cbac 0.6.10 → 0.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +4 -0
- data/.rspec +1 -0
- data/Gemfile +0 -4
- data/README.rdoc +3 -2
- data/Rakefile +1 -1
- data/cbac.gemspec +21 -28
- data/lib/cbac.rb +14 -6
- data/lib/cbac/cbac_pristine/pristine_file.rb +2 -2
- data/lib/cbac/cbac_pristine/pristine_permission.rb +29 -13
- data/lib/cbac/cbac_pristine/pristine_role.rb +1 -1
- data/lib/cbac/generic_role.rb +0 -1
- data/lib/cbac/known_permission.rb +2 -2
- data/lib/cbac/privilege.rb +2 -1
- data/lib/cbac/privilege_set.rb +1 -1
- data/lib/cbac/version.rb +1 -1
- data/lib/generators/cbac/copy_files/controllers/generic_roles_controller.rb +7 -2
- data/lib/generators/cbac/copy_files/migrate/create_cbac_from_scratch.rb +7 -7
- data/lib/generators/cbac/copy_files/tasks/cbac.rake +1 -1
- data/migrations/20110211105533_add_pristine_files_to_cbac_upgrade_path.rb +1 -1
- data/spec/cbac_authorization_check_spec.rb +7 -8
- data/spec/cbac_pristine_file_spec.rb +94 -92
- data/spec/cbac_pristine_permission_spec.rb +102 -100
- data/spec/cbac_pristine_role_spec.rb +23 -24
- data/spec/fixtures/controllers/dating/daughter_controller.rb +3 -2
- data/tasks/cbac.rake +1 -1
- data/test/test_helper.rb +1 -1
- metadata +57 -94
- data/Gemfile.lock +0 -121
@@ -8,272 +8,274 @@ describe "CbacPristineFile" do
|
|
8
8
|
end
|
9
9
|
|
10
10
|
describe "indicate if a line looks like a pristine line" do
|
11
|
-
it "
|
11
|
+
it "indicates that a ruby style comment line is not a pristine line" do
|
12
12
|
comment_line = "#this is a comment line in Ruby"
|
13
13
|
|
14
|
-
@pristine_file.is_pristine_permission_line?(comment_line, 1).
|
14
|
+
expect(@pristine_file.is_pristine_permission_line?(comment_line, 1)).to be_falsy
|
15
15
|
end
|
16
16
|
|
17
|
-
it "
|
17
|
+
it "raises an error if the line does not look like a pristine line" do
|
18
18
|
line = "this is not pristine line. And it isn't a comment. 1"
|
19
19
|
|
20
|
-
proc{
|
20
|
+
expect(proc{
|
21
21
|
@pristine_file.is_pristine_permission_line?(line, 0)
|
22
|
-
}.
|
22
|
+
}).to raise_error(SyntaxError)
|
23
23
|
end
|
24
24
|
|
25
|
-
it "
|
25
|
+
it "returns true in case of a valid pristine line" do
|
26
26
|
line = "0:+:PrivilegeSet(login)ContextRole(everybody)"
|
27
27
|
|
28
|
-
@pristine_file.is_pristine_permission_line?(line, 0).
|
28
|
+
expect(@pristine_file.is_pristine_permission_line?(line, 0)).to be_truthy
|
29
29
|
end
|
30
30
|
|
31
|
-
it "
|
31
|
+
it "fails if the id of the pristine line contains a character" do
|
32
32
|
line = "0b:+:PrivilegeSet(login)ContextRole(everybody)"
|
33
33
|
|
34
|
-
proc{
|
34
|
+
expect(proc{
|
35
35
|
@pristine_file.is_pristine_permission_line?(line, 0)
|
36
|
-
}.
|
36
|
+
}).to raise_error(SyntaxError)
|
37
37
|
end
|
38
38
|
|
39
|
-
it "
|
39
|
+
it "succeeds if the privilege set name is not provided" do
|
40
40
|
line = "0:+:PrivilegeSet()Admin()"
|
41
41
|
|
42
|
-
@pristine_file.is_pristine_permission_line?(line, 0).
|
42
|
+
expect(@pristine_file.is_pristine_permission_line?(line, 0)).to be_truthy
|
43
43
|
end
|
44
44
|
|
45
|
-
it "
|
45
|
+
it "succeeds if the context role name is not provided" do
|
46
46
|
line = "0:+:PrivilegeSet(login)ContextRole()"
|
47
47
|
|
48
|
-
@pristine_file.is_pristine_permission_line?(line, 0).
|
48
|
+
expect(@pristine_file.is_pristine_permission_line?(line, 0)).to be_truthy
|
49
49
|
end
|
50
50
|
|
51
51
|
end
|
52
52
|
|
53
53
|
describe "parse the privilege set name from a pristine line" do
|
54
|
-
it "
|
54
|
+
it "fails if the privilege set name is not provided" do
|
55
55
|
line = "0:+:PrivilegeSet()Admin()"
|
56
56
|
|
57
|
-
proc{
|
57
|
+
expect(proc{
|
58
58
|
@pristine_file.parse_privilege_set_name(line, 0)
|
59
|
-
}.
