cbac 0.6.3 → 0.6.4
Sign up to get free protection for your applications and to get access to all the features.
- data/Manifest +71 -71
- data/README.rdoc +51 -51
- data/Rakefile +39 -39
- data/cbac.gemspec +30 -30
- data/config/cbac/context_roles.rb +21 -21
- data/config/cbac/privileges.rb +50 -50
- data/context_roles.rb +21 -21
- data/init.rb +3 -3
- data/lib/cbac.rb +132 -132
- data/lib/cbac/cbac_pristine/pristine.rb +138 -138
- data/lib/cbac/cbac_pristine/pristine_file.rb +179 -179
- data/lib/cbac/cbac_pristine/pristine_permission.rb +205 -205
- data/lib/cbac/cbac_pristine/pristine_role.rb +43 -43
- data/lib/cbac/config.rb +9 -9
- data/lib/cbac/context_role.rb +27 -27
- data/lib/cbac/generic_role.rb +7 -7
- data/lib/cbac/known_permission.rb +15 -15
- data/lib/cbac/membership.rb +3 -3
- data/lib/cbac/permission.rb +5 -5
- data/lib/cbac/privilege.rb +117 -117
- data/lib/cbac/privilege_new_api.rb +56 -56
- data/lib/cbac/privilege_set.rb +29 -29
- data/lib/cbac/privilege_set_record.rb +6 -6
- data/lib/cbac/setup.rb +37 -37
- data/lib/generators/cbac/USAGE +33 -33
- data/lib/generators/cbac/cbac_generator.rb +75 -75
- data/lib/generators/cbac/copy_files/config/cbac.pristine +2 -2
- data/lib/generators/cbac/copy_files/config/context_roles.rb +17 -17
- data/lib/generators/cbac/copy_files/config/privileges.rb +25 -25
- data/lib/generators/cbac/copy_files/controllers/generic_roles_controller.rb +30 -30
- data/lib/generators/cbac/copy_files/controllers/memberships_controller.rb +22 -22
- data/lib/generators/cbac/copy_files/controllers/permissions_controller.rb +61 -61
- data/lib/generators/cbac/copy_files/controllers/upgrade_controller.rb +23 -23
- data/lib/generators/cbac/copy_files/fixtures/cbac_generic_roles.yml +9 -9
- data/lib/generators/cbac/copy_files/fixtures/cbac_memberships.yml +8 -8
- data/lib/generators/cbac/copy_files/fixtures/cbac_permissions.yml +8 -8
- data/lib/generators/cbac/copy_files/initializers/cbac_config.rb +4 -4
- data/lib/generators/cbac/copy_files/migrate/create_cbac_from_scratch.rb +59 -59
- data/lib/generators/cbac/copy_files/migrate/create_cbac_upgrade_path.rb +40 -40
- data/lib/generators/cbac/copy_files/stylesheets/cbac.css +65 -65
- data/lib/generators/cbac/copy_files/tasks/cbac.rake +345 -345
- data/lib/generators/cbac/copy_files/views/generic_roles/index.html.erb +58 -58
- data/lib/generators/cbac/copy_files/views/layouts/cbac.html.erb +18 -18
- data/lib/generators/cbac/copy_files/views/memberships/_update.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/memberships/index.html.erb +23 -23
- data/lib/generators/cbac/copy_files/views/permissions/_update_context_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/_update_generic_role.html.erb +11 -11
- data/lib/generators/cbac/copy_files/views/permissions/index.html.erb +39 -39
- data/lib/generators/cbac/copy_files/views/upgrade/index.html.erb +31 -31
- data/migrations/20110211105533_add_pristine_files_to_cbac_upgrade_path.rb +16 -16
- data/privileges.rb +50 -50
- data/spec/cbac_pristine_file_spec.rb +329 -329
- data/spec/cbac_pristine_permission_spec.rb +358 -358
- data/spec/cbac_pristine_role_spec.rb +85 -85
- data/spec/rcov.opts +1 -1
- data/spec/spec.opts +4 -4
- data/spec/spec_helper.rb +11 -11
- data/tasks/cbac.rake +345 -345
- data/test/db/test.sqlite3 +0 -0
- data/test/fixtures/cbac_generic_roles.yml +9 -9
- data/test/fixtures/cbac_memberships.yml +8 -8
- data/test/fixtures/cbac_permissions.yml +14 -14
- data/test/fixtures/cbac_privilege_set.yml +18 -18
- data/test/test_cbac_actions.rb +71 -71
- data/test/test_cbac_authorize_context_roles.rb +39 -39
- data/test/test_cbac_authorize_generic_roles.rb +36 -36
- data/test/test_cbac_context_role.rb +50 -50
- data/test/test_cbac_privilege.rb +151 -151
- data/test/test_cbac_privilege_set.rb +50 -50
- data/test/test_helper.rb +28 -28
- metadata +11 -13
data/privileges.rb
CHANGED
|
@@ -1,50 +1,50 @@
|
|
|
1
|
-
### Privileges.rb
|
|
2
|
-
#
|
|
3
|
-
# Defines the privilegesets and privileges for the CBAC system
|
|
4
|
-
#
|
|
5
|
-
include Cbac
|
|
6
|
-
|
|
7
|
-
# Defining privilegesets
|
|
8
|
-
PrivilegeSet.add :cbac_administration, "Allows administration of CBAC modules"
|
|
9
|
-
PrivilegeSet.add :login, "Allows users to log onto the system"
|
|
10
|
-
PrivilegeSet.add :news_item_read, "Allows reading news_item items"
|
|
11
|
-
PrivilegeSet.add :news_item_create, "Allows creating news_item items"
|
|
12
|
-
PrivilegeSet.add :news_item_update, "Allows changing existing news_item items"
|
|
13
|
-
PrivilegeSet.add :news_item_administrator, "Allows administration of news items"
|
|
14
|
-
PrivilegeSet.add :news_item_moderator, "Moderator"
|
|
15
|
-
|
|
16
|
-
# Defining privileges
|
|
17
|
-
Privilege.resource :cbac_administration, "cbac/permissions/index"
|
|
18
|
-
Privilege.resource :cbac_administration, "cbac/permissions/update", :post
|
|
19
|
-
Privilege.resource :cbac_administration, "cbac/generic_roles/index"
|
|
20
|
-
