declarative_policy 1.0.0 → 2.0.1

data/lib/declarative_policy/configuration.rb

@@ -7,6 +7,7 @@ module DeclarativePolicy
     def initialize
       @named_policies = {}
       @name_transformation = ->(name) { "#{name}Policy" }
+      @class_for = ->(name) { Object.const_get(name) }
     end
 
     def named_policy(name, policy = nil)
@@ -26,10 +27,15 @@ module DeclarativePolicy
       nil
     end
 
+    def class_for(&block)
+      @class_for = block
+      nil
+    end
+
     def policy_class(domain_class_name)
       return unless domain_class_name
 
-      @name_transformation.call(domain_class_name).constantize
+      @class_for.call(@name_transformation.call(domain_class_name))
     rescue NameError
       nil
     end

data/lib/declarative_policy/delegate_dsl.rb

@@ -15,7 +15,7 @@ module DeclarativePolicy
       @rule_dsl.delegate(@delegate_name, msg)
     end
 
-    def respond_to_missing?(msg, include_all)
+    def respond_to_missing?(_msg, _include_all)
       true
     end
   end

data/lib/declarative_policy/policy_dsl.rb

@@ -33,10 +33,10 @@ module DeclarativePolicy
       @context_class.prevent_all_when(@rule)
     end
 
-    def method_missing(msg, *args, &block)
+    def method_missing(msg, ...)
       return super unless @context_class.respond_to?(msg)
 
-      @context_class.__send__(msg, *args, &block) # rubocop: disable GitlabSecurity/PublicSend
+      @context_class.__send__(msg, ...) # rubocop: disable GitlabSecurity/PublicSend
     end
 
     def respond_to_missing?(msg)

data/lib/declarative_policy/preferred_scope.rb

@@ -2,7 +2,7 @@
 
 module DeclarativePolicy
   module PreferredScope
-    PREFERRED_SCOPE_KEY = :"DeclarativePolicy.preferred_scope"
+    PREFERRED_SCOPE_KEY = :'DeclarativePolicy.preferred_scope'
 
     def with_preferred_scope(scope)
       old_scope = Thread.current[PREFERRED_SCOPE_KEY]

data/lib/declarative_policy/rule.rb

@@ -210,7 +210,7 @@ module DeclarativePolicy
         cached = cached_pass?(context)
         return cached unless cached.nil?
 
-        @rules.all? { |r| r.pass?(context) }
+        @rules.sort_by { |r| r.score(context) }.all? { |r| r.pass?(context) }
       end
 
       def cached_pass?(context)
@@ -240,7 +240,7 @@ module DeclarativePolicy
         cached = cached_pass?(context)
         return cached unless cached.nil?
 
-        @rules.any? { |r| r.pass?(context) }
+        @rules.sort_by { |r| r.score(context) }.any? { |r| r.pass?(context) }
       end
 
       def simplify
@@ -285,9 +285,9 @@ module DeclarativePolicy
 
       def simplify
         case @rule
-        when And then Or.new(@rule.rules.map(&:negate)).simplify
-        when Or then And.new(@rule.rules.map(&:negate)).simplify
-        when Not then @rule.rule.simplify
+        when And then Or.new(@rule.rules.map(&:negate)).simplify # DeMorgan's laws
+        when Or then And.new(@rule.rules.map(&:negate)).simplify # DeMorgan's laws
+        when Not then @rule.rule.simplify # double negation
         else Not.new(@rule.simplify)
         end
       end

data/lib/declarative_policy/rule_dsl.rb

@@ -44,7 +44,7 @@ module DeclarativePolicy
       end
     end
 
-    def respond_to_missing?(symbol, include_all)
+    def respond_to_missing?(_symbol, _include_all)
       true
     end
   end

data/lib/declarative_policy/runner.rb

@@ -1,11 +1,16 @@
 # frozen_string_literal: true
 
+require 'set'
+
 module DeclarativePolicy
   class Runner
     class State
+      attr_reader :called_conditions
+
       def initialize
         @enabled = false
         @prevented = false
+        @called_conditions = Set.new
       end
 
       def enable!
@@ -27,6 +32,10 @@ module DeclarativePolicy
       def pass?
         !prevented? && enabled?
       end
+
+      def register(manifest_condition)
+        @called_conditions << manifest_condition.cache_key
+      end
     end
 
