controlist 0.1.0

data/lib/controlist/interceptor.rb

@@ -0,0 +1,193 @@
+module Controlist
+
+  class Interceptor
+
+    PROXY_CLASSES = {}
+
+    class << self
+
+      def hook
+        hook_read
+        hook_persistence
+        hook_attribute
+      end
+
+      # used by hook_attribute
+      def build_proxy(target)
+        klass = target.class
+        proxy_class = (PROXY_CLASSES[klass] ||= create_value_object_proxy_class klass)
+        proxy_class.new target
+      end
+
+      private
+
+      # Avoid ActiveModel::MissingAttributeError due to select(attributes) according to constrains
+      #   #suppose attribute_proxy is :_val, value_object_proxy is :_value_object
+      #   user = User.find 1
+      #   user._val(:name)
+      #   user._value_object.name
+      def hook_attribute
+        ActiveRecord::Persistence.class_eval %Q{
+          def #{Controlist.attribute_proxy}(attr)
+            self.#{Controlist.value_object_proxy}[attr]
+          end
+
+          def #{Controlist.value_object_proxy}
+            @#{Controlist.value_object_proxy} ||= Controlist::Interceptor.build_proxy self
+          end
+        }
+      end
+
+      def hook_persistence
+        if Controlist.is_activerecord3?
+          settings = {
+            create: :create,
+            update: :update,
+            delete: [:delete, :destroy]
+          }
+        else
+          settings = {
+            create: :_create_record,
+            update: :_update_record,
+            delete: [:delete, :destroy]
+          }
+        end
+        settings.each do |operation, methods|
+          Array(methods).each do |method|
+            ActiveRecord::Persistence.module_eval %Q{
+              def #{method}_with_controlist(*args)
+                permission_provider = Controlist.permission_provider
+                unless permission_provider.skip?
+                  permission_package = permission_provider.get_permission_package
+                  permissions = permission_package.list_#{operation}[self.class] if permission_package
+                  if permissions.blank?
+                    raise NoPermissionError
+                  else
+                    passed = false
+                    matched_permission = nil
+                    permissions.each do |permission|
+                      if permission.match_for_persistence(self, Controlist::Permission::#{operation.upcase})
+                        Controlist.logger.debug{"Controlist matched to \#{permission.is_allowed ? 'allow' : 'forbid'} \#{permission.inspect}"}
+                        if permission.is_allowed
+                          passed = true
+                        end
+                        matched_permission = permission
+                        break
+                      end
+                    end
+                    if passed
+                      Controlist.logger.debug{"Controlist #{operation} checked: PASSED"}
+                    else
+                      Controlist.logger.debug{"Controlist #{operation} checked: FORBIDDEN"}
+                      if matched_permission.nil?
+                        raise NoPermissionError
+                      else
+                        raise PermissionForbidden.new "Forbidden by permission", matched_permission
+                      end
+                    end
+                  end
+                end
+            #{method}_without_controlist(*args)
+          end
+          alias_method_chain :#{method}, :controlist unless method_defined? :#{method}_without_controlist
+            }
+        end
+      end
+    end
+
+    def hook_read
+      if Controlist.is_activerecord3?
+        ActiveRecord::QueryMethods.module_eval do
+          def where!(opts, *rest)
+            return if opts.blank?
+            self.where_values += build_where(opts, rest)
+          end
+          def _select!(*value)
+            self.select_values += Array.wrap(value)
+          end
+          def joins!(*args)
+            return if args.compact.blank?
+            args.flatten!
+            self.joins_values += args
+          end
+        end
+        ActiveRecord::IdentityMap.module_eval do
+          def self.enabled?
+            false
+          end
+          def self.enabled
+            false
+          end
+        end
+      else
+        ActiveRecord::Core::ClassMethods.module_eval do
+          #Bypass find_by_statement_cache, otherwise will use cached sql which may has wrong permissions
+          def find(*args)
+            super
+          end
+          def find_by(*args)
+            super
+          end
+        end
+      end
+      ActiveRecord::Relation.class_eval do
+        def build_arel_with_controlist
+          permission_provider = Controlist.permission_provider
+          if permission_provider.skip? || @controlist_processing
+            build_arel_without_controlist
+          else
+            if @controlist_done
+              raise Controlist::NotReuseableError.new("The relation has built a sql, you can't reuse it, or you can clone it before sql building", self)
+            else
+              @controlist_processing = true
+              permission_provider = Controlist.permission_provider
+              unless permission_provider.skip?
+                permission_package = permission_provider.get_permission_package
+                permissions = permission_package.list_read[@klass] if permission_package
+                if permissions.blank?
+                  self.where!("1 != 1")
+                else
+                  permissions.each do |permission|
+                    permission.handle_for_read self
+                  end
+                end
+              end
+              @controlist_processing = false
+              @controlist_done = true
+              build_arel_without_controlist
+            end
+          end
+        end
+        alias_method_chain :build_arel, :controlist unless method_defined? :build_arel_without_controlist
+      end
+    end
+
+    def create_value_object_proxy_class(klass)
+      attributes = klass.columns.map(&:name)
+      attributes.delete klass.primary_key
+      proxy_class = Class.new
+      code_block = ""
+      attributes.each do |attribute|
+        code_block += %Q{
+            def #{attribute}
+              @target.#{attribute} rescue nil
+            end
+        }
+      end
+      proxy_class.class_eval %Q{
+          def initialize(target)
+            @target = target
+          end
+          def [](attribute)
+            @target[attribute] rescue nil
+          end
+      #{code_block}
+      }
+      proxy_class
+    end
+
+  end
+
+end
+
+end

