checken 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6bdb1baf6e0ae23735e7a39a8887f8763d547ebc1729c9988db95933dce08f72
+  data.tar.gz: 689ace3710457f53b88a7928b02f48791ccd36d7054079de5b2faab99b50c4e7
+SHA512:
+  metadata.gz: a0c04c549042a1d9049a86aa485b2195af46fd2b92f68da4546455a3c180518a68c7f0135b247e24b4a49761686b2009bad89d650a3523bc52cc8fd629360145
+  data.tar.gz: 65b881ddbff40c87d633da457f02f925781442a13b45f648777574be0c7a5ed8cd781f1966b6c647e6d04e4c731a2d612e76f9a09bf4370d456941d4310c6745

data/lib/checken/concerns/has_parents.rb

@@ -0,0 +1,28 @@
+module Checken
+  module Concerns
+    module HasParents
+
+      # Return the full path to this permission
+      #
+      # @return [String]
+      def path
+        @key.nil? ? nil : [@group.path, @key].compact.join('.')
+      end
+
+      # Return the parents for ths group
+      #
+      # @return [Array<Checken::PermissionGroup, Checken::Permission>]
+      def parents
+        @key.nil? ? [] : [@group.parents, @group].compact.flatten
+      end
+
+      # Return the root group
+      #
+      # @return [Checken::PermissionGroup]
+      def root
+        @key.nil? ? self : parents.first
+      end
+
+    end
+  end
+end

data/lib/checken/config.rb

@@ -0,0 +1,40 @@
+require 'logger'
+require 'checken/user_proxy'
+
+module Checken
+  class Config
+
+    # The class that should be used to create user proxies.
+    #
+    # @return [Class]
+    def user_proxy_class
+      @user_proxy_class ||= UserProxy
+    end
+    attr_writer :user_proxy_class
+
+    # A logger class that will be used to log all activities
+    #
+    # @return [Logger]
+    def logger
+      @logger ||= Logger.new(log_path)
+    end
+    attr_writer :logger
+
+    # The path where logs should be written to if using the default logger
+    #
+    # @return [String]
+    def log_path
+      @log_path ||= "/dev/null"
+    end
+    attr_writer :log_path
+
+    # The method name which will return the current user object in any
+    # controller action.
+    #
+    # @return [Symbol]
+    def current_user_method_name
+      @current_user_method_name || :current_user
+    end
+
+  end
+end

data/lib/checken/dsl/group_dsl.rb

@@ -0,0 +1,80 @@
+require 'checken/dsl/set_dsl'
+
+module Checken
+  module DSL
+    class GroupDSL
+
+      def initialize(group, options = {})
+        @group = group
+
+        if options[:active_sets]
+          @active_sets = options[:active_sets]
+        end
+      end
+
+      def name(name)
+        @group.name = name
+      end
+
+      def description(description)
+        @group.description = description
+      end
+
+      def define_rule(key, *required_object_types, &block)
+        @group.define_rule(key, *required_object_types, &block)
+      end
+
+      def set(&block)
+        dsl = SetDSL.new(self)
+        active_sets << dsl
+        dsl.instance_eval(&block) if block_given?
+        dsl
+      ensure
+        active_sets.pop
+      end
+
+      def group(key, &block)
+        sub_group = @group.groups[key.to_sym] || @group.add_group(key.to_sym)
+        sub_group.dsl(:active_sets => active_sets, &block) if block_given?
+        sub_group
+      end
+
+      def permission(key, description = nil, &block)
+        permission = @group.add_permission(key)
+        permission.description = description
+
+        active_sets.each do |set_dsl|
+          set_dsl.required_object_types.each do |rot|
+            permission.add_required_object_type(rot)
+          end
+
+          set_dsl.rules.each do |key, rule|
+            permission.add_rule(key, rule)
+          end
+
+          set_dsl.dependencies.each do |path|
+            permission.add_dependency(path)
+          end
+
+          set_dsl.contexts.each do |context|
+            permission.add_context(context)
+          end
+
+          set_dsl.included_rules.each do |key, rule|
+            permission.include_rule(rule)
+          end
+        end
+
+        permission.dsl(&block) if block_given?
+        permission
+      end
+
+      private
+
+      def active_sets
+        @active_sets ||= []
+      end
+
+    end
+  end
+end

