declarative_policy 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c08845902bc432f4c737ba76d2b9a5f0cc456fed1d0f26353755146ab49b2a1
-  data.tar.gz: 0f64e5d7707dff73572484cd700b529704f4d41dfd0b1972c8d675e4281d3582
+  metadata.gz: 6dffd68fb3da1c6d7629901c2436d47e87d7a2b275dfa7282371ef97e7e623b9
+  data.tar.gz: 9d07ae900c5c2de61025ac2ecff512da42a235f2365db2696babc4b41a654ec2
 SHA512:
-  metadata.gz: 0b5bc3cfd66be62b483aa8beb673b8b858121a18a0dcb64bd9f6fa79d268ebf3ddb566ede84c1032beac05bc81f6fa8f0642e846a42f6bcf21083eb04de7fa2c
-  data.tar.gz: fabb732587403af0e1cfe8cfcc25033f0d8ccaee066e8310bd0bacf38fba052758e97e3aedbc42e6c62f898a07eaf598885a731f4b80fa9fdf1fe321dfa2901b
+  metadata.gz: e95c536a5b724dc302e192c975b7adf9a3096a7b2fca2ebe63cc1a6fcead19bb37928fecd796b63403902c7885f577859beff3a51237ce37d7a4deff9a51318d
+  data.tar.gz: acfa272dae2fce1bb4ea9be06c45d10f3da93a8a87ea8c329db1b2e8cd8cf707615104945872bc391e4eb35bc9b2adba0d768ecdd9ddf1bb5ce480ba7dd337c0

data/.gitignore

@@ -8,3 +8,5 @@
 
 # rspec failure tracking
 .rspec_status
+declarative_policy-*.gem
+.tool-versions

data/.gitlab-ci.yml

@@ -1,38 +1,52 @@
 image: "ruby:2.7"
 
+include:
+  - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+  - template: Security/License-Scanning.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+
 .tests:
   stage: test
-  only:
-    refs:
-      - master
-      - tags
-      - merge_requests
-
-# Cache gems in between builds
-cache:
-  paths:
-    - vendor/ruby
-
-before_script:
-  - ruby -v  # Print out ruby version for debugging
-  - bundle install -j $(nproc) --path vendor  # Install dependencies into ./vendor/ruby
+  cache:
+    paths:
+      - vendor/ruby
+  before_script:
+    - ruby -v  # Print out ruby version for debugging
+    - bundle install -j $(nproc) --path vendor/ruby/$RUBY_VERSION
 
 rubocop:
   extends: .tests
   script:
     - bundle exec rubocop
 
-rspec:
+.rspec:
   extends: .tests
-  image: "ruby:$RUBY_VERSION"
   script:
     - bundle exec rspec
+
+rspec:mri:
+  extends: .rspec
+  image: "ruby:$RUBY_VERSION"
   parallel:
     matrix:
       - RUBY_VERSION:
         - "2.7"
         - "3.0"
 
+rspec:jruby:
+  extends: .rspec
+  image: "bitnami/jruby:latest"
+  variables:
+    RUBY_VERSION: jruby
+
+rspec:truffleruby:
+  extends: .rspec
+  image: "flavorjones/truffleruby:latest"
+  variables:
+    RUBY_VERSION: truffleruby
+
 danger-review:
   extends: .tests
   needs: []
@@ -46,3 +60,32 @@ danger-review:
       else
         bundle exec danger --fail-on-errors=true --verbose
       fi
+
+# run security jobs on MRs
+# see: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991
+
+brakeman-sast:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+gemnasium-dependency_scanning:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+bundler-audit-dependency_scanning:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+license_scanning:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+secret_detection:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+

data/.rubocop.yml

@@ -2,8 +2,11 @@ inherit_gem:
   gitlab-styles:
     - rubocop-default.yml
 
+CodeReuse/ActiveRecord:
+  Enabled: false
+
 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 2.5
   NewCops: enable
 
 RSpec/MultipleMemoizedHelpers:

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+1.1.0:
+
+- Add cache invalidation API: `DeclarativePolicy.invalidate(cache, keys)`
+- Include actor class name in cache key
+
+1.0.1:
+
+- Added unit level tests for `lib/declarative_policy/rule.rb`