data/lib/controlist/managers/base_manager.rb

@@ -0,0 +1,31 @@
+module Controlist
+  module Managers
+    class BaseManager
+
+      class << self
+
+        def get_permission_package
+          raise NotImplementedError
+        end
+
+        def set_permission_package(package)
+          raise NotImplementedError
+        end
+
+        def skip?
+          raise NotImplementedError
+        end
+
+        def open_skip
+          raise NotImplementedError
+        end
+
+        def close_skip
+          raise NotImplementedError
+        end
+
+      end
+
+    end
+  end
+end

data/lib/controlist/managers/thread_based_manager.rb

@@ -0,0 +1,32 @@
+module Controlist
+  module Managers
+    class ThreadBasedManager < BaseManager
+
+      class << self
+
+        def get_permission_package
+          Thread.current[:permission_package]
+        end
+
+        def set_permission_package(package)
+          Thread.current[:permission_package] = package
+        end
+
+        def skip?
+          Thread.current[:skip_controlist] == true
+        end
+
+        def open_skip
+          Thread.current[:skip_controlist] = true
+        end
+
+        def close_skip
+          Thread.current[:skip_controlist] = nil
+        end
+
+      end
+
+    end
+  end
+end
+

data/lib/controlist/permission.rb

@@ -0,0 +1,209 @@
+require 'controlist/permissions/operation'
+require 'controlist/permissions/constrain'
+require 'controlist/permissions/simple_constrain'
+require 'controlist/permissions/advanced_constrain'
+require 'controlist/permissions/ordered_package'
+
+module Controlist
+  class Permission
+
+    # properties is hash with property and value pair, operation READ only need keys
+    attr_accessor :klass, :operations, :is_allowed, :constrains, :clause, :joins, :properties, :procs_read
+
+    def initialize(klass, operations, is_allowed = true, constrains=nil)
+      self.procs_read = []
+      self.klass = klass
+      unless operations.nil?
+        if operations.is_a? Array
+          self.operations = operations
+        else
+          self.operations = [operations]
+        end
+      end
+      self.is_allowed = is_allowed
+      self.joins = []
+      if self.operations.nil?
+        init_for_read constrains
+        init_for_persistence constrains
+      else
+        init_for_read constrains if self.operations.include? Controlist::Permissions::READ
+        if  self.operations.include?(Controlist::Permissions::CREATE) ||
+            self.operations.include?(Controlist::Permissions::UPDATE) ||
+            self.operations.include?(Controlist::Permissions::DELETE)
+          init_for_persistence constrains
+        end
+      end
+    end
+
+    def apply(*properties)
+      self.properties = {id: nil}
+      properties.each do |property_pair|
+        if property_pair.is_a? Hash
+          self.properties.merge! property_pair
+        else
+          self.properties[property_pair] = nil
+        end
+      end
+      self
+    end
+
+    def handle_for_read(relation)
+      relation._select!(*self.properties.keys) unless self.properties.blank?
+      relation.joins!(*self.joins) if self.joins.size > 0
+      relation.where!("#{self.clause}") if self.clause
+      unless self.procs_read.blank?
+        # Only support ActiveRecord 4
+        merging_relation = self.klass.unscoped
+        self.procs_read.each do |proc|
+          merging_relation = proc.call(merging_relation)
+        end
+        ActiveRecord::Relation::Merger.new(relation, merging_relation).merge
+      end
+
+    end
+
+    def match_for_persistence(object, operation)
+      properties_matched = match_properties_for_persistence object, operation
+      properties_matched && match_constains_for_persistence(object, operation)
+    end
+
+    def match_properties_for_persistence(object, operation)
+      return true if operation == Controlist::Permissions::DELETE || self.properties.blank?
+      properties_matched = false
+      changes = object.changes
+      self.properties.each do |property, value|
+        change = changes[property]
+        if change && (value.nil? || Array(value).include?(change.last))
+          properties_matched = true
+          break
+        end
+      end
+      Controlist.logger.debug{"Controlist #{operation} properties checked: #{properties_matched}"}
+      properties_matched
+    end
+
+    def match_constains_for_persistence(object, operation)
+      if self.constrains.blank?
+        constrain_matched = true
+      else
+        constrain_matched = self.constrains.any? do |constrain|
+          if constrain.proc_persistence.is_a?(Proc) && constrain.proc_persistence.lambda?
+            inner_matched = constrain.proc_persistence.call object, operation
+          else
+            inner_matched = false
+            property = constrain.property
+            value = constrain.value
+            operator = constrain.operator
+            if constrain.relation.nil?
