declarative_policy 1.1.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6dffd68fb3da1c6d7629901c2436d47e87d7a2b275dfa7282371ef97e7e623b9
-  data.tar.gz: 9d07ae900c5c2de61025ac2ecff512da42a235f2365db2696babc4b41a654ec2
+  metadata.gz: 704af6c0500c00a0e6c6797dd5b496c098db86f33ccc1ef2496be37e43b33e03
+  data.tar.gz: 2236adb02dbee28b6565fc72541fe2fbee5a087ef15cc2fe1f0d060ce1eece13
 SHA512:
-  metadata.gz: e95c536a5b724dc302e192c975b7adf9a3096a7b2fca2ebe63cc1a6fcead19bb37928fecd796b63403902c7885f577859beff3a51237ce37d7a4deff9a51318d
-  data.tar.gz: acfa272dae2fce1bb4ea9be06c45d10f3da93a8a87ea8c329db1b2e8cd8cf707615104945872bc391e4eb35bc9b2adba0d768ecdd9ddf1bb5ce480ba7dd337c0
+  metadata.gz: c3841495e1922ae72f704524e40ca080da4838cfe075d401350212f5b31f116f6003aa3e371d2a0084a11986b4745bb82946ad84b61247a19b59470a26e24755
+  data.tar.gz: f3f0d97ba2b9e56079d5307c135ec2b15c73759661f32e6cda2db44ab0fa21002598725cf0c762ca85c0580ae1c5b7c397115f185ec94c9da600cfaf19f6e590

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+2.0.0:
+
+- Drop explicit support for Ruby 2.6 and 2.7 by removing those versions from
+  the CI matrix. These Ruby versions are now past EOL.
+- Rename default condition scope name to `:user_and_subject`
+- Clarify the use of `User` and `Subject` in README and documentation
+- Update `ruby-git` in Gemfile.lock
+
+1.1.1:
+
+- Define development dependencies
+
 1.1.0:
 
 - Add cache invalidation API: `DeclarativePolicy.invalidate(cache, keys)`

data/README.md

@@ -20,14 +20,72 @@ gem 'declarative_policy'
 
 And then execute:
 
-    $ bundle install
+```plain
+$ bundle install
+```
 
 Or install it yourself as:
 
-    $ gem install declarative_policy
+```plain
+$ gem install declarative_policy
+```
+
+## Example
 
-## Usage
+```ruby
+require 'declarative_policy'
+
+class User
+  attr_reader :name
+
+  def initialize(name:)
+    @name = name
+  end
+end
+
+class Vehicle
+  def initialize(owner:, trusted: [])
+    @owner = owner
+    @trusted = trusted
+  end
+
+  def owner?(user)
+    @owner.name == user.name
+  end
+
+  def trusted?(user)
+    @owner.name == user.name || @trusted.detect { |t| t.name == user.name }
+  end
+end
 
+class VehiclePolicy < DeclarativePolicy::Base
+  condition(:owns) { @subject.owner?(@user) }
+  condition(:trusted) { @subject.trusted?(@user) }
+
+  rule { owns }.enable :sell_vehicle
+  rule { trusted }.enable :drive_vehicle
+end
+
+jack = User.new(name: 'jack')
+jill = User.new(name: 'jill')
+jacks_vehicle = Vehicle.new(owner: jack, trusted: [jill])
+jills_vehicle = Vehicle.new(owner: jill, trusted: [jack])
+
+puts "Jack can drive Jack's vehicle? -> #{DeclarativePolicy.policy_for(jack, jacks_vehicle).can?(:drive_vehicle)}"
+puts "Jack can drive Jill's vehicle? -> #{DeclarativePolicy.policy_for(jack, jills_vehicle).can?(:drive_vehicle)}"
+puts "Jack can sell Jack's vehicle? -> #{DeclarativePolicy.policy_for(jack, jacks_vehicle).can?(:sell_vehicle)}"
+puts "Jack can sell Jill's vehicle? -> #{DeclarativePolicy.policy_for(jack, jills_vehicle).can?(:sell_vehicle)}"
+```
+
+```plain
+$ ruby example.rb
+Jack can drive Jack's vehicle? -> true
+Jack can drive Jill's vehicle? -> true
+Jack can sell Jack's vehicle? -> true
+Jack can sell Jill's vehicle? -> false
+```
+
+## Usage
 
 The core abstraction of this library is a `Policy`. Policies combine:
 
@@ -36,9 +94,12 @@ The core abstraction of this library is a `Policy`. Policies combine:
 
 This library exists to determine the truth value of statements of the form:
 
