cbac 0.5.4 → 0.6.0

data/lib/cbac/cbac_pristine/pristine_file.rb

@@ -1,170 +1,170 @@
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_role'))
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
-
-module Cbac
-  module CbacPristine
-    class AbstractPristineFile
-      attr_accessor :file_name, :permissions, :generic_roles
-
-      def initialize(file_name)
-        @file_name = file_name
-        @generic_roles = []
-        @context_roles = []
-        @permissions = []
-        @admin_role = nil
-      end
-
-      def parse(use_db = true)
-        @permissions = Array.new
-
-        f = File.open(@file_name, "r")
-        last_row_number = -1
-        f.each_with_index do |l, line_number|
-          pristine_permission = PristinePermission.new
-          permission_line = l.chomp
-          # if this is not a line we can convert into a permission, go to next line (or fail.....)
-          next unless is_pristine_permission_line?(permission_line, line_number)
-
-          # check if the row numbers are constructed properly.
-          # this is needed for migration purposes, each permission should have an unique and persistent row number
-          header_match = permission_line.match(/^(\d+):([\+-x]|=>):\s*/)
-          pristine_permission.line_number = header_match.captures[0].to_i
-          if pristine_permission.line_number != last_row_number.succ
-            raise SyntaxError, "Error: row numbers in pristine file do not increase monotonously"
-          else
-            last_row_number = pristine_permission.line_number
-          end
-          pristine_permission.operation = header_match.captures[1]
-          # parse the role and privilege set name
-          pristine_permission.privilege_set_name = parse_privilege_set_name(permission_line, line_number)
-          pristine_permission.pristine_role = parse_role(permission_line, line_number, use_db)
-          # it's pristine, so changes should be treated as such
-          # if a permission was created and later revoked, we should remove the pristine line which was created before
-          case pristine_permission.operation
-            when '+'
-              @permissions.push(pristine_permission)
-            when '-'
-              permission_to_delete = nil
-              #check if this is actually a permission that can be revoked.
-              @permissions.each do |known_permission|
-                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name
-                  permission_to_delete = known_permission
-                  break
-                end
-              end
-              if permission_to_delete.nil?
-                raise SyntaxError, "Error: trying to remove a privilege set with \"#{permission_line}\" on line #{(line_number + 1).to_s}, but this privilege set wasn't created!"
-              else
-                @permissions.push(pristine_permission)
-              end
-            when 'x', '=>'
-              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
-          end
-        end
-      end
-
-      def is_pristine_permission_line?(line, line_number)
-        if line.match(/^\s*(\d+)\s*:\s*([\+-x]|=>)\s*:(\s*[A-Za-z]+\(\s*[A-Za-z_]*\s*\))+\s*\Z/) #looks like pristine line.....
-          return true
-        end
-        if line.match(/^\s*(#.*|\s*)$/) # line is whitespace or comment line
-          return false
-        end
-        raise SyntaxError, "Error: garbage found in input file on line #{(line_number + 1).to_s}" #line is rubbish
-      end
-
-      def parse_privilege_set_name(line, line_number)
-        if match_data= line.match(/^.*PrivilegeSet\(\s*([A-Za-z0-9_]+)\s*\)\s*/)
-          return match_data.captures[0]
-        end
-        raise SyntaxError, "Error: PrivilegeSet expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
-      end
-
-      def parse_role(line, line_number, use_db = true)
-        raise NotImplementedError("Error: the AbstractPristineFile cannot parse roles, use a PristineFile or GenericPristineFile instead")
-      end
-
-      def permission_set
-        permission_set = Array.new(@permissions)
-        @permissions.each do |pristine_permission|
-           case pristine_permission.operation
-            when '+'
-              permission_set.push(pristine_permission)
-            when '-'
-              permission_to_delete = nil
-              #check if this is actually a permission that can be revoked.
-              permission_set.each do |known_permission|
-                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name and known_permission.operation == '+'
-                  permission_to_delete = known_permission
-                  break
-                end
-              end
-              if permission_to_delete.nil?
