cuba-api 0.5.1 → 0.6.0

data/lib/cuba_api/allow_session_rack.rb

@@ -0,0 +1,16 @@
+module CubaApi
+  class AllowSessionRack
+    def initialize( app, *not_pattern )
+      @app = app
+      @regexp = /^\/#{not_pattern.join( '|^\/' )}/
+    end
+    
+    def call( env )
+      status, headers, resp = @app.call( env )
+      if not( env[ 'PATH_INFO' ].match @regexp )
+        headers.delete( 'Set-Cookie' )
+      end
+      [ status, headers, resp ]
+    end
+  end
+end

data/lib/cuba_api/guard.rb

@@ -20,19 +20,86 @@
 #
 # -*- Coding: utf-8 -*-
 
+require 'ixtlan/user_management/guard'
+
+# TODO move to upstream
+class Ixtlan::UserManagement::Permission
+  attribute :parent, Ixtlan::UserManagement::Permission
+end
+
 module CubaApi
   module Guard
-    warn 'DEPRECATED: guard will disappear as it is now'
-    def allowed?( *group_names )
-      authenticated? && ( allowed_groups( *group_names ).size > 0 )
-    end
+    module ClassMethods
 
-    def allowed_groups( *group_names )
-      current_groups.select { |g| group_names.member?( g.name ) }
+      def guard( &block )
+        self[ :guard ] ||= block ||
+          begin
+            warn 'no guard configured. default guard denies eveythings !'
+            guard = Ixtlan::UserManagement::Guard.new
+            Proc.new do |groups|
+              guard
+            end
+          end
+      end
+      
     end
 
     def current_groups
       current_user.groups
     end
+
+    def allowed_associations
+      guard.associations( @_context, @_method )
+    end
+
+    def on_context( name, &block )
+      perm = guard.permissions( name )
+      if perm && perm.parent &&
+          perm.parent.resource !=  @_context
+        raise 'parent resource is not guarded'
+      end
+      on name do
+        old = @_context
+        @_context = name
+        yield( *captures )
+        @_context = old
+      end
+    end
+
+    def on_association
+      on :association do |association|
+        # TODO one method in guard
+        asso = guard.permissions( @_context ).associations
+        if asso.empty? or asso.include?( association )
+          yield( association )
+        else
+          no_body :forbidden 
+        end
+      end
+    end
+    
+    def on_guard( method, *args)
+      args.insert( 0, send( method ) )
+      on *args do
+        
+        @_method = method
+        
+        warn "[CubaApi::Guard] check #{method.to_s.upcase} #{@_context}: #{guard.allow?( @_context, method )}"
+        # TODO guard needs no association here
+        if guard.allow?( @_context, method, (allowed_associations || []).first )
+          
+          yield( *captures )
+        else
+          no_body :forbidden # 403
+        end
+      end
+    end
+
+    private
+
+    def guard
+      self.class.guard.call( current_groups )
+    end
+
   end
 end

data/lib/cuba_api/utils.rb

@@ -15,6 +15,13 @@ module CubaApi
       req.options?
     end
 
+    # convenient method for status only responses
+    def no_body( status )
+      res.status = Rack::Utils.status_code( status )
+      res.write Rack::Utils::HTTP_STATUS_CODES[ res.status ]
+      res['Content-Type' ] = 'text/plain'
+    end
+
     # params
     def to_float( name, default = nil )
      v = req[ name ]

data/lib/cuba_api/write_aspect.rb

@@ -39,12 +39,6 @@ module CubaApi
       end
     end
 
-    def no_body( status )
-      res.status = Rack::Utils.status_code( status )
-      res.write Rack::Utils::HTTP_STATUS_CODES[ res.status ]
-      res['Content-Type' ] = 'text/plain'
-    end
-
     def write( obj, options = {} )
       self.res.status = options[:status] || 200
       # make sure we inherit aspects and repsect the order

