cbac 0.6.1 → 0.6.2
- data/Manifest +70 -74
- data/README.rdoc +51 -51
- data/Rakefile +39 -39
- data/cbac.gemspec +30 -31
- data/config/cbac/context_roles.rb +21 -21
- data/config/cbac/privileges.rb +50 -50
- data/context_roles.rb +21 -21
- data/init.rb +3 -3
- data/lib/cbac.rb +132 -132
- data/lib/cbac/cbac_pristine/pristine.rb +138 -135
- data/lib/cbac/cbac_pristine/pristine_file.rb +173 -170
- data/lib/cbac/cbac_pristine/pristine_permission.rb +205 -194
- data/lib/cbac/cbac_pristine/pristine_role.rb +41 -41
- data/lib/cbac/config.rb +9 -9
- data/lib/cbac/context_role.rb +27 -27
- data/lib/cbac/generic_role.rb +5 -5
- data/lib/cbac/known_permission.rb +14 -14
- data/lib/cbac/membership.rb +3 -3
- data/lib/cbac/permission.rb +5 -5
- data/lib/cbac/privilege.rb +117 -117
- data/lib/cbac/privilege_new_api.rb +56 -56
- data/lib/cbac/privilege_set.rb +29 -29
- data/lib/cbac/privilege_set_record.rb +6 -6
- data/lib/cbac/setup.rb +37 -37
- data/lib/generators/cbac/USAGE +33 -33
- data/lib/generators/cbac/cbac_generator.rb +75 -75
- data/lib/generators/cbac/copy_files/config/cbac.pristine +2 -2
- data/lib/generators/cbac/copy_files/config/context_roles.rb +17 -17
- data/lib/generators/cbac/copy_files/config/privileges.rb +25 -25
- data/lib/generators/cbac/copy_files/controllers/generic_roles_controller.rb +30 -30
- data/lib/generators/cbac/copy_files/controllers/memberships_controller.rb +22 -22
- data/lib/generators/cbac/copy_files/controllers/permissions_controller.rb +61 -61
- data/lib/generators/cbac/copy_files/controllers/upgrade_controller.rb +23 -23
- data/lib/generators/cbac/copy_files/fixtures/cbac_generic_roles.yml +9 -9
- data/lib/generators/cbac/copy_files/fixtures/cbac_memberships.yml +8 -8
- data/lib/generators/cbac/copy_files/fixtures/cbac_permissions.yml +8 -8
- data/lib/generators/cbac/copy_files/initializers/cbac_config.rb +4 -4
- data/lib/generators/cbac/copy_files/migrate/create_cbac_from_scratch.rb +59 -59
- data/lib/generators/cbac/copy_files/migrate/create_cbac_upgrade_path.rb +40 -31
- data/lib/generators/cbac/copy_files/stylesheets/cbac.css +65 -65
- data/lib/generators/cbac/copy_files/tasks/cbac.rake +345 -345
- data/lib/generators/cbac/copy_files/views/generic_roles/index.html.erb +58 -58
- data/lib/generators/cbac/copy_files/views/layouts/cbac.html.erb +18 -18
- data/lib/generators/cbac/copy_files/views/memberships/_update.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/memberships/index.html.erb +23 -23
- data/lib/generators/cbac/copy_files/views/permissions/_update_context_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/_update_generic_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/index.html.erb +39 -39
- data/lib/generators/cbac/copy_files/views/upgrade/index.html.erb +31 -31
- data/migrations/20110211105533_add_pristine_files_to_cbac_upgrade_path.rb +16 -0
- data/privileges.rb +50 -50
- data/spec/cbac_pristine_file_spec.rb +329 -329
- data/spec/cbac_pristine_permission_spec.rb +358 -358
- data/spec/cbac_pristine_role_spec.rb +85 -85
- data/spec/rcov.opts +1 -1
- data/spec/spec.opts +4 -4
- data/spec/spec_helper.rb +11 -11
- data/tasks/cbac.rake +345 -345
- data/test/fixtures/cbac_generic_roles.yml +9 -9
- data/test/fixtures/cbac_memberships.yml +8 -8
- data/test/fixtures/cbac_permissions.yml +14 -14
- data/test/fixtures/cbac_privilege_set.yml +18 -18
- data/test/test_cbac_actions.rb +71 -71
- data/test/test_cbac_authorize_context_roles.rb +39 -39
- data/test/test_cbac_authorize_generic_roles.rb +36 -36
- data/test/test_cbac_context_role.rb +50 -50
- data/test/test_cbac_privilege.rb +151 -151
- data/test/test_cbac_privilege_set.rb +50 -50
- data/test/test_helper.rb +28 -28
- metadata +14 -15
- data/nbproject/private/private.properties +0 -3
- data/nbproject/private/private.xml +0 -4
- data/nbproject/private/rake-d.txt +0 -0
- data/nbproject/project.properties +0 -9
- data/nbproject/project.xml +0 -16
@@ -1,358 +1,358 @@
|
|
1
|
-
|
2
|
-
require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
|
3
|
-
require 'spec'
|
4
|
-
require 'cbac/cbac_pristine/pristine'
|
5
|
-
require 'cbac/cbac_pristine/pristine_role'
|
6
|
-
require 'cbac/cbac_pristine/pristine_permission'
|
7
|
-
|
8
|
-
include Cbac::CbacPristine
|
9
|
-
|
10
|
-
describe "CbacPristinePermission" do
|
11
|
-
|
12
|
-
|
13
|
-
describe "convert pristine line to a yml fixture" do
|
14
|
-
before(:each) do
|
15
|
-
@context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
16
|
-
@admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
17
|
-
end
|
18
|
-
|
19
|
-
|
20
|
-
it "should raise an error if the pristine line has no role" do
|
21
|
-
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => 'log_in', :pristine_role => nil)
|
22
|
-
lambda{
|
23
|
-
pristine_permission.to_yml_fixture
|
24
|
-
}.should raise_error(ArgumentError)
|
25
|
-
end
|
26
|
-
|
27
|
-
it "should raise an error if the pristine line has no privilege_set_name" do
|
28
|
-
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "", :pristine_role => @context_role)
|
29
|
-
lambda{
|
30
|
-
pristine_permission.to_yml_fixture
|
31
|
-
}.should raise_error(ArgumentError)
|
32
|
-
end
|
33
|
-
|
34
|
-
it "should return a yml string starting with cbac_permission_ " do
|
35
|
-
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
|
36
|
-
|
37
|
-
pristine_permission.to_yml_fixture.should match(/\Acbac_permission_/)
|
38
|
-
end
|
39
|
-
|
40
|
-
it "should return a yml string containing the line number of the pristine line" do
|
41
|
-
line_number= 100
|
42
|
-
pristine_permission = PristinePermission.new(:line_number => line_number, :privilege_set_name => "chat", :pristine_role => @context_role)
|
43
|
-
|
44
|
-
pristine_permission.to_yml_fixture.should match(/id: #{line_number}/)
|
45
|
-
end
|
46
|
-
|
47
|
-
it "should return a yml string containing a generic role id of 0 if a context_role is used" do
|
48
|
-
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
49
|
-
|
50
|
-
pristine_permission.to_yml_fixture.should match(/generic_role_id: 0/)
|
51
|
-
end
|
52
|
-
|
53
|
-
it "should return a yml string containing the name of the context role if a context_role is used" do
|
54
|
-
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
55
|
-
|
56
|
-
pristine_permission.to_yml_fixture.should match(/context_role: #{@context_role.name}/)
|
57
|
-
end
|
58
|
-
|
59
|
-
it "should return a yml string containing the id of the generic role if a generic role is used" do
|
60
|
-
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @admin_role)
|
61
|
-
|
62
|
-
pristine_permission.to_yml_fixture.should match(/generic_role_id: #{@admin_role.id.to_s}/)
|
63
|
-
end
|
64
|
-
|
65
|
-
it "should return a yml string containing ruby code to find the privilege set by name" do
|
66
|
-
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
67
|
-
|
68
|
-
pristine_permission.to_yml_fixture.should match(/privilege_set_id: \<%= Cbac::PrivilegeSetRecord.find\(:first, :conditions => \{:name => '#{pristine_permission.privilege_set_name}'\}\)\.id %>/)
|
69
|
-
end
|
70
|
-
|
71
|
-
it "should return a yml string containing created_at and updated_at" do
|
72
|
-
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
|
73
|
-
pristine_permission.to_yml_fixture.should match(/created_at:.+updated_at:/m)
|
74
|
-
end
|
75
|
-
end
|
76
|
-
|
77
|
-
describe "check if this pristine permission exists" do
|
78
|
-
before(:each) do
|
79
|
-
@privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
80
|
-
@admin_role = Cbac::GenericRole.create(:name => "administrator")
|
81
|
-
|
82
|
-
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
83
|
-
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
|
84
|
-
end
|
85
|
-
|
86
|
-
it "should return true if the pristine permission exists as generic cbac permission in the database" do
|
87
|
-
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => @admin_role.id)
|
88
|
-
|
89
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
90
|
-
|
91
|
-
pristine_permission.cbac_permission_exists?.should be_true
|
92
|
-
end
|
93
|
-
|
94
|
-
it "should return true if the pristine permission exists as context cbac permission in the database" do
|
95
|
-
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
96
|
-
|
97
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
98
|
-
|
99
|
-
pristine_permission.cbac_permission_exists?.should be_true
|
100
|
-
end
|
101
|
-
|
102
|
-
it "should return false if the pristine permission does not exist as context cbac permission in the database" do
|
103
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
104
|
-
|
105
|
-
pristine_permission.cbac_permission_exists?.should be_false
|
106
|
-
end
|
107
|
-
|
108
|
-
it "should return false if the pristine permission does not exist as a generic cbac permission in the database" do
|
109
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
110
|
-
|
111
|
-
pristine_permission.cbac_permission_exists?.should be_false
|
112
|
-
end
|
113
|
-
|
114
|
-
it "should return false if a similar pristine permission exist as a generic cbac permission in the database, but for another generic role" do
|
115
|
-
group_admin = Cbac::GenericRole.create(:name => "group_administrator")
|
116
|
-
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => group_admin.id)
|
117
|
-
|
118
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
119
|
-
|
120
|
-
pristine_permission.cbac_permission_exists?.should be_false
|
121
|
-
end
|
122
|
-
|
123
|
-
it "should return false if a similar pristine permission exist as a context cbac permission in the database, but for another context role" do
|
124
|
-
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => "group_owner")
|
125
|
-
|
126
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
127
|
-
|
128
|
-
pristine_permission.cbac_permission_exists?.should be_false
|
129
|
-
end
|
130
|
-
end
|
131
|
-
|
132
|
-
describe "check if a known permission exists for this pristine permission" do
|
133
|
-
before(:each) do
|
134
|
-
|
135
|
-
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
136
|
-
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
137
|
-
end
|
138
|
-
|
139
|
-
it "should return true if the pristine permission exists as a known permission in the database" do
|
140
|
-
pristine_permission = PristinePermission.new(:pristine_role => @pristine_admin_role, :line_number => 4, :privilege_set_name => "not relevant")
|
141
|
-
|
142
|
-
Cbac::KnownPermission.create(:permission_number => pristine_permission.line_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
|
143
|
-
|
144
|
-
pristine_permission.known_permission_exists?.should be_true
|
145
|
-
end
|
146
|
-
end
|
147
|
-
|
148
|
-
describe "apply the permission" do
|
149
|
-
before(:each) do
|
150
|
-
@privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
151
|
-
@admin_role = Cbac::GenericRole.create(:name => "administrator")
|
152
|
-
|
153
|
-
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
154
|
-
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
|
155
|
-
end
|
156
|
-
|
157
|
-
|
158
|
-
it "should add the context permission to the database if operation + is used" do
|
159
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
160
|
-
pristine_permission.operation = '+'
|
161
|
-
|
162
|
-
proc {
|
163
|
-
pristine_permission.accept
|
164
|
-
}.should change(Cbac::Permission, :count).by(1)
|
165
|
-
end
|
166
|
-
|
167
|
-
it "should create a generic permission if operation + is used" do
|
168
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
169
|
-
pristine_permission.operation = '+'
|
170
|
-
|
171
|
-
proc {
|
172
|
-
pristine_permission.accept
|
173
|
-
}.should change(Cbac::Permission, :count).by(1)
|
174
|
-
end
|
175
|
-
|
176
|
-
it "should delete the pristine permission since it was accepted" do
|
177
|
-
pristine_permission = PristinePermission.create(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role, :operation => '+')
|
178
|
-
|
179
|
-
proc {
|
180
|
-
pristine_permission.accept
|
181
|
-
}.should change(PristinePermission, :count).by(-1)
|
182
|
-
end
|
183
|
-
|
184
|
-
it "should create a generic role if it doesn't exist in yet" do
|
185
|
-
cbac_privilege_set = Cbac::PrivilegeSetRecord.create(:name => "cbac_administration")
|
186
|
-
|
187
|
-
cbac_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => "cbac_administrator")
|
188
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => cbac_privilege_set.name, :pristine_role => cbac_admin_role)
|
189
|
-
pristine_permission.operation = '+'
|
190
|
-
|
191
|
-
proc {
|
192
|
-
pristine_permission.accept
|
193
|
-
}.should change(Cbac::GenericRole, :count).by(1)
|
194
|
-
end
|
195
|
-
|
196
|
-
it "should use an existing role if possible" do
|
197
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
198
|
-
pristine_permission.operation = '+'
|
199
|
-
|
200
|
-
pristine_permission.accept
|
201
|
-
# test smell: depends on a clean database
|
202
|
-
cbac_permission = Cbac::Permission.first