     # a Runner contains a list of Steps to be run.
@@ -44,6 +53,11 @@ module DeclarativePolicy
       !!@state
     end
 
+    # Delete the cached state - allowing this runner to be re-used if the facts have changed.
+    def uncache!
+      @state = nil
+    end
+
     # used by Rule::Ability. See #steps_by_score
     def score
       return 0 if cached?
@@ -55,11 +69,20 @@ module DeclarativePolicy
       Runner.new(@steps + other.steps)
     end
 
+    def dependencies
+      return Set.new unless @state
+
+      @state.called_conditions
+    end
+
     # The main entry point, called for making an ability decision.
     # See #run and DeclarativePolicy::Base#can?
     def pass?
       run unless cached?
 
+      parent_state = Thread.current[:declarative_policy_current_runner_state]
+      parent_state&.called_conditions&.merge(@state.called_conditions)
+
       @state.pass?
     end
 
@@ -70,6 +93,16 @@ module DeclarativePolicy
 
     private
 
+    def with_state
+      @state = State.new
+      old_runner_state = Thread.current[:declarative_policy_current_runner_state]
+      Thread.current[:declarative_policy_current_runner_state] = @state
+
+      yield
+    ensure
+      Thread.current[:declarative_policy_current_runner_state] = old_runner_state
+    end
+
     def flatten_steps!
       @steps = @steps.flat_map { |s| s.flattened(@steps) }
     end
@@ -78,33 +111,31 @@ module DeclarativePolicy
     # It relies on #steps_by_score for the main loop, and updates @state
     # with the result of the step.
     def run(debug = nil)
-      @state = State.new
-
-      steps_by_score do |step, score|
-        break if !debug && @state.prevented?
-
-        passed = nil
-        case step.action
-        when :enable
-          # we only check :enable actions if they have a chance of
-          # changing the outcome - if no other rule has enabled or
-          # prevented.
-          unless @state.enabled? || @state.prevented?
-            passed = step.pass?
-            @state.enable! if passed
-          end
-
-          debug << inspect_step(step, score, passed) if debug
-        when :prevent
-          # we only check :prevent actions if the state hasn't already
-          # been prevented.
-          unless @state.prevented?
-            passed = step.pass?
-            @state.prevent! if passed
+      with_state do
+        steps_by_score(!!debug) do |step, score|
+          break if !debug && @state.prevented?
+
+          passed = nil
+          case step.action
+          when :enable
+            # we only check :enable actions if they have a chance of
+            # changing the outcome - if no other rule has enabled or
+            # prevented.
+            unless @state.enabled? || @state.prevented?
+              passed = step.pass?
+              @state.enable! if passed
+            end
+          when :prevent
+            # we only check :prevent actions if the state hasn't already
+            # been prevented.
+            unless @state.prevented?
+              passed = step.pass?
+              @state.prevent! if passed
+            end
+          else raise "invalid action #{step.action.inspect}"
           end
 
           debug << inspect_step(step, score, passed) if debug
-        else raise "invalid action #{step.action.inspect}"
         end
       end
 
@@ -131,7 +162,7 @@ module DeclarativePolicy
     #
     # For each step, we yield the step object along with the computed score
     # for debugging purposes.
-    def steps_by_score
+    def steps_by_score(debugging)
       flatten_steps!
 
       if @steps.size > 50
@@ -156,6 +187,7 @@ module DeclarativePolicy
           # if the permission hasn't yet been enabled and we only have
           # prevent steps left, we short-circuit the state here
           @state.prevent!
+          return unless debugging
         end
 
         return if remaining_steps.empty?
@@ -185,7 +217,7 @@ module DeclarativePolicy
         break if lowest_score.zero?
       end
 
-      [next_step, score]
+      [next_step, lowest_score]
     end
 
     # Formatter for debugging output.

data/lib/declarative_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeclarativePolicy
-  VERSION = '1.0.0'
+  VERSION = '2.0.1'
 end

data/lib/declarative_policy.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require 'active_support/dependencies'
-require 'active_support/core_ext'
-
+require 'set'
 require_relative 'declarative_policy/cache'
 require_relative 'declarative_policy/condition'
 require_relative 'declarative_policy/delegate_dsl'
@@ -20,21 +18,32 @@ require_relative 'declarative_policy/configuration'
 module DeclarativePolicy
   extend PreferredScope
 
