checkpoint 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6a1c461fe8389571e1850b62a87c9d0db9ade53e
-  data.tar.gz: 2854266ee72cf25d1e789aed12eb63e27e7436a5
+SHA256:
+  metadata.gz: a2cf353cc2bb33e3ccbce11553f4bc0194ebdbc7ca7f438cfdad5fe01ae13865
+  data.tar.gz: 836124e3b1327020e8b05e667febed345469dd60200b2b2a98f1182a8b4e1cc8
 SHA512:
-  metadata.gz: cea376e3ab91a65d63e86b64b7eddd54ea4edbf5a403763e099a334ca1546454b3e4d86a666cafa56e4b1db7c663a8d89ed4f52a890b358975e3f8f071851ae2
-  data.tar.gz: ae1c1b1bdb8bfe5705ede2d5d4478a8888884200307008206e80680b49f75785ed8d02d02a13856c9a137b559a204807fc46910a27a2b7dde054c61e97d0e4a3
+  metadata.gz: fe22903fad979e47556ffc5a7cbc3a1ec6f7e03509092ecff08b28c600af54400aa8b5438c1dca271881611a4b2eeee7ea072a6b9e361c567a201421aa90a41d
+  data.tar.gz: 43b0e8b1c4ad32176a574b151ccb6453d0aa4963374eb479b4cc0f42c61f18992d9397ae9e69236d9615b3ef3514584a5608d2c87b8626dd1c160b8355ff5184

data/checkpoint.gemspec

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-lib = File.expand_path("../lib", __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "checkpoint/version"
 

data/lib/checkpoint/db/permit.rb

@@ -3,7 +3,7 @@
 module Checkpoint
   module DB
     # Sequel model for permits
-    class Permit < Sequel::Model
+    class Permit < Sequel::Model(DB.db)
       # Instantiate a Permit from the constituent domain objects (agent,
       # resource, credential).
       def self.from(agent, credential, resource, zone: 'system')

data/lib/checkpoint/railtie.rb

@@ -42,23 +42,23 @@ module Checkpoint
       end
 
       def before_blocks
-        @before ||= []
+        @before_blocks ||= []
       end
 
       def after_blocks
-        @after ||= []
+        @after_blocks ||= []
       end
 
       def ready_blocks
-        @ready ||= []
+        @ready_blocks ||= []
       end
 
       def under_rake!
-        @rake = true
+        @under_rake = true
       end
 
       def under_rake?
-        @rake ||= false
+        @under_rake ||= false
       end
     end
 
@@ -82,14 +82,7 @@ module Checkpoint
       Railtie.after_blocks.each do |block|
         block.call(config.to_h)
       end
-    end
 
-    # This runs before any block registered under a `config.to_prepare`, which
-    # could be in plugins or initializers that want to use a fully configured
-    # Checkpoint instance. The `to_prepare` hook is run once at the start of a
-    # production instance and for every request in development (unless caching
-    # is turned on so there is no reloading).
-    initializer "checkpoint.ready", after: :finisher_hook do
       Checkpoint::DB.initialize! unless Railtie.under_rake?
 
       Railtie.ready_blocks.each do |block|
@@ -97,9 +90,14 @@ module Checkpoint
       end
     end
 
+    def rake_files
+      base = Pathname(__dir__) + '../tasks/'
+      [base + 'migrate.rake']
+    end
+
     rake_tasks do
       Railtie.under_rake!
-      load "tasks/migrate.rake"
+      rake_files.each { |file| load file }
     end
   end
 end

data/lib/checkpoint/resource/resolver.rb

@@ -3,18 +3,66 @@
 module Checkpoint
   class Resource
     # A Resource Resolver takes a concrete object (like a model instance) and
-    # resolves it into all {Resource}s for which a permit would allow an action.
+    # resolves it into all {Resource}s for which a grant would allow an action.
     # For example, this can be used to grant a credential on all items of a given
     # model class or to implement cascading permissions when all credentials for
     # a container should apply to the contained objects.
     #
-    # NOTE: This implementation currently always resolves to the entity and its
-    # type and nothing more. This needs some thought on an appropriate extension
-    # mechanism to mirror the {PermissionMapper}.
+    # This base implementation resolves to three agents: one for the entity
+    # itself, one for all entities of its type, and one for all entities of any
+    # type. This provides a convenient and familiar construct, where a broader
+    # grant (say, at the type level, or for "everything") implies a grant at
+    # the more specific level.
+    #
+    # If an application needs to have broader grants that should be revocable
+    # at a more specific level, this could be done in a specific policy, or by
+    # implementing a custom resource resolver. The policy approach would be
+    # localized to where it is needed, and is recommended in order to keep the
+    # semantics of resource resolution consistent with other applications.
+    #
+    # A custom resource resolver could be useful particularly in cases where
+    # there is equivalence or cascading across entities or types and those
+    # rules need to be maintained consistently across policies or in support of
+    # building administrative interfaces.
+    #
+    # Checkpoint does not enforce the decision of where necessary complexity
+    # resides in an application, though the general notion is that application
+    # policies should be the first place to add specialized rules. If rules are
+    # more complex, base policies or delegation are helpful tools. And, if
+    # there is even more complexity, Checkpoint allows its fundamental
+    # semantics to be extended by implementing a custom resolver.
     class Resolver
+      # Resolve an application entity into a set of Resources for which a grant
+      # would allow access.
+      #
+      # The entity will be converted to a Resource with {Resource::from} and
+      # {Resource::AllOfType::from}. That is, the Resolver does a
+      # straightforward expansion, not applying any of its own conversion
+      # semantics. The special {Resource::all} resource is also included to
+      # support zone-wide grants.
+      #
+      # As an example, permission to download high quality versions of media
+      # assets might be granted to a given user system wide (that is, for the
+      # special 'all' resource). Implementing in this way, the credential would
+      # be a specific permission in the domain (e.g., permission:high-quality),
+      # and it would be checked when authorizing those downloads.
+      #
+      # An alternative approach would be to grant a generic permission (e.g.,
+      # permission:download) to that user for a specific resource type modeling
+      # the high quality version. Which is more appropriate depends on the
+      # conceptual models and design of an application and Checkpoint does not
+      # enforce one design decision over another.
+      #
+      # If these default extension mechanisms do not match an application's
+      # needs, a custom implementation may be used with whatever resolution is
+      # appropriate. This could be especially useful if it is commonly needed
+      # to authorize actions on a specific resource, while permissions for it
+      # should be inherited from a container resource. For some applications,
+      # this approach may be more convenient than, for example, delegating to a
+      # specific policy in the same way from multiple sections of the
+      # application.
       def resolve(target)
-        return [target] if target.is_a?(Resource)
-        [Resource.from(target), Resource::AllOfType.from(target)]
+        [Resource.from(target), Resource::AllOfType.from(target), Resource.all]
       end
     end
   end

data/lib/checkpoint/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Checkpoint
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: checkpoint
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Noah Botimer
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-03-05 00:00:00.000000000 Z
+date: 2018-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ettin
@@ -287,7 +287,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.3
 signing_key: 
 specification_version: 4
 summary: Checkpoint provides a model and infrastructure for policy-based authorization,