RubyGems - ixtlan-guard - Versions diffs - 0.1.0 → 0.4.0 - Mend

ixtlan-guard 0.1.0 → 0.4.0

Files changed (44) hide show

data/lib/ixtlan/guard/controllers/permissions_controller.rb ADDED Viewed

@@ -0,0 +1,41 @@
+module Ixtlan
+  module Guard
+    module Controllers
+      module PermissionsController
+        # GET /permissions
+        # GET /permissions.xml
+        # GET /permissions.json
+        def index
+          respond_to do |format|
+            format.html
+            format.xml  { render :xml => guard.permissions(self).to_xml }
+            format.json  { render :json => guard.permissions(self).to_json }
+          end
+        end
+        # GET /permissions/1
+        # GET /permissions/1.xml
+        # GET /permissions/1.json
+        def show
+          controller = Object.new
+          def controller.current_user(u = nil)
+            @u = u if u
+            @u
+          end
+          if defined? ::DataMapper
+            controller.current_user(current_user.class.get(params[:id]))
+          else
+            controller.current_user(current_user.class.find(params[:id]))
+          end
+          respond_to do |format|
+            format.html
+            format.xml  { render :xml => guard.permissions(controller).to_xml }
+            format.json  { render :json => guard.permissions(controller).to_json }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/guard.rb ADDED Viewed