data/lib/checken/dsl/permission_dsl.rb

@@ -0,0 +1,40 @@
+module Checken
+  module DSL
+    class PermissionDSL
+
+      def initialize(permission)
+        @permission = permission
+      end
+
+      def rule(key, &block)
+        @permission.add_rule(key, &block)
+      end
+
+      def depends_on(path)
+        @permission.add_dependency(path)
+      end
+
+      def include_rule(key, options = {}, &block)
+        @permission.include_rule(key, options, &block)
+      end
+
+      def requires_object(*names)
+        names.each do |name|
+          @permission.add_required_object_type(name)
+        end
+      end
+
+      def context(*contexts)
+        contexts.each do |context|
+          @permission.add_context(context)
+        end
+      end
+
+      def context!(*contexts)
+        @permission.remove_all_contexts
+        context(*contexts)
+      end
+
+    end
+  end
+end

data/lib/checken/dsl/set_dsl.rb

@@ -0,0 +1,65 @@
+module Checken
+  module DSL
+    class SetDSL
+
+      attr_reader :rules
+      attr_reader :required_object_types
+      attr_reader :dependencies
+      attr_reader :contexts
+      attr_reader :included_rules
+
+      def initialize(group_dsl)
+        @group_dsl = group_dsl
+        @rules = {}
+        @required_object_types = []
+        @dependencies = []
+        @contexts = []
+        @included_rules = {}
+      end
+
+      def rule(name, &block)
+        @rules[name] = Rule.new(name, &block)
+      end
+
+      def include_rule(key, options = {}, &block)
+        @included_rules[key] = begin
+          rule = IncludedRule.new(key, &block)
+          rule.condition = options[:if]
+          rule
+        end
+      end
+
+      def requires_object(*names)
+        names.each do |name|
+          @required_object_types << name
+        end
+      end
+
+      def depends_on(*paths)
+        paths.each do |path|
+          @dependencies << path
+        end
+      end
+
+      def context(*contexts)
+        contexts.each do |context|
+          @contexts << context
+        end
+      end
+
+      def permission(name, description = nil, &block)
+        @group_dsl.permission(name, description, &block)
+      end
+
+      def group(key, &block)
+        # Pass the group back to the source group.
+        @group_dsl.group(key, &block)
+      end
+
+      def set(&block)
+        @group_dsl.set(&block)
+      end
+
+    end
+  end
+end

data/lib/checken/error.rb

@@ -0,0 +1,36 @@
+module Checken
+  class Error < StandardError
+  end
+
+  class PermissionNotFoundError < Error
+  end
+
+  class InvalidObjectError < Error
+  end
+
+  class NoPermissionsFoundError < Error
+  end
+
+  class SchemaError < Error
+  end
+
+  class PermissionDeniedError < Error
+    attr_reader :code
+    attr_reader :description
+    attr_reader :permission
+    attr_accessor :rule
+    attr_accessor :user
+    attr_accessor :object
+
+    def initialize(code, description, permission = nil)
+      @code = code
+      @description = description
+      @permission = permission
+      @memo = {}
+    end
+
+    def message
+      "Access denied: #{description} (#{code})"
+    end
+  end
+end

data/lib/checken/extensions/action_controller.rb

@@ -0,0 +1,72 @@
+module Checken
+  module Extensions
+    module ActionController
+
+      def self.included(base)
+        base.extend ClassMethods
+        base.helper_method :granted_checken_permissions
+        base.class_eval do
+          private :checken_user_proxy
+          private :restrict
+          private :granted_checken_permissions
+        end
+      end
+
+      def checken_user_proxy
+        # Can be overriden to return the user proxy class which can be used
+        # when performing permission checks using `restrict`.
+      end
+
+      def restrict(permission_path, object = nil, options = {})
+        if checken_user_proxy.nil?
+          user = send(Checken.current_schema.config.current_user_method_name)
+          user_proxy = Checken.current_schema.config.user_proxy_class.new(user)
+        else
+          user_proxy = checken_user_proxy
+        end
+        granted_permissions = Checken.current_schema.check_permission!(permission_path, user_proxy, object)
+        granted_permissions.each do |permission|
+          granted_checken_permissions << permission
+        end
+      end
+
+      def granted_checken_permissions
+        @granted_checken_permissions ||= []
+      end
+
+      module ClassMethods
+        def restrict(permission_path, object_or_options = {}, options_if_object_provided = {})
+          if object_or_options.is_a?(Hash)
+            object = nil
+            options = object_or_options
+          else
+            object = object_or_options
+            options = options_if_object_provided
+          end
+
+          restrict_options = options.delete(:restrict_options)
+
+          before_action(options) do
+            if object.is_a?(Proc)
+              # If a proc is given, resolve manually
+              resolved_object = object.call
+            elsif object.is_a?(Symbol)
+              if object.to_s =~ /\A@/
+                resolved_object = instance_variable_get(object.to_s)
+              else
+                resolved_object = send(object)
+              end
+            else
+              # Otherwise, the object is nil
+              resolved_object = nil
+            end
+
+            restrict(permission_path, resolved_object, restrict_options)
+          end
+
+        end
+      end
+
+    end
+  end
+end

