ixtlan-guard 0.7.2 → 0.8.0

data/spec/guard_rails_spec.rb

@@ -0,0 +1,150 @@
+require 'spec_helper'
+require 'ixtlan/guard/guard'
+require 'ixtlan/guard/guard_rails'
+require 'logger'
+class Logger
+  def debug(&block)
+  end
+end
+
+module Rails
+  def self.application
+    self
+  end
+  def self.config
+    self
+  end
+  def self.guard
+      @guard ||= 
+        begin
+          logger = Logger.new(STDOUT)
+          Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), 
+                                   :logger => logger)
+        end
+  end
+end
+
+class Controller
+  include Ixtlan::Guard::ActionController
+
+  attr_accessor :params
+  def new_user
+    user = Object.new
+    def user.groups(groups = ['users'])
+      @groups ||= groups
+    end
+    user
+  end
+  def current_user
+    @user ||= new_user
+  end
+end
+class RestrictedController < Controller
+
+  guard_filter :only => [:index] do |groups|
+    groups.select {|g| g =~ /^user/ }
+  end
+
+  guard_filter :except => [:index] do |groups|
+    groups.select {|g| g == 'admin' }
+  end
+
+  
+end
+
+describe Ixtlan::Guard::ActionController do
+
+  describe "without filter" do
+    subject do
+      Controller.new
+    end
+    
+    it 'should return a guard' do
+      subject.send(:guard).should_not be_nil
+    end
+
+    it 'should have current_groups' do
+      subject.send(:current_groups).should_not be_nil
+    end
+
+    it 'should have no guard_filters' do
+      subject.class.guard_filters.should == []
+    end
+
+    it 'raise error on unknown resource' do
+      lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
+    end
+    
+    it 'should pass' do
+      subject.send(:check, "index", "users").should == ["users"]
+      begin
+        subject.params = {:controller => "users", :action => "index" }
+        subject.send(:authorize).should be_true
+        subject.params.delete(:action)
+        subject.send(:allowed?, "index").should be_true
+      ensure
+        subject.params = {}
+      end
+    end
+
+    it 'should not pass' do
+      subject.send(:check, "doit", "no_defaults").should be_nil
+      begin
+        subject.params = {:controller => "no_defaults", :action => "doit" }
+        lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
+        subject.params.delete(:action)
+        subject.send(:allowed?, "doitagain").should be_false
+      ensure
+        subject.params = {}
+      end
+    end
+  end  
+
+  describe "with filter" do
+    subject do
+      c = RestrictedController.new
+      c.current_user.groups ['users', 'useradmin', 'admin']
+      c
+    end
+    
+    it 'should return a guard' do
+      subject.send(:guard).should_not be_nil
+    end
+
+    it 'should have current_groups' do
+      subject.send(:current_groups).should_not be_nil
+    end
+
+    it 'should have no guard_filters' do
+      subject.class.guard_filters.size.should == 2
+    end
+
+    it 'raise error on unknown resource' do
+      lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
+    end
+    
+    it 'should pass' do
+      subject.send(:check, "destroy", "person").should == ["admin"]
+      begin
+        subject.params = {:controller => "person", :action => "destroy" }
+        subject.send(:authorize).should be_true
+        subject.params.delete(:action)
+        subject.send(:allowed?, "destroy").should be_true
+      ensure
+        subject.params = {}
+      end
+    end
+
+    it 'should not pass' do
+      subject.send(:check, "edit", "person").should be_nil
+      begin
+        subject.params = {:controller => "person", :action => "edit" }
+        lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
+        subject.params.delete(:action)
+        subject.send(:allowed?, "edit").should be_false
+      ensure
+        subject.params = {}
+      end
+    end
+  end
+end

