hoodoo 2.5.1 → 2.6.0

data/lib/hoodoo/client/client.rb

@@ -355,5 +355,11 @@ module Hoodoo
         return endpoint
       end
 
+      # Alias of #resource, as syntax sugar for those who prefer to think of
+      # the return value as an endpoint that is used to contact a resource,
+      # rather than a remote abstraction of the resource as an entity.
+      #
+      alias_method :endpoint, :resource
+
   end
 end

data/lib/hoodoo/communicators/pool.rb

@@ -456,7 +456,7 @@ module Hoodoo
       #
       def handle_exception( exception, communicator )
         begin
-          report = "Slow communicator class #{ communicator.class.name } raised exception '#{ exception }': #{ exception.backtrace }"
+          report = "Communicator class #{ communicator.class.name } raised exception '#{ exception }': #{ exception.backtrace }"
           $stderr.puts( report )
 
         rescue

data/lib/hoodoo/services/services/context.rb

@@ -149,5 +149,11 @@ module Hoodoo; module Services
         return endpoint
       end
 
+      # Alias of #resource, as syntax sugar for those who prefer to think of
+      # the return value as an endpoint that is used to contact a resource,
+      # rather than a remote abstraction of the resource as an entity.
+      #
+      alias_method :endpoint, :resource
+
   end
 end; end

data/lib/hoodoo/services/services/request.rb

@@ -74,12 +74,12 @@ module Hoodoo; module Services
       # intentionally compatible so that pass-through / proxy scenarios from
       # resource implementation to another resource are assisted:
       #
-      #   * +"offset"+
-      #   * +"limit"+
-      #   * +"sort"+ (keys from the Hash under attribute #sort_data)
-      #   * +"direction"+ (values from the Hash under #sort_data)
-      #   * +"search"+ (deep-duplcated value of attribute #search_data)
-      #   * +"filter"+ (deep-duplcated value of attribute #filter_data)
+      # * +offset+
+      # * +limit+
+      # * +sort+ (keys from the Hash under attribute #sort_data)
+      # * +direction+ (values from the Hash under #sort_data)
+      # * +search+ (deep-duplicated value of attribute #search_data)
+      # * +filter+ (deep-duplicated value of attribute #filter_data)
       #
       # Sort, direction, search and filter data, if not empty, also have
       # String keys / values. A single sort-direction key-value pair will be

data/lib/hoodoo/version.rb

@@ -12,11 +12,11 @@ module Hoodoo
   # The Hoodoo gem version. If this changes, be sure to re-run
   # <tt>bundle install</tt> or <tt>bundle update</tt>.
   #
-  VERSION = '2.5.1'
+  VERSION = '2.6.0'
 
   # The Hoodoo gem date. If this changes, be sure to re-run
   # <tt>bundle install</tt> or <tt>bundle update</tt>.
   #
-  DATE = '2018-05-18'
+  DATE = '2018-05-23'
 
 end

data/spec/active/active_record/secure_spec.rb

@@ -17,6 +17,11 @@ describe Hoodoo::ActiveRecord::Secure do
       ActiveRecord::Migration.create_table( :r_spec_model_secure_test_as, &migration )
       ActiveRecord::Migration.create_table( :r_spec_model_secure_test_bs, &migration )
       ActiveRecord::Migration.create_table( :r_spec_model_secure_test_cs, &migration )
+      ActiveRecord::Migration.create_table( :r_spec_model_secure_test_ds, &migration )
+      ActiveRecord::Migration.create_table( :r_spec_model_secure_test_es, &migration )
+      ActiveRecord::Migration.create_table( :r_spec_model_secure_test_fs, &migration )
+
+      # ======================================================================
 
       class RSpecModelSecureTestA < ActiveRecord::Base
         include Hoodoo::ActiveRecord::Secure
@@ -27,6 +32,8 @@ describe Hoodoo::ActiveRecord::Secure do
         )
       end
 
+      # ======================================================================
+
       class RSpecModelSecureTestB < ActiveRecord::Base
         include Hoodoo::ActiveRecord::Secure
 
@@ -36,6 +43,8 @@ describe Hoodoo::ActiveRecord::Secure do
         )
       end
 
+      # ======================================================================
+
       class RSpecModelSecureTestC < ActiveRecord::Base
         include Hoodoo::ActiveRecord::Secure
 
