declarative_policy 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8c08845902bc432f4c737ba76d2b9a5f0cc456fed1d0f26353755146ab49b2a1
+  data.tar.gz: 0f64e5d7707dff73572484cd700b529704f4d41dfd0b1972c8d675e4281d3582
+SHA512:
+  metadata.gz: 0b5bc3cfd66be62b483aa8beb673b8b858121a18a0dcb64bd9f6fa79d268ebf3ddb566ede84c1032beac05bc81f6fa8f0642e846a42f6bcf21083eb04de7fa2c
+  data.tar.gz: fabb732587403af0e1cfe8cfcc25033f0d8ccaee066e8310bd0bacf38fba052758e97e3aedbc42e6c62f898a07eaf598885a731f4b80fa9fdf1fe321dfa2901b

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.gitlab-ci.yml

@@ -0,0 +1,48 @@
+image: "ruby:2.7"
+
+.tests:
+  stage: test
+  only:
+    refs:
+      - master
+      - tags
+      - merge_requests
+
+# Cache gems in between builds
+cache:
+  paths:
+    - vendor/ruby
+
+before_script:
+  - ruby -v  # Print out ruby version for debugging
+  - bundle install -j $(nproc) --path vendor  # Install dependencies into ./vendor/ruby
+
+rubocop:
+  extends: .tests
+  script:
+    - bundle exec rubocop
+
+rspec:
+  extends: .tests
+  image: "ruby:$RUBY_VERSION"
+  script:
+    - bundle exec rspec
+  parallel:
+    matrix:
+      - RUBY_VERSION:
+        - "2.7"
+        - "3.0"
+
+danger-review:
+  extends: .tests
+  needs: []
+  script:
+    - >
+      if [ -z "$DANGER_GITLAB_API_TOKEN" ]; then
+        # Force danger to skip CI source GitLab and fallback to "local only git repo".
+        unset GITLAB_CI
+        # We need to base SHA to help danger determine the base commit for this shallow clone.
+        bundle exec danger dry_run --fail-on-errors=true --verbose --base="$CI_MERGE_REQUEST_DIFF_BASE_SHA"
+      else
+        bundle exec danger --fail-on-errors=true --verbose
+      fi

data/.rspec

@@ -0,0 +1,4 @@
+--format documentation
+--color
+--require spec_helper
+--order rand

data/.rubocop.yml

@@ -0,0 +1,10 @@
+inherit_gem:
+  gitlab-styles:
+    - rubocop-default.yml
+
+AllCops:
+  TargetRubyVersion: 2.6
+  NewCops: enable
+
+RSpec/MultipleMemoizedHelpers:
+  Max: 10

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at akalderimis@gitlab.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [https://contributor-covenant.org/version/1/4][version]
+
+[homepage]: https://contributor-covenant.org
+[version]: https://contributor-covenant.org/version/1/4/

data/Dangerfile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'gitlab-dangerfiles'
+
+Gitlab::Dangerfiles.import_plugins(danger)
+danger.import_plugin('danger/plugins/*.rb')
+
+return if helper.release_automation?
+
+danger.import_dangerfile(path: File.join('danger', 'roulette'))
+
+anything_to_post = status_report.values.any?(&:any?)
+
+if helper.ci? && anything_to_post
+  markdown("**If needed, you can retry the [`danger-review` job](#{ENV['CI_JOB_URL']}) that generated this comment.**")
+end

data/Gemfile

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in declarative-policy.gemspec
+gemspec
+
+gem 'activesupport', '>= 6.0'
+gem 'rake', '~> 12.0'
+gem 'rubocop', require: false
+
+group :test do
+  gem 'rspec', '~> 3.0'
+  gem 'rspec-parameterized', require: false
+  gem 'pry-byebug'
+end
+
+group :development, :test do
+  gem 'gitlab-styles', '~> 6.1.0', require: false
+end
+
+group :development, :test, :danger do
+  gem 'gitlab-dangerfiles', '~> 1.1.0', require: false
+end

