ixtlan-guard 0.5.0 → 0.6.0

data/lib/generators/guard/controller/controller_generator.rb

@@ -8,15 +8,7 @@ module Guard
 #    check_class_collision :suffix => "Guard"
     
     def create_guard_file
-      template 'guard.rb', File.join('app', 'guards', class_path, "#{file_name}_guard.rb")
+      template 'guard.yml', File.join('app', 'guards', class_path, "#{file_name}_guard.yml")
     end
-
-    def guard_class_name
-      class_name
-    end
-
-    def aliases
-    end
-
   end
 end

data/lib/generators/guard/scaffold/scaffold_generator.rb

@@ -3,24 +3,17 @@ module Guard
   class ScaffoldGenerator < Rails::Generators::NamedBase
     include Rails::Generators::ResourceHelpers
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path('../../templates', __FILE__)
     
 #    check_class_collision :suffix => "Guard"
     
     def create_guard_files
-      template 'guard.rb', File.join('app', 'guards', class_path, "#{plural_file_name}_guard.rb")
+      template 'guard.yml', File.join('app', 'guards', class_path, "#{plural_file_name}_guard.yml")
     end
-    
-    def guard_class_name
-      controller_class_name
-    end
-
-    def aliases
-      { :create=>:new, :update=>:edit }
-    end
-
+ 
+    #TODO should be coming from the actual generator
     def actions
-      ['index', 'show', 'new', 'edit', 'destroy']
+      ['index', 'show', 'new', 'create', 'edit', 'update', 'destroy']
     end
   end
 end

data/lib/generators/guard/templates/guard.yml

@@ -0,0 +1,12 @@
+<%= plural_file_name %>:
+  defaults: [] 
+<% case actions
+   when Array
+     for action in actions -%>
+#  <%= action %>: []
+<%   end 
+   when Hash
+     actions.each do |action, groups| -%>
+  <%= action %>: <%= groups.inspect %>
+<%   end
+   end -%>

data/lib/ixtlan-guard.rb

@@ -1,5 +1,4 @@
 require 'ixtlan/guard'
 if defined?(Rails)
   require 'ixtlan/guard/railtie'
-  require 'ixtlan/guard/rails_integration'
 end

data/lib/ixtlan/guard.rb

@@ -1 +1 @@
-require 'ixtlan/guard/guard'
+require 'ixtlan/guard/guard_ng'

data/lib/ixtlan/guard/guard_config.rb

@@ -0,0 +1,55 @@
+require 'yaml'
+module Ixtlan
+  module Guard
+    class Config
+
+      def initialize(options = {})
+        @guards_dir = options[:guards_dir]
+        @load_method = options[:cache] ? :cached_load_from_yaml_file : :load_from_yaml_file
+        raise GuardException.new("guards directory does not exists: #{@guards_dir}") unless File.directory?(@guards_dir)
+      end
+
+      def allowed_groups(resource, action)
+        if resource && action
+          resource = resource.to_s
+          groups = send(@load_method, resource)
+          groups[action.to_s] || groups["defaults"] || []
+        else
+          []
+        end
+      end
+
+      def has_guard?(resource)
+        File.exists? yaml_file(resource)
+      end
+
+      def map_of_all
+        result = {}
+        Dir[File.join(@guards_dir, "*_guard.yml")].each do |file|
+          result.merge!(YAML.load_file(file))
+        end
+        result
+      end
+
+      private
+      
+      def cached_load_from_yaml_file(resource)
+        @cache ||= {}
+        @cache[resource] ||= load_from_yaml_file(resource)
+      end
+
+      def yaml_file(resource)
+        File.join(@guards_dir, "#{resource}_guard.yml")
+      end
+
+      def load_from_yaml_file(resource)
+        file = yaml_file(resource)
+        if File.exists? file
+          YAML.load_file(file)[resource] || {}
+        else
+          {}
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/guard_ng.rb