data/lib/checken/included_rule.rb

@@ -0,0 +1,14 @@
+module Checken
+  class IncludedRule
+
+    attr_reader :key
+    attr_reader :block
+    attr_accessor :condition
+
+    def initialize(key, &block)
+      @key = key
+      @block = block
+    end
+
+  end
+end

data/lib/checken/permission.rb

@@ -0,0 +1,299 @@
+require 'checken/concerns/has_parents'
+require 'checken/dsl/permission_dsl'
+require 'checken/rule'
+require 'checken/rule_execution'
+require 'checken/included_rule'
+
+module Checken
+  class Permission
+
+    include Checken::Concerns::HasParents
+
+    attr_reader :group
+    attr_reader :key
+
+    # A description of this permission
+    #
+    # @return [String]
+    attr_accessor :description
+
+    # A list of permission paths that this permission depends on
+    #
+    # @return [Array<String>]
+    attr_reader :dependencies
+
+    # An array of object type names (as Strings) that the object passed to this
+    # permission must be one of. If empty, any object is permitted.
+    #
+    # @return [Array<String>]
+    attr_reader :required_object_types
+
+    # The name of the contexts that apply to this permission
+    #
+    # @return [Array<Symbol>]
+    attr_reader :contexts
+
+    # Create a new permission group
+    #
+    # @param group [Checken::PermissionGroup, nil]
+    # @param key [Symbol]
+    def initialize(group, key)
+      if group.nil?
+        raise Error, "Group must be provided when creating a permission"
+      end
+
+      @group = group
+      @key = key
+      @required_object_types = []
+      @dependencies = []
+      @contexts = []
+    end
+
+    # Return a description
+    #
+    # @return [String]
+    def description
+      @description || "#{path}"
+    end
+
+    # Check this permission and raises an error if not permitted.
+    #
+    # @param user [Object]
+    # @param object [Object]
+    # @raises [Checken::PermissionDeniedError]
+    # @raises [Checken::InvalidObjectError]
+    # @return true
+    def check!(user_proxy, object = nil)
+      # If we havent' been given a user proxy here, we need to make one. This
+      # shouldn't happen very often in production because everything would be
+      # encapsulated by the User#can? method.
+      unless user_proxy.is_a?(Checken::UserProxy)
+        user_proxy = @group.schema.config.user_proxy_class.new(user_proxy)
+      end
+
+      # If we're asking about this permission and we aren't in the correct
+      # context, it should be denied always.
+      unless @contexts.empty?
+        unless @contexts.any? { |c| user_proxy.contexts.include?(c) }
+          @group.schema.logger.info "`#{self.path}` not granted to #{user_proxy.description} because not in context."
+          error = PermissionDeniedError.new('NotInContext', "Permission '#{self.path}' cannot be granted in the #{user_proxy.contexts.join(',')} context(s). Only allowed for #{@contexts.join(', ')}.", self)
+          error.user = user_proxy.user
+          error.object = object
+          raise error
+        end
+      end
+
+      # Check the user has this permission
+      unless user_proxy.granted_permissions.include?(self.path)
+        @group.schema.logger.info "`#{self.path}` not granted to #{user_proxy.description}"
+        error = PermissionDeniedError.new('PermissionNotGranted', "User has not been granted the '#{self.path}' permission", self)
+        error.user = user_proxy.user
+        error.object = object
+        raise error
+      end
+
+      # Check other dependent rules once we've established this
+      # user has the base rule. The actual rules won't be checked
+      # until we've checked other rules.
+      dependencies_as_permissions.each do |dependency_permission|
+        @group.schema.logger.info "`#{self.path}` has a dependency of `#{dependency_permission.path}`..."
+        dependency_permission.check!(user_proxy, object)
+      end
+
+      # Check any included rules too
+      if unsatisifed_rule = self.first_unsatisfied_included_rule(user_proxy, object)
+        @group.schema.logger.info "`#{self.path} not granted to #{user_proxy.description} because rule `#{unsatisifed_rule.rule.key}` on `#{self.path}` was not satisified."
+        error = PermissionDeniedError.new('IncludedRuleNotSatisifed', "Rule #{unsatisifed_rule.rule.key} (on #{self.path}) was not satisified.", self)
+        error.rule = unsatisifed_rule
+        error.user = user_proxy.user
+        error.object = object
+        raise error
+      end
+
+      # Check rules
+      if self.required_object_types.empty? || self.required_object_types.include?(object.class.name)
+        if unsatisifed_rule = self.first_unsatisfied_rule(user_proxy, object)
+          @group.schema.logger.info "`#{self.path} not granted to #{user_proxy.description} because rule `#{unsatisifed_rule.rule.key}` on `#{self.path}` was not satisified."
+          error = PermissionDeniedError.new('RuleNotSatisifed', "Rule #{unsatisifed_rule.rule.key} (on #{self.path}) was not satisified.", self)
+          error.rule = unsatisifed_rule
+          error.user = user_proxy.user
+          error.object = object
+          raise error
+        else
+          @group.schema.logger.info "`#{self.path}` granted to #{user_proxy.description}"