data/spec/guard_rails_spec.rb~

@@ -0,0 +1,150 @@
+require 'spec_helper'
+require 'ixtlan/guard/guard'
+require 'ixtlan/guard/guard_rails'
+require 'logger'
+class Logger
+  def debug(&block)
+  end
+end
+
+class Rails
+  def self.application
+    self
+  end
+  def self.config
+    self
+  end
+  def self.guard
+      @guard ||= 
+        begin
+          logger = Logger.new(STDOUT)
+          Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), 
+                                   :logger => logger)
+        end
+  end
+end
+
+class Controller
+  include Ixtlan::ActionController::Guard
+
+  attr_accessor :params
+  def new_user
+    user = Object.new
+    def user.groups(groups = ['users'])
+      @groups ||= groups
+    end
+    user
+  end
+  def current_user
+    @user ||= new_user
+  end
+end
+class RestrictedController < Controller
+
+  guard_filter :only => [:index] do |groups|
+    groups.select {|g| g =~ /^user/ }
+  end
+
+  guard_filter :except => [:index] do |groups|
+    groups.select {|g| g == 'admin' }
+  end
+
+  
+end
+
+describe Ixtlan::ActionController::Guard do
+
+  describe "without filter" do
+    subject do
+      Controller.new
+    end
+    
+    it 'should return a guard' do
+      subject.send(:guard).should_not be_nil
+    end
+
+    it 'should have current_groups' do
+      subject.send(:current_groups).should_not be_nil
+    end
+
+    it 'should have no guard_filters' do
+      subject.class.guard_filters.should == []
+    end
+
+    it 'raise error on unknown resource' do
+      lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
+    end
+    
+    it 'should pass' do
+      subject.send(:check, "index", "users").should == ["users"]
+      begin
+        subject.params = {:controller => "users", :action => "index" }
+        subject.send(:authorize).should be_true
+        subject.params.delete(:action)
+        subject.send(:allowed?, "index").should be_true
+      ensure
+        subject.params = {}
+      end
+    end
+
+    it 'should not pass' do
+      subject.send(:check, "doit", "no_defaults").should be_nil
+      begin
+        subject.params = {:controller => "no_defaults", :action => "doit" }
+        lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
+        subject.params.delete(:action)
+        subject.send(:allowed?, "doitagain").should be_false
+      ensure
+        subject.params = {}
+      end
+    end
+  end  
+
+  describe "with filter" do
+    subject do
+      c = RestrictedController.new
+      c.current_user.groups ['users', 'useradmin', 'admin']
+      c
+    end
+    
+    it 'should return a guard' do
+      subject.send(:guard).should_not be_nil
+    end
+
+    it 'should have current_groups' do
+      subject.send(:current_groups).should_not be_nil
+    end
+
+    it 'should have no guard_filters' do
+      subject.class.guard_filters.size.should == 2
+    end
+
+    it 'raise error on unknown resource' do
+      lambda{subject.send(:check, "edit", "unknown_resource")}.should raise_error( Ixtlan::Guard::GuardException)
+    end
+    
+    it 'should pass' do
+      subject.send(:check, "destroy", "person").should == ["admin"]
+      begin
+        subject.params = {:controller => "person", :action => "destroy" }
+        subject.send(:authorize).should be_true
+        subject.params.delete(:action)
+        subject.send(:allowed?, "destroy").should be_true
+      ensure
+        subject.params = {}
+      end
+    end
+
+    it 'should not pass' do
+      subject.send(:check, "edit", "person").should be_nil
+      begin
+        subject.params = {:controller => "person", :action => "edit" }
+        lambda{subject.send(:authorize)}.should raise_error(Ixtlan::Guard::PermissionDenied)
+        subject.params.delete(:action)
+        subject.send(:allowed?, "edit").should be_false
+      ensure
+        subject.params = {}
+      end
+    end
+  end
+end

data/spec/guard_spec.rb

@@ -1,19 +1,19 @@
 require 'spec_helper'
-require 'ixtlan/guard/guard_ng'
+require 'ixtlan/guard/guard'
 require 'logger'
 
-describe Ixtlan::Guard::GuardNG do
+describe Ixtlan::Guard::Guard do
 
   subject do
     logger = Logger.new(STDOUT)
     def logger.debug(&block)
       #info("\n\t[debug] " + block.call)
     end
-    Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
+    Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
   end
 
   it 'should fail with missing guard dir' do
-    lambda {Ixtlan::Guard::GuardNG.new(:guards_dir => "does_not_exists") }.should raise_error(Ixtlan::Guard::GuardException)
+    lambda {Ixtlan::Guard::Guard.new(:guards_dir => "does_not_exists") }.should raise_error(Ixtlan::Guard::GuardException)
   end
 
   it 'should initialize' do
@@ -28,13 +28,15 @@ describe Ixtlan::Guard::GuardNG do
     subject.allowed?(:users, :show, [:root]).should be_true
   end
 