|
59
|
+
}).to raise_error(SyntaxError)
|
60
60
|
end
|
61
61
|
|
62
|
-
it "
|
62
|
+
it "returns the name of the privilege set provided in the line" do
|
63
63
|
privilege_set_name = "chat"
|
64
64
|
line = "0:+:PrivilegeSet(#{privilege_set_name})Admin()"
|
65
65
|
|
66
|
-
@pristine_file.parse_privilege_set_name(line, 0).
|
66
|
+
expect(@pristine_file.parse_privilege_set_name(line, 0)).to eq(privilege_set_name)
|
67
67
|
end
|
68
68
|
|
69
|
-
it "
|
69
|
+
it "fails if an invalid line is provided" do
|
70
70
|
line = "0:+:ContextRole(toeteraars)"
|
71
71
|
|
72
|
-
proc{
|
72
|
+
expect(proc{
|
73
73
|
@pristine_file.parse_privilege_set_name(line, 0)
|
74
|
-
}.
|
74
|
+
}).to raise_error(SyntaxError)
|
75
75
|
end
|
76
76
|
end
|
77
77
|
|
78
78
|
describe "parse the role from a pristine line" do
|
79
|
-
it "
|
79
|
+
it "returns the admin role if the role is Admin()" do
|
80
80
|
admin_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:admin], :name => 'administrator')
|
81
|
-
PristineRole.
|
81
|
+
allow(PristineRole).to receive(:admin_role).and_return(admin_role)
|
82
82
|
line = "0:+:PrivilegeSet(chat)Admin()"
|
83
83
|
|
84
|
-
@pristine_file.parse_role(line, 0).
|
84
|
+
expect(@pristine_file.parse_role(line, 0)).to eq(admin_role)
|
85
85
|
end
|
86
86
|
|
87
|
-
it "
|
87
|
+
it "returns a context role if the role specified as ContextRole" do
|
88
88
|
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
89
89
|
|
90
|
-
@pristine_file.parse_role(line, 0).role_type.
|
90
|
+
expect(@pristine_file.parse_role(line, 0).role_type).to eq(PristineRole.ROLE_TYPES[:context])
|
91
91
|
end
|
92
92
|
|
93
|
-
it "
|
93
|
+
it "returns a context role with specified name if the role specified as ContextRole" do
|
94
94
|
context_role_name = "logged_in_user"
|
95
95
|
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
96
96
|
|
97
|
-
@pristine_file.parse_role(line, 0).name.
|
97
|
+
expect(@pristine_file.parse_role(line, 0).name).to eq(context_role_name)
|
98
98
|
end
|
99
99
|
|
100
|
-
it "
|
100
|
+
it "returns an existing context role with specified name if possible" do
|
101
101
|
context_role_name = "logged_in_user"
|
102
102
|
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
103
103
|
existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
|
104
104
|
|
105
|
-
@pristine_file.parse_role(line, 0).
|
105
|
+
expect(@pristine_file.parse_role(line, 0)).to eq(existing_context_role)
|
106
106
|
end
|
107
107
|
|
108
|
-
it "
|
108
|
+
it "does not return an existing context role with specified name if db should not be used" do
|
109
109
|
context_role_name = "logged_in_user"
|
110
110
|
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
111
111
|
existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
|
112
112
|
|
113
|
-
@pristine_file.parse_role(line, 0, false).
|
113
|
+
expect(@pristine_file.parse_role(line, 0, false)).not_to eq(existing_context_role)
|
114
114
|
end
|
115
115
|
|
116
|
-
it "
|
116
|
+
it "returns a context role with id of 0 if the role specified as ContextRole" do
|
117
117
|
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
118
118
|
|
119
|
-
@pristine_file.parse_role(line, 0).role_id.
|
119
|
+
expect(@pristine_file.parse_role(line, 0).role_id).to eq(0)
|
120
120
|
end
|
121
121
|
|
122
|
-
it "
|
122
|
+
it "fails if an invalid line is provided" do
|
123
123
|
line = "0:+:PrivilegeSet(toeteraars)"
|
124
124
|
|
125
|
-
proc{
|
125
|
+
expect(proc{
|
126
126
|
@pristine_file.parse_role(line, 0)
|
127
|
-
}.
|
127
|
+
}).to raise_error(SyntaxError)
|
128
128
|
end
|
129
129
|
|
130
|
-
it "
|
130
|
+
it "fails if a generic role is provided for the normal (non-generic) pristine file" do
|
131
131
|
line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
|
132
132
|
|
133
|
-
proc{
|
133
|
+
expect(proc{
|
134
134
|
@pristine_file.parse_role(line, 0)
|
135
|
-
}.
|
135
|
+
}).to raise_error(SyntaxError)
|
136
136
|
end
|
137
137
|
|
138
|
-
|
139
|
-
it "should return a generic role if a generic pristine file is used" do
|
138
|
+
it "returns a generic role if a generic pristine file is used" do
|
140
139
|
@pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
|
141
140
|
line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
|
142
141
|
|
143
|
-
@pristine_file.parse_role(line, 0).role_type.
