credentials 1.0.1

data/History.txt

@@ -0,0 +1,10 @@
+=== 1.0.1 / 2009-04-23
+
+* Now sort of framework-agnostic. I say "sort of", because what I've actually
+  done is just copy and paste the chunks I needed out of ActiveSupport. I guess
+  the goal would be to rewrite around these, but since I basically never need
+  this for anything except Rails, it seems like overkill.
+
+=== 1.0.0 / 2009-04-23
+
+* Gemification and README

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Matt Powell
+ 
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+ 
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+ 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Manifest.txt

@@ -0,0 +1,107 @@
+credentials.gemspec
+generators/credentials/credentials_generator.rb
+generators/credentials/USAGE
+History.txt
+init.rb
+install.rb
+lib/credentials/actor.rb
+lib/credentials/class_methods.rb
+lib/credentials/inflector.rb
+lib/credentials/rulebook.rb
+lib/credentials/rules/can.rb
+lib/credentials/rules/cannot.rb
+lib/credentials/rules/rule.rb
+lib/credentials.rb
+LICENSE
+Manifest.txt
+Rakefile
+README.rdoc
+uninstall.rb
+tt@Yavin:credentials[master]$ find . -type f | grep -v ".git"./credentials.gemspec
+generators/credentials/credentials_generator.rb
+generators/credentials/USAGE
+History.txt
+init.rb
+install.rb
+lib/credentials/actor.rb
+lib/credentials/class_methods.rb
+lib/credentials/inflector.rb
+lib/credentials/rulebook.rb
+lib/credentials/rules/can.rb
+lib/credentials/rules/cannot.rb
+lib/credentials/rules/rule.rb
+lib/credentials.rb
+LICENSE
+Manifest.txt
+Rakefile
+README.rdoc
+spec/credentials_spec.rb
+spec/debug.log
+spec/inflector_spec.rb
+spec/spec_helper.rb
+spec/test_app/app/controllers/application.rb
+spec/test_app/app/models/group.rb
+spec/test_app/app/models/headmaster.rb
+spec/test_app/app/models/house.rb
+spec/test_app/app/models/school.rb
+spec/test_app/app/models/student.rb
+spec/test_app/app/models/teacher.rb
+spec/test_app/app/models/user.rb
+spec/test_app/config/boot.rb
+spec/test_app/config/database.yml
+spec/test_app/config/environment.rb
+spec/test_app/config/environments/development.rb
+spec/test_app/config/environments/production.rb
+spec/test_app/config/environments/test.rb
+spec/test_app/config/initializers/inflections.rb
+spec/test_app/config/initializers/mime_types.rb
+spec/test_app/config/initializers/new_rails_defaults.rb
+spec/test_app/config/locales/en.yml
+spec/test_app/config/routes.rb
+spec/test_app/db/development.sqlite3
+spec/test_app/db/migrate/20081128211345_create_users.rb
+spec/test_app/db/migrate/20081128213041_create_groups.rb
+spec/test_app/db/migrate/20081129031929_create_students.rb
+spec/test_app/db/migrate/20081129101832_create_schools.rb
+spec/test_app/db/migrate/20081129105013_create_houses.rb
+spec/test_app/db/schema.rb
+spec/test_app/db/test.sqlite3
+spec/test_app/lib/tasks/rspec.rake
+spec/test_app/log/test.log
+spec/test_app/Rakefile
+spec/test_app/README
+spec/test_app/script/about
+spec/test_app/script/autospec
+spec/test_app/script/console
+spec/test_app/script/dbconsole
+spec/test_app/script/destroy
+spec/test_app/script/generate
+spec/test_app/script/performance/benchmarker
+spec/test_app/script/performance/profiler
+spec/test_app/script/performance/request
+spec/test_app/script/plugin
+spec/test_app/script/process/inspector
+spec/test_app/script/process/reaper
+spec/test_app/script/process/spawner
+spec/test_app/script/runner
+spec/test_app/script/server
+spec/test_app/script/spec
+spec/test_app/script/spec_server
+spec/test_app/spec/fixtures/groups.yml
+spec/test_app/spec/fixtures/houses.yml
+spec/test_app/spec/fixtures/schools.yml
+spec/test_app/spec/fixtures/users.yml
+spec/test_app/spec/models/group_spec.rb
+spec/test_app/spec/models/headmaster_spec.rb
+spec/test_app/spec/models/house_spec.rb
+spec/test_app/spec/models/school_spec.rb
+spec/test_app/spec/models/student_spec.rb
+spec/test_app/spec/models/teacher_spec.rb
+spec/test_app/spec/models/user_spec.rb
+spec/test_app/spec/rcov.opts
+spec/test_app/spec/spec.opts
+spec/test_app/spec/spec_helper.rb
+spec/test_app/stories/all.rb
+spec/test_app/stories/helper.rb
+spec/test_app/vendor/plugins/credentials/init.rb
+uninstall.rb

