ixtlan-guard 0.1.0

data/lib/generators/ixtlan/controller/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Explain the generator
+
+Example:
+    rails generate guard Thing
+
+    This will create:
+        what/will/it/create

data/lib/generators/ixtlan/controller/controller_generator.rb

@@ -0,0 +1,22 @@
+module Ixtlan
+  class ControllerGenerator < Rails::Generators::NamedBase
+
+    source_root File.expand_path('../../templates', __FILE__)
+      
+    argument :actions, :type => :array, :default => [], :banner => "action action"
+      
+    check_class_collision :suffix => "Guard"
+    
+    def create_guard_file
+      template 'guard.rb', File.join('app', 'guards', class_path, "#{file_name}_guard.rb")
+    end
+
+    def guard_class_name
+      class_name
+    end
+
+    def aliases
+    end
+
+  end
+end

data/lib/generators/ixtlan/scaffold/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Explain the generator
+
+Example:
+    rails generate guard Thing
+
+    This will create:
+        what/will/it/create

data/lib/generators/ixtlan/scaffold/scaffold_generator.rb

@@ -0,0 +1,28 @@
+require 'rails/generators/resource_helpers'
+module Ixtlan
+  class ScaffoldGenerator < Rails::Generators::NamedBase
+    include Rails::Generators::ResourceHelpers
+
+    source_root File.expand_path('../../templates', __FILE__)
+    
+#    check_class_collision :suffix => "Guard"
+    
+    def create_guard_files
+      puts "ASD"
+      template 'guard.rb', File.join('app', 'guards', class_path, "#{plural_file_name}_guard.rb")
+    end
+    
+    def guard_class_name
+      controller_class_name
+    end
+
+    def aliases
+      { :new => :create, :edit => :update }
+    end
+
+    def actions
+      ['index', 'show', 'create', 'update', 'destroy']
+    end
+    
+  end
+end

data/lib/generators/ixtlan/templates/edit.html.erb

@@ -0,0 +1,10 @@
+<h1>Editing <%= singular_table_name %></h1>
+
+<%%= render 'form' %>
+
+<%% if allowed?(:<%= table_name %>, :show) %>
+<%%= link_to 'Show', @<%= singular_table_name %> %> |
+<%% end %>
+<%% if allowed?(:<%= table_name %>, :index) %>
+<%%= link_to 'Back', <%= index_helper %>_path %>
+<%% end %>

data/lib/generators/ixtlan/templates/guard.rb

@@ -0,0 +1,13 @@
+class <%= guard_class_name %>Guard
+  def initialize(guard)
+    #guard.name = "<%= plural_file_name %>"
+<% if aliases -%>
+    guard.aliases = <%= aliases.inspect %>
+<% end -%>
+    guard.action_map= {
+<% for action in actions -%>
+      :<%= action %> => [],
+<% end -%>
+    }
+  end
+end

data/lib/generators/ixtlan/templates/index.html.erb

@@ -0,0 +1,35 @@
+<h1>Listing <%= plural_table_name %></h1>
+
+<table>
+  <tr>
+<% for attribute in attributes -%>
+    <th><%= attribute.human_name %></th>
+<% end -%>
+    <th></th>
+    <th></th>
+    <th></th>
+  </tr>
+
+<%% @<%= plural_table_name %>.each do |<%= singular_table_name %>| %>
+  <tr>
+<% for attribute in attributes -%>
+    <td><%%= <%= singular_table_name %>.<%= attribute.name %> %></td>
+<% end -%>
+<%% if allowed?(:<%= table_name %>, :show) %>
+    <td><%%= link_to 'Show', <%= singular_table_name %> %></td>
+<%% end %>
+<%% if allowed?(:<%= table_name %>, :update) %>
+    <td><%%= link_to 'Edit', edit_<%= singular_table_name %>_path(<%= singular_table_name %>) %></td>
+<%% end %>
+<%% if allowed?(:<%= table_name %>, :destroy) %>
+    <td><%%= link_to 'Destroy', <%= singular_table_name %>, :confirm => 'Are you sure?', :method => :delete %></td>
+<%% end %>
+  </tr>
+<%% end %>
+</table>
+
+<br />
+
+<%% if allowed?(:<%= table_name %>, :create) %>
+<%%= link_to 'New <%= human_name %>', new_<%= singular_table_name %>_path %>
+<%% end %>