data/spec/accept_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'cuba_api/config'
+require 'cuba_api/utils'
 require 'cuba_api/write_aspect'
 require 'cuba_api/accept_content'
 require 'yaml'
@@ -15,6 +16,7 @@ describe CubaApi::AcceptContent do
   before do
     Cuba.reset!
     Cuba.plugin CubaApi::Config
+    Cuba.plugin CubaApi::Utils
     Cuba[ :aspects ] = []
     Cuba.plugin CubaApi::WriteAspect
     Cuba.plugin CubaApi::AcceptContent

data/spec/allow_session_rack_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+require 'cuba_api/allow_session_rack'
+
+describe CubaApi::AllowSessionRack do
+
+  before do
+    Cuba.reset!
+    Cuba.use CubaApi::AllowSessionRack, 'session', 'system'
+    Cuba.use Rack::Session::Cookie, :secret => 'secret'
+    Cuba.define do
+      on 'session' do
+        session[ 'name' ] = :me
+      end
+    end
+  end
+
+  it 'allows session' do
+     _, headers, _ = Cuba.call( { 'PATH_INFO' => '/session',
+                                  'SCRIPT_NAME' => '/session' } )
+
+    headers[ 'Set-Cookie' ].must_not.eq nil
+  end
+
+  it 'does NOT allows session' do
+     _, headers, _ = Cuba.call( { 'PATH_INFO' => '/something',
+                                  'SCRIPT_NAME' => '/something' } )
+
+    headers[ 'Set-Cookie' ].must.eq nil
+  end
+end

data/spec/allow_session_rack_spec.rb~

@@ -0,0 +1,42 @@
+require 'spec_helper'
+require 'cuba_api/config'
+require 'cuba_api/write_aspect'
+
+module Plugin
+  def one( obj, opts )
+    obj + "-one"
+  end
+  def two( obj, opts )
+    obj + "-two"
+  end
+  def three( obj, opts )
+    obj + "-three"
+  end
+end
+
+describe CubaApi::WriteAspect do
+
+  before do
+    Cuba.reset!
+    Cuba.plugin CubaApi::Config
+    Cuba[ :aspects ] = []
+    Cuba.plugin CubaApi::WriteAspect
+    Cuba.plugin Plugin
+    Cuba.append_aspect :one
+    Cuba.prepend_aspect :two
+    Cuba.append_aspect :three
+    Cuba.define do
+      on true do
+        write 'start'
+      end
+    end
+  end
+
+  after { Cuba.config.clear }
+  
+  it 'should execute aspects in the right order' do
+     _, _, resp = Cuba.call({})
+
+    resp.join.must.eq "start-two-one-three"
+  end
+end