|
203
|
-
|
204
|
-
cbac_permission.generic_role.should == @admin_role
|
205
|
-
end
|
206
|
-
|
207
|
-
it "should remove an existing permission if operation - is used" do
|
208
|
-
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
209
|
-
|
210
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
211
|
-
pristine_permission.operation = '-'
|
212
|
-
|
213
|
-
proc {
|
214
|
-
pristine_permission.accept
|
215
|
-
}.should change(Cbac::Permission, :count).by(-1)
|
216
|
-
end
|
217
|
-
|
218
|
-
it "should raise an error if operation - is used and the permission does not exist" do
|
219
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
220
|
-
pristine_permission.operation = '-'
|
221
|
-
|
222
|
-
proc {
|
223
|
-
pristine_permission.accept
|
224
|
-
}.should raise_error(ArgumentError)
|
225
|
-
end
|
226
|
-
|
227
|
-
it "should create a known permission to record a change" do
|
228
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
229
|
-
pristine_permission.operation = '+'
|
230
|
-
|
231
|
-
proc {
|
232
|
-
pristine_permission.accept
|
233
|
-
}.should change(Cbac::KnownPermission, :count).by(1)
|
234
|
-
end
|
235
|
-
|
236
|
-
it "should create a known permission with specified permission identifier" do
|
237
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
238
|
-
pristine_permission.operation = '+'
|
239
|
-
|
240
|
-
pristine_permission.accept
|
241
|
-
|
242
|
-
known_permission = Cbac::KnownPermission.last
|
243
|
-
|
244
|
-
known_permission.permission_number.should == pristine_permission.line_number
|
245
|
-
end
|
246
|
-
|
247
|
-
it "should create a known permission with specified role type" do
|
248
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
249
|
-
pristine_permission.operation = '+'
|
250
|
-
|
251
|
-
pristine_permission.accept
|
252
|
-
|
253
|
-
known_permission = Cbac::KnownPermission.last
|
254
|
-
|
255
|
-
known_permission.permission_type.should == Cbac::KnownPermission.PERMISSION_TYPES[:context]
|
256
|
-
end
|
257
|
-
|
258
|
-
it "should also create a known permission if operation - is used to revoke a permission" do
|
259
|
-
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
260
|
-
|
261
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
262
|
-
pristine_permission.operation = '-'
|
263
|
-
|
264
|
-
proc {
|
265
|
-
pristine_permission.accept
|
266
|
-
}.should change(Cbac::KnownPermission, :count).by(1)
|
267
|
-
end
|
268
|
-
end
|
269
|
-
|
270
|
-
describe "stage the permission so it can be applied" do
|
271
|
-
before(:each) do
|
272
|
-
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
273
|
-
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
274
|
-
end
|
275
|
-
|
276
|
-
it "should persist the pristine permission to the database" do
|
277
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
|
278
|
-
|
279
|
-
proc {
|
280
|
-
pristine_permission.stage
|
281
|
-
}.should change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
282
|
-
|
283
|
-
end
|
284
|
-
|
285
|
-
it "should persist the associated role if it doesn't exist yet" do
|
286
|
-
pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
|
287
|
-
|
288
|
-
proc {
|
289
|
-
pristine_permission.stage
|
290
|
-
}.should change(Cbac::CbacPristine::PristineRole, :count).by(1)
|
291
|
-
end
|
292
|
-
|
293
|
-
it "should not create a new pristine permission if the cbac permission exists and the pristine permission wants to add" do
|
294
|
-
privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
295
|
-
Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
296
|
-
|
297
|
-
pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
|
298
|
-
proc {
|
299
|
-
pristine_permission.stage
|
300
|
-
}.should_not change(Cbac::CbacPristine::PristinePermission, :count)
|
301
|
-
end
|
302
|
-
|
303
|
-
it "should create a new pristine permission if the cbac permission exists and the pristine permission wants to revoke" do
|
304
|
-
privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
305
|
-
Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
306
|
-
|
307
|
-
pristine_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
|
308
|
-
proc {
|
309
|
-
pristine_permission.stage
|
310
|
-
}.should change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
311
|
-
end
|
312
|
-
|
313
|
-