data/lib/generators/ixtlan/templates/new.html.erb

@@ -0,0 +1,7 @@
+<h1>New <%= singular_table_name %></h1>
+
+<%%= render 'form' %>
+
+<%% if allowed?(:<%= table_name %>, :index) %>
+<%%= link_to 'Back', <%= index_helper %>_path %>
+<%% end %>

data/lib/generators/ixtlan/templates/show.html.erb

@@ -0,0 +1,16 @@
+<p id="notice"><%%= notice %></p>
+
+<% for attribute in attributes -%>
+<p>
+  <b><%= attribute.human_name %>:</b>
+  <%%= @<%= singular_table_name %>.<%= attribute.name %> %>
+</p>
+
+<% end -%>
+
+<%% if allowed?(:<%= table_name %>, :update) %>
+<%%= link_to 'Edit', edit_<%= singular_table_name %>_path(@<%= singular_table_name %>) %> |
+<%% end %>
+<%% if allowed?(:<%= table_name %>, :index) %>
+<%%= link_to 'Back', <%= index_helper %>_path %>
+<%% end %>

data/lib/generators/scaffold/scaffold/scaffold_generator.rb

@@ -0,0 +1,23 @@
+# use this extended copy of Rails::Generators::ScaffoldGenerator
+# since the search path is the following:
+# ["scaffold:scaffold", "rails:scaffold", "scaffold"]
+# which allows to override orignal generator
+# adding a  Rails::Generators::ScaffoldGenerator.hook_for did not work
+# since it looses the ORM config somehow
+require  'rails/generators/rails/resource/resource_generator'
+module Rails
+  module Generators
+    class ScaffoldGenerator < ResourceGenerator #metagenerator
+
+      remove_hook_for :resource_controller
+      remove_class_option :actions
+    
+      hook_for :scaffold_controller, :required => true, :in => :rails
+      hook_for :stylesheets, :in => :rails
+
+      hook_for :ixtlan, :type => :boolean, :default => true do |controller|
+        invoke controller, [class_name]
+      end
+    end
+  end
+end

data/lib/ixtlan-guard.rb

@@ -0,0 +1,5 @@
+require 'ixtlan/guard'
+if defined?(Rails)
+  require 'ixtlan/guard_railtie'
+  require 'ixtlan/rails_integration'
+end