data/README.rdoc

@@ -0,0 +1,116 @@
+= Credentials
+
+* http://github.com/fauxparse/credentials
+
+== Description
+
+A generic actor/resource permission framework.
+
+== Installation
+
+* <tt>sudo gem install fauxparse-credentials --source=http://gems.github.com</tt>
+
+== Examples
+
+  class User
+    credentials do |user|
+      # Users should only be able to edit their own details...
+      user.can :edit, User, :if => lambda { |a, b| if a == b }
+      
+      # ...unless they are administrators!
+      user.can :edit, User, :if => :admin?
+    end
+  end
+  
+  a = User.new
+  b = User.new :admin => true
+  a.can_edit?(a) #=> true
+  a.can_edit?(b) #=> false
+  b.can_edit?(b) #=> true
+  b.can_edit?(a) #=> true
+  
+Check out the example application (in +spec/test_app+) for more (completely
+frivolous) examples.
+
+== Philosophy
+
+Credentials is NOT a role-based permission system. Permissions are based
+on code, not on database objects. That said, there's nothing to stop you
+from doing something like this:
+
+  class User
+    has_and_belongs_to_many :roles
+    
+    credentials do |user|
+      user.can :access, :admin_pages, :if => :admin?
+    end
+    
+    def admin?
+      !roles.find_by_name("admin").nil?
+    end
+  end
+  
+I just figured there were dozens of systems out there for implementing
+role-based permissions, and everyone likes to do it differently, so I
+wouldn't reinvent the wheel. Instead, I wanted to focus on capturing
+the logic behind permissions, and avoid having to grant individual
+permissions for things that should be implemented algorithmically.
+
+For example, say you want to allow users to edit user profiles under
+the following rules:
+
+* Users can edit their own profile
+* Admin users can edit any profile
+* Selected users can edit selected other individual profiles
+
+Ordinarily, that's three separate checks: sure, I can bundle these up
+into a method on my User object, but the controller still needs to call
+that method and take appropriate action if it's not satisfied.
+
+With Credentials, I can write one method in my ApplicationController,
+and then do this:
+
+  class UsersController
+    def update
+      @user = User.find params[:id]
+      requires_permission_to :edit, @user
+      @user.update_attributes params[:user]
+      # ...
+    end
+  end
+
+The +requires_permission_to+ method would call <tt>current_user.can?(:edit, @user)</tt>,
+and, if appropriate, raise an exception which would get handled by Rails
+and turned into a nice pretty error page.
+
+== To do
+
+* The test application is largely overkill. It does a half-decent job
+  of testing the functionality of the library, but I'd like to rewrite
+  it into a proper test suite.
+* Proper documentation of the API. It's been a while since I touched this.
+* Better support for groups would make integration with RBA systems easier.
+* Deny permissions (+cannot+).
+
+== License
+
+Copyright (c) 2009 Matt Powell (fauxparse@gmail.com)
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,20 @@
+require 'rake'
+require 'spec/rake/spectask'
+require 'rcov/rcovtask'
+
+desc 'Default: run specs.'
+task :default => :spec
+
+desc 'Run the specs'
+Spec::Rake::SpecTask.new(:spec) do |t|
+  t.spec_opts = ['--colour --format progress --loadby mtime --reverse']
+  t.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+desc 'Output test coverage of plugin.'
+Rcov::RcovTask.new(:rcov) do |rcov|
+  rcov.pattern    = 'spec/**/*_spec.rb'
+  rcov.output_dir = 'rcov'
+  rcov.verbose    = true
+  rcov.rcov_opts << '--exclude "test_app/config/*"'
+end

data/generators/credentials/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Explain the generator
+
+Example:
+    ./script/generate credentials Thing
+
+    This will create:
+        what/will/it/create

data/generators/credentials/credentials_generator.rb

@@ -0,0 +1,8 @@
+class CredentialsGenerator < Rails::Generator::NamedBase
+  def manifest
+    record do |m|
+      # m.directory "lib"
+      # m.template 'README', "README"
+    end
+  end
+end