|
142
|
+
expect(@pristine_file.parse_role(line, 0).role_type).to eq(PristineRole.ROLE_TYPES[:generic])
|
144
143
|
end
|
145
144
|
|
146
|
-
it "
|
145
|
+
it "returns an existing generic role if use_db is not specified" do
|
147
146
|
generic_role_name = 'group_admins'
|
148
147
|
@pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
|
149
148
|
line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
|
150
149
|
existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
|
151
150
|
|
152
|
-
@pristine_file.parse_role(line, 0).
|
151
|
+
expect(@pristine_file.parse_role(line, 0)).to eq(existing_role)
|
153
152
|
end
|
154
153
|
|
155
|
-
it "
|
154
|
+
it "does not use an existing role if use_db is set to false" do
|
156
155
|
generic_role_name = 'group_admins'
|
157
156
|
@pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
|
158
157
|
line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
|
159
158
|
existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
|
160
159
|
|
161
|
-
@pristine_file.parse_role(line, 0, false).
|
160
|
+
expect(@pristine_file.parse_role(line, 0, false)).not_to eq(existing_role)
|
162
161
|
end
|
163
162
|
|
164
|
-
it "
|
163
|
+
it "fails if an Admin role is used in a generic pristine file" do
|
165
164
|
@pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
|
166
165
|
line = "0:+:PrivilegeSet(chat)Admin()"
|
167
166
|
|
168
|
-
proc{
|
167
|
+
expect(proc{
|
169
168
|
@pristine_file.parse_role(line, 0)
|
170
|
-
}.
|
169
|
+
}).to raise_error(SyntaxError)
|
171
170
|
end
|
172
171
|
|
173
|
-
it "
|
172
|
+
it "fails if an context role is used in a generic pristine file" do
|
174
173
|
@pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
|
175
174
|
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
176
175
|
|
177
|
-
proc{
|
176
|
+
expect(proc{
|
178
177
|
@pristine_file.parse_role(line, 0)
|
179
|
-
}.
|
178
|
+
}).to raise_error(SyntaxError)
|
180
179
|
end
|
181
180
|
|
182
|
-
it "
|
181
|
+
it "fails if an invalid line is provided in a generic pristine file" do
|
183
182
|
@pristine_file = GenericPristineFile.new(:file_name =>"cbac.pristine")
|
184
183
|
line = "0:+:PrivilegeSet(toeteraars)"
|
185
184
|
|
186
|
-
proc{
|
185
|
+
expect(proc{
|
187
186
|
@pristine_file.parse_role(line, 0)
|
188
|
-
}.
|
187
|
+
}).to raise_error(SyntaxError)
|
189
188
|
end
|
190
189
|
end
|
191
190
|
|
192
191
|
describe "parsing a cbac_pristine file" do
|
193
|
-
it "
|
192
|
+
it "fails if a row number is used twice" do
|
194
193
|
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
195
194
|
pristine_file_lines.push("0:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
196
195
|
|
197
|
-
File.
|
196
|
+
allow(File).to receive(:open).and_return(pristine_file_lines)
|
198
197
|
|
199
198
|
pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
200
199
|
|
201
|
-
proc{
|
200
|
+
expect(proc{
|
202
201
|
pristine_file.parse
|
203
|
-
}.
|
202
|
+
}).to raise_error(SyntaxError)
|
204
203
|
end
|
205
204
|
|
206
|
-
it "
|
205
|
+
it "fills the lines array with an object for each file line" do
|
207
206
|
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
208
207
|
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
209
208
|
pristine_file_lines.push("2:+:PrivilegeSet(log_out)ContextRole(logged_in_user)")
|
210
209
|
|
211
|
-
File.
|
210
|
+
allow(File).to receive(:open).and_return(pristine_file_lines)
|
212
211
|
|
213
212
|
pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
214
213
|
pristine_file.parse
|
215
214
|
|
216
|
-
pristine_file.permissions.length.
|
215
|
+
expect(pristine_file.permissions.length).to eq(pristine_file_lines.length)
|
217
216
|
end
|
218
217
|
|
219
|
-
it "
|
218
|
+
it "does not create an object for a comment line" do
|
220
219
|
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
221
220
|
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
222
221
|
pristine_file_lines.push("#this is a Ruby comment line")
|
223
222
|
|
224
|
-
File.
|
223
|
+
allow(File).to receive(:open).and_return(pristine_file_lines)
|
225
224
|
|
226
225
|
pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
227
226
|
pristine_file.parse
|
228
227
|
|
229
|
-
pristine_file.permissions.length.
|
228
|
+
expect(pristine_file.permissions.length).to eq(2)
|
230
229
|
end
|
231
230
|
|
232
|
-
it "
|
231
|
+
it "also adds a permission object if permission is revoked (operand - is used)" do
|
233
232
|
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
234
233
|
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
235
234
|
pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(logged_in_user)")
|
236
235
|
|
237
|
-
File.
