graylog2-declarative_authorization 0.5.2

data/Rakefile

@@ -0,0 +1,35 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the authorization plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the authorization plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Authorization'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.options << '--charset' << 'utf-8'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('CHANGELOG')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+# load up garlic if it's here
+if File.directory?(File.join(File.dirname(__FILE__), 'garlic'))
+  require File.join(File.dirname(__FILE__), 'garlic/lib/garlic_tasks')
+  require File.join(File.dirname(__FILE__), 'garlic')
+end
+
+desc "clone the garlic repo (for running ci tasks)"
+task :get_garlic do
+  sh "git clone git://github.com/ianwhite/garlic.git garlic"
+end

data/app/controllers/authorization_rules_controller.rb

@@ -0,0 +1,259 @@
+if Authorization::activate_authorization_rules_browser?
+
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization development_support analyzer})
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization development_support change_supporter})
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization development_support development_support})
+
+begin
+  # for nice auth_rules output:
+  require "parse_tree"
+  require "parse_tree_extensions"
+  require "ruby2ruby"
+rescue LoadError; end
+
+class AuthorizationRulesController < ApplicationController
+  unloadable
+  
+  filter_access_to :all, :require => :read
+  def index
+    respond_to do |format|
+      format.html do
+        @auth_rules_script = File.read("#{::Rails.root}/config/authorization_rules.rb")
+      end
+    end
+  end
+
+  def graph
+    if params[:format] == "svg"
+      render :text => dot_to_svg(auth_to_dot(graph_options)),
+          :content_type => "image/svg+xml"
+    end
+  end
+
+  def change
+    @users = find_all_users
+    @users.sort! {|a, b| a.login <=> b.login }
+    
+    @privileges = authorization_engine.auth_rules.collect {|rule| rule.privileges.to_a}.flatten.uniq
+    @privileges = @privileges.collect do |priv|
+      priv = Authorization::DevelopmentSupport::AnalyzerEngine::Privilege.for_sym(priv, authorization_engine)
+      ([priv] + priv.descendants + priv.ancestors).map(&:to_sym)
+    end.flatten.uniq
+    @privileges.sort_by {|priv| priv.to_s}
+    @privilege = params[:privilege].to_sym rescue @privileges.first
+    @contexts = authorization_engine.auth_rules.collect {|rule| rule.contexts.to_a}.flatten.uniq
+    @context = params[:context].to_sym rescue @contexts.first
+
+    respond_to do |format|
+      format.html
+      format.js do
+        render :partial => 'change'
+      end
+    end
+  end
+
+  def suggest_change
+    users_permission = params[:user].inject({}) do |memo, (user_id, data)|
+      if data[:permission] != "undetermined"
+        begin
+          memo[find_user_by_id(user_id)] = (data[:permission] == 'yes')
+        rescue ActiveRecord::NotFound
+        end
+      end
+      memo
+    end
+
+    prohibited_actions = (params[:prohibited_action] || []).collect do |spec|
+      deserialize_changes(spec).flatten
+    end
+
+    analyzer = Authorization::DevelopmentSupport::ChangeSupporter.new(authorization_engine)
+    
+    privilege = params[:privilege].to_sym
+    context = params[:context].to_sym
+    all_users = User.all
+    @context = context
+    @approaches = analyzer.find_approaches_for(:users => all_users, :prohibited_actions => prohibited_actions) do
+      users.each_with_index do |user, idx|
+        unless users_permission[all_users[idx]].nil?