+          [self, *dependencies_as_permissions]
+        end
+      else
+        # If one of the permission doesn't have the right object type, raise an error
+        raise InvalidObjectError, "The #{object.class.name} object provided to permission check for #{self.path} was not valid. Valid object types are: #{self.required_object_types.join(', ')}"
+      end
+    end
+
+    # Return a hash of all configured rules
+    #
+    # @return [Hash]
+    def rules
+      @rules ||= {}
+    end
+
+    # Add a new rule to this permission
+    #
+    # @param key [String]
+    # @return [Checken::Rule]
+    def add_rule(key, rule = nil, &block)
+      key = key.to_sym
+      if rules[key].nil?
+        rule ||= Rule.new(key, &block)
+        rules[key] = rule
+      else
+        raise Error, "Rule with key '#{key}' already exists on this permission"
+      end
+    end
+
+    # Return a hash of all configured included rules
+    #
+    # @return [Hash]
+    def included_rules
+      @included_rules ||= {}
+    end
+
+    # Add a new rule to this permission
+    #
+    # @param key [String]
+    # @return [Checken::Rule]
+    def include_rule(key_or_existing_rule, options = {}, &block)
+      if key_or_existing_rule.is_a?(IncludedRule)
+        key = key_or_existing_rule.key
+        included_rule = key_or_existing_rule
+      else
+        key = key_or_existing_rule.to_sym
+        included_rule = nil
+      end
+
+      if included_rules[key].nil?
+        included_rule ||= begin
+          new_rule = IncludedRule.new(key, &block)
+          new_rule.condition = options[:if]
+          new_rule
+        end
+        included_rules[key] = included_rule
+      else
+        raise Error, "Rule with key '#{key}' already been included on this permission"
+      end
+    end
+
+    # Add a new context to this permission
+    #
+    # @param context [Symbol]
+    # @return [Symbol, false]
+    def add_context(context)
+      context = context.to_sym
+      if self.contexts.include?(context)
+        false
+      else
+        self.contexts << context
+        context
+      end
+    end
+
+    # Remove all context from this permission
+    #
+    # @return [Integer]
+    def remove_all_contexts
+      previous_size = @contexts.size
+      @contexts = []
+      previous_size
+    end
+
+    # Add a new dependency to this permission
+    #
+    # @param path [String]
+    # @return [String, false]
+    def add_dependency(path)
+      path = path.to_s
+      if dependencies.include?(path)
+        false
+      else
+        dependencies << path
+        path
+      end
+    end
+
+    # Add a new dependency to this permission
+    #
+    # @param path [String]
+    # @return [String, false]
+    def add_required_object_type(type)
+      type = type.to_s
+      if required_object_types.include?(type)
+        false
+      else
+        required_object_types << type
+        type
+      end
+    end
+
+    # Check all the rules for this permission and ensure they are compliant.
+    #
+    # @param [Checken::UserProxy]
+    # @param [Object]
+    # @return [Checken::Rule, false] false if all rules are satisified
+    def first_unsatisfied_rule(user_proxy, object)
+      self.rules.values.each do |rule|
+        rule_execution = RuleExecution.new(rule, user_proxy.user, object)
+        unless rule_execution.satisfied?
+          return rule_execution
+        end
+      end
+      nil
+    end
+
+    def first_unsatisfied_included_rule(user_proxy, object)
+      self.included_rules.values.each do |included_rule|
+
+        if included_rule.condition && !included_rule.condition.call(user_proxy.user, object)
+          # If the inclusion has a condition, check that and skip this
+          # included rule if it's not valid.
+          next
+        end
+
+        if included_rule.block
+          translated_object = included_rule.block.call(object)
+        else
+          translated_object = object
+        end
+
+        rule = @group.all_defined_rules[included_rule.key]
+        if rule.nil?
+          raise Error, "No defined rule with key #{included_rule.key} is available for #{self.path}"
+        end
+
+        unless rule.required_object_types.empty? || rule.required_object_types.include?(translated_object.class.name)
+          raise InvalidObjectError, "The #{translated_object.class.name} object provided to included rule (#{rule.key}) for #{self.path} was not valid. Valid object types are: #{rule.required_object_types.join(', ')}"
+        end
+
+        rule_execution = RuleExecution.new(rule, user_proxy.user, translated_object)
+        unless rule_execution.satisfied?
+          return rule_execution
+        end
+      end
+      nil
+    end
+
+    def dsl(&block)
+      dsl = DSL::PermissionDSL.new(self)
+      dsl.instance_eval(&block) if block_given?
+      dsl
+    end
+
+    # Return an array of all dependencies as permissions
+    #
+    # @return [Array<Checken::Permission>]
+    def dependencies_as_permissions
+      @dependencies_as_permissions ||= dependencies.map do |path|
+        @group.schema.root_group.find_permissions_from_path(path)
+      end.flatten
+    end
+
+  end
+end

data/lib/checken/permission_group.rb

@@ -0,0 +1,169 @@
+require 'checken/permission'
+require 'checken/error'
+require 'checken/concerns/has_parents'
+require 'checken/dsl/group_dsl'
+
+module Checken
+  class PermissionGroup
+
+    include Checken::Concerns::HasParents
+
+    attr_accessor :name
+    attr_accessor :description
+    attr_reader :schema
+    attr_reader :group
+    attr_reader :key
+    attr_reader :groups
+    attr_reader :permissions
+    attr_reader :defined_rules
+
+    # Return a group or permission matching the given key
+    #
+    # @param group_or_permission_key [Symbol]
+    # @return [Checken::PermissionGroup, Checken::Permission, nil]
+    def [](group_or_permission_key)
+      @groups[group_or_permission_key.to_sym] || @permissions[group_or_permission_key.to_sym]
+    end
+
+    # Create a new permission group
+    #
+    # @param group [Checken::PermissionGroup, nil]
+    # @param key [Symbol]
+    def initialize(schema, group, key = nil)
+      if group && key.nil?
+        raise Error, "Cannot create a new non-root permission group without a key"
+      elsif group.nil? && key
+        raise Error, "Cannot create a new root permission group with a key"
+      end
+
+      @schema = schema
+      @group = group
+      @key = key.to_sym if key
+      @groups = {}
+      @permissions = {}
+      @defined_rules = {}
+    end
+
+    # Return a group or a permission that matches the given key
+    #
+    # @return [Cheken::PermissionGroup, Checken::Permission]
+    def group_or_permission(key)
+      key = key.to_sym
+      @groups[key] || @permissions[key]
+    end
+
+    # Adds a new sub group to this group
+    #
+    # @param key [String]
+    # @return [Checken::PermissionGroup]
+    def add_group(key)
+      key = key.to_sym
+      if group_or_permission(key).nil?
+        @groups[key] = PermissionGroup.new(@schema, self, key)
+      else
+        raise Error, "Group or permission with key of #{key} already exists"
+      end
+    end
+
+    # Adds a permission to the group
+    #
+    # @param key [String]
+    # @return [Checken::Permission]
+    def add_permission(key)
+      key = key.to_sym
+      if group_or_permission(key).nil?
+        @permissions[key] = Permission.new(self, key)
+      else
+        raise Error, "Group or permission with key of #{key} already exists"
+      end
+    end
+
+    # Define a new global rule that can be used by any permissions
+    #
+    # @param key [Symbol]
+    # @param required_object_types [Array]
+    # @return [Checken::Rule]
+    def define_rule(key, *required_object_types, &block)
+      if all_defined_rules[key.to_sym]
+        raise Checken::Error, "Rule #{key} has already been defined"
+      else
+        rule = Rule.new(key, &block)
+        required_object_types.each { |rot| rule.required_object_types << rot }
+        @defined_rules[key.to_sym] = rule
+        rule
+      end
+    end
+
+    # Return an array of all defined rules on this and all upper groups
+    #
+    # @return [Array<Checken::Rule>]
+    def all_defined_rules
+      if @group
+        @defined_rules.merge(@group.all_defined_rules)
+      else
+        @defined_rules
+      end
+    end
+
+    # Find permissions from a path
+    def find_permissions_from_path(path)
+      unless path.is_a?(String) && path.length > 0
+        raise PermissionNotFoundError, "Must provide a permission path"
+      end
+
+      path_parts = path.split('.').map(&:to_sym)
+      last_group_or_permission = self
+      while part = path_parts.shift
+        if part == :*
+          if path_parts.empty?
+            # We're at the end of the path, that's an acceptable place for a wildcard.
+            # Return all the permissions in the final group.
+            return last_group_or_permission.permissions.values
+          else
+            raise Error, "Wildcards must be placed at the end of a permission path"
+          end
+        elsif part == :** && path_parts[0] == :*
+          # If we get a **.* wildcard, we should find permissions in the sub groups too.
+          return last_group_or_permission.all_permissions
+        else
+          last_group_or_permission = last_group_or_permission.group_or_permission(part)
+          if last_group_or_permission.is_a?(Permission) && !path_parts.empty?
+            raise Error, "Permission found too early in the path. Permission key should always be at the end of the path."
+          elsif last_group_or_permission.nil?
+            raise PermissionNotFoundError, "No permission found matching '#{path}'"
+          end
+        end
+      end
+
+      if last_group_or_permission.is_a?(Permission)
+        [last_group_or_permission]
+      else
+        raise Error, "Last part of path was not a permission. Last part of permission must be a path"
+      end
+    end
+
+    # Return all permissions in this group and all the permissions in its sub groups
+    #
+    # @return [Array<Checken::Permission>]
+    def all_permissions
+      array = []
+      @permissions.each { |_, permission| array << permission }
+      @groups.each do |_, group|
+        group.all_permissions.each do |permission|
+          array << permission
+        end
+      end
+      array
+    end
+
+    # Execute the given block within the group DSL
+    #
+    # @return [Checken::DSL::GroupDSL]
+    def dsl(options = {}, &block)
+      dsl = DSL::GroupDSL.new(self, options)
+      dsl.instance_eval(&block)
+      dsl
+    end
+
+  end
+end

data/lib/checken/railtie.rb

@@ -0,0 +1,32 @@
+require 'checken/schema'
+require 'checken/reload_middleware'
+
+module Checken
+  class Railtie < Rails::Railtie
+
+    initializer 'checken.initialize' do |app|
+      # Initialize a new schema for the application when it is loaded.
+      Checken::Schema.instance = Checken::Schema.new
+
+      # Default configuration
+      Checken::Schema.instance.configure do |config|
+        # Set the logger to log into a file in the log directory.
+        # This can be overriden later if needed.
+        config.log_path = Rails.root.join('log', 'checken.log')
+      end
+
+      # Load from a directory
+      Checken::Schema.instance.load_from_directory(Rails.root.join('permissions'))
+
+      # Add controller options
+      ActiveSupport.on_load :action_controller do
+        require 'checken/extensions/action_controller'
+        include Checken::Extensions::ActionController
+      end
+
+      # Insert the middleware
+      app.middleware.insert_before(ActionDispatch::Callbacks, Checken::ReloadMiddleware)
+    end
+
+  end
+end

data/lib/checken/reload_middleware.rb

@@ -0,0 +1,25 @@
+require 'checken/schema'
+
+module Checken
+  class ReloadMiddleware
+
+    MUTEX = Mutex.new
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      # If we need to reload, we shall do that here.
+      unless Rails.application.config.cache_classes
+        MUTEX.synchronize do
+          Checken::Schema.instance.reload
+        end
+      end
+
+      # Call our app as normal
+      @app.call(env)
+    end
+
+  end
+end

