graylog2-declarative_authorization 0.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGELOG +153 -0
- data/MIT-LICENSE +20 -0
- data/README.rdoc +529 -0
- data/Rakefile +35 -0
- data/app/controllers/authorization_rules_controller.rb +259 -0
- data/app/controllers/authorization_usages_controller.rb +23 -0
- data/app/helpers/authorization_rules_helper.rb +218 -0
- data/app/views/authorization_rules/_change.erb +58 -0
- data/app/views/authorization_rules/_show_graph.erb +44 -0
- data/app/views/authorization_rules/_suggestions.erb +48 -0
- data/app/views/authorization_rules/change.html.erb +169 -0
- data/app/views/authorization_rules/graph.dot.erb +68 -0
- data/app/views/authorization_rules/graph.html.erb +47 -0
- data/app/views/authorization_rules/index.html.erb +17 -0
- data/app/views/authorization_usages/index.html.erb +36 -0
- data/authorization_rules.dist.rb +20 -0
- data/config/routes.rb +20 -0
- data/garlic_example.rb +20 -0
- data/init.rb +5 -0
- data/lib/declarative_authorization.rb +17 -0
- data/lib/declarative_authorization/authorization.rb +705 -0
- data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
- data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
- data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
- data/lib/declarative_authorization/development_support/development_support.rb +243 -0
- data/lib/declarative_authorization/helper.rb +68 -0
- data/lib/declarative_authorization/in_controller.rb +645 -0
- data/lib/declarative_authorization/in_model.rb +162 -0
- data/lib/declarative_authorization/maintenance.rb +212 -0
- data/lib/declarative_authorization/obligation_scope.rb +354 -0
- data/lib/declarative_authorization/rails_legacy.rb +22 -0
- data/lib/declarative_authorization/railsengine.rb +6 -0
- data/lib/declarative_authorization/reader.rb +521 -0
- data/lib/tasks/authorization_tasks.rake +82 -0
- data/test/authorization_test.rb +1104 -0
- data/test/controller_filter_resource_access_test.rb +511 -0
- data/test/controller_test.rb +480 -0
- data/test/dsl_reader_test.rb +178 -0
- data/test/helper_test.rb +247 -0
- data/test/maintenance_test.rb +46 -0
- data/test/model_test.rb +1883 -0
- data/test/schema.sql +55 -0
- data/test/test_helper.rb +152 -0
- metadata +112 -0
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
namespace :auth do
|
|
2
|
+
desc "Lists all privileges used in controllers, views, models"
|
|
3
|
+
task :used_privileges do
|
|
4
|
+
# TODO note where privileges are used
|
|
5
|
+
require File.join(RAILS_ROOT, 'config', 'boot.rb')
|
|
6
|
+
require File.join(RAILS_ROOT, 'config', 'environment.rb')
|
|
7
|
+
controllers = [ApplicationController]
|
|
8
|
+
Dir.new("#{RAILS_ROOT}/app/controllers").entries.each do |controller_file|
|
|
9
|
+
if controller_file =~ /_controller/
|
|
10
|
+
controllers << controller_file.gsub(".rb","").camelize.constantize
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
perms = controllers.select {|c| c.send(:class_variable_defined?, :@@permissions)}.
|
|
14
|
+
inject([]) do |all, c|
|
|
15
|
+
contr_context = c.name.sub("Controller", "").tableize.to_sym
|
|
16
|
+
contr_perms = c.send(:class_variable_get, :@@permissions).collect do |cp|
|
|
17
|
+
[cp.privilege, cp.context || contr_context, cp]
|
|
18
|
+
end
|
|
19
|
+
if contr_perms.any? {|cp| cp[0].nil?}
|
|
20
|
+
contr_perms += c.send(:action_methods).collect {|am| am.to_sym}.
|
|
21
|
+
reject {|am| contr_perms.any? {|cp| cp[2].actions.include?(am)}}.
|
|
22
|
+
collect {|am| [am, contr_context]}
|
|
23
|
+
end
|
|
24
|
+
all += contr_perms.reject {|cp| cp[0].nil?}.collect {|cp| cp[0..1]}
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
model_files = `grep -l "^[[:space:]]*using_access_control" #{RAILS_ROOT}/app/models/*.rb`.split("\n")
|
|
28
|
+
models_with_ac = model_files.collect {|mf| mf.sub(/^.*\//, "").sub(".rb", "").tableize.to_sym}
|
|
29
|
+
model_security_privs = [:create, :read, :update, :delete]
|
|
30
|
+
models_with_ac.each {|m| perms += model_security_privs.collect{|msp| [msp, m]}}
|
|
31
|
+
|
|
32
|
+
grep_file_pattern = "#{RAILS_ROOT}/app/models/*.rb #{RAILS_ROOT}/app/views/**/* #{RAILS_ROOT}/app/controllers/*.rb"
|
|
33
|
+
`grep "permitted_to?" #{grep_file_pattern}`.split("\n").each do |ptu|
|
|
34
|
+
file, grep_match = ptu.split(':', 2)
|
|
35
|
+
context = privilege = nil
|
|
36
|
+
if (match = grep_match.match(/permitted_to\?\(?\s*:(\w+),\s*(:?@?\w+)/))
|
|
37
|
+
privilege = match[1].to_sym
|
|
38
|
+
if match[2][0..0] == ':'
|
|
39
|
+
context = match[2][1..-1].to_sym
|
|
40
|
+
else
|
|
41
|
+
c = (match[2][0..0] == '@' ? match[2][1..-1] : match[2]).pluralize.to_sym
|
|
42
|
+
context = c if perms.any? {|p| p[1] == c}
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
if privilege.nil? or context.nil?
|
|
46
|
+
puts "Could not handle: #{ptu}"
|
|
47
|
+
else
|
|
48
|
+
perms << [privilege, context]
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
`grep ".with_permissions_to" #{grep_file_pattern}`.split("\n").each do |wpt|
|
|
53
|
+
file, grep_match = wpt.split(':', 2)
|
|
54
|
+
context = privilege = nil
|
|
55
|
+
if match = grep_match.match(/(\w+\.)?with_permissions_to(\(:\w+)?/)
|
|
56
|
+
c = match[1][0..-2].tableize.to_sym if match[1]
|
|
57
|
+
c ||= File.basename(file, '.rb').tableize.to_sym
|
|
58
|
+
context = c if perms.any? {|p| p[1] == c}
|
|
59
|
+
privilege = match[2] && match[2][(match[2][0..0]=='(' ? 2 : 1)..-1].to_sym
|
|
60
|
+
privilege ||= :read
|
|
61
|
+
end
|
|
62
|
+
if privilege.nil? or context.nil?
|
|
63
|
+
puts "Could not handle: #{ptu}"
|
|
64
|
+
else
|
|
65
|
+
perms << [privilege, context]
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
perms.uniq!