data/init.rb

@@ -0,0 +1 @@
+require "credentials"

data/install.rb

@@ -0,0 +1 @@
+# Install hook code here

data/lib/credentials/actor.rb

@@ -0,0 +1,57 @@
+module Credentials
+  module Actor
+    def self.included(base) #:nodoc:
+      base.send :extend, ClassMethods
+    end
+    
+    # Returns true if the receiver has permission to perform the action ‘<tt>verb</tt>’ with the given <tt>args</tt>.
+    def can?(verb, *args)
+      self.class.can?(self, verb, *args)
+    end
+    alias_method :able_to?, :can?
+
+    module ClassMethods
+      # Returns true if the given <tt>actor</tt> has permission to perform the action ‘<tt>verb</tt>’ with the given <tt>args</tt>.
+      def can?(actor, verb, *args)
+        rulebook.can?(actor, verb, *args) ||
+        can_by_association?(actor, verb, *args) ||
+        can_by_actor_group?(actor, verb, *args)
+      end
+      
+      # Returns true if any magic methods give the requested permission.
+      # For example, <tt>by_association?(user, :edit, post)</tt> would try the following (in order):
+      # * <tt>user.is_editor_of?(post)</tt>
+      # * <tt>user.is_editor_for?(post)</tt>
+      # * <tt>user.is_editor_on?(post)</tt>
+      # * <tt>user.is_editor_at?(post)</tt>
+      # * <tt>user.is_editor_in?(post)</tt>
+      # * <tt>post.editor == user</tt>
+      # * <tt>post.editors.include?(user)</tt>
+      def can_by_association?(actor, verb, *args)
+        return false unless args.size == 1
+        noun = verb.to_s.actorize
+        object = args.first
+        %w(of for on at in).each do |prep|
+          return true if actor.respond_to?(method = "is_#{noun}_#{prep}?".to_sym) and actor.send(method, object)
+        end
+        return true if object.respond_to?(method = noun.to_sym) and object.send(method) == actor
+        return true if object.respond_to?(method = noun.pluralize.to_sym) and object.send(method).include?(actor)
+        false
+      end
+      
+      # Returns true if the actor belongs to any groups that have the requested permission.
+      def can_by_actor_group?(actor, verb, *args)
+        groups_for(actor).any? { |group| group.respond_to?(:can?) && group.can?(verb, *args) }
+      end
+
+      # Returns a list of the groups the user belongs to, according to the <tt>:groups</tt> option to <tt>has_credentials</tt>.
+      def groups_for(actor)
+        case true
+        when !credential_options[:groups].blank? then Array(credential_options[:groups]).map(&:to_sym).collect { |g| actor.send(g) }.flatten.uniq
+        when actor.respond_to?(:groups) then actor.groups.flatten.uniq
+        else []
+        end
+      end
+    end
+  end
+end

data/lib/credentials/class_methods.rb

@@ -0,0 +1,25 @@
+module Credentials
+  module ClassMethods
+    # Defines the set of credentials common to members of a class.
+    def credentials(options = {}, &block)
+      unless included_modules.include? Actor
+        class_inheritable_reader :rulebook
+        class_inheritable_reader :credential_options
+        include Actor
+      end
+      write_inheritable_attribute :credential_options, merge_credential_options(read_inheritable_attribute(:credential_options), options)
+      old_rulebook = read_inheritable_attribute(:rulebook)
+      write_inheritable_attribute :rulebook, Rulebook.new(self, old_rulebook ? old_rulebook.rules : [])
+      yield rulebook if block_given?
+    end
+    
+  protected
+    # Merges the set of options inherited from a parent class (if any)
+    def merge_credential_options(a, b)
+      a ||= {}
+      b ||= {}
+      a[:groups] = (Array(a[:groups]) + Array(b.delete(:groups))).uniq if b[:groups]
+      a.merge(b)
+    end
+  end
+end

