express_access 1.0.0.a

data/app/views/express_access/routes/index.html.et

@@ -0,0 +1,20 @@
+pane(
+    title: "Routes for #{Rails.application.class.to_s.titleize}",
+    status: "#{ExpressAccess::Route.all.count} routes",
+    class: ['large-table-container']
+    ) {
+    smart_table(:routes,
+            actions: false,
+            sortable: ['Path', 'Endpoint', 'Description'],
+            columns: {
+              "Path" => :path_link,
+              "Endpoint" => :endp_link,
+              "Description" => :description_link,
+              "Applicable Permission" => -> (route) { route.permission ? (helpers.link_to route.permission.name, permission_path(route.permission.id)) : 'Any'},
+              "Roles" => -> (route) { route.permission ?
+              (route.permission.all_roles.map do |role|
+                helpers.link_to role.name, role_path(role.id)
+              end.join(", ")) : 'Anyone'
+              }
+    })
+}

data/app/views/express_access/routes/show.html.et

@@ -0,0 +1,46 @@
+pane(title: "Resource: #{route.verb} #{route.path}") {
+  dl {
+    dt { "Action:" }
+    dd { route.description }
+
+    dt { "Scope:" }
+    dd { "#{route.path.split('/').select {|part| part.match(/:/) }.join(', ')}" }
+
+    dt { "Endpoint:"}
+    dd { route.endp }
+
+    dt { "Protected by:" }
+    dd { route.permission ? link_to(route.permission.name, permission_path(route.permission)) : 'Not protected'}
+
+    dt { "Roles Permitted:" }
+    dd { route.permission ? route.permission.all_roles.map {|role| helpers.link_to role.name, role_path(role)}.join(", ").html_safe : "Anyone"}
+
+    dt { "Access Log:" }
+    dd {
+      if route.log.any?
+        route.log.each do |log|
+          if log.any?
+            log.each do |day, logs|
+              ul(class: 'circle'){
+                li { "#{day.strftime("%B %d, %Y")}" }
+                logs.each do |each_log|
+                  ul(class: 'no-bullet') {
+                    pane(status: each_log.created_at.strftime("%H:%M %Z")) {
+                      li { "By: #{each_log.user_email}" }
+                      li { "With Permission: #{each_log.permission_name}"}
+                     }
+                  }
+                end
+              }
+            end
+          else
+            li { "none" }
+          end
+        end
+      else
+        "none"
+      end
+    }
+
+  }
+}

data/app/views/express_access/users/index.html.et

@@ -0,0 +1,26 @@
+main_region {
+  h2 { 'Users' }
+  smart_table(:users, resource_class: "::User", resource_path: -> (user) { express_access.user_path(user) },
+      columns: {
+      "Email"               => :email_link,
+      "Sign In Count"       => :sign_in_count,
+      "Current Sign in At"  => :current_sign_in_at,
+      "Last Sign In At"     => :last_sign_in_at
+      })
+}
+sidebar_region {
+  pane(title: "User") {
+    smart_form(:user, resource_class: "::User", collection_path: -> { express_access.users_path },
+                                                resource_path: -> (user) { express_access.user_path(user) },
+        virtual: [:password, :password_confirmation],
+        exclude: [:encrypted_password,
+        :reset_password_token,
+        :reset_password_sent_at,
+        :remember_created_at,
+        :sign_in_count,
+        :current_sign_in_at,
+        :last_sign_in_at,
+        :current_sign_in_ip,
+        :last_sign_in_ip])
+  }
+}