-                raise ArgumentError, "Error: trying to remove permission #{pristine_permission.privilege_set_name}\" for #{pristine_permission.pristine_role.name}, but this permission wasn't created!"
-              else
-                permission_set.delete(permission_to_delete)
-                permission_set.delete(pristine_permission)
-              end
-            when 'x', '=>'
-              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
-          end
-        end
-        permission_set
-      end
-
-    end
-
-
-    class PristineFile < Cbac::CbacPristine::AbstractPristineFile
-      def parse_role(line, line_number, use_db = true)
-        if line.match(/^.*Admin\(\)/)
-          return @admin_role unless @admin_role.nil?
-
-          @admin_role = PristineRole.admin_role(use_db)
-          @generic_roles.push(@admin_role)
-          return @admin_role
-        end
-        if context_role_name = line.match(/^.*ContextRole\(\s*([A-Za-z0-9_]+)\s*\)/)
-          # NOTE: the 0 for an ID is very important! In CBAC a context role permission MUST have 0 as generic_role_id
-          # if not, the context role is not found by CBAC and thus will not work
-          
-          # this may be a context role that's already in the database
-          context_role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]}) : nil
-          
-          # this may still be a context role we've seen before...
-          context_role = @context_roles.select do |cr| cr.role_type == PristineRole.ROLE_TYPES[:context] and cr.name == context_role_name.captures[0] end.first if context_role.nil?
-          
-          if context_role.nil? 
-            # this is a never-before-seen context role
-            context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]) if context_role.nil?
-            context_role.save if use_db
-            @context_roles.push context_role
-          end
-          return context_role
-        end
-        raise SyntaxError, "Error: ContextRole or Admin expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
-      end
-
-
-    end
-
-    class GenericPristineFile < Cbac::CbacPristine::AbstractPristineFile
-      def parse_role(line, line_number, use_db = true)
-        # generic pristine files differ, because they create generic roles when needed
-        # but those generic roles should be re-used if one with that name already exists
-        if generic_role= line.match(/^.*GenericRole\(\s*([A-Za-z0-9_]+)\s*\)/)
-          @generic_roles.each do |generic_cbac_role|
-            if generic_cbac_role.name == generic_role.captures[0]
-              return generic_cbac_role
-            end
-          end
-          role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]}) : nil
-          role =  PristineRole.new(:role_id => @generic_roles.length + 2, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]) if role.nil?
-          @generic_roles.push(role)
-          return role
-        end
-        raise SyntaxError, "Error: GenericRole expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
-      end
-    end
-  end
-end
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_role'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+
+module Cbac
+  module CbacPristine
+    class AbstractPristineFile
+      attr_accessor :file_name, :permissions, :generic_roles
+
+      def initialize(file_name)
+        @file_name = file_name
+        @generic_roles = []
+        @context_roles = []
+        @permissions = []
+        @admin_role = nil
+      end
+
+      def parse(use_db = true)
+        @permissions = Array.new
+
+        f = File.open(@file_name, "r")
+        last_row_number = -1
+        f.each_with_index do |l, line_number|
+          pristine_permission = PristinePermission.new
+          permission_line = l.chomp
+          # if this is not a line we can convert into a permission, go to next line (or fail.....)
+          next unless is_pristine_permission_line?(permission_line, line_number)
+
+          # check if the row numbers are constructed properly.
+          # this is needed for migration purposes, each permission should have an unique and persistent row number
+          header_match = permission_line.match(/^(\d+):([\+-x]|=>):\s*/)
+          pristine_permission.line_number = header_match.captures[0].to_i
+          if pristine_permission.line_number != last_row_number.succ
+            raise SyntaxError, "Error: row numbers in pristine file do not increase monotonously"
+          else
+            last_row_number = pristine_permission.line_number
+          end
+          pristine_permission.operation = header_match.captures[1]
+          # parse the role and privilege set name
+          pristine_permission.privilege_set_name = parse_privilege_set_name(permission_line, line_number)
+          pristine_permission.pristine_role = parse_role(permission_line, line_number, use_db)
+          # it's pristine, so changes should be treated as such
+          # if a permission was created and later revoked, we should remove the pristine line which was created before
+          case pristine_permission.operation
+            when '+'
+              @permissions.push(pristine_permission)
+            when '-'
+              permission_to_delete = nil
+              #check if this is actually a permission that can be revoked.
