declarative_policy 1.1.0 → 2.1.0

data/lib/declarative_policy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeclarativePolicy
-  VERSION = '1.1.0'
+  VERSION = '2.1.0'
 end

data/lib/declarative_policy.rb

@@ -4,6 +4,7 @@ require 'set'
 require_relative 'declarative_policy/cache'
 require_relative 'declarative_policy/condition'
 require_relative 'declarative_policy/delegate_dsl'
+require_relative 'declarative_policy/prevent_all_dsl'
 require_relative 'declarative_policy/policy_dsl'
 require_relative 'declarative_policy/rule_dsl'
 require_relative 'declarative_policy/preferred_scope'

metadata

@@ -1,16 +1,113 @@
 --- !ruby/object:Gem::Specification
 name: declarative_policy
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.1.0
 platform: ruby
 authors:
-- Jeanine Adkisson
-- Alexis Kalderimis
+- group::authorization
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-11-05 00:00:00.000000000 Z
-dependencies: []
+date: 2026-03-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: benchmark-ips
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.12'
+- !ruby/object:Gem::Dependency
+  name: gitlab-dangerfiles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: gitlab-styles
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+- !ruby/object:Gem::Dependency
+  name: rspec-parameterized
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: |
   This library provides an authorization framework with a declarative DSL
 
@@ -19,28 +116,17 @@ description: |
 
   This library is in production use at GitLab.com
 email:
-- akalderimis@gitlab.com
+- engineering@gitlab.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".gitlab-ci.yml"
-- ".rspec"
-- ".rubocop.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
-- Dangerfile
-- Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
-- Rakefile
-- benchmarks/repeated_invocation.rb
-- danger/plugins/project_helper.rb
-- danger/roulette/Dangerfile
-- declarative_policy.gemspec
+- declarative-policy.gemspec
 - doc/caching.md
 - doc/configuration.md
 - doc/defining-policies.md
@@ -54,18 +140,20 @@ files:
 - lib/declarative_policy/nil_policy.rb
 - lib/declarative_policy/policy_dsl.rb
 - lib/declarative_policy/preferred_scope.rb
+- lib/declarative_policy/prevent_all_dsl.rb
 - lib/declarative_policy/rule.rb
 - lib/declarative_policy/rule_dsl.rb
 - lib/declarative_policy/runner.rb
 - lib/declarative_policy/step.rb
 - lib/declarative_policy/version.rb
-homepage: https://gitlab.com/gitlab-org/declarative-policy
+homepage: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://gitlab.com/gitlab-org/declarative-policy
-  source_code_uri: https://gitlab.com/gitlab-org/declarative-policy
-  changelog_uri: https://gitlab.com/gitlab-org/declarative-policy/-/blobs/master/CHANGELOG.md
+  homepage_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
+  source_code_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy
+  changelog_uri: https://gitlab.com/gitlab-org/ruby/gems/declarative-policy/-/releases
+  rubygems_mfa_required: 'false'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -74,14 +162,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: An authorization library with a focus on declarative policy definitions.

data/.gitignore

@@ -1,12 +0,0 @@
-/.bundle/
-/.yardoc
-/_yardoc/
-/coverage/
-/pkg/
-/spec/reports/
-/tmp/
-
-# rspec failure tracking
-.rspec_status
-declarative_policy-*.gem
-.tool-versions