data/CONTRIBUTING.md

@@ -0,0 +1,41 @@
+## Developer Certificate of Origin and License
+
+By contributing to GitLab B.V., you accept and agree to the following terms and
+conditions for your present and future contributions submitted to GitLab B.V.
+Except for the license granted herein to GitLab B.V. and recipients of software
+distributed by GitLab B.V., you reserve all right, title, and interest in and to
+your Contributions.
+
+All contributions are subject to the Developer Certificate of Origin and license set out at [docs.gitlab.com/ce/legal/developer_certificate_of_origin](https://docs.gitlab.com/ce/legal/developer_certificate_of_origin).
+
+_This notice should stay as the first item in the CONTRIBUTING.md file._
+
+## Code of conduct
+
+As contributors and maintainers of this project, we pledge to respect all people
+who contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, or religion.
+
+Examples of unacceptable behavior by participants include the use of sexual
+language or imagery, derogatory comments or personal attacks, trolling, public
+or private harassment, insults, or other unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct. Project maintainers who do not follow the
+Code of Conduct may be removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior can be
+reported by emailing contact@gitlab.com.
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://contributor-covenant.org), version 1.1.0,
+available at [https://contributor-covenant.org/version/1/1/0/](https://contributor-covenant.org/version/1/1/0/).
+

data/Gemfile

@@ -5,20 +5,19 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in declarative-policy.gemspec
 gemspec
 
-gem 'activesupport', '>= 6.0'
-gem 'rake', '~> 12.0'
-gem 'rubocop', require: false
-
 group :test do
-  gem 'rspec', '~> 3.0'
+  gem 'rspec', '~> 3.10'
   gem 'rspec-parameterized', require: false
-  gem 'pry-byebug'
+  gem 'pry-byebug', platforms: [:ruby]
 end
 
 group :development, :test do
-  gem 'gitlab-styles', '~> 6.1.0', require: false
+  gem 'gitlab-styles', '~> 6.1.0', require: false, platforms: [:ruby]
+  gem 'rake', '~> 12.0'
+  gem 'benchmark', require: false
+  gem 'rubocop', require: false
 end
 
 group :development, :test, :danger do
-  gem 'gitlab-dangerfiles', '~> 1.1.0', require: false
+  gem 'gitlab-dangerfiles', '~> 1.1.0', require: false, platforms: [:ruby]
 end

data/Gemfile.lock

@@ -1,25 +1,27 @@
 PATH
   remote: .
   specs:
-    declarative_policy (1.0.0)
+    declarative_policy (1.1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     abstract_type (0.0.7)
-    activesupport (6.0.3.4)
+    activesupport (6.1.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     adamantium (0.2.0)
       ice_nine (~> 0.11.0)
       memoizable (~> 0.4.0)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.2)
+    benchmark (0.1.1)
     binding_ninja (0.2.3)
+    binding_ninja (0.2.3-java)
     byebug (11.1.3)
     claide (1.0.3)
     claide-plugins (0.9.2)
@@ -52,17 +54,24 @@ GEM
       gitlab (~> 4.2, >= 4.2.0)
     diff-lcs (1.4.4)
     equalizer (0.0.11)
-    faraday (1.1.0)
+    faraday (1.4.1)
+      faraday-excon (~> 1.1)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.1)
       multipart-post (>= 1.2, < 3)
-      ruby2_keywords
+      ruby2_keywords (>= 0.0.4)
+    faraday-excon (1.1.0)
     faraday-http-cache (2.2.0)
       faraday (>= 0.8)
-    git (1.7.0)
+    faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.1.0)
+    ffi (1.15.4-java)
+    git (1.8.1)
       rchardet (~> 1.8)
     gitlab (4.17.0)
       httparty (~> 0.18)
       terminal-table (~> 1.5, >= 1.5.1)
-    gitlab-dangerfiles (1.1.0)
+    gitlab-dangerfiles (1.1.1)
       danger-gitlab
     gitlab-styles (6.1.0)
       rubocop (~> 0.91, >= 0.91.1)
@@ -73,7 +82,7 @@ GEM
     httparty (0.18.1)
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
-    i18n (1.8.9)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
     ice_nine (0.11.2)
     kramdown (2.3.1)
@@ -85,13 +94,13 @@ GEM
     method_source (1.0.0)
     mime-types (3.3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2020.1104)
-    minitest (5.14.3)
+    mime-types-data (3.2021.0225)
+    minitest (5.14.4)
     multi_xml (0.6.0)
     multipart-post (2.1.1)
     nap (1.1.0)
     no_proxy_fix (0.1.2)
-    octokit (4.20.0)
+    octokit (4.21.0)
       faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     open4 (1.3.4)
@@ -106,6 +115,10 @@ GEM
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
+    pry (0.13.1-java)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+      spoon (~> 0.0)
     pry-byebug (3.9.0)
       byebug (~> 11.0)
       pry (~> 0.13.0)
@@ -159,15 +172,18 @@ GEM
       rubocop (~> 0.87)
       rubocop-ast (>= 0.7.1)
     ruby-progressbar (1.11.0)
-    ruby2_keywords (0.0.2)
+    ruby2_keywords (0.0.4)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
+    spoon (0.0.6)
+      ffi
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thread_safe (0.3.6)
-    tzinfo (1.2.9)
-      thread_safe (~> 0.1)
+    thread_safe (0.3.6-java)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (1.7.0)
     unparser (0.4.7)
       abstract_type (~> 0.0.7)
@@ -181,17 +197,18 @@ GEM
 