@@ -0,0 +1,245 @@
+module Ixtlan
+  module Guard
+    class ControllerGuard
+      attr_accessor :name, :action_map, :aliases, :flavor
+      def initialize(name)
+        @name = name.sub(/_guard$/, '').to_sym
+        class_name = name.split(/\//).collect { |part| part.split("_").each { |pp| pp.capitalize! }.join }.join("::")
+        Object.const_get(class_name).new(self)
+      end
+      def flavor=(flavor)
+        @flavor = flavor.to_sym
+      end
+      def name=(name)
+        @name = name.to_sym
+      end
+      def aliases=(map)
+        @aliases = symbolize(map)
+      end
+      def action_map=(map)
+        @action_map = symbolize(map)
+      end
+      private
+      def symbolize(h)
+        result = {}
+        h.each do |k, v|
+          if v.is_a?(Hash)
+            result[k.to_sym] = symbolize_keys(v) unless v.size == 0
+          elsif v.is_a?(Array)
+            val = []
+            v.each {|vv| val << vv.to_sym }
+            result[k.to_sym] = val
+          else
+            result[k.to_sym] = v.to_sym
+          end
+        end
+        result
+      end
+    end
+    class Guard
+      attr_accessor :logger, :guard_dir, :superuser, :groups_of_current_user
+      def initialize(options, &block)
+        @superuser = (options[:superuser] || :root).to_sym
+        @guard_dir = options[:guard_dir] || File.join("app", "guards")
+        @user_groups = (options[:user_groups] || :groups).to_sym
+        @user_groups_name = (options[:user_groups_name] || :name).to_sym
+        @map = {}
+        @aliases = {}
+        @flavor_map = {}
+        @groups_of_current_user =
+          if block
+            block
+          else
+            Proc.new do |controller|
+              # get the groups of the current_user
+              user = controller.send(:current_user) if controller.respond_to?(:current_user)
+              if user
+                (user.send(@user_groups) || []).collect do |group|
+                  name = group.send(@user_groups_name)
+                  name.to_sym if name
+                end
+              end
+            end
+          end
+      end
+      def logger
+        @logger ||= if defined?(Slf4r::LoggerFactory)
+                      Slf4r::LoggerFactory.new(Ixtlan::Guard)
+                    else
+                      require 'logger'
+                      Logger.new(STDOUT)
+                    end
+      end
+      def setup
+        if File.exists?(@guard_dir)
+          Dir.new(guard_dir).to_a.each do |f|
+            if f.match(".rb$")
+              require(File.join(guard_dir, f))
+              controller_guard = ControllerGuard.new(f.sub(/.rb$/, ''))
+              register(controller_guard)
+            end
+          end
+          logger.debug("initialized guard . . .")
+        else
+          raise GuardException.new("guard directory #{guard_dir} not found, skip loading")
+        end
+      end
+      private
+      def register(controller_guard)
+        msg = (controller_guard.aliases || {}).collect {|k,v| "\n\t#{k} == #{v}"} + controller_guard.action_map.collect{ |k,v| "\n\t#{k} => [#{v.join(',')}]"}
+        logger.debug("#{controller_guard.name} guard: #{msg}")
+        @map[controller_guard.name] = controller_guard.action_map
+        @aliases[controller_guard.name] = controller_guard.aliases || {}
+        @flavor_map[controller_guard.name] = controller_guard.flavor if controller_guard.flavor
+      end
+      public
+      def flavor(controller)
+        @flavor_map[controller.params[:controller].to_sym]
+      end
+      def block_groups(groups)
+        @blocked_groups = (groups || []).collect { |g| g.to_sym}
+        @blocked_groups.delete(@superuser)
+        @blocked_groups
+      end
+      def blocked_groups
+        @blocked_groups ||= []
+      end
+      def current_user_restricted?(controller)
+        groups =  @groups_of_current_user.call(controller)
+        if groups
+          #        groups.select { |g| !blocked_groups.member?(g.to_sym) }.size < groups.size
+          (groups - blocked_groups).size < groups.size
+        else
+          nil