-  it 'should pass "allow all groups" with user with any groups' do
-    subject.allowed?(:users, :index, [:any_possible_group]).should be_true
+  it 'should pass "allow all groups" with any groups' do
+    # users resource ask for a block since it is restricted
+    subject.allowed?(:users, :index, [:any_possible_group]){|g| g}.should be_true
     subject.allowed?(:only_defaults, :index, [:any_possible_group]).should be_true
   end
 
   it 'should pass' do
-    subject.allowed?(:users, :update, [:users]).should be_true
+    # users resource ask for a block since it is restricted
+    subject.allowed?(:users, :update, [:users]){|g| g}.should be_true
     subject.allowed?(:only_defaults, :update, [:users]).should be_true
     subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
   end
@@ -42,7 +44,8 @@ describe Ixtlan::Guard::GuardNG do
   it 'should not pass with user when in blocked group' do
     subject.block_groups([:users])
     begin
-      subject.allowed?(:users, :update, [:users]).should be_false
+      # users resource ask for a block since it is restricted
+      subject.allowed?(:users, :update, [:users]){|g| g}.should be_false
       subject.allowed?(:only_defaults, :update, [:users]).should be_false
     subject.allowed?(:allow_all_defaults, :update, [:users]).should be_false
     ensure
@@ -53,7 +56,8 @@ describe Ixtlan::Guard::GuardNG do
   it 'should pass with user when not in blocked group' do
     subject.block_groups([:accounts])
     begin
-      subject.allowed?(:users, :update, [:users]).should be_true
+      # users resource ask for a block since it is restricted
+      subject.allowed?(:users, :update, [:users]){|g| g}.should be_true
       subject.allowed?(:only_defaults, :update, [:users]).should be_true
       subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
     ensure
@@ -64,7 +68,8 @@ describe Ixtlan::Guard::GuardNG do
   it 'should not block root group' do
     subject.block_groups([:root])
     begin
-      subject.allowed?(:users, :update, [:root]).should be_true
+      # users resource ask for a block since it is restricted
+      subject.allowed?(:users, :update, [:root]){|g| g}.should be_true
       subject.allowed?(:only_defaults, :update, [:root]).should be_true
     subject.allowed?(:allow_all_defaults, :update, [:root]).should be_true
     ensure
@@ -78,7 +83,8 @@ describe Ixtlan::Guard::GuardNG do
   end
 
   it 'should should use defaults on unknown action' do
-    subject.allowed?(:users, :unknow, [:users]).should be_true
+      # users resource ask for a block since it is restricted
+    subject.allowed?(:users, :unknow, [:users]){|g| g}.should be_true
     subject.allowed?(:only_defaults, :unknow, [:users]).should be_true
     subject.allowed?(:allow_all_defaults, :update, [:users]).should be_true
   end

data/spec/guard_with_associations_spec.rb

@@ -1,5 +1,5 @@
 require 'spec_helper'
-require 'ixtlan/guard/guard_ng'
+require 'ixtlan/guard/guard'
 require 'logger'
 
 class Group
@@ -12,103 +12,119 @@ class Group
   end
 end
 
-describe Ixtlan::Guard::GuardNG do
+describe Ixtlan::Guard::Guard do
 
   subject do
     logger = Logger.new(STDOUT)
     def logger.debug(&block)
      # info("\n\t[debug] " + block.call)
     end
-    Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
+    Ixtlan::Guard::Guard.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
   end
 
-  it 'should pass without association without block' do
-    subject.allowed?(:users, :update, [Group.new(:users)]).should be_true
+  it 'should pass without block' do
+    subject.allowed?(:users, :edit, [Group.new(:users)]).should be_true
   end
 
-  it 'should deny without association with block' do
-    subject.allowed?(:users, :update, [Group.new(:users)]){}.should be_false
+  it 'should deny with block returning empty array' do
+    subject.allowed?(:users, :update, [Group.new(:users)]){ |groups| [] }.should be_false
   end
 
-  it 'should deny with association without block' do
-    subject.allowed?(:users, :update, [Group.new(:users, :manager)], :manager).should be_false
+  it 'should allow root user' do
+    subject.allowed?(:users, :update, [Group.new(:root)]){ |groups| [] }.should be_true
   end
 
-  it 'should pass with matching association with block' do
-    subject.allowed?(:users, :update, [Group.new(:users, :manager)], :manager) do |group, association|
-      group.domains.detect {|d| d == association.to_s }
-    end.should be_false
+  it 'should pass with matching association' do
+    subject.allowed?(:users, :update, [Group.new(:users, :manager)]) do |groups|
+      groups.select { |g| g.domains.member? :manager }
+    end.should be_true
   end
 