@@ -0,0 +1,157 @@
+require 'ixtlan/guard/guard_config'
+
+module Ixtlan
+  module Guard
+    class GuardNG
+
+      def initialize(options = {})
+        options[:guards_dir] ||= File.expand_path(".")
+        @superuser = [(options[:superuser] || "root").to_s]
+        @config = Config.new(options)
+        @logger = options[:logger]
+      end
+
+      def block_groups(groups)
+        @blocked_groups = (groups || []).collect { |g| g.to_s}
+        @blocked_groups.delete(@superuser)
+        @blocked_groups
+      end
+
+      def blocked_groups
+        @blocked_groups ||= []
+      end
+
+      def logger
+        @logger ||= 
+          if defined?(Slf4r::LoggerFactory)
+            Slf4r::LoggerFactory.new(Ixtlan::Guard)
+          else
+            require 'logger'
+            Logger.new(STDOUT)
+          end
+      end
+
+      def allowed_groups(resource, action, current_groups)
+        allowed = @config.allowed_groups(resource, action) - blocked_groups + @superuser
+        if allowed.member?('*')
+          current_groups
+        else
+          intersect(allowed, current_groups)
+        end
+      end
+
+      def allowed?(resource, action, current_groups, flavor = nil, &block)
+        current_groups = current_groups.collect { |g| g.to_s }
+        allowed_groups = self.allowed_groups(resource, action, current_groups)
+        logger.debug { "guard #{resource}##{action}: #{allowed_groups.size > 0}" }
+        if allowed_groups.size > 0
+          if block
+            g = allowed_groups.detect do |group|
+              block.call(group).member?(flavor)
+            end
+            logger.debug do
+              if g
+                "found group #{g} for #{flavor}" 
+              else
+                "no group found for #{flavor}"
+              end
+            end
+            g != nil
+          else
+            true
+          end
+        else
+          unless @config.has_guard?(resource)
+            raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource}'")
+          else
+            false
+          end
+        end
+      end
+
+      def permissions(current_groups, flavors = {})
+        perms = []
+        m = @config.map_of_all
+        m.each do |resource, actions|
+          nodes = []
+          perm = Node.new(:permission)
+          perm[:resource] = resource
+          perm[:actions] = nodes
+          defaults = intersect(current_groups, (actions.delete('defaults') || []) + @superuser)
+          deny = perm[:deny] = defaults.size != 0
+          actions.each do |action, groups|
+            node = Node.new(:action)
+            allowed_groups = 
+              if groups && groups.member?('*')
+                current_groups
+              else
+                intersect(current_groups, (groups || []) + @superuser)
+              end
+            if (deny && allowed_groups.size == 0) || (!deny && allowed_groups.size > 0)
+              node[:name] = action
+#                f = {}
+#                flavors.each do |fl, block|
+#                  f[fl] = block.call(allowed_groups)
+#                end
+#                node[:flavors] = f if f.size > 0
+              nodes << node
+            end
+          end
+          perms << perm
+        end
+        perms
+      end
+
+      def permission_map(current_groups, flavors = {})
+        # TODO fix it - think first !!
+        perms = {}
+        m = @config.map_of_all
+        m.each do |resource, actions|
+          nodes = {}
+          actions.each do |action, groups|
+            if action == 'defaults'
+              nodes[action] = {}
+            else
+              allowed_groups = intersect(current_groups, (groups || []) + @superuser)
+              if allowed_groups.size > 0
+                f = {}
+                flavors.each do |fl, block|
+                  flav = block.call(allowed_groups)
+                  f[fl] = flav if flav.size > 0
+                end
+                nodes[action] = f
+              else
+                nodes[action] = nil # indicates not default action
+              end
+            end
+          end
+          perms[resource] = nodes if nodes.size > 0
+        end
+        perms
+      end
+
+      private
+      
+      def intersect(set1, set2)
+        set1 - (set1 - set2)
+      end
+    end
+    class Node < Hash
+      
+      def initialize(name)
+        map = super
+        @content = {}
+        merge!({ name => @content })
+      end
+
+      def []=(k,v)
+        @content[k] = v
+      end
+      def [](k)
+        @content[k]
+      end
+    end
+    class GuardException < Exception; end
+    class PermissionDenied < GuardException; end
+  end
+end