|
|
70
|
+
perm_hash = {}
|
|
71
|
+
perms.each do |cp|
|
|
72
|
+
perm_hash[cp[1]] ||= []
|
|
73
|
+
perm_hash[cp[1]] << cp[0]
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
puts "Privileges currently in use:"
|
|
77
|
+
perm_hash.each do |context, privileges|
|
|
78
|
+
puts " #{context.inspect}:\t#{privileges.collect {|p| p.inspect}.sort * ', '}"
|
|
79
|
+
#privileges.collect {|p| p.inspect}.sort.each {|p| puts " #{p}"}
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
end
|
|
@@ -0,0 +1,1104 @@
|
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
|
2
|
+
|
|
3
|
+
class AuthorizationTest < Test::Unit::TestCase
|
|
4
|
+
|
|
5
|
+
def test_permit
|
|
6
|
+
reader = Authorization::Reader::DSLReader.new
|
|
7
|
+
reader.parse %{
|
|
8
|
+
authorization do
|
|
9
|
+
role :test_role do
|
|
10
|
+
has_permission_on :permissions, :to => :test
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
}
|
|
14
|
+
engine = Authorization::Engine.new(reader)
|
|
15
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
16
|
+
:user => MockUser.new(:test_role, :test_role_2))
|
|
17
|
+
assert !engine.permit?(:test_2, :context => :permissions_2,
|
|
18
|
+
:user => MockUser.new(:test_role))
|
|
19
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
20
|
+
:user => MockUser.new(:test_role_2))
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def test_permit_context_people
|
|
24
|
+
reader = Authorization::Reader::DSLReader.new
|
|
25
|
+
reader.parse %{
|
|
26
|
+
authorization do
|
|
27
|
+
role :test_role do
|
|
28
|
+
has_permission_on :people, :to => :test
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
}
|
|
32
|
+
engine = Authorization::Engine.new(reader)
|
|
33
|
+
assert engine.permit?(:test, :context => :people,
|
|
34
|
+
:user => MockUser.new(:test_role))
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def test_permit_elevated_people
|
|
38
|
+
reader = Authorization::Reader::DSLReader.new
|
|
39
|
+
reader.parse %{
|
|
40
|
+
authorization do
|
|
41
|
+
role :admin do
|
|
42
|
+
has_omnipotence
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
}
|
|
46
|
+
engine = Authorization::Engine.new(reader)
|
|
47
|
+
assert engine.permit?(:test, :context => :people,
|
|
48
|
+
:user => MockUser.new(:admin))
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def test_permit_multiple_contexts
|
|
52
|
+
reader = Authorization::Reader::DSLReader.new
|
|
53
|
+
reader.parse %{
|
|
54
|
+
authorization do
|
|
55
|
+
role :test_role do
|
|
56
|
+
has_permission_on [:permissions, :permissions_2], :to => :test
|
|
57
|
+
has_permission_on :permissions_4, :permissions_5, :to => :test
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
}
|
|
61
|
+
engine = Authorization::Engine.new(reader)
|
|
62
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
63
|
+
:user => MockUser.new(:test_role))
|
|
64
|
+
assert engine.permit?(:test, :context => :permissions_2,
|
|
65
|
+
:user => MockUser.new(:test_role))
|
|
66
|
+
assert !engine.permit?(:test, :context => :permissions_3,
|
|
67
|
+
:user => MockUser.new(:test_role))
|
|
68
|
+
|
|
69
|
+
assert engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
|
|
70
|
+
assert engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def test_permit_with_frozen_roles
|
|
74
|
+
reader = Authorization::Reader::DSLReader.new
|
|
75
|
+
reader.parse %{
|
|
76
|
+
authorization do
|
|
77
|
+
role :other_role do
|
|
78
|
+
includes :test_role
|
|
79
|
+
end
|
|
80
|
+
role :test_role do
|
|
81
|
+
has_permission_on :permissions, :to => :test
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
}
|
|
85
|
+
engine = Authorization::Engine.new(reader)
|
|
86
|
+
roles = [:other_role].freeze
|
|
87
|
+
assert_nothing_raised do
|
|
88
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
89
|
+
:user => MockUser.new(:role_symbols => roles))
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def test_obligations_without_conditions
|
|
94
|
+
reader = Authorization::Reader::DSLReader.new
|
|
95
|
+
reader.parse %{
|
|
96
|
+
authorization do
|
|
97
|
+
role :test_role do
|
|
98
|
+
has_permission_on :permissions, :to => :test
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
}
|
|
102
|
+
engine = Authorization::Engine.new(reader)
|
|
103
|
+
assert_equal [{}], engine.obligations(:test, :context => :permissions,
|
|
104
|
+
:user => MockUser.new(:test_role))
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
def test_obligations_with_conditions
|
|
108
|
+
reader = Authorization::Reader::DSLReader.new
|
|
109
|
+
reader.parse %{
|
|
110
|
+
authorization do
|
|
111
|
+
role :test_role do
|
|
112
|
+
has_permission_on :permissions, :to => :test do
|
|
113
|
+
if_attribute :attr => is { user.attr }
|
|
114
|
+
end
|
|
115
|
+
end
|
|
116
|
+
end
|
|
117
|
+
}
|
|
118
|
+
engine = Authorization::Engine.new(reader)
|
|
119
|
+
assert_equal [{:attr => [:is, 1]}],
|
|
120
|
+
engine.obligations(:test, :context => :permissions,
|
|
121
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
def test_obligations_with_anded_conditions
|
|
125
|
+
reader = Authorization::Reader::DSLReader.new
|
|
126
|
+
reader.parse %{
|
|
127
|
+
authorization do
|
|
128
|
+
role :test_role do
|
|
129
|
+
has_permission_on :permissions, :to => :test, :join_by => :and do
|
|
130
|
+
if_attribute :attr => is { user.attr }
|
|
131
|
+
if_attribute :attr_2 => is { user.attr_2 }
|
|
132
|
+
end
|
|
133
|
+
end
|
|
134
|
+
end
|
|
135
|
+
}
|
|
136
|
+
engine = Authorization::Engine.new(reader)
|
|
137
|
+
assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
|
|
138
|
+
engine.obligations(:test, :context => :permissions,
|
|
139
|
+
:user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
|
|
140
|
+
end
|
|
141
|
+
|
|
142
|
+
def test_obligations_with_deep_anded_conditions
|
|
143
|
+
reader = Authorization::Reader::DSLReader.new
|
|
144
|
+
reader.parse %{
|
|
145
|
+
authorization do
|
|
146
|
+
role :test_role do
|
|
147
|
+
has_permission_on :permissions, :to => :test, :join_by => :and do
|
|
148
|
+
if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
|
|
149
|
+
if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
|
|
150
|
+
end
|
|
151
|
+
end
|
|
152
|
+
end
|
|
153
|
+
}
|
|
154
|
+
engine = Authorization::Engine.new(reader)
|
|
155
|
+
assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
|
|
156
|
+
engine.obligations(:test, :context => :permissions,
|
|
157
|
+
:user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
|
|
158
|
+
end
|
|
159
|
+