+              @permissions.each do |known_permission|
+                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name
+                  permission_to_delete = known_permission
+                  break
+                end
+              end
+              if permission_to_delete.nil?
+                raise SyntaxError, "Error: trying to remove a privilege set with \"#{permission_line}\" on line #{(line_number + 1).to_s}, but this privilege set wasn't created!"
+              else
+                @permissions.push(pristine_permission)
+              end
+            when 'x', '=>'
+              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
+          end
+        end
+      end
+
+      def is_pristine_permission_line?(line, line_number)
+        if line.match(/^\s*(\d+)\s*:\s*([\+-x]|=>)\s*:(\s*[A-Za-z]+\(\s*[A-Za-z_]*\s*\))+\s*\Z/) #looks like pristine line.....
+          return true
+        end
+        if line.match(/^\s*(#.*|\s*)$/) # line is whitespace or comment line
+          return false
+        end
+        raise SyntaxError, "Error: garbage found in input file on line #{(line_number + 1).to_s}" #line is rubbish
+      end
+
+      def parse_privilege_set_name(line, line_number)
+        if match_data= line.match(/^.*PrivilegeSet\(\s*([A-Za-z0-9_]+)\s*\)\s*/)
+          return match_data.captures[0]
+        end
+        raise SyntaxError, "Error: PrivilegeSet expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+
+      def parse_role(line, line_number, use_db = true)
+        raise NotImplementedError("Error: the AbstractPristineFile cannot parse roles, use a PristineFile or GenericPristineFile instead")
+      end
+
+      def permission_set
+        permission_set = Array.new(@permissions)
+        @permissions.each do |pristine_permission|
+           case pristine_permission.operation
+            when '+'
+              permission_set.push(pristine_permission)
+            when '-'
+              permission_to_delete = nil
+              #check if this is actually a permission that can be revoked.
+              permission_set.each do |known_permission|
+                if known_permission.privilege_set_name == pristine_permission.privilege_set_name and known_permission.pristine_role.name == pristine_permission.pristine_role.name and known_permission.operation == '+'
+                  permission_to_delete = known_permission
+                  break
+                end
+              end
+              if permission_to_delete.nil?
+                raise ArgumentError, "Error: trying to remove permission #{pristine_permission.privilege_set_name}\" for #{pristine_permission.pristine_role.name}, but this permission wasn't created!"
+              else
+                permission_set.delete(permission_to_delete)
+                permission_set.delete(pristine_permission)
+              end
+            when 'x', '=>'
+              raise NotImplementedError, "Using an x or => in a pristine file is not implemented yet"
+          end
+        end
+        permission_set
+      end
+
+    end
+
+
+    class PristineFile < Cbac::CbacPristine::AbstractPristineFile
+      def parse_role(line, line_number, use_db = true)
+        if line.match(/^.*Admin\(\)/)
+          return @admin_role unless @admin_role.nil?
+
+          @admin_role = PristineRole.admin_role(use_db)
+          @generic_roles.push(@admin_role)
+          return @admin_role
+        end
+        if context_role_name = line.match(/^.*ContextRole\(\s*([A-Za-z0-9_]+)\s*\)/)
+          # NOTE: the 0 for an ID is very important! In CBAC a context role permission MUST have 0 as generic_role_id
+          # if not, the context role is not found by CBAC and thus will not work
+          
+          # this may be a context role that's already in the database
+          context_role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]}) : nil
+          
+          # this may still be a context role we've seen before...
