eaco 0.6.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4d92e2ed7aceab41d46ba1f57fa2b75f9bb1b298
-  data.tar.gz: 32b88c52a4bf95262a6bd54524e60afa7ea802bd
+  metadata.gz: 2c8f2901fb8524328d3e14a6c08607c553912b7a
+  data.tar.gz: cf36cc16c76467699d29576720a06e1ca612663e
 SHA512:
-  metadata.gz: 2212422e25d4927512160f445e0a25060bbc88bb95040ad99f6b747317a4c09f57f2e29822ab14bb5d9759ace82901b95f6d8abae52a88a7d6a8afab77c7533a
-  data.tar.gz: 99f977abda6d1d732b9b804264d4691f01372e86bb0845a232b9c5a3f1fb344742e6c8bbe6ffd3985cb55e94558fa526752fa4a34ff6b40dec0dd0d8b06f972d
+  metadata.gz: 0bf06b2c70e7dda0a6790d89d7b5e23ce0ebe97e49026001bff0af29f69844eeb7a5b8c1f54f8d01151d86e7d4b4a9911301ef2edbdafac1958cccfdf6be3522
+  data.tar.gz: 2c1c4a9acc88bd4b814e99e1110cabe9e5f5622f29183a90c95180ba378887463091eec7d58dd88436cdb843f1e296b8cd5708adc82062ecf9d866375f22e8ae

data/README.md

@@ -3,7 +3,7 @@
 [![Build Status](https://travis-ci.org/ifad/eaco.svg)](https://travis-ci.org/ifad/eaco)
 [![Coverage Status](https://coveralls.io/repos/ifad/eaco/badge.svg)](https://coveralls.io/r/ifad/eaco) (*currently writing specs*)
 [![Code Climate](https://codeclimate.com/github/ifad/eaco/badges/gpa.svg)](https://codeclimate.com/github/ifad/eaco)
-[![Inline docs](http://inch-ci.org/github/ifad/eaco.svg?branch=master)](http://inch-ci.org/github/ifad/eaco/master)
+[![Inline docs](http://inch-ci.org/github/ifad/eaco.svg?branch=master)](http://inch-ci.org/github/ifad/eaco)
 [![Gem Version](https://badge.fury.io/rb/eaco.svg)](http://badge.fury.io/rb/eaco)
 
 Eacus, the holder of the keys of Hades, is an ACL-based authorization
@@ -52,9 +52,9 @@ Create `config/authorization.rb` [(rdoc)](http://www.rubydoc.info/github/ifad/ea
 ```ruby
 # Defines `Document` to be an authorized resource.
 #
-# Adds Document.accessible_by and Document#allows
+# Adds Document.accessible_by and Document#allows?
 #
-authorize Document, using: :lucene do
+authorize Document, using: :pg_jsonb do
   roles :owner, :editor, :reader
 
   permissions do

data/features/authorization_parse_error.feature

@@ -0,0 +1,157 @@
+Feature: Authorization rules error handling
+  When there's an error in the authorization rules,
+  it is reported in detail with a backtrace showing
+  where it happened.
+
+  Scenario: Giving rubbish
+    When I have a wrong authorization definition such as
+     """
+     if you give me rubbish please go elsewhere
+     """
+    Then I should receive a DSL error SyntaxError saying
+     """
+     \(feature\):1: syntax error.+please go elsewhere
+     """
+
+  Scenario: Referencing a non-existing model
+    When I have a wrong authorization definition such as
+     """
+     authorize ::Nonexistant, using: :pg_jsonb
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     uninitialized constant Nonexistant
+     """
+
+  Scenario: Specifying an actor class with no Designators namespace
+    When I have a wrong authorization definition such as
+    """
+    class ::Foo
+    end
+
+    actor Foo do
+      designators do
+        frobber yay: true
+      end
+    end
+    """
+    Then I should receive a DSL error Eaco::Error saying
+    """
+    Please put designators implementations in Foo::Designators
+    """
+
+  Scenario: Specifing a non-existing designator implementation
+    When I have a wrong authorization definition on model User such as
+     """
+     actor $MODEL do
+       designators do
+         fropper from: :sgurtz
+       end
+     end
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     Implementation .+User::Designators::Fropper for Designator fropper not found
+     """
+
+  Scenario: Badly specifying the designator options
+    When I have a wrong authorization definition on model User such as
+     """
+     actor $MODEL do
+       designators do
+         user on_the_rocks: true
+       end
+     end
+     """
+    Then I should receive a DSL error Eaco::Error saying
+    """
+    The designator option :from is required
+    """
+
+  Scenario: Badly specifying the permissions options
+    When I have a wrong authorization definition on model Document such as
+     """
+     authorize $MODEL do
+       permissions do
+         reader "Asdrubbale"
+       end
+     end
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     Invalid reader permission definition: "Asdrubbale"
