graphql-pundit-387 0.7.1

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'graphql/pundit'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/graphql-pundit.gemspec

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'graphql-pundit/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'graphql-pundit-387'
+  spec.version       = GraphQL::Pundit::VERSION
+  spec.authors       = ['Ontohub Core Developers']
+  spec.email         = ['ontohub-dev-l@ovgu.de']
+
+  spec.summary       = 'Pundit authorization support for graphql'
+  spec.description   = spec.summary
+  spec.homepage      = 'https://github.com/ontohub/graphql-pundit'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'graphql', '>= 1.6.4', '< 1.10.0'
+  spec.add_dependency 'pundit', '~> 1.1.0'
+
+  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'codecov', '~> 0.1.10'
+  spec.add_development_dependency 'fuubar', '~> 2.3.0'
+  spec.add_development_dependency 'pry', '~> 0.11.0'
+  spec.add_development_dependency 'pry-byebug', '~> 3.6.0'
+  spec.add_development_dependency 'pry-rescue', '~> 1.4.4'
+  spec.add_development_dependency 'pry-stack_explorer', '~> 0.4.9.2'
+  spec.add_development_dependency 'rake', '~> 12.0'
+  spec.add_development_dependency 'rspec', '~> 3.6'
+  spec.add_development_dependency 'rubocop', '~> 0.57.0'
+  spec.add_development_dependency 'simplecov', '~> 0.16.1'
+end

data/lib/graphql-pundit.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'graphql-pundit/instrumenter'
+require 'graphql-pundit/field'
+require 'graphql-pundit/authorization'
+require 'graphql-pundit/scope'
+require 'graphql-pundit/version'
+
+require 'graphql'
+
+# Defines authorization related helpers
+module GraphQL
+  # Defines `authorize` and `authorize!` helpers
+  class AuthorizationHelper
+    attr_reader :raise_unauthorized
+
+    def initialize(raise_unauthorized)
+      @raise_unauthorized = raise_unauthorized
+    end
+
+    def call(defn, *args, policy: nil, record: nil)
+      query = args[0] || defn.name
+      opts = {record: record,
+              query: query,
+              policy: policy,
+              raise: raise_unauthorized}
+      if query.respond_to?(:call)
+        opts = {proc: query, raise: raise_unauthorized}
+      end
+      Define::InstanceDefinable::AssignMetadataKey.new(:authorize).
+        call(defn, opts)
+    end
+  end
+
+  # Defines `scope` helper
+  class ScopeHelper
+    def initialize(before_or_after, deprecated: false)
+      @before_or_after = before_or_after
+      @deprecated = deprecated
+    end
+
+    def call(defn, proc = :infer_scope)
+      opts = {proc: proc, deprecated: @deprecated}
+      Define::InstanceDefinable::AssignMetadataKey.
+        new(:"#{@before_or_after}_scope").
+        call(defn, opts)
+    end
+  end
+
+  Field.accepts_definitions(authorize: AuthorizationHelper.new(false),
+                            authorize!: AuthorizationHelper.new(true),
+                            after_scope: ScopeHelper.new(:after),
+                            before_scope: ScopeHelper.new(:before),
+                            scope: ScopeHelper.new(:before, deprecated: true))
+end