data/lib/ixtlan/guard.rb

@@ -0,0 +1,159 @@
+require 'logger'
+module Ixtlan
+  class ControllerGuard
+    
+    attr_accessor :name, :action_map, :aliases
+
+    def initialize(name)
+      @name = name.sub(/_guard$/, '').to_sym
+      class_name = name.split(/\//).collect { |part| part.split("_").each { |pp| pp.capitalize! }.join }.join("::")
+      Object.const_get(class_name).new(self)
+    end
+
+    def name=(name)
+      @name = name.to_sym
+    end
+
+    def aliases=(map)
+      @aliases = symbolize(map)
+    end
+
+    def action_map=(map)
+      @action_map = symbolize(map)
+    end
+
+    private
+
+    def symbolize(h)
+      result = {}
+      
+      h.each do |k, v|
+        if v.is_a?(Hash)
+          result[k.to_sym] = symbolize_keys(v) unless v.size == 0
+        elsif v.is_a?(Array)
+          val = []
+          v.each {|vv| val << vv.to_sym }
+          result[k.to_sym] = val
+        else
+          result[k.to_sym] = v.to_sym
+        end
+      end
+      
+      result
+    end
+
+  end
+
+  class Guard 
+
+    attr_accessor :logger, :guard_dir, :superuser, :block
+
+    def initialize(logger = Logger.new(STDOUT), superuser = :root, guard_dir = File.join("app", "guards"), &block)
+      @map = {}
+      @aliases = {}
+
+      @block =
+        if block
+          block
+        else
+          Proc.new do |controller|
+            # get the groups of the current_user
+            user = controller.send(:current_user) if controller.respond_to? :current_user
+            user.groups if user
+          end
+        end
+      @logger = logger
+      @superuser = superuser
+      @guard_dir = guard_dir
+    end
+
+    def setup
+      if File.exists?(@guard_dir)
+        Dir.new(guard_dir).to_a.each do |f|
+          if f.match(".rb$")
+            require(File.join(guard_dir, f))
+            controller_guard = ControllerGuard.new(f.sub(/.rb$/, ''))
+            register(controller_guard)
+          end
+        end
+        logger.debug("initialized guard . . .")
+      else
+        raise GuardException.new("guard directory #{guard_dir} not found, skip loading")
+      end
+    end
+
+    private
+
+    def register(controller_guard)
+      msg = controller_guard.action_map.collect{ |k,v| "\n\t#{k} => [#{v.join(',')}]"}
+      @logger.debug("#{controller_guard.name} guard: #{msg}")
+      @map[controller_guard.name] = controller_guard.action_map
+      @aliases[controller_guard.name] = controller_guard.aliases || {}
+    end
+
+    public
+
+    def block_groups(groups)
+      @blocked = (groups || []).collect { |g| g.to_sym}
+    end
+
+    def blocked
+      @blocked ||= []
+    end
+
+    def current_user_restricted?(controller)
+      groups =  @block.call(controller)
+      if groups
+p groups
+p blocked
+p groups.select { |g| !blocked.member?(g.to_sym) }
+        groups.select { |g| !blocked.member?(g.to_sym) }.size < groups.size
+      else
+        nil
+      end
+    end
+
+     def check(controller, resource, action, &block)
+      groups =  @block.call(controller)
+      if groups.nil?
+        @logger.debug("check #{resource}##{action}: not authenticated")
+        return true 
+      end
+      resource = resource.to_sym
+      action = action.to_sym
+      if (@map.key? resource)
+        action = @aliases[resource][action] || action
+        allowed = @map[resource][action]
+        if (allowed.nil?)
+          @logger.warn("unknown action '#{action}' for controller '#{resource}'")
+          raise ::Ixtlan::GuardException.new("unknown action '#{action}' for controller '#{resource}'")
+        else
+          allowed << @superuser unless allowed.member? @superuser
+          allow_all_groups = allowed.member?(:*) 
+          if(allow_all_groups && block.nil?)
+            @logger.debug("check #{resource}##{action}: allowed for all")
+            return true
+          else
+            groups.each do |group|
+              if (allow_all_groups || allowed.member?(group.to_sym)) && !blocked.member?(group.to_sym)
+                if(block.nil? || block.call(group))
+                  @logger.debug("check #{resource}##{action}: true")
+                  return true
+                end
+              end
+            end
+          end
+          @logger.debug("check #{resource}##{action}: false")
+          return false
+        end
+      else
+        @logger.warn("unknown controller for '#{resource}'")
+        raise ::Ixtlan::GuardException.new("unknown controller for '#{resource}'")
+      end
+    end
+  end
+
+  class GuardException < Exception; end
+  class PermissionDenied < GuardException; end
+end
+

data/lib/ixtlan/guard_railtie.rb

@@ -0,0 +1,43 @@
+require 'rails'
+require 'ixtlan/guard'
+require 'logger'
+
+class GuardRailtie < Rails::Railtie
+
+  config.before_configuration do |app|
+    app.config.class.class_eval do
+      attr_accessor :guard
+    end
+    app.config.guard = 
+      Ixtlan::Guard.new(Logger.new(STDERR), 
+                        :root, 
+                        File.join(Rails.root, "app", "guards")) 
+  end
+
+  config.after_initialize do |app|
+    logger = app.config.logger || Rails.logger || Logger.new(STDERR)
+    app.config.guard.logger = logger
+    begin
+      app.config.guard.setup
+    rescue Ixtlan::GuardException => e
+      logger.warn e.message
+    end
+  end
+
+  config.generators do
+    require 'rails/generators'
+    require 'rails/generators/rails/controller/controller_generator'
+    require 'rails/generators/erb/scaffold/scaffold_generator'
+    Rails::Generators::ControllerGenerator.hook_for :ixtlan, :type => :boolean, :default => true do |controller|
+      invoke controller, [ class_name, actions ]
+    end
+    Erb::Generators::ScaffoldGenerator.source_paths.insert(0, File.expand_path('../../generators/ixtlan/templates', __FILE__))
+    #require 'rails/generators/rails/scaffold/scaffold_generator'
+      # somehow the check is before the value is set, 
+      # so just ignore the require flag
+      #Rails::Generators::ScaffoldGenerator.class_options[:orm].instance_variable_set(:@required, false)
+      #Rails::Generators::ScaffoldGenerator.hook_for :ixtlan, :as => :scaffold, :type => :boolean, :default => true do |controller|
+      #  invoke controller, [class_name]
+      #end
+  end
+end