@@ -62,9 +71,49 @@ describe Hoodoo::ActiveRecord::Secure do
           }
         )
       end
+
+      # ======================================================================
+
+      class RSpecModelSecureTestD < ActiveRecord::Base
+        include Hoodoo::ActiveRecord::Secure
+
+        secure_with(
+          :creator => {
+            :session_field_name => 'authorised_creators',
+            :exemptions         => Hoodoo::ActiveRecord::Secure::ENUMERABLE_INCLUDES_STAR
+          }
+        )
+      end
+
+      class RSpecModelSecureTestE < ActiveRecord::Base
+        include Hoodoo::ActiveRecord::Secure
+
+        secure_with(
+          'distributor' => {
+            :session_field_name => :authorised_distributor,
+            :exemptions         => Hoodoo::ActiveRecord::Secure::OBJECT_EQLS_STAR
+          }
+        )
+      end
+
+      class RSpecModelSecureTestF < ActiveRecord::Base
+        include Hoodoo::ActiveRecord::Secure
+
+        secure_with(
+          :field => {
+            :session_field_name => :authorised_suppliers,
+            :exemptions         => Proc.new { | security_values |
+              security_values.is_a?( Enumerable ) &&
+              security_values.include?( 'Dolphin' ) rescue false
+            }
+          }
+        )
+      end
     end
   end
 
+  # ==========================================================================
+
   before :each do
     # Get a good-enough-for-test interaction which has a context
     # that contains a Session we can modify.
@@ -202,6 +251,8 @@ describe Hoodoo::ActiveRecord::Secure do
     it_behaves_like 'a secure model'
   end
 
+  # ==========================================================================
+
   context 'works with custom Procs' do
     before :each do
       @scoped_4 = RSpecModelSecureTestC.new
@@ -265,6 +316,168 @@ describe Hoodoo::ActiveRecord::Secure do
     end
   end
 