+          args = [privilege, {:context => context, :user => user}]
+          assert(users_permission[all_users[idx]] ? permit?(*args) : !permit?(*args))
+        end
+      end
+    end
+
+    @affected_users = @approaches.each_with_object({}) do |approach, memo|
+      memo[approach] = approach.affected_users(authorization_engine, all_users, privilege, context).length
+    end
+    max_affected_users = @affected_users.values.max
+    if params[:affected_users]
+      @approaches = @approaches.sort_by do |approach|
+        affected_users_count = @affected_users[approach]
+        if params[:affected_users] == "many"
+          #approach.weight.to_f / [affected_users_count, 0.1].min
+          approach.weight + (max_affected_users - affected_users_count) * 10
+        else
+          #approach.weight * affected_users_count
+          approach.weight + affected_users_count * 10
+        end
+      end
+    end
+
+    @grouped_approaches = analyzer.group_approaches(@approaches)
+
+    respond_to do |format|
+      format.js do
+        render :partial => 'suggestions'
+      end
+    end
+  end
+
+  private
+  def auth_to_dot (options = {})
+    options = {
+      :effective_role_privs => true,
+      :privilege_hierarchy => false,
+      :stacked_roles => false,
+      :only_relevant_contexts => true,
+      :only_relevant_roles => false,
+      :filter_roles => nil,
+      :filter_contexts => nil,
+      :highlight_privilege => nil,
+      :changes => nil,
+      :users => nil
+    }.merge(options)
+
+    @has_changes = options[:changes] && !options[:changes].empty?
+    @highlight_privilege = options[:highlight_privilege]
+    @stacked_roles = options[:stacked_roles]
+
+    @users = options[:users]
+
+    engine = authorization_engine.clone
+    @changes = replay_changes(engine, @users, options[:changes]) if options[:changes]
+
+    options[:filter_roles] ||= @users.collect {|user| user.role_symbols}.flatten.uniq if options[:only_relevant_roles] and @users
+
+    filter_roles_flattened = nil
+    if options[:filter_roles]
+      filter_roles_flattened = options[:filter_roles].collect do |role_sym|
+        Authorization::DevelopmentSupport::AnalyzerEngine::Role.for_sym(role_sym, engine).
+            ancestors.map(&:to_sym) + [role_sym]
+      end.flatten.uniq
+    end
+
+    @roles = engine.roles
+    @roles = @roles.select {|r| filter_roles_flattened.include?(r) } if options[:filter_roles]
+    @role_hierarchy = engine.role_hierarchy
+    @privilege_hierarchy = engine.privilege_hierarchy
+    
+    @contexts = engine.auth_rules.
+                    collect {|ar| ar.contexts.to_a}.flatten.uniq
+    @contexts = @contexts.select {|c| c == options[:filter_contexts] } if options[:filter_contexts]
+    @context_privs = {}
+    @role_privs = {}
+    engine.auth_rules.each do |auth_rule|
+      @role_privs[auth_rule.role] ||= []
+      auth_rule.contexts.
+            select {|c| options[:filter_contexts].nil? or c == options[:filter_contexts]}.
+            each do |context|
+        @context_privs[context] ||= []
+        @context_privs[context] += auth_rule.privileges.to_a
+        @context_privs[context].uniq!
+        @role_privs[auth_rule.role] += auth_rule.privileges.collect {|p| [context, p, auth_rule.attributes.empty?, auth_rule.to_long_s]}
+      end
+    end
+
+    if options[:effective_role_privs]
+      @roles.each do |role|
+        role = Authorization::DevelopmentSupport::AnalyzerEngine::Role.for_sym(role, engine)
+        @role_privs[role.to_sym] ||= []
+        role.ancestors.each do |lower_role|
+          @role_privs[role.to_sym].concat(@role_privs[lower_role.to_sym]).uniq!
+        end
+      end
+    end
+
+    @roles.delete_if do |role|
+      role = Authorization::DevelopmentSupport::AnalyzerEngine::Role.for_sym(role, engine)
+      ([role] + role.ancestors).all? {|inner_role| @role_privs[inner_role.to_sym].blank? }
+    end
+
+    if options[:only_relevant_contexts]
+      @contexts.delete_if do |context|
+        @roles.all? {|role| !@role_privs[role] || !@role_privs[role].any? {|info| info[0] == context}}
+      end
+    end
+    
+    if options[:privilege_hierarchy]
+      @context_privs.each do |context, privs|
+        privs.each do |priv|
+          context_lower_privs = (@privilege_hierarchy[priv] || []).
+                                  select {|p,c| c.nil? or c == context}.
+                                  collect {|p,c| p}
+          privs.concat(context_lower_privs).uniq!
