hydra-access-controls 0.0.1

data/lib/hydra/role_mapper_behavior.rb

@@ -0,0 +1,33 @@
+# this code will be moved/renamed to Hydra::AccessControl::RoleMapperBehavior (with the appropriate namespace changes) in Hydra 5.0
+require 'yaml'
+module Hydra::RoleMapperBehavior
+  extend ActiveSupport::Concern
+
+  module ClassMethods
+    def role_names
+      map.keys
+    end
+    def roles(username)
+      byname[username]||[]
+    end
+    
+    def whois(r)
+      map[r]||[]
+    end
+
+    def map
+      @map ||= YAML.load(File.open(File.join(Rails.root, "config/role_map_#{Rails.env}.yml")))
+    end
+
+
+    def byname
+      return @byname if @byname
+      m = Hash.new{|h,k| h[k]=[]}
+      @byname = map.inject(m) do|memo, (role,usernames)| 
+        ((usernames if usernames.respond_to?(:each)) || [usernames]).each { |x| memo[x]<<role}
+        memo
+      end
+    end
+  end
+end
+

data/lib/role_mapper.rb

@@ -0,0 +1,6 @@
+# RoleMapper This is used by AccessControlsEnforcement to get users' Roles (used in access permissions)
+# If you are using something like Shibboleth or LDAP to get users' Roles, you should override this Class.  
+# Your override should include a Module that implements the same behaviors as Hydra::RoleMapperBehavior 
+class RoleMapper
+  include Hydra::RoleMapperBehavior
+end

data/spec/spec_helper.rb

@@ -0,0 +1,20 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+
+
+# if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/
+#   require 'simplecov'
+#   require 'simplecov-rcov'
+# 
+#   SimpleCov.formatter = SimpleCov::Formatter::RcovFormatter
+#   SimpleCov.start
+# end
+# 
+require 'rspec/autorun'
+require 'hydra-access-controls'
+require 'support/mods_asset'
+RSpec.configure do |config|
+
+end
+

data/spec/support/config/role_map_test.yml

@@ -0,0 +1,14 @@
+archivist:
+  - archivist1@example.com
+  - archivist2@example.com
+  - leland_himself@example.com
+admin_policy_object_editor:
+  - archivist1@example.com
+donor:
+  - donor1@example.com
+  - leland_himself@example.com
+researcher:
+  - researcher1@example.com
+patron:
+  - patron1@example.com
+  - leland_himself@example.com

data/spec/support/mods_asset.rb

@@ -0,0 +1,6 @@
+require 'active-fedora'
+class ModsAsset < ActiveFedora::Base
+  include Hydra::ModelMixins::RightsMetadata
+  has_metadata :name => "rightsMetadata", :type => Hydra::Datastream::RightsMetadata
+
+end

data/spec/unit/ability_spec.rb

@@ -0,0 +1,82 @@
+require 'spec_helper'
+
+describe Ability do
+  before do
+    class Rails; end
+    class User; end
+    class Devise; end
+    class SolrDocument
+      def initialize(one, two)
+        @one = one
+      end
+      def fetch(field, default)
+        @one[field]
+      end
+    end
+    class Hydra::SuperuserAttributes; end
+    module Blacklight
+      module Exceptions
+        class InvalidSolrID < StandardError
+          def initialize(opt)
+          end
+        end
+      end
+    end
+    Devise.stub(:authentication_keys).and_return(['email'])
+    # User.any_instance.stub(:email).and_return('archivist1@example.com')
+    # User.any_instance.stub(:new_record?).and_return(false)
+    # User.any_instance.stub(:is_being_superuser?).and_return(false)
+    Hydra::SuperuserAttributes.stub(:silenced)
+    Hydra::SuperuserAttributes.stub(:silenced=)
+    @solr_resp = stub("solr response")
+    Blacklight.stub(:solr).and_return(stub("solr", :find=>@solr_resp))
+    
+    Rails.stub(:root).and_return('spec/support')
+    Rails.stub(:env).and_return('test')
+
+    Hydra.stub(:config).and_return({:permissions=>{
+      :catchall => "access_t",
+      :discover => {:group =>"discover_access_group_t", :individual=>"discover_access_person_t"},
+      :read => {:group =>"read_access_group_t", :individual=>"read_access_person_t"},
+      :edit => {:group =>"edit_access_group_t", :individual=>"edit_access_person_t"},
+      :owner => "depositor_t",
+      :embargo_release_date => "embargo_release_date_dt"
+    }})
+  end
+
+  context "for a not-signed in user" do
+    before do
+      User.any_instance.stub(:email).and_return(nil)
+      User.any_instance.stub(:new_record?).and_return(true)
+      User.any_instance.stub(:is_being_superuser?).and_return(false)
+    end
+    subject { Ability.new(nil) }
+    it "should call custom_permissions" do
+      Ability.any_instance.should_receive(:custom_permissions)
+      subject.can?(:delete, 7)
+    end
+    it "should be able to read objects that are public" do
+      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['public']}])
+      public_object = ModsAsset.new
+      subject.can?(:read, public_object).should be_true
+    end
+    it "should not be able to read objects that are registered" do
+      registered_object = ModsAsset.new
+      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['registered']}])
+      subject.can?(:read, registered_object).should_not be_true
+    end
+  end
+  context "for a signed in user" do
+    subject { Ability.new(stub("user", :email=>'archivist1@example.com', :new_record? => false, :is_being_superuser? =>false)) }
+    it "should be able to read objects that are public" do
+      public_object = ModsAsset.new
+      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['public']}])
+      subject.can?(:read, public_object).should be_true
+    end
+    it "should be able to read objects that are registered" do
+      registered_object = ModsAsset.new
+      @solr_resp.stub(:docs).and_return([{'read_access_group_t' =>['registered']}])
+      subject.can?(:read, registered_object).should be_true
+    end
+  end
+end

data/spec/unit/hydra_rights_metadata_spec.rb

@@ -0,0 +1,173 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+require "nokogiri"
+
+describe Hydra::Datastream::RightsMetadata do
+  
+  before(:each) do
+    # The way RubyDora loads objects prevents us from stubbing the fedora connection :(
+    # ActiveFedora::RubydoraConnection.stubs(:instance).returns(stub_everything())
+    obj = ActiveFedora::Base.new
+    @sample = Hydra::Datastream::RightsMetadata.new(obj.inner_object, nil)
+    @sample.stub(:content).and_return('')
+  end
+  
+  describe "permissions" do
+    describe "setter" do
+      it "should create/update/delete permissions for the given user/group" do
+        @sample.class.terminology.xpath_for(:access, :person, "person_123").should == '//oxns:access/oxns:machine/oxns:person[contains(., "person_123")]'
+        
+        person_123_perms_xpath = @sample.class.terminology.xpath_for(:access, :person, "person_123")
+        group_zzz_perms_xpath = @sample.class.terminology.xpath_for(:access, :group, "group_zzz")
+        
+        @sample.find_by_terms(person_123_perms_xpath).should be_empty 
+        @sample.permissions({"person"=>"person_123"}, "edit").should == "edit"
+        @sample.permissions({"group"=>"group_zzz"}, "edit").should == "edit"      
+        
+        @sample.find_by_terms(person_123_perms_xpath).first.ancestors("access").first.attributes["type"].text.should == "edit"
+        @sample.find_by_terms(group_zzz_perms_xpath).first.ancestors("access").first.attributes["type"].text.should == "edit"
+        
+        @sample.permissions({"person"=>"person_123"}, "read")
+        @sample.permissions({"group"=>"group_zzz"}, "read")
+        @sample.find_by_terms(person_123_perms_xpath).length.should == 1
+        
+        @sample.find_by_terms(person_123_perms_xpath).first.ancestors("access").first.attributes["type"].text.should == "read"
+        @sample.find_by_terms(group_zzz_perms_xpath).first.ancestors("access").first.attributes["type"].text.should == "read"
+      
+        @sample.permissions({"person"=>"person_123"}, "none").should == "none"
+        @sample.permissions({"group"=>"group_zzz"}, "none").should == "none"
+        @sample.find_by_terms(person_123_perms_xpath).should be_empty 
+        @sample.find_by_terms(person_123_perms_xpath).should be_empty 
+      end
+      it "should remove existing permissions (leaving only one permission level per user/group)" do
+        person_123_perms_xpath = @sample.class.terminology.xpath_for(:access, :person, "person_123")
+        group_zzz_perms_xpath = @sample.class.terminology.xpath_for(:access, :group, "group_zzz")
+                        
+        @sample.find_by_terms(person_123_perms_xpath).length.should == 0
+        @sample.find_by_terms(group_zzz_perms_xpath).length.should == 0
+        @sample.permissions({"person"=>"person_123"}, "read")
+        @sample.permissions({"group"=>"group_zzz"}, "read")
+        @sample.find_by_terms(person_123_perms_xpath).length.should == 1
+        @sample.find_by_terms(group_zzz_perms_xpath).length.should == 1
+        
+        @sample.permissions({"person"=>"person_123"}, "edit")
+        @sample.permissions({"group"=>"group_zzz"}, "edit")
+        @sample.find_by_terms(person_123_perms_xpath).length.should == 1
+        @sample.find_by_terms(group_zzz_perms_xpath).length.should == 1
+      end
+      it "should not impact other users permissions" do
+        @sample.permissions({"person"=>"person_123"}, "read")
+        @sample.permissions({"person"=>"person_789"}, "edit")
+        
+        @sample.permissions({"person"=>"person_123"}).should == "read"
+        @sample.permissions({"person"=>"person_456"}, "read")
+        @sample.permissions({"person"=>"person_123"}).should == "read"
+        @sample.permissions({"person"=>"person_456"}).should == "read"
+        @sample.permissions({"person"=>"person_789"}).should == "edit"
+        
+        
+      end
+    end
+    describe "getter" do
+      it "should return permissions level for the given user/group" do
+        @sample.permissions({"person"=>"person_123"}, "edit")
+        @sample.permissions({"group"=>"group_zzz"}, "discover")
+        @sample.permissions({"person"=>"person_123"}).should == "edit"
+        @sample.permissions({"group"=>"group_zzz"}).should == "discover"
+        @sample.permissions({"group"=>"foo_people"}).should == "none"
+      end
+    end
+  end
+  describe "groups" do
+    it "should return a hash of all groups with permissions set, along with their permission levels" do
+      @sample.permissions({"group"=>"group_zzz"}, "edit")
+      @sample.permissions({"group"=>"public"}, "discover")
+
+      #@sample.groups.should == {"group_zzz"=>"edit", "public"=>"discover"}
+      @sample.groups.should == {"public"=>"discover", "group_zzz"=>"edit"}
+    end
+  end
+  describe "individuals" do
+    it "should return a hash of all individuals with permissions set, along with their permission levels" do
+      @sample.permissions({"person"=>"person_123"}, "read")
+      @sample.permissions({"person"=>"person_456"}, "edit")
+      @sample.individuals.should == {"person_123"=>"read", "person_456"=>"edit"}
+    end
+  end
+  
+  describe "update_permissions" do
+    it "should accept a hash of groups and persons, updating their permissions accordingly" do
+      @sample.should_receive(:permissions).with({"group" => "group1"}, "discover")
+      @sample.should_receive(:permissions).with({"group" => "group2"}, "edit")
+      @sample.should_receive(:permissions).with({"person" => "person1"}, "read")
+      @sample.should_receive(:permissions).with({"person" => "person2"}, "discover")
+      
+      @sample.update_permissions( {"group"=>{"group1"=>"discover","group2"=>"edit"}, "person"=>{"person1"=>"read","person2"=>"discover"}} )
+    end
+  end
+  
+  describe "update_indexed_attributes" do
+    it "should update the declared properties" do
+      @sample.find_by_terms(*[:edit_access, :person]).length.should == 0
+      @sample.update_values([:edit_access, :person]=>"user id").should == {"edit_access_person"=>{"0"=>"user id"}}
+      @sample.find_by_terms(*[:edit_access, :person]).length.should == 1
+      @sample.find_by_terms(*[:edit_access, :person]).first.text.should == "user id"
+    end
+  end
+  describe "to_solr" do
+    it "should populate solr doc with the correct fields" do
+      params = {[:edit_access, :person]=>"Lil Kim", [:edit_access, :group]=>["group1","group2"], [:discover_access, :group]=>["public"],[:discover_access, :person]=>["Joe Schmoe"]}
+      @sample.update_values(params)
+      solr_doc = @sample.to_solr
+      
+      solr_doc["edit_access_person_t"].should == ["Lil Kim"]
+      solr_doc["edit_access_group_t"].sort.should == ["group1", "group2"]
+      solr_doc["discover_access_person_t"].should == ["Joe Schmoe"]
+      solr_doc["discover_access_group_t"].should == ["public"]
+    end
+    it "should solrize fixture content correctly" do
+      lsample = Hydra::Datastream::RightsMetadata.new(nil, nil)
+      lsample.update_permissions({'person' => {'researcher1' => 'edit'},
+                                  'group' => {'archivist' => 'edit', 'public' =>'read', 'bob'=>'discover'}})
+
+      solr_doc = lsample.to_solr
+      solr_doc["edit_access_person_t"].should == ["researcher1"]
+      solr_doc["edit_access_group_t"].should == ["archivist"]
+      solr_doc["read_access_group_t"].should == ["public"]
+      solr_doc["discover_access_group_t"].should == ["bob"]
+    end
+  end
+  describe "embargo_release_date=" do
+    it "should update the appropriate node with the value passed" do
+      @sample.embargo_release_date=("2010-12-01")
+      @sample.embargo_release_date.should == "2010-12-01"
+    end
+    it "should only accept valid date values" do
+      
+    end
+  end
+  describe "embargo_release_date" do
+    it "should return solr formatted date" do
+      @sample.embargo_release_date=("2010-12-01")
+      @sample.embargo_release_date(:format=>:solr_date).should == "2010-12-01T23:59:59Z"
+    end
+    
+    # this test was returning '' under 1.9 and returning nil under ree and 1.8.7
+    it "should not return anything if the date is empty string" do
+      @sample.update_values({[:embargo,:machine,:date]=>''})
+      @sample.embargo_release_date(:format=>:solr_date).should be_blank
+    end
+  end
+  describe "under_embargo?" do
+    it "should return true if the current date is before the embargo release date" do
+      @sample.embargo_release_date=Date.today+1.month
+      @sample.under_embargo?.should be_true
+    end
+    it "should return false if the current date is after the embargo release date" do
+      @sample.embargo_release_date=Date.today-1.month
+      @sample.under_embargo?.should be_false
+    end
+    it "should return false if there is no embargo date" do
+      @sample.under_embargo?.should be_false
+    end
+  end
+end

data/spec/unit/rights_metadata_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+describe Hydra::ModelMixins::RightsMetadata do
+  subject { ModsAsset.new }
+  it "should have a set of permissions" do
+    subject.discover_groups=['group1', 'group2']
+    subject.edit_users=['user1']
+    subject.read_users=['user2', 'user3']
+    subject.permissions.should include({:type=>"group", :access=>"discover", :name=>"group1"},
+        {:type=>"group", :access=>"discover", :name=>"group2"},
+        {:type=>"user", :access=>"read", :name=>"user2"},
+        {:type=>"user", :access=>"read", :name=>"user3"},
+        {:type=>"user", :access=>"edit", :name=>"user1"})
+  end
+
+  describe "updating permissions" do
+    it "should create new group permissions" do
+      subject.permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
+      subject.permissions.should == [{:type=>'group', :access=>'discover', :name=>'group1'}]
+    end
+    it "should create new user permissions" do
+      subject.permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
+      subject.permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'}]
+    end
+    it "should not replace existing groups" do
+      subject.permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
+      subject.permissions = [{:name=>'group2', :access=>'discover', :type=>'group'}]
+      subject.permissions.should == [{:type=>'group', :access=>'discover', :name=>'group1'},
+                                   {:type=>'group', :access=>'discover', :name=>'group2'}]
+    end
+    it "should not replace existing users" do
+      subject.permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
+      subject.permissions = [{:name=>'user2', :access=>'discover', :type=>'user'}]
+      subject.permissions.should == [{:type=>'user', :access=>'discover', :name=>'user1'},
+                                   {:type=>'user', :access=>'discover', :name=>'user2'}]
+    end
+    it "should update permissions on existing users" do
+      subject.permissions = [{:name=>'user1', :access=>'discover', :type=>'user'}]
+      subject.permissions = [{:name=>'user1', :access=>'edit', :type=>'user'}]
+      subject.permissions.should == [{:type=>'user', :access=>'edit', :name=>'user1'}]
+    end
+    it "should update permissions on existing groups" do
+      subject.permissions = [{:name=>'group1', :access=>'discover', :type=>'group'}]
+      subject.permissions = [{:name=>'group1', :access=>'edit', :type=>'group'}]
+      subject.permissions.should == [{:type=>'group', :access=>'edit', :name=>'group1'}]
+    end
+
+  end
+
+  context "with rightsMetadata" do
+    before do
+      subject.rightsMetadata.update_permissions("person"=>{"person1"=>"read","person2"=>"discover"}, "group"=>{'group-6' => 'read', "group-7"=>'read', 'group-8'=>'edit'})
+      subject.save
+    end
+    it "should have read groups accessor" do
+      subject.read_groups.should == ['group-6', 'group-7']
+    end
+    it "should have read groups string accessor" do
+      subject.read_groups_string.should == 'group-6, group-7'
+    end
+    it "should have read groups writer" do
+      subject.read_groups = ['group-2', 'group-3']
+      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
+      subject.rightsMetadata.individuals.should == {"person1"=>"read","person2"=>"discover"}
+    end
+
+    it "should have read groups string writer" do
+      subject.read_groups_string = 'umg/up.dlt.staff, group-3'
+      subject.rightsMetadata.groups.should == {'umg/up.dlt.staff' => 'read', 'group-3'=>'read', 'group-8' => 'edit'}
+      subject.rightsMetadata.individuals.should == {"person1"=>"read","person2"=>"discover"}
+    end
+    it "should only revoke eligible groups" do
+      subject.set_read_groups(['group-2', 'group-3'], ['group-6'])
+      # 'group-7' is not eligible to be revoked
+      subject.rightsMetadata.groups.should == {'group-2' => 'read', 'group-3'=>'read', 'group-7' => 'read', 'group-8' => 'edit'}
+      subject.rightsMetadata.individuals.should == {"person1"=>"read","person2"=>"discover"}
+    end
+  end
+
+end

data/spec/unit/role_mapper_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe RoleMapper do
+  before do
+    class Rails; end
+    
+    Rails.stub(:root).and_return('spec/support')
+    Rails.stub(:env).and_return('test')
+  end
+  
+  it "should define the 4 roles" do
+    RoleMapper.role_names.sort.should == %w(admin_policy_object_editor archivist donor patron researcher) 
+  end
+  it "should quer[iy]able for roles for a given user" do
+    RoleMapper.roles('leland_himself@example.com').sort.should == ['archivist', 'donor', 'patron']
+    RoleMapper.roles('archivist2@example.com').should == ['archivist']
+  end
+
+  it "should return an empty array if there are no roles" do
+    RoleMapper.roles('zeus@olympus.mt').empty?.should == true
+  end
+  it "should know who is what" do
+    RoleMapper.whois('archivist').sort.should == %w(archivist1@example.com archivist2@example.com leland_himself@example.com)
+    RoleMapper.whois('salesman').empty?.should == true
+    RoleMapper.whois('admin_policy_object_editor').sort.should == %w(archivist1@example.com)
+  end
+
+end