data/lib/ixtlan/guard/guard_rails.rb

@@ -0,0 +1,76 @@
+module Ixtlan
+  module ActionController #:nodoc:
+    module Guard #:nodoc:
+      def self.included(base)
+        base.send(:include, InstanceMethods)
+        unless base.respond_to?(:groups_for_current_user)
+          base.send(:include, GroupsMethod)
+        end
+      end
+
+      module GroupsMethod
+
+        protected
+
+        def groups_for_current_user
+          if respond_to?(:current_user) && current_user
+            current_user.groups.collect do |group|
+              group.name
+            end
+          else
+            []
+          end
+        end
+      end
+
+      module RootGroup
+        protected
+
+        def groups_for_current_user
+          ['root']
+        end
+      end
+
+      module InstanceMethods #:nodoc:
+
+        protected
+
+        def guard
+          Rails.application.config.guard
+        end
+
+        def check(flavor = nil, &block)
+          unless guard.allowed?(params[:controller], 
+                                params[:action],
+                                groups_for_current_user, 
+                                flavor, 
+                                &block)
+            if flavor
+              raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}##{flavor}'")
+            else
+              raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{params[:controller]}##{params[:action]}'")
+            end
+          end
+          true
+        end
+
+        def authorization
+          check
+        end
+      end
+    end
+  end
+
+  module Allowed #:nodoc:
+    # Inclusion hook to make #allowed available as method
+    def self.included(base)
+      base.send(:include, InstanceMethods)
+    end
+    
+    module InstanceMethods #:nodoc:
+      def allowed?(resource, action)
+        controller.send(:guard).allowed?(resource, action, controller.send(:groups_for_current_user))
+      end
+    end
+  end
+end

data/lib/ixtlan/guard/railtie.rb

@@ -1,24 +1,30 @@
 require 'rails'
-require 'ixtlan/guard'
+require 'ixtlan/guard/guard_ng'
+require 'ixtlan/guard/guard_rails'
 require 'logger'
+require 'fileutils'
 
 module Ixtlan
   module Guard
     class Railtie < Rails::Railtie
 
       config.before_configuration do |app|
-        app.config.guard = 
-          Ixtlan::Guard::Guard.new(:guard_dir => File.join(Rails.root, "app", "guards")) 
+        app.config.guards_dir = File.join(Rails.root, "app", "guards")
       end
       
       config.after_initialize do |app|
         logger = app.config.logger || Rails.logger || Logger.new(STDERR)
-        app.config.guard.logger = logger unless defined?(Slf4r)
-        begin
-          app.config.guard.setup
-        rescue Ixtlan::Guard::GuardException => e
-          logger.warn e.message
-        end
+        options = {
+          :guards_dir => app.config.guards_dir,
+          :cache => app.config.cache_classes
+        }
+        options[:logger] = logger unless defined?(Slf4r)
+        FileUtils.mkdir_p(app.config.guards_dir)
+        app.config.guard = Ixtlan::Guard::GuardNG.new(options)
+
+        ::ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
+        ::ActionController::Base.send(:before_filter, :authorization)
+        ::ActionView::Base.send(:include, Ixtlan::Allowed)
       end
       