Privilege.resource :cbac_administration, "cbac/generic_roles/update", :post
|
|
21
|
-
Privilege.resource :cbac_administration, "cbac/generic_roles/create", :post
|
|
22
|
-
Privilege.resource :cbac_administration, "cbac/generic_roles/delete", :post
|
|
23
|
-
Privilege.resource :cbac_administration, "cbac/memberships/index"
|
|
24
|
-
Privilege.resource :cbac_administration, "cbac/memberships/update", :post
|
|
25
|
-
Privilege.resource :cbac_administration, "cbac/upgrade/index"
|
|
26
|
-
Privilege.resource :cbac_administration, "cbac/upgrade/process_changes", :post
|
|
27
|
-
Privilege.resource :login, "news_items/login", :POST
|
|
28
|
-
Privilege.resource :news_item_read, "news_items/index"
|
|
29
|
-
Privilege.resource :news_item_read, "news_items/show"
|
|
30
|
-
Privilege.resource :news_item_create, "news_items/new"
|
|
31
|
-
Privilege.resource :news_item_create, "news_items/create", :POST
|
|
32
|
-
Privilege.resource :news_item_create, "news_items/create", :idempotent
|
|
33
|
-
Privilege.resource :news_item_update, "news_items/edit"
|
|
34
|
-
Privilege.resource :news_item_update, "news_items/update", :POST
|
|
35
|
-
|
|
36
|
-
# Recursive privilegesets
|
|
37
|
-
Privilege.include :news_item_moderator, :news_item_update
|
|
38
|
-
Privilege.include :news_item_administrator, [:news_item_read, :news_item_create, :news_item_update]
|
|
39
|
-
|
|
40
|
-
# Models
|
|
41
|
-
# Enforcing mode
|
|
42
|
-
#Privilege.model :blog_read, :blog, :load
|
|
43
|
-
#Privilege.model :blog_create, :blog, :save
|
|
44
|
-
#Privilege.model :blog_update, :blog, :update
|
|
45
|
-
#Privilege.model :blog_update, :blog, :delete
|
|
46
|
-
# model attributes
|
|
47
|
-
#Privilege.model_attribute :blog_update, :blog, :author, :write
|
|
48
|
-
#privilege.model_attribute :blog_update, :blog, :author, :w
|
|
49
|
-
#privilege.model_attribute :blog_update, :blog, :author, :rw
|
|
50
|
-
|
|
1
|
+
### Privileges.rb
|
|
2
|
+
#
|
|
3
|
+
# Defines the privilegesets and privileges for the CBAC system
|
|
4
|
+
#
|
|
5
|
+
include Cbac
|
|
6
|
+
|
|
7
|
+
# Defining privilegesets
|
|
8
|
+
PrivilegeSet.add :cbac_administration, "Allows administration of CBAC modules"
|
|
9
|
+
PrivilegeSet.add :login, "Allows users to log onto the system"
|
|
10
|
+
PrivilegeSet.add :news_item_read, "Allows reading news_item items"
|
|
11
|
+
PrivilegeSet.add :news_item_create, "Allows creating news_item items"
|
|
12
|
+
PrivilegeSet.add :news_item_update, "Allows changing existing news_item items"
|
|
13
|
+
PrivilegeSet.add :news_item_administrator, "Allows administration of news items"
|
|
14
|
+
PrivilegeSet.add :news_item_moderator, "Moderator"
|
|
15
|
+
|
|
16
|
+
# Defining privileges
|
|
17
|
+
Privilege.resource :cbac_administration, "cbac/permissions/index"
|
|
18
|
+
Privilege.resource :cbac_administration, "cbac/permissions/update", :post
|
|
19
|
+
Privilege.resource :cbac_administration, "cbac/generic_roles/index"
|
|
20
|
+
Privilege.resource :cbac_administration, "cbac/generic_roles/update", :post
|
|
21
|
+
Privilege.resource :cbac_administration, "cbac/generic_roles/create", :post
|
|
22
|
+
Privilege.resource :cbac_administration, "cbac/generic_roles/delete", :post
|
|
23
|
+
Privilege.resource :cbac_administration, "cbac/memberships/index"
|
|
24
|
+
Privilege.resource :cbac_administration, "cbac/memberships/update", :post
|
|
25
|
+
Privilege.resource :cbac_administration, "cbac/upgrade/index"
|
|
26
|
+
Privilege.resource :cbac_administration, "cbac/upgrade/process_changes", :post
|
|
27
|
+
Privilege.resource :login, "news_items/login", :POST
|
|
28
|
+
Privilege.resource :news_item_read, "news_items/index"
|
|
29
|
+
Privilege.resource :news_item_read, "news_items/show"
|
|
30
|
+
Privilege.resource :news_item_create, "news_items/new"
|
|
31
|
+
Privilege.resource :news_item_create, "news_items/create", :POST
|
|
32
|
+
Privilege.resource :news_item_create, "news_items/create", :idempotent
|
|
33
|
+
Privilege.resource :news_item_update, "news_items/edit"
|
|
34
|
+
Privilege.resource :news_item_update, "news_items/update", :POST
|
|
35
|
+
|
|
36
|
+
# Recursive privilegesets
|
|
37
|
+
Privilege.include :news_item_moderator, :news_item_update
|
|
38
|
+
Privilege.include :news_item_administrator, [:news_item_read, :news_item_create, :news_item_update]
|
|
39
|
+
|
|
40
|
+
# Models
|
|
41
|
+
# Enforcing mode
|
|
42
|
+
#Privilege.model :blog_read, :blog, :load
|
|
43
|
+
#Privilege.model :blog_create, :blog, :save
|
|
44
|
+
#Privilege.model :blog_update, :blog, :update
|
|
45
|
+
#Privilege.model :blog_update, :blog, :delete
|
|
46
|
+
# model attributes
|
|
47
|
+
#Privilege.model_attribute :blog_update, :blog, :author, :write
|
|
48
|
+
#privilege.model_attribute :blog_update, :blog, :author, :w
|
|
49
|
+
#privilege.model_attribute :blog_update, :blog, :author, :rw
|
|
50
|
+
|
|
@@ -1,330 +1,330 @@
|
|
|
1
|
-
require 'spec'
|
|
2
|
-
require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
|
|
3
|
-
require 'cbac/cbac_pristine/pristine'
