chronos_authz 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: dc17a6fb18f79cbc7f42761ead6902e96c09d3b3
+  data.tar.gz: 57e17def29d8341147bb81ef427055384914e1f2
+SHA512:
+  metadata.gz: 53887e05e23adf136dff4856aa8bccec32815e36fde7add0012456db29b1a663a6e56c283f61d64298d634d7be42d4ab05a51530dcd795fda839a842ff91df1b
+  data.tar.gz: 92ccdfc2374509a8fd33132c7dbff4f188925b891f7143c8322e3d179f4660eba2d2336e06f6627b81fd718f198c3a6c66a3d3ce92d50089f4e07c47fdb1d4f9

data/.gitignore

@@ -0,0 +1 @@
+.idea/

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,104 @@
+PATH
+  remote: .
+  specs:
+    chronos-authz (0.0.1)
+      activesupport
+      railties (>= 4.2)
+      request_store
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (5.2.0)
+      actionview (= 5.2.0)
+      activesupport (= 5.2.0)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.0)
+      activesupport (= 5.2.0)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activesupport (5.2.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    ansi (1.5.0)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    crass (1.0.4)
+    diff-lcs (1.3)
+    docile (1.3.1)
+    erubi (1.7.1)
+    hirb (0.7.3)
+    i18n (1.0.1)
+      concurrent-ruby (~> 1.0)
+    json (2.1.0)
+    loofah (2.2.2)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    method_source (0.9.0)
+    mini_portile2 (2.3.0)
+    minitest (5.11.3)
+    nokogiri (1.8.4)
+      mini_portile2 (~> 2.3.0)
+    rack (2.0.5)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.0)
+      actionpack (= 5.2.0)
+      activesupport (= 5.2.0)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.0.0)
+    request_store (1.4.1)
+      rack (>= 1.4)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.1)
+    simplecov (0.16.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-console (0.4.2)
+      ansi
+      hirb
+      simplecov
+    simplecov-html (0.10.2)
+    thor (0.20.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  chronos-authz!
+  rake (>= 11.3.0)
+  rspec
+  simplecov
+  simplecov-console
+
+BUNDLED WITH
+   1.16.2

