graphql_authorize 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f640cc20c98719bba5885846cc907f328b135cb182a91071b84b82926eb8a71b
+  data.tar.gz: f2ad27f631017079a4383f051a1b0f22f3eedc8b1a01ef8e1dbd63c60d1956d9
+SHA512:
+  metadata.gz: 4f17dbd13315bb98e9220c21958459f5232e34bc17c8b6786ab4209880ff2eb6efbb49748fd0818ac8eaf54c72a295af07726b1bfa9728f75331cd5eba66b47d
+  data.tar.gz: 143d2a7ddbe7b135cdbeae52c5efd9903e320350d0cc53bd0f583ea1cac9e3398f5b54c5d112f28723c366b0e6ef3520f1d6718554c808ad5f1a3a5ee44a9878

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rubocop.yml

@@ -0,0 +1,25 @@
+AllCops:
+  TargetRubyVersion: 2.5
+  Include:
+    - 'lib/**/*.rb'
+    - 'spec/**/*.rb'
+  Exclude:
+    - 'bin/**/*'
+    - 'vendor/**/*'
+    - 'gemfiles/**/*.gemfile'
+    - 'Rakefile'
+    - 'Gemfile'
+    - '*.gemspec'
+
+Documentation:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Metrics/LineLength:
+  Max: 100
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*.rb'

data/.travis.yml

@@ -0,0 +1,25 @@
+language: ruby
+rvm:
+  - 2.5.1
+
+notifications:
+  email: false
+
+matrix:
+  fast_finish: true
+  include:
+    - rvm: ruby-head
+      gemfile: gemfiles/graphql-1.8.gemfile
+    - rvm: 2.5.0
+      gemfile: gemfiles/graphql-1.8.gemfile
+    - rvm: 2.4.3
+      gemfile: gemfiles/graphql-1.7.gemfile
+    - rvm: 2.3.1
+      gemfile: gemfiles/graphql-1.6.gemfile
+  allow_failures:
+    - rvm: ruby-head
+      gemfile: gemfiles/graphql-1.8.gemfile
+    - rvm: 2.5.0
+      gemfile: gemfiles/graphql-1.8.gemfile
+    - rvm: 2.4.3
+      gemfile: gemfiles/graphql-1.7.gemfile

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in graphql_authorize.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,73 @@
+PATH
+  remote: .
+  specs:
+    graphql_authorize (0.1.0)
+      graphql (= 1.6)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    ast (2.4.0)
+    cancancan (2.2.0)
+    concurrent-ruby (1.0.5)
+    diff-lcs (1.3)
+    graphql (1.6.0)
+    i18n (1.1.0)
+      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.1)
+    minitest (5.11.3)
+    parallel (1.12.1)
+    parser (2.5.1.2)
+      ast (~> 2.4.0)
+    powerpack (0.1.2)
+    pundit (2.0.0)
+      activesupport (>= 3.0.0)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    rubocop (0.58.2)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.10.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.4.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport
+  bundler (~> 1.16)
+  cancancan (~> 2.0)
+  graphql_authorize!
+  pundit
+  rake (~> 10.0)
+  rspec
+  rubocop
+
+BUNDLED WITH
+   1.16.2

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 DmitryTsepelev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,94 @@
+[![Build Status](https://travis-ci.org/anjlab/graphql_authorize.svg?branch=master)](https://travis-ci.org/anjlab/graphql_authorize)
+
+# GraphqlAuthorize
+
+
+This gem allows you to authorize an access to you graphql-fields (defined by [graphql-ruby](https://github.com/rmosolgo/graphql-ruby)). For now, we support only 1.6 version :(
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'graphql_authorize'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install graphql_authorize
+
+## Usage
+
+You can define a proc and pass it to `authorize` inside the field block:
+
+```ruby
+field :posts, types[PostType] do
+  authorize lambda { |_obj, _args, context|
+    current_user = context[:current_user]
+    current_user && current_user.admin
+  }
+
+  resolve ->(_obj, _args, _context) { ... }
+end
+```
+
+Don't forget to pass `current_user` to the context when you execute the query, e.g.:
+
+```ruby
+Schema.execute(query, context: { current_user: current_user })
+```
+
+### CanCanCan
+
+If you are using CanCanCan, you can just pass an array with two values - permission to check and a model class:
+
+```ruby
+field :posts, types[PostType] do
+  authorize [:read, Post]
+  resolve ->(_obj, _args, _context) { ... }
+end
+```
+
+In order to let GraphqlAuthorize know that it should use CanCanCan, please configure it somewhere in your app:
+
+```ruby
+GraphqlAuthorize.config.auth_adapter = GraphqlAuthorize::AuthAdapters::CanCanCan
+```
+
+By default it will try to call `can?` on the module called `Ability` (you have it if you follow the [guide](https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities)). However, when you've done it in a different way, you must also configure `auth_adapter_source` - a proc, which will get a current context and will need to return something, which can respond to `can?`:
+
+```ruby
+GraphqlAuthorize.configure do |config|
+  config.auth_adapter = GraphqlAuthorize::AuthAdapters::CanCanCan
+  config.auth_adapter_source = ->(context) { context[:current_user] }
+end
+```
+
+### Pundit
+
+Pundit integration is very similar with CanCanCan - you should pass an array with two values in a following way:
+
+```ruby
+field :posts, types[PostType] do
+  authorize [:read, Post]
+  resolve ->(_obj, _args, _context) { ... }
+end
+```
+
+Don't forget to configure GraphqlAuthorize to use the proper adapter:
+
+```ruby
+GraphqlAuthorize.config.auth_adapter = GraphqlAuthorize::AuthAdapters::Pundit
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/anjlab/graphql_authorize.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "rubocop/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+task default: [:rubocop, :spec]

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "graphql_authorize"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/gemfiles/graphql-1.6.gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem "graphql", "1.6"
+
+gemspec path: ".."

data/gemfiles/graphql-1.7.gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem "graphql", "1.7"
+
+gemspec path: ".."

data/gemfiles/graphql-1.8.gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem "graphql", "1.8"
+
+gemspec path: ".."

data/graphql_authorize.gemspec

@@ -0,0 +1,37 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "graphql_authorize/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "graphql_authorize"
+  spec.version       = GraphqlAuthorize::VERSION
+  spec.authors       = ["DmitryTsepelev"]
+  spec.email         = ["dmitry.a.tsepelev@gmail.com"]
+
+  spec.summary       = %q{Auth support for ruby-graphql}
+  spec.description   = %q{Auth support for ruby-graphql}
+  spec.homepage      = "https://github.com/anjlab/graphql_authorize"
+  spec.license       = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = ">= 2.3"
+
+  spec.add_dependency "graphql", "1.6"
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rubocop"
+  spec.add_development_dependency "cancancan", "~> 2.0"
+  spec.add_development_dependency "pundit"
+  spec.add_development_dependency "activesupport"
+end

data/lib/graphql_authorize.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "graphql"
+
+require "graphql_authorize/version"
+require "graphql_authorize/configuration"
+require "graphql_authorize/auth_adapters/base"
+require "graphql_authorize/auth_adapters/can_can_can"
+require "graphql_authorize/auth_adapters/pundit"
+require "graphql_authorize/ext/field"
+require "graphql_authorize/ext/field_resolve_step"
+
+module GraphqlAuthorize
+  class << self
+    def config
+      @config ||= Configuration.new
+    end
+
+    def configure
+      yield config
+    end
+  end
+
+  GraphQL::Field.include(GraphqlAuthorize::Field)
+
+  GraphQL::Execution::Execute::FieldResolveStep.singleton_class.prepend(
+    GraphqlAuthorize::FieldResolveStep
+  )
+end

data/lib/graphql_authorize/auth_adapters/base.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module GraphqlAuthorize
+  module AuthAdapters
+    class Base
+      attr_reader :field_definition, :context
+
+      def initialize(field_definition, context)
+        @field_definition = field_definition
+        @context = context
+      end
+    end
+  end
+end

