consent 1.0.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 925e2e71db7ce7b4c7104784bbd54cfeb8273b2502f0f73f599e64754d5a010a
-  data.tar.gz: 256326fbd83020d39881b53eadc1b3b7cb9c5169bedee5aac5491661a0e3023b
+  metadata.gz: 95c988d7005c2d40bc6c83a00421e15079737a8759ae635764baf1008e0bd588
+  data.tar.gz: bdd9f0cc35741ecdf89bbc9b68de9819bcedc87b3e98ddc05a00d086c66d0b6d
 SHA512:
-  metadata.gz: 84ee14b357d0edd8c7be190cc4f79e67d6a0a7f8e0f869d1bf15b0d1ebe87e6f076939aa9db684c172eec8f489bb83f8794c3ca0946a4edc569c07f04a6a9889
-  data.tar.gz: 490da917b1363a0b5d2f209df9363978764874fbe74d500c548b91a95f16f3ca35fab2a80a1ab7ac4de7364e7892101efc4e4a022d25683d0dc82896c7b39da9
+  metadata.gz: '008f73e94d325ab83a1a63ffa696aea1e22c6db5b44ef49f9d11bc2c1d8773d5a9cf3eec7466870b4cfabb2d13ec23f4d6fa3742cfa5dd6c890322e83694fe0a'
+  data.tar.gz: aaa27addbb0c0372660f8680e981be5b48a5cc5bb30c42f22d0d75a347111f1733c5b410b67ca8f5e5259bdb76b9283f2af93ec5ce18350aeeed47ac48ccdc87

data/.gitignore

@@ -1,10 +1,18 @@
 /.bundle/
 /.yardoc
-/Gemfile.lock
 /_yardoc/
-/coverage/
-/doc/
-/pkg/
+coverage
+pkg
 /spec/reports/
-/tmp/
-/consent-*.gem
+**/tmp/*
+!**/tmp/.gitkeep
+!tmp/.gitignore
+vendor/bundle
+*.log
+*.sqlite
+*.sqlite3
+Gemfile.lock
+
+# Ignore uploaded files in development
+/storage/*
+!/storage/.keep

data/.rubocop.yml

@@ -1 +1,10 @@
 inherit_from: .rubocop_todo.yml
+
+require:
+  - rubocop-powerhome
+
+AllCops:
+  TargetRubyVersion: 2.7
+
+Rails:
+  Enabled: false

data/.rubocop_todo.yml

@@ -1,21 +1,19 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2019-11-20 02:06:29 -0300 using RuboCop version 0.65.0.
+# on 2022-08-23 19:11:09 UTC using RuboCop version 1.35.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 5
-# Configuration parameters: CountComments, ExcludedMethods.
-# ExcludedMethods: refine
-Metrics/BlockLength:
+# Offense count: 3
+# Configuration parameters: AllowComments, AllowEmptyLambdas.
+Lint/EmptyBlock:
   Exclude:
-    - 'spec/**/*'
-    - 'lib/consent/rspec.rb'
+    - 'spec/consent_spec.rb'
 
-# Offense count: 9
-Style/Documentation:
+# Offense count: 1
+# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, AllowedMethods, AllowedPatterns, IgnoredMethods.
+Metrics/MethodLength:
   Exclude:
-    - 'spec/**/*'
-    - 'test/**/*'
+    - 'db/migrate/*.rb'

data/Gemfile

@@ -1,6 +1,10 @@
 # frozen_string_literal: true
 
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in consent.gemspec
 gemspec
+
+rails_version = ENV.fetch("RAILS_VERSION", ">= 5")
+
+gem "rails", rails_version

data/Rakefile

@@ -1,8 +1,14 @@
+#!/usr/bin/env rake
+
 # frozen_string_literal: true
 
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
+require "bundler/setup"
+Bundler::GemHelper.install_tasks
 
+require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new(:spec)
 
-task default: :spec
+require "rubocop/rake_task"
+RuboCop::RakeTask.new(:rubocop)
+
+task default: %i[spec rubocop]