data/app/views/express_access/users/show.html.et

@@ -0,0 +1,55 @@
+v_box {
+  h_box{
+    pane(title: "<strong>#{user.email}</strong>".html_safe) {
+      dl {
+        dt { "User Created At:" }
+        dd { user.created_at ? user.created_at.to_date : "unknown"}
+
+        dt { "Last Sign In:" }
+        dd { user.last_sign_in_at ? "#{time_ago_in_words(user.last_sign_in_at) << ' ago'}" : "never"}
+      }
+    }
+    v_box{
+      pane(title: "Roles of #{user.email}") {
+      smart_table(:user_roles,
+          collection: -> { user.user_roles },
+          columns: {"Name"               => -> (role) { helpers.link_to role.name, role_path(role.role_id) },
+                    "Date Assigned"      => :created_at_in_words})
+      }
+
+      pane(title: "All Permissions for #{user.email}") {
+      smart_table(:user_permissions, actions: false,
+        collection: -> { user.user_permissions.sort_by(&:name) },
+        columns: {
+        'Permissions' => -> (permission) { helpers.link_to permission.name, permission_path(permission.permission_id)},
+        'Date Assigned' => :created_at_in_words }) # not yet correct date
+      }
+    }
+  }
+
+  pane(title: "Resources Access for #{user.email}", class: 'large-table-container') {
+  smart_table(:routes, actions: false,
+      collection: -> { user.permissions.flat_map { |permission| permission.all_routes } },
+      columns: {
+      "Path" => :path_link,
+      "Endpoint" => :endp_link,
+      "Description" => :description_link
+      })
+  }
+}
+
+v_box {
+  pane(title: 'Edit User') {
+    smart_form(:user, resource_class: "::User", resource_path: -> (user) { express_access.user_path(user) },
+        virtual: [:password, :password_confirmation],
+        exclude: [:encrypted_password,
+        :reset_password_token,
+        :reset_password_sent_at,
+        :remember_created_at,
+        :sign_in_count,
+        :current_sign_in_at,
+        :last_sign_in_at,
+        :current_sign_in_ip,
+        :last_sign_in_ip])
+  }
+}

data/app/views/layouts/express_access/admin.html.et

@@ -0,0 +1 @@
+render(template: 'layouts/express_admin/admin')

data/app/views/layouts/express_access/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>ExpressAccess</title>
+  <%= stylesheet_link_tag    "express_access/application", media: "all" %>
+  <%= javascript_include_tag "express_access/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/initializers/mount_engine.rb

@@ -0,0 +1,3 @@
+ExpressAdmin::Routes.register do |routes|
+  routes.mount ExpressAccess::Engine, at: ExpressAccess::Engine.config.express_access_mount_point
+end

data/config/menu.yml

@@ -0,0 +1,18 @@
+title: 'Express Access'
+path: 'express_access.users_path'
+items:
+  -
+    title: 'Users'
+    path: 'express_access.users_path'
+
+  -
+    title: 'Roles'
+    path: 'express_access.roles_path'
+
+  -
+    title: 'Permissions'
+    path: 'express_access.permissions_path'
+
+  -
+    title: 'Routes'
+    path: 'express_access.routes_path'

data/config/routes.rb

@@ -0,0 +1,6 @@
+ExpressAccess::Engine.routes.draw do
+  resources :permissions, except: [:edit]
+  resources :users, except: [:edit]
+  resources :roles, except: [:edit]
+  resources :routes, except: [:edit]
+end

data/db/migrate/20141029223053_create_express_access_roles.rb

@@ -0,0 +1,10 @@
+class CreateExpressAccessRoles < ActiveRecord::Migration
+  def change
+    create_table :express_access_roles do |t|
+      t.string :name
+      t.integer :parent_id
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20141029223158_create_express_access_permissions.rb

@@ -0,0 +1,9 @@
+class CreateExpressAccessPermissions < ActiveRecord::Migration
+  def change
+    create_table :express_access_permissions do |t|
+      t.string :name
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20141029223233_create_express_access_role_permissions.rb

@@ -0,0 +1,10 @@
+class CreateExpressAccessRolePermissions < ActiveRecord::Migration
+  def change
+    create_table :express_access_role_permissions do |t|
+      t.integer :role_id
+      t.integer :permission_id
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20141029223250_create_express_access_user_permissions.rb

@@ -0,0 +1,10 @@
+class CreateExpressAccessUserPermissions < ActiveRecord::Migration
+  def change
+    create_table :express_access_user_permissions do |t|
+      t.integer :user_id
+      t.integer :permission_id
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20150528222337_create_express_access_user_roles.rb

