isomorfeus-policy 1.0.0.zeta18 → 1.0.0.zeta19

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1aee4c32cad717298123ce27886105547501788f19e2bacea4f71254c4422cca
-  data.tar.gz: 7808e6bf4fab3edf94262cb974c07a79dc69abbcc27662521c0226acd93ac3ce
+  metadata.gz: 74830e3a06aa9d24c2f8df1f0e10b8f0a9f69526559e1cccafc9f2e746bf495d
+  data.tar.gz: 2098b84f1bbca4c2b1dec9b68d4b5d377d2eff263477a86b2ccab224700cd0b0
 SHA512:
-  metadata.gz: dbf069935d16daf5eb8dae88d046c0d99e745a491a6ec3564e8c176977d2817e0ce731fc4b166a75e7be3897ab949d954b504d4207797273d912474403da7f67
-  data.tar.gz: 45c97d99ed4d297daada432ba75cbf32896b818568eee4c8b8977266cc0a438d0192ecc9258f211340f848a533f1b5b59d3e8880bea352f3fd44eab0c64f3393
+  metadata.gz: bedbf94292cd24c0056571f10fa1b0604ac77cd321380533af70dff8372496d8539eac27883a2c42606e7065a1cee67b1fa16d8d117b3dd8e43f2b3eebf81d0d
+  data.tar.gz: c4804f473e8e9ca14c812af6e7e8619f1d208c4eb5c5cda33830868b425e5566cba2c2adf8ec8d892734e62c17a99772ade9fd9dcac2763782c4c3bf8f368acf

data/README.md

@@ -12,7 +12,7 @@ Policy is enforced on the server, however, the same policy rules are also availa
 
 Everything that is not explicitly allowed somewhere is denied.
 
-Place the policy file in your projects `isomorfeus/policies`.
+Place the policy files in your projects `isomorfeus/policies`.
 
 Any class that would like to authorize for accessing a resource needs to include the `LucidAuthorization::Mixin` 
 or inherit from `LucidAuthorization::Base`. Example:
@@ -26,34 +26,63 @@ Any instance of that class then has the following methods available:
 - `authorized?(target_class, method_name, props)` - returning true or false
 - `authorized!(target_class, method_name, props)` - raising a exception if access is denied, otherwise returning true
 
-These methods, when called, look for a Policy class. The Policy classs must be named after the user class plus the word 'Policy'.
+These methods, when called, look for a Policy class. The Policy class must be named after the user class plus the word 'Policy'.
 Example:
 
 For a class `MyUser` the policy class must be `MyUserPolicy`.
 
+### Simple Rules
 Example Policy:
 ```ruby
-  class MyUserPolicy < LucidPolicy::Base
-
-    allow BlaBlaGraph, :load
-
-    deny BlaGraph, SuperOperation
-
-    deny others # or: allow others
+class MyUserPolicy < LucidPolicy::Base
+  # allow access to all methods of a class
+  allow BlaBlaGraph
+  # class names can be given as strings which benefits autoload performance as the class can be loaded later on
+  allow 'BlaBlaGraph' 
+
+  # allow access to all methods of multiple classes
+  allow BlaBlaGraph, BlaComposition
+  
+  # allow access to a single method of a class 
+  allow BlaBlaGraph, :load
+
+  # or allow multiple methods of a class
+  allow BlaBlaGraph, :load, :save
+
+  # deny access to all methods of multiple classes
+  deny BlaGraph, SuperOperation
+    
+  deny others # or: allow others
+    
+  # in a otherwise empty policy the following can be used too: 
+  # allow all
+  # deny all
+    
+  # further conditions can be used
+  allow BlaBlaGraph, :member_feature, only_if: :registered?
+    # this will call the method registered? on the user instance. The method must return a boolean.  
+    # permission is granted if the method returned true
+    # method name must be given as symbol 
+    # other versions: 
+    allow BlaBlaGraph, :member_feature, if: :registered?
+    
+  allow BlaBlaGraph, :public_feature, only_if_not: :registered? 
+    # this will call the method registered? on the user instance. The method must return a boolean.  
+    # permission is granted if the method returned false
+    # method name must be given as symbol
+    # other versions: 
+    allow BlaBlaGraph, :member_feature, only_unless: :registered?
+    allow BlaBlaGraph, :member_feature, unless: :registered? 
+    allow BlaBlaGraph, :member_feature, if_not: :registered?
    
-    # in a otherwise empty policy the following can be used too: 
-    # allow all
-    # deny all
-
-    with_condition do |user_instance, target_class, target_method, props|
-       user_instance.class == AdminRole
-    end
-
-    refine BlaGraph, :load, :count do |user_instance, target_class, target_method, props|
-      allow if user_instance.verified?
-      deny
-    end
-  end
+  # a block can be passed directly to a rules condition
+  allow BlaBlaGraph, :member_feature, if: proc { |user, props| user.registered? }
+  # permission is granted if the block returns true
+  
+  # similar for deny, though:
+  deny BlaBlaGraph, :member_feature, if: proc { |user, props| !user.registered? }
+  # permission is denied if the block returns true
+end
 ```
 and then any of:
 ```ruby
@@ -68,3 +97,59 @@ user.authorized!(target_class, target_method)
 user.authorized!(target_class, target_method, *props)
 ```
 which will raise a LucidPolicy::Exception unless authorized
+
+### Custom Rules
+Besides calling methods or executing blocks from allow or deny, custom rules can be defined. Example:
+```ruby
+class MyUserPolicy < LucidPolicy::Base
+  rule BlaGraph, :load, :count do |user, target_class, target_method, props|
+    allow if user.verified?
+    allow if user.admin?
+    deny
+  end
+end
+```
+Within the rule block the `allow` and `deny` methods must be used to allow or deny access.
+They accept no arguments. Within the block the default is to deny, so any matching allow wins.
+
+### Combining Policies
+Policies can be combined. Across policies, the first Policy rule that permits access wins.
+The local policy is considered first, then the other policies.
+If the local policy allows, then the other policies are not considered.
+If the local policy has a `allow all` or a `allow others` rule, then there is a good chance the other policies are never considered. 
+The recommended default rule for combined policies is `deny others`. 
+
+Given a:
+```ruby
+  class AdminRolePolicy < LucidPolicy::Base
+    rule BlaGraph, :load, :count do |user, target_class, target_method, props|
+      allow if user.verified?
+      deny
+    end
+  end
+```
+another policy can include the rules. Example:
+```ruby
+class MyUserPolicy < LucidPolicy::Base
+  combine_with AdminRolePolicy
+
+  # conditions as for allow and deny can be used too
+  combine_with AdminRolePolicy, if: :admin?
+    # this will call the method admin? on the user instance. The method must return a boolean.  
+    # this will execute the AdminRolePolicy rules only if the method returned true
+    # method name must be given as symbol 
+ 
+  combine_with AdminRolePolicy, if_not: :normal_guy? 
+    # this will call the method normal_guy?? on the user instance. The method must return a boolean.  
+    # this will execute the AdminRolePolicy rules only if the method returned false
+    # method name must be given as symbol
+    # other versions: 
+    combine_with AdminRolePolicy, unless: :normal_guy?
+
+  # a block can be passed directly to a rules condition
+  combine_with AdminRolePolicy, if: proc { |user| user.admin? }
+  # this will execute the AdminRolePolicy rules only if the condition block returns true 
+
+  deny others
+end
+```

data/lib/isomorfeus/policy/version.rb

@@ -1,5 +1,5 @@
 module Isomorfeus
   module Policy
-    VERSION = '1.0.0.zeta18'
+    VERSION = '1.0.0.zeta19'
   end
 end

data/lib/isomorfeus_policy/lucid_authorization/mixin.rb

@@ -9,7 +9,7 @@ module LucidAuthorization
         policy_class = nil
       end
       return false unless policy_class
-      policy_class.new(self).authorized?(target_class, target_method, props = nil)
+      policy_class.new(self).authorized?(target_class, target_method, props)
     end
 
     def authorized!(target_class, target_method = nil, props = nil)
@@ -17,7 +17,7 @@ module LucidAuthorization
       class_name = class_name.split('>::').last if class_name.start_with?('#<')
       policy_class = Isomorfeus.cached_policy_class("#{class_name}Policy")
       Isomorfeus.raise_error(error_class: LucidPolicy::Exception, message: "#{self}: policy class #{class_name}Policy not found!") unless policy_class
-      policy_class.new(self).authorized!(target_class, target_method, props = nil)
+      policy_class.new(self).authorized!(target_class, target_method, props)
     end
   end
 end

data/lib/isomorfeus_policy/lucid_policy/exception.rb

@@ -1,4 +1,4 @@
 module LucidPolicy
-  class Exception < Exception
+  class Exception < ::Exception
   end
-end
+end

data/lib/isomorfeus_policy/lucid_policy/helper.rb

@@ -3,16 +3,15 @@ module LucidPolicy
     attr_reader :result
 
     def initialize
-      @result= nil
+      @result = :deny
     end
 
     def allow
-      @result = :allow if @result.nil?
+      @result = :allow
       nil
     end
 
     def deny
-      @result = :deny if @result.nil?
       nil
     end
   end

data/lib/isomorfeus_policy/lucid_policy/mixin.rb

@@ -7,74 +7,75 @@ module LucidPolicy
         end
 
         def authorization_rules
-          @authorization_rules ||= { classes: {}, conditions: [], others: :deny }
+          @authorization_rules ||= { rules: {}.dup, policies: {}.dup, others: :deny }.dup
         end
 
         def all
           :others
         end
 
-        def allow(*classes_and_methods)
-          _raise_allow_deny_first if @refine_used
-          @allow_deny_used = true
-          _allow_or_deny(:allow, *classes_and_methods)
+        def allow(*classes_and_methods_and_options)
+          _allow_or_deny(:allow, *classes_and_methods_and_options)
         end
 
-        def deny(*classes_and_methods)
-          _raise_allow_deny_first if @refine_used
-          @allow_deny_used = true
-          _allow_or_deny(:deny, *classes_and_methods)
+        def deny(*classes_and_methods_and_options)
+          _allow_or_deny(:deny, *classes_and_methods_and_options)
         end
 
         def others
           :others
         end
 
-        def refine(*classes_and_methods, &block)
-          _raise_allow_deny_first unless @allow_deny_used
-          @refine_used = true
-          _allow_or_deny(nil, *classes_and_methods, &block)
+        def rule(*classes_and_methods, &block)
+          _allow_or_deny(:rule, *classes_and_methods, &block)
         end
 
-        def with_condition(&block)
-          authorization_rules[:conditions] << block
+        def combine_with(policy_class, **options)
+          authorization_rules[:policies] = { policy_class => options }
         end
 
         private
 
-        def _raise_allow_deny_first
-          Isomorfeus.raise_error(error_class: LucidPolicy::Exception, message: "#{self}: 'allow' or 'deny' must appear before 'refine'")
-        end
+        def _allow_or_deny(thing, *classes_methods_options, &block)
+          rules = authorization_rules
 
-        def _allow_or_deny(allow_or_deny, *classes_and_methods, &block)
-          rules              = authorization_rules
-          allow_or_deny_or_block = block_given? ? block : allow_or_deny.to_sym
+          if %i[allow deny].include?(thing) && classes_methods_options.first == :others
+            rules[:others] = thing
+            return
+          end
 
           target_classes = []
           target_methods = []
+          target_options = {}
 
-          if classes_and_methods.first == :others
-            rules[:others] = allow_or_deny_or_block
-            return
-          end
-
-          classes_and_methods.each do |class_or_method|
-            if (class_or_method.class == String || class_or_method.class == Symbol) && class_or_method.to_s[0].downcase == class_or_method.to_s[0]
-              target_methods << class_or_method.to_sym
+          classes_methods_options.each do |class_method_option|
+            if class_method_option.class == Hash
+              target_options = class_method_option
             else
-              target_classes << class_or_method
+              class_or_method_s = class_method_option.to_s
+              if class_method_option.class == Symbol && class_or_method_s[0].downcase == class_or_method_s[0]
+                target_methods << class_method_option
+              else
+                class_method_option = class_method_option.to_s unless class_method_option.class == String
+                target_classes << class_method_option
+              end
             end
           end
 
+          thing_or_block = block_given? ? block : thing
+
           target_classes.each do |target_class|
-            rules[:classes][target_class] = {} unless rules[:classes].key?(target_class)
-            if allow_or_deny && target_methods.empty?
-              rules[:classes][target_class][:default] = allow_or_deny_or_block
+            rules[:rules][target_class] = {} unless rules[:rules].key?(target_class)
+
+            if target_methods.empty?
+              rules[:rules][target_class][:rule] = thing_or_block
+              rules[:rules][target_class][:options] = target_options unless target_options.empty?
             else
-              rules[:classes][target_class][:default] = :deny unless rules[:classes][target_class].key?(:default)
-              rules[:classes][target_class][:methods] = {} unless rules[:classes][target_class].key?(:methods)
+              rules[:rules][target_class][:rule] = :deny unless rules[:rules][target_class].key?(:rule)
+              rules[:rules][target_class][:methods] = {} unless rules[:rules][target_class].key?(:methods)
               target_methods.each do |target_method|
-                rules[:classes][target_class][:methods][target_method] = allow_or_deny_or_block
+                rules[:rules][target_class][:methods][target_method] = { rule: thing_or_block }
+                rules[:rules][target_class][:methods][target_method][:options] = target_options unless target_options.empty?
               end
             end
           end
@@ -87,35 +88,50 @@ module LucidPolicy
 
       def authorized?(target_class, target_method = nil, props = nil)
         Isomorfeus.raise_error(error_class: LucidPolicy::Exception, message: "#{self}: At least the class must be given!") unless target_class
-        result = :deny
-
-        rules = self.class.authorization_rules
-
-        props = LucidProps.new(props) unless props.class == LucidProps
-
-        condition_result = true
-        rules[:conditions].each do |condition|
-          condition_result = condition.call(@object, target_class, target_method, props, &condition)
-          break unless condition_result == true
-        end
 
-        if condition_result == true
-          result = if rules[:classes].key?(target_class)
-                     if target_method && rules[:classes][target_class].key?(:methods) &&
-                       rules[:classes][target_class][:methods].key?(target_method)
-                       rules[:classes][target_class][:methods][target_method]
-                     else
-                       rules[:classes][target_class][:default]
-                     end
-                   else
-                     rules[:others]
-                   end
-
-          if result.class == Proc
-            policy_helper = LucidPolicy::Helper.new
-            policy_helper.instance_exec(@object, target_class, target_method, props, &result)
-            result = policy_helper.result
+        target_class = target_class.to_s unless target_class.class == String
+
+        rules  =  self.class.authorization_rules
+
+        result =  if rules[:rules].key?(target_class)
+                    if target_method && rules[:rules][target_class].key?(:methods) && rules[:rules][target_class][:methods].key?(target_method)
+                      options = rules[:rules][target_class][:methods][target_method][:options]
+                      rule = rules[:rules][target_class][:methods][target_method][:rule]
+                    else
+                      options = rules[:rules][target_class][:options]
+                      rule = rules[:rules][target_class][:rule]
+                    end
+
+                    if rule.class == Symbol
+                      if options
+                        condition, method_result = __get_condition_and_result(options)
+                        rule if (condition == :if && method_result == true) || (condition == :if_not && method_result == false)
+                      else
+                        rule
+                      end
+                    else
+                      props = LucidProps.new(props) unless props.class == LucidProps
+                      policy_helper = LucidPolicy::Helper.new
+                      policy_helper.instance_exec(@object, target_class, target_method, props, &rule)
+                      policy_helper.result
+                    end
+                  else
+                    rules[:others]
+                  end
+
+        return true if result == :allow
+
+        rules[:policies].each do |policy_class, options|
+          combined_policy_result = nil
+          if options.empty?
+            combined_policy_result = policy_class.new(@object).authorized?(target_class, target_method, props)
+          else
+            condition, method_result = __get_condition_and_result(options)
+            if (condition == :if && method_result == true) || (condition == :if_not && method_result == false)
+              combined_policy_result = policy_class.new(@object).authorized?(target_class, target_method, props)
+            end
           end
+          return true if combined_policy_result == true
         end
 
         result == :allow ? true : false
@@ -125,6 +141,29 @@ module LucidPolicy
         return true if authorized?(target_class, target_method, props)
         Isomorfeus.raise_error(error_class: LucidPolicy::Exception, message: "#{@object}: not authorized to call #{target_class}.#{target_method}(#{props})!")
       end
+
+      private
+
+      def __get_condition_and_result(options)
+        condition = nil
+        method_name_or_block = if options.key?(:if)
+                                 condition = :if
+                                 options[:if]
+                               elsif options.key?(:if_not)
+                                 condition = :if_not
+                                 options[:if_not]
+                               elsif options.key?(:unless)
+                                 condition = :if_not
+                                 options[:unless]
+                               end
+        method_result = if method_name_or_block && method_name_or_block.class == Symbol
+                          @object.__send__(method_name_or_block)
+                        else
+                          props = LucidProps.new(props) unless props.class == LucidProps
+                          method_name_or_block.call(@object, props)
+                        end
+        [condition, method_result]
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: isomorfeus-policy
 version: !ruby/object:Gem::Version
-  version: 1.0.0.zeta18
+  version: 1.0.0.zeta19
 platform: ruby
 authors:
 - Jan Biedermann
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-14 00:00:00.000000000 Z
+date: 2020-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: opal
@@ -30,42 +30,42 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 16.12.18
+        version: 16.12.20
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 16.12.18
+        version: 16.12.20
 - !ruby/object:Gem::Dependency
   name: isomorfeus-redux
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.17
+        version: 4.0.18
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.17
+        version: 4.0.18
 - !ruby/object:Gem::Dependency
   name: isomorfeus
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.0.zeta18
+        version: 1.0.0.zeta19
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.0.zeta18
+        version: 1.0.0.zeta19
 - !ruby/object:Gem::Dependency
   name: opal-webpack-loader
   requirement: !ruby/object:Gem::Requirement