data/README.md

@@ -0,0 +1,107 @@
+# chronos_authz
+A declarative authorization Rack middleware that supports custom authorization logic on a per-resource basis
+
+## Usage sample for Rails
+### 1. Install the gem
+```ruby
+gem 'chronos_authz'
+```
+
+### 2. Configure the ACL config/my_acl.yml
+An incoming request's http method and path will be checked against the ACL file's records for a match. At minimum, you MUST configure the path of the resource in an ACL record and SHOULD configure the http_method. If the http_method isn't configured, http method checking will not be done. You can define any other configuration here per resource as needed (ex. :permissions is a custom configuration and is defined here as this will be used in the custom authorization rule.
+    
+```ruby
+manage_accounts:
+  path: "/accounts/.*" # regex pattern
+  http_method:         # if array is used, this would work as an OR operation: checking if the incoming http request's method matches ANY of the configured http_method
+    - GET
+    - put
+  permissions:
+    - VIEW_ACCOUNTS
+    - UPDATE_ACCOUNTS
+
+create_users:
+  path: "/users"
+  http_method: POST
+  permissions:
+    - CREATE_USERS
+    
+update_users:
+  path: "/users/.*"
+  http_method: PUT
+  permissions:
+    - UPDATE_USERS
+  # rule: AnotherCustomRule # Use a different rule for this ACL record
+```
+
+### 2. Create an authorization rule initializers/MyCustomRule.rb
+An authorization rule MUST implement the __request_authorized?__ method. The rule has an access to the ff. instance variables:
+
+1. @request - [__Rack::Request__](https://www.rubydoc.info/gems/rack/Rack/Request) for the incoming HTTP request
+2. @acl_record - __ChronosAuthz::ACL::Record__ from the ACL yml that matches the incoming request's http method and path. Custom configuration in the ACL yaml will be accessible from this object. ex. @acl_record.permissions
+
+```ruby
+class MyCustomRule < ChronosAuthz::Rule
+  
+  # Must return a boolean to check
+  def request_authorized?
+    (@acl_record.permissions - user_claims).blank?
+  end
+  
+  # Optional. Implement how claims are retrieved for a given user. Normally claims could be retrieved using cookies,
+  # JWT/id_token decoded from the request header, API calls, or a database query. Any value returned here will be available to the ChronosAuthz::User.claims helper module as well.
+  def user_claims
+    # SAMPLE ONLY! In this sample configuration, only the user with the access token '1d1234913em23' would only be able to successfully send a POST request to /users. Access token 'm123493429304' bearer could both create and update a User.
+    access_tokens = {
+      "1d1234913em23" => ["CREATE_USERS"],
+      "m123493429304" => ["CREATE_USERS", "UPDATE_USERS", "SomeOtherClaimInOtherFormat", "any-format-should-work-claim"]
+    }
+    
+    access_token_from_request = @request.get_header("HTTP_AUTHORIZATION").gsub("Bearer ")
+    return (access_tokens[access_token_from_request] || [])
+  end
+end
+```
+
+### 4. Use the middleware
+```ruby
+Rails.application.config.middleware.use ChronosAuthz::Authorizer do |config|
+  # Required. Default authorization rule to use
+  config.default_rule = MyCustomRule
+  
+  # Optional. Default is false. If set to true, the ACL is treated as a whitelist of resource paths: authorization would return a 403 error if no ACL Record has been configured for a given resource path. If set to false, authorization check will only be done to the resources configured in the ACL.
+  config.strict_mode = true
+  
+  # Optional. Configure the error page to render when authorization fails 
+  config.error_page = "public/403.html"
+  
+  # Optional. Default behavior will look for 'config/authorizer_acl.yml'. Configure which ACL yml to use
+  config.acl_yaml = "config/my_acl.yml"
+end
+```
+
+## Helpers
+Include the helper module __ChronosAuthz::User__ as needed to have access to the current user's claims via the __.claims__ method.
+example:
+```ruby
+class User < ActiveRecord
+  include ChronosAuthz::User
+end
+```
+
+With this helper included in your User model and assuming you are using Devise or any other AuthN solution, you may do the ff.:
+```ruby
+current_user.claims
+=> ["CREATE_USERS"]
+```
+
+If the return value of user_claims method in your implementation is a hash:
+```ruby
+current_user.claims
+=> {permissions: ["CREATE_USERS"], email: "someemail@yourdomain.com"}
+
+current_user.claim[:email]
+=> someemail@yourdomain.com
+```
+
+

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/chronos_authz.gemspec

@@ -0,0 +1,28 @@
+$LOAD_PATH.push File.expand_path("../lib", __FILE__)
+
+require "chronos_authz/version"
+
+Gem::Specification.new do |s|
+  s.name        = "chronos_authz"
+  s.version     = ChronosAuthz::VERSION
+  s.authors     = ["Marianne Angelie del Mundo", "Rodette Pedro", "JR Respino", "Jayson Uy"]
+  s.email       = %w(marianne@chronoscloud.com rodette@chronoscloud.com jr@chronoscloud.com jayson@chronoscloud.com)
+  s.homepage    = "https://github.com/chronoscloud/chronoscloud-authz"
+  s.summary     = "A minimal and declarative authorization layer"
+  s.description = "A declarative authorization Rack middleware that supports custom authorization logic on a per-resource basis"
+  s.license     = 'N/A'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- spec/*`.split("\n")
+  s.require_paths = ["lib"]
+
+  s.add_dependency "railties", ">= 4.2"
+  s.add_dependency "request_store"
+  s.add_dependency "activesupport"
+  s.required_ruby_version = ">= 2.4"
+
+  s.add_development_dependency "rake", ">= 11.3.0"
+  s.add_development_dependency "rspec-rails"
+  s.add_development_dependency "simplecov"
+  s.add_development_dependency "simplecov-console"
+end

data/lib/chronos_authz.rb

@@ -0,0 +1,16 @@
+require 'active_support/core_ext/string'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'ostruct'
+require 'request_store'
+require 'yaml'
+
+require 'chronos_authz/validations/validation_error'
+require 'chronos_authz/validations/options_validator'
+require 'chronos_authz/configuration'
+require 'chronos_authz/acl'
+require 'chronos_authz/rule'
+require 'chronos_authz/user'
+require 'chronos_authz/authorizer'
+
+module ChronosAuthz
+end

