fortress 0.1.0

data/fortress.gemspec

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'fortress/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'fortress'
+  spec.version       = Fortress::VERSION
+  spec.authors       = ['Guillaume Hain']
+  spec.email         = ['zedtux@zedroot.org']
+  spec.summary       = 'Secure your Rails application from preventing access ' \
+                       'to everything to opening allowed actions.'
+  spec.description   = 'The rigths management libraries available today are ' \
+                       'all based on the principle: everything is open and ' \
+                       'you close it explicitely. Fortress is immediately ' \
+                       'closing access to every actions of every controllers' \
+                       ' when you install it. It\'s then up to you to open ' \
+                       'the allowed actions.'
+  spec.homepage      = 'https://github.com/YourCursus/fortress'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(/^bin/) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(/^(test|spec|features)/)
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'actionpack', '> 3.1'
+  spec.add_dependency 'activesupport', '> 3.1'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec-rails'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
+end

data/lib/fortress.rb

@@ -0,0 +1,6 @@
+require 'fortress/controller'
+require 'fortress/controller_interface'
+require 'fortress/mechanism'
+require 'fortress/version'
+
+ActionController::Base.send(:include, Fortress::Controller)

data/lib/fortress/controller.rb

@@ -0,0 +1,48 @@
+require 'active_support/concern'
+
+module Fortress
+  #
+  # The Controller module embbed all the code to "hook" Fortress to your Rails
+  # application.
+  #
+  # @author zedtux
+  #
+  module Controller
+    extend ActiveSupport::Concern
+
+    included do
+      Mechanism.initialize_authorisations
+
+      # Add a new before_filter for all controllers
+      append_before_filter :prevent_access!
+    end
+
+    def prevent_access!
+      controller = Fortress::ControllerInterface.new(self)
+      Mechanism.authorised?(controller, action_name) ? true : access_deny
+    end
+
+    #
+    # Default access_deny method used when not re-defined in the Rails
+    # application.
+    #
+    # You can re-define it within the ApplicationController of you rails
+    # application.
+    def access_deny
+      flash[:error] = 'You are not authorised to access this page.'
+      redirect_to Rails.application.routes.url_helpers.root_url
+    end
+
+    #
+    # Class methods added to all controllers in a Rails application.
+    #
+    # @author zedtux
+    #
+    module ClassMethods
+      def fortress_allow(actions, options = {})
+        Mechanism.authorise!(name, actions)
+        Mechanism.parse_options(self, actions, options) if options.present?
+      end
+    end
+  end
+end

data/lib/fortress/controller_interface.rb

@@ -0,0 +1,58 @@
+module Fortress
+  #
+  # Object to easily use the Mechanism stored rules. It's a kind of helper
+  # class
+  #
+  # @author zedtux
+  #
+  class ControllerInterface
+    attr_accessor :instance, :params
+
+    def initialize(controller_instance)
+      self.instance = controller_instance
+    end
+
+    def params
+      @params ||= Mechanism.authorisations[instance.class.name]
+    end
+
+    def blocked?
+      params.nil?
+    end
+
+    def allow_all?
+      params[:all] == true
+    end
+
+    def allow_all_without_except?
+      allow_all? && params.key?(:except) == false
+    end
+
+    def allow_action?(name)
+      return false if Array(params[:except]).include?(name.to_sym)
+
+      if params.key?(:if) && params[:if].key?(:actions)
+        if params[:if][:actions].include?(name.to_sym)
+          return params[:if][:method] == true
+        end
+      end
+
+      return true if Array(params[:only]).include?(name.to_sym)
+
+      allow_all?
+    end
+
+    def allow_method?
+      params.key?(:if) && params[:if].key?(:method)
+    end
+
+    def needs_to_check_action?(name)
+      params.key?(:if) && params[:if].key?(:actions) &&
+        Array(params[:if][:actions]).include?(name)
+    end
+
+    def call_allow_method
+      instance.send(params[:if][:method])
+    end
+  end
+end