+  # ==========================================================================
+
+  # We assume that security_helper_spec.rb takes care of all of the security
+  # helper Proc generators, so all that's left to test is the out-of-box Procs
+  # defined in constants within 'secure.rb' and make sure a custom Proc works
+  # as expected.
+  #
+  context 'with security exemptions' do
+
+    # Call the shared examples with the Hash to set in the @session scoping
+    # value, then true/false values for whether a scoped find-by-ID query
+    # should find the three records created below (true => should find it).
+    #
+    shared_examples 'a secure model' do | session_scoping, s4_bool, s5_bool, s6_bool |
+      before :each do
+        @scoped_4 = @class_to_test.new
+        @scoped_4.creator     = 'C1'
+        @scoped_4.distributor = 'D1'
+        @scoped_4.field       = 'S1'
+        @scoped_4.save!
+
+        @scoped_5 = @class_to_test.new
+        @scoped_5.creator     = 'C2'
+        @scoped_5.distributor = 'D2'
+        @scoped_5.field       = 'S2'
+        @scoped_5.save!
+
+        @scoped_6 = @class_to_test.new
+        @scoped_6.creator     =  'C3'
+        @scoped_6.distributor =  'D3'
+        @scoped_6.field       =  'S3'
+        @scoped_6.save!
+
+        @results = [ @scoped4, @scoped5, @scoped6 ]
+      end
+
+      # Convenience method to DRY up a few tests later.
+      #
+      def expect_none
+        found = @class_to_test.secure( @context ).find_by_id( @scoped_4.id )
+        expect( found ).to be_nil
+
+        found = @class_to_test.secure( @context ).find_by_id( @scoped_5.id )
+        expect( found ).to be_nil
+
+        found = @class_to_test.secure( @context ).find_by_id( @scoped_6.id )
+        expect( found ).to be_nil
+      end
+
+      it 'finds with exemptions from the class' do
+        @session.scoping = session_scoping
+
+        found = @class_to_test.secure( @context ).find_by_id( @scoped_4.id )
+        expect( found ).to eq( s4_bool ? @scoped_4 : nil )
+
+        found = @class_to_test.secure( @context ).find_by_id( @scoped_5.id )
+        expect( found ).to eq( s5_bool ? @scoped_5 : nil )
+
+        found = @class_to_test.secure( @context ).find_by_id( @scoped_6.id )
+        expect( found ).to eq( s6_bool ? @scoped_6 : nil )
+      end
+
+      # Only fully effective if at some point there is a "true, true, true"
+      # case which expects to match all. Otherwise, some of the expectations
+      # aren't useful (the "expects daft lookup to be nil" cases would be
+      # nil anyway, if 'false' indicates no-find-result-expected).
+      #
+      it 'finds with exemptions with a chain' do
+        @session.scoping = session_scoping
+
+        found = @class_to_test.where( :field => @scoped_4.field ).secure( @context ).find_by_id( @scoped_4.id )
+        expect( found ).to eq( s4_bool ? @scoped_4 : nil )
+
+        found = @class_to_test.where( :field => @scoped_4.field + '!' ).secure( @context ).find_by_id( @scoped_4.id )
+        expect( found ).to be_nil
+
+        found = @class_to_test.where( :field => @scoped_5.field ).secure( @context ).find_by_id( @scoped_5.id )
+        expect( found ).to eq( s5_bool ? @scoped_5 : nil )
+
+        found = @class_to_test.where( :field => @scoped_5.field + '!' ).secure( @context ).find_by_id( @scoped_5.id )
+        expect( found ).to be_nil
+
+        found = @class_to_test.where( :field => @scoped_6.field ).secure( @context ).find_by_id( @scoped_6.id )
+        expect( found ).to eq( s6_bool ? @scoped_6 : nil )
+
+        found = @class_to_test.where( :field => @scoped_6.field + '!' ).secure( @context ).find_by_id( @scoped_6.id )
+        expect( found ).to be_nil
+      end
+
+      it 'finds nothing if scope lacks required values' do
+        new_session_scoping = {}
+
+        session_scoping.each do | key, value |
+          new_session_scoping[ key ] = if value.is_a?( Array )
+            [ 'will not match any records' ]
+          else
+            'will not match any records'
+          end
+        end
+
+        @session.scoping = new_session_scoping
+        expect_none()
+      end
+
+      it 'finds nothing if scope lacks required keys' do
+        @session.scoping = { :some_authorised_thing => '*' }
+        expect_none()
+      end
+
+      it 'finds nothing if scope is missing' do
+        expect_none()
+      end
+    end
+
+    # A reminder of RSpecModelSecureTestD rules:
+    #
+    # :creator => {
+    #   :session_field_name => 'authorised_creators',
+    #   :exemptions         => Hoodoo::ActiveRecord::Secure::ENUMERABLE_INCLUDES_STAR
+    # }
+    #
+    context 'works with ENUMERABLE_INCLUDES_STAR' do
+      before( :all ) { @class_to_test = RSpecModelSecureTestD }
+
+      it_behaves_like 'a secure model', { :authorised_creators  => [ 'C1', '*' ] }, true,  true, true
+      it_behaves_like 'a secure model', { 'authorised_creators' => [ 'C2'      ] }, false, true, false
+    end
+
+    # A reminder of RSpecModelSecureTestE rules:
+    #
+    # 'distributor' => {
+    #   :session_field_name => :authorised_distributor,
+    #   :exemptions         => Hoodoo::ActiveRecord::Secure::OBJECT_EQLS_STAR
+    # }
+    #
+    context 'works with OBJECT_EQLS_STAR' do
+      before( :all ) { @class_to_test = RSpecModelSecureTestE }
+
+      it_behaves_like 'a secure model', { :authorised_distributor  => '*'  }, true,  true,  true
+      it_behaves_like 'a secure model', { 'authorised_distributor' => 'D3' }, false, false, true
+    end
+
+    # A reminder of RSpecModelSecureTestF rules:
+    #
+    # :field => {
+    #   :session_field_name => :authorised_suppliers,
+    #   :exemptions         => Proc.new { | security_values |
+    #     security_values.is_a?( Enumerable ) &&
+    #     security_values.include?( 'Dolphin' ) rescue false
+    #   }
+    # }
+    #
+    context 'works with a custom Proc' do
+      before( :all ) { @class_to_test = RSpecModelSecureTestF }
+
+      it_behaves_like 'a secure model', { :authorised_suppliers  => [ 'Dolphin'  ] }, true, true,  true
+      it_behaves_like 'a secure model', { 'authorised_suppliers' => [ 'S1', 'S3' ] }, true, false, true
+    end
+  end
+
+  # ==========================================================================
+
   # See also presenters/base_spec.rb
   #
   context 'rendering' do