|
|
160
|
+
def test_obligations_with_has_many
|
|
161
|
+
reader = Authorization::Reader::DSLReader.new
|
|
162
|
+
reader.parse %{
|
|
163
|
+
authorization do
|
|
164
|
+
role :test_role do
|
|
165
|
+
has_permission_on :permissions, :to => :test do
|
|
166
|
+
if_attribute :attrs => { :deeper_attr => is { user.deeper_attr } }
|
|
167
|
+
end
|
|
168
|
+
end
|
|
169
|
+
end
|
|
170
|
+
}
|
|
171
|
+
engine = Authorization::Engine.new(reader)
|
|
172
|
+
assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}],
|
|
173
|
+
engine.obligations(:test, :context => :permissions,
|
|
174
|
+
:user => MockUser.new(:test_role, :deeper_attr => 1))
|
|
175
|
+
end
|
|
176
|
+
|
|
177
|
+
def test_obligations_with_conditions_and_empty
|
|
178
|
+
reader = Authorization::Reader::DSLReader.new
|
|
179
|
+
reader.parse %{
|
|
180
|
+
authorization do
|
|
181
|
+
role :test_role do
|
|
182
|
+
has_permission_on :permissions, :to => :test
|
|
183
|
+
has_permission_on :permissions, :to => :test do
|
|
184
|
+
if_attribute :attr => is { user.attr }
|
|
185
|
+
end
|
|
186
|
+
end
|
|
187
|
+
end
|
|
188
|
+
}
|
|
189
|
+
engine = Authorization::Engine.new(reader)
|
|
190
|
+
assert_equal [{}, {:attr => [:is, 1]}],
|
|
191
|
+
engine.obligations(:test, :context => :permissions,
|
|
192
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
193
|
+
end
|
|
194
|
+
|
|
195
|
+
def test_obligations_with_permissions
|
|
196
|
+
reader = Authorization::Reader::DSLReader.new
|
|
197
|
+
reader.parse %{
|
|
198
|
+
authorization do
|
|
199
|
+
role :test_role do
|
|
200
|
+
has_permission_on :permissions, :to => :test do
|
|
201
|
+
if_attribute :attr => is { user.attr }
|
|
202
|
+
end
|
|
203
|
+
has_permission_on :permission_children, :to => :test do
|
|
204
|
+
if_permitted_to :test, :permission, :context => :permissions
|
|
205
|
+
end
|
|
206
|
+
has_permission_on :permission_children_2, :to => :test do
|
|
207
|
+
if_permitted_to :test, :permission
|
|
208
|
+
end
|
|
209
|
+
has_permission_on :permission_children_children, :to => :test do
|
|
210
|
+
if_permitted_to :test, :permission_child => :permission,
|
|
211
|
+
:context => :permissions
|
|
212
|
+
end
|
|
213
|
+
end
|
|
214
|
+
end
|
|
215
|
+
}
|
|
216
|
+
engine = Authorization::Engine.new(reader)
|
|
217
|
+
assert_equal [{:permission => {:attr => [:is, 1]}}],
|
|
218
|
+
engine.obligations(:test, :context => :permission_children,
|
|
219
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
220
|
+
assert_equal [{:permission => {:attr => [:is, 1]}}],
|
|
221
|
+
engine.obligations(:test, :context => :permission_children_2,
|
|
222
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
223
|
+
assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}],
|
|
224
|
+
engine.obligations(:test, :context => :permission_children_children,
|
|
225
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
226
|
+
end
|
|
227
|
+
|
|
228
|
+
def test_obligations_with_has_many_permissions
|
|
229
|
+
reader = Authorization::Reader::DSLReader.new
|
|
230
|
+
reader.parse %{
|
|
231
|
+
authorization do
|
|
232
|
+
role :test_role do
|
|
233
|
+
has_permission_on :permissions, :to => :test do
|
|
234
|
+
if_attribute :attr => is { user.attr }
|
|
235
|
+
end
|
|
236
|
+
has_permission_on :permission_children, :to => :test do
|
|
237
|
+
if_permitted_to :test, :permissions, :context => :permissions
|
|
238
|
+
end
|
|
239
|
+
has_permission_on :permission_children_2, :to => :test do
|
|
240
|
+
if_permitted_to :test, :permissions
|
|
241
|
+
end
|
|
242
|
+
has_permission_on :permission_children_children, :to => :test do
|
|
243
|
+
if_permitted_to :test, :permission_child => :permissions,
|
|
244
|
+
:context => :permissions
|
|
245
|
+
end
|
|
246
|
+
end
|
|
247
|
+
end
|
|
248
|
+
}
|
|
249
|
+
engine = Authorization::Engine.new(reader)
|
|
250
|
+
assert_equal [{:permissions => {:attr => [:is, 1]}}],
|
|
251
|
+
engine.obligations(:test, :context => :permission_children,
|
|
252
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
253
|
+
assert_equal [{:permissions => {:attr => [:is, 1]}}],
|
|
254
|
+
engine.obligations(:test, :context => :permission_children_2,
|
|
255
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
256
|
+
assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}],
|
|
257
|
+
engine.obligations(:test, :context => :permission_children_children,
|
|
258
|
+
:user => MockUser.new(:test_role, :attr => 1))
|
|
259
|
+
end
|
|
260
|
+
|
|
261
|
+
def test_obligations_with_permissions_multiple
|
|
262
|
+
reader = Authorization::Reader::DSLReader.new
|
|
263
|
+
reader.parse %{
|
|
264
|
+
authorization do
|
|
265
|
+
role :test_role do
|
|
266
|
+
has_permission_on :permissions, :to => :test do
|
|
267
|
+
if_attribute :attr => is { 1 }
|
|
268
|
+
if_attribute :attr => is { 2 }
|
|
269
|
+
end
|
|
270
|
+
has_permission_on :permission_children_children, :to => :test do
|
|
271
|
+
if_permitted_to :test, :permission_child => :permission
|
|
272
|
+
end
|
|
273
|
+
end
|
|
274
|
+
end
|
|
275
|
+
}
|
|
276
|
+
engine = Authorization::Engine.new(reader)
|
|
277
|
+
assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}},
|
|
278
|
+
{:permission_child => {:permission => {:attr => [:is, 2]}}}],
|
|
279
|
+
engine.obligations(:test, :context => :permission_children_children,
|
|
280
|
+
:user => MockUser.new(:test_role))
|
|
281
|
+
end
|
|
282
|
+
|
|
283
|
+
def test_obligations_with_permissions_and_anded_conditions
|
|
284
|
+
reader = Authorization::Reader::DSLReader.new
|
|
285
|
+
reader.parse %{
|
|
286
|
+
authorization do
|
|
287
|
+
role :test_role do
|
|
288
|
+
has_permission_on :permission_children, :to => :test, :join_by => :and do
|
|
289
|
+
if_permitted_to :test, :permission
|
|
290
|
+
if_attribute :test_attr => 1
|
|
291
|
+
end
|
|
292
|
+
has_permission_on :permissions, :to => :test do
|
|
293
|
+
if_attribute :test_attr => 1
|
|
294
|
+
end
|
|
295
|
+
end
|
|
296
|
+
end
|
|
297
|
+
}
|
|
298
|
+
engine = Authorization::Engine.new(reader)
|
|
299
|
+
|
|
300
|
+
assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
|
|
301
|
+
engine.obligations(:test, :context => :permission_children,
|
|
302
|
+
:user => MockUser.new(:test_role))
|
|
303
|
+
end
|
|
304
|
+
|
|
305
|
+
def test_guest_user
|
|
306
|
+
reader = Authorization::Reader::DSLReader.new
|
|
307
|
+
reader.parse %{
|
|
308
|
+
authorization do
|
|
309
|
+
role :guest do
|
|
310
|
+
has_permission_on :permissions, :to => :test
|
|
311
|
+
end
|
|
312
|
+
end
|