|
236
|
+
allow(File).to receive(:open).and_return(pristine_file_lines)
|
238
237
|
|
239
238
|
pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
240
239
|
pristine_file.parse
|
241
240
|
|
242
|
-
pristine_file.permissions.length.
|
243
|
-
pristine_file.permissions[2].operation.
|
241
|
+
expect(pristine_file.permissions.length).to eq(3)
|
242
|
+
expect(pristine_file.permissions[2].operation).to eq('-')
|
244
243
|
end
|
245
244
|
|
246
|
-
it "
|
245
|
+
it "fails if a permission is revoked which wasn't added before" do
|
247
246
|
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
248
247
|
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
249
248
|
pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(everybody)")
|
250
249
|
|
251
|
-
File.
|
250
|
+
allow(File).to receive(:open).and_return(pristine_file_lines)
|
252
251
|
|
253
252
|
pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
254
|
-
|
253
|
+
|
254
|
+
expect(proc{
|
255
255
|
pristine_file.parse
|
256
|
-
}.
|
256
|
+
}).to raise_error(SyntaxError)
|
257
257
|
end
|
258
258
|
|
259
|
-
it "
|
259
|
+
it "fails if an x is used as an operand" do
|
260
260
|
pristine_file_lines = ["0:x:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
261
|
-
File.
|
261
|
+
allow(File).to receive(:open).and_return(pristine_file_lines)
|
262
262
|
|
263
263
|
pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
264
|
-
|
264
|
+
|
265
|
+
expect(proc{
|
265
266
|
pristine_file.parse
|
266
|
-
}.
|
267
|
+
}).to raise_error(NotImplementedError)
|
267
268
|
end
|
268
269
|
|
269
|
-
it "
|
270
|
+
it "fails if an => is used as an operand" do
|
270
271
|
pristine_file_lines = ["0:=>:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
271
|
-
File.
|
272
|
+
allow(File).to receive(:open).and_return(pristine_file_lines)
|
272
273
|
|
273
274
|
pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
274
|
-
|
275
|
+
|
276
|
+
expect(proc{
|
275
277
|
pristine_file.parse
|
276
|
-
}.
|
278
|
+
}).to raise_error(NotImplementedError)
|
277
279
|
end
|
278
280
|
end
|
279
281
|
|
@@ -284,40 +286,40 @@ describe "CbacPristineFile" do
|
|
284
286
|
@pristine_file = PristineFile.new(:file_name =>"cbac.pristine")
|
285
287
|
end
|
286
288
|
|
287
|
-
it "
|
289
|
+
it "filters out the permissions which were revoked" do
|
288
290
|
permission_to_revoke = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
|
289
291
|
@pristine_file.permissions.push(permission_to_revoke)
|
290
292
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => permission_to_revoke.privilege_set_name, :pristine_role => permission_to_revoke.pristine_role, :operation => '-'))
|
291
293
|
|
292
|
-
@pristine_file.permission_set.
|
294
|
+
expect(@pristine_file.permission_set).not_to include(permission_to_revoke)
|
293
295
|
end
|
294
296
|
|
295
|
-
it "
|
297
|
+
it "does not include the revoke permission itself" do
|
296
298
|
revoke_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '-')
|
297
299
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => revoke_permission.privilege_set_name, :pristine_role => revoke_permission.pristine_role, :operation => '+'))
|
298
300
|
@pristine_file.permissions.push(revoke_permission)
|
299
301
|
|
300
|
-
@pristine_file.permission_set.
|
302
|
+
expect(@pristine_file.permission_set).not_to include(revoke_permission)
|
301
303
|
end
|
302
304
|
|
303
|
-
it "
|
305
|
+
it "contains the permission if it is re-applied" do
|
304
306
|
re_applied_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
|
305
307
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '+'))
|
306
308
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '-'))
|
307
309
|
@pristine_file.permissions.push(re_applied_permission)
|
308
310
|
|
309
|
-
@pristine_file.permission_set.
|
311
|
+
expect(@pristine_file.permission_set).to include(re_applied_permission)
|
310
312
|
end
|
311
313
|
|
312
|
-
it "
|
314
|
+
it "raises an error if a permission is revoked which wasn't created before" do
|
313
315
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+'))
|
314
316
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "login", :pristine_role => @context_role, :operation => '+'))
|
315
317
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "blog_read", :pristine_role => @context_role, :operation => '-'))
|
316
318
|
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "update_blog", :pristine_role => @context_role, :operation => '+'))
|
317
319
|
|
318
|
-
proc {
|
320
|
+
expect(proc {
|
319
321
|
@pristine_file.permission_set
|
320
|
-
}.
|
322
|
+
}).to raise_error(ArgumentError)
|
321
323
|
end
|
322
324
|
end
|
323
325
|
end
|
@@ -9,60 +9,62 @@ describe "CbacPristinePermission" do
|
|
9
9
|
@context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "chat_starter")
|
10
10
|
end
|
11
11
|
|
12
|
-
it "
|
12
|
+
it "raises an error if the pristine line has no role" do
|
13
13
|
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => 'log_in', :pristine_role => nil)
|
14
|
-
|
14
|
+
|
15
|
+
expect(lambda {
|
15
16
|
pristine_permission.to_yml_fixture
|
16
|
-
}.