+```plain
+User Predicate [Subject]
 ```
-Subject Predicate [Object]
-```
+
+Renaming `User` to `Actor` and `Subject` to `Resource` is discussed in
+[this issue](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/issues/6).
 
 For example:
 
@@ -64,14 +125,14 @@ class VehiclePolicy < DeclarativePolicy::Base
   condition(:owns, score: 0) { @subject.owner == @user }
   condition(:has_access_to, score: 3) { @subject.owner.trusts?(@user) }
   condition(:intoxicated, score: 5) { @user.blood_alcohol > laws.max_blood_alcohol }
-  
+
   # conclusions we can draw:
   rule { owns }.enable :drive_vehicle
   rule { has_access_to }.enable :drive_vehicle
   rule { ~old_enough_to_drive }.prevent :drive_vehicle
   rule { intoxicated }.prevent :drive_vehicle
   rule { ~has_driving_license }.prevent :drive_vehicle
-  
+
   # we can use methods to abstract common logic
   def laws
     @subject.registration.country.driving_laws
@@ -128,10 +189,16 @@ interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## Additional Reading Material
+
+More details on policies and custom roles can be found in the following pages:
+- [Development Process for the DeclarativePolicy framework](https://docs.gitlab.com/ee/development/policies.html)
+- [Custom Roles docs](https://docs.gitlab.com/ee/development/permissions/custom_roles.html)
+
 ## Contributing
 
 Bug reports and merge requests are welcome on GitLab at
-https://gitlab.com/gitlab-org/declarative-policy. This project is intended to be
+https://gitlab.com/gitlab-org/ruby/gems/declarative-policy. This project is intended to be
 a safe, welcoming space for collaboration, and contributors are expected to
 adhere to the [GitLab code of conduct](https://about.gitlab.com/community/contribute/code-of-conduct/).
 

data/{declarative_policy.gemspec → declarative-policy.gemspec}

@@ -5,8 +5,8 @@ require_relative 'lib/declarative_policy/version'
 Gem::Specification.new do |spec|
   spec.name          = 'declarative_policy'
   spec.version       = DeclarativePolicy::VERSION
-  spec.authors       = ['Jeanine Adkisson', 'Alexis Kalderimis']
-  spec.email         = ['akalderimis@gitlab.com']
+  spec.authors       = ['group::authorization']
+  spec.email         = ['engineering@gitlab.com']
 
   spec.summary       = 'An authorization library with a focus on declarative policy definitions.'
   spec.description   = <<~DESC
@@ -17,20 +17,35 @@ Gem::Specification.new do |spec|
 
     This library is in production use at GitLab.com
   DESC
-  spec.homepage      = 'https://gitlab.com/gitlab-org/declarative-policy'
+  spec.homepage      = 'https://gitlab.com/gitlab-org/ruby/gems/declarative-policy'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 3.0.0')
 
   spec.metadata['homepage_uri'] = spec.homepage
-  spec.metadata['source_code_uri'] = 'https://gitlab.com/gitlab-org/declarative-policy'
-  spec.metadata['changelog_uri'] = 'https://gitlab.com/gitlab-org/declarative-policy/-/blobs/master/CHANGELOG.md'
+  spec.metadata['source_code_uri'] = 'https://gitlab.com/gitlab-org/ruby/gems/declarative-policy'
+  spec.metadata['changelog_uri'] = 'https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/CHANGELOG.md'
+
+  spec.metadata['rubygems_mfa_required'] = 'false'
 
   # Specify which files should be added to the gem when it is released.
-  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
   spec.files = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+    %w[
+      *.gemspec
+      lib/**/*.rb
+      *.{md,txt}
+      doc/**/*
+    ].flat_map { |pattern| Dir.glob(pattern) }
   end
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
+
+  # Development dependencies:
+  spec.add_development_dependency 'benchmark-ips', '~> 2.12'
+  spec.add_development_dependency 'gitlab-dangerfiles', '~> 3.8'
+  spec.add_development_dependency 'gitlab-styles', '~> 12.0'
+  spec.add_development_dependency 'pry-byebug'
+  spec.add_development_dependency 'rake', '~> 12.0'
+  spec.add_development_dependency 'rspec', '~> 3.10'
+  spec.add_development_dependency 'rspec-parameterized', '~> 1.0'
 end

data/doc/caching.md

@@ -122,8 +122,8 @@ policy itself.
 
 The best approach here is to use normal Ruby methods and instance variables for
 such values. The policy instances themselves are cached, so that any two
-invocations of `DeclarativePolicy.policy_for(user, object)` with identical
-`user` and `object` arguments will always return the same policy object. This
+invocations of `DeclarativePolicy.policy_for(user, subject)` with identical
+`user` and `subject` arguments will always return the same policy object. This
 means instance variables stored on the policy will be available for the lifetime
 of the cache.
 
@@ -209,18 +209,18 @@ In this case, it doesn't matter who the user is or even where they are going:
 the condition will be computed once (per cache lifetime) for all combinations.
 
 Because of the implications for sharing, the scope determines the
-[`#score`](https://gitlab.com/gitlab-org/declarative-policy/blob/2ab9dbdf44fb37beb8d0f7c131742d47ae9ef5d0/lib/declarative_policy/condition.rb#L58-77) of
+[`#score`](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/2ab9dbdf44fb37beb8d0f7c131742d47ae9ef5d0/lib/declarative_policy/condition.rb#L58-77) of
 the condition (if not provided explicitly). The intention is to prefer values we
 are more likely (all other things being equal) to re-use:
 
 - Conditions we have already cached get a score of `0`.
 - Conditions that are in the `:global` scope get a score of `2`.
 - Conditions that are in the `:user` or `:subject` scopes get a score of `8`.
-- Conditions that are in the `:normal` scope get a score of `16`.
+- Conditions that are in the `:user_and_subject` scope get a score of `16`.
 
 Bear helper-methods in mind when defining scopes. While the instance level cache
 for non-boolean values would not be shared, as long as the derived condition is
-shared (for example by being in the `:user` scope, rather than the `:normal`
+shared (for example by being in the `:user` scope, rather than the `:user_and_subject`
 scope), helper-methods will also benefit from improved cache hits.
 
 ### Preferred scope
@@ -231,7 +231,7 @@ the `:subject` or the `:user` scope. We can inform the optimizer of this
 by setting `DeclarativePolicy.preferred_scope`.
 
 To do this, check the abilities within a block bounded
-by [`DeclarativePolicy.with_preferred_scope`](https://gitlab.com/gitlab-org/declarative-policy/blob/481c322a74f76c325d3ccab7f2f3cc2773e8168b/lib/declarative_policy/preferred_scope.rb#L7-13).
+by [`DeclarativePolicy.with_preferred_scope`](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/481c322a74f76c325d3ccab7f2f3cc2773e8168b/lib/declarative_policy/preferred_scope.rb#L7-13).
 For example:
 
