declarative_policy 1.0.0 → 1.1.0

data/lib/declarative_policy/base.rb

@@ -33,6 +33,24 @@ module DeclarativePolicy
       end
     end
 
+    class Options
+      def initialize
+        @hash = {}
+      end
+
+      def []=(key, value)
+        @hash[key.to_sym] = value
+      end
+
+      def [](key)
+        @hash[key.to_sym]
+      end
+
+      def to_h
+        @hash
+      end
+    end
+
     class << self
       # The `own_ability_map` vs `ability_map` distinction is used so that
       # the data structure is properly inherited - with subclasses recursively
@@ -146,46 +164,40 @@ module DeclarativePolicy
 
       # A hash in which to store calls to `desc` and `with_scope`, etc.
       def last_options
-        @last_options ||= {}.with_indifferent_access
+        @last_options ||= Options.new
       end
 
-      # retrieve and zero out the previously set options (used in .condition)
-      def last_options!
-        last_options.tap { @last_options = nil }
+      def with_options(opts = {})
+        last_options.to_h.merge!(opts.to_h)
       end
 
       # Declare a description for the following condition. Currently unused,
       # but opens the potential for explaining to users why they were or were
       # not able to do something.
       def desc(description)
-        last_options[:description] = description
-      end
-
-      def with_options(opts = {})
-        last_options.merge!(opts)
+        with_options description: description
       end
 
+      # Declare a scope for the following condition.
       def with_scope(scope)
         with_options scope: scope
       end
 
+      # Declare a score for the following condition.
       def with_score(score)
         with_options score: score
       end
 
       # Declares a condition. It gets stored in `own_conditions`, and generates
       # a query method based on the condition's name.
-      def condition(name, opts = {}, &value)
-        name = name.to_sym
+      def condition(condition_name, opts = {}, &value)
+        condition_name = condition_name.to_sym
 
-        opts = last_options!.merge(opts)
-        opts[:context_key] ||= self.name
+        condition = Condition.new(condition_name, condition_options(opts), &value)
 
-        condition = Condition.new(name, opts, &value)
+        own_conditions[condition_name] = condition
 
-        own_conditions[name] = condition
-
-        define_method(:"#{name}?") { condition(name).pass? }
+        define_method(:"#{condition_name}?") { condition(condition_name).pass? }
       end
 
       # These next three methods are mainly called from PolicyDsl,
@@ -206,6 +218,16 @@ module DeclarativePolicy
       def prevent_all_when(rule)
         own_global_actions << [:prevent, rule]
       end
+
+      private
+
+      # retrieve and zero out the previously set options (used in .condition)
+      def condition_options(opts)
+        # The context_key distinguishes two conditions of the same name.
+        # For anonymous classes, use object_id.
+        opts[:context_key] ||= (name || object_id)
+        with_options(opts).tap { @last_options = nil }
+      end
     end
 
     # A policy object contains a specific user and subject on which
@@ -254,16 +276,23 @@ module DeclarativePolicy
     condition(:default, scope: :global, score: 0) { true }
 
     def repr
-      subject_repr =
-        if @subject.respond_to?(:id)
-          "#{@subject.class.name}/#{@subject.id}"
-        else
-          @subject.inspect
-        end
+      "(#{identify_user} : #{identify_subject})"
+    end
 
-      user_repr = @user.try(:to_reference) || '<anonymous>'
+    def identify_user
+      return '<anonymous>' unless @user
 
-      "(#{user_repr} : #{subject_repr})"
+      @user.to_reference
+    rescue NoMethodError
+      "<#{@user.class}: #{@user.object_id}>"
+    end
+
+    def identify_subject
+      if @subject.respond_to?(:id)
+        "#{@subject.class.name}/#{@subject.id}"
+      else
+        @subject.inspect
+      end
     end
 
     def inspect
@@ -276,19 +305,22 @@ module DeclarativePolicy
     # at the ability level.
     def runner(ability)
       ability = ability.to_sym
-      @runners ||= {}
-      @runners[ability] ||=
+      runners[ability] ||=
         begin
           own_runner = Runner.new(own_steps(ability))
           if self.class.overrides.include?(ability)
             own_runner
           else
             delegated_runners = delegated_policies.values.compact.map { |p| p.runner(ability) }
-            delegated_runners.inject(own_runner, &:merge_runner)
+            delegated_runners.reduce(own_runner, &:merge_runner)
           end
         end
     end
 
+    def runners
+      @runners ||= {}
+    end
+
     # Helpers for caching. Used by ManifestCondition in performing condition
     # computation.
     #

data/lib/declarative_policy/cache.rb

@@ -6,7 +6,7 @@ module DeclarativePolicy
       def user_key(user)
         return '<anonymous>' if user.nil?
 