+        end
+      end
+      def permissions(controller)
+        groups = (@groups_of_current_user.call(controller) || []).collect do
+          |g| g.to_sym
+        end
+        map = {}
+        @map.each do |resource, action_map|
+          action_map.each do |action, allowed|
+            if allowed.member? :*
+              allowed = groups.dup
+            end
+            allowed << @superuser unless allowed.member? @superuser
+            # intersection of allowed and groups empty ?
+            if (allowed - groups).size < allowed.size
+              permission = (map[resource] ||= {})
+              permission[:resource] = resource
+              actions = (permission[:actions] ||= [])
+              action_node = {:name => action}
+              flavors.each do |flavor, block|
+                flavor_list = []
+                (allowed - (allowed - groups)).each do |group|
+                  list = block.call(controller, group)
+                  # union - no duplicates
+                  flavor_list = flavor_list - list + list
+                end
+                action_node[flavor.to_s.sub(/s$/, '') + "s"] = flavor_list if flavor_list.size > 0
+              end
+              actions << action_node
+              actions << @aliases[resource][action] if @aliases[resource][action]
+            end
+          end
+        end
+        result = map.values
+        result.class_eval "alias :to_x :to_xml" unless map.respond_to? :to_x
+        def result.to_xml(options = {}, &block)
+          options[:root] = :permissions unless options[:root]
+          to_x(options, &block)
+        end
+        def result.to_json(options = {}, &block)
+          {:permissions => self}.to_json(options, &block)
+        end
+        result
+      end
+      def flavors
+        @flavors ||= {}
+      end
+      def register_flavor(flavor, &block)
+        flavors[flavor.to_sym] = block
+      end
+      def check(controller, resource, action, flavor_selector = nil, &block)
+        resource = resource.to_sym
+        action = action.to_sym
+        groups =  @groups_of_current_user.call(controller)
+        if groups.nil?
+          logger.debug("check #{resource}##{action}: not authenticated")
+          return false
+        end
+        if (@map.key? resource)
+          action = @aliases[resource][action] || action
+          allowed = @map[resource][action]
+          if (allowed.nil?)
+            logger.warn("unknown action '#{action}' for controller '#{resource}'")
+            raise ::Ixtlan::Guard::GuardException.new("unknown action '#{action}' for controller '#{resource}'")
+          else
+            allowed << @superuser unless allowed.member? @superuser
+            allow_all_groups = allowed.member?(:*)
+            if(allow_all_groups && block.nil?)
+              logger.debug("check #{resource}##{action}: allowed for all")
+              return true
+            else
+              groups.each do |group|
+                if (allow_all_groups || allowed.member?(group.to_sym)) && !blocked_groups.member?(group.to_sym)
+                  flavor_for_resource = flavors[@flavor_map[resource]]
+                  if block.nil?
+                    if(flavor_for_resource && flavor_for_resource.call(controller, group).member?(flavor_selector.to_s) || flavor_for_resource.nil?)
+                      logger.debug("check #{resource}##{action}: true")
+                      return true
+                    end
+                  elsif block.call(group)
+                    logger.debug("check #{resource}##{action}: true")
+                    return true
+                  end
+                end
+              end
+            end
+            logger.debug("check #{resource}##{action}: false")
+            return false
+          end
+        else
+          logger.warn("unknown controller for '#{resource}'")
+          raise ::Ixtlan::Guard::GuardException.new("unknown controller for '#{resource}'")
+        end
+      end
+    end
+    class GuardException < Exception; end
+    class PermissionDenied < GuardException; end
+  end
+end