 ```ruby
@@ -270,7 +270,7 @@ have different `object_id` values, and using `object_id` will not get optimal ca
 policy subjects should implement `#id` for this reason. `ActiveRecord` models
 with an `id` primary ID attribute do not need any extra configuration.
 
-Please see: [`DeclarativePolicy::Cache`](https://gitlab.com/gitlab-org/declarative-policy/blob/master/lib/declarative_policy/cache.rb).
+Please see: [`DeclarativePolicy::Cache`](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/main/lib/declarative_policy/cache.rb).
 
 ## Cache invalidation
 

data/doc/defining-policies.md

@@ -22,9 +22,9 @@ and then evaluating them with `DeclarativePolicy::Base#allowed?`.
 You may wish to define a method to abstract policy evaluation. Something like:
 
 ```ruby
-def allowed?(user, ability, object)
+def allowed?(user, ability, subject)
   opts = { cache: Cache.current_cache } # re-using a cache between checks eliminates duplication of work
-  policy = DeclarativePolicy.policy_for(user, object, opts)
+  policy = DeclarativePolicy.policy_for(user, subject, opts)
   policy.allowed?(ability)
 end
 ```
@@ -41,9 +41,9 @@ want to know if a user can drive a vehicle. We need a `VehiclePolicy`:
 ```ruby
 class VehiclePolicy < DeclarativePolicy::Base
   # conditions go here by convention
-  
+
   # rules go here by convention
-  
+
   # helper methods go last
 end
 ```
@@ -55,14 +55,14 @@ Conditions are facts about the state of the system.
 They have access to two elements of the proposition:
 
 - `@user` - the representation of a user in your system: the *subject* of the proposition.
-  `user` in `allowed?(user, ability, object)`. `@user` may be `nil`, which means
+  `user` in `allowed?(user, ability, subject)`. `@user` may be `nil`, which means
   that the current user is anonymous (for example this may reflect an
   unauthenticated request in your system).
 - `@subject` - any domain object that has an associated policy: the *object* of
-  the predicate of the proposition. `object` in `allowed?(user, ability, object)`.
+  the predicate of the proposition. `subject` in `allowed?(user, ability, subject)`.
   `@subject` is never `nil`. See [handling `nil` values](./configuration.md#handling-nil-values)
   for details of how to apply policies to `nil` values.
-  
+
 
 They are defined as `condition(name, **options, &block)`, where the block is
 evaluated in the context of an instance of the policy.
@@ -184,7 +184,7 @@ like:
 ```ruby
 class DrivingLicensePolicy < DeclarativePolicy::Base
   condition(:expired) { @subject.expires_at <= Time.current }
-  
+
   rule { expired }.prevent :drive_vehicle
 end
 ```
@@ -194,7 +194,7 @@ And a registration policy:
 ```ruby
 class RegistrationPolicy < DeclarativePolicy::Base
   condition(:valid) { @subject.valid_for?(@user.current_location) }
-  
+
   rule { ~valid }.prevent :drive_vehicle
 end
 ```
@@ -209,3 +209,41 @@ delegate { @subject.registration }
 
 This is a powerful mechanism for inferring rules based on relationships between
 objects.
+
+#### Overrides
+
+It can be useful to declare that the given abilities should not be read
+from delegates. This declaration is useful if you have an ability you want
+to define differently in a policy than in a delegated policy, but you still
+want to delegate all other abilities.
+
+```ruby
+delegate { @subject.parent }
+
+overrides :drive_car, :watch_tv
+```
+
+NOTE:
+Rules with `prevent_all` present in the delegated policy are properly
+not used during overridden abilities evaluation.
+
+#### Delegated conditions
+
+When named delegates are defined, their [conditions](#conditions) can be
+referenced in [rules](#rules) using bare words.
+
+Given a registration policy:
+
+```ruby
+class RegistrationPolicy < DeclarativePolicy::Base
+  condition(:valid) { @subject.valid_for?(@user.current_location) }
+end
+```
+
+The vehicle policy can reference the `:valid` condition as follows:
+
+```ruby
+delegate(:registration) { @subject.registration }
+
+rule { registration.valid }.enable :drive_vehicle
+```

data/doc/optimization.md

@@ -97,7 +97,7 @@ They aren't necessarily run in this order, however. Instead, we try to order
 the list to minimize unnecessary work.
 
