iron_hide 0.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 43f6efb8400709edf09c958d29466af574d7bbeb
+  data.tar.gz: 122df1373619876ef2cd2c5e1d7c109839b59373
+SHA512:
+  metadata.gz: 50020dee2524090274d7191e43bfb24a4271e8da4dfa6ddb4a73df560badfc4fc42f1090536171d9221ff352d0d72694cf3fda2a29b5b60249b0c68badc23574
+  data.tar.gz: 03112c2cee64e74ed11962aa6fcc2308b13686654726c617978df4700478c7bd15dc2cd67a907e2504afb11531be4dbae036582608880dac31fea47829c8ff26

data/lib/iron_hide/condition.rb

@@ -0,0 +1,148 @@
+require 'set'
+
+module IronHide
+  class Condition
+    VALID_TYPES = {
+      'equal'=> :EqualCondition,
+      'not_equal'=> :NotEqualCondition
+    }.freeze
+
+    # @param params [Hash] It has a single key, which is the conditional operator
+    #   type. The value is the set of conditionals that must be met.
+    #
+    # @example
+    #   { :equal => {
+    #       'resource::manager_id' => ['user::manager_id'],
+    #       'user::user_role_ids' => ['8']
+    #     }
+    #   }
+    #
+    # @return [EqualCondition, NotEqualCondition]
+    # @raise [IronHide::InvalidConditional] for too many keys
+    #
+    def self.new(params)
+      if params.length > 1
+        raise InvalidConditional, "Expected #{params} to have one key"
+      end
+      type, conditionals = params.first
+      #=> :equal, { key: val, key: val }
+      #
+      # See: http://ruby-doc.org/core-1.9.3/Class.html#method-i-allocate
+      klass = VALID_TYPES.fetch(type){ raise InvalidConditional, "#{type} is not valid"}
+      cond  = IronHide.const_get(klass).allocate
+      cond.send(:initialize, (conditionals))
+      cond
+    end
+
+    # @param conditionals [Hash]
+    # @example
+    #  {
+    #    'resource::manager_id' => ['user::manager_id'],
+    #    'user::user_role_ids' => ['8']
+    #  }
+    #
+    def initialize(conditionals)
+      @conditionals = conditionals
+    end
+
+    attr_reader :conditionals
+
+    # @param user [Object]
+    # @param resource [Object]
+    # return [Boolean] if is met
+    def met?(user, resource)
+      raise NotImplementedError
+    end
+
+    protected
+
+    EVALUATE_REGEX = /
+      (
+       \Auser\z|    # 'user' or 'resource'
+       \Aresource\z
+      )
+      |             # OR
+      \A\w+:{2}\w+  # "word::word"
+      (:{2}\w+)*    # Followed by any number of "::word"
+      \z            # End of string
+      /x
+
+    # *Safely* evaluate a conditional expression
+    #
+    # @note
+    # This does not guarantee that conditions are correctly specified.
+    # For example, 'user:::manager' will not resolve to anything, and
+    # and an exception will *not* be raised. The same goes for 'user:::' and
+    # 'user:id'.
+    #
+    # @param expressions [Array<String, Object>, String, Object] an array or
+    # a single expression. This represents either an immediate value (e.g.,
+    # '1', 99) or a valid expression that can be interpreted (see example)
+    #
+    # @example
+    #   ['user::manager_id']     #=> [1]
+    #   ['user::role_ids']       #=> [1,2,3,4]
+    #   ['resource::manager_id'] #=> [1]
+    #   [1,2,3,4]                #=> [1,2,3,4]
+    #   'user::id'               #=> [1]
+    #   'resource::id'           #=> [2]
+    #
+    # @return [Array<Object>] a collection of 0 or more objects
+    # representing attributes on the user or resource
+    #
+    def evaluate(expression, user, resource)
+      Array(expression).flat_map do |el|
+        if expression?(el)
+          type, *ary  = el.split('::')
+          if type == 'user'
+            Array(ary.inject(user) do |rval, attr|
+              rval.freeze.public_send(attr)
+            end)
+          elsif type == 'resource'
+            Array(ary.inject(resource) do |rval, attr|
+              rval.freeze.public_send(attr)
+            end)
+          else
+            raise "Expected #{type} to be 'resource' or 'user'"
+          end
+        else
+          el
+        end
+      end
+    end
+
+    def expression?(expression)
+      !!(expression =~ EVALUATE_REGEX)
+    end
+
+    def with_error_handling
+      yield
+    rescue => e
+      new_exception = InvalidConditional.new(e.to_s)
+      new_exception.set_backtrace(e.backtrace)
+      raise new_exception
+    end
+  end
+
+  # @api private
+  class EqualCondition < Condition
+    def met?(user, resource)
+      with_error_handling do
+        conditionals.all? do |left, right|
+          (evaluate(left, user, resource) & evaluate(right, user, resource)).size > 0
+        end
+      end
+    end
+  end
+
+  # @api private
+  class NotEqualCondition < Condition
+    def met?(user, resource)
+      with_error_handling do
+        conditionals.all? do |left, right|
+          !((evaluate(left, user, resource) & evaluate(right, user, resource)).size > 0)
+        end
+      end
+    end
+  end
+end

data/lib/iron_hide/errors.rb

@@ -0,0 +1,18 @@
+module IronHide
+  # All exceptions inherit from IronHideError to allow rescuing from all
+  # exceptions that occur in this gem.
+  #
+  class IronHideError < StandardError      ; end
+
+  # Exception raised when an authorization failure occurs.
+  # Typically when IronHide::authorize! is invoked
+  #
+  class AuthorizationError < IronHideError ; end
+
+  # Exception raised when a conditional is incorrectly defined
+  # in the rules.
+  # @see IronHide::Condition
+  #
+  class InvalidConditional < IronHideError ; end
+
+end

data/lib/iron_hide/rule.rb

@@ -0,0 +1,69 @@
+module IronHide
+  class Rule
+    ALLOW     = 'allow'.freeze
+    DENY      = 'deny'.freeze
+
+    attr_reader :description, :effect, :conditions, :user, :resource
+
+    def initialize(user, resource, params = {})
+      @user        = user
+      @resource    = resource
+      @description = params['description']
+      @effect      = params.fetch('effect', DENY) # Default DENY
+      @conditions  = Array(params['conditions']).map { |c| Condition.new(c) }
+    end
+
+    # Returns all applicable rules matching on resource and action
+    #
+    # @param user [Object]
+    # @param action [String]
+    # @param resource [Object]
+    # @return [Array<IronHide::Rule>]
+    def self.find(user, action, resource)
+      ns_resource = "#{IronHide.namespace}::#{resource.class.name}"
+      storage.where(resource: ns_resource, action: action).map do |json|
+        new(user, resource, json)
+      end
+    end
+
+    # NOTE: If any Rule is an explicit DENY, then an allow cannot override the Rule
+    #       If any Rule is explicit ALLOW, and there is no explicit DENY, then ALLOW
+    #       If no Rules match, then DENY
+    #
+    # @return [Boolean]
+    # @param user [Object]
+    # @param action [String]
+    # @param resource [String]
+    #
+    def self.allow?(user, action, resource)
+      find(user, action, resource).inject(false) do |rval, rule|
+        # For an explicit DENY, stop evaluating, and return false
+        rval = false and break if rule.explicit_deny?
+
+        # For an explicit ALLOW, true
+        rval = true if rule.allow?
+
+        rval
+      end
+    end
+
+    # An abstraction over the storage of the rules
+    # @see IronHide::Storage
+    # @return [IronHide::Storage]
+    def self.storage
+      IronHide.storage
+    end
+
+    # @return [Boolean]
+    def allow?
+      effect == ALLOW && conditions.all? { |c| c.met?(user,resource) }
+    end
+
+    # @return [Boolean]
+    def explicit_deny?
+      effect == DENY && conditions.all? { |c| c.met?(user,resource) }
+    end
+
+    alias_method :deny?, :explicit_deny?
+  end
+end

data/lib/iron_hide/storage/file_adapter.rb

@@ -0,0 +1,71 @@
+module IronHide
+  class Storage
+    # @api private
+    class FileAdapter < AbstractAdapter
+      attr_reader :rules
+
+      def initialize
+        json = IronHide.json.each_with_object([]) do |files, ary|
+          Array(files).map do |file|
+            ary.concat(MultiJson.load(File.open(file).read, minify: true))
+          end
+        end
+        @rules = unfold(json)
+      rescue MultiJson::ParseError => e
+        raise IronHideError, "#{e.cause}: #{e.data}"
+      rescue => e
+        raise IronHideError, "Invalid or missing JSON file: #{e.to_s}"
+      end
+
+      def where(opts = {})
+        self[opts[:resource]][opts[:action]]
+      end
+
+      # Unfold the JSON definitions of the rules into a Hash with this structure:
+      # {
+      #   "com::test::TestResource" => {
+      #     "action" => [
+      #       { ... }, { ... }, { ... }
+      #     ]
+      #   }
+      # }
+      #
+      # @param json [Array<Hash>]
+      # @return [Hash]
+      def unfold(json)
+        json.inject(hash_of_hashes) do |rules, json_rule|
+          resource, actions = json_rule["resource"], json_rule["action"]
+          actions.each { |act| rules[resource][act] << json_rule }
+          rules
+        end
+      end
+
+      private
+
+      # Return a Hash with default value that is a Hash with default value of Array
+      # @return [Hash<Hash, Array>]
+      def hash_of_hashes
+        Hash.new { |h1,k1|
+          h1[k1] = Hash.new { |h,k| h[k] = [] }
+        }
+      end
+
+      # Implements an interface that makes selecting rules look like a Hash:
+      # @example
+      #   {
+      #     'com::test::TestResource' => {
+      #       'read' => [],
+      #       ...
+      #     }
+      #   }
+      #  adapter['com::test::TestResource']['read']
+      #  #=> [Array<Hash>]
+      #
+      # @param [Symbol] val
+      # @return [Array<Hash>] array of canonical JSON representation of rules
+      def [](val)
+        rules[val]
+      end
+    end
+  end
+end

data/lib/iron_hide/storage.rb

@@ -0,0 +1,37 @@
+# IronHide::Storage provides a common interface regardless of storage type
+# by implementing the Adapter pattern to decouple _how_ JSON
+#
+require 'multi_json'
+
+module IronHide
+  # @api private
+  class Storage
+
+    ADAPTERS = {
+      file: :FileAdapter
+    }
+
+    attr_reader :adapter
+
+    def initialize(adapter_type)
+      @adapter = self.class.const_get(ADAPTERS[adapter_type]).new
+    end
+
+    # @see AbstractAdapter#where
+    def where(opts = {})
+      adapter.where(opts)
+    end
+  end
+
+  # @abstract Subclass and override {#where} to implement an Adapter class
+  class AbstractAdapter
+
+    # @option opts [String] :resource *required*
+    # @option opts [String] :action *required*
+    def where(opts = {})
+      raise NotImplementedError
+    end
+  end
+end
+
+require 'iron_hide/storage/file_adapter'

data/lib/iron_hide/version.rb

@@ -0,0 +1,6 @@
+module IronHide
+  MAJOR = "0"
+  MINOR = "2"
+  BUILD = "1"
+  VERSION = [MAJOR, MINOR, BUILD].join(".")
+end

data/lib/iron_hide.rb

@@ -0,0 +1,91 @@
+module IronHide
+  # @raise [IronHide::AuthorizationError] if authorization fails
+  # @return [true] if authorization succeeds
+  #
+  def self.authorize!(user, action, resource)
+    unless can?(user, action, resource)
+      raise AuthorizationError
+    end
+    true
+  end
+
+  # @return [Boolean]
+  # @param user [Object]
+  # @param action [Symbol, String]
+  # @param resource [Object]
+  # @see IronHide::Rule::allow?
+  #
+  def self.can?(user, action, resource)
+    Rule.allow?(user, action.to_s, resource)
+  end
+
+  # Specify where to load rules from. This is specified in a config file
+  # @param type [:file] Specify the adapter type. Only json is supported
+  # for now
+  def self.adapter=(type)
+    @adapter_type = type
+  end
+
+  def self.adapter
+    @adapter_type
+  end
+
+  # Set the top-level namespace for the application's Rules
+  #
+  # @param val [String]
+  # @example
+  #   'com::myCompany::myProject'
+  def self.namespace=(val)
+    @namespace = val
+  end
+
+  # Default namespace is com::IronHide
+  #
+  # @return [String]
+  def self.namespace
+    @namespace || 'com::IronHide'
+  end
+
+  # Specify the file path for the JSON flat-file for rules
+  # Only applicable if using the JSON adapter
+  # @param files [String, Array<String>]
+  #
+  def self.json=(*files)
+    @json_files = files
+  end
+
+  # @return [Array<String>]
+  def self.json
+    @json_files
+  end
+
+  # @return [IronHide::Storage]
+  def self.storage
+    @storage ||= begin
+      if @adapter_type.nil?
+        raise IronHideError, "Storage adapter not defined"
+      end
+      IronHide::Storage.new(@adapter_type)
+    end
+  end
+
+  # Allow the module to be configurable from a config file
+  # See: {file:README.md}
+  # @yield [IronHide]
+  def self.config
+    yield self
+  end
+
+  # Resets internal state
+  #
+  # @return [void]
+  def self.reset
+    instance_variables.each { |i| instance_variable_set(i,nil) }
+  end
+end
+
+require "iron_hide/version"
+require 'iron_hide/errors'
+require 'iron_hide/rule'
+require 'iron_hide/condition'
+require 'iron_hide/storage'

metadata

@@ -0,0 +1,150 @@
+--- !ruby/object:Gem::Specification
+name: iron_hide
+version: !ruby/object:Gem::Version
+  version: 0.2.1
+platform: ruby
+authors:
+- Alan Cohen
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-04-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json_minify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A Ruby authorization library
+email:
+- acohen@climate.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/iron_hide.rb
+- lib/iron_hide/condition.rb
+- lib/iron_hide/errors.rb
+- lib/iron_hide/rule.rb
+- lib/iron_hide/storage.rb
+- lib/iron_hide/storage/file_adapter.rb
+- lib/iron_hide/version.rb
+homepage: http://github.com/TheClimateCorporation/iron_hide
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Describe your authorization rules with JSON
+test_files: []
+has_rdoc: