graylog2-declarative_authorization 0.5.2
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG +153 -0
- data/MIT-LICENSE +20 -0
- data/README.rdoc +529 -0
- data/Rakefile +35 -0
- data/app/controllers/authorization_rules_controller.rb +259 -0
- data/app/controllers/authorization_usages_controller.rb +23 -0
- data/app/helpers/authorization_rules_helper.rb +218 -0
- data/app/views/authorization_rules/_change.erb +58 -0
- data/app/views/authorization_rules/_show_graph.erb +44 -0
- data/app/views/authorization_rules/_suggestions.erb +48 -0
- data/app/views/authorization_rules/change.html.erb +169 -0
- data/app/views/authorization_rules/graph.dot.erb +68 -0
- data/app/views/authorization_rules/graph.html.erb +47 -0
- data/app/views/authorization_rules/index.html.erb +17 -0
- data/app/views/authorization_usages/index.html.erb +36 -0
- data/authorization_rules.dist.rb +20 -0
- data/config/routes.rb +20 -0
- data/garlic_example.rb +20 -0
- data/init.rb +5 -0
- data/lib/declarative_authorization.rb +17 -0
- data/lib/declarative_authorization/authorization.rb +705 -0
- data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
- data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
- data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
- data/lib/declarative_authorization/development_support/development_support.rb +243 -0
- data/lib/declarative_authorization/helper.rb +68 -0
- data/lib/declarative_authorization/in_controller.rb +645 -0
- data/lib/declarative_authorization/in_model.rb +162 -0
- data/lib/declarative_authorization/maintenance.rb +212 -0
- data/lib/declarative_authorization/obligation_scope.rb +354 -0
- data/lib/declarative_authorization/rails_legacy.rb +22 -0
- data/lib/declarative_authorization/railsengine.rb +6 -0
- data/lib/declarative_authorization/reader.rb +521 -0
- data/lib/tasks/authorization_tasks.rake +82 -0
- data/test/authorization_test.rb +1104 -0
- data/test/controller_filter_resource_access_test.rb +511 -0
- data/test/controller_test.rb +480 -0
- data/test/dsl_reader_test.rb +178 -0
- data/test/helper_test.rb +247 -0
- data/test/maintenance_test.rb +46 -0
- data/test/model_test.rb +1883 -0
- data/test/schema.sql +55 -0
- data/test/test_helper.rb +152 -0
- metadata +112 -0
@@ -0,0 +1,178 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
|
3
|
+
class DSLReaderTest < Test::Unit::TestCase
|
4
|
+
def test_privileges
|
5
|
+
reader = Authorization::Reader::DSLReader.new
|
6
|
+
reader.parse %{
|
7
|
+
privileges do
|
8
|
+
privilege :test_priv do
|
9
|
+
includes :lower_priv
|
10
|
+
end
|
11
|
+
end
|
12
|
+
}
|
13
|
+
assert_equal 2, reader.privileges_reader.privileges.length
|
14
|
+
assert_equal [[:lower_priv, nil]],
|
15
|
+
reader.privileges_reader.privilege_hierarchy[:test_priv]
|
16
|
+
end
|
17
|
+
|
18
|
+
def test_privileges_with_context
|
19
|
+
reader = Authorization::Reader::DSLReader.new
|
20
|
+
reader.parse %{
|
21
|
+
privileges do
|
22
|
+
privilege :test_priv, :test_context do
|
23
|
+
includes :lower_priv
|
24
|
+
end
|
25
|
+
end
|
26
|
+
}
|
27
|
+
assert_equal [[:lower_priv, :test_context]],
|
28
|
+
reader.privileges_reader.privilege_hierarchy[:test_priv]
|
29
|
+
end
|
30
|
+
|
31
|
+
def test_privileges_one_line
|
32
|
+
reader = Authorization::Reader::DSLReader.new
|
33
|
+
reader.parse %{
|
34
|
+
privileges do
|
35
|
+
privilege :test_priv, :test_context, :includes => :lower_priv
|
36
|
+
privilege :test_priv_2, :test_context, :includes => [:lower_priv]
|
37
|
+
privilege :test_priv_3, :includes => [:lower_priv]
|
38
|
+
end
|
39
|