|
|
4
|
-
require 'cbac/cbac_pristine/pristine_permission'
|
|
5
|
-
require 'cbac/cbac_pristine/pristine_role'
|
|
6
|
-
require 'cbac/cbac_pristine/pristine_file'
|
|
7
|
-
include Cbac::CbacPristine
|
|
8
|
-
|
|
9
|
-
describe "CbacPristineFile" do
|
|
10
|
-
before(:each) do
|
|
11
|
-
@pristine_file = PristineFile.new("cbac.pristine")
|
|
12
|
-
end
|
|
13
|
-
|
|
14
|
-
describe "indicate if a line looks like a pristine line" do
|
|
15
|
-
|
|
16
|
-
it "should indicate that a ruby style comment line is not a pristine line" do
|
|
17
|
-
comment_line = "#this is a comment line in Ruby"
|
|
18
|
-
|
|
19
|
-
@pristine_file.is_pristine_permission_line?(comment_line, 1).should be_false
|
|
20
|
-
end
|
|
21
|
-
|
|
22
|
-
it "should raise an error if the line does not look like a pristine line" do
|
|
23
|
-
line = "this is not pristine line. And it isn't a comment. 1"
|
|
24
|
-
|
|
25
|
-
proc{
|
|
26
|
-
@pristine_file.is_pristine_permission_line?(line, 0)
|
|
27
|
-
}.should raise_error(SyntaxError)
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
it "should return true in case of a valid pristine line" do
|
|
31
|
-
line = "0:+:PrivilegeSet(login)ContextRole(everybody)"
|
|
32
|
-
|
|
33
|
-
@pristine_file.is_pristine_permission_line?(line, 0).should be_true
|
|
34
|
-
end
|
|
35
|
-
|
|
36
|
-
it "should fail if the id of the pristine line contains a character" do
|
|
37
|
-
line = "0b:+:PrivilegeSet(login)ContextRole(everybody)"
|
|
38
|
-
|
|
39
|
-
proc{
|
|
40
|
-
@pristine_file.is_pristine_permission_line?(line, 0)
|
|
41
|
-
}.should raise_error(SyntaxError)
|
|
42
|
-
end
|
|
43
|
-
|
|
44
|
-
it "should succeed if the privilege set name is not provided" do
|
|
45
|
-
line = "0:+:PrivilegeSet()Admin()"
|
|
46
|
-
|
|
47
|
-
@pristine_file.is_pristine_permission_line?(line, 0).should be_true
|
|
48
|
-
end
|
|
49
|
-
|
|
50
|
-
it "should succeed if the context role name is not provided" do
|
|
51
|
-
line = "0:+:PrivilegeSet(login)ContextRole()"
|
|
52
|
-
|
|
53
|
-
@pristine_file.is_pristine_permission_line?(line, 0).should be_true
|
|
54
|
-
end
|
|
55
|
-
|
|
56
|
-
end
|
|
57
|
-
|
|
58
|
-
describe "parse the privilege set name from a pristine line" do
|
|
59
|
-
it "should fail if the privilege set name is not provided" do
|
|
60
|
-
line = "0:+:PrivilegeSet()Admin()"
|
|
61
|
-
|
|
62
|
-
proc{
|
|
63
|
-
@pristine_file.parse_privilege_set_name(line, 0)
|
|
64
|
-
}.should raise_error(SyntaxError)
|
|
65
|
-
end
|
|
66
|
-
|
|
67
|
-
it "should return the name of the privilege set provided in the line" do
|
|
68
|
-
privilege_set_name = "chat"
|
|
69
|
-
line = "0:+:PrivilegeSet(#{privilege_set_name})Admin()"
|
|
70
|
-
|
|
71
|
-
@pristine_file.parse_privilege_set_name(line, 0).should == privilege_set_name
|
|
72
|
-
end
|
|
73
|
-
|
|
74
|
-
it "should fail if an invalid line is provided" do
|
|
75
|
-
line = "0:+:ContextRole(toeteraars)"
|
|
76
|
-
|
|
77
|
-
proc{
|
|
78
|
-
@pristine_file.parse_privilege_set_name(line, 0)
|
|
79
|
-
}.should raise_error(SyntaxError)
|
|
80
|
-
end
|
|
81
|
-
end
|
|
82
|
-
|
|
83
|
-
describe "parse the role from a pristine line" do
|
|
84
|
-
it "should return the admin role if the role is Admin()" do
|
|
85
|
-
admin_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:admin], :name => 'administrator')
|
|
86
|
-
PristineRole.stub!(:admin_role).and_return(admin_role)
|
|
87
|
-
line = "0:+:PrivilegeSet(chat)Admin()"
|
|
88
|
-
|
|
89
|
-
@pristine_file.parse_role(line, 0).should == admin_role
|
|
90
|
-
end
|
|
91
|
-
|
|
92
|
-
it "should return a context role if the role specified as ContextRole" do
|
|
93
|
-
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
|
94
|
-
|
|
95
|
-
@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:context]
|
|
96
|
-
end
|
|
97
|
-
|
|
98
|
-
it "should return a context role with specified name if the role specified as ContextRole" do
|
|
99
|
-
context_role_name = "logged_in_user"
|
|
100
|
-
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
|
101
|
-
|
|
102
|
-
@pristine_file.parse_role(line, 0).name.should == context_role_name
|
|
103
|
-
end
|
|
104
|
-
|
|
105
|
-
it "should return an existing context role with specified name if possible" do
|
|
106
|
-
context_role_name = "logged_in_user"
|
|
107
|
-
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
|
108
|
-
existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
|
|
109
|
-
|
|
110
|
-
@pristine_file.parse_role(line, 0).should == existing_context_role
|
|
111
|
-
end
|
|
112
|
-
|
|
113
|
-
it "should not return an existing context role with specified name if db should not be used" do
|
|
114
|
-
context_role_name = "logged_in_user"
|
|
115
|
-
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
|
116
|
-
existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
|
|
117
|
-
|
|
118
|
-
@pristine_file.parse_role(line, 0, false).should_not == existing_context_role
|
|
119
|
-
end
|
|
120
|
-
|
|