data/Gemfile.lock

@@ -0,0 +1,197 @@
+PATH
+  remote: .
+  specs:
+    declarative_policy (1.0.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    abstract_type (0.0.7)
+    activesupport (6.0.3.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    adamantium (0.2.0)
+      ice_nine (~> 0.11.0)
+      memoizable (~> 0.4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.2)
+    binding_ninja (0.2.3)
+    byebug (11.1.3)
+    claide (1.0.3)
+    claide-plugins (0.9.2)
+      cork
+      nap
+      open4 (~> 1.3)
+    coderay (1.1.3)
+    colored2 (3.1.2)
+    concord (0.1.5)
+      adamantium (~> 0.2.0)
+      equalizer (~> 0.0.9)
+    concurrent-ruby (1.1.8)
+    cork (0.3.0)
+      colored2 (~> 3.1)
+    danger (8.2.3)
+      claide (~> 1.0)
+      claide-plugins (>= 0.9.2)
+      colored2 (~> 3.1)
+      cork (~> 0.1)
+      faraday (>= 0.9.0, < 2.0)
+      faraday-http-cache (~> 2.0)
+      git (~> 1.7)
+      kramdown (~> 2.3)
+      kramdown-parser-gfm (~> 1.0)
+      no_proxy_fix
+      octokit (~> 4.7)
+      terminal-table (>= 1, < 4)
+    danger-gitlab (8.0.0)
+      danger
+      gitlab (~> 4.2, >= 4.2.0)
+    diff-lcs (1.4.4)
+    equalizer (0.0.11)
+    faraday (1.1.0)
+      multipart-post (>= 1.2, < 3)
+      ruby2_keywords
+    faraday-http-cache (2.2.0)
+      faraday (>= 0.8)
+    git (1.7.0)
+      rchardet (~> 1.8)
+    gitlab (4.17.0)
+      httparty (~> 0.18)
+      terminal-table (~> 1.5, >= 1.5.1)
+    gitlab-dangerfiles (1.1.0)
+      danger-gitlab
+    gitlab-styles (6.1.0)
+      rubocop (~> 0.91, >= 0.91.1)
+      rubocop-gitlab-security (~> 0.1.1)
+      rubocop-performance (~> 1.9.2)
+      rubocop-rails (~> 2.9)
+      rubocop-rspec (~> 1.44)
+    httparty (0.18.1)
+      mime-types (~> 3.0)
+      multi_xml (>= 0.5.2)
+    i18n (1.8.9)
+      concurrent-ruby (~> 1.0)
+    ice_nine (0.11.2)
+    kramdown (2.3.1)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    memoizable (0.4.2)
+      thread_safe (~> 0.3, >= 0.3.1)
+    method_source (1.0.0)
+    mime-types (3.3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2020.1104)
+    minitest (5.14.3)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    nap (1.1.0)
+    no_proxy_fix (0.1.2)
+    octokit (4.20.0)
+      faraday (>= 0.9)
+      sawyer (~> 0.8.0, >= 0.5.3)
+    open4 (1.3.4)
+    parallel (1.20.1)
+    parser (3.0.0.0)
+      ast (~> 2.4.1)
+    proc_to_ast (0.1.0)
+      coderay
+      parser
+      unparser
+    procto (0.0.3)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    pry-byebug (3.9.0)
+      byebug (~> 11.0)
+      pry (~> 0.13.0)
+    public_suffix (4.0.6)
+    rack (2.2.3)
+    rainbow (3.0.0)
+    rake (12.3.3)
+    rchardet (1.8.0)
+    regexp_parser (1.8.2)
+    rexml (3.2.4)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-parameterized (0.4.2)
+      binding_ninja (>= 0.2.3)
+      parser
+      proc_to_ast
+      rspec (>= 2.13, < 4)
+      unparser
+    rspec-support (3.10.2)
+    rubocop (0.93.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.5)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8)
+      rexml
+      rubocop-ast (>= 0.6.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (1.4.1)
+      parser (>= 2.7.1.5)
+    rubocop-gitlab-security (0.1.1)
+      rubocop (>= 0.51)
+    rubocop-performance (1.9.2)
+      rubocop (>= 0.90.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    rubocop-rails (2.9.1)
+      activesupport (>= 4.2.0)
+      rack (>= 1.1)
+      rubocop (>= 0.90.0, < 2.0)
+    rubocop-rspec (1.44.1)
+      rubocop (~> 0.87)
+      rubocop-ast (>= 0.7.1)
+    ruby-progressbar (1.11.0)
+    ruby2_keywords (0.0.2)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+    terminal-table (1.8.0)
+      unicode-display_width (~> 1.1, >= 1.1.1)
+    thread_safe (0.3.6)
+    tzinfo (1.2.9)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.7.0)
+    unparser (0.4.7)
+      abstract_type (~> 0.0.7)
+      adamantium (~> 0.2.0)
+      concord (~> 0.1.5)
+      diff-lcs (~> 1.3)
+      equalizer (~> 0.0.9)
+      parser (>= 2.6.5)
+      procto (~> 0.0.2)
+    zeitwerk (2.4.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport (>= 6.0)
+  declarative_policy!
+  gitlab-dangerfiles (~> 1.1.0)
+  gitlab-styles (~> 6.1.0)
+  pry-byebug
+  rake (~> 12.0)
+  rspec (~> 3.0)
+  rspec-parameterized
+  rubocop
+
+BUNDLED WITH
+   2.1.4