it "should not create a new pristine permission if a staged add permission exists and this pristine permission wants to revoke" do
|
314
|
-
privilege_set_name = "chat"
|
315
|
-
PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
316
|
-
pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
317
|
-
|
318
|
-
proc {
|
319
|
-
pristine_revoke_permission.stage
|
320
|
-
}.should_not change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
321
|
-
end
|
322
|
-
|
323
|
-
it "should delete a staged add permission if the pristine permission wants to revoke the same permission" do
|
324
|
-
privilege_set_name = "chat"
|
325
|
-
PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
326
|
-
pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
327
|
-
|
328
|
-
proc {
|
329
|
-
pristine_revoke_permission.stage
|
330
|
-
}.should change(Cbac::CbacPristine::PristinePermission, :count).by(-1)
|
331
|
-
end
|
332
|
-
|
333
|
-
it "should not create a new pristine permission if a cbac known permission exists" do
|
334
|
-
known_number = 1
|
335
|
-
pristine_permission = PristinePermission.new(:line_number => known_number, :privilege_set_name => "name not relevant", :pristine_role => @pristine_context_role)
|
336
|
-
Cbac::KnownPermission.create(:permission_number => known_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
|
337
|
-
|
338
|
-
proc {
|
339
|
-
pristine_permission.stage
|
340
|
-
}.should_not change(Cbac::CbacPristine::PristinePermission, :count)
|
341
|
-
|
342
|
-
end
|
343
|
-
|
344
|
-
it "should raise an error if the same pristine permission is staged twice" do
|
345
|
-
privilege_set_name = "chat"
|
346
|
-
PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 2)
|
347
|
-
pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 3)
|
348
|
-
|
349
|
-
proc {
|
350
|
-
pristine_permission.stage
|
351
|
-
}.should raise_error(ArgumentError)
|
352
|
-
end
|
353
|
-
|
354
|
-
|
355
|
-
end
|
356
|
-
|
357
|
-
end
|
358
|
-
|
1
|
+
|
2
|
+
require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
|
3
|
+
require 'spec'
|
4
|
+
require '../lib/cbac/cbac_pristine/pristine'
|
5
|
+
require '../lib/cbac/cbac_pristine/pristine_role'
|
6
|
+
require '../lib/cbac/cbac_pristine/pristine_permission'
|
7
|
+
|
8
|
+
include Cbac::CbacPristine
|
9
|
+
|
10
|
+
describe "CbacPristinePermission" do
|
11
|
+
|
12
|
+
|
13
|
+
describe "convert pristine line to a yml fixture" do
|
14
|
+
before(:each) do
|
15
|
+
@context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
16
|
+
@admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
17
|
+
end
|
18
|
+
|
19
|
+
|
20
|
+
it "should raise an error if the pristine line has no role" do
|
21
|
+
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => 'log_in', :pristine_role => nil)
|
22
|
+
lambda{
|
23
|
+
pristine_permission.to_yml_fixture
|
24
|
+
}.should raise_error(ArgumentError)
|
25
|
+
end
|
26
|
+
|
27
|
+
it "should raise an error if the pristine line has no privilege_set_name" do
|
28
|
+
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "", :pristine_role => @context_role)
|
29
|
+
lambda{
|
30
|
+
pristine_permission.to_yml_fixture
|
31
|
+
}.should raise_error(ArgumentError)
|
32
|
+
end
|
33
|
+
|
34
|
+
it "should return a yml string starting with cbac_permission_ " do
|
35
|
+
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
|
36
|
+
|
37
|
+
pristine_permission.to_yml_fixture.should match(/\Acbac_permission_/)
|
38
|
+
end
|
39
|
+
|
40
|
+
it "should return a yml string containing the line number of the pristine line" do
|
41
|
+
line_number= 100
|
42
|
+
pristine_permission = PristinePermission.new(:line_number => line_number, :privilege_set_name => "chat", :pristine_role => @context_role)
|
43
|
+
|
44
|
+
pristine_permission.to_yml_fixture.should match(/id: #{line_number}/)
|
45
|
+
end
|
46
|
+
|
47
|
+
it "should return a yml string containing a generic role id of 0 if a context_role is used" do
|
48
|
+
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
49
|
+
|
50
|
+
pristine_permission.to_yml_fixture.should match(/generic_role_id: 0/)
|
51
|
+
end
|
52
|
+
|
53
|
+
it "should return a yml string containing the name of the context role if a context_role is used" do
|
54
|
+
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
55
|
+
|
56
|
+
pristine_permission.to_yml_fixture.should match(/context_role: #{@context_role.name}/)