data/lib/checken/rule.rb

@@ -0,0 +1,22 @@
+module Checken
+  class Rule
+
+    attr_reader :key
+    attr_reader :required_object_types
+
+    def initialize(key, &block)
+      @key = key
+      @block = block
+      @required_object_types = []
+    end
+
+    # Are we satisifed that this rule's condition is true?
+    #
+    # @param user [Checken::User]
+    # @return [Boolean]
+    def satisfied?(rule_execution)
+      !!@block.call(rule_execution.user, rule_execution.object, rule_execution)
+    end
+
+  end
+end

data/lib/checken/rule_execution.rb

@@ -0,0 +1,21 @@
+module Checken
+  class RuleExecution
+
+    attr_reader :rule
+    attr_reader :user
+    attr_reader :object
+    attr_reader :memo
+
+    def initialize(rule, user, object = nil)
+      @rule = rule
+      @user = user
+      @object = object
+      @memo = {}
+    end
+
+    def satisfied?
+      @rule.satisfied?(self)
+    end
+
+  end
+end

data/lib/checken/schema.rb

@@ -0,0 +1,132 @@
+require 'checken/config'
+require 'checken/permission'
+require 'checken/permission_group'
+
+module Checken
+  class Schema
+
+    class << self
+      # This can be used for storing a global instance of a schema for an application
+      # that may require such a thing.
+      attr_accessor :instance
+    end
+
+    attr_reader :root_group
+    attr_reader :config
+
+    # Create a new schema
+    #
+    def initialize
+      @root_group = PermissionGroup.new(self, nil)
+      @config = Config.new
+    end
+
+    # Add configuration for this schema
+    def configure(&block)
+      block.call(@config)
+    end
+
+    # Does the given user have the appropriate permissions to handle?
+    #
+    # @param permission_path [String]
+    # @param user [User]
+    # @param object [Object]
+    def check_permission!(permission_path, user_proxy, object = nil)
+      permissions = @root_group.find_permissions_from_path(permission_path)
+
+      if permissions.size == 1
+        # If we only have a single permission, we'll just run the check
+        # as normal through the check process. This will work as normal and raise
+        # and return directly.
+        permissions.first.check!(user_proxy, object)
+
+      elsif permissions.size == 0
+        # No permissions found
+        raise Checken::NoPermissionsFoundError, "No permissions found matching #{permission_path}"
+
+      else
+        # If we have multiple permissions, we need to loop through each permission
+        # and handle them as appropriate.
+        granted_permissions = []
+        ungranted_permissions = 0
+        permissions.each do |permission|
+          begin
+            permission.check!(user_proxy, object).each do |permission|
+              granted_permissions << permission
+            end
+          rescue Checken::PermissionDeniedError => e
+            if e.code == 'PermissionNotGranted'
+              # If the permission isn't granted, update the counter so we can
+              # keep track of the number of ungranted permissions.
+              ungranted_permissions += 1
+            else
+              # Raise other errors as normal
+              raise
+            end
+          end
+        end
+
+        if permissions.size == ungranted_permissions
+          # If the user is ungranted to all the found permissions, they do not
+          # have access and should be denied.
+          raise PermissionDeniedError.new('PermissionNotGranted', "User does not have any permissions #{permissions.map(&:path).join(', ')} permission.", permissions.first)
+        else
+          granted_permissions
+        end
+      end
+    end
+
+    # Load a set of schema files from a given directory
+    #
+    # @param path [String]
+    # @return [Boolean]
+    def load_from_directory(path)
+      # Store the load path for future reload
+      @load_path = path
+
+      # If the path doesn't exist, just return false. We won't load anything
+      # if the directory hasnt' been loaded yet.
+      unless File.exist?(path)
+        return false
+      end
+
+      # Check that the directory is a a directory
+      unless File.directory?(path)
+        raise Error, "Path to directory must be a directory. #{path} is not a directory."
+      end
+
+      # Read all the files and pass them through the DSL for the root schema.
+      # Each directory is a group. Everything in the root will be at the root.
+      Dir[File.join(path, "**", "*.rb")].each do |path|
+        contents = File.read(path)
+        dsl = DSL::GroupDSL.new(@root_group)
+        dsl.instance_eval(contents, path)
+      end
+
+      logger.info "Loaded permission schema from #{path}"
+
+      true
+    end
+
+    # Reload the schema from the directory if possible
+    #
+    # @return [void]
+    def reload
+      if @load_path
+        @root_group = PermissionGroup.new(self, nil)
+        load_from_directory(@load_path)
+        true
+      else
+        raise Error, "Cannot reload a schema that wasn't loaded from a directory"
+      end
+    end
+
+    # Return the logger
+    #
+    # @return [Logger]
+    def logger
+      @config.logger
+    end
+
+  end
+end

