cbac 0.6.1 → 0.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/Manifest +70 -74
- data/README.rdoc +51 -51
- data/Rakefile +39 -39
- data/cbac.gemspec +30 -31
- data/config/cbac/context_roles.rb +21 -21
- data/config/cbac/privileges.rb +50 -50
- data/context_roles.rb +21 -21
- data/init.rb +3 -3
- data/lib/cbac.rb +132 -132
- data/lib/cbac/cbac_pristine/pristine.rb +138 -135
- data/lib/cbac/cbac_pristine/pristine_file.rb +173 -170
- data/lib/cbac/cbac_pristine/pristine_permission.rb +205 -194
- data/lib/cbac/cbac_pristine/pristine_role.rb +41 -41
- data/lib/cbac/config.rb +9 -9
- data/lib/cbac/context_role.rb +27 -27
- data/lib/cbac/generic_role.rb +5 -5
- data/lib/cbac/known_permission.rb +14 -14
- data/lib/cbac/membership.rb +3 -3
- data/lib/cbac/permission.rb +5 -5
- data/lib/cbac/privilege.rb +117 -117
- data/lib/cbac/privilege_new_api.rb +56 -56
- data/lib/cbac/privilege_set.rb +29 -29
- data/lib/cbac/privilege_set_record.rb +6 -6
- data/lib/cbac/setup.rb +37 -37
- data/lib/generators/cbac/USAGE +33 -33
- data/lib/generators/cbac/cbac_generator.rb +75 -75
- data/lib/generators/cbac/copy_files/config/cbac.pristine +2 -2
- data/lib/generators/cbac/copy_files/config/context_roles.rb +17 -17
- data/lib/generators/cbac/copy_files/config/privileges.rb +25 -25
- data/lib/generators/cbac/copy_files/controllers/generic_roles_controller.rb +30 -30
- data/lib/generators/cbac/copy_files/controllers/memberships_controller.rb +22 -22
- data/lib/generators/cbac/copy_files/controllers/permissions_controller.rb +61 -61
- data/lib/generators/cbac/copy_files/controllers/upgrade_controller.rb +23 -23
- data/lib/generators/cbac/copy_files/fixtures/cbac_generic_roles.yml +9 -9
- data/lib/generators/cbac/copy_files/fixtures/cbac_memberships.yml +8 -8
- data/lib/generators/cbac/copy_files/fixtures/cbac_permissions.yml +8 -8
- data/lib/generators/cbac/copy_files/initializers/cbac_config.rb +4 -4
- data/lib/generators/cbac/copy_files/migrate/create_cbac_from_scratch.rb +59 -59
- data/lib/generators/cbac/copy_files/migrate/create_cbac_upgrade_path.rb +40 -31
- data/lib/generators/cbac/copy_files/stylesheets/cbac.css +65 -65
- data/lib/generators/cbac/copy_files/tasks/cbac.rake +345 -345
- data/lib/generators/cbac/copy_files/views/generic_roles/index.html.erb +58 -58
- data/lib/generators/cbac/copy_files/views/layouts/cbac.html.erb +18 -18
- data/lib/generators/cbac/copy_files/views/memberships/_update.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/memberships/index.html.erb +23 -23
- data/lib/generators/cbac/copy_files/views/permissions/_update_context_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/_update_generic_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/index.html.erb +39 -39
- data/lib/generators/cbac/copy_files/views/upgrade/index.html.erb +31 -31
- data/migrations/20110211105533_add_pristine_files_to_cbac_upgrade_path.rb +16 -0
- data/privileges.rb +50 -50
- data/spec/cbac_pristine_file_spec.rb +329 -329
- data/spec/cbac_pristine_permission_spec.rb +358 -358
- data/spec/cbac_pristine_role_spec.rb +85 -85
- data/spec/rcov.opts +1 -1
- data/spec/spec.opts +4 -4
- data/spec/spec_helper.rb +11 -11
- data/tasks/cbac.rake +345 -345
- data/test/fixtures/cbac_generic_roles.yml +9 -9
- data/test/fixtures/cbac_memberships.yml +8 -8
- data/test/fixtures/cbac_permissions.yml +14 -14
- data/test/fixtures/cbac_privilege_set.yml +18 -18
- data/test/test_cbac_actions.rb +71 -71
- data/test/test_cbac_authorize_context_roles.rb +39 -39
- data/test/test_cbac_authorize_generic_roles.rb +36 -36
- data/test/test_cbac_context_role.rb +50 -50
- data/test/test_cbac_privilege.rb +151 -151
- data/test/test_cbac_privilege_set.rb +50 -50
- data/test/test_helper.rb +28 -28
- metadata +14 -15
- data/nbproject/private/private.properties +0 -3
- data/nbproject/private/private.xml +0 -4
- data/nbproject/private/rake-d.txt +0 -0
- data/nbproject/project.properties +0 -9
- data/nbproject/project.xml +0 -16
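--- a/data/context_roles.rb
+++ b/data/context_roles.rb
@@ -1,21 +1,21 @@
-### context_roles.rb
-#
-# Defines the context roles for the CBAC system
-#
-include Cbac
-
-# Defining context roles
-ContextRole.add :not_logged_in_user, 'current_user == 0'
-ContextRole.add :logged_in_user, 'current_user.to_i > 0'
-ContextRole.add :everybody, "true"
-ContextRole.add :news_owner do
-context[:post].user.id == current_user
-end
-
-ContextRole.add :news_owner_with_email do
-return false if News.find(params[:id]).author_id == current_user
-return false if User.find(current_user).email.nil?
-true
-end
-
-
+### context_roles.rb
+#
+# Defines the context roles for the CBAC system
+#
+include Cbac
+
+# Defining context roles
+ContextRole.add :not_logged_in_user, 'current_user == 0'
+ContextRole.add :logged_in_user, 'current_user.to_i > 0'
+ContextRole.add :everybody, "true"
+ContextRole.add :news_owner do
+context[:post].user.id == current_user
+end
+
+ContextRole.add :news_owner_with_email do
+return false if News.find(params[:id]).author_id == current_user
+return false if User.find(current_user).email.nil?
+true
+end
+
+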
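--- a/data/init.rb
+++ b/data/init.rb
@@ -1,3 +1,3 @@
-# Include CBAC core file
-require File.dirname(__FILE__) + '/lib/cbac.rb'
-
+# Include CBAC core file
+require File.dirname(__FILE__) + '/lib/cbac.rb'
+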
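--- a/data/lib/cbac.rb
+++ b/data/lib/cbac.rb
@@ -1,132 +1,132 @@
-# TODO: Check the permission table for double entries, ie: both an entry in the
-# generic_role_id field and an entry in the context_role field. Solution: solve
-# via model. Update model & add test
-require "cbac/setup"
-require "cbac/config"
-require "cbac/context_role"
-require "cbac/generic_role"
-require "cbac/known_permission"
-require "cbac/membership"
-require "cbac/permission"
-require "cbac/privilege"
-require "cbac/privilege_new_api"
-require "cbac/privilege_set"
-require "cbac/privilege_set_record"
-require "cbac/cbac_pristine/pristine"
-require "cbac/cbac_pristine/pristine_file"
-require "cbac/cbac_pristine/pristine_permission"
-require "cbac/cbac_pristine/pristine_role"
-
-# The following code contains configuration options. You can turn them on for
-# gem development. For actual usage, it is advisable to set the configuration
-# options in the environment files.
-Cbac::Config.verbose = true
-
-# Module containing the bootstrap code
-module Cbac
-def cbac_boot!
-if Cbac::Setup.check
-puts "CBAC properly installed"
-
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
-
-# check performs a check to see if the user is allowed to access the given
-# resource. Example: authorization_check("BlogController", "index", :get)
-def authorization_check(controller, action, request, context = {})
-# Determine the controller to look for
-controller_method = [controller, action].join("/")
-# Get the privilegesets
-privilege_sets = Privilege.select(controller_method, request)
-# Check the privilege sets
-check_privilege_sets(privilege_sets, context)
-end
-
-# Check the given privilege_set symbol
-# TODO following code is not yet tested
-def check_privilege_set(privilege_set, context = {})
-check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
-end
-
-# Check the given privilege_sets
-def check_privilege_sets(privilege_sets, context = {})
-# Check the generic roles
-return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
-# Check the context roles Get the permissions
-privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
-puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
-eval_string = ContextRole.roles[permission.context_role.to_sym]
-begin
-return true if eval_string.call(context)
-rescue Exception => e
-puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
-raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
-end
-end
-# not authorized
-puts "Not authorized for: #{privilege_sets.to_s}" if Cbac::Config.verbose
-false
-end
-
-# Code that performs authorization
-def authorize
-authorization_check(params[:controller], params[:action], request.request_method.downcase, self) || unauthorized
-end
-
-# Default unauthorized method Override this method to supply your own code
-# for incorrect authorization
-def unauthorized
-render :text => "You are not authorized to perform this action", :status => 401
-end
-
-# Default implementation of the current_user method
-def current_user_id
-session[:currentuser].to_i
-end
-
-# Load controller classes and methods
-def load_controller_methods
-begin
-Dir.glob("app/controllers/**/*.rb").each{|file| require file}
-rescue LoadError
-raise "Could not load controller classes"
-end
-# Make this iterative TODO
-@classes = ApplicationController.subclasses
-end
-
-# Extracts the class name from the filename
-def extract_class_name(filename)
-File.basename(filename).chomp(".rb").camelize
-end
-
-# ### Initializer Include privileges file - contains the privilege and
-# privilege definitions
-begin
-require File.join(::Rails.root.to_s, "config", "cbac", "privileges.rb")
-rescue MissingSourceFile
-puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
-end
-# Include context roles file - contains the context role definitions
-begin
-require File.join(::Rails.root.to_s, "config", "cbac", "context_roles.rb")
-rescue MissingSourceFile
-puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
-end
-
-# ### Database autoload code
-else
-# This is the code that is executed if CBAc is not properly installed/
-# configured. It includes a different authorize method, aimes at refusing
-# all authorizations
-def authorize
-render :text => "Authorization error", :status => 401
-false
-end
-end
-end
-end
+# TODO: Check the permission table for double entries, ie: both an entry in the
+# generic_role_id field and an entry in the context_role field. Solution: solve
+# via model. Update model & add test
+require "cbac/setup"
+require "cbac/config"
+require "cbac/context_role"
+require "cbac/generic_role"
+require "cbac/known_permission"
+require "cbac/membership"
+require "cbac/permission"
+require "cbac/privilege"
+require "cbac/privilege_new_api"
+require "cbac/privilege_set"
+require "cbac/privilege_set_record"
+require "cbac/cbac_pristine/pristine"
+require "cbac/cbac_pristine/pristine_file"
+require "cbac/cbac_pristine/pristine_permission"
+require "cbac/cbac_pristine/pristine_role"
+
+# The following code contains configuration options. You can turn them on for
+# gem development. For actual usage, it is advisable to set the configuration
+# options in the environment files.
+Cbac::Config.verbose = true
+
+# Module containing the bootstrap code
+module Cbac
+def cbac_boot!
+if Cbac::Setup.check
+puts "CBAC properly installed"
+
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
+
+# check performs a check to see if the user is allowed to access the given
+# resource. Example: authorization_check("BlogController", "index", :get)
+def authorization_check(controller, action, request, context = {})
+# Determine the controller to look for
+controller_method = [controller, action].join("/")
+# Get the privilegesets
+privilege_sets = Privilege.select(controller_method, request)
+# Check the privilege sets
+check_privilege_sets(privilege_sets, context)
+end
+
+# Check the given privilege_set symbol
+# TODO following code is not yet tested
+def check_privilege_set(privilege_set, context = {})
+check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
+end
+
+# Check the given privilege_sets
+def check_privilege_sets(privilege_sets, context = {})
+# Check the generic roles
+return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+# Check the context roles Get the permissions
+privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
+puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
+eval_string = ContextRole.roles[permission.context_role.to_sym]
+begin
+return true if eval_string.call(context)
+rescue Exception => e
+puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
+raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
+end
+end
+# not authorized
+puts "Not authorized for: #{privilege_sets.to_s}" if Cbac::Config.verbose
+false
+end
+
+# Code that performs authorization
+def authorize
+authorization_check(params[:controller], params[:action], request.request_method.downcase, self) || unauthorized
+end
+
+# Default unauthorized method Override this method to supply your own code
+# for incorrect authorization
+def unauthorized
+render :text => "You are not authorized to perform this action", :status => 401
+end
+
+# Default implementation of the current_user method
+def current_user_id
+session[:currentuser].to_i
+end
+
+# Load controller classes and methods
+def load_controller_methods
+begin
+Dir.glob("app/controllers/**/*.rb").each{|file| require file}
+rescue LoadError
+raise "Could not load controller classes"
+end
+# Make this iterative TODO
+@classes = ApplicationController.subclasses
+end
+
+# Extracts the class name from the filename
+def extract_class_name(filename)
+File.basename(filename).chomp(".rb").camelize
+end
+
+# ### Initializer Include privileges file - contains the privilege and
+# privilege definitions
+begin
+require File.join(::Rails.root.to_s, "config", "cbac", "privileges.rb")
+rescue MissingSourceFile
+puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
+end
+# Include context roles file - contains the context role definitions
+begin
+require File.join(::Rails.root.to_s, "config", "cbac", "context_roles.rb")
+rescue MissingSourceFile
+puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
+end
+
+# ### Database autoload code
+else
+# This is the code that is executed if CBAc is not properly installed/
+# configured. It includes a different authorize method, aimes at refusing
+# all authorizations
+def authorize
+render :text => "Authorization error", :status => 401
+false
+end
+end
+end
+end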
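--- a/data/lib/cbac/cbac_pristine/pristine.rb
+++ b/data/lib/cbac/cbac_pristine/pristine.rb
@@ -1,135 +1,138 @@
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
-
-module Cbac
-module CbacPristine
-#creates a yml file containing all generic roles from the specified pristine file objects
-def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
-roles = []
-
-pristine_files.each do |pristine_file|
-#if the pristine file wasn't parsed yet, we'll do it here
-pristine_file.parse(false) if pristine_file.permissions.empty?
-pristine_file.generic_roles.each do |generic_role|
-# we only want the unique generic roles, because the yml file cannot have duplicates
-has_role = false
-roles.each do |role|
-if role.name == generic_role.name
-has_role = true
-end
-end
-roles.push(generic_role) unless has_role
-end
-end
-create_fixtures_file(roles, fixtures_file_name)
-end
-
-# creates a yml file containing all cbac_permissions from the specified pristine file objects
-def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
-permissions = []
-
-pristine_files.each do |pristine_file|
-pristine_file.parse(false) if pristine_file.permissions.empty?
-pristine_file.permission_set.each do |line|
-permissions.push(line)
-end
-end
-create_fixtures_file(permissions, fixtures_file_name)
-end
-
-# turns the fixtures into yml and writes them to a file with specified name.
-def create_fixtures_file(fixtures, fixtures_file_name)
-File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
-f = File.new(fixtures_file_name, "w")
-flock(f, File::LOCK_EX) do |f|
-fixtures.each_with_index do |fixture, index|
-f.write(fixture.to_yml_fixture(index + 1))
-end
-end
-end
-
-# set all cbac permissions and generic roles to the state in the specified pristine file objects
-def set_pristine_state(pristine_files, clear_tables)
-clear_cbac_tables if clear_tables
-pristine_files.each do |pristine_file|
-pristine_file.parse if pristine_file.permissions.empty?
-pristine_file.permissions.each do |permission|
-permission.accept
-end
-end
-end
-
-# stage all unknown cbac_permissions
-def stage_permissions(pristine_files)
-
-pristine_files.each do |pristine_file|
-pristine_file.parse(true) if pristine_file.permissions.empty?
-pristine_file.permissions.each do |permission|
-permission.stage
-end
-end
-end
-
-def clear_cbac_tables
-Cbac::GenericRole.delete_all
-Cbac::Membership.delete_all
-Cbac::Permission.delete_all
-Cbac::KnownPermission.delete_all
-Cbac::CbacPristine::
-Cbac::CbacPristine::
-
-
-
-
-known_permissions.
-
-
-
-
-
-#
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-end
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+
+module Cbac
+module CbacPristine
+#creates a yml file containing all generic roles from the specified pristine file objects
+def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
+roles = []
+
+pristine_files.each do |pristine_file|
+#if the pristine file wasn't parsed yet, we'll do it here
+pristine_file.parse(false) if pristine_file.permissions.empty?
+pristine_file.generic_roles.each do |generic_role|
+# we only want the unique generic roles, because the yml file cannot have duplicates
+has_role = false
+roles.each do |role|
+if role.name == generic_role.name
+has_role = true
+end
+end
+roles.push(generic_role) unless has_role
+end
+end
+create_fixtures_file(roles, fixtures_file_name)
+end
+
+# creates a yml file containing all cbac_permissions from the specified pristine file objects
+def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
+permissions = []
+
+pristine_files.each do |pristine_file|
+pristine_file.parse(false) if pristine_file.permissions.empty?
+pristine_file.permission_set.each do |line|
+permissions.push(line)
+end
+end
+create_fixtures_file(permissions, fixtures_file_name)
+end
+
+# turns the fixtures into yml and writes them to a file with specified name.
+def create_fixtures_file(fixtures, fixtures_file_name)
+File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
+f = File.new(fixtures_file_name, "w")
+flock(f, File::LOCK_EX) do |f|
+fixtures.each_with_index do |fixture, index|
+f.write(fixture.to_yml_fixture(index + 1))
+end
+end
+end
+
+# set all cbac permissions and generic roles to the state in the specified pristine file objects
+def set_pristine_state(pristine_files, clear_tables)
+clear_cbac_tables if clear_tables
+pristine_files.each do |pristine_file|
+pristine_file.parse if pristine_file.permissions.empty?
+pristine_file.permissions.each do |permission|
+permission.accept
+end
+end
+end
+
+# stage all unknown cbac_permissions
+def stage_permissions(pristine_files)
+
+pristine_files.each do |pristine_file|
+pristine_file.parse(true) if pristine_file.permissions.empty?
+pristine_file.permissions.each do |permission|
+permission.stage
+end
+end
+end
+
+def clear_cbac_tables
+Cbac::GenericRole.delete_all
+Cbac::Membership.delete_all
+Cbac::Permission.delete_all
+Cbac::KnownPermission.delete_all
+Cbac::CbacPristine::PristineFile.delete_all
+Cbac::CbacPristine::PristinePermission.delete_all
+Cbac::CbacPristine::PristineRole.delete_all
+end
+
+def delete_generic_known_permissions
+known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
+known_permissions.each { |p| p.destroy }
+end
+
+def delete_generic_permissions
+permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
+# for backwards compatibility, generic_role name was administrators instead of administrator
+# SMELL: administrator role *only* identified by name
+(permissions.select { |perm| perm.generic_role.name != "administrator" and perm.generic_role.name != "administrators" }).each { |p| p.destroy }
+end
+
+def delete_non_generic_staged_permissions
+PristinePermission.delete_non_generic_permissions
+end
+
+def delete_generic_staged_permissions
+PristinePermission.delete_generic_permissions
+end
+
+def database_contains_cbac_data?
+(Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
+end
+
+def find_or_create_generic_pristine_file(file_name)
+pristine_file = GenericPristineFile.find_by_file_name(file_name)
+pristine_file.present? ? pristine_file : GenericPristineFile.create(:file_name => file_name)
+end
+
+def find_or_create_pristine_file(file_name)
+pristine_file = PristineFile.find_by_file_name(file_name)
+pristine_file.present? ? pristine_file : PristineFile.create(:file_name => file_name)
+end
+
+def number_of_generic_staged_permissions
+PristinePermission.count_generic_permissions
+end
+
+def number_of_non_generic_staged_permissions
+PristinePermission.count_non_generic_permissions
+end
+
+def flock(file, mode)
+success = file.flock(mode)
+if success
+begin
+yield file
+ensure
+file.flock(File::LOCK_UN)
+end
+end
+return success
+end
+
+end
+end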
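Review bot: The handle opened by `f = File.new(fixtures_file_name, "w")` in `create_fixtures_file` (new line 43) is never closed; the `flock` helper at new lines 125-135 only releases the lock, so the fixture file stays open and unflushed until the object is garbage-collected, which also keeps the exclusive lock held longer than intended. Replacing that line with `File.open(fixtures_file_name, "w") do |f|` and adding a matching `end` after the `flock` block closes and flushes it deterministically; the preceding `File.delete ... if File.exists?` then becomes redundant, since mode `"w"` already truncates, and the inner block parameter `|f|` shadows the outer `f` and should get a distinct name. Separately, `database_contains_cbac_data?` (new line 104) does not count `Cbac::CbacPristine::PristineFile` although `clear_cbac_tables` now deletes that table, so a database holding only pristine-file rows would presumably report as empty; confirm whether that is intended. This hunk carries no file header on the page; the path is inferred from the diffstat entry whose counts (+138 -135) match the hunk range.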