data/lib/credentials/inflector.rb

@@ -0,0 +1,133 @@
+require "singleton"
+
+module Credentials
+  module Inflector
+    extend self
+    
+    class Inflections
+      include Singleton
+      
+      attr_reader :actors
+
+      def actors
+        @actors ||= []
+      end
+
+      def actor(rule, replacement)
+        actors.insert 0, [ rule, replacement ]
+      end
+      
+      unless defined?(ActiveSupport)
+        attr_reader :plurals, :singulars, :uncountables
+        
+        def initialize
+          @plurals, @singulars, @uncountables = [], [], []
+        end
+        
+        def plurals
+          @plurals ||= []
+        end
+        
+        def plural(rule, replacement)
+          plurals.insert 0, [ rule, replacement ]
+        end
+        def plural(rule, replacement)
+          @uncountables.delete(rule) if rule.is_a?(String)
+          @uncountables.delete(replacement)
+          @plurals.insert(0, [rule, replacement])
+        end
+
+        def singular(rule, replacement)
+          @uncountables.delete(rule) if rule.is_a?(String)
+          @uncountables.delete(replacement)
+          @singulars.insert(0, [rule, replacement])
+        end
+
+        def irregular(singular, plural)
+          @uncountables.delete(singular)
+          @uncountables.delete(plural)
+          if singular[0,1].upcase == plural[0,1].upcase
+            plural(Regexp.new("(#{singular[0,1]})#{singular[1..-1]}$", "i"), '\1' + plural[1..-1])
+            singular(Regexp.new("(#{plural[0,1]})#{plural[1..-1]}$", "i"), '\1' + singular[1..-1])
+          else
+            plural(Regexp.new("#{singular[0,1].upcase}(?i)#{singular[1..-1]}$"), plural[0,1].upcase + plural[1..-1])
+            plural(Regexp.new("#{singular[0,1].downcase}(?i)#{singular[1..-1]}$"), plural[0,1].downcase + plural[1..-1])
+            singular(Regexp.new("#{plural[0,1].upcase}(?i)#{plural[1..-1]}$"), singular[0,1].upcase + singular[1..-1])
+            singular(Regexp.new("#{plural[0,1].downcase}(?i)#{plural[1..-1]}$"), singular[0,1].downcase + singular[1..-1])
+          end
+        end
+
+        def uncountable(*words)
+          (@uncountables << words).flatten!
+        end
+      end
+    end
+    
+    def inflections
+      if block_given?
+        yield Inflections.instance
+      else
+        Inflections.instance
+      end
+    end
+    
+    def actorize(word)
+      result = word.to_s.dup
+      inflections.actors.each { |(rule, replacement)| break if result.gsub!(rule, replacement) } unless result.empty?
+      result
+    end
+    
+    unless defined?(ActiveSupport)
+      def pluralize(word)
+        result = word.to_s.dup
+
+        if word.empty? || inflections.uncountables.include?(result.downcase)
+          result
+        else
+          inflections.plurals.each { |(rule, replacement)| break if result.gsub!(rule, replacement) }
+          result
+        end
+      end
+
+      def singularize(word)
+        result = word.to_s.dup
+
+        if inflections.uncountables.include?(result.downcase)
+          result
+        else
+          inflections.singulars.each { |(rule, replacement)| break if result.gsub!(rule, replacement) }
+          result
+        end
+      end
+    end
+  end
+  
+  module StringExtensions
+    def actorize
+      Credentials::Inflector.actorize(self)
+    end
+    
+    unless defined?(ActiveSupport)
+      def pluralize
+        Credentials::Inflector.pluralize(self)
+      end
+      
+      def singularize
+        Credentials::Inflector.singularize(self)
+      end
+    end
+  end
+end
+
+String.send :include, Credentials::StringExtensions
+
+Credentials::Inflector.inflections do |inflect|
+  inflect.actor(/$/, 'er')
+  inflect.actor(/e$/, 'er')
+  inflect.actor(/ate$/, 'ator')
+  inflect.actor(/([^aeiou])([aeiou])([^aeioux])$/, '\1\2\3\3er')
+  inflect.actor(/ct$/, 'ctor')
+  inflect.actor(/^(improvi[sz])e$/, '\1or')
+  inflect.actor(/^(authori)[sz]e$/, '\1ty')
+  inflect.actor(/^administer$/, 'administrator')
+end

data/lib/credentials/rulebook.rb

@@ -0,0 +1,27 @@
+module Credentials
+  class Rulebook
+    attr_reader :rules
+    
+    def initialize(klass, rules = [])
+      @rules = rules
+      @klass = klass
+    end
+    
+    def can(verb, *args)
+      @rules << Credentials::Rules::Can.new(@klass, verb, *args)
+    end
+    
+    def cannot(verb, *args)
+      @rules << Credentials::Rules::Cannot.new(@klass, verb, *args)
+    end
+    
+    def can?(actor, verb, *args)
+      result = @klass.credential_options[:allow_by_default] || false
+      @rules.each do |rule|
+        result = true if rule.allow?(actor, verb, *args)
+        result = false if rule.deny?(actor, verb, *args)
+      end
+      result
+    end
+  end
+end