data/lib/ixtlan/rails_integration.rb

@@ -0,0 +1,55 @@
+require 'ixtlan/guard'
+module Ixtlan
+  module ActionController #:nodoc:
+    module Guard #:nodoc:
+      def self.included(base)
+        base.send(:include, InstanceMethods)
+      end
+      module InstanceMethods #:nodoc:
+
+        protected
+
+        def guard
+          Rails.configuration.guard
+        end
+
+        def authorization(&block)
+          resource_authorization(params[:controller], params[:action], &block)
+        end
+
+        def resource_authorization(resource, action, &block)
+          unless guard.check(self, resource, action, &block)
+            raise ::Ixtlan::PermissionDenied.new("permission denied for '#{resource}##{action}'")
+          end
+          true
+        end
+
+        def allowed?(action, &block)
+          guard.check(self, params[:controller], action, &block)
+        end
+      end
+    end
+  end
+
+  module Allowed #:nodoc:
+    # Inclusion hook to make #allowed available as method
+    def self.included(base)
+      base.send(:include, InstanceMethods)
+    end
+
+    module InstanceMethods #:nodoc:
+      def allowed?(resource, action, &block)
+        controller.send(:guard).check(controller, resource, action, &block)
+      end
+    end
+  end
+end
+
+ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
+ActionController::Base.send(:before_filter, :authorization)
+ActionView::Base.send(:include, Ixtlan::Allowed)
+module Erector
+  class Widget
+    include Ixtlan::Allowed
+  end
+end

data/spec/guard_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper'
+require 'ixtlan/guard'
+
+describe Ixtlan::Guard do
+
+  before :all do
+    @guard = Ixtlan::Guard.new(Logger.new(STDOUT), 
+                               :root, 
+                               File.join(File.dirname(__FILE__), "guards") )
+
+    @guard.setup
+    @current_user = Object.new
+    def @current_user.groups(g = nil)
+      @g = g if g
+      @g || []
+    end
+
+    @controller = Object.new
+    def @controller.current_user(u = nil)
+      @u = u if u
+      @u
+    end
+    @controller.current_user( @current_user )
+  end
+
+  it 'should fail with missing guard dir' do
+    lambda {Ixtlan::Guard.new(Logger.new(STDOUT), 
+                              :root, 
+                              "does_not_exists").setup }.should raise_error(Ixtlan::GuardException)
+  end
+
+  it 'should initialize' do
+    @guard.should_not be_nil
+  end
+
+  it 'should pass check without user' do
+    controller = Object.new
+    def controller.current_user
+    end
+    @guard.check(controller, :none, :something).should be_true
+  end
+
+  it 'should pass check with user being root' do
+    @current_user.groups([:root])
+    @guard.check(@controller, :users, :show).should be_true
+  end
+
+  it 'should not pass check with user - no groups' do
+    @current_user.groups([])
+    @guard.check(@controller, :users, :show).should be_false
+  end
+
+  it 'should pass unguarded check with user - no groups' do
+    @current_user.groups([])
+    @guard.check(@controller, :users, :index).should be_true
+  end
+
+  it 'should pass check with user on aliased action' do
+    @current_user.groups([:users])
+    @guard.check(@controller, :users, :edit).should be_true
+  end
+
+  it 'should pass check with user' do
+    @current_user.groups([:users])
+    @guard.check(@controller, :users, :update).should be_true
+  end
+
+  it 'should not pass check with user' do
+    @current_user.groups([:accounts])
+    @guard.check(@controller, :users, :update).should be_false
+  end
+
+  it 'should pass check with user with passing extra check' do
+    @current_user.groups([:users])
+    @guard.check(@controller, :users, :update) do |g|
+      true
+    end.should be_true
+  end
+
+  it 'should not pass check with user with failing extra check' do
+    @current_user.groups([:users])
+    @guard.check(@controller, :users, :update) do |g|
+      false
+    end.should be_false
+  end
+
+  it 'should raise exception on unknown action' do
+    lambda {@guard.check(@controller, :users, :unknown_action) }.should raise_error(Ixtlan::GuardException)
+  end
+
+  it 'should raise exception on unknown resource' do
+    lambda {@guard.check(@controller, :unknown_resource, :update) }.should raise_error(Ixtlan::GuardException)
+  end
+end