121
|
-
it "should return a context role with id of 0 if the role specified as ContextRole" do
|
|
122
|
-
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
|
123
|
-
|
|
124
|
-
@pristine_file.parse_role(line, 0).role_id.should == 0
|
|
125
|
-
end
|
|
126
|
-
|
|
127
|
-
it "should fail if an invalid line is provided" do
|
|
128
|
-
line = "0:+:PrivilegeSet(toeteraars)"
|
|
129
|
-
|
|
130
|
-
proc{
|
|
131
|
-
@pristine_file.parse_role(line, 0)
|
|
132
|
-
}.should raise_error(SyntaxError)
|
|
133
|
-
end
|
|
134
|
-
|
|
135
|
-
it "should fail if a generic role is provided for the normal (non-generic) pristine file" do
|
|
136
|
-
line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
|
|
137
|
-
|
|
138
|
-
proc{
|
|
139
|
-
@pristine_file.parse_role(line, 0)
|
|
140
|
-
}.should raise_error(SyntaxError)
|
|
141
|
-
end
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
it "should return a generic role if a generic pristine file is used" do
|
|
145
|
-
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
146
|
-
line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
|
|
147
|
-
|
|
148
|
-
@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:generic]
|
|
149
|
-
end
|
|
150
|
-
|
|
151
|
-
it "should return an existing generic role if use_db is not specified" do
|
|
152
|
-
generic_role_name = 'group_admins'
|
|
153
|
-
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
154
|
-
line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
|
|
155
|
-
existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
|
|
156
|
-
|
|
157
|
-
@pristine_file.parse_role(line, 0).should == existing_role
|
|
158
|
-
end
|
|
159
|
-
|
|
160
|
-
it "should not use an existing role if use_db is set to false" do
|
|
161
|
-
generic_role_name = 'group_admins'
|
|
162
|
-
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
163
|
-
line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
|
|
164
|
-
existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
|
|
165
|
-
|
|
166
|
-
@pristine_file.parse_role(line, 0, false).should_not == existing_role
|
|
167
|
-
end
|
|
168
|
-
|
|
169
|
-
it "should fail if an Admin role is used in a generic pristine file" do
|
|
170
|
-
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
171
|
-
line = "0:+:PrivilegeSet(chat)Admin()"
|
|
172
|
-
|
|
173
|
-
proc{
|
|
174
|
-
@pristine_file.parse_role(line, 0)
|
|
175
|
-
}.should raise_error(SyntaxError)
|
|
176
|
-
end
|
|
177
|
-
|
|
178
|
-
it "should fail if an context role is used in a generic pristine file" do
|
|
179
|
-
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
180
|
-
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
|
181
|
-
|
|
182
|
-
proc{
|
|
183
|
-
@pristine_file.parse_role(line, 0)
|
|
184
|
-
}.should raise_error(SyntaxError)
|
|
185
|
-
end
|
|
186
|
-
|
|
187
|
-
it "should fail if an invalid line is provided in a generic pristine file" do
|
|
188
|
-
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
189
|
-
line = "0:+:PrivilegeSet(toeteraars)"
|
|
190
|
-
|
|
191
|
-
proc{
|
|
192
|
-
@pristine_file.parse_role(line, 0)
|
|
193
|
-
}.should raise_error(SyntaxError)
|
|
194
|
-
end
|
|
195
|
-
end
|
|
196
|
-
|
|
197
|
-
describe "parsing a cbac_pristine file" do
|
|
198
|
-
|
|
199
|
-
it "should fail if a row number is used twice" do
|
|
200
|
-
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
201
|
-
pristine_file_lines.push("0:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
202
|
-
|
|
203
|
-
File.stub!(:open).and_return(pristine_file_lines)
|
|
204
|
-
|
|
205
|
-
pristine_file = PristineFile.new("cbac.pristine")
|
|
206
|
-
|
|
207
|
-
proc{
|
|
208
|
-
pristine_file.parse
|
|
209
|
-
}.should raise_error(SyntaxError)
|
|
210
|
-
end
|
|
211
|
-
|
|
212
|
-
it "should fill the lines array with an object for each file line" do
|
|
213
|
-
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
214
|
-
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
215
|
-
pristine_file_lines.push("2:+:PrivilegeSet(log_out)ContextRole(logged_in_user)")
|
|
216
|
-
|
|
217
|
-
File.stub!(:open).and_return(pristine_file_lines)
|
|
218
|
-
|
|
219
|
-
pristine_file = PristineFile.new("cbac.pristine")
|
|
220
|
-
pristine_file.parse
|
|
221
|
-
|
|
222
|
-
pristine_file.permissions.length.should == pristine_file_lines.length
|
|
223
|
-
end
|
|
224
|
-
|
|
225
|
-
it "should not create an object for a comment line" do
|
|
226
|
-
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
227
|
-
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
228
|
-
pristine_file_lines.push("#this is a Ruby comment line")
|
|
229
|
-
|
|
230
|
-
File.stub!(:open).and_return(pristine_file_lines)
|
|
231
|
-
|
|
232
|
-
pristine_file = PristineFile.new("cbac.pristine")
|
|
233
|
-
pristine_file.parse
|
|
234
|
-
|
|
235
|
-
pristine_file.permissions.length.should == 2
|
|
236
|
-
end
|
|
237
|
-
|
|
238
|
-
it "should also add a permission object if permission is revoked (operand - is used)" do