-  CLASS_CACHE_MUTEX = Mutex.new
-  CLASS_CACHE_IVAR = :@__DeclarativePolicy_CLASS_CACHE
-
   class << self
     def policy_for(user, subject, opts = {})
       cache = opts[:cache] || {}
       key = Cache.policy_key(user, subject)
 
-      cache[key] ||=
-        # to avoid deadlocks in multi-threaded environment when
-        # autoloading is enabled, we allow concurrent loads,
-        # https://gitlab.com/gitlab-org/gitlab-foss/issues/48263
-        ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
-          class_for(subject).new(user, subject, opts)
+      cache[key] ||= class_for(subject).new(user, subject, opts)
+    end
+
+    # Find the list of runners with now invalidated keys, and invalidate the runners
+    def invalidate(cache, invalidated_keys)
+      return unless cache&.any?
+      return unless invalidated_keys&.any?
+
+      keys = invalidated_keys.to_set
+
+      policies = cache.select { |k, _| k.is_a?(String) && k.start_with?('/dp/policy/') }
+
+      policies.each_value do |policy|
+        policy.runners.each do |runner|
+          runner.uncache! if keys.intersect?(runner.dependencies)
         end
+      end
+
+      invalidated_keys.each { |k| cache.delete(k) }
+
+      nil
     end
 
     def class_for(subject)
@@ -72,38 +81,19 @@ module DeclarativePolicy
       @configuration ||= DeclarativePolicy::Configuration.new
     end
 
-    # This method is heavily cached because there are a lot of anonymous
-    # modules in play in a typical rails app, and #name performs quite
-    # slowly for anonymous classes and modules.
-    #
-    # See https://bugs.ruby-lang.org/issues/11119
-    #
-    # if the above bug is resolved, this caching could likely be removed.
     def class_for_class(subject_class)
-      unless subject_class.instance_variable_defined?(CLASS_CACHE_IVAR)
-        CLASS_CACHE_MUTEX.synchronize do
-          # re-check in case of a race
-          break if subject_class.instance_variable_defined?(CLASS_CACHE_IVAR)
-
-          policy_class = compute_class_for_class(subject_class)
-          subject_class.instance_variable_set(CLASS_CACHE_IVAR, policy_class)
+      if subject_class.respond_to?(:declarative_policy_class)
+        Object.const_get(subject_class.declarative_policy_class)
+      else
+        subject_class.ancestors.each do |klass|
+          name = klass.name
+          klass = policy_class(name)
+
+          return klass if klass
         end
-      end
-
-      subject_class.instance_variable_get(CLASS_CACHE_IVAR)
-    end
 
-    def compute_class_for_class(subject_class)
-      return subject_class.declarative_policy_class.constantize if subject_class.respond_to?(:declarative_policy_class)
-
-      subject_class.ancestors.each do |klass|
-        name = klass.name
-        klass = policy_class(name)
-
-        return klass if klass
+        nil
       end
-
-      nil
     end
 
     def policy_class(name)

metadata

@@ -1,16 +1,113 @@
 --- !ruby/object:Gem::Specification
 name: declarative_policy
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.1
 platform: ruby
 authors:
-- Jeanine Adkisson
-- Alexis Kalderimis
-autorequire: 
+- group::authorization
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-04-12 00:00:00.000000000 Z
-dependencies: []
+date: 2025-08-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: benchmark-ips
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+- !ruby/object:Gem::Dependency
+  name: gitlab-dangerfiles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: gitlab-styles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: rspec-parameterized
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: |
   This library provides an authorization framework with a declarative DSL
 