       config.generators do

data/spec/guard_cache_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper'
+require 'ixtlan/guard/guard_ng'
+require 'logger'
+require 'fileutils'
+
+$target = File.join("target", "guards", "users_guard.yml")
+FileUtils.mkdir_p(File.dirname($target))
+$source1 = File.join(File.dirname(__FILE__), "guards", "users1_guard.yml")
+$source2 = File.join(File.dirname(__FILE__), "guards", "users2_guard.yml")
+$logger = Logger.new(STDOUT)
+def $logger.debug(&block)
+  info("\n\t[debug] " + block.call)
+end
+
+describe Ixtlan::Guard::GuardNG do
+
+  context "without caching" do
+    def not_cached
+      $not_cached ||= Ixtlan::Guard::GuardNG.new(:guards_dir => File.dirname($target), 
+                                                 :logger => $logger )
+    end
+      
+    subject { not_cached }
+
+    it 'should pass' do
+      FileUtils.cp($source1, $target)
+      subject.allowed?(:users, :index, [:users]).should be_true
+      subject.allowed?(:users, :index, [:admin]).should be_false
+    end
+
+    it 'should not pass' do
+      FileUtils.cp($source2, $target)
+      subject.allowed?(:users, :index, [:users]).should be_false
+      subject.allowed?(:users, :index, [:admin]).should be_true
+    end
+  end
+
+  context "with caching" do
+    def cached
+      $cached ||= Ixtlan::Guard::GuardNG.new(:guards_dir => File.dirname($target), 
+                                             :logger => $logger,
+                                             :cache => true)
+    end
+    subject { cached }
+
+    it 'should pass' do
+      FileUtils.cp($source1, $target)
+      subject.allowed?(:users, :index, [:users]).should be_true
+      subject.allowed?(:users, :index, [:admin]).should be_false
+    end
+
+    it 'should not pass' do
+      FileUtils.cp($source2, $target)
+      subject.allowed?(:users, :index, [:users]).should be_true
+      subject.allowed?(:users, :index, [:admin]).should be_false
+    end
+  end
+end

data/spec/guard_export_spec.rb

@@ -0,0 +1,161 @@
+require 'spec_helper'
+require 'ixtlan/guard/guard_ng'
+require 'logger'
+
+describe Ixtlan::Guard::GuardNG do
+
+  subject do
+    logger = Logger.new(STDOUT)
+    def logger.debug(&block)
+      info("\n\t[debug] " + block.call)
+    end
+    Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
+  end
+  
+  context '#permissions' do
+    
+    it 'should deny all without defaults but wildcard "*" actions' do
+      subject.permissions(['unknown_group']).should == [
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         {
+           :permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         #allow nothing
+         {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+    end
+    it 'should deny some without defaults but wildcard "*" actions' do
+      subject.permissions(['no_admin']).should == [
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>
+             [{:action=>{:name=>"edit"}},
+              {:action=>{:name=>"index"}},
+              {:action=>{:name=>"show"}}],
+             :deny=>false #allow
+           }
+         },
+         {
+           :permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         #allow nothing
+         {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+    end
+    it 'should allow "root"' do
+      subject.permissions(['root']).should == [
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"no_defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"defaults", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"person", :actions=>[], :deny=>true}},
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>true}}]
+    end   
+    it 'should allow with default group' do
+      subject.permissions(['_master']).should == [
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         {
+           :permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"show"}}, 
+                          {:action=>{:name=>"destroy"}}],
+             :deny=>true
+           }
+         },
+         #allow nothing
+         {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+    end 
+    it 'should allow with non-default group' do
+      subject.permissions(['_admin']).should == [
+         #allow nothing
+         {:permission=>{:resource=>"users", :actions=>[], :deny=>false}},
+         {:permission=>
+           {
+             :resource=>"no_defaults",
+             :actions=>[{:action=>{:name=>"index"}}],
+             :deny=>false #allow
+           }
+         },
+         {
+           :permission=>
+           {
+             :resource=>"defaults",
+             :actions=>[{:action=>{:name=>"edit"}}, 
+                        {:action=>{:name=>"index"}}, 
+                        {:action=>{:name=>"show"}}],
+             :deny=>false # allow
+           }
+         },
+         #allow nothing
+         {:permission=>{:resource=>"person", :actions=>[], :deny=>false}},
+         #allow nothing
+         {:permission=>{:resource=>"accounts", :actions=>[], :deny=>false}}]
+    end
+  end
+
+  context '#permission_map' do
+    it 'should export' do
+      pending "check expectations before implementing specs"
+      subject.permission_map(['admin']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{}, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>{}, "show"=>nil}}
+      
+      subject.permission_map(['manager']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>{}}}
+      
+      subject.permission_map(['manager', 'admin']).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{}, "index"=>{}}, "accounts"=>{"defaults"=>nil, "destroy"=>{}, "show"=>{}}}
+      
+      subject.permission_map(['users']).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
+    end
+    
+    it 'should export with flavor' do
+      pending "check expectations before implementing specs"
+      
+      flavors = { 'admin' => ['example', 'dummy'], 'manager' => ['example', 'master'] }
+      
+      domains = Proc.new do |groups|
+        groups.collect do |g|
+          flavors[g] || []
+        end.flatten.uniq
+      end
+      
+      subject.permission_map(['admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "index"=>{'domains'=>["example", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{'domains'=>["example", "dummy"]}, "show"=>nil}}
+      
+      subject.permission_map(['manager'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>{"domains"=>["example", "master"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>{"domains"=>["example", "master"]}}}
+      
+      subject.permission_map(['manager', 'admin'], 'domains' => domains).should == {"users"=>{"defaults"=>nil}, "person"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "index"=>{"domains"=>["example", "master", "dummy"]}}, "accounts"=>{"defaults"=>nil, "destroy"=>{"domains"=>["example", "dummy"]}, "show"=>{"domains"=>["example", "master"]}}}
+      
+      subject.permission_map(['users'], 'domains' => domains).should == {"users"=>{"defaults"=>{}}, "person"=>{"defaults"=>nil, "destroy"=>nil, "index"=>nil}, "accounts"=>{"defaults"=>nil, "destroy"=>nil, "show"=>nil}}
+    end
+  end
+end