+
}
|
40
|
+
assert_equal [[:lower_priv, :test_context]],
|
41
|
+
reader.privileges_reader.privilege_hierarchy[:test_priv]
|
42
|
+
assert_equal [[:lower_priv, :test_context]],
|
43
|
+
reader.privileges_reader.privilege_hierarchy[:test_priv_2]
|
44
|
+
assert_equal [[:lower_priv, nil]],
|
45
|
+
reader.privileges_reader.privilege_hierarchy[:test_priv_3]
|
46
|
+
end
|
47
|
+
|
48
|
+
def test_auth_role
|
49
|
+
reader = Authorization::Reader::DSLReader.new
|
50
|
+
reader.parse %{
|
51
|
+
authorization do
|
52
|
+
role :test_role do
|
53
|
+
includes :lesser_role
|
54
|
+
has_permission_on :items, :to => :read
|
55
|
+
end
|
56
|
+
end
|
57
|
+
}
|
58
|
+
assert_equal 1, reader.auth_rules_reader.roles.length
|
59
|
+
assert_equal [:lesser_role], reader.auth_rules_reader.role_hierarchy[:test_role]
|
60
|
+
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
61
|
+
end
|
62
|
+
|
63
|
+
def test_auth_role_permit_on
|
64
|
+
reader = Authorization::Reader::DSLReader.new
|
65
|
+
reader.parse %|
|
66
|
+
authorization do
|
67
|
+
role :test_role do
|
68
|
+
has_permission_on :test_context do
|
69
|
+
to :test_perm, :manage
|
70
|
+
if_attribute :test_attr => is { user.test_attr }
|
71
|
+
end
|
72
|
+
end
|
73
|
+
end
|
74
|
+
|
|
75
|
+
assert_equal 1, reader.auth_rules_reader.roles.length
|
76
|
+
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
77
|
+
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test_perm], :test_context)
|
78
|
+
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:manage], :test_context)
|
79
|
+
end
|
80
|
+
|
81
|
+
def test_permit_block
|
82
|
+
reader = Authorization::Reader::DSLReader.new
|
83
|
+
reader.parse %|
|
84
|
+
authorization do
|
85
|
+
role :test_role do
|
86
|
+
has_permission_on :perms, :to => :test do
|
87
|
+
if_attribute :test_attr => is { user.test_attr }
|
88
|
+
if_attribute :test_attr_2 => is_not { user.test_attr }
|
89
|
+
if_attribute :test_attr_3 => contains { user.test_attr }
|
90
|
+
if_attribute :test_attr_4 => does_not_contain { user.test_attr }
|
91
|
+
if_attribute :test_attr_5 => is_in { user.test_attr }
|
92
|
+
if_attribute :test_attr_5 => is_not_in { user.test_attr }
|
93
|
+
if_attribute :test_attr_6 => lt { user.test_attr }
|
94
|
+
if_attribute :test_attr_6 => lte { user.test_attr }
|
95
|
+
if_attribute :test_attr_6 => gt { user.test_attr }
|
96
|
+
if_attribute :test_attr_6 => gte { user.test_attr }
|
97
|
+
end
|
98
|
+
end
|
99
|
+
end
|
100
|
+
|
|
101
|
+
assert_equal 1, reader.auth_rules_reader.roles.length
|
102
|
+
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
103
|
+
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
|
104
|
+
end
|
105
|
+
|
106
|
+
def test_has_permission_to_with_context
|
107
|
+
reader = Authorization::Reader::DSLReader.new
|
108
|
+
reader.parse %|
|
109
|
+
authorization do
|
110
|
+
role :test_role do
|
111
|
+
has_permission_on :perms, :to => :test
|
112
|
+
end
|
113
|
+
end
|
114
|
+
|
|
115
|
+
assert_equal 1, reader.auth_rules_reader.roles.length
|
116
|
+
assert_equal 1, reader.auth_rules_reader.auth_rules.length
|
117
|
+
assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
|
118
|
+
end
|
119
|
+
|
120
|
+
def test_context
|
121
|
+
reader = Authorization::Reader::DSLReader.new
|
122
|
+
reader.parse %{
|
123
|
+
contexts do
|
124
|
+
context :high_level_context do
|
125
|
+
includes :low_level_context_1, :low_level_context_2
|
126
|
+
end
|
127
|
+
end
|
128
|
+
}
|
129
|
+
end
|
130
|
+
|
131
|
+
def test_dsl_error
|
132
|
+
reader = Authorization::Reader::DSLReader.new
