graylog2-declarative_authorization 0.5.2

  1. data/CHANGELOG +153 -0
  2. data/MIT-LICENSE +20 -0
  3. data/README.rdoc +529 -0
  4. data/Rakefile +35 -0
  5. data/app/controllers/authorization_rules_controller.rb +259 -0
  6. data/app/controllers/authorization_usages_controller.rb +23 -0
  7. data/app/helpers/authorization_rules_helper.rb +218 -0
  8. data/app/views/authorization_rules/_change.erb +58 -0
  9. data/app/views/authorization_rules/_show_graph.erb +44 -0
  10. data/app/views/authorization_rules/_suggestions.erb +48 -0
  11. data/app/views/authorization_rules/change.html.erb +169 -0
  12. data/app/views/authorization_rules/graph.dot.erb +68 -0
  13. data/app/views/authorization_rules/graph.html.erb +47 -0
  14. data/app/views/authorization_rules/index.html.erb +17 -0
  15. data/app/views/authorization_usages/index.html.erb +36 -0
  16. data/authorization_rules.dist.rb +20 -0
  17. data/config/routes.rb +20 -0
  18. data/garlic_example.rb +20 -0
  19. data/init.rb +5 -0
  20. data/lib/declarative_authorization.rb +17 -0
  21. data/lib/declarative_authorization/authorization.rb +705 -0
  22. data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
  23. data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
  24. data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
  25. data/lib/declarative_authorization/development_support/development_support.rb +243 -0
  26. data/lib/declarative_authorization/helper.rb +68 -0
  27. data/lib/declarative_authorization/in_controller.rb +645 -0
  28. data/lib/declarative_authorization/in_model.rb +162 -0
  29. data/lib/declarative_authorization/maintenance.rb +212 -0
  30. data/lib/declarative_authorization/obligation_scope.rb +354 -0
  31. data/lib/declarative_authorization/rails_legacy.rb +22 -0
  32. data/lib/declarative_authorization/railsengine.rb +6 -0
  33. data/lib/declarative_authorization/reader.rb +521 -0
  34. data/lib/tasks/authorization_tasks.rake +82 -0
  35. data/test/authorization_test.rb +1104 -0
  36. data/test/controller_filter_resource_access_test.rb +511 -0
  37. data/test/controller_test.rb +480 -0
  38. data/test/dsl_reader_test.rb +178 -0
  39. data/test/helper_test.rb +247 -0
  40. data/test/maintenance_test.rb +46 -0
  41. data/test/model_test.rb +1883 -0
  42. data/test/schema.sql +55 -0
  43. data/test/test_helper.rb +152 -0
  44. metadata +112 -0
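--- a/data/test/controller_test.rb
+++ b/data/test/controller_test.rb
@@ -0,0 +1,480 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+
+class LoadMockObject < MockDataObject
+def self.name
+"LoadMockObject"
+end
+end
+
+##################
+class SpecificMocksController < MocksController
+filter_access_to :test_action, :require => :test, :context => :permissions
+filter_access_to :test_action_2, :require => :test, :context => :permissions_2
+filter_access_to :show
+filter_access_to :edit, :create, :require => :test, :context => :permissions
+filter_access_to :edit_2, :require => :test, :context => :permissions,
+:attribute_check => true, :model => LoadMockObject
+filter_access_to :new, :require => :test, :context => :permissions
+
+filter_access_to [:action_group_action_1, :action_group_action_2]
+define_action_methods :test_action, :test_action_2, :show, :edit, :create,
+:edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
+end
+
+class BasicControllerTest < ActionController::TestCase
+tests SpecificMocksController
+
+def test_filter_access_to_receiving_an_explicit_array
+reader = Authorization::Reader::DSLReader.new
+
+reader.parse %{
+authorization do
+role :test_action_group_2 do
+has_permission_on :specific_mocks, :to => :action_group_action_2
+end
+end
+}
+
+request!(MockUser.new(:test_action_group_2), "action_group_action_2", reader)
+assert @controller.authorized?
+request!(MockUser.new(:test_action_group_2), "action_group_action_1", reader)
+assert !@controller.authorized?
+request!(nil, "action_group_action_2", reader)
+assert !@controller.authorized?
+end
+
+def test_filter_access
+assert !@controller.class.before_filters.empty?
+
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+has_permission_on :specific_mocks, :to => :show
+end
+end
+}
+
+request!(MockUser.new(:test_role), "test_action", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role), "test_action_2", reader)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role_2), "test_action", reader)
+assert_response :forbidden
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_multi_actions
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+end
+end
+}
+request!(MockUser.new(:test_role), "create", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_unprotected_actions
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+end
+end
+}
+request!(MockUser.new(:test_role), "unprotected_action", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_priv_hierarchy
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+privileges do
+privilege :read do
+includes :list, :show
+end
+end
+authorization do
+role :test_role do
+has_permission_on :specific_mocks, :to => :read
+end
+end
+}
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_skip_attribute_test
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test do
+if_attribute :id => is { user }
+end
+end
+end
+}
+request!(MockUser.new(:test_role), "new", reader)
+assert @controller.authorized?
+end
+
+def test_existing_instance_var_remains_unchanged
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test do
+if_attribute :id => is { 5 }
+end
+end
+end
+}
+mock_object = MockDataObject.new(:id => 5)
+@controller.send(:instance_variable_set, :"@load_mock_object",
+mock_object)
+request!(MockUser.new(:test_role), "edit_2", reader)
+assert_equal mock_object,
+@controller.send(:instance_variable_get, :"@load_mock_object")
+assert @controller.authorized?
+end
+
+def test_permitted_to_without_context
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :specific_mocks, :to => :test
+end
+end
+}
+@controller.current_user = MockUser.new(:test_role)
+@controller.authorization_engine = Authorization::Engine.new(reader)
+assert @controller.permitted_to?(:test)
+end
+end
+
+
+##################
+class AllMocksController < MocksController
+filter_access_to :all
+filter_access_to :view, :require => :test, :context => :permissions
+define_action_methods :show, :view
+end
+class AllActionsControllerTest < ActionController::TestCase
+tests AllMocksController
+def test_filter_access_all
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+has_permission_on :all_mocks, :to => :show
+end
+end
+}
+
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role), "view", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role_2), "show", reader)
+assert !@controller.authorized?
+end
+end
+
+
+##################
+class LoadMockObjectsController < MocksController
+before_filter { @@load_method_call_count = 0 }
+filter_access_to :show, :attribute_check => true, :model => LoadMockObject
+filter_access_to :edit, :attribute_check => true
+filter_access_to :update, :delete, :attribute_check => true,
+:load_method => proc {MockDataObject.new(:test => 1)}
+filter_access_to :create do
+permitted_to! :edit, :load_mock_objects
+end
+filter_access_to :view, :attribute_check => true, :load_method => :load_method
+def load_method
+self.class.load_method_called
+MockDataObject.new(:test => 2)
+end
+define_action_methods :show, :edit, :update, :delete, :create, :view
+
+def self.load_method_called
+@@load_method_call_count ||= 0
+@@load_method_call_count += 1
+end
+def self.load_method_call_count
+@@load_method_call_count || 0
+end
+end
+class LoadObjectControllerTest < ActionController::TestCase
+tests LoadMockObjectsController
+
+def test_filter_access_with_object_load
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => [:show, :edit] do
+if_attribute :id => 1
+if_attribute :id => "1"
+end
+end
+end
+}
+
+request!(MockUser.new(:test_role), "show", reader, :id => 2)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "show", reader, :id => 1,
+:clear => [:@load_mock_object])
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role), "edit", reader, :id => 1,
+:clear => [:@load_mock_object])
+assert @controller.authorized?
+assert @controller.instance_variable_defined?(:@load_mock_object)
+end
+
+def test_filter_access_object_load_without_param
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => [:show, :edit] do
+if_attribute :id => is {"1"}
+end
+end
+end
+}
+
+assert_raise StandardError, "No id param supplied" do
+request!(MockUser.new(:test_role), "show", reader)
+end
+
+Authorization::AuthorizationInController.failed_auto_loading_is_not_found = false
+assert_nothing_raised "Load error is only logged" do
+request!(MockUser.new(:test_role), "show", reader)
+end
+assert !@controller.authorized?
+Authorization::AuthorizationInController.failed_auto_loading_is_not_found = true
+end
+
+def test_filter_access_with_object_load_custom
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => :view do
+if_attribute :test => is {2}
+end
+has_permission_on :load_mock_objects, :to => :update do
+if_attribute :test => is {1}
+end
+has_permission_on :load_mock_objects, :to => :delete do
+if_attribute :test => is {2}
+end
+end
+end
+}
+
+request!(MockUser.new(:test_role), "delete", reader)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "view", reader)
+assert @controller.authorized?
+assert_equal 1, @controller.class.load_method_call_count
+
+request!(MockUser.new(:test_role_2), "view", reader)
+assert !@controller.authorized?
+assert_equal 1, @controller.class.load_method_call_count
+
+request!(MockUser.new(:test_role), "update", reader)
+assert @controller.authorized?
+end
+
+def test_filter_access_custom
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :load_mock_objects, :to => :edit
+end
+role :test_role_2 do
+has_permission_on :load_mock_objects, :to => :create
+end
+end
+}
+
+request!(MockUser.new(:test_role), "create", reader)
+assert @controller.authorized?
+
+request!(MockUser.new(:test_role_2), "create", reader)
+assert !@controller.authorized?
+end
+end
+
+
+##################
+class AccessOverwritesController < MocksController
+filter_access_to :test_action, :test_action_2,
+:require => :test, :context => :permissions_2
+filter_access_to :test_action, :require => :test, :context => :permissions
+define_action_methods :test_action, :test_action_2
+end
+class AccessOverwritesControllerTest < ActionController::TestCase
+def test_filter_access_overwrite
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :permissions, :to => :test
+end
+end
+}
+request!(MockUser.new(:test_role), "test_action_2", reader)
+assert !@controller.authorized?
+
+request!(MockUser.new(:test_role), "test_action", reader)
+assert @controller.authorized?
+end
+end
+
+
+##################
+class PeopleController < MocksController
+filter_access_to :all
+define_action_methods :show
+end
+class PluralizationControllerTest < ActionController::TestCase
+tests PeopleController
+
+def test_filter_access_people_controller
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :people, :to => :show
+end
+end
+}
+request!(MockUser.new(:test_role), "show", reader)
+assert @controller.authorized?
+end
+end
+
+
+##################
+class CommonController < MocksController
+filter_access_to :delete, :context => :common
+filter_access_to :all
+end
+class CommonChild1Controller < CommonController
+filter_access_to :all, :context => :context_1
+end
+class CommonChild2Controller < CommonController
+filter_access_to :delete
+define_action_methods :show, :delete
+end
+class HierachicalControllerTest < ActionController::TestCase
+tests CommonChild2Controller
+def test_controller_hierarchy
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :test_role do
+has_permission_on :mocks, :to => [:delete, :show]
+end
+end
+}
+request!(MockUser.new(:test_role), "show", reader)
+assert !@controller.authorized?
+request!(MockUser.new(:test_role), "delete", reader)
+assert !@controller.authorized?
+end
+end
+
+##################
+module Name
+class SpacedThingsController < MocksController
+filter_access_to :show
+filter_access_to :update, :context => :spaced_things
+define_action_methods :show, :update
+end
+end
+class NameSpacedControllerTest < ActionController::TestCase
+tests Name::SpacedThingsController
+def test_context
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :permitted_role do
+has_permission_on :name_spaced_things, :to => :show
+has_permission_on :spaced_things, :to => :update
+end
+role :prohibited_role do
+has_permission_on :name_spaced_things, :to => :update
+has_permission_on :spaced_things, :to => :show
+end
+end
+}
+request!(MockUser.new(:permitted_role), "show", reader)
+assert @controller.authorized?
+request!(MockUser.new(:prohibited_role), "show", reader)
+assert !@controller.authorized?
+request!(MockUser.new(:permitted_role), "update", reader)
+assert @controller.authorized?
+request!(MockUser.new(:prohibited_role), "update", reader)
+assert !@controller.authorized?
+end
+end
+
+module Deep
+module NameSpaced
+class ThingsController < MocksController
+filter_access_to :show
+filter_access_to :update, :context => :things
+define_action_methods :show, :update
+end
+end
+end
+class DeepNameSpacedControllerTest < ActionController::TestCase
+tests Deep::NameSpaced::ThingsController
+def test_context
+reader = Authorization::Reader::DSLReader.new
+reader.parse %{
+authorization do
+role :permitted_role do
+has_permission_on :deep_name_spaced_things, :to => :show
+has_permission_on :things, :to => :update
+end
+role :prohibited_role do
+has_permission_on :deep_name_spaced_things, :to => :update
+has_permission_on :things, :to => :show
+end
+end
+}
+request!(MockUser.new(:permitted_role), "show", reader)
+assert @controller.authorized?
+request!(MockUser.new(:prohibited_role), "show", reader)
+assert !@controller.authorized?
+request!(MockUser.new(:permitted_role), "update", reader)
+assert @controller.authorized?
+request!(MockUser.new(:prohibited_role), "update", reader)
+assert !@controller.authorized?
+end
+end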
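Review bot: In test_filter_access_object_load_without_param (new lines 269–274) the class-wide `Authorization::AuthorizationInController.failed_auto_loading_is_not_found` flag is set to false and only restored after the assertions pass, so a failing `assert_nothing_raised` or `assert !@controller.authorized?` leaves the lenient "log and continue" mode switched on for every test that runs later in the same process, and those tests would then be checking authorization outcomes under a setting other than the default fail-closed one the flag name suggests. Restore the flag in an `ensure` so a failure inside the test cannot leak it; the rewritten method body is below. Separately, `assert_raise StandardError, "No id param supplied"` on line 265 passes the string as the assertion's failure message rather than as the expected exception message, so any StandardError raised inside the block satisfies it; if the message is part of the contract, capture the exception and assert on its message explicitly.
```ruby
def test_filter_access_object_load_without_param
  # … unchanged: reader setup and the assert_raise block …
  Authorization::AuthorizationInController.failed_auto_loading_is_not_found = false
  begin
    assert_nothing_raised "Load error is only logged" do
      request!(MockUser.new(:test_role), "show", reader)
    end
    assert !@controller.authorized?
  ensure
    # always restore the process-wide default, even when an assertion above fails
    Authorization::AuthorizationInController.failed_auto_loading_is_not_found = true
  end
end
```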