|
57
|
+
end
|
58
|
+
|
59
|
+
it "should return a yml string containing the id of the generic role if a generic role is used" do
|
60
|
+
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @admin_role)
|
61
|
+
|
62
|
+
pristine_permission.to_yml_fixture.should match(/generic_role_id: #{@admin_role.id.to_s}/)
|
63
|
+
end
|
64
|
+
|
65
|
+
it "should return a yml string containing ruby code to find the privilege set by name" do
|
66
|
+
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
67
|
+
|
68
|
+
pristine_permission.to_yml_fixture.should match(/privilege_set_id: \<%= Cbac::PrivilegeSetRecord.find\(:first, :conditions => \{:name => '#{pristine_permission.privilege_set_name}'\}\)\.id %>/)
|
69
|
+
end
|
70
|
+
|
71
|
+
it "should return a yml string containing created_at and updated_at" do
|
72
|
+
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
|
73
|
+
pristine_permission.to_yml_fixture.should match(/created_at:.+updated_at:/m)
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
describe "check if this pristine permission exists" do
|
78
|
+
before(:each) do
|
79
|
+
@privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
80
|
+
@admin_role = Cbac::GenericRole.create(:name => "administrator")
|
81
|
+
|
82
|
+
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
83
|
+
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
|
84
|
+
end
|
85
|
+
|
86
|
+
it "should return true if the pristine permission exists as generic cbac permission in the database" do
|
87
|
+
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => @admin_role.id)
|
88
|
+
|
89
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
90
|
+
|
91
|
+
pristine_permission.cbac_permission_exists?.should be_true
|
92
|
+
end
|
93
|
+
|
94
|
+
it "should return true if the pristine permission exists as context cbac permission in the database" do
|
95
|
+
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
96
|
+
|
97
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
98
|
+
|
99
|
+
pristine_permission.cbac_permission_exists?.should be_true
|
100
|
+
end
|
101
|
+
|
102
|
+
it "should return false if the pristine permission does not exist as context cbac permission in the database" do
|
103
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
104
|
+
|
105
|
+
pristine_permission.cbac_permission_exists?.should be_false
|
106
|
+
end
|
107
|
+
|
108
|
+
it "should return false if the pristine permission does not exist as a generic cbac permission in the database" do
|
109
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
110
|
+
|
111
|
+
pristine_permission.cbac_permission_exists?.should be_false
|
112
|
+
end
|
113
|
+
|
114
|
+
it "should return false if a similar pristine permission exist as a generic cbac permission in the database, but for another generic role" do
|
115
|
+
group_admin = Cbac::GenericRole.create(:name => "group_administrator")
|
116
|
+
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => group_admin.id)
|
117
|
+
|
118
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
119
|
+
|
120
|
+
pristine_permission.cbac_permission_exists?.should be_false
|
121
|
+
end
|
122
|
+
|
123
|
+
it "should return false if a similar pristine permission exist as a context cbac permission in the database, but for another context role" do
|
124
|
+
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => "group_owner")
|
125
|
+
|
126
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
127
|
+
|
128
|
+
pristine_permission.cbac_permission_exists?.should be_false
|
129
|
+
end
|
130
|
+
end
|
131
|
+
|
132
|
+
describe "check if a known permission exists for this pristine permission" do
|
133
|
+
before(:each) do
|
134
|
+
|
135
|
+
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
136
|
+
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
137
|
+
end
|
138
|
+
|
139
|
+
it "should return true if the pristine permission exists as a known permission in the database" do
|
140
|
+
pristine_permission = PristinePermission.new(:pristine_role => @pristine_admin_role, :line_number => 4, :privilege_set_name => "not relevant")
|
141
|
+
|
142
|
+
Cbac::KnownPermission.create(:permission_number => pristine_permission.line_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
|
143
|
+
|
144
|
+
