cbac 0.6.1 → 0.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/Manifest +70 -74
- data/README.rdoc +51 -51
- data/Rakefile +39 -39
- data/cbac.gemspec +30 -31
- data/config/cbac/context_roles.rb +21 -21
- data/config/cbac/privileges.rb +50 -50
- data/context_roles.rb +21 -21
- data/init.rb +3 -3
- data/lib/cbac.rb +132 -132
- data/lib/cbac/cbac_pristine/pristine.rb +138 -135
- data/lib/cbac/cbac_pristine/pristine_file.rb +173 -170
- data/lib/cbac/cbac_pristine/pristine_permission.rb +205 -194
- data/lib/cbac/cbac_pristine/pristine_role.rb +41 -41
- data/lib/cbac/config.rb +9 -9
- data/lib/cbac/context_role.rb +27 -27
- data/lib/cbac/generic_role.rb +5 -5
- data/lib/cbac/known_permission.rb +14 -14
- data/lib/cbac/membership.rb +3 -3
- data/lib/cbac/permission.rb +5 -5
- data/lib/cbac/privilege.rb +117 -117
- data/lib/cbac/privilege_new_api.rb +56 -56
- data/lib/cbac/privilege_set.rb +29 -29
- data/lib/cbac/privilege_set_record.rb +6 -6
- data/lib/cbac/setup.rb +37 -37
- data/lib/generators/cbac/USAGE +33 -33
- data/lib/generators/cbac/cbac_generator.rb +75 -75
- data/lib/generators/cbac/copy_files/config/cbac.pristine +2 -2
- data/lib/generators/cbac/copy_files/config/context_roles.rb +17 -17
- data/lib/generators/cbac/copy_files/config/privileges.rb +25 -25
- data/lib/generators/cbac/copy_files/controllers/generic_roles_controller.rb +30 -30
- data/lib/generators/cbac/copy_files/controllers/memberships_controller.rb +22 -22
- data/lib/generators/cbac/copy_files/controllers/permissions_controller.rb +61 -61
- data/lib/generators/cbac/copy_files/controllers/upgrade_controller.rb +23 -23
- data/lib/generators/cbac/copy_files/fixtures/cbac_generic_roles.yml +9 -9
- data/lib/generators/cbac/copy_files/fixtures/cbac_memberships.yml +8 -8
- data/lib/generators/cbac/copy_files/fixtures/cbac_permissions.yml +8 -8
- data/lib/generators/cbac/copy_files/initializers/cbac_config.rb +4 -4
- data/lib/generators/cbac/copy_files/migrate/create_cbac_from_scratch.rb +59 -59
- data/lib/generators/cbac/copy_files/migrate/create_cbac_upgrade_path.rb +40 -31
- data/lib/generators/cbac/copy_files/stylesheets/cbac.css +65 -65
- data/lib/generators/cbac/copy_files/tasks/cbac.rake +345 -345
- data/lib/generators/cbac/copy_files/views/generic_roles/index.html.erb +58 -58
- data/lib/generators/cbac/copy_files/views/layouts/cbac.html.erb +18 -18
- data/lib/generators/cbac/copy_files/views/memberships/_update.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/memberships/index.html.erb +23 -23
- data/lib/generators/cbac/copy_files/views/permissions/_update_context_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/_update_generic_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/index.html.erb +39 -39
- data/lib/generators/cbac/copy_files/views/upgrade/index.html.erb +31 -31
- data/migrations/20110211105533_add_pristine_files_to_cbac_upgrade_path.rb +16 -0
- data/privileges.rb +50 -50
- data/spec/cbac_pristine_file_spec.rb +329 -329
- data/spec/cbac_pristine_permission_spec.rb +358 -358
- data/spec/cbac_pristine_role_spec.rb +85 -85
- data/spec/rcov.opts +1 -1
- data/spec/spec.opts +4 -4
- data/spec/spec_helper.rb +11 -11
- data/tasks/cbac.rake +345 -345
- data/test/fixtures/cbac_generic_roles.yml +9 -9
- data/test/fixtures/cbac_memberships.yml +8 -8
- data/test/fixtures/cbac_permissions.yml +14 -14
- data/test/fixtures/cbac_privilege_set.yml +18 -18
- data/test/test_cbac_actions.rb +71 -71
- data/test/test_cbac_authorize_context_roles.rb +39 -39
- data/test/test_cbac_authorize_generic_roles.rb +36 -36
- data/test/test_cbac_context_role.rb +50 -50
- data/test/test_cbac_privilege.rb +151 -151
- data/test/test_cbac_privilege_set.rb +50 -50
- data/test/test_helper.rb +28 -28
- metadata +14 -15
- data/nbproject/private/private.properties +0 -3
- data/nbproject/private/private.xml +0 -4
- data/nbproject/private/rake-d.txt +0 -0
- data/nbproject/project.properties +0 -9
- data/nbproject/project.xml +0 -16
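--- a/data/spec/cbac_pristine_file_spec.rb
+++ b/data/spec/cbac_pristine_file_spec.rb
@@ -1,330 +1,330 @@
-require 'spec'
-require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
-require 'cbac/cbac_pristine/pristine'
-require 'cbac/cbac_pristine/pristine_permission'
-require 'cbac/cbac_pristine/pristine_role'
-require 'cbac/cbac_pristine/pristine_file'
-include Cbac::CbacPristine
-
-describe "CbacPristineFile" do
-before(:each) do
-@pristine_file = PristineFile.new("cbac.pristine")
-end
-
-describe "indicate if a line looks like a pristine line" do
-
-it "should indicate that a ruby style comment line is not a pristine line" do
-comment_line = "#this is a comment line in Ruby"
-
-@pristine_file.is_pristine_permission_line?(comment_line, 1).should be_false
-end
-
-it "should raise an error if the line does not look like a pristine line" do
-line = "this is not pristine line. And it isn't a comment. 1"
-
-proc{
-@pristine_file.is_pristine_permission_line?(line, 0)
-}.should raise_error(SyntaxError)
-end
-
-it "should return true in case of a valid pristine line" do
-line = "0:+:PrivilegeSet(login)ContextRole(everybody)"
-
-@pristine_file.is_pristine_permission_line?(line, 0).should be_true
-end
-
-it "should fail if the id of the pristine line contains a character" do
-line = "0b:+:PrivilegeSet(login)ContextRole(everybody)"
-
-proc{
-@pristine_file.is_pristine_permission_line?(line, 0)
-}.should raise_error(SyntaxError)
-end
-
-it "should succeed if the privilege set name is not provided" do
-line = "0:+:PrivilegeSet()Admin()"
-
-@pristine_file.is_pristine_permission_line?(line, 0).should be_true
-end
-
-it "should succeed if the context role name is not provided" do
-line = "0:+:PrivilegeSet(login)ContextRole()"
-
-@pristine_file.is_pristine_permission_line?(line, 0).should be_true
-end
-
-end
-
-describe "parse the privilege set name from a pristine line" do
-it "should fail if the privilege set name is not provided" do
-line = "0:+:PrivilegeSet()Admin()"
-
-proc{
-@pristine_file.parse_privilege_set_name(line, 0)
-}.should raise_error(SyntaxError)
-end
-
-it "should return the name of the privilege set provided in the line" do
-privilege_set_name = "chat"
-line = "0:+:PrivilegeSet(#{privilege_set_name})Admin()"
-
-@pristine_file.parse_privilege_set_name(line, 0).should == privilege_set_name
-end
-
-it "should fail if an invalid line is provided" do
-line = "0:+:ContextRole(toeteraars)"
-
-proc{
-@pristine_file.parse_privilege_set_name(line, 0)
-}.should raise_error(SyntaxError)
-end
-end
-
-describe "parse the role from a pristine line" do
-it "should return the admin role if the role is Admin()" do
-admin_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:admin], :name => 'administrator')
-PristineRole.stub!(:admin_role).and_return(admin_role)
-line = "0:+:PrivilegeSet(chat)Admin()"
-
-@pristine_file.parse_role(line, 0).should == admin_role
-end
-
-it "should return a context role if the role specified as ContextRole" do
-line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
-
-@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:context]
-end
-
-it "should return a context role with specified name if the role specified as ContextRole" do
-context_role_name = "logged_in_user"
-line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
-
-@pristine_file.parse_role(line, 0).name.should == context_role_name
-end
-
-it "should return an existing context role with specified name if possible" do
-context_role_name = "logged_in_user"
-line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
-existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
-
-@pristine_file.parse_role(line, 0).should == existing_context_role
-end
-
-it "should not return an existing context role with specified name if db should not be used" do
-context_role_name = "logged_in_user"
-line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
-existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
-
-@pristine_file.parse_role(line, 0, false).should_not == existing_context_role
-end
-
-it "should return a context role with id of 0 if the role specified as ContextRole" do
-line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
-
-@pristine_file.parse_role(line, 0).role_id.should == 0
-end
-
-it "should fail if an invalid line is provided" do
-line = "0:+:PrivilegeSet(toeteraars)"
-
-proc{
-@pristine_file.parse_role(line, 0)
-}.should raise_error(SyntaxError)
-end
-
-it "should fail if a generic role is provided for the normal (non-generic) pristine file" do
-line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
-
-proc{
-@pristine_file.parse_role(line, 0)
-}.should raise_error(SyntaxError)
-end
-
-
-it "should return a generic role if a generic pristine file is used" do
-@pristine_file = GenericPristineFile.new("cbac.pristine")
-line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
-
-@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:generic]
-end
-
-it "should return an existing generic role if use_db is not specified" do
-generic_role_name = 'group_admins'
-@pristine_file = GenericPristineFile.new("cbac.pristine")
-line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
-existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
-
-@pristine_file.parse_role(line, 0).should == existing_role
-end
-
-it "should not use an existing role if use_db is set to false" do
-generic_role_name = 'group_admins'
-@pristine_file = GenericPristineFile.new("cbac.pristine")
-line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
-existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
-
-@pristine_file.parse_role(line, 0, false).should_not == existing_role
-end
-
-it "should fail if an Admin role is used in a generic pristine file" do
-@pristine_file = GenericPristineFile.new("cbac.pristine")
-line = "0:+:PrivilegeSet(chat)Admin()"
-
-proc{
-@pristine_file.parse_role(line, 0)
-}.should raise_error(SyntaxError)
-end
-
-it "should fail if an context role is used in a generic pristine file" do
-@pristine_file = GenericPristineFile.new("cbac.pristine")
-line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
-
-proc{
-@pristine_file.parse_role(line, 0)
-}.should raise_error(SyntaxError)
-end
-
-it "should fail if an invalid line is provided in a generic pristine file" do
-@pristine_file = GenericPristineFile.new("cbac.pristine")
-line = "0:+:PrivilegeSet(toeteraars)"
-
-proc{
-@pristine_file.parse_role(line, 0)
-}.should raise_error(SyntaxError)
-end
-end
-
-describe "parsing a cbac_pristine file" do
-
-it "should fail if a row number is used twice" do
-pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
-pristine_file_lines.push("0:+:PrivilegeSet(log_in)ContextRole(everybody)")
-
-File.stub!(:open).and_return(pristine_file_lines)
-
-pristine_file = PristineFile.new("cbac.pristine")
-
-proc{
-pristine_file.parse
-}.should raise_error(SyntaxError)
-end
-
-it "should fill the lines array with an object for each file line" do
-pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
-pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
-pristine_file_lines.push("2:+:PrivilegeSet(log_out)ContextRole(logged_in_user)")
-
-File.stub!(:open).and_return(pristine_file_lines)
-
-pristine_file = PristineFile.new("cbac.pristine")
-pristine_file.parse
-
-pristine_file.permissions.length.should == pristine_file_lines.length
-end
-
-it "should not create an object for a comment line" do
-pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
-pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
-pristine_file_lines.push("#this is a Ruby comment line")
-
-File.stub!(:open).and_return(pristine_file_lines)
-
-pristine_file = PristineFile.new("cbac.pristine")
-pristine_file.parse
-
-pristine_file.permissions.length.should == 2
-end
-
-it "should also add a permission object if permission is revoked (operand - is used)" do
-pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
-pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
-pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(logged_in_user)")
-
-File.stub!(:open).and_return(pristine_file_lines)
-
-pristine_file = PristineFile.new("cbac.pristine")
-pristine_file.parse
-
-pristine_file.permissions.length.should == 3
-pristine_file.permissions[2].operation.should == '-'
-end
-
-it "should fail if a permission is revoked which wasn't added before" do
-pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
-pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
-pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(everybody)")
-
-File.stub!(:open).and_return(pristine_file_lines)
-
-pristine_file = PristineFile.new("cbac.pristine")
-proc{
-pristine_file.parse
-}.should raise_error(SyntaxError)
-end
-
-it "should fail if an x is used as an operand" do
-pristine_file_lines = ["0:x:PrivilegeSet(chat)ContextRole(logged_in_user)"]
-File.stub!(:open).and_return(pristine_file_lines)
-
-pristine_file = PristineFile.new("cbac.pristine")
-proc{
-pristine_file.parse
-}.should raise_error(NotImplementedError)
-end
-
-it "should fail if an => is used as an operand" do
-pristine_file_lines = ["0:=>:PrivilegeSet(chat)ContextRole(logged_in_user)"]
-File.stub!(:open).and_return(pristine_file_lines)
-
-pristine_file = PristineFile.new("cbac.pristine")
-proc{
-pristine_file.parse
-}.should raise_error(NotImplementedError)
-end
-end
-
-describe "permission set" do
-before(:each) do
-@context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
-@admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin],:name => "administrator")
-@pristine_file = PristineFile.new("cbac.pristine")
-end
-
-it "should filter out the permissions which were revoked" do
-permission_to_revoke = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
-@pristine_file.permissions.push(permission_to_revoke)
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => permission_to_revoke.privilege_set_name, :pristine_role => permission_to_revoke.pristine_role, :operation => '-'))
-
-@pristine_file.permission_set.should_not include(permission_to_revoke)
-end
-
-it "should not include the revoke permission itself" do
-revoke_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '-')
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => revoke_permission.privilege_set_name, :pristine_role => revoke_permission.pristine_role, :operation => '+'))
-@pristine_file.permissions.push(revoke_permission)
-
-@pristine_file.permission_set.should_not include(revoke_permission)
-end
-
-it "should contain the permission if it is re-applied" do
-re_applied_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '+'))
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '-'))
-@pristine_file.permissions.push(re_applied_permission)
-
-@pristine_file.permission_set.should include(re_applied_permission)
-end
-
-it "should raise an error if a permission is revoked which wasn't created before" do
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+'))
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "login", :pristine_role => @context_role, :operation => '+'))
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "blog_read", :pristine_role => @context_role, :operation => '-'))
-@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "update_blog", :pristine_role => @context_role, :operation => '+'))
-
-proc {
-@pristine_file.permission_set
-}.should raise_error(ArgumentError)
-
-end
-end
+require 'spec'
+require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
+require 'cbac/cbac_pristine/pristine'
+require 'cbac/cbac_pristine/pristine_permission'
+require 'cbac/cbac_pristine/pristine_role'
+require 'cbac/cbac_pristine/pristine_file'
+include Cbac::CbacPristine
+
+describe "CbacPristineFile" do
+before(:each) do
+@pristine_file = PristineFile.new("cbac.pristine")
+end
+
+describe "indicate if a line looks like a pristine line" do
+
+it "should indicate that a ruby style comment line is not a pristine line" do
+comment_line = "#this is a comment line in Ruby"
+
+@pristine_file.is_pristine_permission_line?(comment_line, 1).should be_false
+end
+
+it "should raise an error if the line does not look like a pristine line" do
+line = "this is not pristine line. And it isn't a comment. 1"
+
+proc{
+@pristine_file.is_pristine_permission_line?(line, 0)
+}.should raise_error(SyntaxError)
+end
+
+it "should return true in case of a valid pristine line" do
+line = "0:+:PrivilegeSet(login)ContextRole(everybody)"
+
+@pristine_file.is_pristine_permission_line?(line, 0).should be_true
+end
+
+it "should fail if the id of the pristine line contains a character" do
+line = "0b:+:PrivilegeSet(login)ContextRole(everybody)"
+
+proc{
+@pristine_file.is_pristine_permission_line?(line, 0)
+}.should raise_error(SyntaxError)
+end
+
+it "should succeed if the privilege set name is not provided" do
+line = "0:+:PrivilegeSet()Admin()"
+
+@pristine_file.is_pristine_permission_line?(line, 0).should be_true
+end
+
+it "should succeed if the context role name is not provided" do
+line = "0:+:PrivilegeSet(login)ContextRole()"
+
+@pristine_file.is_pristine_permission_line?(line, 0).should be_true
+end
+
+end
+
+describe "parse the privilege set name from a pristine line" do
+it "should fail if the privilege set name is not provided" do
+line = "0:+:PrivilegeSet()Admin()"
+
+proc{
+@pristine_file.parse_privilege_set_name(line, 0)
+}.should raise_error(SyntaxError)
+end
+
+it "should return the name of the privilege set provided in the line" do
+privilege_set_name = "chat"
+line = "0:+:PrivilegeSet(#{privilege_set_name})Admin()"
+
+@pristine_file.parse_privilege_set_name(line, 0).should == privilege_set_name
+end
+
+it "should fail if an invalid line is provided" do
+line = "0:+:ContextRole(toeteraars)"
+
+proc{
+@pristine_file.parse_privilege_set_name(line, 0)
+}.should raise_error(SyntaxError)
+end
+end
+
+describe "parse the role from a pristine line" do
+it "should return the admin role if the role is Admin()" do
+admin_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:admin], :name => 'administrator')
+PristineRole.stub!(:admin_role).and_return(admin_role)
+line = "0:+:PrivilegeSet(chat)Admin()"
+
+@pristine_file.parse_role(line, 0).should == admin_role
+end
+
+it "should return a context role if the role specified as ContextRole" do
+line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
+
+@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:context]
+end
+
+it "should return a context role with specified name if the role specified as ContextRole" do
+context_role_name = "logged_in_user"
+line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
+
+@pristine_file.parse_role(line, 0).name.should == context_role_name
+end
+
+it "should return an existing context role with specified name if possible" do
+context_role_name = "logged_in_user"
+line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
+existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
+
+@pristine_file.parse_role(line, 0).should == existing_context_role
+end
+
+it "should not return an existing context role with specified name if db should not be used" do
+context_role_name = "logged_in_user"
+line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
+existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
+
+@pristine_file.parse_role(line, 0, false).should_not == existing_context_role
+end
+
+it "should return a context role with id of 0 if the role specified as ContextRole" do
+line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
+
+@pristine_file.parse_role(line, 0).role_id.should == 0
+end
+
+it "should fail if an invalid line is provided" do
+line = "0:+:PrivilegeSet(toeteraars)"
+
+proc{
+@pristine_file.parse_role(line, 0)
+}.should raise_error(SyntaxError)
+end
+
+it "should fail if a generic role is provided for the normal (non-generic) pristine file" do
+line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
+
+proc{
+@pristine_file.parse_role(line, 0)
+}.should raise_error(SyntaxError)
+end
+
+
+it "should return a generic role if a generic pristine file is used" do
+@pristine_file = GenericPristineFile.new("cbac.pristine")
+line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
+
+@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:generic]
+end
+
+it "should return an existing generic role if use_db is not specified" do
+generic_role_name = 'group_admins'
+@pristine_file = GenericPristineFile.new("cbac.pristine")
+line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
+existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
+
+@pristine_file.parse_role(line, 0).should == existing_role
+end
+
+it "should not use an existing role if use_db is set to false" do
+generic_role_name = 'group_admins'
+@pristine_file = GenericPristineFile.new("cbac.pristine")
+line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
+existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
+
+@pristine_file.parse_role(line, 0, false).should_not == existing_role
+end
+
+it "should fail if an Admin role is used in a generic pristine file" do
+@pristine_file = GenericPristineFile.new("cbac.pristine")
+line = "0:+:PrivilegeSet(chat)Admin()"
+
+proc{
+@pristine_file.parse_role(line, 0)
+}.should raise_error(SyntaxError)
+end
+
+it "should fail if an context role is used in a generic pristine file" do
+@pristine_file = GenericPristineFile.new("cbac.pristine")
+line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
+
+proc{
+@pristine_file.parse_role(line, 0)
+}.should raise_error(SyntaxError)
+end
+
+it "should fail if an invalid line is provided in a generic pristine file" do
+@pristine_file = GenericPristineFile.new("cbac.pristine")
+line = "0:+:PrivilegeSet(toeteraars)"
+
+proc{
+@pristine_file.parse_role(line, 0)
+}.should raise_error(SyntaxError)
+end
+end
+
+describe "parsing a cbac_pristine file" do
+
+it "should fail if a row number is used twice" do
+pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+pristine_file_lines.push("0:+:PrivilegeSet(log_in)ContextRole(everybody)")
+
+File.stub!(:open).and_return(pristine_file_lines)
+
+pristine_file = PristineFile.new("cbac.pristine")
+
+proc{
+pristine_file.parse
+}.should raise_error(SyntaxError)
+end
+
+it "should fill the lines array with an object for each file line" do
+pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+pristine_file_lines.push("2:+:PrivilegeSet(log_out)ContextRole(logged_in_user)")
+
+File.stub!(:open).and_return(pristine_file_lines)
+
+pristine_file = PristineFile.new("cbac.pristine")
+pristine_file.parse
+
+pristine_file.permissions.length.should == pristine_file_lines.length
+end
+
+it "should not create an object for a comment line" do
+pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+pristine_file_lines.push("#this is a Ruby comment line")
+
+File.stub!(:open).and_return(pristine_file_lines)
+
+pristine_file = PristineFile.new("cbac.pristine")
+pristine_file.parse
+
+pristine_file.permissions.length.should == 2
+end
+
+it "should also add a permission object if permission is revoked (operand - is used)" do
+pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(logged_in_user)")
+
+File.stub!(:open).and_return(pristine_file_lines)
+
+pristine_file = PristineFile.new("cbac.pristine")
+pristine_file.parse
+
+pristine_file.permissions.length.should == 3
+pristine_file.permissions[2].operation.should == '-'
+end
+
+it "should fail if a permission is revoked which wasn't added before" do
+pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
+pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(everybody)")
+
+File.stub!(:open).and_return(pristine_file_lines)
+
+pristine_file = PristineFile.new("cbac.pristine")
+proc{
+pristine_file.parse
+}.should raise_error(SyntaxError)
+end
+
+it "should fail if an x is used as an operand" do
+pristine_file_lines = ["0:x:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+File.stub!(:open).and_return(pristine_file_lines)
+
+pristine_file = PristineFile.new("cbac.pristine")
+proc{
+pristine_file.parse
+}.should raise_error(NotImplementedError)
+end
+
+it "should fail if an => is used as an operand" do
+pristine_file_lines = ["0:=>:PrivilegeSet(chat)ContextRole(logged_in_user)"]
+File.stub!(:open).and_return(pristine_file_lines)
+
+pristine_file = PristineFile.new("cbac.pristine")
+proc{
+pristine_file.parse
+}.should raise_error(NotImplementedError)
+end
+end
+
+describe "permission set" do
+before(:each) do
+@context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
+@admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin],:name => "administrator")
+@pristine_file = PristineFile.new("cbac.pristine")
+end
+
+it "should filter out the permissions which were revoked" do
+permission_to_revoke = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
+@pristine_file.permissions.push(permission_to_revoke)
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => permission_to_revoke.privilege_set_name, :pristine_role => permission_to_revoke.pristine_role, :operation => '-'))
+
+@pristine_file.permission_set.should_not include(permission_to_revoke)
+end
+
+it "should not include the revoke permission itself" do
+revoke_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '-')
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => revoke_permission.privilege_set_name, :pristine_role => revoke_permission.pristine_role, :operation => '+'))
+@pristine_file.permissions.push(revoke_permission)
+
+@pristine_file.permission_set.should_not include(revoke_permission)
+end
+
+it "should contain the permission if it is re-applied" do
+re_applied_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '+'))
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '-'))
+@pristine_file.permissions.push(re_applied_permission)
+
+@pristine_file.permission_set.should include(re_applied_permission)
+end
+
+it "should raise an error if a permission is revoked which wasn't created before" do
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+'))
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "login", :pristine_role => @context_role, :operation => '+'))
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "blog_read", :pristine_role => @context_role, :operation => '-'))
+@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "update_blog", :pristine_role => @context_role, :operation => '+'))
+
+proc {
+@pristine_file.permission_set
+}.should raise_error(ArgumentError)
+
+end
+end
 end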