|
17
|
+
}).to raise_error(ArgumentError)
|
17
18
|
end
|
18
19
|
|
19
|
-
it "
|
20
|
+
it "raises an error if the pristine line has no privilege_set_name" do
|
20
21
|
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "", :pristine_role => @context_role)
|
21
|
-
|
22
|
+
|
23
|
+
expect(lambda {
|
22
24
|
pristine_permission.to_yml_fixture
|
23
|
-
}.
|
25
|
+
}).to raise_error(ArgumentError)
|
24
26
|
end
|
25
27
|
|
26
|
-
it "
|
28
|
+
it "returns a yml string starting with cbac_permission_ " do
|
27
29
|
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
|
28
30
|
|
29
|
-
pristine_permission.to_yml_fixture.
|
31
|
+
expect(pristine_permission.to_yml_fixture).to match(/\Acbac_permission_/)
|
30
32
|
end
|
31
33
|
|
32
|
-
it "
|
34
|
+
it "returns a yml string containing the line number of the pristine line" do
|
33
35
|
line_number= 100
|
34
36
|
pristine_permission = PristinePermission.new(:line_number => line_number, :privilege_set_name => "chat", :pristine_role => @context_role)
|
35
37
|
|
36
|
-
pristine_permission.to_yml_fixture.
|
38
|
+
expect(pristine_permission.to_yml_fixture).to match(/id: #{line_number}/)
|
37
39
|
end
|
38
40
|
|
39
|
-
it "
|
41
|
+
it "returns a yml string containing a generic role id of 0 if a context_role is used" do
|
40
42
|
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
41
43
|
|
42
|
-
pristine_permission.to_yml_fixture.
|
44
|
+
expect(pristine_permission.to_yml_fixture).to match(/generic_role_id: 0/)
|
43
45
|
end
|
44
46
|
|
45
|
-
it "
|
47
|
+
it "returns a yml string containing the name of the context role if a context_role is used" do
|
46
48
|
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
47
49
|
|
48
|
-
pristine_permission.to_yml_fixture.
|
50
|
+
expect(pristine_permission.to_yml_fixture).to match(/context_role: #{@context_role.name}/)
|
49
51
|
end
|
50
52
|
|
51
|
-
it "
|
53
|
+
it "returns a yml string containing the id of the generic role if a generic role is used" do
|
52
54
|
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @admin_role)
|
53
55
|
|
54
|
-
pristine_permission.to_yml_fixture.
|
56
|
+
expect(pristine_permission.to_yml_fixture).to match(/generic_role_id: #{@admin_role.id.to_s}/)
|
55
57
|
end
|
56
58
|
|
57
|
-
it "
|
59
|
+
it "returns a yml string containing ruby code to find the privilege set by name" do
|
58
60
|
pristine_permission = PristinePermission.new(:line_number => 150, :privilege_set_name => "chat", :pristine_role => @context_role)
|
59
61
|
|
60
|
-
pristine_permission.to_yml_fixture.
|
62
|
+
expect(pristine_permission.to_yml_fixture).to match(/privilege_set_id: \<%= Cbac::PrivilegeSetRecord.where\(name: '#{pristine_permission.privilege_set_name}'\)\.first\.id %>/)
|
61
63
|
end
|
62
64
|
|
63
|
-
it "
|
65
|
+
it "returns a yml string containing created_at and updated_at" do
|
64
66
|
pristine_permission = PristinePermission.new(:line_number => 1, :privilege_set_name => "chat", :pristine_role => @context_role)
|
65
|
-
pristine_permission.to_yml_fixture.