data/lib/chronos_authz/acl.rb

@@ -0,0 +1,81 @@
+module ChronosAuthz
+  class ACL
+    attr_accessor :acl_hash, :records
+
+    def self.build_from_yaml(acl_yaml = nil)
+      acl_yaml ||= 'config/authorizer_acl.yml'
+      acl_hash = YAML.load_file(acl_yaml)
+      records = ACL.records_from_acl_hash(acl_hash)
+      return ACL.new(records, acl_hash)
+    end
+
+    # Populate @records with instances of ACL::Record and validate each instances
+    def self.records_from_acl_hash(acl_hash)
+      return acl_hash.map do |record_name, record_options = {}| 
+               ChronosAuthz::ACL::Record.new(record_options.merge!(name: record_name))
+             end
+    end
+
+    def initialize(records = [], acl_hash = nil)
+      @records = records
+      @acl_hash = acl_hash
+    end
+
+    # Find matching ACL Record
+    def find_match(http_method, request_path)
+      record = @records.select{ |record| record.matches?(http_method, request_path) }.first
+      # puts "[ChronosAuthz] Found ACL match: #{record.to_s}" if record
+
+      return record
+    end
+
+
+    class Record < OpenStruct
+      include ChronosAuthz::Validations::OptionsValidator
+
+      VALID_HTTP_METHODS = ["GET", 
+                            "POST", 
+                            "PUT", 
+                            "PATCH", 
+                            "DELETE", 
+                            "HEAD"].freeze
+
+      required :name, :path
+      check_constraint :http_method, VALID_HTTP_METHODS, allow_nil: true
+
+      def initialize(value = {})
+        value = value.with_indifferent_access
+        value[:http_method] = normalize_http_methods(value[:http_method])
+        value[:path] = normalize_path(value[:path])
+
+        super(value)
+        validate!
+      end
+
+      def matches?(http_method, request_path)
+        return false if request_path.nil?
+        
+        request_path = normalize_path(request_path)
+        path_pattern = /\A#{self.path}\z/
+
+        method_matched = self.http_method.empty? || self.http_method.include?(http_method.to_s.upcase)
+
+        return false if !method_matched
+        return !request_path.match(path_pattern).nil?
+      end
+
+      private
+
+      def normalize_path(resource_path)
+        return resource_path.squish if !resource_path.nil?
+      end
+
+      def normalize_http_methods(http_methods)
+        http_methods = [http_methods] if !http_methods.is_a? Array
+        http_methods.map!{ |http_method| http_method.to_s.upcase }
+
+        return http_methods.reject { |http_method| http_method.blank? }
+      end
+    end
+  end
+end

data/lib/chronos_authz/authorizer.rb

@@ -0,0 +1,39 @@
+module ChronosAuthz
+
+  class Authorizer
+
+    attr_accessor :configuration, :acl
+
+    def initialize(app, options = {})
+      @app, @configuration = app, ::ChronosAuthz::Configuration.new(options)
+
+      yield @configuration if block_given?
+      @configuration.validate!
+      @acl = ChronosAuthz::ACL.build_from_yaml(@configuration.acl_yaml)
+    end
+
+
+    def call(env)
+      matched_acl_record = @acl.find_match(env["REQUEST_METHOD"], env["PATH_INFO"])
+      
+      return render_unauthorized if @configuration.strict_mode && matched_acl_record.nil?
+
+      request = Rack::Request.new(env)
+      rule_class = matched_acl_record.try(:rule).try(:constantize) || @configuration.default_rule
+      rule_instance = rule_class.new(request, matched_acl_record)    
+      
+      return render_unauthorized if !rule_instance.request_authorized?
+
+      RequestStore.store[:chronos_authz_claims] = rule_instance.user_claims
+      status, headers, response = @app.call(env)
+    end
+
+    def render_unauthorized
+      if @configuration.error_page
+        # html = ActionView::Base.new.render(file: @configuration.error_page)
+        return [403, {'Content-Type' => 'text/html'}, [File.read(@configuration.error_page)]]
+      end
+      return [403, {'Content-Type' => 'text/plain'}, ["Unauthorized"]]
+    end
+  end
+end

data/lib/chronos_authz/configuration.rb

@@ -0,0 +1,7 @@
+module ChronosAuthz
+  class Configuration < OpenStruct
+    include ChronosAuthz::Validations::OptionsValidator
+
+    required :default_rule
+  end
+end  