+          context_role = @context_roles.select do |cr| cr.role_type == PristineRole.ROLE_TYPES[:context] and cr.name == context_role_name.captures[0] end.first if context_role.nil?
+          
+          if context_role.nil? 
+            # this is a never-before-seen context role
+            context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => context_role_name.captures[0]) if context_role.nil?
+            context_role.save if use_db
+            @context_roles.push context_role
+          end
+          return context_role
+        end
+        raise SyntaxError, "Error: ContextRole or Admin expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+
+
+    end
+
+    class GenericPristineFile < Cbac::CbacPristine::AbstractPristineFile
+      def parse_role(line, line_number, use_db = true)
+        # generic pristine files differ, because they create generic roles when needed
+        # but those generic roles should be re-used if one with that name already exists
+        if generic_role= line.match(/^.*GenericRole\(\s*([A-Za-z0-9_]+)\s*\)/)
+          @generic_roles.each do |generic_cbac_role|
+            if generic_cbac_role.name == generic_role.captures[0]
+              return generic_cbac_role
+            end
+          end
+          role = use_db ? PristineRole.first(:conditions => {:role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]}) : nil
+          role =  PristineRole.new(:role_id => @generic_roles.length + 2, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role.captures[0]) if role.nil?
+          @generic_roles.push(role)
+          return role
+        end
+        raise SyntaxError, "Error: GenericRole expected, but found: \"#{line}\" on line #{(line_number + 1).to_s}"
+      end
+    end
+  end
+end

data/lib/cbac/cbac_pristine/pristine_permission.rb

@@ -1,194 +1,194 @@
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_role'))
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
-require 'active_record'
-
-module Cbac
-  module CbacPristine
-    class PristinePermission < ActiveRecord::Base
-      set_table_name 'cbac_staged_permissions'
-
-      belongs_to :pristine_role, :class_name => "Cbac::CbacPristine::PristineRole"
-
-      def privilege_set
-        Cbac::PrivilegeSetRecord.first(:conditions => {:name => privilege_set_name})
-      end
-
-      def operation_string
-        case operation
-          when '+'
-            return "add"
-          when '-'
-            return "revoke"
-          else
-            return "unknown"
-        end
-      end
-
-      #convert this pristine line to a yml statement which can be used to create a yml fixtures file
-      #executing this statement will result in one cbac_permission in the DB
-      def to_yml_fixture(fixture_id = nil)
-        raise ArgumentError, "Error: cannot convert line #{line_number.to_s} to yml because the role is not specified" if pristine_role.nil?
-        raise ArgumentError, "Error: cannot convert line #{line_number.to_s} to yml because the privilege_set_name is not specified" if privilege_set_name.blank?
-
-        fixture_id = line_number if fixture_id.nil?
-
-        yml = "cbac_permission_00" << fixture_id.to_s << ":\n"
-        yml << "  id: " << fixture_id.to_s << "\n"
-        yml << "  context_role: "
-        yml << pristine_role.name if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
-        yml << "\n"
-        yml << "  generic_role_id: " << pristine_role.role_id.to_s << "\n"
-        yml << "  privilege_set_id: <%= Cbac::PrivilegeSetRecord.find(:first, :conditions => {:name => '" << privilege_set_name << "'}).id %>\n"
-        yml << "  created_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
-        yml << "  updated_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
-        yml << "\n"
-      end
-
-      # checks if the current cbac permissions contains a permission which is exactly like this one
-      def cbac_permission_exists?
-        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
-          Cbac::Permission.count(:joins => [:privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :context_role => pristine_role.name}) > 0
-        else
-          Cbac::Permission.count(:joins => [:generic_role, :privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :cbac_generic_roles => {:name => pristine_role.name}}) > 0
-        end
-      end
-
-      # checks if a pristine permission with the same properties(except line_number) exists in the database
-      def exists?