pristine_permission.known_permission_exists?.should be_true
|
145
|
+
end
|
146
|
+
end
|
147
|
+
|
148
|
+
describe "apply the permission" do
|
149
|
+
before(:each) do
|
150
|
+
@privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
151
|
+
@admin_role = Cbac::GenericRole.create(:name => "administrator")
|
152
|
+
|
153
|
+
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
154
|
+
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
|
155
|
+
end
|
156
|
+
|
157
|
+
|
158
|
+
it "should add the context permission to the database if operation + is used" do
|
159
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
160
|
+
pristine_permission.operation = '+'
|
161
|
+
|
162
|
+
proc {
|
163
|
+
pristine_permission.accept
|
164
|
+
}.should change(Cbac::Permission, :count).by(1)
|
165
|
+
end
|
166
|
+
|
167
|
+
it "should create a generic permission if operation + is used" do
|
168
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
169
|
+
pristine_permission.operation = '+'
|
170
|
+
|
171
|
+
proc {
|
172
|
+
pristine_permission.accept
|
173
|
+
}.should change(Cbac::Permission, :count).by(1)
|
174
|
+
end
|
175
|
+
|
176
|
+
it "should delete the pristine permission since it was accepted" do
|
177
|
+
pristine_permission = PristinePermission.create(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role, :operation => '+')
|
178
|
+
|
179
|
+
proc {
|
180
|
+
pristine_permission.accept
|
181
|
+
}.should change(PristinePermission, :count).by(-1)
|
182
|
+
end
|
183
|
+
|
184
|
+
it "should create a generic role if it doesn't exist in yet" do
|
185
|
+
cbac_privilege_set = Cbac::PrivilegeSetRecord.create(:name => "cbac_administration")
|
186
|
+
|
187
|
+
cbac_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => "cbac_administrator")
|
188
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => cbac_privilege_set.name, :pristine_role => cbac_admin_role)
|
189
|
+
pristine_permission.operation = '+'
|
190
|
+
|
191
|
+
proc {
|
192
|
+
pristine_permission.accept
|
193
|
+
}.should change(Cbac::GenericRole, :count).by(1)
|
194
|
+
end
|
195
|
+
|
196
|
+
it "should use an existing role if possible" do
|
197
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
198
|
+
pristine_permission.operation = '+'
|
199
|
+
|
200
|
+
pristine_permission.accept
|
201
|
+
# test smell: depends on a clean database
|
202
|
+
cbac_permission = Cbac::Permission.first
|
203
|
+
|
204
|
+
cbac_permission.generic_role.should == @admin_role
|
205
|
+
end
|
206
|
+
|
207
|
+
it "should remove an existing permission if operation - is used" do
|
208
|
+
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
209
|
+
|
210
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
211
|
+
pristine_permission.operation = '-'
|
212
|
+
|
213
|
+
proc {
|
214
|
+
pristine_permission.accept
|
215
|
+
}.should change(Cbac::Permission, :count).by(-1)
|
216
|
+
end
|
217
|
+
|
218
|
+
it "should raise an error if operation - is used and the permission does not exist" do
|
219
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
220
|
+
pristine_permission.operation = '-'
|
221
|
+
|
222
|
+
proc {
|
223
|
+
pristine_permission.accept
|
224
|
+
}.should raise_error(ArgumentError)
|
225
|
+
end
|
226
|
+
|
227
|
+
it "should create a known permission to record a change" do
|
228
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
229
|
+
pristine_permission.operation = '+'
|
230
|
+
|
231
|
+
proc {
|
232
|
+
pristine_permission.accept
|
233
|
+
}.should change(Cbac::KnownPermission, :count).by(1)
|
234
|
+
end
|
235
|
+
|
236
|
+
it "should create a known permission with specified permission identifier" do
|
237
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
238
|
+
pristine_permission.operation = '+'
|
239
|
+
|
240
|
+
pristine_permission.accept
|
241
|
+
|
242
|
+
known_permission = Cbac::KnownPermission.last
|
243
|
+
|
244
|
+
known_permission.permission_number.should == pristine_permission.line_number
|
245
|
+
end
|
246
|
+
|
247
|
+
it "should create a known permission with specified role type" do
|
248
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
249
|
+
pristine_permission.operation = '+'
|
250
|
+
|
251
|
+
pristine_permission.accept
|
252
|
+
|
253
|
+
known_permission = Cbac::KnownPermission.last
|
254
|
+
|
255
|
+
known_permission.permission_type.should == Cbac::KnownPermission.PERMISSION_TYPES[:context]
