RubyGems - ixtlan-guard - Versions diffs - 0.1.0 → 0.4.0 - Mend

ixtlan-guard 0.1.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

data/lib/ixtlan/guard/controllers/permissions_controller.rb ADDED Viewed

@@ -0,0 +1,41 @@
+module Ixtlan
+  module Guard
+    module Controllers
+      module PermissionsController
+        # GET /permissions
+        # GET /permissions.xml
+        # GET /permissions.json
+        def index
+          respond_to do |format|
+            format.html
+            format.xml  { render :xml => guard.permissions(self).to_xml }
+            format.json  { render :json => guard.permissions(self).to_json }
+          end
+        end
+        # GET /permissions/1
+        # GET /permissions/1.xml
+        # GET /permissions/1.json
+        def show
+          controller = Object.new
+          def controller.current_user(u = nil)
+            @u = u if u
+            @u
+          end
+          if defined? ::DataMapper
+            controller.current_user(current_user.class.get(params[:id]))
+          else
+            controller.current_user(current_user.class.find(params[:id]))
+          end
+          respond_to do |format|
+            format.html
+            format.xml  { render :xml => guard.permissions(controller).to_xml }
+            format.json  { render :json => guard.permissions(controller).to_json }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/guard.rb ADDED Viewed

@@ -0,0 +1,245 @@
+module Ixtlan
+  module Guard
+    class ControllerGuard
+      attr_accessor :name, :action_map, :aliases, :flavor
+      def initialize(name)
+        @name = name.sub(/_guard$/, '').to_sym
+        class_name = name.split(/\//).collect { |part| part.split("_").each { |pp| pp.capitalize! }.join }.join("::")
+        Object.const_get(class_name).new(self)
+      end
+      def flavor=(flavor)
+        @flavor = flavor.to_sym
+      end
+      def name=(name)
+        @name = name.to_sym
+      end
+      def aliases=(map)
+        @aliases = symbolize(map)
+      end
+      def action_map=(map)
+        @action_map = symbolize(map)
+      end
+      private
+      def symbolize(h)
+        result = {}
+        h.each do |k, v|
+          if v.is_a?(Hash)
+            result[k.to_sym] = symbolize_keys(v) unless v.size == 0
+          elsif v.is_a?(Array)
+            val = []
+            v.each {|vv| val << vv.to_sym }
+            result[k.to_sym] = val
+          else
+            result[k.to_sym] = v.to_sym
+          end
+        end
+        result
+      end
+    end
+    class Guard
+      attr_accessor :logger, :guard_dir, :superuser, :groups_of_current_user
+      def initialize(options, &block)
+        @superuser = (options[:superuser] || :root).to_sym
+        @guard_dir = options[:guard_dir] || File.join("app", "guards")
+        @user_groups = (options[:user_groups] || :groups).to_sym
+        @user_groups_name = (options[:user_groups_name] || :name).to_sym
+        @map = {}
+        @aliases = {}
+        @flavor_map = {}
+        @groups_of_current_user =
+          if block
+            block
+          else
+            Proc.new do |controller|
+              # get the groups of the current_user
+              user = controller.send(:current_user) if controller.respond_to?(:current_user)
+              if user
+                (user.send(@user_groups) || []).collect do |group|
+                  name = group.send(@user_groups_name)
+                  name.to_sym if name
+                end
+              end
+            end
+          end
+      end
+      def logger
+        @logger ||= if defined?(Slf4r::LoggerFactory)
+                      Slf4r::LoggerFactory.new(Ixtlan::Guard)
+                    else
+                      require 'logger'
+                      Logger.new(STDOUT)
+                    end
+      end
+      def setup
+        if File.exists?(@guard_dir)
+          Dir.new(guard_dir).to_a.each do |f|
+            if f.match(".rb$")
+              require(File.join(guard_dir, f))
+              controller_guard = ControllerGuard.new(f.sub(/.rb$/, ''))
+              register(controller_guard)
+            end
+          end
+          logger.debug("initialized guard . . .")
+        else
+          raise GuardException.new("guard directory #{guard_dir} not found, skip loading")
+        end
+      end
+      private
+      def register(controller_guard)
+        msg = (controller_guard.aliases || {}).collect {|k,v| "\n\t#{k} == #{v}"} + controller_guard.action_map.collect{ |k,v| "\n\t#{k} => [#{v.join(',')}]"}
+        logger.debug("#{controller_guard.name} guard: #{msg}")
+        @map[controller_guard.name] = controller_guard.action_map
+        @aliases[controller_guard.name] = controller_guard.aliases || {}
+        @flavor_map[controller_guard.name] = controller_guard.flavor if controller_guard.flavor