@@ -0,0 +1,9 @@
+class CreateExpressAccessUserRoles < ActiveRecord::Migration
+  def change
+    create_table :express_access_user_roles do |t|
+      t.integer :user_id
+      t.integer :role_id
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20150609124815_add_description_to_role.rb

@@ -0,0 +1,5 @@
+class AddDescriptionToRole < ActiveRecord::Migration
+  def change
+    add_column :express_access_roles, :description, :string
+  end
+end

data/db/migrate/20150914023030_create_express_access_audit_logs.rb

@@ -0,0 +1,15 @@
+class CreateExpressAccessAuditLogs < ActiveRecord::Migration
+  def change
+    create_table :express_access_audit_logs do |t|
+      t.string  :user_email
+      t.string  :permission_name
+      t.string  :request_path
+      t.boolean :granted
+      t.string  :controller_name
+      t.string  :action_name
+      t.string  :ip_address
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20150921063153_add_after_sign_in_path_to_role.rb

@@ -0,0 +1,5 @@
+class AddAfterSignInPathToRole < ActiveRecord::Migration
+  def change
+    add_column :express_access_roles, :after_sign_in_path, :string
+  end
+end

data/lib/express_access/after_sign_in_filter.rb

@@ -0,0 +1,7 @@
+module ExpressAccess
+  module AfterSignInFilter
+    def after_sign_in_path_for(user)
+      stored_location_for(user) || user.after_sign_in_path || root_path
+    end
+  end
+end

data/lib/express_access/authorization_filter.rb

@@ -0,0 +1,39 @@
+module ExpressAccess
+  class AuthorizationFilter
+    def self.before(controller)
+      if permission = ExpressAccess::Permission.for(controller: controller.request.params[:controller],
+                                                      action: controller.request.params[:action],
+                                                        path: controller.request.path)
+        if controller.current_user
+          unless controller.current_user.has?(permission)
+            Rails.logger.info("DOES NOT HAVE PERMISSION #{permission.name}")
+            AuditLog.create(user_email: controller.current_user.email,
+                            permission_name: permission.name,
+                            request_path: controller.request.path,
+                            granted: false,
+                            controller_name: controller.controller_path,
+                            action_name: controller.action_name,
+                            ip_address: controller.request.env['REMOTE_ADDR'])
+            controller.access_authorization_failed!
+          else
+            Rails.logger.info("HAS PERMISSION #{permission.name}")
+            AuditLog.create(user_email: controller.current_user.email,
+                            permission_name: permission.name,
+                            request_path: controller.request.path,
+                            granted: true,
+                            controller_name: controller.controller_path,
+                            action_name: controller.action_name,
+                            ip_address: controller.request.env['REMOTE_ADDR'])
+            nil # success
+          end
+        else
+          if defined?(Devise)
+            controller.authenticate_user!
+          else
+            controller.access_authorization_failed!
+          end
+        end
+      end
+    end
+  end
+end

data/lib/express_access/engine.rb

@@ -0,0 +1,12 @@
+require 'express_admin'
+
+module ExpressAccess
+  class Engine < ::Rails::Engine
+    ExpressAccess::Engine.config.express_access_mount_point = '/admin/access'
+    initializer :assets do |config|
+      Rails.application.config.assets.precompile += %w( express_access.css express_access/admin.js express_access/admin.css ) 
+    end
+    include ::ExpressAdmin::Menu::Loader
+    isolate_namespace ExpressAccess
+  end
+end