|
313
|
+
}
|
|
314
|
+
engine = Authorization::Engine.new(reader)
|
|
315
|
+
assert engine.permit?(:test, :context => :permissions)
|
|
316
|
+
assert !engine.permit?(:test, :context => :permissions_2)
|
|
317
|
+
end
|
|
318
|
+
|
|
319
|
+
def test_default_role
|
|
320
|
+
previous_default_role = Authorization.default_role
|
|
321
|
+
Authorization.default_role = :anonymous
|
|
322
|
+
reader = Authorization::Reader::DSLReader.new
|
|
323
|
+
reader.parse %{
|
|
324
|
+
authorization do
|
|
325
|
+
role :anonymous do
|
|
326
|
+
has_permission_on :permissions, :to => :test
|
|
327
|
+
end
|
|
328
|
+
end
|
|
329
|
+
}
|
|
330
|
+
engine = Authorization::Engine.new(reader)
|
|
331
|
+
assert engine.permit?(:test, :context => :permissions)
|
|
332
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
333
|
+
:user => MockUser.new(:guest))
|
|
334
|
+
# reset the default role, so that it does not mess up other tests
|
|
335
|
+
Authorization.default_role = previous_default_role
|
|
336
|
+
end
|
|
337
|
+
|
|
338
|
+
def test_invalid_user_model
|
|
339
|
+
reader = Authorization::Reader::DSLReader.new
|
|
340
|
+
reader.parse %{
|
|
341
|
+
authorization do
|
|
342
|
+
role :guest do
|
|
343
|
+
has_permission_on :permissions, :to => :test
|
|
344
|
+
end
|
|
345
|
+
end
|
|
346
|
+
}
|
|
347
|
+
engine = Authorization::Engine.new(reader)
|
|
348
|
+
assert_raise(Authorization::AuthorizationUsageError) do
|
|
349
|
+
engine.permit?(:test, :context => :permissions, :user => MockUser.new(1, 2))
|
|
350
|
+
end
|
|
351
|
+
assert_raise(Authorization::AuthorizationUsageError) do
|
|
352
|
+
engine.permit?(:test, :context => :permissions, :user => MockDataObject.new)
|
|
353
|
+
end
|
|
354
|
+
end
|
|
355
|
+
|
|
356
|
+
def test_role_hierarchy
|
|
357
|
+
reader = Authorization::Reader::DSLReader.new
|
|
358
|
+
reader.parse %{
|
|
359
|
+
authorization do
|
|
360
|
+
role :test_role do
|
|
361
|
+
includes :lower_role
|
|
362
|
+
has_permission_on :permissions, :to => :test
|
|
363
|
+
end
|
|
364
|
+
role :lower_role do
|
|
365
|
+
has_permission_on :permissions, :to => :lower
|
|
366
|
+
end
|
|
367
|
+
end
|
|
368
|
+
}
|
|
369
|
+
engine = Authorization::Engine.new(reader)
|
|
370
|
+
assert engine.permit?(:lower, :context => :permissions,
|
|
371
|
+
:user => MockUser.new(:test_role))
|
|
372
|
+
end
|
|
373
|
+
|
|
374
|
+
def test_role_hierarchy_infinity
|
|
375
|
+
reader = Authorization::Reader::DSLReader.new
|
|
376
|
+
reader.parse %{
|
|
377
|
+
authorization do
|
|
378
|
+
role :test_role do
|
|
379
|
+
includes :lower_role
|
|
380
|
+
has_permission_on :permissions, :to => :test
|
|
381
|
+
end
|
|
382
|
+
role :lower_role do
|
|
383
|
+
includes :higher_role
|
|
384
|
+
has_permission_on :permissions, :to => :lower
|
|
385
|
+
end
|
|
386
|
+
end
|
|
387
|
+
}
|
|
388
|
+
engine = Authorization::Engine.new(reader)
|
|
389
|
+
assert engine.permit?(:lower, :context => :permissions,
|
|
390
|
+
:user => MockUser.new(:test_role))
|
|
391
|
+
end
|
|
392
|
+
|
|
393
|
+
def test_privilege_hierarchy
|
|
394
|
+
reader = Authorization::Reader::DSLReader.new
|
|
395
|
+
reader.parse %{
|
|
396
|
+
privileges do
|
|
397
|
+
privilege :test, :permissions do
|
|
398
|
+
includes :lower
|
|
399
|
+
end
|
|
400
|
+
end
|
|
401
|
+
authorization do
|
|
402
|
+
role :test_role do
|
|
403
|
+
has_permission_on :permissions, :to => :test
|
|
404
|
+
end
|
|
405
|
+
end
|
|
406
|
+
}
|
|
407
|
+
engine = Authorization::Engine.new(reader)
|
|
408
|
+
assert engine.permit?(:lower, :context => :permissions,
|
|
409
|
+
:user => MockUser.new(:test_role))
|
|
410
|
+
end
|
|
411
|
+
|
|
412
|
+
def test_privilege_hierarchy_without_context
|
|
413
|
+
reader = Authorization::Reader::DSLReader.new
|
|
414
|
+
reader.parse %{
|
|
415
|
+
privileges do
|
|
416
|
+
privilege :read do
|
|
417
|
+
includes :list, :show
|
|
418
|
+
end
|
|
419
|
+
end
|
|
420
|
+
authorization do
|
|
421
|
+
role :test_role do
|
|
422
|
+
has_permission_on :permissions, :to => :read
|
|
423
|
+
end
|
|
424
|
+
end
|
|
425
|
+
}
|
|
426
|
+
engine = Authorization::Engine.new(reader)
|
|
427
|
+
assert engine.permit?(:list, :context => :permissions,
|
|
428
|
+
:user => MockUser.new(:test_role))
|
|
429
|
+
end
|
|
430
|
+
|
|
431
|
+
def test_attribute_is
|
|
432
|
+
reader = Authorization::Reader::DSLReader.new
|
|
433
|
+
reader.parse %|
|
|
434
|
+
authorization do
|
|
435
|
+
role :test_role do
|
|
436
|
+
has_permission_on :permissions, :to => :test do
|
|
437
|
+
if_attribute :test_attr => is { user.test_attr }
|
|
438
|
+
if_attribute :test_attr => 3
|
|
439
|
+
end
|
|
440
|
+
end
|
|
441
|
+
end
|
|
442
|
+
|
|
|
443
|
+
engine = Authorization::Engine.new(reader)
|
|
444
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
445
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
446
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
447
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
448
|
+
:user => MockUser.new(:test_role, :test_attr => 2),
|
|
449
|
+
:object => MockDataObject.new(:test_attr => 3))
|
|
450
|
+
assert((not(engine.permit?(:test, :context => :permissions,
|
|
451
|
+
:user => MockUser.new(:test_role, :test_attr => 2),
|
|
452
|
+
:object => MockDataObject.new(:test_attr => 1)))))
|
|
453
|
+
end
|
|
454
|
+
|
|
455
|
+
def test_attribute_is_not
|
|
456
|
+
reader = Authorization::Reader::DSLReader.new
|
|
457
|
+
reader.parse %|
|
|
458
|
+
authorization do
|
|
459
|
+
role :test_role do
|
|
460
|
+
has_permission_on :permissions, :to => :test do
|
|
461
|
+
if_attribute :test_attr => is_not { user.test_attr }
|
|
462
|
+
end
|
|
463
|
+
end
|
|
464
|
+
end
|
|
465
|
+
|
|
|
466
|
+
engine = Authorization::Engine.new(reader)
|
|
467
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
468
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
469
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
470
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
471
|
+
:user => MockUser.new(:test_role, :test_attr => 2),
|
|
472
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
473
|
+
end
|
|
474
|
+
|
|
475
|
+
def test_attribute_contains
|
|
476
|
+
reader = Authorization::Reader::DSLReader.new
|
|
477
|
+
reader.parse %|
|
|
478
|
+
authorization do
|
|
479
|
+
role :test_role do
|
|
480
|
+
has_permission_on :permissions, :to => :test do
|
|
481
|
+
if_attribute :test_attr => contains { user.test_attr }
|
|
482
|
+
end
|
|
483
|
+
end
|
|
484
|
+
end
|
|
485
|
+
|
|
|
486
|
+