data/spec/active/active_record/security_helper_spec.rb

@@ -0,0 +1,201 @@
+require 'spec_helper'
+
+describe Hoodoo::ActiveRecord::Secure::SecurityHelper do
+
+  class TestAllMatchersObject
+    include Enumerable
+
+    def     eql?( thing ); true; end
+    def include?( thing ); true; end
+    def   match?( thing ); true; end
+  end
+
+  class TestRescueAllMatchersObject
+    include Enumerable
+
+    def     eql?( thing ); raise "boo!"; end
+    def include?( thing ); raise "boo!"; end
+    def   match?( thing ); raise "boo!"; end
+  end
+
+  context '::eqls_wildcard' do
+    before :each do
+      @proc = Hoodoo::ActiveRecord::Secure::SecurityHelper.eqls_wildcard( '!' )
+    end
+
+    it 'matches when it should' do
+      expect( @proc.call( '!' ) ).to eql( true )
+      expect( @proc.call( TestAllMatchersObject.new ) ).to eql( true )
+    end
+
+    it 'misses when it should' do
+      expect( @proc.call( '*' ) ).to eql( false )
+      expect( @proc.call( ' !' ) ).to eql( false )
+      expect( @proc.call( '! ' ) ).to eql( false )
+      expect( @proc.call( "!\n" ) ).to eql( false )
+      expect( @proc.call( 42 ) ).to eql( false )
+      expect( @proc.call( { :hello => :world } ) ).to eql( false )
+      expect( @proc.call( [ 1, 2, 3, 4 ] ) ).to eql( false )
+    end
+
+    it 'rescues' do
+      expect( @proc.call( TestRescueAllMatchersObject.new ) ).to eql( false )
+    end
+  end
+
+  context '::includes_wildcard' do
+    before :each do
+      @proc = Hoodoo::ActiveRecord::Secure::SecurityHelper.includes_wildcard( '!' )
+    end
+
+    it 'matches when it should' do
+      expect( @proc.call( [ '!' ] ) ).to eql( true )
+      expect( @proc.call( [ '!', 1, 2, 3, 4 ] ) ).to eql( true )
+      expect( @proc.call( [ 1, 2, '!', 3, 4 ] ) ).to eql( true )
+      expect( @proc.call( [ 1, 2, 3, 4, '!' ] ) ).to eql( true )
+      expect( @proc.call( TestAllMatchersObject.new ) ).to eql( true )
+    end
+
+    it 'misses when it should' do
+      expect( @proc.call( '!' ) ).to eql( false )
+      expect( @proc.call( [ '*' ] ) ).to eql( false )
+      expect( @proc.call( [ ' !' ] ) ).to eql( false )
+      expect( @proc.call( [ '! ' ] ) ).to eql( false )
+      expect( @proc.call( [ "!\n" ] ) ).to eql( false )
+      expect( @proc.call( 42 ) ).to eql( false )
+      expect( @proc.call( { :hello => :world } ) ).to eql( false )
+    end
+
+    it 'rescues' do
+      expect( @proc.call( TestRescueAllMatchersObject.new ) ).to eql( false )
+    end
+  end
+
+  context '::matches_wildcard' do
+    let( :param ) { '^..!.*' }
+    let( :proc  ) { Hoodoo::ActiveRecord::Secure::SecurityHelper.matches_wildcard( param ) }
+
+    shared_examples 'a ::matches_wildcard Proc' do
+      it 'and matches when it should' do
+        expect( proc().call( '12!' ) ).to eql( true )
+        expect( proc().call( '12!3' ) ).to eql( true )
+
+        if ''.respond_to?( :match? )
+          expect( proc().call( TestAllMatchersObject.new ) ).to eql( true )
+        else
+          expect_any_instance_of( Regexp ).to receive( :match ).and_return( true )
+          proc().call( TestAllMatchersObject.new )
+        end
+      end
+
+      it 'and misses when it should' do
+        expect( proc().call( '123!4' ) ).to eql( false )
+        expect( proc().call( '1!4' ) ).to eql( false )
+        expect( proc().call( 42 ) ).to eql( false )
+        expect( proc().call( { :hello => :world } ) ).to eql( false )
+        expect( proc().call( [ 1, 2, 3, 4 ] ) ).to eql( false )
+      end
+
+      it 'and rescues' do
+        if ''.respond_to?( :match? )
+          expect( proc().call( TestRescueAllMatchersObject.new ) ).to eql( false )
+        else
+          expect_any_instance_of( Regexp ).to receive( :match ).and_raise( RuntimeError )
+          proc().call( TestRescueAllMatchersObject.new )
+        end
+      end
+    end
+
+    # Tests running on Ruby >= 2.4 need String#match? knocking out for a
+    # while, for code coverage.
+    #
+    context 'with slow matcher' do
+      before :each do
+        @unbound_method = nil
+
+        if ''.respond_to?( :match? )
+          @unbound_method = String.instance_method( :match? )
+          String.send( :remove_method, :match? )
+        end
+      end
+
+      after :each do
+        unless @unbound_method.nil?
+          String.send( :define_method, :match?, @unbound_method )
+        end
+      end
+
+      context 'constructed with a String' do
+        it_behaves_like 'a ::matches_wildcard Proc'
+      end
+
+      context 'constructed with a Regexp' do
+        let( :param ) { /^..!.*/ }
+        it_behaves_like 'a ::matches_wildcard Proc'
+      end
+    end
+
+    # Tests running on Ruby < 2.4 can't do the fast match tests.
+    #
+    if ''.respond_to?( :match? )
+      context 'with fast matcher' do
+        context 'constructed with a String' do
+          it_behaves_like 'a ::matches_wildcard Proc'
+        end
+
+        context 'constructed with a Regexp' do
+          let( :param ) { /^..!.*/ }
+          it_behaves_like 'a ::matches_wildcard Proc'
+        end
+      end
+    end
+  end
+
+  context '::matches_wildcard_enumerable' do
+    let( :proc  ) { Hoodoo::ActiveRecord::Secure::SecurityHelper.matches_wildcard_enumerable( param ) }
+    let( :param ) { '^..!.*' }
+
+    shared_examples 'a ::matches_wildcard Proc' do
+      it 'and matches when it should' do
+        expect( proc().call( [ '12!34', '1', 2, :three, 4 ] ) ).to eql( true )
+        expect( proc().call( [ '1', 2, :three, '12!34', 4 ] ) ).to eql( true )
+        expect( proc().call( [ '1', 2, :three, 4, '12!34' ] ) ).to eql( true )
+        expect( proc().call( [ '12!' ] ) ).to eql( true )
+
+        if ''.respond_to?( :match? )
+          expect( proc().call( [ TestAllMatchersObject.new ] ) ).to eql( true )
+        else
+          expect_any_instance_of( Regexp ).to receive( :match ).and_return( true )
+          proc().call( [ TestAllMatchersObject.new ] )
+        end
+      end
+
+      it 'and misses when it should' do
+        expect( proc().call( [ '123!34' ] ) ).to eql( false )
+        expect( proc().call( [ '1!4' ] ) ).to eql( false )
+        expect( proc().call( { :hello => :world } ) ).to eql( false )
+        expect( proc().call( [ 1, 2, 3, 4 ] ) ).to eql( false )
+      end
+
+      it 'and rescues' do
+        expect( proc().call( 42 ) ).to eql( false )
+
+        if ''.respond_to?( :match? )
+          expect( proc().call( [ TestRescueAllMatchersObject.new ] ) ).to eql( false )
+        else
+          expect_any_instance_of( Regexp ).to receive( :match ).and_raise( RuntimeError )
+          proc().call( [ TestRescueAllMatchersObject.new ] )
+        end
+      end
+    end
+
+    context 'constructed with a String' do
+      it_behaves_like 'a ::matches_wildcard Proc'
+    end
+
+    context 'constructed with a Regexp' do
+      let( :param ) { /^..!.*/ }
+      it_behaves_like 'a ::matches_wildcard Proc'
+    end
+  end
+end