|
|
239
|
-
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
240
|
-
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
241
|
-
pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(logged_in_user)")
|
|
242
|
-
|
|
243
|
-
File.stub!(:open).and_return(pristine_file_lines)
|
|
244
|
-
|
|
245
|
-
pristine_file = PristineFile.new("cbac.pristine")
|
|
246
|
-
pristine_file.parse
|
|
247
|
-
|
|
248
|
-
pristine_file.permissions.length.should == 3
|
|
249
|
-
pristine_file.permissions[2].operation.should == '-'
|
|
250
|
-
end
|
|
251
|
-
|
|
252
|
-
it "should fail if a permission is revoked which wasn't added before" do
|
|
253
|
-
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
254
|
-
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
255
|
-
pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(everybody)")
|
|
256
|
-
|
|
257
|
-
File.stub!(:open).and_return(pristine_file_lines)
|
|
258
|
-
|
|
259
|
-
pristine_file = PristineFile.new("cbac.pristine")
|
|
260
|
-
proc{
|
|
261
|
-
pristine_file.parse
|
|
262
|
-
}.should raise_error(SyntaxError)
|
|
263
|
-
end
|
|
264
|
-
|
|
265
|
-
it "should fail if an x is used as an operand" do
|
|
266
|
-
pristine_file_lines = ["0:x:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
267
|
-
File.stub!(:open).and_return(pristine_file_lines)
|
|
268
|
-
|
|
269
|
-
pristine_file = PristineFile.new("cbac.pristine")
|
|
270
|
-
proc{
|
|
271
|
-
pristine_file.parse
|
|
272
|
-
}.should raise_error(NotImplementedError)
|
|
273
|
-
end
|
|
274
|
-
|
|
275
|
-
it "should fail if an => is used as an operand" do
|
|
276
|
-
pristine_file_lines = ["0:=>:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
277
|
-
File.stub!(:open).and_return(pristine_file_lines)
|
|
278
|
-
|
|
279
|
-
pristine_file = PristineFile.new("cbac.pristine")
|
|
280
|
-
proc{
|
|
281
|
-
pristine_file.parse
|
|
282
|
-
}.should raise_error(NotImplementedError)
|
|
283
|
-
end
|
|
284
|
-
end
|
|
285
|
-
|
|
286
|
-
describe "permission set" do
|
|
287
|
-
before(:each) do
|
|
288
|
-
@context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
|
289
|
-
@admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin],:name => "administrator")
|
|
290
|
-
@pristine_file = PristineFile.new("cbac.pristine")
|
|
291
|
-
end
|
|
292
|
-
|
|
293
|
-
it "should filter out the permissions which were revoked" do
|
|
294
|
-
permission_to_revoke = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
|
|
295
|
-
@pristine_file.permissions.push(permission_to_revoke)
|
|
296
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => permission_to_revoke.privilege_set_name, :pristine_role => permission_to_revoke.pristine_role, :operation => '-'))
|
|
297
|
-
|
|
298
|
-
@pristine_file.permission_set.should_not include(permission_to_revoke)
|
|
299
|
-
end
|
|
300
|
-
|
|
301
|
-
it "should not include the revoke permission itself" do
|
|
302
|
-
revoke_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '-')
|
|
303
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => revoke_permission.privilege_set_name, :pristine_role => revoke_permission.pristine_role, :operation => '+'))
|
|
304
|
-
@pristine_file.permissions.push(revoke_permission)
|
|
305
|
-
|
|
306
|
-
@pristine_file.permission_set.should_not include(revoke_permission)
|
|
307
|
-
end
|
|
308
|
-
|
|
309
|
-
it "should contain the permission if it is re-applied" do
|
|
310
|
-
re_applied_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
|
|
311
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '+'))
|
|
312
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '-'))
|
|
313
|
-
@pristine_file.permissions.push(re_applied_permission)
|
|
314
|
-
|
|
315
|
-
@pristine_file.permission_set.should include(re_applied_permission)
|
|
316
|
-
end
|
|
317
|
-
|
|
318
|
-
it "should raise an error if a permission is revoked which wasn't created before" do
|
|
319
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+'))
|
|
320
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "login", :pristine_role => @context_role, :operation => '+'))
|
|
321
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "blog_read", :pristine_role => @context_role, :operation => '-'))
|
|
322
|
-
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "update_blog", :pristine_role => @context_role, :operation => '+'))
|
|
323
|
-
|
|
324
|
-
proc {
|
|
325
|
-
@pristine_file.permission_set
|
|
326
|
-
}.should raise_error(ArgumentError)
|
|
327
|
-
|
|
328
|
-
end
|
|
329
|
-
end
|
|
1
|
+
require 'spec'
|
|
2
|
+
require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
|
|
3
|
+
require 'cbac/cbac_pristine/pristine'
|
|
4
|
+
require 'cbac/cbac_pristine/pristine_permission'
|
|
5
|
+
require 'cbac/cbac_pristine/pristine_role'
|
|
6
|
+
require 'cbac/cbac_pristine/pristine_file'
|
|
7
|
+
include Cbac::CbacPristine
|
|
8
|
+
|
|
9
|
+
describe "CbacPristineFile" do
|
|
10
|
+
before(:each) do
|
|
11
|
+
@pristine_file = PristineFile.new("cbac.pristine")