data/app/models/concerns/consent/authorizable.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+module Consent
+  module Authorizable
+    extend ::ActiveSupport::Concern
+
+    included do
+      has_many :permissions, class_name: "Consent::Permission",
+                             foreign_key: :role_id, inverse_of: false,
+                             dependent: :delete_all, autosave: true
+    end
+
+    # Grants all permissions in o permissions hash formatted as:
+    #
+    # `{ <subject> => { <action> => <view> } }`
+    #
+    # @example role.grant_all({ "user" => { "read" => "all" }})
+    # @example role.grant_all({ User => { read: :all }})
+    #
+    # When `replace: true`, it mark all existing permisions for destruction
+    #
+    # @example
+    #    role.grant_all(User => { read: :territory })
+    #    role.grant_all({ User => { write: :territory }, replace: true)
+    #    role.permissions
+    #    => [#<Consent::Permission subject: User(...), action: :write, view: :territory>]
+    #
+    # `grant_all` will only keep valid permissions, this excludes any permisison that grants nothing (:no_access)
+    #
+    # @param permissions [Hash] a hash formatted as documented above
+    # @param replace [Boolean] whether we should replace all existing granted permisions
+    #
+    def grant_all(permissions, replace: false)
+      changed = self.permissions
+                    .from_hash(permissions)
+                    .map { |permission| grant_permission(permission) }
+      (self.permissions - changed).each(&:mark_for_destruction) if replace
+    end
+
+    # Destructive form of {Authorizable#grant_all}. This methods grants all the given permissions and
+    # persists it to the database atomically
+    #
+    # @see #grant_all
+    # @yield after saving before commiting within the transaction
+    #
+    def grant_all!(*args, **kwargs)
+      transaction do
+        grant_all(*args, **kwargs)
+        tap(&:save!)
+        touch
+        yield if block_given?
+      end
+    end
+
+    # Grants a permission to a role, replacing any existing permission for the same subject/action pair:
+    #
+    # @example
+    #    role.grant(subject: "user", action: "read", view: "all")
+    #    role.grant(subject: "user", action: "read", view: "territory")
+    #    role.permissions
+    #    => [#<Consent::Permission subject: User(...), action: :read, view: :territory>]
+    #
+    # `grant` only grants valid permissions:
+    #
+    # @example
+    #    role.grant(subject: "user", action: "read", view: "no_access")
+    #    role.permissions
+    #    => []
+    #
+    # `grant` also does not persist the given permissions, so the caller must #save! the role
+    #
+    # @param subject [Symbol|String|Class] any valid subject
+    # @param action [String|Symbol] a valid action
+    # @param view [String|Symbol] a valid view
+    #
+    def grant(subject:, action:, view:)
+      grant_permission ::Consent::Permission.new(subject: subject, action: action, view: view)
+    end
+
+  private
+
+    def grant_permission(new_perm)
+      existing_perm = permissions.find { |p| p.subject.eql?(new_perm.subject) && p.action.eql?(new_perm.action) }
+      if existing_perm
+        existing_perm.view = new_perm.view
+        existing_perm.mark_for_destruction unless existing_perm.valid?
+        existing_perm
+      elsif new_perm.valid?
+        association(:permissions).add_to_target(new_perm)
+        new_perm
+      end
+    end
+  end
+end

data/app/models/consent/application_record.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Consent
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/consent/history.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Consent
+  class History < ::Consent::ApplicationRecord
+    enum command: { grant: "grant", revoke: "revoke" }
+
+    serialize :subject, ::Consent::SubjectCoder
+    validates :subject, presence: true
+    validates :action, presence: true
+    validates :view, presence: true
+    validates :command, presence: true
+
+    def self.record(command, permission)
+      create!(
+        **permission.slice(:role_id, :subject, :action, :view),
+        command: command.to_s
+      )
+    end
+  end
+end

data/app/models/consent/permission.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Consent
+  class Permission < ::Consent::ApplicationRecord
+    serialize :subject, ::Consent::SubjectCoder
+
+    validates :subject, presence: true
+    validates :action, presence: true
+    validates :view, presence: true,
+                     exclusion: {
+                       in: [::Consent::NO_ACCESS],
+                       message: "must grant access",
+                     }
+    after_save { ::Consent::History.record(:grant, self) }
+    after_destroy { ::Consent::History.record(:revoke, self) }
+
+    scope :to, ->(subject:, action: nil, view: nil) do
+      where({ subject: subject, action: action, view: view }.compact)
+    end
+
+    # It is true when it is a replacement for another permission
+    # @private
+    #
+    def replaces?(permission)
+      subject == permission.subject && action == permission.action
+    end
+
+    # Symbol key of an action
+    #
+    def action
+      super&.to_sym
+    end
+
+    # Symbol key of a view or "1" for full access
+    #
+    def view
+      return "1" if Consent::FULL_ACCESS.include?(super)
+
+      super&.to_sym
+    end
+
+    # Transforms a hash of permissions and views to grant into a collection
+    # of Consent::Permission
+    #
+    # I.e.:
+    #   Permission.from_hash User => { write: :territory }
+    #   => [#<Consent::Permission view: :territory, action: :write, subject: User>]
+    #
+    #   Permission.from_hash User => { write: :territory, read: :all }
+    #   => [#<Consent::Permission view: :territory, action: :write, subject: User>,]
+    #       #<Consent::Permission view: :all, action: :read, subject: User>]
+    #
+    # It also eliminates any invalid permission from the resulting set
+    #
+    # I.e.:
+    #   Permission.from_hash User => { write: :territory, read: :no_access }, Department: { write: :all }
+    #   => [#<Consent::Permission view: :territory, action: :write, subject: User>,]
+    #       #<Consent::Permission view: :all, action: :write, subject: Department>]
+    #
+    # @param permissions [Hash] a set of permissions in the hash format
+    # @return [Array<Consent::Permission>]
+    #
+    def self.from_hash(permissions)
+      permissions.flat_map do |subject, actions|
+        actions.flat_map do |action, view|
+          new(subject: subject, action: action, view: view)
+        end
+      end.select(&:valid?)
+    end
+  end
+end

data/config.ru

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "rubygems"
+require "bundler"
+
+Bundler.require :default, :development
+
+Combustion.initialize! :all
+run Combustion::Application

data/consent.gemspec

@@ -1,31 +1,35 @@
 # frozen_string_literal: true
 
-lib = File.expand_path('lib', __dir__)
+lib = File.expand_path("lib", __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'consent/version'
+require "consent/version"
 