+     """
+
+  Scenario: Authorizing an Object with no known ORM
+    When I have a wrong authorization definition such as
+     """
+     class ::Foo
+     end
+
+     authorize Foo
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     Don't know how to persist ACLs using <Foo>'s ORM
+     """
+
+  Scenario: Authorizing an Resource with no known .accessible_by
+    When I have a wrong authorization definition such as
+     """
+     class ::Bar
+       attr_accessor :acl
+     end
+
+     authorize Bar
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     Don't know how to look up authorized records on <Bar>'s ORM
+     """
+
+  Scenario: Authorizing a Resource with a known ORM but without the acl field
+    When I have a wrong authorization definition on model Department such as
+     """
+     authorize $MODEL
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     Please define a jsonb column named `acl` on .+Department
+     """
+
+  Scenario: Authorizing a Resource with a known ORM but unknown strategy
+    When I have a wrong authorization definition on model Document such as
+     """
+     authorize $MODEL
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     .+Document.+ORM.+ActiveRecord::Base.+ use one of the available strategies: pg_jsonb
+     """
+
+  Scenario: Authorizing a Resource with the wrong ACL column type
+    When I have a wrong authorization definition such as
+     """
+     class ::Grabach < ActiveRecord::Base
+       connection.create_table 'grabaches' do |t|
+         t.string :acl
+       end
+     end
+
+     authorize ::Grabach
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     The `acl` column on Grabach must be of the jsonb type
+     """
+
+  Scenario: Using an unsupported ActiveRecord version
+    When I am using ActiveRecord 3.0
+     And I have a wrong authorization definition on model Document such as
+     """
+     authorize $MODEL
+     """
+    Then I should receive a DSL error Eaco::Error saying
+     """
+     Unsupported Active Record version: 30
+     """

data/features/enterprise_authorization.feature

@@ -0,0 +1,159 @@
+Feature: Role-based, flexible authorization
+  In an enterprise, rights might be granted to specific users, to any users,
+  or to specific departments or to specific positions in said departments.
+
+  Background:
+    Given I have an User actor defined as
+      """
+      actor $MODEL do
+        designators do
+          authenticated from: :class
+          user          from: :id
+          position      from: :position_ids
+          department    from: :department_names
+        end
+      end
+      """
+    Given I have a Document resource defined as
+      """
+      authorize $MODEL, using: :pg_jsonb do
+        roles :writer, :reader
+
+        role :reader, "R/O"
+        role :writer, "R/W"
+
+        permissions do
+          reader :read
+          writer reader, :write
+        end
+      end
+      """
+
+    Given I have the following User records
+      | id | name            |
+      |  1 | Dennis Ritchie  |
+      |  2 | Rob Pike        |
+      |  3 | William Gates   |
+      |  4 | Steve Jobs      |
+      |  5 | Tim Berners-Lee |
+
+    Given I have the following Department records
+      | id | name |
+      |  1 | ICT  |
+      |  2 | BAR  |
+      |  3 | COM  |
+
+    Given I have the following Position records
+      | id | name                 | department_id | user_id |
+      |  1 | Director             |       1       |    1    |
+      |  2 | Systems Analyst      |       1       |    2    |
+      |  3 | Bartender            |       2       |    3    |
+      |  4 | Director             |       3       |    4    |
+      |  5 | Social Media Manager |       3       |    5    |
+
+    Given I have the following Document records
+      | name              | acl                                                    |
+      | ICT Status Report | {"department:ICT":"reader", "position:1":"writer"}     |
+      | ICT Budget Report | {"position:1":"writer"}                                |
+      | Cafeteria Menu    | {"position:3":"writer", "authenticated:Eaco::Cucumber::ActiveRecord::User":"reader"} |
+      | Tim's Web Project | {"user:5":"writer", "position:2":"reader"}             |
+
+  Scenario: The Director can access confidential document
+    When I am "Dennis Ritchie"
+    Then I can read the Document "ICT Status Report" being a writer
+     And I can write the Document "ICT Budget Report" being a writer
+     And I can read the Document "Cafeteria Menu" being a reader
+     But I can not read the Document "Tim's Web Project"
+    When I ask for Documents I can access, I get
+       | ICT Status Report |
+       | ICT Budget Report |
+       | Cafeteria Menu    |
+
+  Scenario: Rob can see Tim's document
+    When I am "Rob Pike"
+    Then I can read the Documents "ICT Status Report, Tim's Web Project" being a reader
+     But I can not write the Document "Tim's Web Project" being a reader
+    When I ask for Documents I can access, I get
+       | ICT Status Report |
+       | Tim's Web Project |
+       | Cafeteria Menu    |
+
+  Scenario: Tim can work on his project
+    When I am "Tim Berners-Lee"
+    Then I can not read the Document "ICT Status Report, ICT Budget Report"
+     And I can read the Document "Tim's Web Project" being a writer
+     And I can write the Document "Tim's Web Project" being a writer
+    When I ask for Documents I can access, I get
+       | Tim's Web Project |
+       | Cafeteria Menu    |
+
+  Scenario: Bill is maintaining the Cafeteria Menu
+    When I am "William Gates"
+    Then I can not read the Documents "ICT Status Report, ICT Budget Report, Tim's Web Project"
+     But I can write the Document "Cafeteria Menu" being a writer
+    When I ask for Documents I can access, I get
+       | Cafeteria Menu    |
+
+  Scenario: Steve can just read the menu
+    When I am "Steve Jobs"
+    Then I can not read the Documents "ICT Status Report, ICT Budget Report, Tim's Web Project"
+     And I can not write the Document "Cafeteria Menu" being a reader
+     But I can read the Document "Cafeteria Menu" being a reader
+    When I ask for Documents I can access, I get
+       | Cafeteria Menu    |
+
+  Scenario: Resolving a specific user
+    When I parse the Designator "user:4"
+    Then it should describe itself as "User 'Steve Jobs'"
+     And it should have a label of "User"
+     And it should resolve itself to
+       | Steve Jobs |
+
+  Scenario: Resolving the ICT Director
+    When I make a Designator with "position" and "1"
+    Then it should describe itself as "Director in ICT"
+     And it should have a label of "Position"
+     And it should resolve itself to
+      | Dennis Ritchie |
+
+  Scenario: Resolving the ICT Department
+    When I parse the Designator "department:ICT"
+    Then it should describe itself as "ICT"
+     And it should have a label of "Department"
+     And it should resolve itself to
+      | Dennis Ritchie |
+      | Rob Pike       |
+
+  Scenario: Resolving all authenticated users
+    When I make a Designator with "authenticated" and "Eaco::Cucumber::ActiveRecord::User"
+    Then it should describe itself as "Any authenticated user"
+     And it should have a label of "Any user"
+     And it should resolve itself to
+       | Dennis Ritchie  |
+       | Rob Pike        |
+       | William Gates   |
+       | Steve Jobs      |
+       | Tim Berners-Lee |
+
+  Scenario: Resolving different designators
+    When I have the following designators
+      | department:ICT |
+      | position:3     |
+      | user:1         |
+    Then they should resolve to
+      | Dennis Ritchie  |
+      | Rob Pike        |
+      | William Gates   |
+
+  Scenario: Resolving an invalid designator
+    When I parse the invalid Designator "foo:on the rocks"
+    Then I should receive a Designator error Eaco::Error saying
+    """
+    Designator not found: "foo"
+    """
+
+  Scenario: Obtaining labels for roles
+    When I ask the Document the list of roles and labels
+    Then I should get the following roles and labels
+      | writer | R/W   |
+      | reader | R/O   |

data/features/rails_integration.feature

@@ -8,4 +8,4 @@ Feature: Rails integration
      """
 
   Scenario:
-    Then I should be able to set an ACL on it
+    Then I should be able to set an ACL on the Document

data/features/role_based_authorization.feature

@@ -18,25 +18,48 @@ Feature: Role-Based authorization
     And I have an User actor defined as
      """
      actor $MODEL do
+       admin do |user|
+         user.admin?