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Alex Kalderimis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,144 @@
+# `DeclarativePolicy`: A Declarative Authorization Library
+
+This library provides a DSL for writing authorization policies.
+
+It can be used to separate logic from permissions, and has been
+used at scale in production at [GitLab.com](https://gitlab.com).
+
+The original author of this library is [Jeanine Adkisson](http://jneen.net),
+and copyright is held by GitLab.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'declarative_policy'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install declarative_policy
+
+## Usage
+
+
+The core abstraction of this library is a `Policy`. Policies combine:
+
+- **facts** (called `conditions`) about the state of the world
+- **judgements** about these facts (called `rules`)
+
+This library exists to determine the truth value of statements of the form:
+
+```
+Subject Predicate [Object]
+```
+
+For example:
+
+- `user :is_alive`
+- `user :can_drive car`
+- `user :can_sell car`
+
+It does this by letting us associate a `Policy` (a set of rules about which
+statements are true) with the objects of the sentences. A statement is
+considered to hold if no rule `prevents` it, and at least one rule `enables` it.
+
+For example, imagine we have a data model containing vehicles and users, and we
+want to know if a user can drive a vehicle. We need a `VehiclePolicy`:
+
+```ruby
+class VehiclePolicy < DeclarativePolicy::Base
+  # relevant facts
+  condition(:owns) { @subject.owner == @user }
+  condition(:has_access_to) { @subject.owner.trusts?(@user) }
+  condition(:old_enough_to_drive) { @user.age >= laws.minimum_age }
+  condition(:has_driving_license) { @user.driving_license&.valid? }
+  # expensive rules can have 'score'. Higher scores are 'more expensive' to calculate
+  condition(:owns, score: 0) { @subject.owner == @user }
+  condition(:has_access_to, score: 3) { @subject.owner.trusts?(@user) }
+  condition(:intoxicated, score: 5) { @user.blood_alcohol < laws.max_blood_alcohol }
+  
+  # conclusions we can draw:
+  rule { owns }.enable :drive_vehicle
+  rule { has_access_to }.enable :drive_vehicle
+  rule { ~old_enough_to_drive }.prevent :drive_vehicle
+  rule { intoxicated }.prevent :drive_vehicle
+  rule { ~has_driving_license }.prevent :drive_vehicle
+  
+  # we can use methods to abstract common logic
+  def laws
+    @subject.registration.country.driving_laws
+  end
+end
+```
+
+A few points to note: we could have written this as one big rule
+(`(owns | has_access_to) & old_enough_to_drive & ~intoxicated & has_driving_license`)
+but we can see some of the features that make declarative policies scalable for
+large systems: rules can be broken up into small elements, and composed into
+larger rules. New conditions and rules can be added at any time.
+
+What is more difficult to see is that many performance optimizations are handled
+for us transparently:
+
+- more expensive conditions are called later
+- we automatically get the desired groupings (evaluate all conditions that might
+  prevent an action, but stop once we have at least one call to enable).
+- intermediate values are cached.
+- policies support inheritance and delegation, meaning authorization logic
+  remains DRY.
+
+In short this library aims to be declarative: we declare the rules that are
+important, and the library arranges how to evaluate them.
+
+Caching is a particularly valuable feature of policies. If we add new rules
+about selling a vehicle, for example:
+
+```ruby
+rule { owns }.enable :sell_vehicle
+```
+
+Then the fact of ownership can be shared between different calls to the policy,
+saving database calls and other expensive IO operations.
+
+### Evaluating a policy:
+
+We can check the determination of a policy with:
+
+```ruby
+cache = Session.current_session
+policy = DeclarativePolicy.policy_for(user, car, cache: cache)
+policy.can?(:drive_vehicle)
+```
+
+For more usage details, see the [documentation](docs/usage.md).
+
+## Development
+
+After checking out the repository, run `bin/setup` to install dependencies.
+Then, run `rake spec` to run the tests. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://gitlab.com/gitlab-org/declarative-policy. This project is intended to be
+a safe, welcoming space for collaboration, and contributors are expected to
+adhere to the [GitLab code of conduct](https://about.gitlab.com/community/contribute/code-of-conduct/).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the `DeclarativePolicy` project's codebase, issue
+trackers, chat rooms and mailing lists is expected to follow
+the [code of conduct](https://github.com/[USERNAME]/declarative-policy/blob/master/CODE_OF_CONDUCT.md).