-  it 'should fail with mismatching association with block' do
-    subject.allowed?(:users, :update, [Group.new(:users, :manager)], :nomanager) do |group, association|
-      group.domains.detect {|d| d == association }
+  it 'should fail with mismatching association' do
+    subject.allowed?(:users, :update, [Group.new(:users, :manager)]) do |groups|
+      groups.select { |g| g.domains.detect {|d| d == 'nomanager' } }
     end.should be_false
   end
 
   it 'should add associations to node' do
-    subject.permissions([Group.new('admin', [:german, :french])]) do |resource, action, groups|
+    perms = subject.permissions([Group.new('admin', [:german, :french])]) do |resource, groups|
       if groups && groups.first && groups.first.name == 'admin'
-        { :domains => groups.first.domains }
+        groups.first.domains
       else
         {}
       end
-    end.sort { |m,n| m[:resource] <=> n[:resource]}.should == 
-      [{
-         :permission=>{
-           :resource=>"accounts", 
-           :actions=>[{:action=>{ 
-                          :name=>"destroy",
-                          :domains=>[:german, :french]}}], 
-           :deny=>false}},
-       {
-         :permission=>{
-           :resource=>"allow_all_defaults",
-           :actions=>[{:action=>{:name=>"index"}}], 
-           :deny=>true, 
-           :domains=>[:german, :french]}},
-       {
-         :permission=>{
-           :resource=>"defaults", 
-           :actions=>[{:action=>{
-                          :name=>"index",
-                          :domains=>[:german, :french]}}], 
-           :deny=>false}}, 
-       {
-         :permission=>{
-           :resource=>"no_defaults", 
-           :actions=>[{:action=>{
-                          :name=>"index",
-                          :domains=>[:german, :french]}}], 
-           :deny=>false}}, 
-       {
-         :permission=>{
-           :resource=>"only_defaults", 
-           :domains=>[:german, :french],
-           :actions=>[],
-           :deny=>true}}, 
-       {
-         :permission=>{
-           :resource=>"person", 
-           :actions=> [{:action=>{ 
-                           :name=>"destroy",
-                           :domains=>[:german, :french]}}, 
-                       {:action=>{ 
-                           :name=>"index",
-                           :domains=>[:german, :french]}}], 
-           :deny=>false}},
-       {
-          :permission=>{
-            :resource=>"regions",
-            :actions=>[
-              {:action=>{:name=>"show", :domains=>[:german, :french]}},
-              {:action=>{:name=>"create", :domains=>[:german, :french]}}
-            ],
-            :deny=>false}},
-       {
-         :permission=>{
-           :resource=>"users", 
-           :actions=>[], 
-           :deny=>false}}]  
+    end
+
+    expected = {}
+    expected[:accounts] = {
+      :permission=>{
+        :resource=>"accounts", 
+        :actions=>[{:action=>{ 
+                       :name=>"destroy",
+                       :associations=>[:german, :french]}}], 
+        :deny=>false}
+    }
+    expected[:allow_all_defaults] = {
+      :permission=>{
+        :resource=>"allow_all_defaults",
+        :actions=>[{:action=>{:name=>"index"}}], 
+        :deny=>true, 
+        :associations=>[:german, :french]}
+    }
+    expected[:defaults] = {
+      :permission=>{
+        :resource=>"defaults", 
+        :actions=>[{:action=>{
+                       :name=>"index",
+                       :associations=>[:german, :french]}}], 
+        :deny=>false}
+    }
+    expected[:no_defaults] = {
+      :permission=>{
+        :resource=>"no_defaults", 
+        :actions=>[{:action=>{
+                       :name=>"index",
+                       :associations=>[:german, :french]}}], 
+        :deny=>false}
+    } 
+    expected[:only_defaults] = {
+      :permission=>{
+        :resource=>"only_defaults", 
+        :actions=>[],
+        :associations=>[:german, :french],
+        :deny=>true}
+    }
+    expected[:person]= {
+      :permission=>{
+        :resource=>"person", 
+        :actions=> [{:action=>{ 
+                        :name=>"destroy",
+                        :associations=>[:german, :french]}}, 
+                    {:action=>{ 
+                        :name=>"index",
+                        :associations=>[:german, :french]}}], 
+        :deny=>false}
+    }
+    expected[:regions] = {
+      :permission=>{
+        :resource=>"regions",
+        :actions=>[
+                   {:action=>{:name=>"create", :associations=>[:german, :french]}},
+                   {:action=>{:name=>"show", :associations=>[:german, :french]}}
+                  ],
+        :deny=>false}
+    }
+    expected[:users] = {
+      :permission=>{
+        :resource=>"users", 
+        :actions=>[], 
+        :deny=>false}
+    } 
+    perms.each do |perm|
+      if perm[:actions]
+        perm[:actions].sort!{ |n,m| n.content[:name] <=> m.content[:name] }
+      end
+      expected[perm[:resource].to_sym].should == perm
+    end
   end
 end