data/lib/credentials/rules/can.rb

@@ -0,0 +1,6 @@
+module Credentials
+  module Rules
+    class Can < Rule
+    end
+  end
+end

data/lib/credentials/rules/cannot.rb

@@ -0,0 +1,20 @@
+module Credentials
+  module Rules
+    class Cannot < Can
+      def allow?(actor, verb, *args)
+        return false unless match? actor, verb, *args
+        result = false
+        result ||= evaluate(@options[:unless], actor, *args) if @options[:unless]
+        result
+      end
+    
+      def deny?(actor, verb, *args)
+        return false unless match? actor, verb, *args
+        result = true
+        result &&= evaluate(@options[:if], actor, *args) if @options[:if]
+        result &&= !evaluate(@options[:unless], actor, *args) if @options[:unless]
+        result
+      end
+    end
+  end
+end

data/lib/credentials/rules/rule.rb

@@ -0,0 +1,46 @@
+module Credentials
+  module Rules
+    class Rule
+      attr_accessor :verb
+      attr_accessor :options
+    
+      def initialize(klass, verb, *args)
+        @klass = klass
+        @verb = verb.to_sym
+        @options = args.last.is_a?(Hash) ? args.pop : {}
+        @pattern = Array(args)
+      end
+
+      def match?(actor, verb, *args)
+        return false unless actor == @klass or actor.is_a?(@klass)
+        return false unless @verb == :any or @verb == verb.to_sym
+        return false unless args.size == @pattern.size
+        @pattern.zip(args).each { |pattern, arg| return false unless !pattern.is_a?(Class) or arg == pattern or arg.is_a?(pattern) }
+      end
+    
+      def allow?(actor, verb, *args)
+        return false unless match? actor, verb, *args
+        result = true
+        result &&= evaluate(@options[:if], actor, *args) if @options[:if]
+        result &&= !evaluate(@options[:unless], actor, *args) if @options[:unless]
+        result
+      end
+    
+      def deny?(actor, verb, *args)
+        return false unless match? actor, verb, *args
+        result = false
+        result ||= evaluate(@options[:unless], actor, *args) if @options[:unless]
+        result
+      end
+    
+    protected
+      def evaluate(fn, actor, *args)
+        case fn
+        when Proc           then fn.call(actor, *args)
+        when Symbol, String then actor.send(fn.to_sym, *args)
+        else raise ArgumentError, "expected a proc or a symbol"
+        end
+      end
+    end
+  end
+end

data/lib/credentials.rb

@@ -0,0 +1,9 @@
+require "credentials/actor"
+require "credentials/rulebook"
+require "credentials/class_methods"
+require "credentials/inflector"
+require "credentials/rules/rule"
+Dir.glob(File.dirname(__FILE__) + "/credentials/rules/*.rb").each { |f| require f }
+Dir.glob(File.dirname(__FILE__) + "/credentials/support/*.rb").each { |f| require f } unless defined?(ActiveSupport)
+
+Object.send :extend, Credentials::ClassMethods

data/uninstall.rb

@@ -0,0 +1 @@
+# Uninstall hook code here

metadata

@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification 
+name: credentials
+version: !ruby/object:Gem::Version 
+  version: 1.0.1
+platform: ruby
+authors: 
+- Matt Powell
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-04-23 00:00:00 +12:00
+default_executable: 
+dependencies: []
+
+description: Credentials is a generic actor/resource permission framework based on rules, not objects.
+email: fauxparse@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- generators/credentials/credentials_generator.rb
+- generators/credentials/USAGE
+- History.txt
+- init.rb
+- install.rb
+- lib/credentials/actor.rb
+- lib/credentials/class_methods.rb
+- lib/credentials/inflector.rb
+- lib/credentials/rulebook.rb
+- lib/credentials/rules/can.rb
+- lib/credentials/rules/cannot.rb
+- lib/credentials/rules/rule.rb
+- lib/credentials.rb
+- LICENSE
+- Manifest.txt
+- Rakefile
+- README.rdoc
+- uninstall.rb
+has_rdoc: true
+homepage: http://github.com/fauxparse/credentials
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --inline-source
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: credentials
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Credentials is a generic actor/resource permission framework based on rules, not objects.
+test_files: []
+