@@ -19,28 +116,21 @@ description: |
 
   This library is in production use at GitLab.com
 email:
-- akalderimis@gitlab.com
+- engineering@gitlab.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".gitlab-ci.yml"
-- ".rspec"
-- ".rubocop.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
-- Dangerfile
-- Gemfile
-- Gemfile.lock
+- CONTRIBUTING.md
 - LICENSE.txt
 - README.md
-- Rakefile
-- danger/plugins/project_helper.rb
-- danger/roulette/Dangerfile
-- declarative_policy.gemspec
+- declarative-policy.gemspec
 - doc/caching.md
 - doc/configuration.md
 - doc/defining-policies.md
+- doc/optimization.md
 - lib/declarative_policy.rb
 - lib/declarative_policy/base.rb
 - lib/declarative_policy/cache.rb
@@ -55,14 +145,15 @@ files:
 - lib/declarative_policy/runner.rb
 - lib/declarative_policy/step.rb
 - lib/declarative_policy/version.rb
-homepage: https://gitlab.com/gitlab-org/declarative-policy
+homepage: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://gitlab.com/gitlab-org/declarative-policy
-  source_code_uri: https://gitlab.com/gitlab-org/declarative-policy
-  changelog_uri: https://gitlab.com/gitlab-org/declarative-policy/-/blobs/master/CHANGELOG.md
-post_install_message: 
+  homepage_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
+  source_code_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
+  changelog_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'false'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -70,15 +161,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: An authorization library with a focus on declarative policy definitions.
 test_files: []

data/.gitignore

@@ -1,10 +0,0 @@
-/.bundle/
-/.yardoc
-/_yardoc/
-/coverage/
-/pkg/
-/spec/reports/
-/tmp/
-
-# rspec failure tracking
-.rspec_status

data/.gitlab-ci.yml

@@ -1,48 +0,0 @@
-image: "ruby:2.7"
-
-.tests:
-  stage: test
-  only:
-    refs:
-      - master
-      - tags
-      - merge_requests
-
-# Cache gems in between builds
-cache:
-  paths:
-    - vendor/ruby
-
-before_script:
-  - ruby -v  # Print out ruby version for debugging
-  - bundle install -j $(nproc) --path vendor  # Install dependencies into ./vendor/ruby
-
-rubocop:
-  extends: .tests
-  script:
-    - bundle exec rubocop
-
-rspec:
-  extends: .tests
-  image: "ruby:$RUBY_VERSION"
-  script:
-    - bundle exec rspec
-  parallel:
-    matrix:
-      - RUBY_VERSION:
-        - "2.7"
-        - "3.0"
-
-danger-review:
-  extends: .tests
-  needs: []
-  script:
-    - >
-      if [ -z "$DANGER_GITLAB_API_TOKEN" ]; then
-        # Force danger to skip CI source GitLab and fallback to "local only git repo".
-        unset GITLAB_CI
-        # We need to base SHA to help danger determine the base commit for this shallow clone.
-        bundle exec danger dry_run --fail-on-errors=true --verbose --base="$CI_MERGE_REQUEST_DIFF_BASE_SHA"
-      else
-        bundle exec danger --fail-on-errors=true --verbose
-      fi

data/.rspec

@@ -1,4 +0,0 @@
---format documentation
---color
---require spec_helper
---order rand

data/.rubocop.yml

@@ -1,10 +0,0 @@
-inherit_gem:
-  gitlab-styles:
-    - rubocop-default.yml
-
-AllCops:
-  TargetRubyVersion: 2.6
-  NewCops: enable
-
-RSpec/MultipleMemoizedHelpers:
-  Max: 10

data/Dangerfile

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-require 'gitlab-dangerfiles'
-
-Gitlab::Dangerfiles.import_plugins(danger)
-danger.import_plugin('danger/plugins/*.rb')
-
-return if helper.release_automation?
-
-danger.import_dangerfile(path: File.join('danger', 'roulette'))
-
-anything_to_post = status_report.values.any?(&:any?)
-
-if helper.ci? && anything_to_post
-  markdown("**If needed, you can retry the [`danger-review` job](#{ENV['CI_JOB_URL']}) that generated this comment.**")
-end

data/Gemfile

@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in declarative-policy.gemspec
-gemspec
-
-gem 'activesupport', '>= 6.0'
-gem 'rake', '~> 12.0'
-gem 'rubocop', require: false
-
-group :test do
-  gem 'rspec', '~> 3.0'
-  gem 'rspec-parameterized', require: false
-  gem 'pry-byebug'
-end
-
-group :development, :test do
-  gem 'gitlab-styles', '~> 6.1.0', require: false
-end
-
-group :development, :test, :danger do
-  gem 'gitlab-dangerfiles', '~> 1.1.0', require: false
-end