+      end
+      public
+      def flavor(controller)
+        @flavor_map[controller.params[:controller].to_sym]
+      end
+      def block_groups(groups)
+        @blocked_groups = (groups || []).collect { |g| g.to_sym}
+        @blocked_groups.delete(@superuser)
+        @blocked_groups
+      end
+      def blocked_groups
+        @blocked_groups ||= []
+      end
+      def current_user_restricted?(controller)
+        groups =  @groups_of_current_user.call(controller)
+        if groups
+          #        groups.select { |g| !blocked_groups.member?(g.to_sym) }.size < groups.size
+          (groups - blocked_groups).size < groups.size
+        else
+          nil
+        end
+      end
+      def permissions(controller)
+        groups = (@groups_of_current_user.call(controller) || []).collect do
+          |g| g.to_sym
+        end
+        map = {}
+        @map.each do |resource, action_map|
+          action_map.each do |action, allowed|
+            if allowed.member? :*
+              allowed = groups.dup
+            end
+            allowed << @superuser unless allowed.member? @superuser
+            # intersection of allowed and groups empty ?
+            if (allowed - groups).size < allowed.size
+              permission = (map[resource] ||= {})
+              permission[:resource] = resource
+              actions = (permission[:actions] ||= [])
+              action_node = {:name => action}
+              flavors.each do |flavor, block|
+                flavor_list = []
+                (allowed - (allowed - groups)).each do |group|
+                  list = block.call(controller, group)
+                  # union - no duplicates
+                  flavor_list = flavor_list - list + list
+                end
+                action_node[flavor.to_s.sub(/s$/, '') + "s"] = flavor_list if flavor_list.size > 0
+              end
+              actions << action_node
+              actions << @aliases[resource][action] if @aliases[resource][action]
+            end
+          end
+        end
+        result = map.values
+        result.class_eval "alias :to_x :to_xml" unless map.respond_to? :to_x
+        def result.to_xml(options = {}, &block)
+          options[:root] = :permissions unless options[:root]
+          to_x(options, &block)
+        end
+        def result.to_json(options = {}, &block)
+          {:permissions => self}.to_json(options, &block)
+        end
+        result
+      end
+      def flavors
+        @flavors ||= {}
+      end
+      def register_flavor(flavor, &block)
+        flavors[flavor.to_sym] = block
+      end
+      def check(controller, resource, action, flavor_selector = nil, &block)
+        resource = resource.to_sym
+        action = action.to_sym
+        groups =  @groups_of_current_user.call(controller)
+        if groups.nil?
+          logger.debug("check #{resource}##{action}: not authenticated")
+          return false
+        end
+        if (@map.key? resource)
+          action = @aliases[resource][action] || action
+          allowed = @map[resource][action]
+          if (allowed.nil?)
+            logger.warn("unknown action '#{action}' for controller '#{resource}'")
+            raise ::Ixtlan::Guard::GuardException.new("unknown action '#{action}' for controller '#{resource}'")
+          else
+            allowed << @superuser unless allowed.member? @superuser
+            allow_all_groups = allowed.member?(:*)
+            if(allow_all_groups && block.nil?)
+              logger.debug("check #{resource}##{action}: allowed for all")
+              return true
+            else
+              groups.each do |group|
+                if (allow_all_groups || allowed.member?(group.to_sym)) && !blocked_groups.member?(group.to_sym)
+                  flavor_for_resource = flavors[@flavor_map[resource]]
+                  if block.nil?
+                    if(flavor_for_resource && flavor_for_resource.call(controller, group).member?(flavor_selector.to_s) || flavor_for_resource.nil?)
+                      logger.debug("check #{resource}##{action}: true")
+                      return true
+                    end
+                  elsif block.call(group)
+                    logger.debug("check #{resource}##{action}: true")
+                    return true
+                  end
+                end
+              end
+            end
+            logger.debug("check #{resource}##{action}: false")
+            return false
+          end
+        else
+          logger.warn("unknown controller for '#{resource}'")
+          raise ::Ixtlan::Guard::GuardException.new("unknown controller for '#{resource}'")
+        end
+      end
+    end
+    class GuardException < Exception; end
+    class PermissionDenied < GuardException; end
+  end
+end