 Gem::Specification.new do |spec|
-  spec.name          = 'consent'
+  spec.name          = "consent"
   spec.version       = Consent::VERSION
-  spec.authors       = ['Carlos Palhares']
-  spec.email         = ['chjunior@gmail.com']
+  spec.authors       = ["Carlos Palhares"]
+  spec.email         = ["chjunior@gmail.com"]
 
-  spec.summary       = 'Consent'
-  spec.description   = 'Consent'
+  spec.summary       = "Consent permission based authorization"
+  spec.description   = "Consent permission based authorization"
+  spec.homepage = "https://github.com/powerhome/power-tools"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.7"
 
-  spec.licenses = ['MIT']
+  spec.files = `git ls-files`.split.grep_v(/^(test|spec|features)/)
+  spec.require_paths = ["lib"]
 
-  spec.files = `git ls-files`.split.reject do |file|
-    file =~ /^(test|spec|features)/
-  end
-  spec.require_paths = ['lib']
+  spec.add_dependency "cancancan", "3.2.1"
 
-  spec.add_development_dependency 'activerecord', '>= 5'
-  spec.add_development_dependency 'bundler', '>= 1.17.3'
-  spec.add_development_dependency 'cancancan', '~> 1.15.0'
-  spec.add_development_dependency 'pry', '~> 0.14.1'
-  spec.add_development_dependency 'rake', '>= 12.3.3'
-  spec.add_development_dependency 'rspec', '~> 3.0'
-  spec.add_development_dependency 'rubocop', '~> 0.65.0'
-  spec.add_development_dependency 'sqlite3', '~> 1.4.2'
+  spec.add_development_dependency "activerecord", ">= 5"
+  spec.add_development_dependency "bundler", "~> 2.1"
+  spec.add_development_dependency "combustion", "~> 1.3"
+  spec.add_development_dependency "license_finder", ">= 7.0"
+  spec.add_development_dependency "pry-byebug", "3.9.0"
+  spec.add_development_dependency "rake", "~> 13"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rspec-rails", "~> 5.1.2"
+  spec.add_development_dependency "rubocop-powerhome", "0.5.0"
+  spec.add_development_dependency "sqlite3", "~> 1.4.2"
+  spec.metadata["rubygems_mfa_required"] = "true"
 end

data/db/migrate/20211104225614_create_nitro_auth_authorization_permissions.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class CreateNitroAuthAuthorizationPermissions < ActiveRecord::Migration[5.2]
+  def change
+    create_table :"#{Consent.table_name_prefix}permissions" do |t|
+      t.string :subject, limit: 80
+      t.string :action, limit: 80
+      t.string :view, limit: 80
+      t.integer :role_id
+
+      t.timestamps
+    end
+
+    add_index :"#{Consent.table_name_prefix}permissions", :role_id
+    add_index :"#{Consent.table_name_prefix}permissions", :subject
+    add_index :"#{Consent.table_name_prefix}permissions", %i[subject action],
+              name: :"idx_#{Consent.table_name_prefix}permissions_on_subject_and_action"
+  end
+end

data/db/migrate/20220420135558_create_nitro_auth_authorization_histories.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class CreateNitroAuthAuthorizationHistories < ActiveRecord::Migration[5.2]
+  def change
+    create_table :"#{Consent.table_name_prefix}histories" do |t|
+      t.string :command, limit: 6
+      t.string :subject, limit: 80
+      t.string :action, limit: 80
+      t.string :view, limit: 80
+      t.integer :role_id
+
+      t.timestamps
+    end
+  end
+end

data/doc/dependency_decisions.yml

@@ -0,0 +1,3 @@
+---
+- - :inherit_from
+  - https://raw.githubusercontent.com/powerhome/oss-guide/master/license_rules.yml

data/docs/CHANGELOG.md

@@ -0,0 +1,23 @@
+## [Unreleased]
+
+## [2.0.0] - 2022-09-02
+
+- Support multiple versions of rails (>= 5.2.8.1)
+- Consent is now an engine, and provides the ability to store and manage permissions for a Consent::Authorizable class (i.e.: Role)
+- Consent::Ability is improved to support the new Permission model
+
+## [1.0.1] - 2021-05-10
+
+- Improve Rspec matchers
+
+## [1.0.0] - 2021-04-22
+
+- Consent released with DSL to design permissions and convenient CanCan::Ability implementation.
+
+## [0.6.0] - 2020-12-22
+## [0.5.2] - 2019-11-28
+## [0.5.0] - 2019-11-25
+## [0.4.3] - 2019-04-02
+## [0.4.2] - 2019-03-28
+## [0.4] - 2019-03-27
+## [0.3.1] - 2016-11-08