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
describe "indicate if a line looks like a pristine line" do
|
|
15
|
+
|
|
16
|
+
it "should indicate that a ruby style comment line is not a pristine line" do
|
|
17
|
+
comment_line = "#this is a comment line in Ruby"
|
|
18
|
+
|
|
19
|
+
@pristine_file.is_pristine_permission_line?(comment_line, 1).should be_false
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
it "should raise an error if the line does not look like a pristine line" do
|
|
23
|
+
line = "this is not pristine line. And it isn't a comment. 1"
|
|
24
|
+
|
|
25
|
+
proc{
|
|
26
|
+
@pristine_file.is_pristine_permission_line?(line, 0)
|
|
27
|
+
}.should raise_error(SyntaxError)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
it "should return true in case of a valid pristine line" do
|
|
31
|
+
line = "0:+:PrivilegeSet(login)ContextRole(everybody)"
|
|
32
|
+
|
|
33
|
+
@pristine_file.is_pristine_permission_line?(line, 0).should be_true
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
it "should fail if the id of the pristine line contains a character" do
|
|
37
|
+
line = "0b:+:PrivilegeSet(login)ContextRole(everybody)"
|
|
38
|
+
|
|
39
|
+
proc{
|
|
40
|
+
@pristine_file.is_pristine_permission_line?(line, 0)
|
|
41
|
+
}.should raise_error(SyntaxError)
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
it "should succeed if the privilege set name is not provided" do
|
|
45
|
+
line = "0:+:PrivilegeSet()Admin()"
|
|
46
|
+
|
|
47
|
+
@pristine_file.is_pristine_permission_line?(line, 0).should be_true
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
it "should succeed if the context role name is not provided" do
|
|
51
|
+
line = "0:+:PrivilegeSet(login)ContextRole()"
|
|
52
|
+
|
|
53
|
+
@pristine_file.is_pristine_permission_line?(line, 0).should be_true
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
describe "parse the privilege set name from a pristine line" do
|
|
59
|
+
it "should fail if the privilege set name is not provided" do
|
|
60
|
+
line = "0:+:PrivilegeSet()Admin()"
|
|
61
|
+
|
|
62
|
+
proc{
|
|
63
|
+
@pristine_file.parse_privilege_set_name(line, 0)
|
|
64
|
+
}.should raise_error(SyntaxError)
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
it "should return the name of the privilege set provided in the line" do
|
|
68
|
+
privilege_set_name = "chat"
|
|
69
|
+
line = "0:+:PrivilegeSet(#{privilege_set_name})Admin()"
|
|
70
|
+
|
|
71
|
+
@pristine_file.parse_privilege_set_name(line, 0).should == privilege_set_name
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
it "should fail if an invalid line is provided" do
|
|
75
|
+
line = "0:+:ContextRole(toeteraars)"
|
|
76
|
+
|
|
77
|
+
proc{
|
|
78
|
+
@pristine_file.parse_privilege_set_name(line, 0)
|
|
79
|
+
}.should raise_error(SyntaxError)
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
|
|
83
|
+
describe "parse the role from a pristine line" do
|
|
84
|
+
it "should return the admin role if the role is Admin()" do
|
|
85
|
+
admin_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:admin], :name => 'administrator')
|
|
86
|
+
PristineRole.stub!(:admin_role).and_return(admin_role)
|
|
87
|
+
line = "0:+:PrivilegeSet(chat)Admin()"
|
|
88
|
+
|
|
89
|
+
@pristine_file.parse_role(line, 0).should == admin_role
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
it "should return a context role if the role specified as ContextRole" do
|
|
93
|
+
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
|
94
|
+
|
|
95
|
+
@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:context]
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
it "should return a context role with specified name if the role specified as ContextRole" do
|
|
99
|
+
context_role_name = "logged_in_user"
|
|
100
|
+
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
|
101
|
+
|
|
102
|
+
@pristine_file.parse_role(line, 0).name.should == context_role_name
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
it "should return an existing context role with specified name if possible" do
|
|
106
|
+
context_role_name = "logged_in_user"
|
|
107
|
+
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
|
108
|
+
existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
|
|
109
|
+
|
|
110
|
+
@pristine_file.parse_role(line, 0).should == existing_context_role
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
it "should not return an existing context role with specified name if db should not be used" do
|
|
114
|
+
context_role_name = "logged_in_user"
|
|
115
|
+
line = "0:+:PrivilegeSet(chat)ContextRole(#{context_role_name})"
|
|
116
|
+
existing_context_role = PristineRole.create(:name => context_role_name, :role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context])
|
|
117
|
+
|
|
118
|
+
@pristine_file.parse_role(line, 0, false).should_not == existing_context_role
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