 The
-[logic](https://gitlab.com/gitlab-org/declarative-policy/blob/659ac0525773a76cf8712d47b3c2dadd03b758c9/lib/declarative_policy/runner.rb#L80-112)
+[logic](https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/blob/659ac0525773a76cf8712d47b3c2dadd03b758c9/lib/declarative_policy/runner.rb#L80-112)
 to process this list is (in pseudo-code):
 
 ```pseudo

data/lib/declarative_policy/base.rb

@@ -144,7 +144,7 @@ module DeclarativePolicy
       #
       # example:
       #
-      #   delegate { @subect.parent }
+      #   delegate { @subject.parent }
       #
       #   overrides :drive_car, :watch_tv
       #

data/lib/declarative_policy/condition.rb

@@ -9,10 +9,14 @@ module DeclarativePolicy
   class Condition
     attr_reader :name, :description, :scope, :manual_score, :context_key
 
+    VALID_SCOPES = %i[user_and_subject user subject global].freeze
+    ALLOWED_SCOPES = VALID_SCOPES + %i[normal]
+
     def initialize(name, opts = {}, &compute)
       @name = name
       @compute = compute
-      @scope = opts.fetch(:scope, :normal)
+      @scope = fetch_scope(opts)
+
       @description = opts.delete(:description)
       @context_key = opts[:context_key]
       @manual_score = opts.fetch(:score, nil)
@@ -25,6 +29,20 @@ module DeclarativePolicy
     def key
       "#{@context_key}/#{@name}"
     end
+
+    private
+
+    def fetch_scope(options)
+      result = options.fetch(:scope, :user_and_subject)
+      if result == :normal
+        warn "[DEPRECATION] `:normal` is deprecated and will be removed in 2.0. Please use new name `:user_and_subject`"
+        result = :user_and_subject
+      end
+
+      raise "Invalid scope #{result}. Allowed values: #{VALID_SCOPES.inspect}" unless ALLOWED_SCOPES.include?(result)
+
+      result
+    end
   end
 
   # In contrast to a Condition, a ManifestCondition contains
@@ -68,7 +86,7 @@ module DeclarativePolicy
       return 2 if  @condition.scope == :global
 
       # "Normal" rules can't share caches with any other policies
-      return 16 if @condition.scope == :normal
+      return 16 if @condition.scope == :user_and_subject
 
       # otherwise, we're :user or :subject scope, so it's 4 if
       # the caller has declared a preference
@@ -85,11 +103,10 @@ module DeclarativePolicy
     def cache_key
       @cache_key ||=
         case @condition.scope
-        when :normal  then "/dp/condition/#{@condition.key}/#{user_key},#{subject_key}"
+        when :global  then "/dp/condition/#{@condition.key}"
         when :user    then "/dp/condition/#{@condition.key}/#{user_key}"
         when :subject then "/dp/condition/#{@condition.key}/#{subject_key}"
-        when :global  then "/dp/condition/#{@condition.key}"
-        else raise 'invalid scope'
+        else "/dp/condition/#{@condition.key}/#{user_key},#{subject_key}"
         end
     end
 

data/lib/declarative_policy/configuration.rb

@@ -35,7 +35,7 @@ module DeclarativePolicy
     def policy_class(domain_class_name)
       return unless domain_class_name
 
-      @class_for.call((@name_transformation.call(domain_class_name)))
+      @class_for.call(@name_transformation.call(domain_class_name))
     rescue NameError
       nil
     end

data/lib/declarative_policy/delegate_dsl.rb

@@ -15,7 +15,7 @@ module DeclarativePolicy
       @rule_dsl.delegate(@delegate_name, msg)
     end
 
-    def respond_to_missing?(msg, include_all)
+    def respond_to_missing?(_msg, _include_all)
       true
     end
   end

data/lib/declarative_policy/policy_dsl.rb

@@ -33,10 +33,10 @@ module DeclarativePolicy
       @context_class.prevent_all_when(@rule)
     end
 
-    def method_missing(msg, *args, &block)
+    def method_missing(msg, ...)
       return super unless @context_class.respond_to?(msg)
 
-      @context_class.__send__(msg, *args, &block) # rubocop: disable GitlabSecurity/PublicSend
+      @context_class.__send__(msg, ...) # rubocop: disable GitlabSecurity/PublicSend
     end
 
     def respond_to_missing?(msg)

data/lib/declarative_policy/preferred_scope.rb

@@ -2,7 +2,7 @@
 
 module DeclarativePolicy
   module PreferredScope
-    PREFERRED_SCOPE_KEY = :"DeclarativePolicy.preferred_scope"
+    PREFERRED_SCOPE_KEY = :'DeclarativePolicy.preferred_scope'
 
     def with_preferred_scope(scope)
       old_scope = Thread.current[PREFERRED_SCOPE_KEY]

data/lib/declarative_policy/rule_dsl.rb

@@ -44,7 +44,7 @@ module DeclarativePolicy
       end
     end
 
-    def respond_to_missing?(symbol, include_all)
+    def respond_to_missing?(_symbol, _include_all)