data/lib/ixtlan/guard/models/maintenance.rb ADDED Viewed

@@ -0,0 +1,55 @@
+unless String.respond_to? "plural"
+  class String
+    def plural
+      self + "s"
+    end
+  end
+end
+module Ixtlan
+  module SerializableModel
+    def self.included(model)
+      model.send :include, ActiveModel::Serializers::JSON
+      model.send :include, ActiveModel::Serializers::Xml
+    end
+    def attributes=(attributes)
+      attributes.each do |k, v|
+        if k == k.plural
+          v = case v
+              when String
+                [v]
+              when Array
+                v
+              when Hash
+                v.values.flatten
+              end
+        end
+        send("#{k}=", v)
+      end
+    end
+    def attributes
+      map = instance_variables.collect do |name|
+        [name[1,1000], send(name[1,1000].to_sym)]
+      end.reject do |x|
+        x[1] == nil
+      end
+      Hash[map]
+    end
+  end
+end
+module Ixtlan
+  module Guard
+    module Models
+      class Maintenance
+        include Ixtlan::SerializableModel
+        attr_accessor :groups
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/models/user_update_manager.rb ADDED Viewed

@@ -0,0 +1,95 @@
+module Ixtlan
+  module Guard
+    module Models
+      class UserUpdateManager
+        def initialize(options)
+          @group_model = options[:group_model]
+          @user_id = options[:user_id].to_sym
+          @plural_group_name = options[:plural_group_name].to_sym
+          @group_id = options[:group_id].to_sym
+          @group_ids = "#{options[:group_id]}s"
+        end
+        def update_groups(user, params = [])
+          allowed_ids = user.current_user.all_groups.collect { |g| g.id.to_s }
+          group_ids = params[@group_ids] || []
+          group_ids = intersect(group_ids, allowed_ids)
+          current_ids = user.send(@plural_group_name).collect { |g| g.id.to_s }
+          current_ids = intersect(current_ids, allowed_ids)
+          # add
+          (group_ids - current_ids).each do |gid|
+            user.send(@plural_group_name) << @group_model.find(gid)
+          end
+          #delete
+          (current_ids - group_ids).each do |gid|
+            user.groups.delete(@group_model.find(gid))
+          end
+          user.save
+        end
+        def update(user, params = {}, options = {})
+          raise "no user" unless user
+          user.current_user = params.delete("current_user") || params.delete(:current_user) unless user.current_user
+          raise "'current_user' not set" unless user.current_user
+          flavor_id = options[:flavor_id].to_sym
+          flavor_ids = "#{options[:flavor_id]}s"
+          association_model = options[:association_model]
+          retrieve_flavors_method = options[:flavors_for_group].to_sym
+          allowed_ids = user.current_user.send(retrieve_flavors_method, @group_model.admin_group).collect {|i| i.id }
+          allowed_group_ids = user.current_user.all_groups.collect { |g| g.id.to_s }
+          group_ids = params[@group_ids] || []
+          group_ids = intersect(group_ids, allowed_group_ids)
+          group_ids.each do |gid|
+            g = @group_model.find(gid)
+            # calculate intersection of current and allowed
+            current_ids = user.send(retrieve_flavors_method, gid.to_i).collect { |d| d.id }
+            current_ids = intersect(current_ids, allowed_ids)
+            # calculate intersection of target and allowed
+            target_ids = ((params.delete(g.to_name) || {})[flavor_ids] || []).collect { |i| i.to_i }
+            target_ids = intersect(target_ids, allowed_ids)
+            # delete
+            (current_ids - target_ids).each do |id|
+              return false unless association_model.delete_all(["user_id=? and group_id=? and #{flavor_id}=?", user.id, gid, id])
+            end
+            # add
+            (target_ids - current_ids).each do |id|
+              return false unless association_model.create(@user_id => user.id, @group_id => gid, flavor_id => id)
+            end
+          end
+          true
+        end
+        def managed_flavors_for_group(user, group_or_id, options)
+          retrieve_flavors_method = options[:flavors_for_group].to_sym
+          group = @group_model.get(group_or_id)
+          if group.root?
+            []
+          else
+            existing = user.send(retrieve_flavors_method, group)
+            managed = user.send(retrieve_flavors_method, @group_model.admin_group)
+            intersect(managed, existing)
+          end
+        end
+        private
+        def intersect(set1, set2)
+          set1 - (set1 - set2)
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/rails_integration.rb ADDED Viewed

@@ -0,0 +1,88 @@
+require 'ixtlan/guard'
+module Ixtlan
+  module ActionController #:nodoc:
+    module Guard #:nodoc:
+      def self.included(base)
+        base.send(:include, InstanceMethods)
+      end
+      module InstanceMethods #:nodoc:
+        protected
+        def guard
+          Rails.application.config.guard
+        end
+        def authorization(flavor = nil, &block)
+          if flavor.nil?
+            flavor = guard.flavor(self)
+            if flavor
+              method = "#{flavor}_authorization".to_sym
+              if self.respond_to?(method)
+                return send "#{flavor}_authorization".to_sym, &block
+              else
+                logger.warn "flavor #{flavor} configured in guard, but there is not method '#{method}'"
+                flavor = nil
+              end
+            end
+          end
+          resource_authorization(params[:controller], params[:action], flavor, &block)
+        end
+        def resource_authorization(resource, action, flavor = nil, &block)
+          unless guard.check(self,
+                             resource,
+                             action,
+                             &flavored_block(flavor, &block))
+            raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{resource}##{action}'")
+          end
+          true
+        end
+        def flavored_block(flavor = nil, &block)
+          if block
+            if flavor
+              Proc.new do |group|
+                allowed_flavors = guard.flavors[flavor.to_sym].call(self, group)
+                block.call(allowed_flavors)
+              end
+            else
+              block
+            end
+          end
+        end
+        private :flavored_block
+        def allowed?(action, flavor = nil, &block)
+          guard.check(self,
+                      params[:controller],
+                      action,
+                      &flavored_block(flavor, &block))
+        end
+      end
+    end
+  end
+  module Allowed #:nodoc:
+    # Inclusion hook to make #allowed available as method
+    def self.included(base)
+      base.send(:include, InstanceMethods)
+    end
+    module InstanceMethods #:nodoc:
+      def allowed?(resource, action, flavor_selector = nil, &block)
+        controller.send(:guard).check(controller, resource, action, flavor_selector, &block)
+      end
+    end
+  end
+end
+ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
+ActionController::Base.send(:before_filter, :authorization)
+ActionView::Base.send(:include, Ixtlan::Allowed)
+module Erector
+  class Widget
+    include Ixtlan::Allowed
+  end
+end