data/lib/ixtlan/guard/models/maintenance.rb ADDED Viewed

@@ -0,0 +1,55 @@
+unless String.respond_to? "plural"
+  class String
+    def plural
+      self + "s"
+    end
+  end
+end
+module Ixtlan
+  module SerializableModel
+    def self.included(model)
+      model.send :include, ActiveModel::Serializers::JSON
+      model.send :include, ActiveModel::Serializers::Xml
+    end
+    def attributes=(attributes)
+      attributes.each do |k, v|
+        if k == k.plural
+          v = case v
+              when String
+                [v]
+              when Array
+                v
+              when Hash
+                v.values.flatten
+              end
+        end
+        send("#{k}=", v)
+      end
+    end
+    def attributes
+      map = instance_variables.collect do |name|
+        [name[1,1000], send(name[1,1000].to_sym)]
+      end.reject do |x|
+        x[1] == nil
+      end
+      Hash[map]
+    end
+  end
+end
+module Ixtlan
+  module Guard
+    module Models
+      class Maintenance
+        include Ixtlan::SerializableModel
+        attr_accessor :groups
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/models/user_update_manager.rb ADDED Viewed

@@ -0,0 +1,95 @@
+module Ixtlan
+  module Guard
+    module Models
+      class UserUpdateManager
+        def initialize(options)
+          @group_model = options[:group_model]
+          @user_id = options[:user_id].to_sym
+          @plural_group_name = options[:plural_group_name].to_sym
+          @group_id = options[:group_id].to_sym
+          @group_ids = "#{options[:group_id]}s"
+        end
+        def update_groups(user, params = [])
+          allowed_ids = user.current_user.all_groups.collect { |g| g.id.to_s }
+          group_ids = params[@group_ids] || []
+          group_ids = intersect(group_ids, allowed_ids)
+          current_ids = user.send(@plural_group_name).collect { |g| g.id.to_s }
+          current_ids = intersect(current_ids, allowed_ids)
+          # add
+          (group_ids - current_ids).each do |gid|
+            user.send(@plural_group_name) << @group_model.find(gid)
+          end
+          #delete
+          (current_ids - group_ids).each do |gid|
+            user.groups.delete(@group_model.find(gid))
+          end
+          user.save
+        end
+        def update(user, params = {}, options = {})
+          raise "no user" unless user
+          user.current_user = params.delete("current_user") || params.delete(:current_user) unless user.current_user
+          raise "'current_user' not set" unless user.current_user
+          flavor_id = options[:flavor_id].to_sym
+          flavor_ids = "#{options[:flavor_id]}s"
+          association_model = options[:association_model]
+          retrieve_flavors_method = options[:flavors_for_group].to_sym
+          allowed_ids = user.current_user.send(retrieve_flavors_method, @group_model.admin_group).collect {|i| i.id }
+          allowed_group_ids = user.current_user.all_groups.collect { |g| g.id.to_s }
+          group_ids = params[@group_ids] || []
+          group_ids = intersect(group_ids, allowed_group_ids)
+          group_ids.each do |gid|
+            g = @group_model.find(gid)
+            # calculate intersection of current and allowed
+            current_ids = user.send(retrieve_flavors_method, gid.to_i).collect { |d| d.id }
+            current_ids = intersect(current_ids, allowed_ids)
+            # calculate intersection of target and allowed
+            target_ids = ((params.delete(g.to_name) || {})[flavor_ids] || []).collect { |i| i.to_i }
+            target_ids = intersect(target_ids, allowed_ids)
+            # delete
+            (current_ids - target_ids).each do |id|
+              return false unless association_model.delete_all(["user_id=? and group_id=? and #{flavor_id}=?", user.id, gid, id])
+            end
+            # add
+            (target_ids - current_ids).each do |id|
+              return false unless association_model.create(@user_id => user.id, @group_id => gid, flavor_id => id)
+            end
+          end
+          true
+        end
+        def managed_flavors_for_group(user, group_or_id, options)
+          retrieve_flavors_method = options[:flavors_for_group].to_sym
+          group = @group_model.get(group_or_id)
+          if group.root?
+            []
+          else
+            existing = user.send(retrieve_flavors_method, group)
+            managed = user.send(retrieve_flavors_method, @group_model.admin_group)
+            intersect(managed, existing)
+          end
+        end
+        private
+        def intersect(set1, set2)
+          set1 - (set1 - set2)
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/rails_integration.rb ADDED Viewed