data/lib/chronos_authz/rule.rb

@@ -0,0 +1,20 @@
+module ChronosAuthz
+  class Rule
+    
+    attr_accessor :request, :acl_record
+
+    def initialize(request, acl_record)
+      @request = request
+      @acl_record = acl_record
+    end
+
+    def user_claims
+      nil
+    end
+    
+    def request_authorized?
+      false
+    end
+  
+  end
+end

data/lib/chronos_authz/user.rb

@@ -0,0 +1,13 @@
+module ChronosAuthz
+  module User
+
+    def claim(key)
+      claims[key]
+    end
+
+    def claims
+      RequestStore.store[:chronos_authz_claims]
+    end
+
+  end
+end

data/lib/chronos_authz/validations/options_validator.rb

@@ -0,0 +1,60 @@
+module ChronosAuthz
+  module Validations
+    module OptionsValidator
+
+      def self.included base
+        base.extend OptionsValidatorClassMethods
+      end    
+
+      module OptionsValidatorClassMethods
+        attr_accessor :required_options, :predefined_value_map
+
+        def required(*options)
+          self.required_options = options
+        end
+
+        def check_constraint(option, predefined_values = [], constraint_options = {})
+          self.predefined_value_map ||= {}
+          self.predefined_value_map[option] = { check_values: predefined_values, 
+                                                constraint_options: constraint_options }
+        end
+      end
+
+      def validate!
+
+        # Required options
+        if !self.class.required_options.nil?
+          self.class.required_options.each do |required_option|
+            option_value = send(required_option) if respond_to?(required_option)
+            raise ChronosAuthz::Validations::ValidationError.new("Missing option #{required_option} in #{self.class}") if option_value.blank?
+          end
+        end
+
+        # Check constraint
+        if !self.class.predefined_value_map.nil?
+          self.class.predefined_value_map.each do |key, value|
+            option_values = send(key) 
+            check_values = value[:check_values]
+
+            if !option_values.is_a? Array
+              option_values = [option_values]
+            end
+
+            if value[:constraint_options][:case_sensitive].nil? || !value[:constraint_options][:case_sensitive]
+              option_values = option_values.map{|option_value| option_value.to_s.upcase }
+              check_values = check_values.map{|check_value| check_value.to_s.upcase }
+            end
+
+            option_values.each do |option_value|
+              next if value[:constraint_options][:allow_nil] && (option_value.nil? || option_value.empty?)
+              raise ChronosAuthz::Validations::ValidationError.new("Invalid option value #{option_value} for #{key} in #{self.class}. Valid values are #{check_values}.") if !check_values.include?(option_value) 
+            end
+          end
+        end
+
+        self
+      end
+    end
+
+  end
+end

data/lib/chronos_authz/validations/validation_error.rb

@@ -0,0 +1,11 @@
+module ChronosAuthz
+  module Validations
+    class ValidationError < StandardError
+
+      def initialize(message)
+        super(message)
+      end
+
+    end
+  end
+end