data/.gitlab-ci.yml

@@ -1,91 +0,0 @@
-image: "ruby:2.7"
-
-include:
-  - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
-  - template: Security/Dependency-Scanning.gitlab-ci.yml
-  - template: Security/License-Scanning.gitlab-ci.yml
-  - template: Security/SAST.gitlab-ci.yml
-  - template: Security/Secret-Detection.gitlab-ci.yml
-
-.tests:
-  stage: test
-  cache:
-    paths:
-      - vendor/ruby
-  before_script:
-    - ruby -v  # Print out ruby version for debugging
-    - bundle install -j $(nproc) --path vendor/ruby/$RUBY_VERSION
-
-rubocop:
-  extends: .tests
-  script:
-    - bundle exec rubocop
-
-.rspec:
-  extends: .tests
-  script:
-    - bundle exec rspec
-
-rspec:mri:
-  extends: .rspec
-  image: "ruby:$RUBY_VERSION"
-  parallel:
-    matrix:
-      - RUBY_VERSION:
-        - "2.7"
-        - "3.0"
-
-rspec:jruby:
-  extends: .rspec
-  image: "bitnami/jruby:latest"
-  variables:
-    RUBY_VERSION: jruby
-
-rspec:truffleruby:
-  extends: .rspec
-  image: "flavorjones/truffleruby:latest"
-  variables:
-    RUBY_VERSION: truffleruby
-
-danger-review:
-  extends: .tests
-  needs: []
-  script:
-    - >
-      if [ -z "$DANGER_GITLAB_API_TOKEN" ]; then
-        # Force danger to skip CI source GitLab and fallback to "local only git repo".
-        unset GITLAB_CI
-        # We need to base SHA to help danger determine the base commit for this shallow clone.
-        bundle exec danger dry_run --fail-on-errors=true --verbose --base="$CI_MERGE_REQUEST_DIFF_BASE_SHA"
-      else
-        bundle exec danger --fail-on-errors=true --verbose
-      fi
-
-# run security jobs on MRs
-# see: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991
-
-brakeman-sast:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-gemnasium-dependency_scanning:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-bundler-audit-dependency_scanning:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-license_scanning:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
-secret_detection:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-

data/.rspec

@@ -1,4 +0,0 @@
---format documentation
---color
---require spec_helper
---order rand

data/.rubocop.yml

@@ -1,13 +0,0 @@
-inherit_gem:
-  gitlab-styles:
-    - rubocop-default.yml
-
-CodeReuse/ActiveRecord:
-  Enabled: false
-
-AllCops:
-  TargetRubyVersion: 2.5
-  NewCops: enable
-
-RSpec/MultipleMemoizedHelpers:
-  Max: 10

data/Dangerfile

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-require 'gitlab-dangerfiles'
-
-Gitlab::Dangerfiles.import_plugins(danger)
-danger.import_plugin('danger/plugins/*.rb')
-
-return if helper.release_automation?
-
-danger.import_dangerfile(path: File.join('danger', 'roulette'))
-
-anything_to_post = status_report.values.any?(&:any?)
-
-if helper.ci? && anything_to_post
-  markdown("**If needed, you can retry the [`danger-review` job](#{ENV['CI_JOB_URL']}) that generated this comment.**")
-end

data/Gemfile

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in declarative-policy.gemspec
-gemspec
-
-group :test do
-  gem 'rspec', '~> 3.10'
-  gem 'rspec-parameterized', require: false
-  gem 'pry-byebug', platforms: [:ruby]
-end
-
-group :development, :test do
-  gem 'gitlab-styles', '~> 6.1.0', require: false, platforms: [:ruby]
-  gem 'rake', '~> 12.0'
-  gem 'benchmark', require: false
-  gem 'rubocop', require: false
-end
-
-group :development, :test, :danger do
-  gem 'gitlab-dangerfiles', '~> 1.1.0', require: false, platforms: [:ruby]
-end