@@ -0,0 +1,88 @@
+require 'ixtlan/guard'
+module Ixtlan
+  module ActionController #:nodoc:
+    module Guard #:nodoc:
+      def self.included(base)
+        base.send(:include, InstanceMethods)
+      end
+      module InstanceMethods #:nodoc:
+        protected
+        def guard
+          Rails.application.config.guard
+        end
+        def authorization(flavor = nil, &block)
+          if flavor.nil?
+            flavor = guard.flavor(self)
+            if flavor
+              method = "#{flavor}_authorization".to_sym
+              if self.respond_to?(method)
+                return send "#{flavor}_authorization".to_sym, &block
+              else
+                logger.warn "flavor #{flavor} configured in guard, but there is not method '#{method}'"
+                flavor = nil
+              end
+            end
+          end
+          resource_authorization(params[:controller], params[:action], flavor, &block)
+        end
+        def resource_authorization(resource, action, flavor = nil, &block)
+          unless guard.check(self,
+                             resource,
+                             action,
+                             &flavored_block(flavor, &block))
+            raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{resource}##{action}'")
+          end
+          true
+        end
+        def flavored_block(flavor = nil, &block)
+          if block
+            if flavor
+              Proc.new do |group|
+                allowed_flavors = guard.flavors[flavor.to_sym].call(self, group)
+                block.call(allowed_flavors)
+              end
+            else
+              block
+            end
+          end
+        end
+        private :flavored_block
+        def allowed?(action, flavor = nil, &block)
+          guard.check(self,
+                      params[:controller],
+                      action,
+                      &flavored_block(flavor, &block))
+        end
+      end
+    end
+  end
+  module Allowed #:nodoc:
+    # Inclusion hook to make #allowed available as method
+    def self.included(base)
+      base.send(:include, InstanceMethods)
+    end
+    module InstanceMethods #:nodoc:
+      def allowed?(resource, action, flavor_selector = nil, &block)
+        controller.send(:guard).check(controller, resource, action, flavor_selector, &block)
+      end
+    end
+  end
+end
+ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
+ActionController::Base.send(:before_filter, :authorization)
+ActionView::Base.send(:include, Ixtlan::Allowed)
+module Erector
+  class Widget
+    include Ixtlan::Allowed
+  end
+end