data/spec/guard_spec.rb

@@ -1,130 +1,89 @@
 require 'spec_helper'
-require 'ixtlan/guard'
-
-describe Ixtlan::Guard do
-
-  before :all do
-    @guard = Ixtlan::Guard::Guard.new(:guard_dir => File.join(File.dirname(__FILE__), "guards") )
-
-    @guard.setup
-    @current_user = Object.new
-    def @current_user.groups(g = nil)
-      if g
-        @groups = g.collect do |gg|
-          group = Object.new
-          def group.name(name =nil)
-            @name = name if name
-            @name
-          end
-          group.name(gg)
-          group
-        end
-      end
-      @groups || []
-    end
+require 'ixtlan/guard/guard_ng'
+require 'logger'
+
+describe Ixtlan::Guard::GuardNG do
 
-    @controller = Object.new
-    def @controller.current_user(u = nil)
-      @u = u if u
-      @u
+  subject do
+    logger = Logger.new(STDOUT)
+    def logger.debug(&block)
+      info("\n\t[debug] " + block.call)
     end
-    @controller.current_user( @current_user )
+    Ixtlan::Guard::GuardNG.new(:guards_dir => File.join(File.dirname(__FILE__), "guards"), :logger => logger )
   end
 
   it 'should fail with missing guard dir' do
-    lambda {Ixtlan::Guard::Guard.new(:guard_dir => "does_not_exists").setup }.should raise_error(Ixtlan::Guard::GuardException)
+    lambda {Ixtlan::Guard::GuardNG.new(:guards_dir => "does_not_exists") }.should raise_error(Ixtlan::Guard::GuardException)
   end
 
   it 'should initialize' do
-    @guard.should_not be_nil
-  end
-
-  it 'should fail check without current user' do
-    controller = Object.new
-    def controller.current_user
-    end
-    @guard.check(controller, :none, :something).should be_false
+    subject.should_not be_nil
   end
 
-  it 'should pass check with user being root' do
-    @current_user.groups([:root])
-    @guard.check(@controller, :users, :show).should be_true
+  it 'should fail without groups' do
+    subject.allowed?(:users, :something, []).should be_false
   end
 