+        end
+      end
+    end
+    
+    render_to_string :template => 'authorization_rules/graph.dot.erb', :layout => false
+  end
+
+  def replay_changes (engine, users, changes)
+    changes.inject({}) do |memo, info|
+      case info[0]
+      when :add_privilege, :add_role
+        Authorization::DevelopmentSupport::AnalyzerEngine.apply_change(engine, info)
+      when :assign_role_to_user
+        user = users.find {|u| u.login == info[2]}
+        user.role_symbols << info[1] if user
+      end
+      (memo[info[0]] ||= Set.new) << info[1..-1]
+      memo
+    end
+  end
+  
+  def dot_to_svg (dot_data)
+    gv = IO.popen("#{Authorization.dot_path} -q -Tsvg", "w+")
+    gv.puts dot_data
+    gv.close_write
+    gv.read
+  rescue IOError, Errno::EPIPE => e
+    raise Exception, "Error in call to graphviz: #{e}"
+  end
+  
+  def graph_options
+    {
+      :effective_role_privs => !params[:effective_role_privs].blank?,
+      :privilege_hierarchy => !params[:privilege_hierarchy].blank?,
+      :stacked_roles => !params[:stacked_roles].blank?,
+      :only_relevant_roles => !params[:only_relevant_roles].blank?,
+      :filter_roles => params[:filter_roles].blank? ? nil : (params[:filter_roles].is_a?(Array) ? params[:filter_roles].map(&:to_sym) : [params[:filter_roles].to_sym]),
+      :filter_contexts => params[:filter_contexts].blank? ? nil : params[:filter_contexts].to_sym,
+      :highlight_privilege => params[:highlight_privilege].blank? ? nil : params[:highlight_privilege].to_sym,
+      :changes => deserialize_changes(params[:changes]),
+      :users => params[:user_ids] && params[:user_ids].collect {|user_id| find_user_by_id(user_id)}
+    }
+  end
+
+  def deserialize_changes (changes)
+    if changes
+      changes.split(';').collect do |info|
+        info.split(',').collect do |info_part|
+          info_part[0,1] == ':' ? info_part[1..-1].to_sym : info_part
+        end
+      end
+    end
+  end
+
+  def find_user_by_id (id)
+    User.find(id)
+  end
+  def find_all_users
+    User.all.select {|user| !user.login.blank?}
+  end
+end
+
+else
+class AuthorizationRulesController < ApplicationController; end
+end # activate_authorization_rules_browser?

data/app/controllers/authorization_usages_controller.rb

@@ -0,0 +1,23 @@
+if Authorization::activate_authorization_rules_browser?
+
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization maintenance})
+
+class AuthorizationUsagesController < ApplicationController
+  unloadable
+  
+  helper :authorization_rules
+  filter_access_to :all, :require => :read
+  # TODO set context?
+
+  def index
+    respond_to do |format|
+      format.html do
+        @auth_usages_by_controller = Authorization::Maintenance::Usage.usages_by_controller
+      end
+    end
+  end
+end
+
+else
+class AuthorizationUsagesController < ApplicationController; end
+end # activate_authorization_rules_browser?