data/lib/graphql_authorize/auth_adapters/can_can_can.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module GraphqlAuthorize
+  module AuthAdapters
+    class CanCanCan < Base
+      def authorize
+        unless field_definition.authorize.is_a?(Array)
+          raise ArgumentError,
+                "#authorize arguments should be passed as array, e.g. `authorize [:read, Post]`"
+        end
+
+        unless source.respond_to?(:can?)
+          raise ArgumentError,
+                "an object returned by #auth_adapter_source call does not respond to #can?"
+        end
+
+        source.can?(*field_definition.authorize)
+      end
+
+      private
+
+      def auth_adapter_source
+        GraphqlAuthorize.config.auth_adapter_source
+      end
+
+      def source
+        @source ||=
+          if auth_adapter_source
+            auth_adapter_source.call(context)
+          else
+            Ability.new(context[:current_user])
+          end
+      end
+    end
+  end
+end

data/lib/graphql_authorize/auth_adapters/pundit.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module GraphqlAuthorize
+  module AuthAdapters
+    class Pundit < Base
+      def authorize
+        if policy&.respond_to?(pundit_action)
+          policy.send(pundit_action)
+        else
+          false
+        end
+      end
+
+      private
+
+      def policy
+        @policy ||= ::Pundit.policy(context[:current_user], subject)
+      end
+
+      def pundit_action
+        "#{action}?"
+      end
+
+      def action
+        field_definition.authorize.first
+      end
+
+      def subject
+        field_definition.authorize.last
+      end
+    end
+  end
+end

data/lib/graphql_authorize/configuration.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module GraphqlAuthorize
+  class Configuration
+    attr_accessor :auth_adapter_source, :auth_adapter
+
+    def initialize
+      @auth_adapter = nil
+      @auth_adapter_source = nil
+    end
+  end
+end

data/lib/graphql_authorize/ext/field.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module GraphqlAuthorize
+  module Field
+    def self.included(base)
+      base.accepts_definitions :authorize
+    end
+
+    attr_accessor :authorize
+  end
+end

data/lib/graphql_authorize/ext/field_resolve_step.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module GraphqlAuthorize
+  module FieldResolveStep
+    # rubocop:disable Metrics/ParameterLists
+    def call(_parent_type, parent_object, field_definition, field_args, context, _next = nil)
+      if authorized?(field_definition, parent_object, field_args, context)
+        super
+      else
+        GraphQL::ExecutionError.new("Access to the field '#{field_definition.name}' is denied!")
+      end
+    rescue StandardError => err
+      GraphQL::ExecutionError.new(err.inspect)
+    end
+    # rubocop:enable Metrics/ParameterLists
+
+    private
+
+    def authorized?(field_definition, object, args, context)
+      return true if field_definition.authorize.nil?
+
+      if field_definition.authorize.is_a?(Proc)
+        return field_definition.authorize.call(object, args, context)
+      end
+
+      return false if auth_adapter.nil?
+
+      auth_adapter.new(field_definition, context).authorize
+    end
+
+    def auth_adapter
+      GraphqlAuthorize.config.auth_adapter
+    end
+  end
+end

data/lib/graphql_authorize/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module GraphqlAuthorize
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,178 @@
+--- !ruby/object:Gem::Specification
+name: graphql_authorize
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- DmitryTsepelev
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-09-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: graphql
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cancancan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: pundit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Auth support for ruby-graphql
+email:
+- dmitry.a.tsepelev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- gemfiles/graphql-1.6.gemfile
+- gemfiles/graphql-1.7.gemfile
+- gemfiles/graphql-1.8.gemfile
+- graphql_authorize.gemspec
+- lib/graphql_authorize.rb
+- lib/graphql_authorize/auth_adapters/base.rb
+- lib/graphql_authorize/auth_adapters/can_can_can.rb
+- lib/graphql_authorize/auth_adapters/pundit.rb
+- lib/graphql_authorize/configuration.rb
+- lib/graphql_authorize/ext/field.rb
+- lib/graphql_authorize/ext/field_resolve_step.rb
+- lib/graphql_authorize/version.rb
+homepage: https://github.com/anjlab/graphql_authorize
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Auth support for ruby-graphql
+test_files: []