engine = Authorization::Engine.new(reader)
|
|
487
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
488
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
489
|
+
:object => MockDataObject.new(:test_attr => [1,2]))
|
|
490
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
491
|
+
:user => MockUser.new(:test_role, :test_attr => 3),
|
|
492
|
+
:object => MockDataObject.new(:test_attr => [1,2]))
|
|
493
|
+
end
|
|
494
|
+
|
|
495
|
+
def test_attribute_does_not_contain
|
|
496
|
+
reader = Authorization::Reader::DSLReader.new
|
|
497
|
+
reader.parse %|
|
|
498
|
+
authorization do
|
|
499
|
+
role :test_role do
|
|
500
|
+
has_permission_on :permissions, :to => :test do
|
|
501
|
+
if_attribute :test_attr => does_not_contain { user.test_attr }
|
|
502
|
+
end
|
|
503
|
+
end
|
|
504
|
+
end
|
|
505
|
+
|
|
|
506
|
+
engine = Authorization::Engine.new(reader)
|
|
507
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
508
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
509
|
+
:object => MockDataObject.new(:test_attr => [1,2]))
|
|
510
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
511
|
+
:user => MockUser.new(:test_role, :test_attr => 3),
|
|
512
|
+
:object => MockDataObject.new(:test_attr => [1,2]))
|
|
513
|
+
end
|
|
514
|
+
|
|
515
|
+
def test_attribute_in_array
|
|
516
|
+
reader = Authorization::Reader::DSLReader.new
|
|
517
|
+
reader.parse %|
|
|
518
|
+
authorization do
|
|
519
|
+
role :test_role do
|
|
520
|
+
has_permission_on :permissions, :to => :test do
|
|
521
|
+
if_attribute :test_attr => is_in { [1,2] }
|
|
522
|
+
if_attribute :test_attr => [2,3]
|
|
523
|
+
end
|
|
524
|
+
end
|
|
525
|
+
end
|
|
526
|
+
|
|
|
527
|
+
engine = Authorization::Engine.new(reader)
|
|
528
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
529
|
+
:user => MockUser.new(:test_role),
|
|
530
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
531
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
532
|
+
:user => MockUser.new(:test_role),
|
|
533
|
+
:object => MockDataObject.new(:test_attr => 3))
|
|
534
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
535
|
+
:user => MockUser.new(:test_role),
|
|
536
|
+
:object => MockDataObject.new(:test_attr => 4))
|
|
537
|
+
end
|
|
538
|
+
|
|
539
|
+
def test_attribute_not_in_array
|
|
540
|
+
reader = Authorization::Reader::DSLReader.new
|
|
541
|
+
reader.parse %|
|
|
542
|
+
authorization do
|
|
543
|
+
role :test_role do
|
|
544
|
+
has_permission_on :permissions, :to => :test do
|
|
545
|
+
if_attribute :test_attr => is_not_in { [1,2] }
|
|
546
|
+
end
|
|
547
|
+
end
|
|
548
|
+
end
|
|
549
|
+
|
|
|
550
|
+
engine = Authorization::Engine.new(reader)
|
|
551
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
552
|
+
:user => MockUser.new(:test_role),
|
|
553
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
554
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
555
|
+
:user => MockUser.new(:test_role),
|
|
556
|
+
:object => MockDataObject.new(:test_attr => 4))
|
|
557
|
+
end
|
|
558
|
+
|
|
559
|
+
def test_attribute_intersects_with
|
|
560
|
+
reader = Authorization::Reader::DSLReader.new
|
|
561
|
+
reader.parse %{
|
|
562
|
+
authorization do
|
|
563
|
+
role :test_role do
|
|
564
|
+
has_permission_on :permissions, :to => :test do
|
|
565
|
+
if_attribute :test_attrs => intersects_with { [1,2] }
|
|
566
|
+
end
|
|
567
|
+
end
|
|
568
|
+
role :test_role_2 do
|
|
569
|
+
has_permission_on :permissions, :to => :test do
|
|
570
|
+
if_attribute :test_attrs => intersects_with { 1 }
|
|
571
|
+
end
|
|
572
|
+
end
|
|
573
|
+
end
|
|
574
|
+
}
|
|
575
|
+
|
|
576
|
+
engine = Authorization::Engine.new(reader)
|
|
577
|
+
assert_raise Authorization::AuthorizationUsageError do
|
|
578
|
+
engine.permit?(:test, :context => :permissions,
|
|
579
|
+
:user => MockUser.new(:test_role),
|
|
580
|
+
:object => MockDataObject.new(:test_attrs => 1 ))
|
|
581
|
+
end
|
|
582
|
+
assert_raise Authorization::AuthorizationUsageError do
|
|
583
|
+
engine.permit?(:test, :context => :permissions,
|
|
584
|
+
:user => MockUser.new(:test_role_2),
|
|
585
|
+
:object => MockDataObject.new(:test_attrs => [1, 2] ))
|
|
586
|
+
end
|
|
587
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
588
|
+
:user => MockUser.new(:test_role),
|
|
589
|
+
:object => MockDataObject.new(:test_attrs => [1,3] ))
|
|
590
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
591
|
+
:user => MockUser.new(:test_role),
|
|
592
|
+
:object => MockDataObject.new(:test_attrs => [3,4] ))
|
|
593
|
+
end
|
|
594
|
+
|
|
595
|
+
def test_attribute_lte
|
|
596
|
+
reader = Authorization::Reader::DSLReader.new
|
|
597
|
+
reader.parse %|
|
|
598
|
+
authorization do
|
|
599
|
+
role :test_role do
|
|
600
|
+
has_permission_on :permissions, :to => :test do
|
|
601
|
+
if_attribute :test_attr => lte { user.test_attr }
|
|
602
|
+
if_attribute :test_attr => 3
|
|
603
|
+
end
|
|
604
|
+
end
|
|
605
|
+
end
|
|
606
|
+
|
|
|
607
|
+
engine = Authorization::Engine.new(reader)
|
|
608
|
+
# object < user -> pass
|
|
609
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
610
|
+
:user => MockUser.new(:test_role, :test_attr => 2),
|
|
611
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
612
|
+
# object > user && object = control -> pass
|
|
613
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
614
|
+
:user => MockUser.new(:test_role, :test_attr => 2),
|
|
615
|
+
:object => MockDataObject.new(:test_attr => 3))
|
|
616
|
+
# object = user -> pass
|
|
617
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
618
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
619
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
620
|
+
# object > user -> fail
|
|
621
|
+
assert((not(engine.permit?(:test, :context => :permissions,
|
|
622
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
623
|
+
:object => MockDataObject.new(:test_attr => 2)))))
|
|
624
|
+
end
|
|
625
|
+
|
|
626
|
+
def test_attribute_gt
|
|
627
|
+
reader = Authorization::Reader::DSLReader.new
|
|
628
|
+
reader.parse %|
|
|
629
|
+
authorization do
|
|
630
|
+
role :test_role do
|
|
631
|
+
has_permission_on :permissions, :to => :test do
|
|
632
|
+
if_attribute :test_attr => gt { user.test_attr }
|
|
633
|
+
if_attribute :test_attr => 3
|
|
634
|
+
end
|
|
635
|
+
end
|
|
636
|
+
end
|
|
637
|
+
|
|
|
638
|
+
engine = Authorization::Engine.new(reader)
|
|
639
|
+
# object > user -> pass
|
|
640
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
641
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