data/lib/graphql-pundit/authorization.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'graphql-pundit/common'
+
+module GraphQL
+  module Pundit
+    # Authorization methods to be included in the used Field class
+    module Authorization
+      def self.prepended(base)
+        base.include(GraphQL::Pundit::Common)
+      end
+
+      # rubocop:disable Metrics/ParameterLists
+      def initialize(*args, authorize: nil,
+                            record: nil,
+                            policy: nil,
+                            **kwargs, &block)
+        # rubocop:enable Metrics/ParameterLists
+        # authorize! is not a valid variable name
+        authorize_bang = kwargs.delete(:authorize!)
+        @record = record if record
+        @policy = policy if policy
+        @authorize = authorize_bang || authorize
+        @do_raise = !!authorize_bang
+        super(*args, **kwargs, &block)
+      end
+
+      def authorize(*args, record: nil, policy: nil)
+        @authorize = args[0] || true
+        @record = record if record
+        @policy = policy if policy
+      end
+
+      def authorize!(*args, record: nil, policy: nil)
+        @do_raise = true
+        authorize(*args, record: record, policy: policy)
+      end
+
+      def resolve_field(obj, args, ctx)
+        raise ::Pundit::NotAuthorizedError unless do_authorize(obj, args, ctx)
+        super(obj, args, ctx)
+      rescue ::Pundit::NotAuthorizedError
+        if @do_raise
+          raise GraphQL::ExecutionError, "You're not authorized to do this"
+        end
+      end
+
+      private
+
+      def do_authorize(root, arguments, context)
+        return true unless @authorize
+        return @authorize.call(root, arguments, context) if callable? @authorize
+
+        query = infer_query(@authorize)
+        record = infer_record(@record, root, arguments, context)
+        policy = infer_policy(@policy, record, arguments, context)
+
+        policy.new(context[self.class.current_user], record).public_send query
+      end
+
+      def infer_query(auth_value)
+        # authorize can be callable, true (for inference) or a policy query
+        query = auth_value.equal?(true) ? method_sym : auth_value
+        query.to_s + '?'
+      end
+
+      def infer_record(record, root, arguments, context)
+        # record can be callable, nil (for inference) or just any other value
+        if callable?(record)
+          record.call(root, arguments, context)
+        elsif record.equal?(nil)
+          root
+        else
+          record
+        end
+      end
+
+      def infer_policy(policy, record, arguments, context)
+        # policy can be callable, nil (for inference) or a policy class
+        if callable?(policy)
+          policy.call(record, arguments, context)
+        elsif policy.equal?(nil)
+          infer_from = model?(record) ? record.model : record
+          ::Pundit::PolicyFinder.new(infer_from).policy!
+        else
+          policy
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/common.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Pundit
+    # Common methods used for authorization and scopes
+    module Common
+      # Class methods to be included in the Field class
+      module ClassMethods
+        def current_user(current_user = nil)
+          return @current_user unless current_user
+          @current_user = current_user
+        end
+      end
+
+      def self.included(base)
+        @current_user = :current_user
+        base.extend(ClassMethods)
+      end
+
+      def callable?(thing)
+        thing.respond_to?(:call)
+      end
+
+      def model?(thing)
+        thing.respond_to?(:model)
+      end
+    end
+  end
+end

data/lib/graphql-pundit/field.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require 'graphql-pundit/authorization'
+require 'graphql-pundit/scope'
+
+module GraphQL
+  module Pundit
+    if defined?(GraphQL::Schema::Field)
+      # Field class that contains authorization and scope behavior
+      # This only works with graphql >= 1.8.0
+      class Field < GraphQL::Schema::Field
+        # prepend GraphQL::Pundit::Scope
+        prepend GraphQL::Pundit::Authorization
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenter.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'pundit'
+require 'graphql-pundit/instrumenters/authorization'
+require 'graphql-pundit/instrumenters/before_scope'
+require 'graphql-pundit/instrumenters/after_scope'
+
+module GraphQL
+  module Pundit
+    # Intrumenter combining the authorization and scope instrumenters
+    class Instrumenter
+      attr_reader :current_user,
+                  :authorization_instrumenter,
+                  :before_scope_instrumenter,
+                  :after_scope_instrumenter
+
+      def initialize(current_user = :current_user)
+        @current_user = current_user
+        @authorization_instrumenter =
+          Instrumenters::Authorization.new(current_user)
+        @before_scope_instrumenter =
+          Instrumenters::BeforeScope.new(current_user)
+        @after_scope_instrumenter = Instrumenters::AfterScope.new(current_user)
+      end
+
+      def instrument(type, field)
+        before_scoped_field = before_scope_instrumenter.instrument(type, field)
+        after_scoped_field = after_scope_instrumenter.
+          instrument(type, before_scoped_field)
+        authorization_instrumenter.instrument(type, after_scoped_field)
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/after_scope.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'pundit'
+require_relative 'scope'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `after_scope`
+      class AfterScope < Scope
+        SCOPE_KEY = :after_scope
+
+        # Applies the scoping to the passed object
+        class ScopeResolver < ScopeResolver
+          def call(root, arguments, context)
+            resolver_result = old_resolver.call(root, arguments, context)
+            scope_proc = new_scope(scope)
+            scope_proc.call(resolver_result, arguments, context)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/authorization.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'pundit'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `authorize`
+      class Authorization
+        # This does the actual Pundit authorization
+        class AuthorizationResolver
+          attr_reader :current_user, :old_resolver, :options
+          def initialize(current_user, old_resolver, options)
+            @current_user = current_user
+            @old_resolver = old_resolver
+            @options = options
+          end
+
+          def call(root, arguments, context)
+            unless authorize(root, arguments, context)
+              raise ::Pundit::NotAuthorizedError
+            end
+            old_resolver.call(root, arguments, context)
+          rescue ::Pundit::NotAuthorizedError
+            if options[:raise]
+              raise GraphQL::ExecutionError, "You're not authorized to do this"
+            end
+          end
+
+          private
+
+          def authorize(root, arguments, context)
+            if options[:proc]
+              options[:proc].call(root, arguments, context)
+            else
+              record = record(root, arguments, context)
+              ::Pundit::PolicyFinder.new(policy(record)).policy!.
+                new(context[current_user], record).public_send(query)
+            end
+          end
+
+          def query
+            @query ||= options[:query].to_s + '?'
+          end
+
+          def policy(record)
+            options[:policy] || record
+          end
+
+          def record(root, arguments, context)
+            if options[:record].respond_to?(:call)
+              options[:record].call(root, arguments, context)
+            else
+              options[:record] || root
+            end
+          end
+        end
+
+        attr_reader :current_user
+
+        def initialize(current_user = :current_user)
+          @current_user = current_user
+        end
+
+        def instrument(_type, field)
+          return field unless field.metadata[:authorize]
+          old_resolver = field.resolve_proc
+          resolver = AuthorizationResolver.new(current_user,
+                                               old_resolver,
+                                               field.metadata[:authorize])
+          field.redefine do
+            resolve resolver
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/before_scope.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'pundit'
+require_relative 'scope'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `before_scope`
+      class BeforeScope < Scope
+        SCOPE_KEY = :before_scope
+
+        # Applies the scoping to the passed object
+        class ScopeResolver < ScopeResolver
+          def call(root, arguments, context)
+            if field.metadata[:before_scope][:deprecated]
+              Kernel.warn <<~DEPRECATION_WARNING
+                Using `scope` is deprecated and might be removed in the future.
+                Please use `before_scope` or `after_scope` instead.
+              DEPRECATION_WARNING
+            end
+            scope_proc = new_scope(scope)
+            resolver_result = scope_proc.call(root, arguments, context)
+            old_resolver.call(resolver_result, arguments, context)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/scope.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'pundit'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Base instrumenter for `before_scope` and `after_scope`
+      class Scope
+        # Applies the scoping to the passed object
+        class ScopeResolver
+          attr_reader :current_user, :scope, :old_resolver, :field
+
+          def initialize(current_user, scope, old_resolver, field)
+            @current_user = current_user
+            @old_resolver = old_resolver
+            @field = field
+
+            unless valid_value?(scope)
+              raise ArgumentError, 'Invalid value passed to `scope`'
+            end
+
+            @scope = scope
+          end
+
+          private
+
+          def new_scope(scope)
+            return scope if proc?(scope)
+
+            lambda do |root, _arguments, context|
+              scope = find_scope(root, scope)
+              scope.new(context[current_user], root).resolve
+            end
+          end
+
+          def find_scope(root, scope)
+            if !inferred?(scope)
+              scope::Scope
+            else
+              # Special case for Sequel datasets that do not respond to
+              # ActiveModel's model_name
+              infer_from = if root.respond_to?(:model)
+                             root.model
+                           else
+                             root
+                           end
+              ::Pundit::PolicyFinder.new(infer_from).scope!
+            end
+          end
+
+          def valid_value?(value)
+            value.is_a?(Class) || inferred?(value) || proc?(value)
+          end
+
+          def proc?(value)
+            value.respond_to?(:call)
+          end
+
+          def inferred?(value)
+            value == :infer_scope
+          end
+        end
+
+        attr_reader :current_user
+
+        def initialize(current_user = :current_user)
+          @current_user = current_user
+        end
+
+        # rubocop:disable Metrics/MethodLength
+        def instrument(_type, field)
+          # rubocop:enable Metrics/MethodLength
+          scope_metadata = field.metadata[self.class::SCOPE_KEY]
+          return field unless scope_metadata
+          scope = scope_metadata[:proc]
+
+          old_resolver = field.resolve_proc
+          resolver = self.class::ScopeResolver.new(current_user,
+                                                   scope,
+                                                   old_resolver,
+                                                   field)
+
+          field.redefine do
+            resolve resolver
+          end
+        end
+      end
+    end
+  end
+end