data/lib/fortress/mechanism.rb

@@ -0,0 +1,121 @@
+require 'active_support/core_ext/module/attribute_accessors'
+
+module Fortress
+  #
+  # Mechanism embbed all the logic of the Fortress library.
+  #
+  # @author zedtux
+  #
+  module Mechanism
+    # Authorisations stores the authorisations per controllers.
+    #
+    # This is a big picture of the structured data:
+    # {
+    #   "UsersController": {
+    #     "all": true
+    #   },
+    #   "LogsController": {
+    #     "all": true,
+    #     "except": [
+    #       "destroy"
+    #     ]
+    #   },
+    #   "NotificationsController": {
+    #     "only": [
+    #       "new",
+    #       "create",
+    #       "edit",
+    #       "update"
+    #     ]
+    #   }
+    #   "PostsController": {
+    #     "only": [
+    #       "edit",
+    #       "update"
+    #     ]
+    #     "if": {
+    #       "method": :can_create_post?,
+    #       "actions": [
+    #         "new",
+    #         "create"
+    #       ]
+    #     }
+    #   },
+    #   "CommentsController": {
+    #     "if": {
+    #       "method": :is_admin?,
+    #       "actions": :destroy
+    #     }
+    #   }
+    # }
+    mattr_accessor :authorisations
+
+    def self.initialize_authorisations
+      self.authorisations = {}
+    end
+
+    def self.parse_options(controller, actions, options)
+      options.each do |key, value|
+        case key
+        when :if
+          Mechanism.authorise_if_truthy(controller.name, value, actions)
+        when :except
+          Mechanism.authorise_excepted(controller.name, value)
+        end
+      end
+    end
+
+    def self.append_or_update(controller_name, key, value)
+      authorisations[controller_name] ||= {}
+      if authorisations[controller_name].key?(key)
+        if authorisations[controller_name][key].is_a?(Hash)
+          authorisations[controller_name][key].merge!(value)
+        else
+          authorisations[controller_name][key] = value
+        end
+      else
+        authorisations[controller_name].merge!(key => value)
+      end
+    end
+
+    def self.authorise!(class_name, actions)
+      if actions == :all
+        append_or_update(class_name, :all, true)
+        return
+      end
+      append_or_update(class_name, :only, Array(actions))
+    end
+
+    private
+
+    def self.authorise_if_truthy(class_name, method_sym, actions)
+      append_or_update(class_name, :if, method: method_sym,
+                                        actions: Array(actions))
+    end
+
+    def self.authorise_excepted(class_name, action)
+      append_or_update(class_name, :except, Array(action))
+    end
+
+    def self.authorised?(controller, action_name)
+      return false if controller.blocked?
+
+      # When the complete controller is authorised
+      return true if controller.allow_all_without_except?
+
+      # When the controller allows some actions and the current action is
+      # allowed
+      return true if controller.allow_action?(action_name)
+
+      # When the controller implement the authorisation method
+      if controller.allow_method?
+        if controller.needs_to_check_action?(action_name)
+          allowed = controller.call_allow_method
+          return true if allowed
+        end
+      end
+
+      false
+    end
+  end
+end

data/lib/fortress/version.rb

@@ -0,0 +1,8 @@
+#
+# Version manager module
+#
+# @author zedtux
+#
+module Fortress
+  VERSION = '0.1.0'
+end

data/spec/fixtures/application.rb

@@ -0,0 +1,33 @@
+require 'active_support/all'
+require 'action_controller'
+require 'action_dispatch'
+
+#
+# Re-define the Rails module
+#
+module Rails
+  #
+  # Fake Rails application
+  #
+  class App
+    def env_config
+      {}
+    end
+
+    def routes
+      return @routes if defined?(@routes)
+      @routes = ActionDispatch::Routing::RouteSet.new
+      @routes.draw do
+        root 'home#index'
+        resources :guitars
+      end
+      @routes
+    end
+  end
+
+  def self.application
+    @app ||= App.new
+  end
+end
+
+Rails.application.routes.default_url_options[:host] = 'http://test.host'