642
|
+
:object => MockDataObject.new(:test_attr => 2))
|
|
643
|
+
# object < user && object = control -> pass
|
|
644
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
645
|
+
:user => MockUser.new(:test_role, :test_attr => 4),
|
|
646
|
+
:object => MockDataObject.new(:test_attr => 3))
|
|
647
|
+
# object = user -> fail
|
|
648
|
+
assert((not(engine.permit?(:test, :context => :permissions,
|
|
649
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
650
|
+
:object => MockDataObject.new(:test_attr => 1)))))
|
|
651
|
+
# object < user -> fail
|
|
652
|
+
assert((not(engine.permit?(:test, :context => :permissions,
|
|
653
|
+
:user => MockUser.new(:test_role, :test_attr => 2),
|
|
654
|
+
:object => MockDataObject.new(:test_attr => 1)))))
|
|
655
|
+
end
|
|
656
|
+
|
|
657
|
+
def test_attribute_gte
|
|
658
|
+
reader = Authorization::Reader::DSLReader.new
|
|
659
|
+
reader.parse %|
|
|
660
|
+
authorization do
|
|
661
|
+
role :test_role do
|
|
662
|
+
has_permission_on :permissions, :to => :test do
|
|
663
|
+
if_attribute :test_attr => gte { user.test_attr }
|
|
664
|
+
if_attribute :test_attr => 3
|
|
665
|
+
end
|
|
666
|
+
end
|
|
667
|
+
end
|
|
668
|
+
|
|
|
669
|
+
engine = Authorization::Engine.new(reader)
|
|
670
|
+
# object > user -> pass
|
|
671
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
672
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
673
|
+
:object => MockDataObject.new(:test_attr => 2))
|
|
674
|
+
# object < user && object = control -> pass
|
|
675
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
676
|
+
:user => MockUser.new(:test_role, :test_attr => 4),
|
|
677
|
+
:object => MockDataObject.new(:test_attr => 3))
|
|
678
|
+
# object = user -> pass
|
|
679
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
680
|
+
:user => MockUser.new(:test_role, :test_attr => 1),
|
|
681
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
682
|
+
# object < user -> fail
|
|
683
|
+
assert((not(engine.permit?(:test, :context => :permissions,
|
|
684
|
+
:user => MockUser.new(:test_role, :test_attr => 2),
|
|
685
|
+
:object => MockDataObject.new(:test_attr => 1)))))
|
|
686
|
+
end
|
|
687
|
+
|
|
688
|
+
def test_attribute_deep
|
|
689
|
+
reader = Authorization::Reader::DSLReader.new
|
|
690
|
+
reader.parse %|
|
|
691
|
+
authorization do
|
|
692
|
+
role :test_role do
|
|
693
|
+
has_permission_on :permissions, :to => :test do
|
|
694
|
+
if_attribute :test_attr_1 => {:test_attr_2 => contains { 1 }}
|
|
695
|
+
end
|
|
696
|
+
end
|
|
697
|
+
end
|
|
698
|
+
|
|
|
699
|
+
engine = Authorization::Engine.new(reader)
|
|
700
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
701
|
+
:user => MockUser.new(:test_role),
|
|
702
|
+
:object => MockDataObject.new(:test_attr_1 =>
|
|
703
|
+
MockDataObject.new(:test_attr_2 => [1,2])))
|
|
704
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
705
|
+
:user => MockUser.new(:test_role),
|
|
706
|
+
:object => MockDataObject.new(:test_attr_1 =>
|
|
707
|
+
MockDataObject.new(:test_attr_2 => [3,4])))
|
|
708
|
+
assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}],
|
|
709
|
+
engine.obligations(:test, :context => :permissions,
|
|
710
|
+
:user => MockUser.new(:test_role))
|
|
711
|
+
end
|
|
712
|
+
|
|
713
|
+
def test_attribute_has_many
|
|
714
|
+
reader = Authorization::Reader::DSLReader.new
|
|
715
|
+
reader.parse %|
|
|
716
|
+
authorization do
|
|
717
|
+
role :test_role do
|
|
718
|
+
has_permission_on :companies, :to => :read do
|
|
719
|
+
if_attribute :branches => {:city => is { user.city } }
|
|
720
|
+
end
|
|
721
|
+
end
|
|
722
|
+
end
|
|
723
|
+
|
|
|
724
|
+
engine = Authorization::Engine.new(reader)
|
|
725
|
+
|
|
726
|
+
company = MockDataObject.new(:branches => [
|
|
727
|
+
MockDataObject.new(:city => 'Barcelona'),
|
|
728
|
+
MockDataObject.new(:city => 'Paris')
|
|
729
|
+
])
|
|
730
|
+
assert engine.permit!(:read, :context => :companies,
|
|
731
|
+
:user => MockUser.new(:test_role, :city => 'Paris'),
|
|
732
|
+
:object => company)
|
|
733
|
+
assert !engine.permit?(:read, :context => :companies,
|
|
734
|
+
:user => MockUser.new(:test_role, :city => 'London'),
|
|
735
|
+
:object => company)
|
|
736
|
+
end
|
|
737
|
+
|
|
738
|
+
def test_attribute_non_block
|
|
739
|
+
reader = Authorization::Reader::DSLReader.new
|
|
740
|
+
reader.parse %|
|
|
741
|
+
authorization do
|
|
742
|
+
role :test_role do
|
|
743
|
+
has_permission_on :permissions, :to => :test do
|
|
744
|
+
if_attribute :test_attr => 1
|
|
745
|
+
end
|
|
746
|
+
end
|
|
747
|
+
end
|
|
748
|
+
|
|
|
749
|
+
engine = Authorization::Engine.new(reader)
|
|
750
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
751
|
+
:user => MockUser.new(:test_role),
|
|
752
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
753
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
754
|
+
:user => MockUser.new(:test_role),
|
|
755
|
+
:object => MockDataObject.new(:test_attr => 2))
|
|
756
|
+
end
|
|
757
|
+
|
|
758
|
+
def test_attribute_multiple
|
|
759
|
+
reader = Authorization::Reader::DSLReader.new
|
|
760
|
+
reader.parse %{
|
|
761
|
+
authorization do
|
|
762
|
+
role :test_role do
|
|
763
|
+
has_permission_on :permissions, :to => :test do
|
|
764
|
+
if_attribute :test_attr => 1
|
|
765
|
+
if_attribute :test_attr => 2 # or
|
|
766
|
+
end
|
|
767
|
+
end
|
|
768
|
+
end
|
|
769
|
+
}
|
|
770
|
+
engine = Authorization::Engine.new(reader)
|
|
771
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
772
|
+
:user => MockUser.new(:test_role),
|
|
773
|
+
:object => MockDataObject.new(:test_attr => 1))
|
|
774
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
775
|
+
:user => MockUser.new(:test_role),
|
|
776
|
+
:object => MockDataObject.new(:test_attr => 2))
|
|
777
|
+
end
|
|
778
|
+
|
|
779
|
+
class PermissionMock < MockDataObject
|
|
780
|
+
def self.name
|
|
781
|
+
"Permission"
|
|
782
|
+
end
|
|
783
|
+
end
|
|
784
|
+
def test_attribute_with_permissions
|
|
785
|
+
reader = Authorization::Reader::DSLReader.new
|
|
786
|
+
reader.parse %{
|
|
787
|
+
authorization do
|
|
788
|
+
role :test_role do
|
|
789
|
+
has_permission_on :permissions, :to => :test do
|
|
790
|
+
if_attribute :test_attr => 1
|
|
791
|
+
end
|
|
792
|
+
has_permission_on :permission_children, :to => :test do
|
|
793
|
+
if_permitted_to :test, :permission
|
|
794
|
+
end
|
|
795
|
+
end
|
|
796
|
+
end
|
|
797
|
+
}
|
|
798
|
+
engine = Authorization::Engine.new(reader)
|
|
799
|
+
|
|
800
|
+
perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
|
|
801
|
+
perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
|
|
802
|
+
assert engine.permit?(:test, :context => :permission_children,
|
|
803
|
+
:user => MockUser.new(:test_role),
|
|
804
|
+
:object => MockDataObject.new(:permission => perm_data_attr_1))
|
|
805
|
+
assert !engine.permit?(:test, :context => :permission_children,
|
|
806
|
+
:user => MockUser.new(:test_role),
|
|
807
|
+
:object => MockDataObject.new(:permission => perm_data_attr_2))
|
|
808
|
+
end
|
|
809
|
+
|
|
810
|
+
def test_attribute_with_has_many_permissions
|
|
811
|
+
reader = Authorization::Reader::DSLReader.new
|
|
812
|
+
reader.parse %{
|
|
813
|
+
authorization do
|
|
814
|
+
role :test_role do
|
|
815
|
+
has_permission_on :permissions, :to => :test do
|
|
816
|
+
if_attribute :test_attr => 1
|
|
817
|
+
end
|
|
818
|
+
has_permission_on :permission_children, :to => :test do
|
|
819
|
+
if_permitted_to :test, :permissions
|
|
820
|
+
end
|
|
821
|
+
end
|
|
822
|
+
end
|
|
823
|
+
}
|
|
824
|
+
engine = Authorization::Engine.new(reader)
|
|
825
|
+
|
|
826
|
+
perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
|
|
827
|
+
perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
|
|
828
|
+
assert engine.permit?(:test, :context => :permission_children,
|
|
829
|
+
:user => MockUser.new(:test_role),
|
|
830
|
+
:object => MockDataObject.new(:permissions => [perm_data_attr_1]))
|
|
831
|
+
assert !engine.permit?(:test, :context => :permission_children,
|
|
832
|
+
:user => MockUser.new(:test_role),
|
|
833
|
+
:object => MockDataObject.new(:permissions => [perm_data_attr_2]))
|
|
834
|
+
end
|
|
835
|
+
|
|
836
|
+
def test_attribute_with_deep_permissions
|
|
837
|
+
reader = Authorization::Reader::DSLReader.new
|
|
838
|
+
reader.parse %{
|
|
839
|
+
authorization do
|
|
840
|
+
role :test_role do
|
|
841
|
+
has_permission_on :permissions, :to => :test do
|
|
842
|
+
if_attribute :test_attr => 1
|
|
843
|
+
end
|
|
844
|
+
has_permission_on :permission_children, :to => :test do
|
|
845
|
+
if_permitted_to :test, :shallow_permission => :permission
|
|
846
|
+
end
|
|
847
|
+
end
|
|
848
|
+
end
|
|
849
|
+
}
|
|
850
|
+
engine = Authorization::Engine.new(reader)
|
|
851
|
+
|
|
852
|
+
perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
|
|
853
|
+
perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
|
|
854
|
+
assert engine.permit?(:test, :context => :permission_children,
|
|
855
|
+
:user => MockUser.new(:test_role),
|
|
856
|
+
:object => MockDataObject.new(:shallow_permission =>
|
|
857
|
+
MockDataObject.new(:permission => perm_data_attr_1)))
|
|
858
|
+
assert !engine.permit?(:test, :context => :permission_children,
|
|
859
|
+
:user => MockUser.new(:test_role),
|
|
860
|
+
:object => MockDataObject.new(:shallow_permission =>
|
|
861
|
+
MockDataObject.new(:permission => perm_data_attr_2)))
|
|
862
|
+
end
|
|
863
|
+
|
|
864
|
+
def test_attribute_with_deep_has_many_permissions
|
|
865
|
+
reader = Authorization::Reader::DSLReader.new
|
|
866
|
+
reader.parse %{
|
|
867
|
+
authorization do
|
|
868
|
+
role :test_role do
|
|
869
|
+
has_permission_on :permissions, :to => :test do
|
|
870
|
+
if_attribute :test_attr => 1
|
|
871
|
+
end
|
|
872
|
+
has_permission_on :permission_children, :to => :test do
|
|
873
|
+
if_permitted_to :test, :shallow_permissions => :permission
|
|
874
|
+
end
|
|
875
|
+
end
|
|
876
|
+
end
|
|
877
|
+
}
|
|
878
|
+
engine = Authorization::Engine.new(reader)
|
|
879
|
+
|
|
880
|
+
perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
|
|
881
|
+
perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
|
|
882
|
+
assert engine.permit?(:test, :context => :permission_children,
|
|
883
|
+
:user => MockUser.new(:test_role),
|
|
884
|
+
:object => MockDataObject.new(:shallow_permissions =>
|
|
885
|
+
[MockDataObject.new(:permission => perm_data_attr_1)]))
|
|
886
|
+
assert !engine.permit?(:test, :context => :permission_children,
|
|
887
|
+
:user => MockUser.new(:test_role),
|
|
888
|
+
:object => MockDataObject.new(:shallow_permissions =>
|
|
889
|
+
[MockDataObject.new(:permission => perm_data_attr_2)]))
|
|
890
|
+
end
|
|
891
|
+
|
|
892
|
+
def test_attribute_with_permissions_nil
|
|
893
|
+
reader = Authorization::Reader::DSLReader.new
|
|
894
|
+
reader.parse %{
|
|
895
|
+
authorization do
|
|
896
|
+
role :test_role do
|
|
897
|
+
has_permission_on :permissions, :to => :test do
|
|
898
|
+
if_attribute :test_attr => 1
|
|
899
|
+
end
|
|
900
|
+
has_permission_on :permission_children, :to => :test do
|
|
901
|
+
if_permitted_to :test, :permission
|
|
902
|
+
end
|
|
903
|
+
end
|
|
904
|
+
end
|
|
905
|
+
}
|
|
906
|
+
engine = Authorization::Engine.new(reader)
|
|
907
|
+
|
|
908
|
+
assert_nothing_raised do
|
|
909
|
+
engine.permit?(:test, :context => :permission_children,
|
|
910
|
+
:user => MockUser.new(:test_role),
|
|
911
|
+
:object => MockDataObject.new(:permission => nil))
|
|
912
|
+
end
|
|
913
|
+
|
|
914
|
+
assert !engine.permit?(:test, :context => :permission_children,
|
|
915
|
+
:user => MockUser.new(:test_role),
|
|
916
|
+
:object => MockDataObject.new(:permission => nil))
|
|
917
|
+
end
|
|
918
|
+
|
|
919
|
+
def test_attribute_with_permissions_on_self
|
|
920
|
+
reader = Authorization::Reader::DSLReader.new
|
|
921
|
+
reader.parse %{
|
|
922
|
+
authorization do
|
|
923
|
+
role :test_role do
|
|
924
|
+
has_permission_on :permissions, :to => :test do
|
|
925
|
+
if_attribute :test_attr => 1
|
|
926
|
+
end
|
|
927
|
+
has_permission_on :permissions, :to => :another_test do
|
|
928
|
+
if_permitted_to :test
|
|
929
|
+
end
|
|
930
|
+
end
|
|
931
|
+
end
|
|
932
|
+
}
|
|
933
|
+
engine = Authorization::Engine.new(reader)
|
|
934
|
+
|
|
935
|
+
perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
|
|
936
|
+
perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
|
|
937
|
+
assert engine.permit?(:another_test, :context => :permissions,
|
|
938
|
+
:user => MockUser.new(:test_role),
|
|
939
|
+
:object => perm_data_attr_1)
|
|
940
|
+
assert !engine.permit?(:another_test, :context => :permissions,
|
|
941
|
+
:user => MockUser.new(:test_role),
|
|
942
|
+
:object => perm_data_attr_2)
|
|
943
|
+
end
|
|
944
|
+
|
|
945
|
+
def test_attribute_with_permissions_on_self_with_context
|
|
946
|
+
reader = Authorization::Reader::DSLReader.new
|
|
947
|
+
reader.parse %{
|
|
948
|
+
authorization do
|
|
949
|
+
role :test_role do
|
|
950
|
+
has_permission_on :permissions, :to => :test do