-        Cbac::CbacPristine::PristinePermission.count(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => operation}) > 0
-      end
-
-      # checks if a pristine permission with the exact same properties(except line_number), but the reverse operation exists in the database
-      def reverse_exists?
-        Cbac::CbacPristine::PristinePermission.count(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => reverse_operation}) > 0
-      end
-
-      # delete the pristine permission with the reverse operation of this one
-      def delete_reverse_permission
-        reverse_permission = Cbac::CbacPristine::PristinePermission.first(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => reverse_operation})
-        reverse_permission.delete
-      end
-
-      # get the reverse operation of this one
-      def reverse_operation
-        case operation
-          when '+'
-            return '-'
-          when '-'
-            return '+'
-          when 'x', '=>'
-            raise NotImplementedError, "Error: using an x or => in a pristine file is not implemented yet"
-          else
-            raise ArgumentError, "Error: invalid operation #{operation} is used in the pristine file"
-        end
-      end
-
-      # checks if the known_permissions table has an entry for this permission
-      def known_permission_exists?
-        Cbac::KnownPermission.count(:conditions => {:permission_type => pristine_role.known_permission_type, :permission_number => line_number}) > 0
-      end
-
-      # accept this permission and apply to the current cbac permission set
-      def accept
-        case operation
-          when '+'
-            handle_grant_permission
-          when '-'
-            handle_revoke_permission
-          when 'x', '=>'
-            raise NotImplementedError, "Error: using an x or => in a pristine file is not implemented yet"
-          else
-            raise ArgumentError, "Error: invalid operation #{operation} is used in the pristine file"
-        end
-        PristinePermission.delete(id) unless id.nil?
-      end
-
-      # reject this permission, but register it as a known permission. The user actually rejected this himself.
-      def reject
-        register_change
-        PristinePermission.delete(id) unless id.nil?
-      end
-
-      # add this permission to the cbac permission set, unless it already exists
-      def handle_grant_permission
-        return if cbac_permission_exists?
-
-        permission = Cbac::Permission.new
-        permission.privilege_set = privilege_set
-
-        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
-          permission.context_role = pristine_role.name
-        else
-          generic_role = Cbac::GenericRole.first(:conditions => {:name => pristine_role.name})
-          permission.generic_role = generic_role.nil? ? Cbac::GenericRole.create(:name => pristine_role.name, :remarks => "Autogenerated by Cbac loading / upgrade system") : generic_role
-        end
-
-        register_change if permission.save
-        permission
-      end
-
-      # revoke this permission from the current permission set, raises an error if it doesn't exist yet
-      def handle_revoke_permission
-        raise ArgumentError, "Error: trying to revoke permission #{privilege_set_name} for #{pristine_role.name}, but this permission does not exist" unless cbac_permission_exists?
-
-        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
-          permission = Cbac::Permission.first(:joins => [:privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :context_role => pristine_role.name})
-        else
-          permission = Cbac::Permission.first(:joins => [:generic_role, :privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :cbac_generic_roles => {:name => pristine_role.name}})
-        end
-
-        register_change if permission.destroy
-      end
-
-      # register this permission as a known permission
-      def register_change
-        Cbac::KnownPermission.create(:permission_number => line_number, :permission_type => pristine_role.known_permission_type)
-      end
-
-      # add this permission to the staging area
-      def stage
-        raise ArgumentError, "Error: this staged permission already exists. Record with line number #{line_number} is a duplicate permission." if exists?
-        return if known_permission_exists?
-
-        if operation == '-'
-          # if the reverse permission is also staged, remove it and do not add this one
-          if reverse_exists?
-            delete_reverse_permission
-            return
-          end
-          # if this is an attempt to revoke a permission, it should exist as a real cbac permission!
-          save if cbac_permission_exists?
-        elsif operation == '+'
-          # if this is an attempt to add a permission, it MUST not exist yet
-          save unless cbac_permission_exists?
-        end
-      end
-
-
-
-      # clear the staging area of all generic pristine permissions
-      def self.delete_generic_permissions
-        generic_staged_permissions = all(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic]])
-        generic_staged_permissions.each do |permission|
-          delete(permission.id)
-        end
-      end
-
-      # clear the staging area of all non generic permissions
-      def self.delete_non_generic_permissions
-        staged_permissions = all(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic]])
-        staged_permissions.each do |permission|
-          delete(permission.id)
-        end
-      end
-
-      def self.count_generic_permissions
-        count(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic]])
-      end
-
-      def self.count_non_generic_permissions
-        count(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic]])
-      end
-    end
-  end
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_role'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+require 'active_record'
+
+module Cbac
+  module CbacPristine
+    class PristinePermission < ActiveRecord::Base
+      set_table_name 'cbac_staged_permissions'
+
+      belongs_to :pristine_role, :class_name => "Cbac::CbacPristine::PristineRole"
+
+      def privilege_set
+        Cbac::PrivilegeSetRecord.first(:conditions => {:name => privilege_set_name})
+      end
+
+      def operation_string
+        case operation
+          when '+'
+            return "add"
+          when '-'
+            return "revoke"
+          else
+            return "unknown"
+        end
+      end
+
+      #convert this pristine line to a yml statement which can be used to create a yml fixtures file
+      #executing this statement will result in one cbac_permission in the DB
+      def to_yml_fixture(fixture_id = nil)
+        raise ArgumentError, "Error: cannot convert line #{line_number.to_s} to yml because the role is not specified" if pristine_role.nil?
+        raise ArgumentError, "Error: cannot convert line #{line_number.to_s} to yml because the privilege_set_name is not specified" if privilege_set_name.blank?
+
+        fixture_id = line_number if fixture_id.nil?
+
+        yml = "cbac_permission_00" << fixture_id.to_s << ":\n"
+        yml << "  id: " << fixture_id.to_s << "\n"
+        yml << "  context_role: "
+        yml << pristine_role.name if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+        yml << "\n"
+        yml << "  generic_role_id: " << pristine_role.role_id.to_s << "\n"
+        yml << "  privilege_set_id: <%= Cbac::PrivilegeSetRecord.find(:first, :conditions => {:name => '" << privilege_set_name << "'}).id %>\n"
+        yml << "  created_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
+        yml << "  updated_at: " << Time.now.strftime("%Y-%m-%d %H:%M:%S") << "\n"
+        yml << "\n"
+      end
+
+      # checks if the current cbac permissions contains a permission which is exactly like this one
+      def cbac_permission_exists?
+        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+          Cbac::Permission.count(:joins => [:privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :context_role => pristine_role.name}) > 0
+        else
+          Cbac::Permission.count(:joins => [:generic_role, :privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :cbac_generic_roles => {:name => pristine_role.name}}) > 0
+        end
+      end
+
+      # checks if a pristine permission with the same properties(except line_number) exists in the database
+      def exists?
+        Cbac::CbacPristine::PristinePermission.count(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => operation}) > 0
+      end
+
+      # checks if a pristine permission with the exact same properties(except line_number), but the reverse operation exists in the database
+      def reverse_exists?
+        Cbac::CbacPristine::PristinePermission.count(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => reverse_operation}) > 0
+      end
+
+      # delete the pristine permission with the reverse operation of this one
+      def delete_reverse_permission
+        reverse_permission = Cbac::CbacPristine::PristinePermission.first(:conditions => {:privilege_set_name => privilege_set_name, :pristine_role_id => pristine_role_id, :operation => reverse_operation})
+        reverse_permission.delete
+      end
+
+      # get the reverse operation of this one
+      def reverse_operation
+        case operation
+          when '+'
+            return '-'
+          when '-'
+            return '+'
+          when 'x', '=>'
+            raise NotImplementedError, "Error: using an x or => in a pristine file is not implemented yet"
+          else
+            raise ArgumentError, "Error: invalid operation #{operation} is used in the pristine file"
+        end
+      end
+
+      # checks if the known_permissions table has an entry for this permission
+      def known_permission_exists?
+        Cbac::KnownPermission.count(:conditions => {:permission_type => pristine_role.known_permission_type, :permission_number => line_number}) > 0
+      end
+
+      # accept this permission and apply to the current cbac permission set
+      def accept
+        case operation
+          when '+'
+            handle_grant_permission
+          when '-'
+            handle_revoke_permission
+          when 'x', '=>'
+            raise NotImplementedError, "Error: using an x or => in a pristine file is not implemented yet"
+          else
+            raise ArgumentError, "Error: invalid operation #{operation} is used in the pristine file"
+        end
+        PristinePermission.delete(id) unless id.nil?
+      end
+
+      # reject this permission, but register it as a known permission. The user actually rejected this himself.
+      def reject
+        register_change
+        PristinePermission.delete(id) unless id.nil?
+      end
+
+      # add this permission to the cbac permission set, unless it already exists
+      def handle_grant_permission
+        return if cbac_permission_exists?
+
+        permission = Cbac::Permission.new
+        permission.privilege_set = privilege_set
+
+        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+          permission.context_role = pristine_role.name
+        else
+          generic_role = Cbac::GenericRole.first(:conditions => {:name => pristine_role.name})
+          permission.generic_role = generic_role.nil? ? Cbac::GenericRole.create(:name => pristine_role.name, :remarks => "Autogenerated by Cbac loading / upgrade system") : generic_role
+        end
+
+        register_change if permission.save
+        permission
+      end
+
+      # revoke this permission from the current permission set, raises an error if it doesn't exist yet
+      def handle_revoke_permission
+        raise ArgumentError, "Error: trying to revoke permission #{privilege_set_name} for #{pristine_role.name}, but this permission does not exist" unless cbac_permission_exists?
+
+        if pristine_role.role_type == PristineRole.ROLE_TYPES[:context]
+          permission = Cbac::Permission.first(:joins => [:privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :context_role => pristine_role.name})
+        else
+          permission = Cbac::Permission.first(:joins => [:generic_role, :privilege_set], :conditions => {:cbac_privilege_set => {:name => privilege_set_name}, :cbac_generic_roles => {:name => pristine_role.name}})
+        end
+
+        register_change if permission.destroy
+      end
+
+      # register this permission as a known permission
+      def register_change
+        Cbac::KnownPermission.create(:permission_number => line_number, :permission_type => pristine_role.known_permission_type)
+      end
+
+      # add this permission to the staging area
+      def stage
+        raise ArgumentError, "Error: this staged permission already exists. Record with line number #{line_number} is a duplicate permission." if exists?
+        return if known_permission_exists?
+
+        if operation == '-'
+          # if the reverse permission is also staged, remove it and do not add this one
+          if reverse_exists?
+            delete_reverse_permission
+            return
+          end
+          # if this is an attempt to revoke a permission, it should exist as a real cbac permission!
+          save if cbac_permission_exists?
+        elsif operation == '+'
+          # if this is an attempt to add a permission, it MUST not exist yet
+          save unless cbac_permission_exists?
+        end
+      end
+
+
+
+      # clear the staging area of all generic pristine permissions
+      def self.delete_generic_permissions
+        generic_staged_permissions = all(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic]])
+        generic_staged_permissions.each do |permission|
+          delete(permission.id)
+        end
+      end
+
+      # clear the staging area of all non generic permissions
+      def self.delete_non_generic_permissions
+        staged_permissions = all(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic]])
+        staged_permissions.each do |permission|
+          delete(permission.id)
+        end
+      end
+
+      def self.count_generic_permissions
+        count(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type = ?", PristineRole.ROLE_TYPES[:generic]])
+      end
+
+      def self.count_non_generic_permissions
+        count(:joins => :pristine_role, :conditions => ["cbac_staged_roles.role_type != ?", PristineRole.ROLE_TYPES[:generic]])
+      end
+    end
+  end
 end