data/spec/fixtures/controllers.rb

@@ -0,0 +1,29 @@
+require 'fortress'
+
+#
+# Mother class for all controller used to test Fortress
+#
+class TestController < ActionController::Base
+  include Rails.application.routes.url_helpers
+  def render(*_)
+  end
+end
+
+#
+# This controller is the one used in all the tests
+#
+class GuitarsController < TestController
+  def index; end
+
+  def show; end
+
+  def new; end
+
+  def create; end
+
+  def edit; end
+
+  def update; end
+
+  def destroy; end
+end

data/spec/fortress/controller_interface_spec.rb

@@ -0,0 +1,250 @@
+require 'spec_helper'
+require 'fortress/controller_interface'
+
+describe Fortress::ControllerInterface do
+  before do
+    Fortress::Mechanism.initialize_authorisations
+    @controller = GuitarsController.new
+  end
+
+  describe '.blocked?' do
+    context 'when controller is unknown from the Fortress::Mechanism module' do
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return true' do
+        expect(subject.blocked?).to be_truthy
+      end
+    end
+    context 'when controller is known from the Fortress::Mechanism module' do
+      before do
+        Fortress::Mechanism.authorisations['GuitarsController'] = { all: true }
+      end
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return false' do
+        expect(subject.blocked?).to be_falsy
+      end
+    end
+  end
+
+  describe '.allow_all?' do
+    context 'when controller has the `:all` key to true in the ' \
+            'Fortress::Mechanism module' do
+      before do
+        Fortress::Mechanism.authorisations['GuitarsController'] = { all: true }
+      end
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return true' do
+        expect(subject.allow_all?).to be_truthy
+      end
+    end
+    context 'when controller doesn\'t have the `:all` key to true in the ' \
+            'Fortress::Mechanism module' do
+      before do
+        Fortress::Mechanism.authorisations['GuitarsController'] = {}
+      end
+      before { Fortress::Mechanism.authorise!('GuitarsController', :index) }
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return false' do
+        expect(subject.allow_all?).to be_falsy
+      end
+    end
+  end
+
+  describe '.allow_all_without_except?' do
+    context 'when controller has the `:all` key to true in the ' \
+            'Fortress::Mechanism module and doesn\'t have the `:except` key' do
+      before do
+        Fortress::Mechanism.authorisations['GuitarsController'] = { all: true }
+      end
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return true' do
+        expect(subject.allow_all_without_except?).to be_truthy
+      end
+    end
+    context 'when controller has the `:all` key to true in the ' \
+            'Fortress::Mechanism module and do have the `:except` key' do
+      before do
+        Fortress::Mechanism.authorisations['GuitarsController'] = {
+          all: true, except: [:index]
+        }
+      end
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return false' do
+        expect(subject.allow_all_without_except?).to be_falsy
+      end
+    end
+  end
+
+  describe '.allow_action?' do
+    describe 'passing `:index` as parameter' do
+      context 'when the controller has the `:except` key containing `:index` ' \
+              'in the Fortress::Mechanism module' do
+        before do
+          Fortress::Mechanism.authorisations['GuitarsController'] = {
+            except: :index
+          }
+        end
+        subject { Fortress::ControllerInterface.new(@controller) }
+        it 'should return false' do
+          expect(subject.allow_action?(:index)).to be_falsy
+        end
+      end
+      context 'when the controller has the `:except` key which doesn\'t ' \
+              'contain the `:index` action in the Fortress::Mechanism module' do
+        context 'and the controller has the `:if` key with `:action` ' \
+                'including `:index`' do
+          context 'the `:method` return false' do
+            before do
+              Fortress::Mechanism.authorisations['GuitarsController'] = {
+                if: { actions: [:index], method: false }
+              }
+            end
+            subject { Fortress::ControllerInterface.new(@controller) }
+            it 'should return false' do
+              expect(subject.allow_action?(:index)).to be_falsy
+            end
+          end
+          context 'the `:method` return true' do
+            before do
+              Fortress::Mechanism.authorisations['GuitarsController'] = {
+                if: { actions: [:index], method: true }
+              }
+            end
+            subject { Fortress::ControllerInterface.new(@controller) }
+            it 'should return true' do
+              expect(subject.allow_action?(:index)).to be_truthy
+            end
+          end
+        end
+        context 'and the controller has the `:if` key with `:action` ' \
+                'which doesn\'t includ the `:index` action' do
+          context 'and the controller has the `:only` key' do
+            context 'which do include `:index`' do
+              before do
+                Fortress::Mechanism.authorisations['GuitarsController'] = {
+                  only: [:index]
+                }
+              end
+              subject { Fortress::ControllerInterface.new(@controller) }
+              it 'should return true' do
+                expect(subject.allow_action?(:index)).to be_truthy
+              end
+            end
+            context 'which do not include `:index`' do
+              before do
+                Fortress::Mechanism.authorisations['GuitarsController'] = {
+                  only: [:update]
+                }
+              end
+              subject { Fortress::ControllerInterface.new(@controller) }
+              it 'should return false' do
+                expect(subject.allow_action?(:index)).to be_falsy
+              end
+            end
+          end
+          context 'and the controller hasn\'t the `:only` key' do
+            context 'and the controller has the `:all` key' do
+              before do
+                Fortress::Mechanism.authorisations['GuitarsController'] = {
+                  only: [], except: [], all: true
+                }
+              end
+              subject { Fortress::ControllerInterface.new(@controller) }
+              it 'should return true' do
+                expect(subject.allow_action?(:index)).to be_truthy
+              end
+            end
+            context 'and the controller do not have the `:all` key' do
+              before do
+                Fortress::Mechanism.authorisations['GuitarsController'] = {
+                  only: [], except: []
+                }
+              end
+              subject { Fortress::ControllerInterface.new(@controller) }
+              it 'should return false' do
+                expect(subject.allow_action?(:index)).to be_falsy
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+
+  describe '.allow_method?' do
+    context 'when controller do have a `:if` key but no `:method` key in ' \
+            'the Fortress::Mechanism' do
+      before do
+        Fortress::Mechanism.authorisations['GuitarsController'] = { if: {} }
+      end
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return false' do
+        expect(subject.allow_method?).to be_falsy
+      end
+    end
+    context 'when controller do have a `:if` key and a `:method` key in ' \
+            'the Fortress::Mechanism' do
+      before do
+        Fortress::Mechanism.authorisations['GuitarsController'] = {
+          if: { method: :test }
+        }
+      end
+      subject { Fortress::ControllerInterface.new(@controller) }
+      it 'should return true' do
+        expect(subject.allow_method?).to be_truthy
+      end
+    end
+  end
+
+  describe '.needs_to_check_action?' do
+    describe 'passing `:index` as parameter' do
+      context 'when controller do not have the `:if` key in ' \
+              'the Fortress::Mechanism' do
+        before do
+          Fortress::Mechanism.authorisations['GuitarsController'] = {}
+        end
+        subject { Fortress::ControllerInterface.new(@controller) }
+        it 'should return false' do
+          expect(subject.needs_to_check_action?(:index)).to be_falsy
+        end
+      end
+      context 'when controller do have the `:if` key in ' \
+              'the Fortress::Mechanism without the `actions` key' do
+        before do
+          Fortress::Mechanism.authorisations['GuitarsController'] = {
+            if: { method: :is_admin? }
+          }
+        end
+        subject { Fortress::ControllerInterface.new(@controller) }
+        it 'should return false' do
+          expect(subject.needs_to_check_action?(:index)).to be_falsy
+        end
+      end
+      context 'when controller do have the `:if` key in ' \
+              'the Fortress::Mechanism and the `actions` key ' \
+              'containing :update' do
+        before do
+          Fortress::Mechanism.authorisations['GuitarsController'] = {
+            if: { actions: :update }
+          }
+        end
+        subject { Fortress::ControllerInterface.new(@controller) }
+        it 'should return false' do
+          expect(subject.needs_to_check_action?(:index)).to be_falsy
+        end
+      end
+      context 'when controller do have the `:if` key in ' \
+              'the Fortress::Mechanism and the `actions` key ' \
+              'containing :index' do
+        before do
+          Fortress::Mechanism.authorisations['GuitarsController'] = {
+            if: { actions: :index }
+          }
+        end
+        subject { Fortress::ControllerInterface.new(@controller) }
+        it 'should return true' do
+          expect(subject.needs_to_check_action?(:index)).to be_truthy
+        end
+      end
+    end
+  end
+end