|
|
951
|
+
if_attribute :test_attr => 1
|
|
952
|
+
end
|
|
953
|
+
has_permission_on :permissions, :to => :another_test do
|
|
954
|
+
if_permitted_to :test, :context => :permissions
|
|
955
|
+
end
|
|
956
|
+
end
|
|
957
|
+
end
|
|
958
|
+
}
|
|
959
|
+
engine = Authorization::Engine.new(reader)
|
|
960
|
+
|
|
961
|
+
perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
|
|
962
|
+
perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
|
|
963
|
+
assert engine.permit?(:another_test, :context => :permissions,
|
|
964
|
+
:user => MockUser.new(:test_role),
|
|
965
|
+
:object => perm_data_attr_1)
|
|
966
|
+
assert !engine.permit?(:another_test, :context => :permissions,
|
|
967
|
+
:user => MockUser.new(:test_role),
|
|
968
|
+
:object => perm_data_attr_2)
|
|
969
|
+
end
|
|
970
|
+
|
|
971
|
+
def test_attribute_with_permissions_and_anded_rules
|
|
972
|
+
reader = Authorization::Reader::DSLReader.new
|
|
973
|
+
reader.parse %{
|
|
974
|
+
authorization do
|
|
975
|
+
role :test_role do
|
|
976
|
+
has_permission_on :permissions, :to => :test do
|
|
977
|
+
if_attribute :test_attr => 1
|
|
978
|
+
end
|
|
979
|
+
has_permission_on :permission_children, :to => :test, :join_by => :and do
|
|
980
|
+
if_permitted_to :test, :permission
|
|
981
|
+
if_attribute :test_attr => 1
|
|
982
|
+
end
|
|
983
|
+
end
|
|
984
|
+
end
|
|
985
|
+
}
|
|
986
|
+
engine = Authorization::Engine.new(reader)
|
|
987
|
+
|
|
988
|
+
perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
|
|
989
|
+
perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
|
|
990
|
+
assert engine.permit?(:test, :context => :permission_children,
|
|
991
|
+
:user => MockUser.new(:test_role),
|
|
992
|
+
:object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
|
|
993
|
+
assert !engine.permit?(:test, :context => :permission_children,
|
|
994
|
+
:user => MockUser.new(:test_role),
|
|
995
|
+
:object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
|
|
996
|
+
assert !engine.permit?(:test, :context => :permission_children,
|
|
997
|
+
:user => MockUser.new(:test_role),
|
|
998
|
+
:object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
|
|
999
|
+
end
|
|
1000
|
+
|
|
1001
|
+
def test_attribute_with_anded_rules
|
|
1002
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1003
|
+
reader.parse %{
|
|
1004
|
+
authorization do
|
|
1005
|
+
role :test_role do
|
|
1006
|
+
has_permission_on :permissions, :to => :test, :join_by => :and do
|
|
1007
|
+
if_attribute :test_attr => 1
|
|
1008
|
+
if_attribute :test_attr_2 => 2
|
|
1009
|
+
end
|
|
1010
|
+
end
|
|
1011
|
+
end
|
|
1012
|
+
}
|
|
1013
|
+
engine = Authorization::Engine.new(reader)
|
|
1014
|
+
|
|
1015
|
+
assert engine.permit?(:test, :context => :permissions,
|
|
1016
|
+
:user => MockUser.new(:test_role),
|
|
1017
|
+
:object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
|
|
1018
|
+
assert !engine.permit?(:test, :context => :permissions,
|
|
1019
|
+
:user => MockUser.new(:test_role),
|
|
1020
|
+
:object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
|
|
1021
|
+
end
|
|
1022
|
+
|
|
1023
|
+
def test_raise_on_if_attribute_hash_on_collection
|
|
1024
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1025
|
+
reader.parse %{
|
|
1026
|
+
authorization do
|
|
1027
|
+
role :test_role do
|
|
1028
|
+
has_permission_on :permissions, :to => :test do
|
|
1029
|
+
if_attribute :test_attrs => {:attr => is {1}}
|
|
1030
|
+
end
|
|
1031
|
+
end
|
|
1032
|
+
end
|
|
1033
|
+
}
|
|
1034
|
+
engine = Authorization::Engine.new(reader)
|
|
1035
|
+
assert_raise Authorization::AuthorizationUsageError do
|
|
1036
|
+
engine.permit?(:test, :context => :permissions,
|
|
1037
|
+
:user => MockUser.new(:test_role),
|
|
1038
|
+
:object => MockDataObject.new(:test_attrs => [1, 2, 3]))
|
|
1039
|
+
end
|
|
1040
|
+
end
|
|
1041
|
+
|
|
1042
|
+
def test_role_title_description
|
|
1043
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1044
|
+
reader.parse %{
|
|
1045
|
+
authorization do
|
|
1046
|
+
role :test_role, :title => 'Test Role' do
|
|
1047
|
+
description "Test Role Description"
|
|
1048
|
+
end
|
|
1049
|
+
end
|
|
1050
|
+
}
|
|
1051
|
+
engine = Authorization::Engine.new(reader)
|
|
1052
|
+
assert engine.roles.include?(:test_role)
|
|
1053
|
+
assert_equal "Test Role", engine.role_titles[:test_role]
|
|
1054
|
+
assert_equal "Test Role", engine.title_for(:test_role)
|
|
1055
|
+
assert_nil engine.title_for(:test_role_2)
|
|
1056
|
+
assert_equal "Test Role Description", engine.role_descriptions[:test_role]
|
|
1057
|
+
assert_equal "Test Role Description", engine.description_for(:test_role)
|
|
1058
|
+
assert_nil engine.description_for(:test_role_2)
|
|
1059
|
+
end
|
|
1060
|
+
|
|
1061
|
+
def test_multithread
|
|
1062
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1063
|
+
reader.parse %{
|
|
1064
|
+
authorization do
|
|
1065
|
+
role :test_role do
|
|
1066
|
+
has_permission_on :permissions, :to => :test
|
|
1067
|
+
end
|
|
1068
|
+
end
|
|
1069
|
+
}
|
|
1070
|
+
|
|
1071
|
+
engine = Authorization::Engine.new(reader)
|
|
1072
|
+
Authorization.current_user = MockUser.new(:test_role)
|
|
1073
|
+
assert engine.permit?(:test, :context => :permissions)
|
|
1074
|
+
Thread.new do
|
|
1075
|
+
Authorization.current_user = MockUser.new(:test_role2)
|
|
1076
|
+
assert !engine.permit?(:test, :context => :permissions)
|
|
1077
|
+
end
|
|
1078
|
+
assert engine.permit?(:test, :context => :permissions)
|
|
1079
|
+
Authorization.current_user = nil
|
|
1080
|
+
end
|
|
1081
|
+
|
|
1082
|
+
def test_clone
|
|
1083
|
+
reader = Authorization::Reader::DSLReader.new
|
|
1084
|
+
reader.parse %{
|
|
1085
|
+
authorization do
|
|
1086
|
+
role :test_role do
|
|
1087
|
+
has_permission_on :permissions, :to => :test do
|
|
1088
|
+
if_attribute :attr => { :sub_attr => is { user } }
|
|
1089
|
+
if_permitted_to :read, :attr_2 => :attr_3
|
|
1090
|
+
if_permitted_to :read, :attr_2
|
|
1091
|
+
end
|
|
1092
|
+
end
|
|
1093
|
+
end
|
|
1094
|
+
}
|
|
1095
|
+
|
|
1096
|
+
engine = Authorization::Engine.new(reader)
|
|
1097
|
+
cloned_engine = engine.clone
|
|
1098
|
+
assert_not_equal engine.auth_rules[0].contexts.object_id,
|
|
1099
|
+
cloned_engine.auth_rules[0].contexts.object_id
|
|
1100
|
+
assert_not_equal engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
|
|
1101
|
+
cloned_engine.auth_rules[0].attributes[0].send(:instance_variable_get, :@conditions_hash)[:attr].object_id
|
|
1102
|
+
end
|
|
1103
|
+
end
|
|
1104
|
+
|