-        id_for(user)
+        "#{user.class.name}:#{id_for(user)}"
       end
 
       def policy_key(user, subject)

data/lib/declarative_policy/condition.rb

@@ -40,6 +40,8 @@ module DeclarativePolicy
     # the context's cache here so that we can share in the global
     # cache (often RequestStore or similar).
     def pass?
+      Thread.current[:declarative_policy_current_runner_state]&.register(self)
+
       @context.cache(cache_key) { @condition.compute(@context) }
     end
 
@@ -76,8 +78,6 @@ module DeclarativePolicy
       8
     end
 
-    private
-
     # This method controls the caching for the condition. This is where
     # the condition(scope: ...) option comes into play. Notice that
     # depending on the scope, we may cache only by the user or only by
@@ -93,6 +93,8 @@ module DeclarativePolicy
         end
     end
 
+    private
+
     def user_key
       Cache.user_key(@context.user)
     end

data/lib/declarative_policy/configuration.rb

@@ -7,6 +7,7 @@ module DeclarativePolicy
     def initialize
       @named_policies = {}
       @name_transformation = ->(name) { "#{name}Policy" }
+      @class_for = ->(name) { Object.const_get(name) }
     end
 
     def named_policy(name, policy = nil)
@@ -26,10 +27,15 @@ module DeclarativePolicy
       nil
     end
 
+    def class_for(&block)
+      @class_for = block
+      nil
+    end
+
     def policy_class(domain_class_name)
       return unless domain_class_name
 
-      @name_transformation.call(domain_class_name).constantize
+      @class_for.call((@name_transformation.call(domain_class_name)))
     rescue NameError
       nil
     end

data/lib/declarative_policy/rule.rb

@@ -210,7 +210,7 @@ module DeclarativePolicy
         cached = cached_pass?(context)
         return cached unless cached.nil?
 
-        @rules.all? { |r| r.pass?(context) }
+        @rules.sort_by { |r| r.score(context) }.all? { |r| r.pass?(context) }
       end
 
       def cached_pass?(context)
@@ -240,7 +240,7 @@ module DeclarativePolicy
         cached = cached_pass?(context)
         return cached unless cached.nil?
 
-        @rules.any? { |r| r.pass?(context) }
+        @rules.sort_by { |r| r.score(context) }.any? { |r| r.pass?(context) }
       end
 
       def simplify
@@ -285,9 +285,9 @@ module DeclarativePolicy
 
       def simplify
         case @rule
-        when And then Or.new(@rule.rules.map(&:negate)).simplify
-        when Or then And.new(@rule.rules.map(&:negate)).simplify
-        when Not then @rule.rule.simplify
+        when And then Or.new(@rule.rules.map(&:negate)).simplify # DeMorgan's laws
+        when Or then And.new(@rule.rules.map(&:negate)).simplify # DeMorgan's laws
+        when Not then @rule.rule.simplify # double negation
         else Not.new(@rule.simplify)
         end
       end

data/lib/declarative_policy/runner.rb

@@ -1,11 +1,16 @@
 # frozen_string_literal: true
 
+require 'set'
+
 module DeclarativePolicy
   class Runner
     class State
+      attr_reader :called_conditions
+
       def initialize
         @enabled = false
         @prevented = false
+        @called_conditions = Set.new
       end
 
       def enable!
@@ -27,6 +32,10 @@ module DeclarativePolicy
       def pass?
         !prevented? && enabled?
       end
+
+      def register(manifest_condition)
+        @called_conditions << manifest_condition.cache_key
+      end
     end
 
     # a Runner contains a list of Steps to be run.
@@ -44,6 +53,11 @@ module DeclarativePolicy
       !!@state
     end
 
+    # Delete the cached state - allowing this runner to be re-used if the facts have changed.
+    def uncache!
+      @state = nil
+    end
+
     # used by Rule::Ability. See #steps_by_score
     def score
       return 0 if cached?
@@ -55,11 +69,20 @@ module DeclarativePolicy
       Runner.new(@steps + other.steps)
     end
 
+    def dependencies
+      return Set.new unless @state
+
+      @state.called_conditions
+    end
+
     # The main entry point, called for making an ability decision.
     # See #run and DeclarativePolicy::Base#can?
     def pass?
       run unless cached?
 
+      parent_state = Thread.current[:declarative_policy_current_runner_state]
+      parent_state&.called_conditions&.merge(@state.called_conditions)
+
       @state.pass?
     end
 
@@ -70,6 +93,16 @@ module DeclarativePolicy
 
     private
 
+    def with_state(&block)
+      @state = State.new
+      old_runner_state = Thread.current[:declarative_policy_current_runner_state]
+      Thread.current[:declarative_policy_current_runner_state] = @state
+
+      yield
+    ensure
+      Thread.current[:declarative_policy_current_runner_state] = old_runner_state
+    end
+
     def flatten_steps!
       @steps = @steps.flat_map { |s| s.flattened(@steps) }
     end
@@ -78,33 +111,31 @@ module DeclarativePolicy
     # It relies on #steps_by_score for the main loop, and updates @state
     # with the result of the step.
     def run(debug = nil)
-      @state = State.new
-
-      steps_by_score do |step, score|
-        break if !debug && @state.prevented?
-
-        passed = nil
-        case step.action
-        when :enable
-          # we only check :enable actions if they have a chance of
-          # changing the outcome - if no other rule has enabled or
-          # prevented.
-          unless @state.enabled? || @state.prevented?
-            passed = step.pass?
-            @state.enable! if passed
-          end
-
-          debug << inspect_step(step, score, passed) if debug
-        when :prevent
-          # we only check :prevent actions if the state hasn't already
-          # been prevented.
-          unless @state.prevented?
-            passed = step.pass?
-            @state.prevent! if passed
+      with_state do
+        steps_by_score(!!debug) do |step, score|
+          break if !debug && @state.prevented?
+
+          passed = nil
+          case step.action
+          when :enable
+            # we only check :enable actions if they have a chance of
+            # changing the outcome - if no other rule has enabled or
+            # prevented.
+            unless @state.enabled? || @state.prevented?
+              passed = step.pass?
+              @state.enable! if passed
+            end
+          when :prevent
+            # we only check :prevent actions if the state hasn't already
+            # been prevented.
+            unless @state.prevented?
+              passed = step.pass?
+              @state.prevent! if passed
+            end
+          else raise "invalid action #{step.action.inspect}"
           end
 
           debug << inspect_step(step, score, passed) if debug
-        else raise "invalid action #{step.action.inspect}"
         end
       end
 
@@ -131,7 +162,7 @@ module DeclarativePolicy
     #
     # For each step, we yield the step object along with the computed score
     # for debugging purposes.
-    def steps_by_score
+    def steps_by_score(debugging)
       flatten_steps!
 
       if @steps.size > 50
@@ -156,6 +187,7 @@ module DeclarativePolicy
           # if the permission hasn't yet been enabled and we only have
           # prevent steps left, we short-circuit the state here
           @state.prevent!
+          return unless debugging
         end
 
         return if remaining_steps.empty?
@@ -185,7 +217,7 @@ module DeclarativePolicy
         break if lowest_score.zero?
       end
 
-      [next_step, score]
+      [next_step, lowest_score]
     end
 
     # Formatter for debugging output.

data/lib/declarative_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeclarativePolicy
-  VERSION = '1.0.0'
+  VERSION = '1.1.0'
 end

data/lib/declarative_policy.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require 'active_support/dependencies'
-require 'active_support/core_ext'
-
+require 'set'
 require_relative 'declarative_policy/cache'
 require_relative 'declarative_policy/condition'
 require_relative 'declarative_policy/delegate_dsl'
@@ -20,21 +18,32 @@ require_relative 'declarative_policy/configuration'
 module DeclarativePolicy
   extend PreferredScope
 
-  CLASS_CACHE_MUTEX = Mutex.new
-  CLASS_CACHE_IVAR = :@__DeclarativePolicy_CLASS_CACHE
-
   class << self
     def policy_for(user, subject, opts = {})
       cache = opts[:cache] || {}
       key = Cache.policy_key(user, subject)
 
-      cache[key] ||=
-        # to avoid deadlocks in multi-threaded environment when
-        # autoloading is enabled, we allow concurrent loads,
-        # https://gitlab.com/gitlab-org/gitlab-foss/issues/48263
-        ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
-          class_for(subject).new(user, subject, opts)
+      cache[key] ||= class_for(subject).new(user, subject, opts)
+    end
+
+    # Find the list of runners with now invalidated keys, and invalidate the runners
+    def invalidate(cache, invalidated_keys)
+      return unless cache&.any?
+      return unless invalidated_keys&.any?
+
+      keys = invalidated_keys.to_set
+
+      policies = cache.select { |k, _| k.is_a?(String) && k.start_with?('/dp/policy/') }
+
+      policies.each_value do |policy|
+        policy.runners.each do |runner|
+          runner.uncache! if keys.intersect?(runner.dependencies)
         end
+      end
+
+      invalidated_keys.each { |k| cache.delete(k) }
+
+      nil
     end
 
     def class_for(subject)
@@ -72,38 +81,19 @@ module DeclarativePolicy
       @configuration ||= DeclarativePolicy::Configuration.new
     end
 
-    # This method is heavily cached because there are a lot of anonymous
-    # modules in play in a typical rails app, and #name performs quite
-    # slowly for anonymous classes and modules.
-    #
-    # See https://bugs.ruby-lang.org/issues/11119
-    #
-    # if the above bug is resolved, this caching could likely be removed.
     def class_for_class(subject_class)
-      unless subject_class.instance_variable_defined?(CLASS_CACHE_IVAR)
-        CLASS_CACHE_MUTEX.synchronize do
-          # re-check in case of a race
-          break if subject_class.instance_variable_defined?(CLASS_CACHE_IVAR)
-
-          policy_class = compute_class_for_class(subject_class)
-          subject_class.instance_variable_set(CLASS_CACHE_IVAR, policy_class)
+      if subject_class.respond_to?(:declarative_policy_class)
+        Object.const_get(subject_class.declarative_policy_class)
+      else
+        subject_class.ancestors.each do |klass|
+          name = klass.name
+          klass = policy_class(name)
+
+          return klass if klass
         end
-      end
-
-      subject_class.instance_variable_get(CLASS_CACHE_IVAR)
-    end
 
-    def compute_class_for_class(subject_class)
-      return subject_class.declarative_policy_class.constantize if subject_class.respond_to?(:declarative_policy_class)
-
-      subject_class.ancestors.each do |klass|
-        name = klass.name
-        klass = policy_class(name)
-
-        return klass if klass
+        nil
       end
-
-      nil
     end
 
     def policy_class(name)

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: declarative_policy
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Jeanine Adkisson
 - Alexis Kalderimis
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-04-12 00:00:00.000000000 Z
+date: 2021-11-05 00:00:00.000000000 Z
 dependencies: []
 description: |
   This library provides an authorization framework with a declarative DSL
@@ -28,19 +28,23 @@ files:
 - ".gitlab-ci.yml"
 - ".rspec"
 - ".rubocop.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Dangerfile
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
+- benchmarks/repeated_invocation.rb
 - danger/plugins/project_helper.rb
 - danger/roulette/Dangerfile
 - declarative_policy.gemspec
 - doc/caching.md
 - doc/configuration.md
 - doc/defining-policies.md
+- doc/optimization.md
 - lib/declarative_policy.rb
 - lib/declarative_policy/base.rb
 - lib/declarative_policy/cache.rb
@@ -62,7 +66,7 @@ metadata:
   homepage_uri: https://gitlab.com/gitlab-org/declarative-policy
   source_code_uri: https://gitlab.com/gitlab-org/declarative-policy
   changelog_uri: https://gitlab.com/gitlab-org/declarative-policy/-/blobs/master/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -70,15 +74,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.2.15
+signing_key:
 specification_version: 4
 summary: An authorization library with a focus on declarative policy definitions.
 test_files: []