checkpoint 1.0.0 → 1.0.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 6a1c461fe8389571e1850b62a87c9d0db9ade53e
4
- data.tar.gz: 2854266ee72cf25d1e789aed12eb63e27e7436a5
2
+ SHA256:
3
+ metadata.gz: a2cf353cc2bb33e3ccbce11553f4bc0194ebdbc7ca7f438cfdad5fe01ae13865
4
+ data.tar.gz: 836124e3b1327020e8b05e667febed345469dd60200b2b2a98f1182a8b4e1cc8
5
5
  SHA512:
6
- metadata.gz: cea376e3ab91a65d63e86b64b7eddd54ea4edbf5a403763e099a334ca1546454b3e4d86a666cafa56e4b1db7c663a8d89ed4f52a890b358975e3f8f071851ae2
7
- data.tar.gz: ae1c1b1bdb8bfe5705ede2d5d4478a8888884200307008206e80680b49f75785ed8d02d02a13856c9a137b559a204807fc46910a27a2b7dde054c61e97d0e4a3
6
+ metadata.gz: fe22903fad979e47556ffc5a7cbc3a1ec6f7e03509092ecff08b28c600af54400aa8b5438c1dca271881611a4b2eeee7ea072a6b9e361c567a201421aa90a41d
7
+ data.tar.gz: 43b0e8b1c4ad32176a574b151ccb6453d0aa4963374eb479b4cc0f42c61f18992d9397ae9e69236d9615b3ef3514584a5608d2c87b8626dd1c160b8355ff5184
@@ -1,6 +1,6 @@
1
1
  # frozen_string_literal: true
2
2
 
3
- lib = File.expand_path("../lib", __FILE__)
3
+ lib = File.expand_path('lib', __dir__)
4
4
  $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
5
5
  require "checkpoint/version"
6
6
 
@@ -3,7 +3,7 @@
3
3
  module Checkpoint
4
4
  module DB
5
5
  # Sequel model for permits
6
- class Permit < Sequel::Model
6
+ class Permit < Sequel::Model(DB.db)
7
7
  # Instantiate a Permit from the constituent domain objects (agent,
8
8
  # resource, credential).
9
9
  def self.from(agent, credential, resource, zone: 'system')
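Review bot: `class Permit < Sequel::Model(DB.db)` evaluates `DB.db` at the moment this file is loaded, so the model now needs a usable database handle at require time rather than at first query. Nothing in this hunk shows what `DB.db` returns before `Checkpoint::DB.initialize!` has run; document the required load order next to the class, or have `DB.db` raise a descriptive error when it is called unconfigured, so that requiring the model too early fails in a way that is easy to trace.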
@@ -42,23 +42,23 @@ module Checkpoint
42
42
  end
43
43
 
44
44
  def before_blocks
45
- @before ||= []
45
+ @before_blocks ||= []
46
46
  end
47
47
 
48
48
  def after_blocks
49
- @after ||= []
49
+ @after_blocks ||= []
50
50
  end
51
51
 
52
52
  def ready_blocks
53
- @ready ||= []
53
+ @ready_blocks ||= []
54
54
  end
55
55
 
56
56
  def under_rake!
57
- @rake = true
57
+ @under_rake = true
58
58
  end
59
59
 
60
60
  def under_rake?
61
- @rake ||= false
61
+ @under_rake ||= false
62
62
  end
63
63
  end
64
64
 
@@ -82,14 +82,7 @@ module Checkpoint
82
82
  Railtie.after_blocks.each do |block|
83
83
  block.call(config.to_h)
84
84
  end
85
- end
86
85
 
87
- # This runs before any block registered under a `config.to_prepare`, which
88
- # could be in plugins or initializers that want to use a fully configured
89
- # Checkpoint instance. The `to_prepare` hook is run once at the start of a
90
- # production instance and for every request in development (unless caching
91
- # is turned on so there is no reloading).
92
- initializer "checkpoint.ready", after: :finisher_hook do
93
86
  Checkpoint::DB.initialize! unless Railtie.under_rake?
94
87
 
95
88
  Railtie.ready_blocks.each do |block|
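Review bot: removing the `initializer "checkpoint.ready", after: :finisher_hook do` wrapper and the `end` above it folds `Checkpoint::DB.initialize!` and the ready blocks into the block that runs `Railtie.after_blocks`, and the comment that explained their ordering relative to `config.to_prepare` is deleted with nothing in its place. The deleted comment described ready blocks as the hook for code that wants a fully configured Checkpoint instance, so add a replacement comment stating when they now run and whether that is still before any `to_prepare` callback.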
@@ -97,9 +90,14 @@ module Checkpoint
97
90
  end
98
91
  end
99
92
 
93
+ def rake_files
94
+ base = Pathname(__dir__) + '../tasks/'
95
+ [base + 'migrate.rake']
96
+ end
97
+
100
98
  rake_tasks do
101
99
  Railtie.under_rake!
102
- load "tasks/migrate.rake"
100
+ rake_files.each { |file| load file }
103
101
  end
104
102
  end
105
103
  end
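Review bot: `rake_files` is added without a comment and uses `Pathname(__dir__)`, but this hunk does not show `pathname` being required; if the file does not already require it, loading the Railtie outside Rails will fail here. Anchoring the task file at `__dir__` is a sound change from `load "tasks/migrate.rake"`, which left the lookup to the load path; `File.expand_path('../tasks/migrate.rake', __dir__)` would give the same absolute path with no extra dependency.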
@@ -3,18 +3,66 @@
3
3
  module Checkpoint
4
4
  class Resource
5
5
  # A Resource Resolver takes a concrete object (like a model instance) and
6
- # resolves it into all {Resource}s for which a permit would allow an action.
6
+ # resolves it into all {Resource}s for which a grant would allow an action.
7
7
  # For example, this can be used to grant a credential on all items of a given
8
8
  # model class or to implement cascading permissions when all credentials for
9
9
  # a container should apply to the contained objects.
10
10
  #
11
- # NOTE: This implementation currently always resolves to the entity and its
12
- # type and nothing more. This needs some thought on an appropriate extension
13
- # mechanism to mirror the {PermissionMapper}.
11
+ # This base implementation resolves to three agents: one for the entity
12
+ # itself, one for all entities of its type, and one for all entities of any
13
+ # type. This provides a convenient and familiar construct, where a broader
14
+ # grant (say, at the type level, or for "everything") implies a grant at
15
+ # the more specific level.
16
+ #
17
+ # If an application needs to have broader grants that should be revocable
18
+ # at a more specific level, this could be done in a specific policy, or by
19
+ # implementing a custom resource resolver. The policy approach would be
20
+ # localized to where it is needed, and is recommended in order to keep the
21
+ # semantics of resource resolution consistent with other applications.
22
+ #
23
+ # A custom resource resolver could be useful particularly in cases where
24
+ # there is equivalence or cascading across entities or types and those
25
+ # rules need to be maintained consistently across policies or in support of
26
+ # building administrative interfaces.
27
+ #
28
+ # Checkpoint does not enforce the decision of where necessary complexity
29
+ # resides in an application, though the general notion is that application
30
+ # policies should be the first place to add specialized rules. If rules are
31
+ # more complex, base policies or delegation are helpful tools. And, if
32
+ # there is even more complexity, Checkpoint allows its fundamental
33
+ # semantics to be extended by implementing a custom resolver.
14
34
  class Resolver
35
+ # Resolve an application entity into a set of Resources for which a grant
36
+ # would allow access.
37
+ #
38
+ # The entity will be converted to a Resource with {Resource::from} and
39
+ # {Resource::AllOfType::from}. That is, the Resolver does a
40
+ # straightforward expansion, not applying any of its own conversion
41
+ # semantics. The special {Resource::all} resource is also included to
42
+ # support zone-wide grants.
43
+ #
44
+ # As an example, permission to download high quality versions of media
45
+ # assets might be granted to a given user system wide (that is, for the
46
+ # special 'all' resource). Implementing in this way, the credential would
47
+ # be a specific permission in the domain (e.g., permission:high-quality),
48
+ # and it would be checked when authorizing those downloads.
49
+ #
50
+ # An alternative approach would be to grant a generic permission (e.g.,
51
+ # permission:download) to that user for a specific resource type modeling
52
+ # the high quality version. Which is more appropriate depends on the
53
+ # conceptual models and design of an application and Checkpoint does not
54
+ # enforce one design decision over another.
55
+ #
56
+ # If these default extension mechanisms do not match an application's
57
+ # needs, a custom implementation may be used with whatever resolution is
58
+ # appropriate. This could be especially useful if it is commonly needed
59
+ # to authorize actions on a specific resource, while permissions for it
60
+ # should be inherited from a container resource. For some applications,
61
+ # this approach may be more convenient than, for example, delegating to a
62
+ # specific policy in the same way from multiple sections of the
63
+ # application.
15
64
  def resolve(target)
16
- return [target] if target.is_a?(Resource)
17
- [Resource.from(target), Resource::AllOfType.from(target)]
65
+ [Resource.from(target), Resource::AllOfType.from(target), Resource.all]
18
66
  end
19
67
  end
20
68
  end
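Review bot: `resolve` drops the `return [target] if target.is_a?(Resource)` guard and now always appends `Resource.all`, so every call also matches grants on the zone-wide 'all' resource; that widens what existing grant data authorizes and arrives in a 1.0.0 to 1.0.1 patch bump. Confirm that `Resource.from` and `Resource::AllOfType.from` pass an existing Resource through unchanged now that the guard is gone, add a test that calls `resolve` with a Resource argument, and call out the wider resolution in the release notes. The new class comment also says the base implementation "resolves to three agents", which should read "resources".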
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Checkpoint
4
- VERSION = "1.0.0"
4
+ VERSION = "1.0.1"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: checkpoint
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Noah Botimer
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-03-05 00:00:00.000000000 Z
11
+ date: 2018-06-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: ettin
@@ -287,7 +287,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
287
287
  version: '0'
288
288
  requirements: []
289
289
  rubyforge_project:
290
- rubygems_version: 2.6.13
290
+ rubygems_version: 2.7.3
291
291
  signing_key:
292
292
  specification_version: 4
293
293
  summary: Checkpoint provides a model and infrastructure for policy-based authorization,