data/lib/chronos_authz/version.rb

@@ -0,0 +1,3 @@
+module ChronosAuthz
+  VERSION = "0.0.1"
+end

data/spec/acl_spec.rb

@@ -0,0 +1,186 @@
+require 'spec_helper'
+
+describe ChronosAuthz::ACL do
+  let(:acl_yaml) { 'spec/config/authorizer_acl_test.yml' }
+
+  describe 'attribute accessors' do
+    it 'assigns acl_hash' do
+      acl_object = ChronosAuthz::ACL.build_from_yaml(acl_yaml)
+
+      expect(acl_object.acl_hash).to_not be_nil
+    end
+
+    it 'assigns records' do
+      acl_object = ChronosAuthz::ACL.build_from_yaml(acl_yaml)
+
+      expect(acl_object.records).to_not be_empty
+    end
+  end
+
+  describe '.build_from_yaml' do
+   context 'when acl_yaml is specified' do
+     it 'loads a YAML file from the acl_yaml' do
+       allow(YAML).to receive(:load_file).and_return(YAML.load_file(acl_yaml))
+       expect(YAML).to receive(:load_file).with(acl_yaml)
+
+       ChronosAuthz::ACL.build_from_yaml(acl_yaml)
+     end
+   end
+
+   context 'when no acl_yaml is specified' do
+      it 'loads a YAML file using a default path' do
+        allow(YAML).to receive(:load_file).and_return(YAML.load_file(acl_yaml))
+        expect(YAML).to receive(:load_file).with('config/authorizer_acl.yml')
+
+        ChronosAuthz::ACL.build_from_yaml
+      end
+    end
+
+    it 'initializes a new ACL' do
+      expect(ChronosAuthz::ACL).to receive(:new)
+
+      ChronosAuthz::ACL.build_from_yaml(acl_yaml)
+    end
+
+    it 'returns an ACL object' do
+      expect(ChronosAuthz::ACL.build_from_yaml(acl_yaml)).to be_an_instance_of(ChronosAuthz::ACL)
+    end
+
+  end
+
+  describe '.records_from_acl_hash' do
+    it 'returns an array of ACL::Record from a YAML hash' do
+      records = ChronosAuthz::ACL.records_from_acl_hash(YAML.load_file(acl_yaml))
+      expect(records).to_not be_empty
+      expect(records).to all(be_an(ChronosAuthz::ACL::Record))
+    end
+  end 
+
+  describe '#find_match' do
+    let(:acl) { ChronosAuthz::ACL.build_from_yaml(acl_yaml) }
+
+    context 'when using valid parameters' do
+      context 'when http_method and request_path is in config' do
+
+        it 'returns an ACLRecord' do
+          expect(acl.find_match('POST', '/users')).to be_an_instance_of(ChronosAuthz::ACL::Record)
+        end
+
+        it 'finds the record that matches the path pattern' do
+          expect(acl.find_match('GET', '/accounts/2')).to_not be_nil
+        end
+      end
+
+      context 'when http_method is not in config' do
+        it 'returns nil' do
+          expect(acl.find_match('DELETE', '/users')).to be_nil
+        end
+      end
+
+      context 'when request_path is not in config' do
+        it 'returns nil' do
+          expect(acl.find_match('GET', '/test')).to be_nil
+          expect(acl.find_match('POST', '/users////')).to be_nil
+          expect(acl.find_match('POST', '/user/1/1/1/')).to be_nil
+        end
+      end
+    end
+
+    context 'when using null parameters' do
+      context 'when http_method is null' do
+        it 'returns nil' do
+          expect(acl.find_match(nil, '/test')).to be_nil
+        end
+      end
+
+      context 'when resource_path is null' do
+        it 'returns nil' do
+          expect(acl.find_match('GET', 'nil')).to be_nil
+        end
+      end
+    end
+  end
+end
+
+
+describe ChronosAuthz::ACL::Record do
+  let(:acl_record_string_method) { ChronosAuthz::ACL::Record.new(name: 'create_users', 
+                                                 http_method: 'post', 
+                                                 path: ' /users  ') }
+  let(:acl_record_array_method) { ChronosAuthz::ACL::Record.new(name: 'create_users', 
+                                                 http_method: ['POST', 'put'], 
+                                                 path: '/users') }
+  let(:acl_record_implicit_all_method) { ChronosAuthz::ACL::Record.new(name: 'create_users', 
+                                                 path: '/users') }
+
+  describe 'initialization' do
+    context 'when http_method is specified' do
+      context 'with a valid HTTP method' do
+        it 'assigns http_method as a normalized array' do
+          expect(acl_record_string_method.http_method).to_not be_empty
+          expect(acl_record_string_method.http_method).eql?(['POST'])
+        end
+      end
+
+      context 'with an invalid HTTP method' do
+        it 'raises a validation error' do
+          expect{ ChronosAuthz::ACL::Record.new(name: 'create_users',
+                                                http_method: 'GETS',  
+                                                path: '/users')  }.to raise_error(ChronosAuthz::Validations::ValidationError)
+        end
+      end
+    end
+
+    context 'when path is specified' do
+      it 'assigns a squished http_method' do
+        expect(acl_record_string_method.path).eql?("/users")
+      end
+    end
+
+    it 'raises a validation error if name is not specified' do
+      expect{ ChronosAuthz::ACL::Record.new(path: '/users') }.to raise_error(ChronosAuthz::Validations::ValidationError)
+    end
+
+    it 'raises a validation error if path is not specified' do
+      expect{ ChronosAuthz::ACL::Record.new(name: 'create_users') }.to raise_error(ChronosAuthz::Validations::ValidationError)
+    end
+
+  end
+
+  describe '#matches?' do
+    context 'when request_path matches the request_path regex pattern config' do
+      context 'with an array http_method config' do
+        it 'returns true if http_method has a match from the http_method array config' do
+          expect(acl_record_array_method.matches?('POST', '/users')).to be true
+        end
+
+        it 'returns false if http_method doesn\'t have a match from the http_method array config' do
+          expect(acl_record_array_method.matches?('GET', '/accounts')).to be false
+        end
+      end
+
+      context 'with a string http_method config' do
+        it 'returns true if http_method matches the http_method string config' do
+          expect(acl_record_string_method.matches?('POST', '/users')).to be true
+        end
+
+        it 'returns false if http_method doesn\'t match the http_method string config' do
+          expect(acl_record_string_method.matches?('get', '/accounts')).to be false
+        end
+      end
+
+      context 'with a nil http_method config' do
+        it 'returns true' do
+          expect(acl_record_implicit_all_method.matches?('post', '/users')).to be true
+        end
+      end
+    end
+
+    context 'when request_path doesn\'t match the request_path regex pattern config' do
+      it 'returns false' do
+        expect(acl_record_implicit_all_method.matches?('post', '/account/')).to be false
+      end
+    end
+  end
+
+end

data/spec/authorizer_spec.rb

@@ -0,0 +1,96 @@
+require 'spec_helper'
+require 'rack'
+describe ChronosAuthz::Authorizer do
+
+  class AuthorizeAllRequestRule < ChronosAuthz::Rule
+    def request_authorized?
+      true
+    end
+  end
+
+  class BlockAllRequestsRule < ChronosAuthz::Rule
+    def request_authorized?
+      false
+    end
+  end
+
+  describe "Middleware configuration" do
+
+    it "should raise an error if default_rule isn't configured" do
+      env = mock_env("/")
+      app = lambda{}
+      expect{ rack_app(app).call(env) }.to raise_error(ChronosAuthz::Validations::ValidationError)
+    end
+
+    it "should use default_rule for authorization check when no :rule option was specified in the matched ACL record" do
+      env = mock_env("/accounts/")
+      app = lambda{ |env| [200, {'Content-Type' => 'text/plain'}, ["OK"]] }
+      default_rule_class = AuthorizeAllRequestRule
+      expect_any_instance_of(default_rule_class).to receive(:request_authorized?)
+      rack_app(app, :default_rule => default_rule_class, :strict_mode => false).call(env)
+    end
+
+    it "should use the matched ACL Record's :rule option if it is specified" do
+      env = mock_env("/users", method: "POST")
+      app = lambda{ |env| [200, {'Content-Type' => 'text/plain'}, ["OK"]] }
+      expect_any_instance_of(ChronosAuthz::Spec::Helpers::CustomRule).to receive(:request_authorized?)
+      expect_any_instance_of(AuthorizeAllRequestRule).to_not receive(:request_authorized?)
+      rack_app(app, :default_rule => AuthorizeAllRequestRule, :strict_mode => false).call(env)
+    end
+
+    it "should use the configured error_page if the request is unauthorized" do
+      env = mock_env("/accounts/123", method: "PUT")
+      app = lambda{ |env| [200, {'Content-Type' => 'text/plain'}, ["OK"]] }
+      error_page_path = 'spec/config/error_page.html'
+      error_page_contents = File.read(error_page_path)
+      result = rack_app(app, :default_rule => BlockAllRequestsRule, :error_page => error_page_path).call(env)
+      expect(result.last.first).to eq(error_page_contents)
+    end
+  end
+ 
+  describe "Authorization" do
+
+    it "should fail with a 403 response if strict_mode configuration is set to true and no ACL Record was configured for the incoming request" do
+      env = mock_env("/some_unknown_path")
+      app = lambda{}
+      result = rack_app(app, :default_rule => AuthorizeAllRequestRule, :strict_mode => true).call(env)
+      expect(result.first).to eq(403)
+    end
+
+    it "should not fail with a 403 response if strict_mode configuration is not set to true and no ACL Record was configured for the incoming request" do
+      env = mock_env("/")
+      app = lambda{ |env| [200, {'Content-Type' => 'text/plain'}, ["OK"]] }
+      result = rack_app(app, :default_rule => AuthorizeAllRequestRule, :strict_mode => false).call(env)
+      expect(result.first).to eq(200)
+    end
+
+    it "should fail with a 403 response if authorization check failed" do
+      env = mock_env("/")
+      app = lambda{}
+      result = rack_app(app, :default_rule => BlockAllRequestsRule).call(env)
+      expect(result.first).to eq(403)
+    end
+
+    it "should not fail with a 403 response if authorization check succeeded" do
+      env = mock_env("/")
+      app = lambda{ |env| [200, {'Content-Type' => 'text/plain'}, ["OK"]] }
+      result = rack_app(app, :default_rule => AuthorizeAllRequestRule).call(env)
+      expect(result.first).to eq(200)
+    end
+  end
+
+  def rack_app(app, options= {})
+    options[:acl_yaml] ||= 'spec/config/authorizer_acl_test.yml'
+    Rack::Builder.new do
+      use ChronosAuthz::Authorizer, options
+      run app
+    end
+  end
+
+  def mock_env(path = "/", params = {})
+    method = params.delete(:method) || "GET"
+    env = { 'HTTP_VERSION' => '1.1', 'REQUEST_METHOD' => "#{method}" }
+    Rack::MockRequest.env_for("#{path}?#{Rack::Utils.build_query(params)}", env)
+  end
+
+end

data/spec/config/authorizer_acl_test.yml

@@ -0,0 +1,18 @@
+manage_accounts:
+  path: "/accounts/.*"
+  http_method: 
+    - GET
+    - put
+  permissions:
+    - AUTH::VIEW_ACCOUNT
+    - AUTH::MANAGE_ACCOUNTS
+
+create_users:
+  path: "/users"
+  http_method: POST
+  permissions:
+    - AUTH::CREATE_USERS
+  rule: ChronosAuthz::Spec::Helpers::CustomRule
+
+shipment:
+  path: "/*"

data/spec/config/error_page.html

@@ -0,0 +1 @@
+Custom error page

data/spec/helpers/custom_rule.rb

@@ -0,0 +1,9 @@
+module ChronosAuthz::Spec
+  module Helpers
+    class CustomRule < ChronosAuthz::Rule
+      def request_authorized?
+        true
+      end
+    end
+  end
+end

data/spec/options_validator_spec.rb

@@ -0,0 +1,85 @@
+require 'spec_helper'
+
+describe ChronosAuthz::Validations::OptionsValidator do
+  PRIMARY_COLORS = ["red", "yellow", "blue"].freeze
+
+  class WithRequiredAndCheckConstraint < OpenStruct
+    include ChronosAuthz::Validations::OptionsValidator 
+    required :some_required_attribute
+    check_constraint :primary_color, PRIMARY_COLORS
+  end
+
+  class WithRequiredCheckConstraintOption < OpenStruct
+    include ChronosAuthz::Validations::OptionsValidator 
+    check_constraint :primary_color, PRIMARY_COLORS, allow_nil: false
+  end
+
+  class WithCheckConstraint < OpenStruct
+    include ChronosAuthz::Validations::OptionsValidator 
+    check_constraint :primary_color, ["red", "yellow", "blue"], allow_nil: true
+  end
+
+  class WithCaseSensitiveCheckConstraintOption < OpenStruct
+    include ChronosAuthz::Validations::OptionsValidator 
+    check_constraint :primary_color, ["red", "yellow", "blue"], case_sensitive: true
+  end
+
+  describe 'required options validation' do
+
+    it 'raises a validation error if a required option is nil' do
+      expect{ WithRequiredAndCheckConstraint.new.validate! }.to raise_error(ChronosAuthz::Validations::ValidationError)
+    end
+
+  end
+
+  describe 'check constraint validation' do
+
+    context 'when option value is a string' do
+      it 'raises a validation error if the option value isn\'t found from the valid option values' do
+        expect{ WithRequiredAndCheckConstraint.new(some_required_attribute: 'some_value', primary_color: "brown").validate! }.to raise_error(ChronosAuthz::Validations::ValidationError)
+      end
+
+      context 'with allow_nil config set to false' do
+        it 'raises a validation error if option value is nil' do
+          expect{ WithRequiredCheckConstraintOption.new.validate! }.to raise_error(ChronosAuthz::Validations::ValidationError)
+        end
+      end
+
+      context 'with allow_nil config set to true' do
+        it 'doesn\'t raise any validation errors if option value is nil' do
+          expect{ WithCheckConstraint.new.validate! }.to_not raise_error(ChronosAuthz::Validations::ValidationError)
+        end
+      end
+
+      context 'with case_sensitive config set to true' do
+        it 'raises a validation error if option value is meaningfully equal to any of the valid option values but in different case' do
+          expect{ WithCaseSensitiveCheckConstraintOption.new(primary_color: "RED").validate! }.to raise_error(ChronosAuthz::Validations::ValidationError)
+        end
+      end
+    end
+
+    context 'when option value is an array' do
+      it 'raises a validation error if an element from the option value isn\'t found from the valid option values' do
+        expect{ WithRequiredAndCheckConstraint.new(some_required_attribute: 'some_value', primary_color: ["RED", "brown"]).validate! }.to raise_error(ChronosAuthz::Validations::ValidationError)