+              if object.persisted? && (changes = object.changes[property])
+                inner_matched = match_value(changes.first, value, operator)
+              else
+                inner_matched = match_value(object[property], value, operator)
+              end
+            else
+              relation_object = object.send(constrain.relation)
+              inner_matched = (relation_object && match_value(relation_object[property], value, operator))
+            end
+          end
+          inner_matched
+        end
+      end
+      Controlist.logger.debug{"Controlist #{operation} constrains checked: #{constrain_matched}"}
+      constrain_matched
+    end
+
+    private
+
+    def init_for_persistence(constrains)
+      return if constrains.nil?
+      if !(constrains.is_a?(Controlist::Permissions::Constrain) ||constrains.is_a?(Array))
+        raise ArgumentError.new("constrains has unknown type #{constrains.class}")
+      end
+      constrains = [constrains] if constrains.is_a? Controlist::Permissions::Constrain
+      constrains.compact!
+      constrains.each do |constrain|
+        raise "Persistence operation can't use constrain clause" unless constrain.clause.blank?
+      end
+      self.constrains = constrains
+    end
+
+    def match_value(left, right, operator)
+      if operator.nil?
+        left == right
+      else
+        left.send(operator.to_sym, right)
+      end
+    end
+
+    def init_for_read(constrains)
+      return if constrains.nil?
+      case constrains
+      when String
+        self.clause = constrains
+      when Array, Controlist::Permissions::Constrain
+        constrains = [constrains] if constrains.is_a? Controlist::Permissions::Constrain
+        self.constrains = constrains.compact
+        self.clause = build_clause
+        self.clause = "not (#{self.clause})" if self.is_allowed == false
+      else
+        raise ArgumentError.new("constrains has unknown type #{constrains.class}")
+      end
+    end
+
+    def build_clause
+      clause = ""
+      self.constrains.each do |constrain|
+        if constrain.proc_read.is_a?(Proc)
+          self.procs_read << constrain.proc_read
+          next
+        else
+          if !constrain.clause.nil?
+            part_clause = constrain.clause
+          else
+            table_name = append_joins constrain.relation if constrain.relation
+            table_name ||= (constrain.table_name || self.klass.table_name)
+            property = constrain.property
+            value = constrain.value
+            raise ArgumentError.new("property could not be nil") if property.blank?
+            raise ArgumentError.new("value could not be nil") if value.blank?
+            default_operator = '='
+            if value.is_a?(Proc) && value.lambda?
+              Controlist.skip{ value = value.call }
+            end
+            if value.is_a? Array
+              if value.first.is_a? String
+                value = "('" + value.join("','") + "')"
+              else
+                value = "(" + value.join(",") + ")"
+              end
+              default_operator = 'in'
+            else
+              if value.is_a? String
+                if value.upcase == 'NULL'
+                  default_operator = 'is' 
+                else
+                  value = "'#{value}'"
+                end
+              end
+            end
+            operator = constrain.operator || default_operator
+            part_clause = "#{table_name}.#{property} #{operator} #{value}"
+          end
+          clause += " and " if clause.length > 0
+          clause += "(#{part_clause})"
+        end
+      end
+      clause
+    end
+
+    def append_joins(relation_name)
+      reflections = self.klass.reflections
+      # Rails 4.2 use string key, instead Rails 4.1 use symbol key
+      relation = reflections[relation_name.to_s] || reflections[relation_name.to_sym]
+      raise "Relation #{relation_name} Not found for class #{self.klass}!" if relation.nil?
+      self.joins << relation_name.to_sym
+      relation.table_name
+    end
+
+  end
+end

data/lib/controlist/permissions/advanced_constrain.rb

@@ -0,0 +1,24 @@
+module Controlist
+  module Permissions
+
+    class AdvancedConstrain < Constrain
+
+      def initialize(hash)
+        self.property = hash[:property]
+        self.value = hash[:value]
+        self.relation = hash[:relation]
+        self.table_name = hash[:table_name]
+        self.operator = hash[:operator]
+        self.clause = hash[:clause]
+        if Controlist.is_activerecord3? && (hash.has_key?(:proc_read) || hash.has_key?(:proc_persistence))
+          raise NotImplementedError, "Skip proc_read and proc_persistence, that features only be supported in ActiveRecord 4 or later"
+        else
+          self.proc_read = hash[:proc_read]
+          self.proc_persistence = hash[:proc_persistence]
+        end
+      end
+
+    end
+
+  end
+end