data/lib/express_access/route.rb

@@ -0,0 +1,127 @@
+require 'request_store'
+module ExpressAccess
+  class Route
+    attr :name, :verb, :path, :endp, :reqs
+
+    def initialize(name, verb, path, endp, reqs = nil)
+      @name, @verb, @path, @endp, @reqs = name, verb, path, endp, reqs
+    end
+
+    def self.find(id)
+      @routes ||= all.inject({}) {|hash, route| hash[route.id] = route; hash}
+      @routes[id]
+    end
+
+    def self.columns
+      [OpenStruct.new(name: :name),
+        OpenStruct.new(name: :verb),
+        OpenStruct.new(name: :path),
+        OpenStruct.new(name: :endp),
+        OpenStruct.new(name: :reqs)]
+    end
+
+    def status_for_role(role)
+      if perm = permission
+        if role.permissions.include?(perm)
+          "granted"
+        else
+          "denied"
+        end
+      else
+        ""
+      end
+    end
+
+    def id
+      path.slice(1..-1).split('/').unshift(verb).join('-').downcase
+    end
+
+    alias :to_param :id
+
+    # these should be decorators
+    def description
+      if action.eql?('index')
+        "#{action_phrase.capitalize} #{object_phrase.titleize.pluralize}"
+      else
+        "#{action_phrase.capitalize} #{object_phrase.titleize}"
+      end
+    end
+
+    def article
+      (object_phrase.match(/^[aeiou]/) &&
+             !object_phrase.match(/^user/)) ? 'an' : 'a'
+    end
+
+    def action_phrase
+      ({
+              'new'    => "view the form for a new",
+              'edit'   => "view the form to edit #{article}",
+              'update' => "update #{article}",
+              'show'   => "show details for #{article}",
+              'destroy'=> "delete #{article}",
+              'create' => "create a new",
+              'index'  => "view a list of"
+            }[action] || action.pluralize)
+    end
+
+    def object_phrase
+      controller.split('/').last.singularize rescue 'Unknown'
+    end
+
+    def controller
+      endp.split('#').first || 'None'
+    end
+
+    def action
+      endp.split('#').last || 'None'
+    end
+
+    def permission
+      @permission ||= Permission.for(controller: controller, action: action, path: path)
+    end
+
+    def log
+      @log ||= AuditLog.for(endp)
+    end
+
+    class Formatter
+      attr :routes
+      attr :engines
+      def initialize
+        @routes = []
+        @engine_paths = {}
+      end
+      def result
+        @routes
+      end
+
+      def header(routes) ; end
+      def section_title(title) ; end
+      def no_routes ; end
+
+      def section(routes)
+        @routes += routes.map do |route|
+          endpoint = route[:reqs].match(/^(\S+)/).try(:[], 0)
+          requirements = route[:reqs].match(/^\S+\s(.*)/).try(:[], 1)
+          path = route[:path].gsub(/\(\.:format\)/, '')
+          if possible_engine = (endpoint.classify.constantize rescue nil)
+            if possible_engine.ancestors.include?(::Rails::Engine)
+              @engine_paths[endpoint.split("::").first.underscore] = path
+            end
+          end
+          if engine_path = @engine_paths[endpoint.split(/[\#\/]/).first]
+            path = [engine_path, path].join unless engine_path.eql?('/')
+          end
+          Route.new(route[:name], route[:verb], path, endpoint, requirements)
+        end
+      end
+    end
+
+    def self.all
+      RequestStore.store[:all_routes] ||= begin
+        inspector = ActionDispatch::Routing::RoutesInspector.new(Rails.application.routes.set)
+        inspector.format(Formatter.new)
+      end
+    end
+  end
+end