       true
     end
   end

data/lib/declarative_policy/runner.rb

@@ -93,7 +93,7 @@ module DeclarativePolicy
 
     private
 
-    def with_state(&block)
+    def with_state
       @state = State.new
       old_runner_state = Thread.current[:declarative_policy_current_runner_state]
       Thread.current[:declarative_policy_current_runner_state] = @state

data/lib/declarative_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeclarativePolicy
-  VERSION = '1.1.0'
+  VERSION = '2.0.1'
 end

metadata

@@ -1,16 +1,113 @@
 --- !ruby/object:Gem::Specification
 name: declarative_policy
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.1
 platform: ruby
 authors:
-- Jeanine Adkisson
-- Alexis Kalderimis
+- group::authorization
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-11-05 00:00:00.000000000 Z
-dependencies: []
+date: 2025-08-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: benchmark-ips
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+- !ruby/object:Gem::Dependency
+  name: gitlab-dangerfiles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: gitlab-styles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: rspec-parameterized
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: |
   This library provides an authorization framework with a declarative DSL
 
@@ -19,28 +116,17 @@ description: |
 
   This library is in production use at GitLab.com
 email:
-- akalderimis@gitlab.com
+- engineering@gitlab.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".gitlab-ci.yml"
-- ".rspec"
-- ".rubocop.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
-- Dangerfile
-- Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
-- Rakefile
-- benchmarks/repeated_invocation.rb
-- danger/plugins/project_helper.rb
-- danger/roulette/Dangerfile
-- declarative_policy.gemspec
+- declarative-policy.gemspec
 - doc/caching.md
 - doc/configuration.md
 - doc/defining-policies.md
@@ -59,13 +145,14 @@ files:
 - lib/declarative_policy/runner.rb
 - lib/declarative_policy/step.rb
 - lib/declarative_policy/version.rb
-homepage: https://gitlab.com/gitlab-org/declarative-policy
+homepage: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://gitlab.com/gitlab-org/declarative-policy
-  source_code_uri: https://gitlab.com/gitlab-org/declarative-policy
-  changelog_uri: https://gitlab.com/gitlab-org/declarative-policy/-/blobs/master/CHANGELOG.md
+  homepage_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
+  source_code_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
+  changelog_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'false'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -74,14 +161,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: An authorization library with a focus on declarative policy definitions.

data/.gitignore

@@ -1,12 +0,0 @@
-/.bundle/
-/.yardoc
-/_yardoc/
-/coverage/
-/pkg/
-/spec/reports/
-/tmp/
-
-# rspec failure tracking
-.rspec_status
-declarative_policy-*.gem
-.tool-versions

data/.gitlab-ci.yml

@@ -1,91 +0,0 @@
-image: "ruby:2.7"
-
-include:
-  - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
-  - template: Security/Dependency-Scanning.gitlab-ci.yml
-  - template: Security/License-Scanning.gitlab-ci.yml
-  - template: Security/SAST.gitlab-ci.yml
-  - template: Security/Secret-Detection.gitlab-ci.yml
-
-.tests:
-  stage: test
-  cache:
-    paths:
-      - vendor/ruby
-  before_script:
-    - ruby -v  # Print out ruby version for debugging
-    - bundle install -j $(nproc) --path vendor/ruby/$RUBY_VERSION
-
-rubocop:
-  extends: .tests
-  script:
-    - bundle exec rubocop
-
-.rspec:
-  extends: .tests
-  script:
-    - bundle exec rspec
-
-rspec:mri:
-  extends: .rspec
-  image: "ruby:$RUBY_VERSION"
-  parallel:
-    matrix:
-      - RUBY_VERSION:
-        - "2.7"
-        - "3.0"
-
-rspec:jruby:
-  extends: .rspec
-  image: "bitnami/jruby:latest"
-  variables:
-    RUBY_VERSION: jruby
-
-rspec:truffleruby:
-  extends: .rspec
-  image: "flavorjones/truffleruby:latest"
-  variables:
-    RUBY_VERSION: truffleruby
-
-danger-review:
-  extends: .tests
-  needs: []
-  script:
-    - >
-      if [ -z "$DANGER_GITLAB_API_TOKEN" ]; then
-        # Force danger to skip CI source GitLab and fallback to "local only git repo".
-        unset GITLAB_CI
-        # We need to base SHA to help danger determine the base commit for this shallow clone.
-        bundle exec danger dry_run --fail-on-errors=true --verbose --base="$CI_MERGE_REQUEST_DIFF_BASE_SHA"
-      else
-        bundle exec danger --fail-on-errors=true --verbose
-      fi
-
-# run security jobs on MRs
-# see: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991
-
-brakeman-sast:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-gemnasium-dependency_scanning:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-bundler-audit-dependency_scanning:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-license_scanning:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-secret_detection:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-

data/.rspec

@@ -1,4 +0,0 @@
---format documentation
---color
---require spec_helper
---order rand

data/.rubocop.yml

@@ -1,13 +0,0 @@
-inherit_gem:
-  gitlab-styles:
-    - rubocop-default.yml
-
-CodeReuse/ActiveRecord:
-  Enabled: false
-
-AllCops:
-  TargetRubyVersion: 2.5
-  NewCops: enable
-
-RSpec/MultipleMemoizedHelpers:
-  Max: 10

data/Dangerfile

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-require 'gitlab-dangerfiles'
-
-Gitlab::Dangerfiles.import_plugins(danger)
-danger.import_plugin('danger/plugins/*.rb')
-
-return if helper.release_automation?
-
-danger.import_dangerfile(path: File.join('danger', 'roulette'))
-
-anything_to_post = status_report.values.any?(&:any?)
-
-if helper.ci? && anything_to_post
-  markdown("**If needed, you can retry the [`danger-review` job](#{ENV['CI_JOB_URL']}) that generated this comment.**")
-end

data/Gemfile

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in declarative-policy.gemspec
-gemspec
-
-group :test do
-  gem 'rspec', '~> 3.10'
-  gem 'rspec-parameterized', require: false
-  gem 'pry-byebug', platforms: [:ruby]
-end
-
-group :development, :test do
-  gem 'gitlab-styles', '~> 6.1.0', require: false, platforms: [:ruby]
-  gem 'rake', '~> 12.0'
-  gem 'benchmark', require: false
-  gem 'rubocop', require: false
-end
-
-group :development, :test, :danger do
-  gem 'gitlab-dangerfiles', '~> 1.1.0', require: false, platforms: [:ruby]
-end

data/Gemfile.lock

@@ -1,214 +0,0 @@
-PATH
-  remote: .
-  specs:
-    declarative_policy (1.1.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    abstract_type (0.0.7)
-    activesupport (6.1.3.2)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 1.6, < 2)
-      minitest (>= 5.1)
-      tzinfo (~> 2.0)
-      zeitwerk (~> 2.3)
-    adamantium (0.2.0)
-      ice_nine (~> 0.11.0)
-      memoizable (~> 0.4.0)
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    ast (2.4.2)
-    benchmark (0.1.1)
-    binding_ninja (0.2.3)
-    binding_ninja (0.2.3-java)
-    byebug (11.1.3)
-    claide (1.0.3)
-    claide-plugins (0.9.2)
-      cork
-      nap
-      open4 (~> 1.3)
-    coderay (1.1.3)
-    colored2 (3.1.2)
-    concord (0.1.5)
-      adamantium (~> 0.2.0)
-      equalizer (~> 0.0.9)
-    concurrent-ruby (1.1.8)
-    cork (0.3.0)
-      colored2 (~> 3.1)
-    danger (8.2.3)
-      claide (~> 1.0)
-      claide-plugins (>= 0.9.2)
-      colored2 (~> 3.1)
-      cork (~> 0.1)
-      faraday (>= 0.9.0, < 2.0)
-      faraday-http-cache (~> 2.0)
-      git (~> 1.7)
-      kramdown (~> 2.3)
-      kramdown-parser-gfm (~> 1.0)
-      no_proxy_fix
-      octokit (~> 4.7)
-      terminal-table (>= 1, < 4)
-    danger-gitlab (8.0.0)
-      danger
-      gitlab (~> 4.2, >= 4.2.0)
-    diff-lcs (1.4.4)
-    equalizer (0.0.11)
-    faraday (1.4.1)
-      faraday-excon (~> 1.1)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.1)
-      multipart-post (>= 1.2, < 3)
-      ruby2_keywords (>= 0.0.4)
-    faraday-excon (1.1.0)
-    faraday-http-cache (2.2.0)
-      faraday (>= 0.8)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.1.0)
-    ffi (1.15.4-java)
-    git (1.8.1)
-      rchardet (~> 1.8)
-    gitlab (4.17.0)
-      httparty (~> 0.18)
-      terminal-table (~> 1.5, >= 1.5.1)
-    gitlab-dangerfiles (1.1.1)
-      danger-gitlab
-    gitlab-styles (6.1.0)
-      rubocop (~> 0.91, >= 0.91.1)
-      rubocop-gitlab-security (~> 0.1.1)
-      rubocop-performance (~> 1.9.2)
-      rubocop-rails (~> 2.9)
-      rubocop-rspec (~> 1.44)
-    httparty (0.18.1)
-      mime-types (~> 3.0)
-      multi_xml (>= 0.5.2)
-    i18n (1.8.10)
-      concurrent-ruby (~> 1.0)
-    ice_nine (0.11.2)
-    kramdown (2.3.1)
-      rexml
-    kramdown-parser-gfm (1.1.0)
-      kramdown (~> 2.0)
-    memoizable (0.4.2)
-      thread_safe (~> 0.3, >= 0.3.1)
-    method_source (1.0.0)
-    mime-types (3.3.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2021.0225)
-    minitest (5.14.4)
-    multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    nap (1.1.0)