|
133
|
+
assert_raise(Authorization::Reader::DSLError) do
|
134
|
+
reader.parse %{
|
135
|
+
authorization do
|
136
|
+
includes :lesser_role
|
137
|
+
end
|
138
|
+
}
|
139
|
+
end
|
140
|
+
end
|
141
|
+
|
142
|
+
def test_syntax_error
|
143
|
+
reader = Authorization::Reader::DSLReader.new
|
144
|
+
assert_raise(Authorization::Reader::DSLSyntaxError) do
|
145
|
+
reader.parse %{
|
146
|
+
authorizations do
|
147
|
+
end
|
148
|
+
}
|
149
|
+
end
|
150
|
+
end
|
151
|
+
|
152
|
+
def test_syntax_error_2
|
153
|
+
reader = Authorization::Reader::DSLReader.new
|
154
|
+
assert_raise(Authorization::Reader::DSLSyntaxError) do
|
155
|
+
reader.parse %{
|
156
|
+
authorizations
|
157
|
+
end
|
158
|
+
}
|
159
|
+
end
|
160
|
+
end
|
161
|
+
|
162
|
+
def test_factory_returns_self
|
163
|
+
reader = Authorization::Reader::DSLReader.new
|
164
|
+
assert_equal(Authorization::Reader::DSLReader.factory(reader).object_id, reader.object_id)
|
165
|
+
end
|
166
|
+
|
167
|
+
def test_factory_loads_file
|
168
|
+
reader = Authorization::Reader::DSLReader.factory((DA_ROOT + "authorization_rules.dist.rb").to_s)
|
169
|
+
assert_equal(Authorization::Reader::DSLReader, reader.class)
|
170
|
+
end
|
171
|
+
|
172
|
+
def test_load_file_not_found
|
173
|
+
assert_raise(Authorization::Reader::DSLFileNotFoundError) do
|
174
|
+
Authorization::Reader::DSLReader.load("nonexistent_file.rb")
|
175
|
+
end
|
176
|
+
end
|
177
|
+
end
|
178
|
+
|
data/test/helper_test.rb
ADDED
@@ -0,0 +1,247 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization helper})
|
3
|
+
|
4
|
+
|
5
|
+
class HelperMocksController < MocksController
|
6
|
+
filter_access_to :action, :require => :show, :context => :mocks
|
7
|
+
define_action_methods :action
|
8
|
+
end
|
9
|
+
class HelperTest < ActionController::TestCase
|
10
|
+
tests HelperMocksController
|
11
|
+
include Authorization::AuthorizationHelper
|
12
|
+
attr_reader :controller
|
13
|
+
|
14
|
+
def test_permit
|
15
|
+
reader = Authorization::Reader::DSLReader.new
|
16
|
+
reader.parse %{
|
17
|
+
authorization do
|
18
|
+
role :test_role do
|
19
|
+
has_permission_on :mocks, :to => :show
|
20
|
+
end
|
21
|
+
role :test_role_2 do
|
22
|
+
has_permission_on :mocks, :to => :update
|
23
|
+
end
|
24
|
+
end
|
25
|
+
}
|
26
|
+
user = MockUser.new(:test_role)
|
27
|
+
request!(user, :action, reader)
|
28
|
+
|
29
|
+
assert permitted_to?(:show, :mocks)
|
30
|
+
assert !permitted_to?(:update, :mocks)
|
31
|
+
|
32
|
+
block_evaled = false
|
33
|
+
permitted_to?(:show, :mocks) do
|
34
|
+
block_evaled = true
|
35
|
+
end
|
36
|
+
assert block_evaled
|
37
|
+
|
38
|
+
block_evaled = false
|
39
|
+
permitted_to?(:update, :mocks) do
|
40
|
+
block_evaled = true
|
41
|
+
end
|
42
|
+
assert !block_evaled
|
43
|
+
end
|
44
|
+
|
45
|
+
def test_permit_with_object
|
46
|
+
reader = Authorization::Reader::DSLReader.new
|
47
|
+
reader.parse %{
|
48
|
+
authorization do
|
49
|
+
role :test_role do
|
50
|
+
has_permission_on :mocks do
|
51
|
+
to :show
|
52
|
+
if_attribute :test_attr => is {user.test_attr}
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
}
|
57
|
+
user = MockUser.new(:test_role, :test_attr => 1)
|
58
|
+
mock = MockDataObject.new(:test_attr => 1)
|
59
|
+
mock_2 = MockDataObject.new(:test_attr => 2)
|
60
|
+
request!(user, :action, reader)
|
61
|
+
|
62
|
+
assert permitted_to?(:show, mock)
|
63
|
+
assert permitted_to?(:show, :mocks)
|
64
|
+
assert !permitted_to?(:show, mock_2)
|
65
|
+
end
|
66
|
+
|
67
|
+
def test_permit_with_object_and_context