data/Gemfile.lock

@@ -1,214 +0,0 @@
-PATH
-  remote: .
-  specs:
-    declarative_policy (1.1.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    abstract_type (0.0.7)
-    activesupport (6.1.3.2)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 1.6, < 2)
-      minitest (>= 5.1)
-      tzinfo (~> 2.0)
-      zeitwerk (~> 2.3)
-    adamantium (0.2.0)
-      ice_nine (~> 0.11.0)
-      memoizable (~> 0.4.0)
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    ast (2.4.2)
-    benchmark (0.1.1)
-    binding_ninja (0.2.3)
-    binding_ninja (0.2.3-java)
-    byebug (11.1.3)
-    claide (1.0.3)
-    claide-plugins (0.9.2)
-      cork
-      nap
-      open4 (~> 1.3)
-    coderay (1.1.3)
-    colored2 (3.1.2)
-    concord (0.1.5)
-      adamantium (~> 0.2.0)
-      equalizer (~> 0.0.9)
-    concurrent-ruby (1.1.8)
-    cork (0.3.0)
-      colored2 (~> 3.1)
-    danger (8.2.3)
-      claide (~> 1.0)
-      claide-plugins (>= 0.9.2)
-      colored2 (~> 3.1)
-      cork (~> 0.1)
-      faraday (>= 0.9.0, < 2.0)
-      faraday-http-cache (~> 2.0)
-      git (~> 1.7)
-      kramdown (~> 2.3)
-      kramdown-parser-gfm (~> 1.0)
-      no_proxy_fix
-      octokit (~> 4.7)
-      terminal-table (>= 1, < 4)
-    danger-gitlab (8.0.0)
-      danger
-      gitlab (~> 4.2, >= 4.2.0)
-    diff-lcs (1.4.4)
-    equalizer (0.0.11)
-    faraday (1.4.1)
-      faraday-excon (~> 1.1)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.1)
-      multipart-post (>= 1.2, < 3)
-      ruby2_keywords (>= 0.0.4)
-    faraday-excon (1.1.0)
-    faraday-http-cache (2.2.0)
-      faraday (>= 0.8)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.1.0)
-    ffi (1.15.4-java)
-    git (1.8.1)
-      rchardet (~> 1.8)
-    gitlab (4.17.0)
-      httparty (~> 0.18)
-      terminal-table (~> 1.5, >= 1.5.1)
-    gitlab-dangerfiles (1.1.1)
-      danger-gitlab
-    gitlab-styles (6.1.0)
-      rubocop (~> 0.91, >= 0.91.1)
-      rubocop-gitlab-security (~> 0.1.1)
-      rubocop-performance (~> 1.9.2)
-      rubocop-rails (~> 2.9)
-      rubocop-rspec (~> 1.44)
-    httparty (0.18.1)
-      mime-types (~> 3.0)
-      multi_xml (>= 0.5.2)
-    i18n (1.8.10)
-      concurrent-ruby (~> 1.0)
-    ice_nine (0.11.2)
-    kramdown (2.3.1)
-      rexml
-    kramdown-parser-gfm (1.1.0)
-      kramdown (~> 2.0)
-    memoizable (0.4.2)
-      thread_safe (~> 0.3, >= 0.3.1)
-    method_source (1.0.0)
-    mime-types (3.3.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2021.0225)
-    minitest (5.14.4)
-    multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    nap (1.1.0)
-    no_proxy_fix (0.1.2)
-    octokit (4.21.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
-    open4 (1.3.4)
-    parallel (1.20.1)
-    parser (3.0.0.0)
-      ast (~> 2.4.1)
-    proc_to_ast (0.1.0)
-      coderay
-      parser
-      unparser
-    procto (0.0.3)
-    pry (0.13.1)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-    pry (0.13.1-java)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-      spoon (~> 0.0)
-    pry-byebug (3.9.0)
-      byebug (~> 11.0)
-      pry (~> 0.13.0)
-    public_suffix (4.0.6)
-    rack (2.2.3)
-    rainbow (3.0.0)
-    rake (12.3.3)
-    rchardet (1.8.0)
-    regexp_parser (1.8.2)
-    rexml (3.2.4)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-parameterized (0.4.2)
-      binding_ninja (>= 0.2.3)
-      parser
-      proc_to_ast
-      rspec (>= 2.13, < 4)
-      unparser
-    rspec-support (3.10.2)
-    rubocop (0.93.1)
-      parallel (~> 1.10)
-      parser (>= 2.7.1.5)
-      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
-      rexml
-      rubocop-ast (>= 0.6.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.4.1)
-      parser (>= 2.7.1.5)
-    rubocop-gitlab-security (0.1.1)
-      rubocop (>= 0.51)
-    rubocop-performance (1.9.2)
-      rubocop (>= 0.90.0, < 2.0)
-      rubocop-ast (>= 0.4.0)
-    rubocop-rails (2.9.1)
-      activesupport (>= 4.2.0)
-      rack (>= 1.1)
-      rubocop (>= 0.90.0, < 2.0)
-    rubocop-rspec (1.44.1)
-      rubocop (~> 0.87)
-      rubocop-ast (>= 0.7.1)
-    ruby-progressbar (1.11.0)
-    ruby2_keywords (0.0.4)
-    sawyer (0.8.2)
-      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
-    spoon (0.0.6)
-      ffi
-    terminal-table (1.8.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    thread_safe (0.3.6)
-    thread_safe (0.3.6-java)
-    tzinfo (2.0.4)
-      concurrent-ruby (~> 1.0)
-    unicode-display_width (1.7.0)
-    unparser (0.4.7)
-      abstract_type (~> 0.0.7)
-      adamantium (~> 0.2.0)
-      concord (~> 0.1.5)
-      diff-lcs (~> 1.3)
-      equalizer (~> 0.0.9)
-      parser (>= 2.6.5)
-      procto (~> 0.0.2)
-    zeitwerk (2.4.2)
-
-PLATFORMS
-  ruby
-  universal-java-1.8
-
-DEPENDENCIES
-  benchmark
-  declarative_policy!
-  gitlab-dangerfiles (~> 1.1.0)
-  gitlab-styles (~> 6.1.0)
-  pry-byebug
-  rake (~> 12.0)
-  rspec (~> 3.10)
-  rspec-parameterized
-  rubocop
-
-BUNDLED WITH
-   2.2.15

data/Rakefile

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec)
-
-task default: :spec

data/benchmarks/repeated_invocation.rb

@@ -1,37 +0,0 @@
-#!/usr/bin/env ruby -w
-# frozen_string_literal: true
-
-require 'declarative_policy'
-require 'benchmark'
-
-Dir["./spec/support/policies/*.rb"].sort.each { |f| require f }
-Dir["./spec/support/models/*.rb"].sort.each { |f| require f }
-
-TIMES = 1_000_000
-LABEL = 'allowed?(driver, :drive_vehicle, car)'
-
-DeclarativePolicy.configure! do
-  named_policy :global, GlobalPolicy
-
-  name_transformation do |name|
-    'ReadmePolicy' if name == 'Vehicle'
-  end
-end
-
-Benchmark.bm(LABEL.length) do |b|
-  cache = {}
-  valid_license = License.valid
-  country = Country.moderate
-  registration = Registration.new(number: 'xyz123', country: country)
-  driver = User.new(name: 'The driver', driving_license: valid_license)
-  owner = User.new(name: 'The Owner', trusted: [driver.name])
-  car = Vehicle.new(owner: owner, registration: registration)
-
-  raise 'Expected to drive' unless DeclarativePolicy.policy_for(driver, car).allowed?(:drive_vehicle)
-
-  b.report LABEL do
-    TIMES.times do
-      DeclarativePolicy.policy_for(driver, car, cache: cache).allowed?(:drive_vehicle)
-    end
-  end
-end

data/danger/plugins/project_helper.rb

@@ -1,58 +0,0 @@
-# frozen_string_literal: true
-
-module Danger
-  # Project specific configuration
-  class ProjectHelper < ::Danger::Plugin
-    LOCAL_RULES ||= %w[
-      changelog
-      documentation
-    ].freeze
-
-    CI_ONLY_RULES ||= %w[
-      roulette
-    ].freeze
-
-    MESSAGE_PREFIX = '==>'
-
-    # First-match win, so be sure to put more specific regex at the top...
-    # rubocop: disable Style/RegexpLiteral
-    CATEGORIES = {
-      %r{\A(\.gitlab-ci\.yml\z|\.gitlab/ci)} => :engineering_productivity,
-      %r{\Alefthook.yml\z} => :engineering_productivity,
-      %r{\A\.editorconfig\z} => :engineering_productivity,
-      %r{Dangerfile\z} => :engineering_productivity,
-      %r{\A(danger/|tooling/danger/)} => :engineering_productivity,
-      %r{\A?scripts/} => :engineering_productivity,
-      %r{\Atooling/} => :engineering_productivity,
-      %r{(CODEOWNERS)} => :engineering_productivity,
-      %r{\A(Gemfile|Gemfile.lock|Rakefile)\z} => :backend,
-      %r{\A\.rubocop((_manual)?_todo)?\.yml\z} => :backend,
-      %r{\.rb\z} => :backend,
-      %r{(
-        \.(md|txt)\z |
-        \.markdownlint\.json
-      )}x => :docs
-    }.freeze
-    # rubocop: enable Style/RegexpLiteral
-
-    def changes_by_category
-      helper.changes_by_category(CATEGORIES)
-    end
-
-    def changes
-      helper.changes(CATEGORIES)
-    end
-
-    def rule_names
-      helper.ci? ? LOCAL_RULES | CI_ONLY_RULES : LOCAL_RULES
-    end
-
-    def project_name
-      # 'declarative-policy'
-      # TODO: roulette uses the project name to find reviewers, but the gitlab team
-      # directory currently does not have any team members assigned to the declarative-policy
-      # project. We thus are piggybacking on 'gitlab' for now.
-      'gitlab'
-    end
-  end
-end