-    no_proxy_fix (0.1.2)
-    octokit (4.21.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
-    open4 (1.3.4)
-    parallel (1.20.1)
-    parser (3.0.0.0)
-      ast (~> 2.4.1)
-    proc_to_ast (0.1.0)
-      coderay
-      parser
-      unparser
-    procto (0.0.3)
-    pry (0.13.1)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-    pry (0.13.1-java)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-      spoon (~> 0.0)
-    pry-byebug (3.9.0)
-      byebug (~> 11.0)
-      pry (~> 0.13.0)
-    public_suffix (4.0.6)
-    rack (2.2.3)
-    rainbow (3.0.0)
-    rake (12.3.3)
-    rchardet (1.8.0)
-    regexp_parser (1.8.2)
-    rexml (3.2.4)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-parameterized (0.4.2)
-      binding_ninja (>= 0.2.3)
-      parser
-      proc_to_ast
-      rspec (>= 2.13, < 4)
-      unparser
-    rspec-support (3.10.2)
-    rubocop (0.93.1)
-      parallel (~> 1.10)
-      parser (>= 2.7.1.5)
-      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
-      rexml
-      rubocop-ast (>= 0.6.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.4.1)
-      parser (>= 2.7.1.5)
-    rubocop-gitlab-security (0.1.1)
-      rubocop (>= 0.51)
-    rubocop-performance (1.9.2)
-      rubocop (>= 0.90.0, < 2.0)
-      rubocop-ast (>= 0.4.0)
-    rubocop-rails (2.9.1)
-      activesupport (>= 4.2.0)
-      rack (>= 1.1)
-      rubocop (>= 0.90.0, < 2.0)
-    rubocop-rspec (1.44.1)
-      rubocop (~> 0.87)
-      rubocop-ast (>= 0.7.1)
-    ruby-progressbar (1.11.0)
-    ruby2_keywords (0.0.4)
-    sawyer (0.8.2)
-      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
-    spoon (0.0.6)
-      ffi
-    terminal-table (1.8.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    thread_safe (0.3.6)
-    thread_safe (0.3.6-java)
-    tzinfo (2.0.4)
-      concurrent-ruby (~> 1.0)
-    unicode-display_width (1.7.0)
-    unparser (0.4.7)
-      abstract_type (~> 0.0.7)
-      adamantium (~> 0.2.0)
-      concord (~> 0.1.5)
-      diff-lcs (~> 1.3)
-      equalizer (~> 0.0.9)
-      parser (>= 2.6.5)
-      procto (~> 0.0.2)
-    zeitwerk (2.4.2)
-
-PLATFORMS
-  ruby
-  universal-java-1.8
-
-DEPENDENCIES
-  benchmark
-  declarative_policy!
-  gitlab-dangerfiles (~> 1.1.0)
-  gitlab-styles (~> 6.1.0)
-  pry-byebug
-  rake (~> 12.0)
-  rspec (~> 3.10)
-  rspec-parameterized
-  rubocop
-
-BUNDLED WITH
-   2.2.15

data/Rakefile

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec)
-
-task default: :spec

data/benchmarks/repeated_invocation.rb

@@ -1,37 +0,0 @@
-#!/usr/bin/env ruby -w
-# frozen_string_literal: true
-
-require 'declarative_policy'
-require 'benchmark'
-
-Dir["./spec/support/policies/*.rb"].sort.each { |f| require f }
-Dir["./spec/support/models/*.rb"].sort.each { |f| require f }
-
-TIMES = 1_000_000
-LABEL = 'allowed?(driver, :drive_vehicle, car)'
-
-DeclarativePolicy.configure! do
-  named_policy :global, GlobalPolicy
-
-  name_transformation do |name|
-    'ReadmePolicy' if name == 'Vehicle'
-  end
-end
-
-Benchmark.bm(LABEL.length) do |b|
-  cache = {}
-  valid_license = License.valid
-  country = Country.moderate
-  registration = Registration.new(number: 'xyz123', country: country)
-  driver = User.new(name: 'The driver', driving_license: valid_license)
-  owner = User.new(name: 'The Owner', trusted: [driver.name])
-  car = Vehicle.new(owner: owner, registration: registration)
-
-  raise 'Expected to drive' unless DeclarativePolicy.policy_for(driver, car).allowed?(:drive_vehicle)
-
-  b.report LABEL do
-    TIMES.times do
-      DeclarativePolicy.policy_for(driver, car, cache: cache).allowed?(:drive_vehicle)
-    end
-  end
-end

data/danger/plugins/project_helper.rb

@@ -1,58 +0,0 @@
-# frozen_string_literal: true
-
-module Danger
-  # Project specific configuration
-  class ProjectHelper < ::Danger::Plugin
-    LOCAL_RULES ||= %w[
-      changelog
-      documentation
-    ].freeze
-
-    CI_ONLY_RULES ||= %w[
-      roulette
-    ].freeze
-
-    MESSAGE_PREFIX = '==>'
-
-    # First-match win, so be sure to put more specific regex at the top...
-    # rubocop: disable Style/RegexpLiteral
-    CATEGORIES = {
-      %r{\A(\.gitlab-ci\.yml\z|\.gitlab/ci)} => :engineering_productivity,
-      %r{\Alefthook.yml\z} => :engineering_productivity,
-      %r{\A\.editorconfig\z} => :engineering_productivity,
-      %r{Dangerfile\z} => :engineering_productivity,
-      %r{\A(danger/|tooling/danger/)} => :engineering_productivity,
-      %r{\A?scripts/} => :engineering_productivity,