 PLATFORMS
   ruby
+  universal-java-1.8
 
 DEPENDENCIES
-  activesupport (>= 6.0)
+  benchmark
   declarative_policy!
   gitlab-dangerfiles (~> 1.1.0)
   gitlab-styles (~> 6.1.0)
   pry-byebug
   rake (~> 12.0)
-  rspec (~> 3.0)
+  rspec (~> 3.10)
   rspec-parameterized
   rubocop
 
 BUNDLED WITH
-   2.1.4
+   2.2.15

data/LICENSE.txt

@@ -1,6 +1,9 @@
 The MIT License (MIT)
 
-Copyright (c) 2021 Alex Kalderimis
+Copyright (c) 2021 GitLab
+
+The original author of this library is [Jeanine Adkisson](http://jneen.net),
+and copyright is held by GitLab.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,5 +1,7 @@
 # `DeclarativePolicy`: A Declarative Authorization Library
 
+[![Gem Version](https://badge.fury.io/rb/declarative_policy.svg)](https://badge.fury.io/rb/declarative_policy)
+
 This library provides a DSL for writing authorization policies.
 
 It can be used to separate logic from permissions, and has been
@@ -61,7 +63,7 @@ class VehiclePolicy < DeclarativePolicy::Base
   # expensive rules can have 'score'. Higher scores are 'more expensive' to calculate
   condition(:owns, score: 0) { @subject.owner == @user }
   condition(:has_access_to, score: 3) { @subject.owner.trusts?(@user) }
-  condition(:intoxicated, score: 5) { @user.blood_alcohol < laws.max_blood_alcohol }
+  condition(:intoxicated, score: 5) { @user.blood_alcohol > laws.max_blood_alcohol }
   
   # conclusions we can draw:
   rule { owns }.enable :drive_vehicle
@@ -116,11 +118,11 @@ policy = DeclarativePolicy.policy_for(user, car, cache: cache)
 policy.can?(:drive_vehicle)
 ```
 
-For more usage details, see the [documentation](docs/usage.md).
+For more usage details, see the [documentation](doc).
 
 ## Development
 
-After checking out the repository, run `bin/setup` to install dependencies.
+After checking out the repository, run `bundle install` to install dependencies.
 Then, run `rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
@@ -128,7 +130,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at
+Bug reports and merge requests are welcome on GitLab at
 https://gitlab.com/gitlab-org/declarative-policy. This project is intended to be
 a safe, welcoming space for collaboration, and contributors are expected to
 adhere to the [GitLab code of conduct](https://about.gitlab.com/community/contribute/code-of-conduct/).

data/benchmarks/repeated_invocation.rb

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby -w
+# frozen_string_literal: true
+
+require 'declarative_policy'
+require 'benchmark'
+
+Dir["./spec/support/policies/*.rb"].sort.each { |f| require f }
+Dir["./spec/support/models/*.rb"].sort.each { |f| require f }
+
+TIMES = 1_000_000
+LABEL = 'allowed?(driver, :drive_vehicle, car)'
+
+DeclarativePolicy.configure! do
+  named_policy :global, GlobalPolicy
+
+  name_transformation do |name|
+    'ReadmePolicy' if name == 'Vehicle'
+  end
+end
+
+Benchmark.bm(LABEL.length) do |b|
+  cache = {}
+  valid_license = License.valid
+  country = Country.moderate
+  registration = Registration.new(number: 'xyz123', country: country)
+  driver = User.new(name: 'The driver', driving_license: valid_license)
+  owner = User.new(name: 'The Owner', trusted: [driver.name])
+  car = Vehicle.new(owner: owner, registration: registration)
+
+  raise 'Expected to drive' unless DeclarativePolicy.policy_for(driver, car).allowed?(:drive_vehicle)
+
+  b.report LABEL do
+    TIMES.times do
+      DeclarativePolicy.policy_for(driver, car, cache: cache).allowed?(:drive_vehicle)
+    end
+  end
+end

data/declarative_policy.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   DESC
   spec.homepage      = 'https://gitlab.com/gitlab-org/declarative-policy'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.6.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
 
   spec.metadata['homepage_uri'] = spec.homepage
   spec.metadata['source_code_uri'] = 'https://gitlab.com/gitlab-org/declarative-policy'