|
68
|
+
reader = Authorization::Reader::DSLReader.new
|
69
|
+
reader.parse %{
|
70
|
+
authorization do
|
71
|
+
role :test_role do
|
72
|
+
has_permission_on :other_mocks do
|
73
|
+
to :show
|
74
|
+
if_attribute :test_attr => is {user.test_attr}
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
78
|
+
}
|
79
|
+
user = MockUser.new(:test_role, :test_attr => 1)
|
80
|
+
mock = MockDataObject.new(:test_attr => 1)
|
81
|
+
mock_2 = MockDataObject.new(:test_attr => 2)
|
82
|
+
request!(user, :action, reader)
|
83
|
+
|
84
|
+
assert permitted_to?(:show, mock, :context => :other_mocks)
|
85
|
+
assert !permitted_to?(:show, mock_2, :context => :other_mocks)
|
86
|
+
end
|
87
|
+
|
88
|
+
def test_has_role
|
89
|
+
reader = Authorization::Reader::DSLReader.new
|
90
|
+
reader.parse %{
|
91
|
+
authorization do
|
92
|
+
role :test_role do
|
93
|
+
has_permission_on :mocks, :to => :show
|
94
|
+
end
|
95
|
+
end
|
96
|
+
}
|
97
|
+
user = MockUser.new(:test_role)
|
98
|
+
request!(user, :action, reader)
|
99
|
+
|
100
|
+
assert has_role?(:test_role)
|
101
|
+
assert !has_role?(:test_role2)
|
102
|
+
assert !has_role?(:test_role, :test_role2)
|
103
|
+
|
104
|
+
block_evaled = false
|
105
|
+
has_role?(:test_role) do
|
106
|
+
block_evaled = true
|
107
|
+
end
|
108
|
+
assert block_evaled
|
109
|
+
|
110
|
+
block_evaled = false
|
111
|
+
has_role?(:test_role2) do
|
112
|
+
block_evaled = true
|
113
|
+
end
|
114
|
+
assert !block_evaled
|
115
|
+
end
|
116
|
+
|
117
|
+
def test_has_any_role
|
118
|
+
reader = Authorization::Reader::DSLReader.new
|
119
|
+
reader.parse %{
|
120
|
+
authorization do
|
121
|
+
role :test_role do
|
122
|
+
has_permission_on :mocks, :to => :show
|
123
|
+
end
|
124
|
+
end
|
125
|
+
}
|
126
|
+
user = MockUser.new(:test_role)
|
127
|
+
request!(user, :action, reader)
|
128
|
+
|
129
|
+
assert has_any_role?(:test_role)
|
130
|
+
assert !has_any_role?(:test_role2)
|
131
|
+
assert has_any_role?(:test_role, :test_role2)
|
132
|
+
|
133
|
+
block_evaled = false
|
134
|
+
has_any_role?(:test_role) do
|
135
|
+
block_evaled = true
|
136
|
+
end
|
137
|
+
assert block_evaled
|
138
|
+
|
139
|
+
block_evaled = false
|
140
|
+
has_any_role?(:test_role2) do
|
141
|
+
block_evaled = true
|
142
|
+
end
|
143
|
+
assert !block_evaled
|
144
|
+
|
145
|
+
block_evaled = false
|
146
|
+
has_any_role?(:test_role,:test_role2) do
|
147
|
+
block_evaled = true
|
148
|
+
end
|
149
|
+
assert block_evaled
|
150
|
+
end
|
151
|
+
|
152
|
+
def test_has_role_with_guest_user
|
153
|
+
reader = Authorization::Reader::DSLReader.new
|
154
|
+
reader.parse %{
|
155
|
+
authorization do
|
156
|
+
end
|
157
|
+
}
|
158
|
+
request!(nil, :action, reader)
|
159
|
+
|
160
|
+
assert !has_role?(:test_role)
|
161
|
+
|
162
|
+
block_evaled = false
|
163
|
+
has_role?(:test_role) do
|
164
|
+
block_evaled = true
|
165
|
+
end
|
166
|
+
assert !block_evaled
|
167
|
+
end
|
168
|
+
|
169
|
+
def test_has_role_with_hierarchy
|
170
|
+
reader = Authorization::Reader::DSLReader.new
|
171
|
+
reader.parse %{
|
172
|
+
authorization do
|
173
|
+
role :test_role do
|
174
|
+
has_permission_on :mocks, :to => :show
|
175
|
+
end
|
176
|
+
role :other_role do
|
177
|
+
has_permission_on :another_mocks, :to => :show
|
178
|
+
end
|
179
|
+
|
180
|
+
role :root do
|
181
|
+
includes :test_role
|
182
|
+
end
|
183
|
+
end
|
184
|
+
}
|
185
|
+
|
186
|
+
user = MockUser.new(:root)
|
187
|
+
request!(user, :action, reader)
|
188
|
+
|
189
|
+
assert has_role_with_hierarchy?(:test_role)
|
190
|
+
