac.html.erb
+- generators/cbac/templates/views/memberships/_update.html.erb
+- generators/cbac/templates/views/memberships/index.html.erb
+- generators/cbac/templates/views/permissions/_update_context_role.html.erb
+- generators/cbac/templates/views/permissions/_update_generic_role.html.erb
+- generators/cbac/templates/views/permissions/index.html.erb
+- init.rb
+- lib/cbac.rb
+- lib/cbac/config.rb
+- lib/cbac/context_role.rb
+- lib/cbac/generic_role.rb
+- lib/cbac/membership.rb
+- lib/cbac/permission.rb
+- lib/cbac/privilege.rb
+- lib/cbac/privilege_set.rb
+- lib/cbac/privilege_set_record.rb
+- lib/cbac/setup.rb
+- tasks/cbac.rake
+- test/fixtures/cbac_generic_roles.yml
+- test/fixtures/cbac_memberships.yml
+- test/fixtures/cbac_permissions.yml
+- test/fixtures/cbac_privilege_set.yml
+- test/test_cbac_authorize_context_roles.rb
+- test/test_cbac_authorize_generic_roles.rb
+- test/test_cbac_context_role.rb
+- test/test_cbac_privilege.rb
+- test/test_cbac_privilege_set.rb
+has_rdoc: true
+homepage: http://cbac.rubyforge.org
+licenses: []
+post_install_message:
+rdoc_options:
+- --line-numbers
+- --inline-source
+- --title
+- Cbac
+- --main
+- README.rdoc
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+  version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "1.2"
+  version:
+requirements: []
+rubyforge_project: cbac
+rubygems_version: 1.3.5
+signing_key:
+specification_version: 3
+summary: CBAC - Simple authorization system for Rails applications.
+test_files:
+- test/test_cbac_authorize_context_roles.rb
+- test/test_cbac_authorize_generic_roles.rb
+- test/test_cbac_context_role.rb
+- test/test_cbac_privilege.rb
+- test/test_cbac_privilege_set.rb