declarative_policy 1.0.0 → 1.1.0
- checksums.yaml +4 -4
- data/.gitignore +2 -0
- data/.gitlab-ci.yml +59 -16
- data/.rubocop.yml +4 -1
- data/CHANGELOG.md +8 -0
- data/CONTRIBUTING.md +41 -0
- data/Gemfile +7 -8
- data/Gemfile.lock +37 -20
- data/LICENSE.txt +4 -1
- data/README.md +6 -4
- data/benchmarks/repeated_invocation.rb +37 -0
- data/declarative_policy.gemspec +1 -1
- data/doc/caching.md +299 -1
- data/doc/defining-policies.md +29 -3
- data/doc/optimization.md +277 -0
- data/lib/declarative_policy/base.rb +60 -28
- data/lib/declarative_policy/cache.rb +1 -1
- data/lib/declarative_policy/condition.rb +4 -2
- data/lib/declarative_policy/configuration.rb +7 -1
- data/lib/declarative_policy/rule.rb +5 -5
- data/lib/declarative_policy/runner.rb +58 -26
- data/lib/declarative_policy/version.rb +1 -1
- data/lib/declarative_policy.rb +30 -40
- metadata +11 -7
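--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6dffd68fb3da1c6d7629901c2436d47e87d7a2b275dfa7282371ef97e7e623b9
+data.tar.gz: 9d07ae900c5c2de61025ac2ecff512da42a235f2365db2696babc4b41a654ec2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e95c536a5b724dc302e192c975b7adf9a3096a7b2fca2ebe63cc1a6fcead19bb37928fecd796b63403902c7885f577859beff3a51237ce37d7a4deff9a51318d
+data.tar.gz: acfa272dae2fce1bb4ea9be06c45d10f3da93a8a87ea8c329db1b2e8cd8cf707615104945872bc391e4eb35bc9b2adba0d768ecdd9ddf1bb5ce480ba7dd337c0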
data/.gitignore
CHANGED
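--- a/data/.gitlab-ci.yml
+++ b/data/.gitlab-ci.yml
@@ -1,38 +1,52 @@
 image: "ruby:2.7"
 
+include:
+- template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
+- template: Security/Dependency-Scanning.gitlab-ci.yml
+- template: Security/License-Scanning.gitlab-ci.yml
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+
 .tests:
 stage: test
-
-
--
-
-
-
-# Cache gems in between builds
-cache:
-paths:
-- vendor/ruby
-
-before_script:
-- ruby -v # Print out ruby version for debugging
-- bundle install -j $(nproc) --path vendor # Install dependencies into ./vendor/ruby
+cache:
+paths:
+- vendor/ruby
+before_script:
+- ruby -v # Print out ruby version for debugging
+- bundle install -j $(nproc) --path vendor/ruby/$RUBY_VERSION
 
 rubocop:
 extends: .tests
 script:
 - bundle exec rubocop
 
-rspec:
+.rspec:
 extends: .tests
-image: "ruby:$RUBY_VERSION"
 script:
 - bundle exec rspec
+
+rspec:mri:
+extends: .rspec
+image: "ruby:$RUBY_VERSION"
 parallel:
 matrix:
 - RUBY_VERSION:
 - "2.7"
 - "3.0"
 
+rspec:jruby:
+extends: .rspec
+image: "bitnami/jruby:latest"
+variables:
+RUBY_VERSION: jruby
+
+rspec:truffleruby:
+extends: .rspec
+image: "flavorjones/truffleruby:latest"
+variables:
+RUBY_VERSION: truffleruby
+
 danger-review:
 extends: .tests
 needs: []
@@ -46,3 +60,32 @@ danger-review:
 else
 bundle exec danger --fail-on-errors=true --verbose
 fi
+
+# run security jobs on MRs
+# see: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991
+
+brakeman-sast:
+rules:
+- if: $CI_PIPELINE_SOURCE == "merge_request_event"
+- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+gemnasium-dependency_scanning:
+rules:
+- if: $CI_PIPELINE_SOURCE == "merge_request_event"
+- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+bundler-audit-dependency_scanning:
+rules:
+- if: $CI_PIPELINE_SOURCE == "merge_request_event"
+- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+license_scanning:
+rules:
+- if: $CI_PIPELINE_SOURCE == "merge_request_event"
+- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+secret_detection:
+rules:
+- if: $CI_PIPELINE_SOURCE == "merge_request_event"
+- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+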
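Review bot: The new `rspec:jruby` and `rspec:truffleruby` jobs pull third-party images by floating tag (`image: "bitnami/jruby:latest"`, `image: "flavorjones/truffleruby:latest"`), so the interpreter under test changes whenever upstream republishes the tag and a given pipeline run cannot be reproduced later; pinning at least to a version tag, as `image: "ruby:$RUBY_VERSION"` does for MRI, or to a digest (`image: "bitnami/jruby:<version>@sha256:<digest>"`, placeholders) keeps the matrix deterministic and makes an image change a reviewable diff. The identical `rules:` block repeated under `brakeman-sast`, `gemnasium-dependency_scanning`, `bundler-audit-dependency_scanning`, `license_scanning` and `secret_detection` in the second hunk could be a single YAML anchor (`.security-rules: &security-rules`) merged into each job, so the five overrides cannot drift apart. The rendering has lost indentation, so the nesting of these keys is inferred from the job names.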
data/.rubocop.yml
CHANGED
data/CHANGELOG.md
ADDED
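--- /dev/null
+++ b/data/CONTRIBUTING.md
@@ -0,0 +1,41 @@
+## Developer Certificate of Origin and License
+
+By contributing to GitLab B.V., you accept and agree to the following terms and
+conditions for your present and future contributions submitted to GitLab B.V.
+Except for the license granted herein to GitLab B.V. and recipients of software
+distributed by GitLab B.V., you reserve all right, title, and interest in and to
+your Contributions.
+
+All contributions are subject to the Developer Certificate of Origin and license set out at [docs.gitlab.com/ce/legal/developer_certificate_of_origin](https://docs.gitlab.com/ce/legal/developer_certificate_of_origin).
+
+_This notice should stay as the first item in the CONTRIBUTING.md file._
+
+## Code of conduct
+
+As contributors and maintainers of this project, we pledge to respect all people
+who contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, or religion.
+
+Examples of unacceptable behavior by participants include the use of sexual
+language or imagery, derogatory comments or personal attacks, trolling, public
+or private harassment, insults, or other unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct. Project maintainers who do not follow the
+Code of Conduct may be removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior can be
+reported by emailing contact@gitlab.com.
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://contributor-covenant.org), version 1.1.0,
+available at [https://contributor-covenant.org/version/1/1/0/](https://contributor-covenant.org/version/1/1/0/).
+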
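--- a/data/Gemfile
+++ b/data/Gemfile
@@ -5,20 +5,19 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in declarative-policy.gemspec
 gemspec
 
-gem 'activesupport', '>= 6.0'
-gem 'rake', '~> 12.0'
-gem 'rubocop', require: false
-
 group :test do
-gem 'rspec', '~> 3.
+gem 'rspec', '~> 3.10'
 gem 'rspec-parameterized', require: false
-gem 'pry-byebug'
+gem 'pry-byebug', platforms: [:ruby]
 end
 
 group :development, :test do
-gem 'gitlab-styles', '~> 6.1.0', require: false
+gem 'gitlab-styles', '~> 6.1.0', require: false, platforms: [:ruby]
+gem 'rake', '~> 12.0'
+gem 'benchmark', require: false
+gem 'rubocop', require: false
 end
 
 group :development, :test, :danger do
-gem 'gitlab-dangerfiles', '~> 1.1.0', require: false
+gem 'gitlab-dangerfiles', '~> 1.1.0', require: false, platforms: [:ruby]
 end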
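--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,25 +1,27 @@
 PATH
 remote: .
 specs:
-declarative_policy (1.
+declarative_policy (1.1.0)
 
 GEM
 remote: https://rubygems.org/
 specs:
 abstract_type (0.0.7)
-activesupport (6.
+activesupport (6.1.3.2)
 concurrent-ruby (~> 1.0, >= 1.0.2)
-i18n (>=
-minitest (
-tzinfo (~>
-zeitwerk (~> 2.
+i18n (>= 1.6, < 2)
+minitest (>= 5.1)
+tzinfo (~> 2.0)
+zeitwerk (~> 2.3)
 adamantium (0.2.0)
 ice_nine (~> 0.11.0)
 memoizable (~> 0.4.0)
 addressable (2.7.0)
 public_suffix (>= 2.0.2, < 5.0)
 ast (2.4.2)
+benchmark (0.1.1)
 binding_ninja (0.2.3)
+binding_ninja (0.2.3-java)
 byebug (11.1.3)
 claide (1.0.3)
 claide-plugins (0.9.2)
@@ -52,17 +54,24 @@ GEM
 gitlab (~> 4.2, >= 4.2.0)
 diff-lcs (1.4.4)
 equalizer (0.0.11)
-faraday (1.1
+faraday (1.4.1)
+faraday-excon (~> 1.1)
+faraday-net_http (~> 1.0)
+faraday-net_http_persistent (~> 1.1)
 multipart-post (>= 1.2, < 3)
-ruby2_keywords
+ruby2_keywords (>= 0.0.4)
+faraday-excon (1.1.0)
 faraday-http-cache (2.2.0)
 faraday (>= 0.8)
-
+faraday-net_http (1.0.1)
+faraday-net_http_persistent (1.1.0)
+ffi (1.15.4-java)
+git (1.8.1)
 rchardet (~> 1.8)
 gitlab (4.17.0)
 httparty (~> 0.18)
 terminal-table (~> 1.5, >= 1.5.1)
-gitlab-dangerfiles (1.1.
+gitlab-dangerfiles (1.1.1)
 danger-gitlab
 gitlab-styles (6.1.0)
 rubocop (~> 0.91, >= 0.91.1)
@@ -73,7 +82,7 @@ GEM
 httparty (0.18.1)
 mime-types (~> 3.0)
 multi_xml (>= 0.5.2)
-i18n (1.8.
+i18n (1.8.10)
 concurrent-ruby (~> 1.0)
 ice_nine (0.11.2)
 kramdown (2.3.1)
@@ -85,13 +94,13 @@ GEM
 method_source (1.0.0)
 mime-types (3.3.1)
 mime-types-data (~> 3.2015)
-mime-types-data (3.
-minitest (5.14.
+mime-types-data (3.2021.0225)
+minitest (5.14.4)
 multi_xml (0.6.0)
 multipart-post (2.1.1)
 nap (1.1.0)
 no_proxy_fix (0.1.2)
-octokit (4.
+octokit (4.21.0)
 faraday (>= 0.9)
 sawyer (~> 0.8.0, >= 0.5.3)
 open4 (1.3.4)
@@ -106,6 +115,10 @@ GEM
 pry (0.13.1)
 coderay (~> 1.1)
 method_source (~> 1.0)
+pry (0.13.1-java)
+coderay (~> 1.1)
+method_source (~> 1.0)
+spoon (~> 0.0)
 pry-byebug (3.9.0)
 byebug (~> 11.0)
 pry (~> 0.13.0)
@@ -159,15 +172,18 @@ GEM
 rubocop (~> 0.87)
 rubocop-ast (>= 0.7.1)
 ruby-progressbar (1.11.0)
-ruby2_keywords (0.0.
+ruby2_keywords (0.0.4)
 sawyer (0.8.2)
 addressable (>= 2.3.5)
 faraday (> 0.8, < 2.0)
+spoon (0.0.6)
+ffi
 terminal-table (1.8.0)
 unicode-display_width (~> 1.1, >= 1.1.1)
 thread_safe (0.3.6)
-
-
+thread_safe (0.3.6-java)
+tzinfo (2.0.4)
+concurrent-ruby (~> 1.0)
 unicode-display_width (1.7.0)
 unparser (0.4.7)
 abstract_type (~> 0.0.7)
@@ -181,17 +197,18 @@ GEM
 
 PLATFORMS
 ruby
+universal-java-1.8
 
 DEPENDENCIES
-
+benchmark
 declarative_policy!
 gitlab-dangerfiles (~> 1.1.0)
 gitlab-styles (~> 6.1.0)
 pry-byebug
 rake (~> 12.0)
-rspec (~> 3.
+rspec (~> 3.10)
 rspec-parameterized
 rubocop
 
 BUNDLED WITH
-2.
+2.2.15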
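--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -1,6 +1,9 @@
 The MIT License (MIT)
 
-Copyright (c) 2021
+Copyright (c) 2021 GitLab
+
+The original author of this library is [Jeanine Adkisson](http://jneen.net),
+and copyright is held by GitLab.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal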
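--- a/data/README.md
+++ b/data/README.md
@@ -1,5 +1,7 @@
 # `DeclarativePolicy`: A Declarative Authorization Library
 
+[![Gem Version](https://badge.fury.io/rb/declarative_policy.svg)](https://badge.fury.io/rb/declarative_policy)
+
 This library provides a DSL for writing authorization policies.
 
 It can be used to separate logic from permissions, and has been
@@ -61,7 +63,7 @@ class VehiclePolicy < DeclarativePolicy::Base
 # expensive rules can have 'score'. Higher scores are 'more expensive' to calculate
 condition(:owns, score: 0) { @subject.owner == @user }
 condition(:has_access_to, score: 3) { @subject.owner.trusts?(@user) }
-condition(:intoxicated, score: 5) { @user.blood_alcohol
+condition(:intoxicated, score: 5) { @user.blood_alcohol > laws.max_blood_alcohol }
 
 # conclusions we can draw:
 rule { owns }.enable :drive_vehicle
@@ -116,11 +118,11 @@ policy = DeclarativePolicy.policy_for(user, car, cache: cache)
 policy.can?(:drive_vehicle)
 ```
 
-For more usage details, see the [documentation](
+For more usage details, see the [documentation](doc).
 
 ## Development
 
-After checking out the repository, run `
+After checking out the repository, run `bundle install` to install dependencies.
 Then, run `rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
@@ -128,7 +130,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and
+Bug reports and merge requests are welcome on GitLab at
 https://gitlab.com/gitlab-org/declarative-policy. This project is intended to be
 a safe, welcoming space for collaboration, and contributors are expected to
 adhere to the [GitLab code of conduct](https://about.gitlab.com/community/contribute/code-of-conduct/).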
@@ -0,0 +1,37 @@
|
|
1
|
+
#!/usr/bin/env ruby -w
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require 'declarative_policy'
|
5
|
+
require 'benchmark'
|
6
|
+
|
7
|
+
Dir["./spec/support/policies/*.rb"].sort.each { |f| require f }
|
8
|
+
Dir["./spec/support/models/*.rb"].sort.each { |f| require f }
|
9
|
+
|
10
|
+
TIMES = 1_000_000
|
11
|
+
LABEL = 'allowed?(driver, :drive_vehicle, car)'
|
12
|
+
|
13
|
+
DeclarativePolicy.configure! do
|
14
|
+
named_policy :global, GlobalPolicy
|
15
|
+
|
16
|
+
name_transformation do |name|
|
17
|
+
'ReadmePolicy' if name == 'Vehicle'
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
Benchmark.bm(LABEL.length) do |b|
|
22
|
+
cache = {}
|
23
|
+
valid_license = License.valid
|
24
|
+
country = Country.moderate
|
25
|
+
registration = Registration.new(number: 'xyz123', country: country)
|
26
|
+
driver = User.new(name: 'The driver', driving_license: valid_license)
|
27
|
+
owner = User.new(name: 'The Owner', trusted: [driver.name])
|
28
|
+
car = Vehicle.new(owner: owner, registration: registration)
|
29
|
+
|
30
|
+
raise 'Expected to drive' unless DeclarativePolicy.policy_for(driver, car).allowed?(:drive_vehicle)
|
31
|
+
|
32
|
+
b.report LABEL do
|
33
|
+
TIMES.times do
|
34
|
+
DeclarativePolicy.policy_for(driver, car, cache: cache).allowed?(:drive_vehicle)
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
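Review bot: The shebang `#!/usr/bin/env ruby -w` on line 1 is not portable: on Linux `env` receives `ruby -w` as a single program name and the script fails to start unless it is launched explicitly via `ruby`, so `#!/usr/bin/env ruby` with `$VERBOSE = true` as the first statement (or documenting `ruby -w benchmarks/repeated_invocation.rb`) gives the same warnings everywhere. The fixture globs `Dir["./spec/support/policies/*.rb"]` and `Dir["./spec/support/models/*.rb"]` are relative to the working directory, so the benchmark only loads its policies and models when started from the repository root; anchoring them on the script's location, e.g. `Dir[File.join(__dir__, '..', 'spec', 'support', 'policies', '*.rb')]`, removes that dependency. Likewise `require 'declarative_policy'` resolves only with `lib` on the load path (`-Ilib` or `bundle exec`), which a one-line header comment stating how the script is meant to be run would make explicit.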
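--- a/data/declarative_policy.gemspec
+++ b/data/declarative_policy.gemspec
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
 DESC
 spec.homepage = 'https://gitlab.com/gitlab-org/declarative-policy'
 spec.license = 'MIT'
-spec.required_ruby_version = Gem::Requirement.new('>= 2.
+spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
 
 spec.metadata['homepage_uri'] = spec.homepage
 spec.metadata['source_code_uri'] = 'https://gitlab.com/gitlab-org/declarative-policy'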