data/app/helpers/authorization_rules_helper.rb

@@ -0,0 +1,218 @@
+module AuthorizationRulesHelper
+  def syntax_highlight (rules)
+    regexps = {
+      :constant => [/(:)(\w+)/], 
+      :proc => ['role', 'authorization', 'privileges'],
+      :statement => ['has_permission_on', 'if_attribute', 'if_permitted_to', 'includes', 'privilege', 'to'],
+      :operator => ['is', 'contains', 'is_in', 'is_not', 'is_not_in', 'intersects'],
+      :special => ['user', 'true', 'false'],
+      :preproc => ['do', 'end', /()(=>)/, /()(\{)/, /()(\})/, /()(\[)/, /()(\])/],
+      :comment => [/()(#.*$)/]#,
+      #:privilege => [:read],
+      #:context => [:conferences]
+    }
+    regexps.each do |name, res|
+      res.each do |re|
+        rules.gsub!(
+          re.is_a?(String) ? Regexp.new("(^|[^:])\\b(#{Regexp.escape(re)})\\b") :
+             (re.is_a?(Symbol) ? Regexp.new("()(:#{Regexp.escape(re.to_s)})\\b") : re), 
+          "\\1<span class=\"#{name}\">\\2</span>")
+      end
+    end
+    rules
+  end
+
+  def policy_analysis_hints (marked_up, policy_data)
+    analyzer = Authorization::DevelopmentSupport::Analyzer.new(controller.authorization_engine)
+    analyzer.analyze(policy_data)
+    marked_up_by_line = marked_up.split("\n")
+    reports_by_line = analyzer.reports.inject({}) do |memo, report|
+      memo[report.line || 1] ||= []
+      memo[report.line || 1] << report
+      memo
+    end
+    reports_by_line.each do |line, reports|
+      text = reports.collect {|report| "#{report.type}: #{report.message}"} * " "
+      note = %Q{<span class="note" title="#{h text}">[i]</span>}
+      marked_up_by_line[line - 1] = note + marked_up_by_line[line - 1]
+    end
+    (marked_up_by_line * "\n").html_safe
+  end
+
+  def link_to_graph (title, options = {})
+    type = options[:type] || ''
+    link_to_function title, "$$('object')[0].data = '#{url_for :action => 'index', :format => 'svg', :type => type}'"
+  end
+
+  def navigation
+    link_to("Rules", authorization_rules_path) << ' | ' <<
+    link_to("Change Support", change_authorization_rules_path) << ' | ' <<
+    link_to("Graphical view", graph_authorization_rules_path) << ' | ' <<
+    link_to("Usages", authorization_usages_path) #<< ' | ' <<
+  #  'Edit | ' <<
+  #  link_to("XACML export", :action => 'index', :format => 'xacml')
+  end
+  
+  def role_color (role, fill = false)
+    if @has_changes
+      if has_changed(:add_role, role)
+        fill ? '#ddffdd' : '#000000'
+      elsif has_changed(:remove_role, role)
+        fill ? '#ffdddd' : '#000000'
+      else
+        fill ? '#ddddff' : '#000000'
+      end
+    else
+      fill_colors = %w{#ffdddd #ddffdd #ddddff #ffffdd #ffddff #ddffff}
+      colors = %w{#dd0000 #00dd00 #0000dd #dddd00 #dd00dd #00dddd}
+      @@role_colors ||= {}
+      @@role_colors[role] ||= begin
+        idx = @@role_colors.length % colors.length
+        [colors[idx], fill_colors[idx]]
+      end
+      @@role_colors[role][fill ? 1 : 0]
+    end
+  end
+  
+  def role_fill_color (role)
+    role_color(role, true)
+  end
+
+  def privilege_color (privilege, context, role)
+    has_changed(:add_privilege, privilege, context, role) ? '#00dd00' :
+        (has_changed(:remove_privilege, privilege, context, role) ? '#dd0000' :
+          role_color(role))
+  end
+
+  def human_privilege (privilege)
+    begin
+      I18n.t(privilege, :scope => [:declarative_authorization, :privilege], :raise => true)
+    rescue
+      privilege.to_s
+    end
+  end
+
+  def human_context (context)
+    begin
+      context.to_s.classify.constantize.human_name
+    rescue
+      context.to_s
+    end
+  end
+
+  def human_privilege_context (privilege, context)
+    human = [human_privilege(privilege), human_context(context)]
+    begin
+      unless I18n.t(:verb_in_front_of_object, :scope => :declarative_authorization, :raise => true)
+        human.reverse!
+      end
+    rescue
+    end
+    human * " "
+  end
+
+  def human_role (role)
+    Authorization::Engine.instance.title_for(role) or role.to_s
+  end
+
+  def describe_step (step, options = {})
+    options = {:with_removal => false}.merge(options)
+
+    case step[0]
+    when :add_privilege
+      dont_assign = prohibit_link(step[0,3],
+          "Add privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong> to any role",
+          "Don't suggest adding #{h human_privilege_context(step[1], step[2])}.", options)
+      "Add privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong>#{dont_assign} to role <strong>#{h human_role(step[3].to_sym)}</strong>"
+    when :remove_privilege
+      dont_remove = prohibit_link(step[0,3], 
+          "Remove privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong> from any role",
+          "Don't suggest removing #{h human_privilege_context(step[1], step[2])}.", options)
+      "Remove privilege <strong>#{h human_privilege_context(step[1], step[2])}</strong>#{dont_remove} from role <strong>#{h human_role(step[3].to_sym)}</strong>"
+    when :add_role
+      "New role <strong>#{h human_role(step[1].to_sym)}</strong>"
+    when :assign_role_to_user
+      dont_assign = prohibit_link(step[0,2],
+          "Assign role <strong>#{h human_role(step[1].to_sym)}</strong> to any user",
+          "Don't suggest assigning #{h human_role(step[1].to_sym)}.", options)
+      "Assign role <strong>#{h human_role(step[1].to_sym)}</strong>#{dont_assign} to <strong>#{h readable_step_info(step[2])}</strong>"
+    when :remove_role_from_user
+      dont_remove = prohibit_link(step[0,2],
+          "Remove role <strong>#{h human_role(step[1].to_sym)}</strong> from any user",
+          "Don't suggest removing #{h human_role(step[1].to_sym)}.", options)
+      "Remove role <strong>#{h human_role(step[1].to_sym)}</strong>#{dont_remove} from <strong>#{h readable_step_info(step[2])}</strong>"
+    else
+      step.collect {|info| readable_step_info(info) }.map {|str| h str } * ', '
+    end + prohibit_link(step, options[:with_removal] ? "#{escape_javascript(describe_step(step))}" : '',
+                        "Don't suggest this action.", options)
+  end
+
+  def prohibit_link (step, text, title, options)
+    options[:with_removal] ?
+          link_to_function("[x]", "prohibit_action('#{serialize_action(step)}', '#{text}')",
+                    :class => 'prohibit', :title => title) :
+          ''
+  end
+  
+  def readable_step_info (info)
+    case info
+    when Symbol   then info.inspect
+    when User     then info.login
+    else               info.to_sym.inspect
+    end
+  end
+
+  def serialize_changes (approach)
+    changes = approach.changes.collect {|step| step.to_a.first.is_a?(Enumerable) ? step.to_a : [step.to_a]}
+    changes.collect {|multi_step| multi_step.collect {|step| serialize_action(step) }}.flatten * ';'
+  end
+
+  def serialize_action (step)
+    step.collect {|info| readable_step_info(info) } * ','
+  end
+
+  def serialize_relevant_roles (approach)
+    {:filter_roles => (Authorization::DevelopmentSupport::AnalyzerEngine.relevant_roles(approach.engine, approach.users).
+        map(&:to_sym) + [:new_role_for_change_analyzer]).uniq}.to_param
+  end
+
+  def has_changed (*args)
+    @changes && @changes[args[0]] && @changes[args[0]].include?(args[1..-1])
+  end
+
+  def affected_users_count (approach)
+    @affected_users[approach]
+  end
+
+  def auth_usage_info_classes (auth_info)
+    classes = []
+    if auth_info[:controller_permissions]
+      if auth_info[:controller_permissions][0]
+        classes << "catch-all" if auth_info[:controller_permissions][0].actions.include?(:all)
+        classes << "default-privilege" unless auth_info[:controller_permissions][0].privilege
+        classes << "default-context" unless auth_info[:controller_permissions][0].context
+        classes << "no-attribute-check" unless auth_info[:controller_permissions][0].attribute_check
+      end
+    else
+      classes << "unprotected"
+    end
+    classes * " "
+  end
+
+  def auth_usage_info_title (auth_info)
+    titles = []
+    if auth_usage_info_classes(auth_info) =~ /unprotected/
+      titles << "No filter_access_to call protects this action"
+    end
+    if auth_usage_info_classes(auth_info) =~ /no-attribute-check/
+      titles << "Action is not protected with attribute check"
+    end
+    if auth_usage_info_classes(auth_info) =~ /default-privilege/
+      titles << "Privilege set automatically from action name by :all rule"
+    end
+    if auth_usage_info_classes(auth_info) =~ /default-context/
+      titles << "Context set automatically from controller name by filter_access_to call without :context option"
+    end
+    titles * ". "
+  end
+end