data/lib/express_access/user.rb

@@ -0,0 +1,79 @@
+require 'set'
+module ExpressAccess
+  module User
+    def self.included(base)
+      base.class_eval do
+        include InstanceMethods
+
+        has_many :user_permissions, class_name: "::ExpressAccess::UserPermission"
+
+        has_many :direct_permissions,    through: :user_permissions,
+                                         source: :permission,
+                                         class_name: "::ExpressAccess::Permission"
+
+        has_many :user_roles, class_name: "::ExpressAccess::UserRole"
+
+        has_many :roles,   through: :user_roles,
+                           source: :role,
+                           class_name: "::ExpressAccess::Role"
+      end
+    end
+
+    module InstanceMethods
+
+      def role_permissions
+        roles.map(&:permissions).flatten
+      end
+
+      def permissions
+        (direct_permissions + role_permissions).to_set
+      end
+
+      def may?(permission_name)
+        if Permission[permission_name].nil?
+          true
+        else
+          permissions.map(&:name).include?(permission_name.to_s)
+        end
+      end
+
+      alias may_do? may?
+      alias may_use? may?
+
+      def has?(permission)
+        raise "not a permission" unless permission.kind_of?(Permission)
+        may?(permission.name)
+      end
+
+
+      def method_missing(*args)
+        name = args.first
+        if (action = name.to_s.match(/^may_(\w+)?/).try(:[], 1)) && args.size.eql?(2)
+          may?("#{args[1]}##{action}")
+        else
+          super(*args)
+        end
+      end
+
+      def name
+        super.send(:name) rescue email
+      end
+
+      def after_sign_in_path
+        return nil if role_with_after_sign_in_paths.nil?
+
+        role_with_after_sign_in_paths.after_sign_in_path
+      end
+
+      private
+
+      # The decision to keep this simple for now assume two things:
+      # 1. The user, more often than not, would only contain the most specific role. This means that it is unlikely that a user would have roles which have an ancestor-descendant relationship with each other. It would get a bit more complex though when we think about adding direct permissions to the roles.
+      # 2. If we have roles which are unrelated to each other and is possessed by a user, we wouldn't really be able to determine the user's preffered after_sign_in_path. This means that we just choose from any of those. We could also allow a per-user after_sign_in_path setting if possible for better fine tuning.
+
+      def role_with_after_sign_in_paths
+        roles.where.not(after_sign_in_path: nil).first
+      end
+    end
+  end
+end

data/lib/express_access/version.rb

@@ -0,0 +1,3 @@
+module ExpressAccess
+  VERSION = "1.0.0.a"
+end

data/lib/express_access.rb

@@ -0,0 +1,51 @@
+require "express_access/engine"
+require 'express_access/user'
+require 'express_access/authorization_filter'
+require 'express_access/route'
+require 'express_access/after_sign_in_filter'
+
+module ExpressAccess
+  def self.initialize!
+    setup!
+
+    ActionDispatch::Reloader.to_prepare do
+      ExpressAccess.setup!
+    end
+  end
+
+  def self.initialize_user!
+    User unless defined? ::User
+
+    ::User.include ExpressAccess::User unless ::User.ancestors.include?(ExpressAccess::User)
+    puts "Added ExpressAccess::User to User" unless Rails.env.test?
+  end
+
+  def self.initialize_filter!
+    unless ActionController::Base.method_defined? 'access_authorization_failed!'
+      ActionController::Base.class_eval do
+        before_filter ExpressAccess::AuthorizationFilter
+
+        def access_authorization_failed!
+          render :not_authorized, body: "Not authorized"
+        end
+      end
+      puts "Added ExpressAccess::AuthorizationFilter to ActionController::Base" unless Rails.env.test?
+    end
+  end
+
+  def self.initialize_after_sign_in_filter!
+    return nil if !defined?(Devise)
+
+    ApplicationController.include ExpressAccess::AfterSignInFilter
+    puts "Added ExpressAccess::AfterSignInFilter to ApplicationController" unless Rails.env.test?
+  end
+
+  private
+
+    def self.setup!
+      initialize_user!
+      initialize_filter!
+      initialize_after_sign_in_filter!
+    end
+end
+

data/lib/generators/express_access/install/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Explain the generator
+
+Example:
+    rails generate install Thing
+
+    This will create:
+        what/will/it/create

data/lib/generators/express_access/install/install_generator.rb

@@ -0,0 +1,10 @@
+class ExpressAccess::InstallGenerator < Rails::Generators::Base
+  source_root File.expand_path('../templates', __FILE__)
+
+  desc "install express_access engine"
+  def install
+    rake "express_access:install:migrations"
+    create_file "config/initializers/express_access.rb", "ExpressAccess.initialize!"
+  end
+
+end

data/lib/tasks/express_access_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :express_rbac do
+#   # Task goes here
+# end

data/test/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks