eaco 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2c8f2901fb8524328d3e14a6c08607c553912b7a
-  data.tar.gz: cf36cc16c76467699d29576720a06e1ca612663e
+  metadata.gz: 9384ef5a98077f6557e1e69eb7f54fb0463d35d5
+  data.tar.gz: 5728d953f8b9aef185fc97a84ae1a236c35ae9eb
 SHA512:
-  metadata.gz: 0bf06b2c70e7dda0a6790d89d7b5e23ce0ebe97e49026001bff0af29f69844eeb7a5b8c1f54f8d01151d86e7d4b4a9911301ef2edbdafac1958cccfdf6be3522
-  data.tar.gz: 2c1c4a9acc88bd4b814e99e1110cabe9e5f5622f29183a90c95180ba378887463091eec7d58dd88436cdb843f1e296b8cd5708adc82062ecf9d866375f22e8ae
+  metadata.gz: 7f5c5de62937bef96163b634a895903cdc4fa76368ac7b1dc56765d395bb5445ca0c41e3ef9b49c6992b5dda264210ecb50b79613a574c31887ec7da83d35aec
+  data.tar.gz: 15d230d2416a2fd7a0ddaf5479433759d494d7a285944d38606f05630567a321f0baf4a787ecbd4a993ff155a9d1031a66c53fb97dbb9ba5876f9ba6b6801b47

data/Guardfile

@@ -34,5 +34,5 @@ end
 
 guard :shell do
   # Rerun scenarios when source code changes
-  watch(%r{^lib/.+\.rb$}) { system 'cucumber' }
+  watch(%r{^lib/.+\.rb$}) { system 'cucumber -f progress' }
 end

data/README.md

@@ -1,7 +1,7 @@
 # Eaco
 
 [![Build Status](https://travis-ci.org/ifad/eaco.svg)](https://travis-ci.org/ifad/eaco)
-[![Coverage Status](https://coveralls.io/repos/ifad/eaco/badge.svg)](https://coveralls.io/r/ifad/eaco) (*currently writing specs*)
+[![Coverage Status](https://coveralls.io/repos/ifad/eaco/badge.svg)](https://coveralls.io/r/ifad/eaco)
 [![Code Climate](https://codeclimate.com/github/ifad/eaco/badges/gpa.svg)](https://codeclimate.com/github/ifad/eaco)
 [![Inline docs](http://inch-ci.org/github/ifad/eaco.svg?branch=master)](http://inch-ci.org/github/ifad/eaco)
 [![Gem Version](https://badge.fury.io/rb/eaco.svg)](http://badge.fury.io/rb/eaco)

data/features/enterprise_authorization.feature

@@ -58,6 +58,25 @@ Feature: Role-based, flexible authorization
       | Cafeteria Menu    | {"position:3":"writer", "authenticated:Eaco::Cucumber::ActiveRecord::User":"reader"} |
       | Tim's Web Project | {"user:5":"writer", "position:2":"reader"}             |
 
+  Scenario: Granting access in batches
+    When I have a confidential Document named "For BAR and ICT"
+     And I grant access to Document "For BAR and ICT" to the following designators as reader
+       | department:BAR |
+       | department:ICT |
+    When I am "Dennis Ritchie"
+    Then I can read the Document "For BAR and ICT" being a reader
+     But I can not write the Document "For BAR and ICT" being a reader
+    When I am "Rob Pike"
+    Then I can read the Document "For BAR and ICT" being a reader
+     But I can not write the Document "For BAR and ICT" being a reader
+    When I am "William Gates"
+    Then I can read the Document "For BAR and ICT" being a reader
+     But I can not write the Document "For BAR and ICT" being a reader
+    When I am "Steve Jobs"
+    Then I can not read the Document "For BAR and ICT"
+     And I can not write the Document "For BAR and ICT"
+
+
   Scenario: The Director can access confidential document
     When I am "Dennis Ritchie"
     Then I can read the Document "ICT Status Report" being a writer
@@ -106,6 +125,7 @@ Feature: Role-based, flexible authorization
     When I parse the Designator "user:4"
     Then it should describe itself as "User 'Steve Jobs'"
      And it should have a label of "User"
+     And it should serialize to JSON as {"label": "User 'Steve Jobs'", "value": "user:4"}
      And it should resolve itself to
        | Steve Jobs |
 
@@ -113,6 +133,7 @@ Feature: Role-based, flexible authorization
     When I make a Designator with "position" and "1"
     Then it should describe itself as "Director in ICT"
      And it should have a label of "Position"
+     And it should serialize to JSON as {"label": "Director in ICT", "value": "position:1"}
      And it should resolve itself to
       | Dennis Ritchie |
 
@@ -120,6 +141,7 @@ Feature: Role-based, flexible authorization
     When I parse the Designator "department:ICT"
     Then it should describe itself as "ICT"
      And it should have a label of "Department"
+     And it should serialize to JSON as {"label": "ICT", "value": "department:ICT"}
      And it should resolve itself to
       | Dennis Ritchie |
       | Rob Pike       |
@@ -128,6 +150,7 @@ Feature: Role-based, flexible authorization
     When I make a Designator with "authenticated" and "Eaco::Cucumber::ActiveRecord::User"
     Then it should describe itself as "Any authenticated user"
      And it should have a label of "Any user"
+     And it should serialize to JSON as {"label": "Any authenticated user", "value": "authenticated:Eaco::Cucumber::ActiveRecord::User"}
      And it should resolve itself to
        | Dennis Ritchie  |
        | Rob Pike        |
@@ -152,8 +175,76 @@ Feature: Role-based, flexible authorization
     Designator not found: "foo"
     """
 
+  Scenario: Obtaining the role of a valid designator
+    When I parse the Designator "department:ICT"
+    Then its role on the Document "ICT Status Report" should be reader
+     And its role on the Documents "Cafeteria Menu, ICT Budget Report, Tim's Web Project" should be nil
+    When I make a Designator with "position" and "1"
+    Then its role on the Documents "ICT Status Report, ICT Budget Report" should be writer
+     And its role on the Documents "Cafeteria Menu, Tim's Web Project" should be nil
+
+  Scenario: Obtaining the role of an invalid object
+    When I have a plain object as a Designator
+    Then its role on the Document "ICT Status Report" should give an Eaco::Error error saying
+    """
+    role_of expects .+Object.+ to be a Designator or to .+respond_to.+:designators
+    """
+
   Scenario: Obtaining labels for roles
     When I ask the Document the list of roles and labels
     Then I should get the following roles and labels
       | writer | R/W   |
       | reader | R/O   |
+
+  Scenario: Authorizing a controller
+    When I have an authorized Controller defined as
+    """
+      before_filter :find_document
+
+      authorize :show, [:document, :read ]
+      authorize :edit, [:document, :write]
+
+      def show
+        head :ok
+      end
+
+      def edit
+        head :ok
+      end
+
+      private
+
+      def find_document
+        @document = Eaco::Cucumber::ActiveRecord::Document.where(name: params[:name]).first
+      end
+    """
+    When I am "Dennis Ritchie"
+     And I invoke the Controller "show" action with query string "name=ICT Status Report"
+    Then the Controller should not raise an error
+     And I invoke the Controller "edit" action with query string "name=ICT Status Report"
+    Then the Controller should not raise an error
+
+    When I am "Rob Pike"
+     And I invoke the Controller "show" action with query string "name=ICT Status Report"
+    Then the Controller should not raise an error
+     And I invoke the Controller "edit" action with query string "name=ICT Status Report"
+    Then the Controller should raise an Eaco::Forbidden error saying
+    """
+    User.+not authorized to `edit' on .+Document
+    """
+
+    When I am "William Gates"
+     And I invoke the Controller "edit" action with query string "name=Cafeteria Menu"
+    Then the Controller should not raise an error
+     And I invoke the Controller "show" action with query string "name=ICT Status Report"
+    Then the Controller should raise an Eaco::Forbidden error saying
+    """
+    User.+not authorized to `show' on .+Document
+    """
+
+    When I am "Steve Jobs"
+     And I invoke the Controller "show" action with query string "name=One More Thing"
+    Then the Controller should raise an Eaco::Error error saying
+    """
+    @document is not set, can't authorize .+show
+    """

data/features/step_definitions/actor_steps.rb

@@ -18,6 +18,14 @@ When(/I grant (\w+) access to (\w+) "(.+?)" as a (\w+) in quality of (\w+)/) do
   resource.save!
 end
 
+When(/I grant access to (\w+) "(.+?)" to the following designators as (\w+)/) do |resource_model, resource_name, role, table|
+  resource = fetch_resource(resource_model, resource_name)
+  designators = table.raw.flatten.map {|d| Eaco::Designator.parse(d) }
+
+  resource.batch_grant role, designators
+  resource.save!
+end
+
 When(/I revoke (\w+) access to (\w+) "(.+?)" in quality of (\w+)/) do |actor_name, resource_model, resource_name, designator|
   actor = fetch_actor(actor_name)
   resource = fetch_resource(resource_model, resource_name)

data/features/step_definitions/controller_steps.rb

@@ -0,0 +1,34 @@
+When(/I have an authorized Controller defined as/) do |controller_code|
+  require 'action_controller'
+  require 'eaco/controller'
+
+  @controller_class = Class.new(ActionController::Base)
+  @controller_class.send(:attr_accessor, :current_user)
+  @controller_class.instance_eval { include Eaco::Controller }
+  @controller_class.class_eval controller_code
+end
+
+When(/I invoke the Controller "(.+?)" action with query string "(.+?)"$/) do |action_name, query|
+  @controller  = @controller_class.new
+  @action_name = action_name
+
+  @controller.current_user = @current_user
+
+  @controller.request = ActionDispatch::TestRequest.new('QUERY_STRING' => query).tap do |request|
+    request.params.update('action' => @action_name)
+  end
+
+  @controller.response = ActionDispatch::TestResponse.new
+end
+
+Then(/the Controller should not raise an error/) do
+  expect { @controller.process @action_name }.to_not raise_error
+end
+
+Then(/the Controller should raise an (.+?) error saying/) do |error_class, error_contents|
+  error_class = error_class.constantize
+
+  expect { @controller.process @action_name }.to \
+    raise_error(error_class).
+    with_message(/#{error_contents}/)
+end

data/features/step_definitions/enterprise_steps.rb

@@ -5,22 +5,14 @@ When(/I am "(.+?)"$/) do |user_name|
 end
 
 Then(/I can (\w+) the Documents? "(.+?)" being a (\w+)$/) do |permission, document_names, role|
-  model = find_model('Document')
-  names = document_names.split(/,\s*/)
-  documents = model.where(name: names)
-
-  documents.each do |document|
+  check_documents document_names do |document|
     expect(@current_user.can?(permission, document)).to eq(true)
     expect(document.role_of(@current_user)).to eq(role.intern)
   end
 end
 
 Then(/I can not (\w+) the Documents? "(.+?)" *(?:being a (\w+))?$/) do |permission, document_names, role|
-  model = find_model('Document')
-  names = document_names.split(/,\s*/)
-  documents = model.where(name: names)
-
-  documents.each do |document|
+  check_documents document_names do |document|
     expect(@current_user.cannot?(permission, document)).to eq(true)
     expect(document.role_of(@current_user)).to eq(role ? role.intern : nil)
   end
@@ -41,10 +33,20 @@ When(/I parse the Designator "(.+?)"/) do |text|
   @designator = Eaco::Designator.parse(text)
 end
 
+When(/I have a plain object as a Designator/) do
+  @designator = Object.new
+end
+
 Then(/it should describe itself as "(.+?)"/) do |description|
   expect(@designator.describe).to eq(description)
 end
 
+Then(/it should serialize to JSON as (.+?)$/) do |json|
+  json = MultiJson.load(json).symbolize_keys
+
+  expect(@designator.as_json).to eq(json)
+end
+
 Then(/it should have a label of "(.+?)"/) do |label|
   expect(@designator.label).to eq(label)
 end
@@ -66,6 +68,24 @@ Then(/they should resolve to/) do |table|
   expect(resolved.map(&:name)).to match_array(names)
 end
 
+Then(/its role on the Documents? "(.+?)" should be (\w+)/) do |document_names, role|
+  role = role == 'nil' ? nil : role.intern
+
+  check_documents document_names do |document|
+    expect(document.role_of(@designator)).to eq(role)
+  end
+end
+
+Then(/its role on the Documents? "(.+?)" should give an (.+?) error saying/) do |document_names, error_class, error_contents|
+  error_class = error_class.constantize
+
+  check_documents document_names do |document|
+    expect { document.role_of(@designator) }.to \
+      raise_error(error_class).
+      with_message(/#{error_contents}/)
+  end
+end
+
 When(/I ask the Document the list of roles and labels/) do
   model = find_model('Document')
 

data/lib/eaco/adapters/couchrest_model.rb

@@ -9,6 +9,8 @@ module Eaco
     # @see ACL
     # @see CouchDBLucene
     #
+    # :nocov: because there are too many moving parts here and anyway we are
+    # going to deprecate this in favour of jsonb
     module CouchrestModel
       autoload :CouchDBLucene, 'eaco/adapters/couchrest_model/couchdb_lucene'
 
@@ -32,6 +34,7 @@ module Eaco
         end
       end
     end
+    # :nocov:
 
   end
 end

data/lib/eaco/adapters/couchrest_model/couchdb_lucene.rb

@@ -48,6 +48,8 @@ module Eaco
       # @see Actor
       # @see Resource
       #
+      # :nocov: because there are too many moving parts here and anyway we are
+      # going to deprecate this in favour of jsonb
       module CouchDBLucene
 
         ##
@@ -58,13 +60,14 @@ module Eaco
         # @return [CouchRest::Model::Search::View] the authorized collection scope.
         #
         def accessible_by(actor)
-         return search(nil) if actor.is_admin?
+          return search(nil) if actor.is_admin?
 
-         designators = actor.designators.map {|item| '"%s"' % item }
+          designators = actor.designators.map {|item| '"%s"' % item }
 
-         search "acl:(#{designators.join(' OR ')})"
+          search "acl:(#{designators.join(' OR ')})"
         end
       end
+      # :nocov:
 
     end
   end

data/lib/eaco/controller.rb

@@ -2,7 +2,7 @@ begin
   require 'active_support/concern'
 rescue LoadError
   # :nocov: This is falsely true during specs ran by Guard. FIXME.
-  abort 'Eaco::Controller requires activesupport. Please add it to Gemfile.'
+  abort 'Eaco::Controller requires actioncontroller. Please add it to Gemfile.'
   # :nocov:
 end
 
@@ -87,6 +87,8 @@ module Eaco
         end
     end
 
+    protected
+
     ##
     # Asks Eaco whether thou shalt pass or not.
     #

data/lib/eaco/cucumber/world.rb

@@ -220,7 +220,7 @@ module Eaco
         resources.fetch(model).fetch(name)
       rescue KeyError
         # :nocov:
-        raise "Resource #{model} '#{resource}' not found in registry"
+        raise "Resource #{model} '#{name}' not found in registry"
         # :nocov:
       end
 
@@ -243,6 +243,22 @@ module Eaco
         @resources ||= {}
       end
 
+      ##
+      # Checks the given block on the given set of +Document+
+      #
+      # @param names [String] the document names, separated by +,+
+      # @param block [Proc] the code to run on each +Document+
+      #
+      # @return [void]
+      #
+      # @see Eaco::Cucumber::ActiveRecord::Document
+      #
+      def check_documents(names, &block)
+        model = find_model('Document')
+        names = names.split(/,\s*/)
+        model.where(name: names).each(&block)
+      end
+
       ##
       # Returns a model in the {ActiveRecord} namespace.
       #

data/lib/eaco/designator.rb

@@ -175,7 +175,9 @@ module Eaco
       # @raise [NotImplementedError]
       #
       def search(query)
+        # :nocov:
         raise NotImplementedError
+        # :nocov:
       end
     end
 
@@ -224,7 +226,9 @@ module Eaco
     # @raise [NotImplementedError]
     #
     def resolve
+      # :nocov:
       raise NotImplementedError
+      # :nocov:
     end
 
     ##

data/lib/eaco/version.rb

@@ -2,6 +2,6 @@ module Eaco
 
   # Current version
   #
-  VERSION = '0.7.0'
+  VERSION = '0.8.0'
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: eaco
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Marcello Barnaba
@@ -217,6 +217,7 @@ files:
 - features/rails_integration.feature
 - features/role_based_authorization.feature
 - features/step_definitions/actor_steps.rb
+- features/step_definitions/controller_steps.rb
 - features/step_definitions/enterprise_steps.rb
 - features/step_definitions/error_steps.rb
 - features/step_definitions/fixture_steps.rb
@@ -319,6 +320,7 @@ test_files:
 - features/rails_integration.feature
 - features/role_based_authorization.feature
 - features/step_definitions/actor_steps.rb
+- features/step_definitions/controller_steps.rb
 - features/step_definitions/enterprise_steps.rb
 - features/step_definitions/error_steps.rb
 - features/step_definitions/fixture_steps.rb