data/lib/checken/user.rb

@@ -0,0 +1,36 @@
+module Checken
+  module User
+
+    # Can the user perform the given action?
+    #
+    # @param permission_path [String] the permission name/path
+    # @option options [Checken::Schema] :schema an optional scheme to use
+    # @return [Boolean]
+    def check_permission!(permission_path, object_or_options = {}, options_when_object_provided = {})
+      if object_or_options.is_a?(Hash)
+        object = nil
+        options = object_or_options
+      else
+        object = object_or_options
+        options = options_when_object_provided
+      end
+
+      schema = options.delete(:schema) || Checken.current_schema || Checken::Schema.instance
+
+      if schema.nil?
+        raise Error, "Could not determine a schema. Make sure you set Checken.current_schema or pass :schema to can? methods."
+      end
+
+      user_proxy = schema.config.user_proxy_class.new(self)
+      schema.check_permission!(permission_path, user_proxy, object)
+    end
+
+    def can?(*args)
+      check_permission!(*args)
+      true
+    rescue Checken::PermissionDeniedError => e
+      false
+    end
+
+  end
+end

data/lib/checken/user_proxy.rb

@@ -0,0 +1,49 @@
+module Checken
+  # The user proxy class sits on top of a user and provides the methods that
+  # checken needs. You can write your own proxy or use the default. If you use
+  # the default you'll need to make sure that the users you provide implement
+  # the methods this proxy will call.
+  #
+  # All interactions between checken and a user will happen via a proxy. This
+  # default class is a useful benchmark list of how your user should behave.
+  class UserProxy
+
+    attr_accessor :user
+
+    # @param user [Object]
+    def initialize(user)
+      @user = user
+    end
+
+    # Return a suitable description for this user for use in log files
+    #
+    # @return [String]
+    def description
+      if @user.respond_to?(:id)
+        "#{@user.class}##{@user.id}"
+      else
+        "#{@user.class}"
+      end
+    end
+
+    # Returns an array of permissions that this user has permission to
+    # use.
+    #
+    # @return [Array<String>]
+    def granted_permissions
+      @user.assigned_checken_permissions
+    end
+
+    # An array of contexts that this user is part of
+    #
+    # @return [Array<Symbol>]
+    def contexts
+      if @user.respond_to?(:checken_contexts)
+        @user.checken_contexts
+      else
+        []
+      end
+    end
+
+  end
+end

data/lib/checken/version.rb

@@ -0,0 +1,3 @@
+module Checken
+  VERSION = '0.0.3'
+end

data/lib/checken.rb

@@ -0,0 +1,20 @@
+require 'checken/version'
+require 'checken/user'
+
+module Checken
+
+  # Return the current global scheme
+  def self.current_schema
+    Thread.current[:cheken_schema] || Checken::Schema.instance
+  end
+
+  # Set the current global schema
+  def self.current_schema=(schema)
+    Thread.current[:cheken_schema] = schema
+  end
+
+end
+
+if defined?(Rails)
+  require 'checken/railtie'
+end

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification
+name: checken
+version: !ruby/object:Gem::Version
+  version: 0.0.3
+platform: ruby
+authors:
+- Adam Cooke
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-03-27 00:00:00.000000000 Z
+dependencies: []
+description: An authorization framework for Ruby & Rails applications.
+email:
+- adam@krystal.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/checken.rb
+- lib/checken/concerns/has_parents.rb
+- lib/checken/config.rb
+- lib/checken/dsl/group_dsl.rb
+- lib/checken/dsl/permission_dsl.rb
+- lib/checken/dsl/set_dsl.rb
+- lib/checken/error.rb
+- lib/checken/extensions/action_controller.rb
+- lib/checken/included_rule.rb
+- lib/checken/permission.rb
+- lib/checken/permission_group.rb
+- lib/checken/railtie.rb
+- lib/checken/reload_middleware.rb
+- lib/checken/rule.rb
+- lib/checken/rule_execution.rb
+- lib/checken/schema.rb
+- lib/checken/user.rb
+- lib/checken/user_proxy.rb
+- lib/checken/version.rb
+homepage: https://github.com/krystal/checken
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'false'
+  changelog_uri: https://github.com/krystal/checken/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: This gem provides a friendly DSL for managing and enforcing permissions.
+test_files: []