data/spec/guards/users_guard.rb

@@ -0,0 +1,13 @@
+class UsersGuard
+  def initialize(guard)
+    guard.name = "users"
+    guard.aliases= {:edit => :update}
+    guard.action_map= {
+      :index => [:*],
+      :show => [:users],
+      :create => [:users],
+      :update => [:users],
+      :destroy => [:users]
+    }
+  end
+end

data/spec/railtie_spec.rb

@@ -0,0 +1,2 @@
+require 'spec_helper'
+require 'ixtlan/guard_railtie'

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+lib_path = (Pathname(__FILE__).dirname.parent.expand_path + 'lib').to_s
+$LOAD_PATH.unshift lib_path unless $LOAD_PATH.include?(lib_path)

metadata

@@ -0,0 +1,137 @@
+--- !ruby/object:Gem::Specification 
+name: ixtlan-guard
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+    - 0
+    - 1
+    - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+  - mkristian
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-10-17 00:00:00 +05:30
+default_executable: 
+dependencies: 
+  - !ruby/object:Gem::Dependency 
+    name: rails
+    prerelease: false
+    requirement: &id001 !ruby/object:Gem::Requirement 
+      requirements: 
+        - - "="
+          - !ruby/object:Gem::Version 
+            segments: 
+              - 3
+              - 0
+              - 0
+            version: 3.0.0
+    type: :development
+    version_requirements: *id001
+  - !ruby/object:Gem::Dependency 
+    name: rspec
+    prerelease: false
+    requirement: &id002 !ruby/object:Gem::Requirement 
+      requirements: 
+        - - "="
+          - !ruby/object:Gem::Version 
+            segments: 
+              - 1
+              - 3
+              - 1
+            version: 1.3.1
+    type: :development
+    version_requirements: *id002
+  - !ruby/object:Gem::Dependency 
+    name: cucumber
+    prerelease: false
+    requirement: &id003 !ruby/object:Gem::Requirement 
+      requirements: 
+        - - "="
+          - !ruby/object:Gem::Version 
+            segments: 
+              - 0
+              - 9
+              - 2
+            version: 0.9.2
+    type: :development
+    version_requirements: *id003
+  - !ruby/object:Gem::Dependency 
+    name: rake
+    prerelease: false
+    requirement: &id004 !ruby/object:Gem::Requirement 
+      requirements: 
+        - - "="
+          - !ruby/object:Gem::Version 
+            segments: 
+              - 0
+              - 8
+              - 7
+            version: 0.8.7
+    type: :development
+    version_requirements: *id004
+description: simple authorization framework for rails controllers
+email: 
+  - m.kristian@web.de
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+  - lib/ixtlan-guard.rb
+  - lib/generators/scaffold/scaffold/scaffold_generator.rb
+  - lib/generators/ixtlan/controller/USAGE
+  - lib/generators/ixtlan/controller/controller_generator.rb
+  - lib/generators/ixtlan/scaffold/USAGE
+  - lib/generators/ixtlan/scaffold/scaffold_generator.rb
+  - lib/generators/ixtlan/templates/new.html.erb
+  - lib/generators/ixtlan/templates/show.html.erb
+  - lib/generators/ixtlan/templates/guard.rb
+  - lib/generators/ixtlan/templates/edit.html.erb
+  - lib/generators/ixtlan/templates/index.html.erb
+  - lib/ixtlan/guard_railtie.rb
+  - lib/ixtlan/rails_integration.rb
+  - lib/ixtlan/guard.rb
+  - spec/guard_spec.rb
+  - spec/spec_helper.rb
+  - spec/railtie_spec.rb
+  - spec/guards/users_guard.rb
+has_rdoc: true
+homepage: http://github.com/mkristian/ixtlan-guard
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+  - --main
+  - README.textile
+require_paths: 
+  - lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+          - 0
+        version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+          - 0
+        version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: guard your controller actions
+test_files: 
+  - spec/guard_spec.rb
+  - spec/railtie_spec.rb