data/lib/controlist/permissions/constrain.rb

@@ -0,0 +1,10 @@
+module Controlist
+  module Permissions
+
+    class Constrain
+      attr_accessor :property, :value, :relation, :table_name, :operator, :clause, :proc_read, :proc_persistence
+    end
+
+  end
+end
+

data/lib/controlist/permissions/operation.rb

@@ -0,0 +1,32 @@
+module Controlist
+  module Permissions
+
+    CREATE = :create
+    READ = :read
+    UPDATE = :update
+    DELETE = :delete
+
+    module_function
+
+    def is_persistence?(operation)
+      [CREATE, UPDATE, DELETE].include? operation.to_sym
+    end
+
+    def is_create?(operation)
+      CREATE == operation.to_sym
+    end
+
+    def is_read?(operation)
+      READ == operation.to_sym
+    end
+
+    def is_update?(operation)
+      UPDATE == operation.to_sym
+    end
+
+    def is_delete?(operation)
+      DELETE == operation.to_sym
+    end
+
+  end
+end

data/lib/controlist/permissions/ordered_package.rb

@@ -0,0 +1,56 @@
+module Controlist
+  module Permissions
+
+    class OrderedPackage
+
+      attr_reader :list_create, :list_read, :list_update, :list_delete, :permissions
+
+      def initialize(*permissions)
+        permissions.compact!
+        @list_create = {}
+        @list_read = {}
+        @list_update = {}
+        @list_delete = {}
+        @permissions = permissions
+        @permissions.freeze # avoid bypassing add_permissions/remove_permissions
+        add_permissions *permissions
+      end
+
+      def add_permissions(*permissions)
+        @permissions += permissions
+        @permissions.freeze
+        permissions.each do |permission|
+          operations = permission.operations
+          add @list_create, permission if operations.nil? || operations.include?(CREATE)
+          add @list_read, permission if operations.nil? ||  operations.include?(READ)
+          add @list_update, permission if operations.nil? ||  operations.include?(UPDATE)
+          add @list_delete, permission if operations.nil? ||  operations.include?(DELETE)
+        end
+      end
+
+      def remove_permissions(*permissions)
+        @permissions -= permissions
+        @permissions.freeze
+        permissions.each do |permission|
+          operations = permission.operations
+          remove @list_create, permission if operations.nil? || operations.include?(CREATE)
+          remove @list_read, permission if operations.nil? ||  operations.include?(READ)
+          remove @list_update, permission if operations.nil? ||  operations.include?(UPDATE)
+          remove @list_delete, permission if operations.nil? ||  operations.include?(DELETE)
+        end
+      end
+
+      private
+
+      def add(list, permission)
+        (list[permission.klass] ||= []) << permission
+      end
+
+      def remove(list, permission)
+        (list[permission.klass] ||= []).delete permission
+      end
+
+    end
+
+  end
+end

data/lib/controlist/permissions/simple_constrain.rb

@@ -0,0 +1,16 @@
+module Controlist
+  module Permissions
+
+    class SimpleConstrain < Constrain
+
+      def initialize(property, value, hash={})
+        self.property = property.to_s
+        self.value = value
+        self.relation = hash[:relation]
+        self.table_name = hash[:table_name]
+      end
+
+    end
+
+  end
+end

data/lib/controlist/version.rb

@@ -0,0 +1,3 @@
+module Controlist
+  VERSION = "0.1.0"
+end

data/lib/controlist.rb

@@ -0,0 +1,32 @@
+require "controlist/version"
+require "controlist/errors"
+require "controlist/permission"
+require "controlist/interceptor"
+require "controlist/managers/base_manager"
+
+module Controlist
+
+  class << self
+
+    attr_accessor :permission_provider, :attribute_proxy, :value_object_proxy, :logger
+
+    def initialize(permission_provider, config={})
+      @permission_provider = permission_provider
+      @attribute_proxy = config[:attribute_proxy] || "_val"
+      @value_object_proxy = config[:value_object_proxy] || "_value_object"
+      @logger = config[:logger] || Logger.new(STDOUT)
+      Interceptor.hook
+    end
+
+    def skip
+      @permission_provider.open_skip
+      yield
+      @permission_provider.close_skip
+    end
+
+    def is_activerecord3?
+      ActiveRecord::VERSION::MAJOR == 3
+    end
+  end
+
+end