it "should return a context role with id of 0 if the role specified as ContextRole" do
|
|
122
|
+
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
|
123
|
+
|
|
124
|
+
@pristine_file.parse_role(line, 0).role_id.should == 0
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
it "should fail if an invalid line is provided" do
|
|
128
|
+
line = "0:+:PrivilegeSet(toeteraars)"
|
|
129
|
+
|
|
130
|
+
proc{
|
|
131
|
+
@pristine_file.parse_role(line, 0)
|
|
132
|
+
}.should raise_error(SyntaxError)
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
it "should fail if a generic role is provided for the normal (non-generic) pristine file" do
|
|
136
|
+
line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
|
|
137
|
+
|
|
138
|
+
proc{
|
|
139
|
+
@pristine_file.parse_role(line, 0)
|
|
140
|
+
}.should raise_error(SyntaxError)
|
|
141
|
+
end
|
|
142
|
+
|
|
143
|
+
|
|
144
|
+
it "should return a generic role if a generic pristine file is used" do
|
|
145
|
+
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
146
|
+
line = "0:+:PrivilegeSet(chat)GenericRole(group_admins)"
|
|
147
|
+
|
|
148
|
+
@pristine_file.parse_role(line, 0).role_type.should == PristineRole.ROLE_TYPES[:generic]
|
|
149
|
+
end
|
|
150
|
+
|
|
151
|
+
it "should return an existing generic role if use_db is not specified" do
|
|
152
|
+
generic_role_name = 'group_admins'
|
|
153
|
+
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
154
|
+
line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
|
|
155
|
+
existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
|
|
156
|
+
|
|
157
|
+
@pristine_file.parse_role(line, 0).should == existing_role
|
|
158
|
+
end
|
|
159
|
+
|
|
160
|
+
it "should not use an existing role if use_db is set to false" do
|
|
161
|
+
generic_role_name = 'group_admins'
|
|
162
|
+
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
163
|
+
line = "0:+:PrivilegeSet(chat)GenericRole(#{generic_role_name})"
|
|
164
|
+
existing_role = PristineRole.create(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:generic], :name => generic_role_name)
|
|
165
|
+
|
|
166
|
+
@pristine_file.parse_role(line, 0, false).should_not == existing_role
|
|
167
|
+
end
|
|
168
|
+
|
|
169
|
+
it "should fail if an Admin role is used in a generic pristine file" do
|
|
170
|
+
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
171
|
+
line = "0:+:PrivilegeSet(chat)Admin()"
|
|
172
|
+
|
|
173
|
+
proc{
|
|
174
|
+
@pristine_file.parse_role(line, 0)
|
|
175
|
+
}.should raise_error(SyntaxError)
|
|
176
|
+
end
|
|
177
|
+
|
|
178
|
+
it "should fail if an context role is used in a generic pristine file" do
|
|
179
|
+
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
180
|
+
line = "0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"
|
|
181
|
+
|
|
182
|
+
proc{
|
|
183
|
+
@pristine_file.parse_role(line, 0)
|
|
184
|
+
}.should raise_error(SyntaxError)
|
|
185
|
+
end
|
|
186
|
+
|
|
187
|
+
it "should fail if an invalid line is provided in a generic pristine file" do
|
|
188
|
+
@pristine_file = GenericPristineFile.new("cbac.pristine")
|
|
189
|
+
line = "0:+:PrivilegeSet(toeteraars)"
|
|
190
|
+
|
|
191
|
+
proc{
|
|
192
|
+
@pristine_file.parse_role(line, 0)
|
|
193
|
+
}.should raise_error(SyntaxError)
|
|
194
|
+
end
|
|
195
|
+
end
|
|
196
|
+
|
|
197
|
+
describe "parsing a cbac_pristine file" do
|
|
198
|
+
|
|
199
|
+
it "should fail if a row number is used twice" do
|
|
200
|
+
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
201
|
+
pristine_file_lines.push("0:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
202
|
+
|
|
203
|
+
File.stub!(:open).and_return(pristine_file_lines)
|
|
204
|
+
|
|
205
|
+
pristine_file = PristineFile.new("cbac.pristine")
|
|
206
|
+
|
|
207
|
+
proc{
|
|
208
|
+
pristine_file.parse
|
|
209
|
+
}.should raise_error(SyntaxError)
|
|
210
|
+
end
|
|
211
|
+
|
|
212
|
+
it "should fill the lines array with an object for each file line" do
|
|
213
|
+
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
214
|
+
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
215
|
+
pristine_file_lines.push("2:+:PrivilegeSet(log_out)ContextRole(logged_in_user)")
|
|
216
|
+
|
|
217
|
+
File.stub!(:open).and_return(pristine_file_lines)
|
|
218
|
+
|
|
219
|
+
pristine_file = PristineFile.new("cbac.pristine")
|
|
220
|
+
pristine_file.parse
|
|
221
|
+
|
|
222
|
+
pristine_file.permissions.length.should == pristine_file_lines.length
|
|
223
|
+
end
|
|
224
|
+
|
|
225
|
+
it "should not create an object for a comment line" do
|
|
226
|
+
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
227
|
+
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
228
|
+
pristine_file_lines.push("#this is a Ruby comment line")
|
|
229
|
+
|
|
230
|
+
File.stub!(:open).and_return(pristine_file_lines)
|
|
231
|
+
|
|
232
|
+
pristine_file = PristineFile.new("cbac.pristine")
|
|
233
|
+
pristine_file.parse
|
|
234
|
+
|
|
235
|
+
pristine_file.permissions.length.should == 2
|
|
236
|
+
end
|
|
237
|
+
|
|
238
