cbac 0.6.2 → 0.6.3
- data/Manifest +71 -70
- data/README.rdoc +51 -51
- data/Rakefile +39 -39
- data/cbac.gemspec +30 -30
- data/config/cbac/context_roles.rb +21 -21
- data/config/cbac/privileges.rb +50 -50
- data/context_roles.rb +21 -21
- data/init.rb +3 -3
- data/lib/cbac.rb +132 -132
- data/lib/cbac/cbac_pristine/pristine.rb +138 -138
- data/lib/cbac/cbac_pristine/pristine_file.rb +179 -173
- data/lib/cbac/cbac_pristine/pristine_permission.rb +205 -205
- data/lib/cbac/cbac_pristine/pristine_role.rb +43 -42
- data/lib/cbac/config.rb +9 -9
- data/lib/cbac/context_role.rb +27 -27
- data/lib/cbac/generic_role.rb +7 -6
- data/lib/cbac/known_permission.rb +15 -14
- data/lib/cbac/membership.rb +3 -3
- data/lib/cbac/permission.rb +5 -5
- data/lib/cbac/privilege.rb +117 -117
- data/lib/cbac/privilege_new_api.rb +56 -56
- data/lib/cbac/privilege_set.rb +29 -29
- data/lib/cbac/privilege_set_record.rb +6 -6
- data/lib/cbac/setup.rb +37 -37
- data/lib/generators/cbac/USAGE +33 -33
- data/lib/generators/cbac/cbac_generator.rb +75 -75
- data/lib/generators/cbac/copy_files/config/cbac.pristine +2 -2
- data/lib/generators/cbac/copy_files/config/context_roles.rb +17 -17
- data/lib/generators/cbac/copy_files/config/privileges.rb +25 -25
- data/lib/generators/cbac/copy_files/controllers/generic_roles_controller.rb +30 -30
- data/lib/generators/cbac/copy_files/controllers/memberships_controller.rb +22 -22
- data/lib/generators/cbac/copy_files/controllers/permissions_controller.rb +61 -61
- data/lib/generators/cbac/copy_files/controllers/upgrade_controller.rb +23 -23
- data/lib/generators/cbac/copy_files/fixtures/cbac_generic_roles.yml +9 -9
- data/lib/generators/cbac/copy_files/fixtures/cbac_memberships.yml +8 -8
- data/lib/generators/cbac/copy_files/fixtures/cbac_permissions.yml +8 -8
- data/lib/generators/cbac/copy_files/initializers/cbac_config.rb +4 -4
- data/lib/generators/cbac/copy_files/migrate/create_cbac_from_scratch.rb +59 -59
- data/lib/generators/cbac/copy_files/migrate/create_cbac_upgrade_path.rb +40 -40
- data/lib/generators/cbac/copy_files/stylesheets/cbac.css +65 -65
- data/lib/generators/cbac/copy_files/tasks/cbac.rake +345 -345
- data/lib/generators/cbac/copy_files/views/generic_roles/index.html.erb +58 -58
- data/lib/generators/cbac/copy_files/views/layouts/cbac.html.erb +18 -18
- data/lib/generators/cbac/copy_files/views/memberships/_update.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/memberships/index.html.erb +23 -23
- data/lib/generators/cbac/copy_files/views/permissions/_update_context_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/_update_generic_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/index.html.erb +39 -39
- data/lib/generators/cbac/copy_files/views/upgrade/index.html.erb +31 -31
- data/migrations/20110211105533_add_pristine_files_to_cbac_upgrade_path.rb +16 -16
- data/privileges.rb +50 -50
- data/spec/cbac_pristine_file_spec.rb +329 -329
- data/spec/cbac_pristine_permission_spec.rb +358 -358
- data/spec/cbac_pristine_role_spec.rb +85 -85
- data/spec/rcov.opts +1 -1
- data/spec/spec.opts +4 -4
- data/spec/spec_helper.rb +11 -11
- data/tasks/cbac.rake +345 -345
- data/test/db/test.sqlite3 +0 -0
- data/test/fixtures/cbac_generic_roles.yml +9 -9
- data/test/fixtures/cbac_memberships.yml +8 -8
- data/test/fixtures/cbac_permissions.yml +14 -14
- data/test/fixtures/cbac_privilege_set.yml +18 -18
- data/test/test_cbac_actions.rb +71 -71
- data/test/test_cbac_authorize_context_roles.rb +39 -39
- data/test/test_cbac_authorize_generic_roles.rb +36 -36
- data/test/test_cbac_context_role.rb +50 -50
- data/test/test_cbac_privilege.rb +151 -151
- data/test/test_cbac_privilege_set.rb +50 -50
- data/test/test_helper.rb +28 -28
- metadata +33 -49
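--- a/data/context_roles.rb
+++ b/data/context_roles.rb
@@ -1,21 +1,21 @@
-### context_roles.rb
-#
-# Defines the context roles for the CBAC system
-#
-include Cbac
-
-# Defining context roles
-ContextRole.add :not_logged_in_user, 'current_user == 0'
-ContextRole.add :logged_in_user, 'current_user.to_i > 0'
-ContextRole.add :everybody, "true"
-ContextRole.add :news_owner do
-context[:post].user.id == current_user
-end
-
-ContextRole.add :news_owner_with_email do
-return false if News.find(params[:id]).author_id == current_user
-return false if User.find(current_user).email.nil?
-true
-end
-
-
+### context_roles.rb
+#
+# Defines the context roles for the CBAC system
+#
+include Cbac
+
+# Defining context roles
+ContextRole.add :not_logged_in_user, 'current_user == 0'
+ContextRole.add :logged_in_user, 'current_user.to_i > 0'
+ContextRole.add :everybody, "true"
+ContextRole.add :news_owner do
+context[:post].user.id == current_user
+end
+
+ContextRole.add :news_owner_with_email do
+return false if News.find(params[:id]).author_id == current_user
+return false if User.find(current_user).email.nil?
+true
+end
+
+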
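--- a/data/init.rb
+++ b/data/init.rb
@@ -1,3 +1,3 @@
-# Include CBAC core file
-require File.dirname(__FILE__) + '/lib/cbac.rb'
-
+# Include CBAC core file
+require File.dirname(__FILE__) + '/lib/cbac.rb'
+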
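--- a/data/lib/cbac.rb
+++ b/data/lib/cbac.rb
@@ -1,132 +1,132 @@
-# TODO: Check the permission table for double entries, ie: both an entry in the
-# generic_role_id field and an entry in the context_role field. Solution: solve
-# via model. Update model & add test
-require "cbac/setup"
-require "cbac/config"
-require "cbac/context_role"
-require "cbac/generic_role"
-require "cbac/known_permission"
-require "cbac/membership"
-require "cbac/permission"
-require "cbac/privilege"
-require "cbac/privilege_new_api"
-require "cbac/privilege_set"
-require "cbac/privilege_set_record"
-require "cbac/cbac_pristine/pristine"
-require "cbac/cbac_pristine/pristine_file"
-require "cbac/cbac_pristine/pristine_permission"
-require "cbac/cbac_pristine/pristine_role"
-
-# The following code contains configuration options. You can turn them on for
-# gem development. For actual usage, it is advisable to set the configuration
-# options in the environment files.
-Cbac::Config.verbose = true
-
-# Module containing the bootstrap code
-module Cbac
-def cbac_boot!
-if Cbac::Setup.check
-puts "CBAC properly installed"
-
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
-require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
-
-# check performs a check to see if the user is allowed to access the given
-# resource. Example: authorization_check("BlogController", "index", :get)
-def authorization_check(controller, action, request, context = {})
-# Determine the controller to look for
-controller_method = [controller, action].join("/")
-# Get the privilegesets
-privilege_sets = Privilege.select(controller_method, request)
-# Check the privilege sets
-check_privilege_sets(privilege_sets, context)
-end
-
-# Check the given privilege_set symbol
-# TODO following code is not yet tested
-def check_privilege_set(privilege_set, context = {})
-check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
-end
-
-# Check the given privilege_sets
-def check_privilege_sets(privilege_sets, context = {})
-# Check the generic roles
-return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
-# Check the context roles Get the permissions
-privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
-puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
-eval_string = ContextRole.roles[permission.context_role.to_sym]
-begin
-return true if eval_string.call(context)
-rescue Exception => e
-puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
-raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
-end
-end
-# not authorized
-puts "Not authorized for: #{privilege_sets.to_s}" if Cbac::Config.verbose
-false
-end
-
-# Code that performs authorization
-def authorize
-authorization_check(params[:controller], params[:action], request.request_method.downcase, self) || unauthorized
-end
-
-# Default unauthorized method Override this method to supply your own code
-# for incorrect authorization
-def unauthorized
-render :text => "You are not authorized to perform this action", :status => 401
-end
-
-# Default implementation of the current_user method
-def current_user_id
-session[:currentuser].to_i
-end
-
-# Load controller classes and methods
-def load_controller_methods
-begin
-Dir.glob("app/controllers/**/*.rb").each{|file| require file}
-rescue LoadError
-raise "Could not load controller classes"
-end
-# Make this iterative TODO
-@classes = ApplicationController.subclasses
-end
-
-# Extracts the class name from the filename
-def extract_class_name(filename)
-File.basename(filename).chomp(".rb").camelize
-end
-
-# ### Initializer Include privileges file - contains the privilege and
-# privilege definitions
-begin
-require File.join(::Rails.root.to_s, "config", "cbac", "privileges.rb")
-rescue MissingSourceFile
-puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
-end
-# Include context roles file - contains the context role definitions
-begin
-require File.join(::Rails.root.to_s, "config", "cbac", "context_roles.rb")
-rescue MissingSourceFile
-puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
-end
-
-# ### Database autoload code
-else
-# This is the code that is executed if CBAc is not properly installed/
-# configured. It includes a different authorize method, aimes at refusing
-# all authorizations
-def authorize
-render :text => "Authorization error", :status => 401
-false
-end
-end
-end
-end
+# TODO: Check the permission table for double entries, ie: both an entry in the
+# generic_role_id field and an entry in the context_role field. Solution: solve
+# via model. Update model & add test
+require "cbac/setup"
+require "cbac/config"
+require "cbac/context_role"
+require "cbac/generic_role"
+require "cbac/known_permission"
+require "cbac/membership"
+require "cbac/permission"
+require "cbac/privilege"
+require "cbac/privilege_new_api"
+require "cbac/privilege_set"
+require "cbac/privilege_set_record"
+require "cbac/cbac_pristine/pristine"
+require "cbac/cbac_pristine/pristine_file"
+require "cbac/cbac_pristine/pristine_permission"
+require "cbac/cbac_pristine/pristine_role"
+
+# The following code contains configuration options. You can turn them on for
+# gem development. For actual usage, it is advisable to set the configuration
+# options in the environment files.
+Cbac::Config.verbose = true
+
+# Module containing the bootstrap code
+module Cbac
+def cbac_boot!
+if Cbac::Setup.check
+puts "CBAC properly installed"
+
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/privilege_set'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/context_role'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), '/cbac/cbac_pristine/pristine_permission'))
+
+# check performs a check to see if the user is allowed to access the given
+# resource. Example: authorization_check("BlogController", "index", :get)
+def authorization_check(controller, action, request, context = {})
+# Determine the controller to look for
+controller_method = [controller, action].join("/")
+# Get the privilegesets
+privilege_sets = Privilege.select(controller_method, request)
+# Check the privilege sets
+check_privilege_sets(privilege_sets, context)
+end
+
+# Check the given privilege_set symbol
+# TODO following code is not yet tested
+def check_privilege_set(privilege_set, context = {})
+check_privilege_sets([PrivilegeSet.sets[privilege_set.to_sym]], context)
+end
+
+# Check the given privilege_sets
+def check_privilege_sets(privilege_sets, context = {})
+# Check the generic roles
+return true if privilege_sets.any? { |set| Cbac::GenericRole.find(:all, :conditions => ["user_id= ? AND privilege_set_id = ?", current_user, set.id],:joins => [:generic_role_members, :permissions]).length > 0 }
+# Check the context roles Get the permissions
+privilege_sets.collect{|privilege_set|Cbac::Permission.find(:all, :conditions => ["privilege_set_id = ? AND generic_role_id = 0", privilege_set.id.to_s])}.flatten.each do |permission|
+puts "Checking for context_role:#{permission.context_role} on privilege_set:#{permission.privilege_set.name}" if Cbac::Config.verbose
+eval_string = ContextRole.roles[permission.context_role.to_sym]
+begin
+return true if eval_string.call(context)
+rescue Exception => e
+puts "Error in context role: #{permission.context_role} on privilege_set: #{permission.privilege_set.name}. Context: #{context}"
+raise e if RAILS_ENV == "development" or RAILS_ENV == "test" # In development mode, this should crash as hard as possible, but in further stages, it should not
+end
+end
+# not authorized
+puts "Not authorized for: #{privilege_sets.to_s}" if Cbac::Config.verbose
+false
+end
+
+# Code that performs authorization
+def authorize
+authorization_check(params[:controller], params[:action], request.request_method.downcase, self) || unauthorized
+end
+
+# Default unauthorized method Override this method to supply your own code
+# for incorrect authorization
+def unauthorized
+render :text => "You are not authorized to perform this action", :status => 401
+end
+
+# Default implementation of the current_user method
+def current_user_id
+session[:currentuser].to_i
+end
+
+# Load controller classes and methods
+def load_controller_methods
+begin
+Dir.glob("app/controllers/**/*.rb").each{|file| require file}
+rescue LoadError
+raise "Could not load controller classes"
+end
+# Make this iterative TODO
+@classes = ApplicationController.subclasses
+end
+
+# Extracts the class name from the filename
+def extract_class_name(filename)
+File.basename(filename).chomp(".rb").camelize
+end
+
+# ### Initializer Include privileges file - contains the privilege and
+# privilege definitions
+begin
+require File.join(::Rails.root.to_s, "config", "cbac", "privileges.rb")
+rescue MissingSourceFile
+puts "CBAC warning: Could not load config/cbac/privileges.rb (Did you run ./script/generate cbac?)"
+end
+# Include context roles file - contains the context role definitions
+begin
+require File.join(::Rails.root.to_s, "config", "cbac", "context_roles.rb")
+rescue MissingSourceFile
+puts "CBAC warning: Could not load config/cbac/context_roles.rb (Did you run ./script/generate cbac?)"
+end
+
+# ### Database autoload code
+else
+# This is the code that is executed if CBAc is not properly installed/
+# configured. It includes a different authorize method, aimes at refusing
+# all authorizations
+def authorize
+render :text => "Authorization error", :status => 401
+false
+end
+end
+end
+end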
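--- a/data/lib/cbac/cbac_pristine/pristine.rb
+++ b/data/lib/cbac/cbac_pristine/pristine.rb
@@ -1,138 +1,138 @@
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
-require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
-
-module Cbac
-module CbacPristine
-#creates a yml file containing all generic roles from the specified pristine file objects
-def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
-roles = []
-
-pristine_files.each do |pristine_file|
-#if the pristine file wasn't parsed yet, we'll do it here
-pristine_file.parse(false) if pristine_file.permissions.empty?
-pristine_file.generic_roles.each do |generic_role|
-# we only want the unique generic roles, because the yml file cannot have duplicates
-has_role = false
-roles.each do |role|
-if role.name == generic_role.name
-has_role = true
-end
-end
-roles.push(generic_role) unless has_role
-end
-end
-create_fixtures_file(roles, fixtures_file_name)
-end
-
-# creates a yml file containing all cbac_permissions from the specified pristine file objects
-def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
-permissions = []
-
-pristine_files.each do |pristine_file|
-pristine_file.parse(false) if pristine_file.permissions.empty?
-pristine_file.permission_set.each do |line|
-permissions.push(line)
-end
-end
-create_fixtures_file(permissions, fixtures_file_name)
-end
-
-# turns the fixtures into yml and writes them to a file with specified name.
-def create_fixtures_file(fixtures, fixtures_file_name)
-File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
-f = File.new(fixtures_file_name, "w")
-flock(f, File::LOCK_EX) do |f|
-fixtures.each_with_index do |fixture, index|
-f.write(fixture.to_yml_fixture(index + 1))
-end
-end
-end
-
-# set all cbac permissions and generic roles to the state in the specified pristine file objects
-def set_pristine_state(pristine_files, clear_tables)
-clear_cbac_tables if clear_tables
-pristine_files.each do |pristine_file|
-pristine_file.parse if pristine_file.permissions.empty?
-pristine_file.permissions.each do |permission|
-permission.accept
-end
-end
-end
-
-# stage all unknown cbac_permissions
-def stage_permissions(pristine_files)
-
-pristine_files.each do |pristine_file|
-pristine_file.parse(true) if pristine_file.permissions.empty?
-pristine_file.permissions.each do |permission|
-permission.stage
-end
-end
-end
-
-def clear_cbac_tables
-Cbac::GenericRole.delete_all
-Cbac::Membership.delete_all
-Cbac::Permission.delete_all
-Cbac::KnownPermission.delete_all
-Cbac::CbacPristine::PristineFile.delete_all
-Cbac::CbacPristine::PristinePermission.delete_all
-Cbac::CbacPristine::PristineRole.delete_all
-end
-
-def delete_generic_known_permissions
-known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
-known_permissions.each { |p| p.destroy }
-end
-
-def delete_generic_permissions
-permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
-# for backwards compatibility, generic_role name was administrators instead of administrator
-# SMELL: administrator role *only* identified by name
-(permissions.select { |perm| perm.generic_role.name != "administrator" and perm.generic_role.name != "administrators" }).each { |p| p.destroy }
-end
-
-def delete_non_generic_staged_permissions
-PristinePermission.delete_non_generic_permissions
-end
-
-def delete_generic_staged_permissions
-PristinePermission.delete_generic_permissions
-end
-
-def database_contains_cbac_data?
-(Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
-end
-
-def find_or_create_generic_pristine_file(file_name)
-pristine_file = GenericPristineFile.find_by_file_name(file_name)
-pristine_file.present? ? pristine_file : GenericPristineFile.create(:file_name => file_name)
-end
-
-def find_or_create_pristine_file(file_name)
-pristine_file = PristineFile.find_by_file_name(file_name)
-pristine_file.present? ? pristine_file : PristineFile.create(:file_name => file_name)
-end
-
-def number_of_generic_staged_permissions
-PristinePermission.count_generic_permissions
-end
-
-def number_of_non_generic_staged_permissions
-PristinePermission.count_non_generic_permissions
-end
-
-def flock(file, mode)
-success = file.flock(mode)
-if success
-begin
-yield file
-ensure
-file.flock(File::LOCK_UN)
-end
-end
-return success
-end
-
-end
-end
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_file'))
+require File.expand_path(File.join(File.dirname(__FILE__), 'pristine_permission'))
+
+module Cbac
+module CbacPristine
+#creates a yml file containing all generic roles from the specified pristine file objects
+def create_generic_role_fixtures_file(pristine_files, fixtures_file_name)
+roles = []
+
+pristine_files.each do |pristine_file|
+#if the pristine file wasn't parsed yet, we'll do it here
+pristine_file.parse(false) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+pristine_file.generic_roles.each do |generic_role|
+# we only want the unique generic roles, because the yml file cannot have duplicates
+has_role = false
+roles.each do |role|
+if role.name == generic_role.name
+has_role = true
+end
+end
+roles.push(generic_role) unless has_role
+end
+end
+create_fixtures_file(roles, fixtures_file_name)
+end
+
+# creates a yml file containing all cbac_permissions from the specified pristine file objects
+def create_permissions_fixtures_file(pristine_files, fixtures_file_name)
+permissions = []
+
+pristine_files.each do |pristine_file|
+pristine_file.parse(false) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+pristine_file.permission_set.each do |line|
+permissions.push(line)
+end
+end
+create_fixtures_file(permissions, fixtures_file_name)
+end
+
+# turns the fixtures into yml and writes them to a file with specified name.
+def create_fixtures_file(fixtures, fixtures_file_name)
+File.delete(fixtures_file_name) if File.exists?(fixtures_file_name)
+f = File.new(fixtures_file_name, "w")
+flock(f, File::LOCK_EX) do |f|
+fixtures.each_with_index do |fixture, index|
+f.write(fixture.to_yml_fixture(index + 1))
+end
+end
+end
+
+# set all cbac permissions and generic roles to the state in the specified pristine file objects
+def set_pristine_state(pristine_files, clear_tables)
+clear_cbac_tables if clear_tables
+pristine_files.each do |pristine_file|
+pristine_file.parse if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+pristine_file.permissions.each do |permission|
+permission.accept
+end
+end
+end
+
+# stage all unknown cbac_permissions
+def stage_permissions(pristine_files)
+
+pristine_files.each do |pristine_file|
+pristine_file.parse(true) if pristine_file.permissions.nil? || pristine_file.permissions.empty?
+pristine_file.permissions.each do |permission|
+permission.stage
+end
+end
+end
+
+def clear_cbac_tables
+Cbac::GenericRole.delete_all
+Cbac::Membership.delete_all
+Cbac::Permission.delete_all
+Cbac::KnownPermission.delete_all
+Cbac::CbacPristine::PristineFile.delete_all
+Cbac::CbacPristine::PristinePermission.delete_all
+Cbac::CbacPristine::PristineRole.delete_all
+end
+
+def delete_generic_known_permissions
+known_permissions = Cbac::KnownPermission.find(:all, :conditions => {:permission_type => Cbac::KnownPermission.PERMISSION_TYPES[:generic]})
+known_permissions.each { |p| p.destroy }
+end
+
+def delete_generic_permissions
+permissions = Cbac::Permission.find(:all, :conditions => {:context_role => nil})
+# for backwards compatibility, generic_role name was administrators instead of administrator
+# SMELL: administrator role *only* identified by name
+(permissions.select { |perm| perm.generic_role.name != "administrator" and perm.generic_role.name != "administrators" }).each { |p| p.destroy }
+end
+
+def delete_non_generic_staged_permissions
+PristinePermission.delete_non_generic_permissions
+end
+
+def delete_generic_staged_permissions
+PristinePermission.delete_generic_permissions
+end
+
+def database_contains_cbac_data?
+(Cbac::GenericRole.count != 0 or Cbac::Membership.count != 0 or Cbac::Permission.count != 0 or Cbac::KnownPermission.count != 0 or Cbac::CbacPristine::PristinePermission.count != 0 or Cbac::CbacPristine::PristineRole.count != 0)
+end
+
+def find_or_create_generic_pristine_file(file_name)
+pristine_file = GenericPristineFile.find_by_file_name(file_name)
+pristine_file.present? ? pristine_file : GenericPristineFile.create(:file_name => file_name)
+end
+
+def find_or_create_pristine_file(file_name)
+pristine_file = PristineFile.find_by_file_name(file_name)
+pristine_file.present? ? pristine_file : PristineFile.create(:file_name => file_name)
+end
+
+def number_of_generic_staged_permissions
+PristinePermission.count_generic_permissions
+end
+
+def number_of_non_generic_staged_permissions
+PristinePermission.count_non_generic_permissions
+end
+
+def flock(file, mode)
+success = file.flock(mode)
+if success
+begin
+yield file
+ensure
+file.flock(File::LOCK_UN)
+end
+end
+return success
+end
+
+end
+end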
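Review bot: `create_fixtures_file` (new-side lines 41–49) opens the fixture file with `File.new(fixtures_file_name, "w")` and never closes it; `flock` releases the lock in its `ensure`, but the descriptor and any buffered output stay open until the object is finalized, so a caller that reads the file straight afterwards may see an incomplete fixture. The block form closes and flushes deterministically: `File.open(fixtures_file_name, "w") do |f|` / `flock(f, File::LOCK_EX) { |locked| fixtures.each_with_index { |fixture, index| locked.write(fixture.to_yml_fixture(index + 1)) } }` / `end`. The block parameter in `flock(f, File::LOCK_EX) do |f|` also shadows the outer `f`, which Ruby warns about; renaming one of them avoids the ambiguity. The added `permissions.nil? ||` guards at lines 12, 32, 55 and 66 only protect the first access — if `parse` leaves `permissions` nil, the `pristine_file.permissions.each` that follows at lines 56 and 67 still raises, so the guard presumably relies on `parse` always populating the collection and that is worth confirming. `File.exists?` at line 42 is the deprecated alias (removed in Ruby 3.2); `File.exist?` is the portable spelling.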