-      %r{\Atooling/} => :engineering_productivity,
-      %r{(CODEOWNERS)} => :engineering_productivity,
-      %r{\A(Gemfile|Gemfile.lock|Rakefile)\z} => :backend,
-      %r{\A\.rubocop((_manual)?_todo)?\.yml\z} => :backend,
-      %r{\.rb\z} => :backend,
-      %r{(
-        \.(md|txt)\z |
-        \.markdownlint\.json
-      )}x => :docs
-    }.freeze
-    # rubocop: enable Style/RegexpLiteral
-
-    def changes_by_category
-      helper.changes_by_category(CATEGORIES)
-    end
-
-    def changes
-      helper.changes(CATEGORIES)
-    end
-
-    def rule_names
-      helper.ci? ? LOCAL_RULES | CI_ONLY_RULES : LOCAL_RULES
-    end
-
-    def project_name
-      # 'declarative-policy'
-      # TODO: roulette uses the project name to find reviewers, but the gitlab team
-      # directory currently does not have any team members assigned to the declarative-policy
-      # project. We thus are piggybacking on 'gitlab' for now.
-      'gitlab'
-    end
-  end
-end

data/danger/roulette/Dangerfile

@@ -1,97 +0,0 @@
-# frozen_string_literal: true
-
-require 'digest/md5'
-
-MESSAGE = <<MARKDOWN
-## Reviewer roulette
-
-Changes that require review have been detected! A merge request is normally
-reviewed by both a reviewer and a maintainer.
-MARKDOWN
-
-CATEGORY_TABLE_HEADER = <<MARKDOWN
-
-To spread load more evenly across eligible reviewers, Danger has picked a
-candidate for each review slot, based on their timezone. Feel free to
-[override these selections](https://about.gitlab.com/handbook/engineering/projects/#gitlab) if
-you think someone else would be better-suited or use the
-[GitLab Review Workload Dashboard](https://gitlab-org.gitlab.io/gitlab-roulette/) to find other
-available reviewers.
-
-To read more on how to use the reviewer roulette, please take a look at the
-[Engineering workflow](https://about.gitlab.com/handbook/engineering/workflow/#basics) and
-[code review guidelines](https://docs.gitlab.com/ee/development/code_review.html). You may
-consider assigning a reviewer or maintainer who is
-a [domain expert](https://about.gitlab.com/handbook/engineering/projects/#gitlab) for
-the `DeclarativePolicy` library.
-
-Once you've decided who will review this merge request, assign them as a reviewer!
-Danger does not automatically notify them for you.
-
-| Category | Reviewer | Maintainer |
-| -------- | -------- | ---------- |
-MARKDOWN
-
-UNKNOWN_FILES_MESSAGE = <<MARKDOWN
-
-These files couldn't be categorised, so Danger was unable to suggest a reviewer.
-Please consider creating a merge request
-to [add support](https://gitlab.com/gitlab-org/gitlab/blob/master/tooling/danger/project_helper.rb)
-for them.
-MARKDOWN
-
-OPTIONAL_REVIEW_TEMPLATE = '%{role} review is optional for %{category}'
-NOT_AVAILABLE_TEMPLATE = 'No %{role} available'
-
-def note_for_spins_role(spins, role)
-  spins.each do |spin|
-    note = note_for_spin_role(spin, role)
-
-    return note if note
-  end
-
-  format(NOT_AVAILABLE_TEMPLATE, role: role)
-end
-
-def note_for_spin_role(spin, role)
-  if spin.optional_role == role
-    return format(OPTIONAL_REVIEW_TEMPLATE, role: role.capitalize, category: helper.label_for_category(spin.category))
-  end
-
-  spin.public_send(role)&.markdown_name(author: roulette.team_mr_author) # rubocop:disable GitlabSecurity/PublicSend
-end
-
-def markdown_row_for_spins(category, spins_array)
-  reviewer_note = note_for_spins_role(spins_array, :reviewer)
-  maintainer_note = note_for_spins_role(spins_array, :maintainer)
-
-  "| #{helper.label_for_category(category)} | #{reviewer_note} | #{maintainer_note} |"
-end
-
-changes = project_helper.changes_by_category
-
-# Ignore any files that are known but uncategorized. Prompt for any unknown files
-changes.delete(:none)
-# To reinstate roulette for documentation, remove this line.
-changes.delete(:docs)
-# No special review for changelog needed and changelog was never a label.
-changes.delete(:changelog)
-# No special review for feature flags needed.
-changes.delete(:feature_flag)
-categories = changes.keys.to_set.delete(:unknown)
-
-if changes.any?
-  project = project_helper.project_name
-
-  random_roulette_spins = roulette.spin(project, categories, timezone_experiment: false)
-
-  rows = random_roulette_spins.map do |spin|
-    markdown_row_for_spins(spin.category, [spin])
-  end
-
-  markdown(MESSAGE)
-  markdown(CATEGORY_TABLE_HEADER + rows.join("\n")) unless rows.empty?
-
-  unknown = changes.fetch(:unknown, [])
-  markdown(UNKNOWN_FILES_MESSAGE + helper.markdown_list(unknown)) unless unknown.empty?
-end