|
+
it "should also add a permission object if permission is revoked (operand - is used)" do
|
|
239
|
+
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
240
|
+
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
241
|
+
pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(logged_in_user)")
|
|
242
|
+
|
|
243
|
+
File.stub!(:open).and_return(pristine_file_lines)
|
|
244
|
+
|
|
245
|
+
pristine_file = PristineFile.new("cbac.pristine")
|
|
246
|
+
pristine_file.parse
|
|
247
|
+
|
|
248
|
+
pristine_file.permissions.length.should == 3
|
|
249
|
+
pristine_file.permissions[2].operation.should == '-'
|
|
250
|
+
end
|
|
251
|
+
|
|
252
|
+
it "should fail if a permission is revoked which wasn't added before" do
|
|
253
|
+
pristine_file_lines = ["0:+:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
254
|
+
pristine_file_lines.push("1:+:PrivilegeSet(log_in)ContextRole(everybody)")
|
|
255
|
+
pristine_file_lines.push("2:-:PrivilegeSet(chat)ContextRole(everybody)")
|
|
256
|
+
|
|
257
|
+
File.stub!(:open).and_return(pristine_file_lines)
|
|
258
|
+
|
|
259
|
+
pristine_file = PristineFile.new("cbac.pristine")
|
|
260
|
+
proc{
|
|
261
|
+
pristine_file.parse
|
|
262
|
+
}.should raise_error(SyntaxError)
|
|
263
|
+
end
|
|
264
|
+
|
|
265
|
+
it "should fail if an x is used as an operand" do
|
|
266
|
+
pristine_file_lines = ["0:x:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
267
|
+
File.stub!(:open).and_return(pristine_file_lines)
|
|
268
|
+
|
|
269
|
+
pristine_file = PristineFile.new("cbac.pristine")
|
|
270
|
+
proc{
|
|
271
|
+
pristine_file.parse
|
|
272
|
+
}.should raise_error(NotImplementedError)
|
|
273
|
+
end
|
|
274
|
+
|
|
275
|
+
it "should fail if an => is used as an operand" do
|
|
276
|
+
pristine_file_lines = ["0:=>:PrivilegeSet(chat)ContextRole(logged_in_user)"]
|
|
277
|
+
File.stub!(:open).and_return(pristine_file_lines)
|
|
278
|
+
|
|
279
|
+
pristine_file = PristineFile.new("cbac.pristine")
|
|
280
|
+
proc{
|
|
281
|
+
pristine_file.parse
|
|
282
|
+
}.should raise_error(NotImplementedError)
|
|
283
|
+
end
|
|
284
|
+
end
|
|
285
|
+
|
|
286
|
+
describe "permission set" do
|
|
287
|
+
before(:each) do
|
|
288
|
+
@context_role = PristineRole.new(:role_id => 0, :role_type => PristineRole.ROLE_TYPES[:context], :name => "logged_in_user")
|
|
289
|
+
@admin_role = PristineRole.new(:role_id => 1, :role_type => PristineRole.ROLE_TYPES[:admin],:name => "administrator")
|
|
290
|
+
@pristine_file = PristineFile.new("cbac.pristine")
|
|
291
|
+
end
|
|
292
|
+
|
|
293
|
+
it "should filter out the permissions which were revoked" do
|
|
294
|
+
permission_to_revoke = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
|
|
295
|
+
@pristine_file.permissions.push(permission_to_revoke)
|
|
296
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => permission_to_revoke.privilege_set_name, :pristine_role => permission_to_revoke.pristine_role, :operation => '-'))
|
|
297
|
+
|
|
298
|
+
@pristine_file.permission_set.should_not include(permission_to_revoke)
|
|
299
|
+
end
|
|
300
|
+
|
|
301
|
+
it "should not include the revoke permission itself" do
|
|
302
|
+
revoke_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '-')
|
|
303
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => revoke_permission.privilege_set_name, :pristine_role => revoke_permission.pristine_role, :operation => '+'))
|
|
304
|
+
@pristine_file.permissions.push(revoke_permission)
|
|
305
|
+
|
|
306
|
+
@pristine_file.permission_set.should_not include(revoke_permission)
|
|
307
|
+
end
|
|
308
|
+
|
|
309
|
+
it "should contain the permission if it is re-applied" do
|
|
310
|
+
re_applied_permission = PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+')
|
|
311
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '+'))
|
|
312
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => re_applied_permission.privilege_set_name, :pristine_role => re_applied_permission.pristine_role, :operation => '-'))
|
|
313
|
+
@pristine_file.permissions.push(re_applied_permission)
|
|
314
|
+
|
|
315
|
+
@pristine_file.permission_set.should include(re_applied_permission)
|
|
316
|
+
end
|
|
317
|
+
|
|
318
|
+
it "should raise an error if a permission is revoked which wasn't created before" do
|
|
319
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "chat", :pristine_role => @context_role, :operation => '+'))
|
|
320
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "login", :pristine_role => @context_role, :operation => '+'))
|
|
321
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "blog_read", :pristine_role => @context_role, :operation => '-'))
|
|
322
|
+
@pristine_file.permissions.push(PristinePermission.new(:privilege_set_name => "update_blog", :pristine_role => @context_role, :operation => '+'))
|
|
323
|
+
|
|
324
|
+
proc {
|
|
325
|
+
@pristine_file.permission_set
|
|
326
|
+
}.should raise_error(ArgumentError)
|
|
327
|
+
|
|
328
|
+
end
|
|
329
|
+
end
|
|
330
330
|
end
|