|
256
|
+
end
|
257
|
+
|
258
|
+
it "should also create a known permission if operation - is used to revoke a permission" do
|
259
|
+
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
260
|
+
|
261
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
262
|
+
pristine_permission.operation = '-'
|
263
|
+
|
264
|
+
proc {
|
265
|
+
pristine_permission.accept
|
266
|
+
}.should change(Cbac::KnownPermission, :count).by(1)
|
267
|
+
end
|
268
|
+
end
|
269
|
+
|
270
|
+
describe "stage the permission so it can be applied" do
|
271
|
+
before(:each) do
|
272
|
+
@pristine_context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
273
|
+
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
274
|
+
end
|
275
|
+
|
276
|
+
it "should persist the pristine permission to the database" do
|
277
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
|
278
|
+
|
279
|
+
proc {
|
280
|
+
pristine_permission.stage
|
281
|
+
}.should change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
282
|
+
|
283
|
+
end
|
284
|
+
|
285
|
+
it "should persist the associated role if it doesn't exist yet" do
|
286
|
+
pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
|
287
|
+
|
288
|
+
proc {
|
289
|
+
pristine_permission.stage
|
290
|
+
}.should change(Cbac::CbacPristine::PristineRole, :count).by(1)
|
291
|
+
end
|
292
|
+
|
293
|
+
it "should not create a new pristine permission if the cbac permission exists and the pristine permission wants to add" do
|
294
|
+
privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
295
|
+
Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
296
|
+
|
297
|
+
pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
|
298
|
+
proc {
|
299
|
+
pristine_permission.stage
|
300
|
+
}.should_not change(Cbac::CbacPristine::PristinePermission, :count)
|
301
|
+
end
|
302
|
+
|
303
|
+
it "should create a new pristine permission if the cbac permission exists and the pristine permission wants to revoke" do
|
304
|
+
privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
305
|
+
Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
306
|
+
|
307
|
+
pristine_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
|
308
|
+
proc {
|
309
|
+
pristine_permission.stage
|
310
|
+
}.should change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
311
|
+
end
|
312
|
+
|
313
|
+
it "should not create a new pristine permission if a staged add permission exists and this pristine permission wants to revoke" do
|
314
|
+
privilege_set_name = "chat"
|
315
|
+
PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
316
|
+
pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
317
|
+
|
318
|
+
proc {
|
319
|
+
pristine_revoke_permission.stage
|
320
|
+
}.should_not change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
321
|
+
end
|
322
|
+
|
323
|
+
it "should delete a staged add permission if the pristine permission wants to revoke the same permission" do
|
324
|
+
privilege_set_name = "chat"
|
325
|
+
PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
326
|
+
pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
327
|
+
|
328
|
+
proc {
|
329
|
+
pristine_revoke_permission.stage
|
330
|
+
}.should change(Cbac::CbacPristine::PristinePermission, :count).by(-1)
|
331
|
+
end
|
332
|
+
|
333
|
+
it "should not create a new pristine permission if a cbac known permission exists" do
|
334
|
+
known_number = 1
|
335
|
+
pristine_permission = PristinePermission.new(:line_number => known_number, :privilege_set_name => "name not relevant", :pristine_role => @pristine_context_role)
|
336
|
+
Cbac::KnownPermission.create(:permission_number => known_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
|
337
|
+
|
338
|
+
proc {
|
339
|
+
pristine_permission.stage
|
340
|
+
}.should_not change(Cbac::CbacPristine::PristinePermission, :count)
|
341
|
+
|
342
|
+
end
|
343
|
+
|
344
|
+
it "should raise an error if the same pristine permission is staged twice" do
|
345
|
+
privilege_set_name = "chat"
|
346
|
+
PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 2)
|
347
|
+
pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 3)
|
348
|
+
|
349
|
+
proc {
|
350
|
+
pristine_permission.stage
|
351
|
+
}.should raise_error(ArgumentError)
|
352
|
+
end
|
353
|
+
|
354
|
+
|
355
|
+
end
|
356
|
+
|
357
|
+
end
|
358
|
+
|