+       end
+
        designators do
          user from: :id
        end
      end
      """
-    Given I have an actor named Bob
-      And I have an actor named Tom
+    Given I have an User actor named "Bob"
+      And I have an User actor named "Tom"
 
   Scenario: Discretionary access to a Resource
     When I have a confidential Document named "Supa Dupa Fly"
-     And I grant Bob access to "Supa Dupa Fly" as a reader in quality of user
-    Then Bob should be able to read "Supa Dupa Fly"
-     And Tom should not be able to read "Supa Dupa Fly"
+     And I grant Bob access to Document "Supa Dupa Fly" as a reader in quality of user
+    Then Bob should be able to read Document "Supa Dupa Fly"
+     But Bob should not be able to write Document "Supa Dupa Fly"
+     And Tom should not be able to read Document "Supa Dupa Fly"
+     But I revoke Bob access to Document "Supa Dupa Fly" in quality of user
+    Then Bob should not be able to read Document "Supa Dupa Fly"
 
   Scenario: Extraction of accessible Resources
     When I have a confidential Document named "Strategic Plan"
-     And I grant Bob access to "Strategic Plan" as a reader in quality of user
+     And I grant Bob access to Document "Strategic Plan" as a reader in quality of user
      And I have a confidential Document named "For Tom"
-     And I grant Tom access to "For Tom" as a reader in quality of user
+     And I grant Tom access to Document "For Tom" as a reader in quality of user
      And I have a confidential Document named "For no one"
     Then Bob can see only "Strategic Plan" in the Document authorized list
      And Tom can see only "For Tom" in the Document authorized list
+
+  Scenario: Admin can see everything
+    When I have an admin User actor named "Boss"
+     And I have a confidential Document named "For Bob"
+     And I grant Bob access to Document "For Bob" as a reader in quality of user
+     And I have a confidential Document named "For no one"
+    Then Bob can see only "For Bob" in the Document authorized list
+     But Boss can see "For Bob, For no one" in the Document authorized list
+
+  Scenario: Handling invalid roles
+    When I have a confidential Document named "Foo Bar"
+     And I grant Bob access to Document "Foo Bar" as an invalid role frupper in quality of zomg
+    Then I should receive a Resource error Eaco::Error saying
+    """
+    The `frupper' role is not valid for .+Document' objects. Valid roles are: `reader, writer'
+    """

data/features/step_definitions/actor_steps.rb

@@ -1,37 +1,41 @@
-Given(/I have an (\w+) actor defined as/) do |model_name, author_definition|
-  @actor_model = find_model(model_name)
-
-  eval_dsl author_definition, @actor_model
+Given(/I have an (\w+) actor defined as/) do |model_name, actor_definition|
+  authorize_model model_name, actor_definition
 end
 
-Given(/I have an actor named (\w+)/) do |actor_name|
-  actor = @actor_model.new
-  actor.name = actor_name
-  actor.save!
+Given(/I have an (\w+) actor named "(.+?)"/) do |model_name, actor_name|
+  register_actor model_name, actor_name
+end
 
-  @actors ||= {}
-  @actors[actor_name] = actor
+Given(/I have an admin (\w+) actor named "(.+?)"/) do |model_name, actor_name|
+  register_actor model_name, actor_name, admin: true
 end
 
-When(/I grant (\w+) access to "(.+?)" as a (\w+) in quality of (\w+)/) do |actor_name, resource_name, role_name, designator|
-  actor = @actors.fetch(actor_name)
-  @resources[resource_name].grant role_name, designator, actor
-  @resources[resource_name].save!
+When(/I grant (\w+) access to (\w+) "(.+?)" as a (\w+) in quality of (\w+)/) do |actor_name, resource_model, resource_name, role_name, designator|
+  actor = fetch_actor(actor_name)
+  resource = fetch_resource(resource_model, resource_name)
+
+  resource.grant role_name, designator, actor
+  resource.save!
 end
 
-Then(/^(\w+) should be able to (\w+) "(.+?)"$/) do |actor_name, permission_name, resource_name|
-  actor = @actors.fetch(actor_name)
-  resource = @resources.fetch(resource_name)
+When(/I revoke (\w+) access to (\w+) "(.+?)" in quality of (\w+)/) do |actor_name, resource_model, resource_name, designator|
+  actor = fetch_actor(actor_name)
+  resource = fetch_resource(resource_model, resource_name)
 
-  unless actor.can? permission_name, resource
-    raise "Expected #{actor_name} to be able to #{permission_name} #{resource_name}"
-  end
+  resource.revoke designator, actor
+  resource.save!
 end
 
-Then(/^(\w+) should not be able to (\w+) "(.+?)"$/) do |actor_name, permission_name, resource_name|
-  actor = @actors.fetch(actor_name)
-  unless actor.cannot? permission_name, @resources.fetch(resource_name)
-    raise "Expected #{actor_name} to not be able to #{permission_name} #{resource_name}"
-  end
+Then(/^(\w+) should be able to (\w+) (\w+) "(.+?)"$/) do |actor_name, permission_name, resource_model, resource_name|
+  actor = fetch_actor(actor_name)
+  resource = fetch_resource(resource_model, resource_name)
+
+  expect(actor.can?(permission_name, resource)).to be(true)
 end
 
+Then(/^(\w+) should not be able to (\w+) (\w+) "(.+?)"$/) do |actor_name, permission_name, resource_model, resource_name|
+  actor = fetch_actor(actor_name)
+  resource = fetch_resource(resource_model, resource_name)
+
+  expect(actor.cannot?(permission_name, resource)).to be(true)
+end