|
67
|
+
expect(pristine_permission.to_yml_fixture).to match(/created_at:.+updated_at:/m)
|
66
68
|
end
|
67
69
|
end
|
68
70
|
|
@@ -75,49 +77,49 @@ describe "CbacPristinePermission" do
|
|
75
77
|
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
|
76
78
|
end
|
77
79
|
|
78
|
-
it "
|
80
|
+
it "returns true if the pristine permission exists as generic cbac permission in the database" do
|
79
81
|
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => @admin_role.id)
|
80
82
|
|
81
83
|
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
82
84
|
|
83
|
-
pristine_permission.cbac_permission_exists
|
85
|
+
expect(pristine_permission.cbac_permission_exists?).to be_truthy
|
84
86
|
end
|
85
87
|
|
86
|
-
it "
|
88
|
+
it "returns true if the pristine permission exists as context cbac permission in the database" do
|
87
89
|
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
88
90
|
|
89
91
|
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
90
92
|
|
91
|
-
pristine_permission.cbac_permission_exists
|
93
|
+
expect(pristine_permission.cbac_permission_exists?).to be_truthy
|
92
94
|
end
|
93
95
|
|
94
|
-
it "
|
96
|
+
it "returns false if the pristine permission does not exist as context cbac permission in the database" do
|
95
97
|
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
96
98
|
|
97
|
-
pristine_permission.cbac_permission_exists
|
99
|
+
expect(pristine_permission.cbac_permission_exists?).to be_falsey
|
98
100
|
end
|
99
101
|
|
100
|
-
it "
|
102
|
+
it "returns false if the pristine permission does not exist as a generic cbac permission in the database" do
|
101
103
|
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
102
104
|
|
103
|
-
pristine_permission.cbac_permission_exists
|
105
|
+
expect(pristine_permission.cbac_permission_exists?).to be_falsey
|
104
106
|
end
|
105
107
|
|
106
|
-
it "
|
108
|
+
it "returns false if a similar pristine permission exist as a generic cbac permission in the database, but for another generic role" do
|
107
109
|
group_admin = Cbac::GenericRole.create(:name => "group_administrator")
|
108
110
|
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => group_admin.id)
|
109
111
|
|
110
112
|
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_admin_role)
|
111
113
|
|
112
|
-
pristine_permission.cbac_permission_exists
|
114
|
+
expect(pristine_permission.cbac_permission_exists?).to be_falsey
|
113
115
|
end
|
114
116
|
|
115
|
-
it "
|
117
|
+
it "returns false if a similar pristine permission exist as a context cbac permission in the database, but for another context role" do
|
116
118
|
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => "group_owner")
|
117
119
|
|
118
120
|
pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name, :pristine_role => @pristine_context_role)
|
119
121
|
|
120
|
-
pristine_permission.cbac_permission_exists
|
122
|
+
expect(pristine_permission.cbac_permission_exists?).to be_falsey
|
121
123
|
end
|
122
124
|
end
|
123
125
|
|
@@ -127,12 +129,12 @@ describe "CbacPristinePermission" do
|
|
127
129
|
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
128
130
|
end
|
129
131
|
|
130
|
-
it "
|
132
|
+
it "returns true if the pristine permission exists as a known permission in the database" do
|
131
133
|
pristine_permission = PristinePermission.new(:pristine_role => @pristine_admin_role, :line_number => 4, :privilege_set_name => "not relevant")
|
132
134
|
|
133
135
|
Cbac::KnownPermission.create(:permission_number => pristine_permission.line_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
|
134
136
|
|
135
|
-
pristine_permission.known_permission_exists
|
137
|
+
expect(pristine_permission.known_permission_exists?).to be_truthy
|
136
138
|
end
|
137
139
|
end
|
138
140
|
|
@@ -147,30 +149,30 @@ describe "CbacPristinePermission" do
|
|
147
149
|
@pristine_permission.operation = '+'
|
148
150
|
@pristine_permission.line_number = rand
|
149
151
|
|
150
|
-
@pristine_file =
|
151
|
-
@pristine_permission.
|
152
|
+
@pristine_file = double('pristine_file', :permissions => [ @pristine_permission ])
|
153
|
+
allow(@pristine_permission).to receive(:pristine_file).and_return @pristine_file
|
152
154
|
end
|
153
155
|
|
154
|
-
it "
|
155
|
-
proc {
|
156
|
+
it "creates a known permission to record a change" do
|
157
|
+
expect(proc {
|
156
158
|
@pristine_permission.accept
|
157
|
-
}.
|
159
|
+
}).to change(Cbac::KnownPermission, :count).by(1)
|
158
160
|
end
|
159
161
|
|
160
|
-
it "
|
162
|
+
it "creates a known permission with specified permission identifier" do
|
161
163
|
@pristine_permission.accept
|
162
164
|
|
163
165
|
known_permission = Cbac::KnownPermission.last
|
164
166
|
|
165
|
-
known_permission.permission_number.
|
167
|
+
expect(known_permission.permission_number).to eq(@pristine_permission.line_number)
|
166
168
|
end
|
167
169
|
|
168
|
-
it "
|
170
|
+
it "creates a known permission with specified role type" do
|
169
171
|
@pristine_permission.accept
|
170
172
|
|
171
173
|
known_permission = Cbac::KnownPermission.last
|
172
174
|
|
173
|
-
known_permission.permission_type.
|
175
|
+
expect(known_permission.permission_type).to eq(Cbac::KnownPermission.PERMISSION_TYPES[:context])
|
174
176
|
end
|
175
177
|
|
176
178
|
context "if the operation is '-'" do
|
@@ -180,10 +182,10 @@ describe "CbacPristinePermission" do
|
|
180
182
|
@pristine_permission.operation = '-'
|
181
183
|
end
|
182
184
|
|
183
|
-
it "
|
184
|
-
proc {
|
185
|
+
it "still creates a known permission" do
|
186
|
+
expect(proc {
|
185
187
|
@pristine_permission.accept
|
186
|
-
}.
|
188
|
+
}).to change(Cbac::KnownPermission, :count).by(1)
|
187
189
|
end
|
188
190
|
end
|
189
191
|
end
|
@@ -197,7 +199,7 @@ describe "CbacPristinePermission" do
|
|
197
199
|
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => @admin_role.name)
|
198
200
|
|
199
201
|
@pristine_permission = PristinePermission.new(:privilege_set_name => @privilege_set.name)
|
200
|
-
@pristine_permission.