+      end
+
+      context 'with allow_nil config set to false' do
+        it 'raises a validation error if an element from the option value is nil' do
+          expect{ WithRequiredCheckConstraintOption.new(primary_color: ["blue", nil]).validate! }.to raise_error(ChronosAuthz::Validations::ValidationError)
+        end
+      end
+
+      context 'with allow_nil config set to true' do
+        it 'doesn\'t raise any validation errors if an element from the option value is nil' do
+          expect{ WithCheckConstraint.new(primary_color: ["blue", nil]).validate! }.to_not raise_error(ChronosAuthz::Validations::ValidationError)
+        end
+      end
+
+      context 'with case_sensitive config set to true' do
+        it 'raises a validation error if an element from the option value is meaningfully equal to any of the valid option values but in different case' do
+          expect{ WithCaseSensitiveCheckConstraintOption.new(primary_color: ["blue", "ReD"]).validate! }.to raise_error(ChronosAuthz::Validations::ValidationError)
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,115 @@
+require 'bundler/setup'
+Bundler.setup
+
+require 'chronos_authz'
+
+require 'simplecov'
+require 'simplecov-console'
+
+Dir[File.join(File.dirname(__FILE__), "helpers", "**/*.rb")].each do |f|
+  require f
+end
+
+SimpleCov.formatter = SimpleCov.formatter = SimpleCov::Formatter::Console
+SimpleCov.start
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec::Expectations.configuration.on_potential_false_positives = :nothing
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  # config.include(ChronosAuthz::Spec::Helpers)
+
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+  
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end

metadata

@@ -0,0 +1,179 @@
+--- !ruby/object:Gem::Specification
+name: chronos_authz
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Marianne Angelie del Mundo
+- Rodette Pedro
+- JR Respino
+- Jayson Uy
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-08-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.2'
+- !ruby/object:Gem::Dependency
+  name: request_store
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 11.3.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 11.3.0
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A declarative authorization Rack middleware that supports custom authorization
+  logic on a per-resource basis
+email:
+- marianne@chronoscloud.com
+- rodette@chronoscloud.com
+- jr@chronoscloud.com
+- jayson@chronoscloud.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- chronos_authz.gemspec
+- lib/chronos_authz.rb
+- lib/chronos_authz/acl.rb
+- lib/chronos_authz/authorizer.rb
+- lib/chronos_authz/configuration.rb
+- lib/chronos_authz/rule.rb
+- lib/chronos_authz/user.rb
+- lib/chronos_authz/validations/options_validator.rb
+- lib/chronos_authz/validations/validation_error.rb
+- lib/chronos_authz/version.rb
+- spec/acl_spec.rb
+- spec/authorizer_spec.rb
+- spec/config/authorizer_acl_test.yml
+- spec/config/error_page.html
+- spec/helpers/custom_rule.rb
+- spec/options_validator_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/chronoscloud/chronoscloud-authz
+licenses:
+- N/A
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.4'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: A minimal and declarative authorization layer
+test_files:
+- spec/acl_spec.rb
+- spec/authorizer_spec.rb
+- spec/config/authorizer_acl_test.yml
+- spec/config/error_page.html
+- spec/helpers/custom_rule.rb
+- spec/options_validator_spec.rb
+- spec/spec_helper.rb