assert !has_role_with_hierarchy?(:other_role)
|
191
|
+
|
192
|
+
block_evaled = false
|
193
|
+
has_role_with_hierarchy?(:test_role) do
|
194
|
+
block_evaled = true
|
195
|
+
end
|
196
|
+
assert block_evaled
|
197
|
+
|
198
|
+
block_evaled = false
|
199
|
+
has_role_with_hierarchy?(:test_role2) do
|
200
|
+
block_evaled = true
|
201
|
+
end
|
202
|
+
assert !block_evaled
|
203
|
+
end
|
204
|
+
|
205
|
+
def test_has_any_role_with_hierarchy
|
206
|
+
reader = Authorization::Reader::DSLReader.new
|
207
|
+
reader.parse %{
|
208
|
+
authorization do
|
209
|
+
role :test_role do
|
210
|
+
has_permission_on :mocks, :to => :show
|
211
|
+
end
|
212
|
+
role :other_role do
|
213
|
+
has_permission_on :another_mocks, :to => :show
|
214
|
+
end
|
215
|
+
|
216
|
+
role :root do
|
217
|
+
includes :test_role
|
218
|
+
end
|
219
|
+
end
|
220
|
+
}
|
221
|
+
|
222
|
+
user = MockUser.new(:root)
|
223
|
+
request!(user, :action, reader)
|
224
|
+
|
225
|
+
assert has_any_role_with_hierarchy?(:test_role)
|
226
|
+
assert !has_any_role_with_hierarchy?(:other_role)
|
227
|
+
assert has_any_role_with_hierarchy?(:test_role,:other_role)
|
228
|
+
|
229
|
+
block_evaled = false
|
230
|
+
has_any_role_with_hierarchy?(:test_role) do
|
231
|
+
block_evaled = true
|
232
|
+
end
|
233
|
+
assert block_evaled
|
234
|
+
|
235
|
+
block_evaled = false
|
236
|
+
has_any_role_with_hierarchy?(:test_role2) do
|
237
|
+
block_evaled = true
|
238
|
+
end
|
239
|
+
assert !block_evaled
|
240
|
+
|
241
|
+
block_evaled = false
|
242
|
+
has_any_role_with_hierarchy?(:test_role,:test_role2) do
|
243
|
+
block_evaled = true
|
244
|
+
end
|
245
|
+
assert block_evaled
|
246
|
+
end
|
247
|
+
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
require File.join(File.dirname(__FILE__), 'test_helper.rb')
|
2
|
+
require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization maintenance})
|
3
|
+
|
4
|
+
class MaintenanceTest < Test::Unit::TestCase
|
5
|
+
include Authorization::TestHelper
|
6
|
+
|
7
|
+
def test_usages_by_controllers
|
8
|
+
usage_test_controller = Class.new(ActionController::Base)
|
9
|
+
usage_test_controller.send(:define_method, :an_action) {}
|
10
|
+
usage_test_controller.filter_access_to :an_action
|
11
|
+
|
12
|
+
assert Authorization::Maintenance::Usage::usages_by_controller.
|
13
|
+
include?(usage_test_controller)
|
14
|
+
end
|
15
|
+
|
16
|
+
def test_without_access_control
|
17
|
+
reader = Authorization::Reader::DSLReader.new
|
18
|
+
reader.parse %{
|
19
|
+
authorization do
|
20
|
+
role :test_role do
|
21
|
+
has_permission_on :permissions, :to => :test
|
22
|
+
end
|
23
|
+
end
|
24
|
+
}
|
25
|
+
engine = Authorization::Engine.new(reader)
|
26
|
+
assert !engine.permit?(:test_2, :context => :permissions,
|
27
|
+
:user => MockUser.new(:test_role))
|
28
|
+
Authorization::Maintenance::without_access_control do
|
29
|
+
assert engine.permit!(:test_2, :context => :permissions,
|
30
|
+
:user => MockUser.new(:test_role))
|
31
|
+
end
|
32
|
+
without_access_control do
|
33
|
+
assert engine.permit?(:test_2, :context => :permissions,
|
34
|
+
:user => MockUser.new(:test_role))
|
35
|
+
end
|
36
|
+
Authorization::Maintenance::without_access_control do
|
37
|
+
Authorization::Maintenance::without_access_control do
|
38
|
+
assert engine.permit?(:test_2, :context => :permissions,
|
39
|
+
:user => MockUser.new(:test_role))
|
40
|
+
end
|
41
|
+
assert engine.permit?(:test_2, :context => :permissions,
|
42
|
+
:user => MockUser.new(:test_role))
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
end
|