|
202
|
+
allow(@pristine_permission).to receive(:register_change)
|
201
203
|
end
|
202
204
|
|
203
205
|
context "if operation '+' is used" do
|
@@ -211,22 +213,22 @@ describe "CbacPristinePermission" do
|
|
211
213
|
@pristine_permission.save!
|
212
214
|
end
|
213
215
|
|
214
|
-
it "
|
215
|
-
proc {
|
216
|
+
it "deletes the pristine permission since it was accepted" do
|
217
|
+
expect(proc {
|
216
218
|
@pristine_permission.accept
|
217
|
-
}.
|
219
|
+
}).to change(PristinePermission, :count).by(-1)
|
218
220
|
end
|
219
221
|
|
220
|
-
it "
|
221
|
-
@pristine_permission.
|
222
|
+
it "registers the change" do
|
223
|
+
expect(@pristine_permission).to receive(:register_change)
|
222
224
|
|
223
225
|
@pristine_permission.accept
|
224
226
|
end
|
225
227
|
|
226
|
-
it "
|
227
|
-
proc {
|
228
|
+
it "adds the context permission to the database" do
|
229
|
+
expect(proc {
|
228
230
|
@pristine_permission.accept
|
229
|
-
}.
|
231
|
+
}).to change(Cbac::Permission, :count).by(1)
|
230
232
|
end
|
231
233
|
end
|
232
234
|
|
@@ -236,31 +238,31 @@ describe "CbacPristinePermission" do
|
|
236
238
|
@pristine_permission.save!
|
237
239
|
end
|
238
240
|
|
239
|
-
it "
|
240
|
-
proc {
|
241
|
+
it "deletes the pristine permission since it was accepted" do
|
242
|
+
expect(proc {
|
241
243
|
@pristine_permission.accept
|
242
|
-
}.
|
244
|
+
}).to change(PristinePermission, :count).by(-1)
|
243
245
|
end
|
244
246
|
|
245
|
-
it "
|
246
|
-
@pristine_permission.
|
247
|
+
it "registers the change" do
|
248
|
+
expect(@pristine_permission).to receive(:register_change)
|
247
249
|
|
248
250
|
@pristine_permission.accept
|
249
251
|
end
|
250
252
|
|
251
|
-
it "
|
252
|
-
proc {
|
253
|
+
it "creates a generic permission" do
|
254
|
+
expect(proc {
|
253
255
|
@pristine_permission.accept
|
254
|
-
}.
|
256
|
+
}).to change(Cbac::Permission, :count).by(1)
|
255
257
|
end
|
256
258
|
|
257
259
|
context "and the given role already exists" do
|
258
|
-
it "
|
260
|
+
it "uses the existing role" do
|
259
261
|
@pristine_permission.pristine_role = @pristine_admin_role
|
260
262
|
|
261
263
|
@pristine_permission.accept
|
262
264
|
|
263
|
-
Cbac::Permission.last.generic_role.
|
265
|
+
expect(Cbac::Permission.last.generic_role).to eq(@admin_role)
|
264
266
|
end
|
265
267
|
end
|
266
268
|
|
@@ -269,10 +271,10 @@ describe "CbacPristinePermission" do
|
|
269
271
|
Cbac::GenericRole.delete_all
|
270
272
|
end
|
271
273
|
|
272
|
-
it "
|
273
|
-
proc {
|
274
|
+
it "creates a generic role if it doesn't exist yet" do
|
275
|
+
expect(proc {
|
274
276
|
@pristine_permission.accept
|
275
|
-
}.
|
277
|
+
}).to change(Cbac::GenericRole, :count).by(1)
|
276
278
|
end
|
277
279
|
end
|
278
280
|
end
|
@@ -284,12 +286,12 @@ describe "CbacPristinePermission" do
|
|
284
286
|
@pristine_permission.pristine_role = @pristine_context_role
|
285
287
|
end
|
286
288
|
|
287
|
-
it "
|
289
|
+
it "removes an existing permission" do
|
288
290
|
Cbac::Permission.create(:privilege_set_id => @privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
289
291
|
|
290
|
-
proc {
|
292
|
+
expect(proc {
|
291
293
|
@pristine_permission.accept
|
292
|
-
}.
|
294
|
+
}).to change(Cbac::Permission, :count).by(-1)
|
293
295
|
end
|
294
296
|
|
295
297
|
context "if the permission specified does not exist" do
|
@@ -297,10 +299,10 @@ describe "CbacPristinePermission" do
|
|
297
299
|
Cbac::Permission.delete_all
|
298
300
|
end
|
299
301
|
|
300
|
-
it "
|
301
|
-
proc {
|
302
|
+
it "raises an error" do
|
303
|
+
expect(proc {
|
302
304
|
@pristine_permission.accept
|
303
|
-
}.
|
305
|
+
}).to raise_error(ArgumentError)
|
304
306
|
end
|
305
307
|
end
|
306
308
|
end
|
@@ -312,82 +314,82 @@ describe "CbacPristinePermission" do
|
|
312
314
|
@pristine_admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin], :name => "administrator")
|
313
315
|
end
|
314
316
|
|
315
|
-
it "
|
317
|
+
it "persists the pristine permission to the database" do
|
316
318
|
pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
|
317
319
|
|
318
|
-
proc {
|
320
|
+
expect(proc {
|
319
321
|
pristine_permission.stage
|
320
|
-
}.
|
321
|
-
|
322
|
+
}).to change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
322
323
|
end
|
323
324
|
|
324
|
-
it "
|
325
|
+
it "persists the associated role if it doesn't exist yet" do
|
325
326
|
pristine_permission = PristinePermission.new(:privilege_set_name => "login", :pristine_role => @pristine_context_role, :operation => '+')
|
326
327
|
|
327
|
-
proc {
|
328
|
+
expect(proc {
|
328
329
|
pristine_permission.stage
|
329
|
-
}.
|
330
|
+
}).to change(Cbac::CbacPristine::PristineRole, :count).by(1)
|
330
331
|
end
|
331
332
|
|
332
|
-
it "
|
333
|
+
it "does not create a new pristine permission if the cbac permission exists and the pristine permission wants to add" do
|
333
334
|
privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
334
335
|
Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
335
336
|
|
336
337
|
pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
|
337
|
-
|
338
|
+
|
339
|
+
expect(proc {
|
338
340
|
pristine_permission.stage
|
339
|
-
}.
|
341
|
+
}).not_to change(Cbac::CbacPristine::PristinePermission, :count)
|
340
342
|
end
|
341
343
|
|
342
|
-
it "
|
344
|
+
it "creates a new pristine permission if the cbac permission exists and the pristine permission wants to revoke" do
|
343
345
|
privilege_set = Cbac::PrivilegeSetRecord.create(:name => "login")
|
344
346
|
Cbac::Permission.create(:privilege_set_id => privilege_set.id, :generic_role_id => 0, :context_role => @pristine_context_role.name)
|
345
347
|
|
346
348
|
pristine_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set.name, :pristine_role => @pristine_context_role)
|
347
|
-
|
349
|
+
|
350
|
+
expect(proc {
|
348
351
|
pristine_permission.stage
|
349
|
-
}.
|
352
|
+
}).to change(Cbac::CbacPristine::PristinePermission, :count).by(1)
|
350
353
|
end
|
351
354
|
|
352
|
-
it "
|
355
|
+
it "does not create a new pristine permission if a staged add permission exists and this pristine permission wants to revoke" do
|
353
356
|
privilege_set_name = "chat"
|
354
357
|
PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
355
358
|
pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
356
359
|
|
357
|
-
proc {
|
360
|
+
expect(proc {
|
358
361
|
pristine_revoke_permission.stage
|
359
|
-
}.
|
362
|
+
}).not_to change(Cbac::CbacPristine::PristinePermission, :count)
|
360
363
|
end
|
361
364
|
|
362
|
-
it "
|
365
|
+
it "deletes a staged add permission if the pristine permission wants to revoke the same permission" do
|
363
366
|
privilege_set_name = "chat"
|
364
367
|
PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
365
368
|
pristine_revoke_permission = PristinePermission.new(:operation => '-', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role)
|
366
369
|
|
367
|
-
proc {
|
370
|
+
expect(proc {
|
368
371
|
pristine_revoke_permission.stage
|
369
|
-
}.
|
372
|
+
}).to change(Cbac::CbacPristine::PristinePermission, :count).by(-1)
|
370
373
|
end
|
371
374
|
|
372
|
-
it "
|
375
|
+
it "does not create a new pristine permission if a cbac known permission exists" do
|
373
376
|
known_number = 1
|
374
377
|
pristine_permission = PristinePermission.new(:line_number => known_number, :privilege_set_name => "name not relevant", :pristine_role => @pristine_context_role)
|
375
378
|
Cbac::KnownPermission.create(:permission_number => known_number, :permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:context])
|
376
379
|
|
377
|
-
proc {
|
380
|
+
expect(proc {
|
378
381
|
pristine_permission.stage
|
379
|
-
}.
|
380
|
-
|
382
|
+
}).not_to change(Cbac::CbacPristine::PristinePermission, :count)
|
381
383
|
end
|
382
384
|
|
383
|
-
it "
|
385
|
+
it "raises an error if the same pristine permission is staged twice" do
|
384
386
|
privilege_set_name = "chat"
|
385
387
|
PristinePermission.create(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 2)
|
386
388
|
pristine_permission = PristinePermission.new(:operation => '+', :privilege_set_name => privilege_set_name, :pristine_role => @pristine_context_role, :line_number => 3)
|
387
389
|
|
388
|
-
proc {
|
390
|
+
expect(proc {
|
389
391
|
pristine_permission.stage
|
390
|
-
}.
|
392
|
+
}).to raise_error(ArgumentError)
|
391
393
|
end
|
392
394
|
end
|
393
395
|
end
|