data/spec/guard_spec.rb

@@ -0,0 +1,262 @@
+require File.expand_path( File.join( File.dirname( __FILE__ ),
+                                     'spec_helper.rb' ) )
+require 'cuba_api/config'
+require 'cuba_api/utils'
+require 'cuba_api/guard'
+require 'ixtlan/user_management/group_model'
+
+describe CubaApi::Guard do
+
+  let( :root ) { Ixtlan::UserManagement::Group.new( :name => 'root' ) }
+
+  before do
+    Cuba.reset!
+    Cuba.plugin CubaApi::Config
+    Cuba.plugin CubaApi::Utils
+    Cuba.plugin CubaApi::Guard
+    Cuba.define do
+      
+      def current_groups
+        @groups ||= [ root ]
+      end
+
+      on_context 'admins' do
+        res.write "admins"
+      end
+
+      on_context 'users' do
+
+        on_context 'accounts' do
+          on_guard :get do
+            res.write "get accounts"
+          end
+        end
+
+        on_association do |id|
+          on_guard :post do
+            res.write "post#{id}"
+          end
+          on_guard :get do
+            res.write "get#{id}"
+          end
+          on_guard :put do
+            res.write "put#{id}"
+          end
+          on_guard :delete do
+            res.write "delete#{id}"
+          end
+        end
+
+        on_guard :post do
+          res.write "post"
+        end
+        on_guard :get do
+          res.write "get#{allowed_associations ? allowed_associations.inspect : nil}"
+        end
+        on_guard :put do
+          res.write "put"
+        end
+        on_guard :delete do
+          res.write "delete"
+        end
+      end
+    end
+  end
+
+  let( :env ) do
+    { 'PATH_INFO' => '/users',
+      'SCRIPT_NAME' => '/users',
+    }
+  end
+
+  let( :guard ) do
+    guard = Ixtlan::UserManagement::Guard.new
+    Cuba[ :guard ] =  Proc.new do |groups|
+      guard
+    end
+    guard
+  end
+
+  describe 'guarded context with nested context' do
+    
+    it 'should raise error' do
+      env = { 'PATH_INFO' => '/users/accounts',
+           'SCRIPT_NAME' => '/users/accounts' }
+
+      user = guard.permission( 'users' ) do |u|
+        u.allow_all
+      end
+      guard.permission( 'admins' ) do |a|
+        a.parent = user
+        a.allow_all
+      end
+
+      env[ 'REQUEST_METHOD' ] = 'GET'
+      lambda{ Cuba.call( env ) }.must_raise RuntimeError
+    end
+
+    it 'allow all' do
+      env = { 'PATH_INFO' => '/users/accounts',
+           'SCRIPT_NAME' => '/users/accounts' }
+      user = guard.permission( 'users' ) do |u|
+        u.allow_all
+      end
+      guard.permission( 'accounts' ) do |a|
+        a.parent = user
+        a.allow_all
+      end
+
+      env[ 'REQUEST_METHOD' ] = 'GET'
+      _, _, resp = Cuba.call( env )
+      resp.join.must.eq 'get accounts'
+
+      [ 'POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        status, _, resp = Cuba.call( env )
+        resp.must.be :empty?
+        status.must.eq 200
+      end
+    end
+
+  end
+
+  describe 'guarded context with association' do
+
+    let( :env ) do
+      { 'PATH_INFO' => '/users/42',
+        'SCRIPT_NAME' => '/users/42',
+      }
+    end
+
+    it 'denies all requests without associated id' do
+      guard.permission( 'users' ) do |u|
+        u.allow_all
+      end
+
+      ['GET', 'POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq m.downcase + '42'
+      end
+    end
+
+    it 'denies all requests with wrong associated id' do
+      guard.permission( 'users', 13 ) do |u|
+        u.allow_all
+      end
+
+      ['GET', 'POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq 'Forbidden'
+      end
+
+      env[ 'PATH_INFO' ] = '/users'
+      env[ 'SCRIPT_NAME' ] = '/users'
+      env[ 'REQUEST_METHOD' ] = 'GET'
+      _, _, resp = Cuba.call( env )
+      resp.join.must.eq 'get["13"]'
+    end
+
+    it 'allows all requests with associated id' do
+      guard.permission( 'users', 42 ) do |u|
+        u.allow_all
+      end
+
+      ['GET', 'POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq m.downcase + '42'
+      end
+
+      env[ 'PATH_INFO' ] = '/users'
+      env[ 'SCRIPT_NAME' ] = '/users'
+      env[ 'REQUEST_METHOD' ] = 'GET'
+      _, _, resp = Cuba.call( env )
+      resp.join.must.eq 'get["42"]'
+    end
+  end
+
+  describe 'guarded context' do
+    it 'forbids all request' do
+      Cuba[ :guard ] = nil
+      ['GET', 'POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq 'Forbidden'
+      end
+    end
+
+    it 'allows all request' do
+      guard.permission( 'users' ) do |u|
+        u.allow_all
+      end
+
+      ['GET', 'POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq m.downcase
+      end
+    end
+
+    it 'allows retrieve' do
+      guard.permission( 'users' ) do |u|
+        u.allow_retrieve
+      end
+      
+      m = 'GET'
+      env[ 'REQUEST_METHOD' ] = m
+      _, _, resp = Cuba.call( env )
+      resp.join.must.eq m.downcase
+      
+      ['POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq 'Forbidden'
+      end
+    end
+    
+    it 'allows retrieve and create' do
+      guard.permission( 'users' ) do |u|
+        u.allow_retrieve
+        u.allow_create
+      end
+      ['GET','POST' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq m.downcase
+      end
+      ['PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq 'Forbidden'
+      end
+    end
+
+    it 'allows retrieve and create and update' do
+      guard.permission( 'users' ) do |u|
+        u.allow_mutate
+      end
+      ['GET', 'POST','PUT' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq m.downcase
+      end
+      env[ 'REQUEST_METHOD' ] = 'DELETE'
+      _, _, resp = Cuba.call( env )
+      resp.join.must.eq 'Forbidden'
+    end
+
+    it 'allows retrieve and create and update and delete' do
+      guard.permission( 'users' ) do |u|
+        u.allow_mutate
+        u.allow_delete
+      end
+      ['GET', 'POST','PUT', 'DELETE' ].each do |m|
+        env[ 'REQUEST_METHOD' ] = m
+        _, _, resp = Cuba.call( env )
+        resp.join.must.eq m.downcase
+      end
+    end
+  end
+end

data/spec/guard_spec.rb~

@@ -0,0 +1,118 @@
+require File.expand_path( File.join( File.dirname( __FILE__ ),
+                                     'spec_helper.rb' ) )
+require 'cuba_api/config'
+require 'cuba_api/cors'
+
+describe CubaApi::Cors do
+
+  before do
+    Cuba.reset!
+    Cuba.plugin CubaApi::Config
+    Cuba.plugin CubaApi::Cors
+    Cuba.define do
+
+      on_cors 'path/to/:who' do |who|
+        on post do
+          res.write "post from #{who}"
+        end
+      end
+
+      on_cors_method [:post, :get], 'office/:me' do |me|
+        on post do
+          res.write "#{me} posted"
+        end
+      end
+
+      on_cors_method :delete, 'something' do
+        res.write "delete something"
+      end
+
+      on_cors_method :delete, 'home/:me' do |me|
+        res.write "delete #{me}"
+      end
+
+      on_cors do
+        on put do
+          res.write "put answered"
+        end
+      end
+
+    end
+  end
+
+  let( :env ) do
+    { 'REQUEST_METHOD' => 'OPTIONS',
+      'PATH_INFO' => '/account',
+      'HTTP_ORIGIN' => 'http://middleearth',
+      'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'PUT',
+      'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-requested-with'
+    }
+  end
+
+  it 'should response with catch section' do
+    _, headers, _ = Cuba.call( env )
+
+    headers[ "Access-Control-Max-Age" ].must.eq "86400"
+    headers[ "Access-Control-Allow-Origin" ].must.eq "http://middleearth"
+    headers[ "Access-Control-Allow-Methods" ].must.eq "GET, HEAD, POST, PUT, DELETE"
+    headers[ "Access-Control-Allow-Headers" ].must.eq 'x-requested-with'
+    headers[ "Access-Control-Allow-Expose-Headers" ].must.eq nil
+
+    env[ 'REQUEST_METHOD' ] = 'PUT'
+    _, _, resp = Cuba.call( env )
+    resp.join.must.eq 'put answered'
+  end
+
+  it 'should with path/to/:me section' do
+    env[ 'PATH_INFO' ] = '/path/to/alf'
+    env[ 'SCRIPT_NAME' ] = '/path/to/alf'
+
+    _, headers, _ = Cuba.call( env )
+
+    headers[ "Access-Control-Max-Age" ].must.eq "86400"
+    headers[ "Access-Control-Allow-Origin" ].must.eq "http://middleearth"
+    headers[ "Access-Control-Allow-Methods" ].must.eq "GET, HEAD, POST, PUT, DELETE"
+    headers[ "Access-Control-Allow-Headers" ].must.eq 'x-requested-with'
+    headers[ "Access-Control-Allow-Expose-Headers" ].must.eq nil
+
+    env[ 'REQUEST_METHOD' ] = 'POST'
+    _, _, resp = Cuba.call( env )
+    resp.join.must.eq 'post from alf'
+  end
+
+  it 'should with home/:me section' do
+    env[ 'PATH_INFO' ] = '/home/gandalf'
+    env[ 'SCRIPT_NAME' ] = '/home/gandalf'
+    env[ 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' ] = 'DELETE'
+
+    _, headers, _ = Cuba.call( env )
+
+    headers[ "Access-Control-Max-Age" ].must.eq "86400"
+    headers[ "Access-Control-Allow-Origin" ].must.eq "http://middleearth"
+    headers[ "Access-Control-Allow-Methods" ].must.eq "DELETE"
+    headers[ "Access-Control-Allow-Headers" ].must.eq 'x-requested-with'
+    headers[ "Access-Control-Allow-Expose-Headers" ].must.eq nil
+
+    env[ 'REQUEST_METHOD' ] = 'DELETE'
+    _, _, resp = Cuba.call( env )
+    resp.join.must.eq 'delete gandalf'
+  end
+
+  it 'should with office/:me section' do
+    env[ 'PATH_INFO' ] = '/office/frodo'
+    env[ 'SCRIPT_NAME' ] = '/home/frodo'
+    env[ 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' ] = 'POST'
+
+    _, headers, _ = Cuba.call( env )
+
+    headers[ "Access-Control-Max-Age" ].must.eq "86400"
+    headers[ "Access-Control-Allow-Origin" ].must.eq "http://middleearth"
+    headers[ "Access-Control-Allow-Methods" ].must.eq "POST, GET"
+    headers[ "Access-Control-Allow-Headers" ].must.eq 'x-requested-with'
+    headers[ "Access-Control-Allow-Expose-Headers" ].must.eq nil
+
+    env[ 'REQUEST_METHOD' ] = 'POST'
+    _, _, resp = Cuba.call( env )
+    resp.join.must.eq 'frodo posted'
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cuba-api
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-01 00:00:00.000000000 Z
+date: 2013-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cuba
@@ -97,13 +97,13 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '10.1'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '10.1'
     none: false
   prerelease: false
   type: :development
@@ -113,13 +113,13 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.0'
     none: false
   prerelease: false
   type: :development
@@ -140,18 +140,18 @@ dependencies:
   prerelease: false
   type: :development
 - !ruby/object:Gem::Dependency
-  name: backports
+  name: ixtlan-user-management
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '0.2'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '0.2'
     none: false
   prerelease: false
   type: :development
@@ -170,6 +170,7 @@ files:
 - lib/cuba_api/config.rb~
 - lib/cuba_api/reloader_rack.rb
 - lib/cuba_api/utils.rb
+- lib/cuba_api/allow_session_rack.rb
 - lib/cuba_api/cors.rb~
 - lib/cuba_api/input_filter.rb~
 - lib/cuba_api/response_status.rb~
@@ -183,6 +184,7 @@ files:
 - lib/cuba_api/utils.rb~
 - lib/cuba_api/guard.rb
 - lib/cuba_api/current_user.rb~
+- lib/cuba_api/allow_session_rack.rb~
 - lib/cuba_api/config.rb
 - lib/cuba_api/accept_content.rb
 - lib/cuba_api/ext2mime_rack.rb
@@ -191,19 +193,22 @@ files:
 - lib/cuba_api/reloader_rack.rb~
 - lib/cuba_api/no_session_rack.rb~
 - lib/cuba_api/serializer.rb
-- lib/cuba_api/no_session_rack.rb
 - lib/cuba_api/guard.rb~
 - lib/cuba_api/current_user.rb
 - spec/serializer_spec.rb
 - spec/cors_with_config_spec.rb~
 - spec/accept_spec.rb
 - spec/current_user_spec.rb
+- spec/allow_session_rack_spec.rb
 - spec/config_spec.rb
+- spec/allow_session_rack_spec.rb~
 - spec/input_filter_spec.rb
 - spec/serializer_spec.rb~
+- spec/guard_spec.rb~
 - spec/aspects_spec.rb~
 - spec/accept_spec.rb~
 - spec/cors_with_config_spec.rb
+- spec/guard_spec.rb
 - spec/spec_helper.rb~
 - spec/response_status_spec.rb
 - spec/spec_helper.rb
@@ -244,9 +249,11 @@ test_files:
 - spec/serializer_spec.rb
 - spec/accept_spec.rb
 - spec/current_user_spec.rb
+- spec/allow_session_rack_spec.rb
 - spec/config_spec.rb
 - spec/input_filter_spec.rb
 - spec/cors_with_config_spec.rb
+- spec/guard_spec.rb
 - spec/response_status_spec.rb
 - spec/cors_spec.rb
 - spec/aspects_spec.rb