-  it 'should not pass check with user - no groups' do
-    @current_user.groups([])
-    @guard.check(@controller, :users, :show).should be_false
+  it 'should pass with user being root' do
+    subject.allowed?(:users, :show, [:root]).should be_true
   end
 
-  it 'should pass unguarded check with user - no groups' do
-    @current_user.groups([])
-    @guard.check(@controller, :users, :index).should be_true
+  it 'should pass "allow all groups" with user with any groups' do
+    subject.allowed?(:users, :index, [:any]).should be_true
   end
 
-  it 'should pass check with user on aliased action' do
-    @current_user.groups([:users])
-    @guard.check(@controller, :users, :edit).should be_true
+  it 'should pass' do
+    subject.allowed?(:users, :update, [:users]).should be_true
   end
 
-  it 'should pass check with user' do
-    @current_user.groups([:users])
-    @guard.check(@controller, :users, :update).should be_true
-  end
-
-  it 'should not pass check with user when in blocked group' do
-    @current_user.groups([:users])
-    @guard.block_groups([:users])
+  it 'should not pass with user when in blocked group' do
+    subject.block_groups([:users])
     begin
-      @guard.check(@controller, :users, :update).should be_false
+      subject.allowed?(:users, :update, [:users]).should be_false
     ensure
-      @guard.block_groups([])
+      subject.block_groups([])
     end
   end
 
-  it 'should pass check with user when not in blocked group' do
-    @current_user.groups([:users])
-    @guard.block_groups([:accounts])
+  it 'should pass with user when not in blocked group' do
+    subject.block_groups([:accounts])
     begin
-      @guard.check(@controller, :users, :update).should be_true
+      subject.allowed?(:users, :update, [:users]).should be_true
     ensure
-      @guard.block_groups([])
+      subject.block_groups([])
     end
   end
 
-  it 'should pass check with root-user when not in blocked group' do
-    @current_user.groups([:root])
-    @guard.block_groups([:root])
+  it 'should not block root group' do
+    subject.block_groups([:root])
     begin
-      @guard.check(@controller, :users, :update).should be_true
+      subject.allowed?(:users, :update, [:root]).should be_true
     ensure
-      @guard.block_groups([])
+      subject.block_groups([])
     end
   end
 
-  it 'should not pass check with user' do
-    @current_user.groups([:accounts])
-    @guard.check(@controller, :users, :update).should be_false
+  it 'should not pass' do
+    subject.allowed?(:users, :update, [:accounts]).should be_false
+  end
+
+  it 'should should use defaults on unknown action' do
+    subject.allowed?(:users, :unknow, [:users]).should be_true
   end
 
-  it 'should pass check with user with passing extra check' do
-    @current_user.groups([:users])
-    @guard.check(@controller, :users, :update) do |g|
-      true
-    end.should be_true
+  it 'should pass with right group and allowed flavor' do
+    subject.allowed?(:users, :update, [:users], :example){ |g| [:example]}.should be_true
   end
 
-  it 'should not pass check with user with failing extra check' do
-    @current_user.groups([:users])
-    @guard.check(@controller, :users, :update) do |g|
-      false
-    end.should be_false
+  it 'should not pass with wrong group but allowed flavor' do
+    subject.allowed?(:users, :update, [:accounts], :example){ |g| [:example]}.should be_false
   end
 
-  it 'should raise exception on unknown action' do
-    lambda {@guard.check(@controller, :users, :unknown_action) }.should raise_error(Ixtlan::Guard::GuardException)
+  it 'should not pass with wrong group but disallowed flavor' do
+    subject.allowed?(:users, :update, [:accounts], :example){ |g| []}.should be_false
   end
 
-  it 'should raise exception on unknown resource' do
-    lambda {@guard.check(@controller, :unknown_resource, :update) }.should raise_error(Ixtlan::Guard::GuardException)
+  it 'should not pass with right group and disallowed flavor' do
+    subject.allowed?(:users, :update, [:users], :example){ |g| []}.should be_false
   end
 end

data/spec/guards/accounts_guard.yml

@@ -0,0 +1,6 @@
+accounts: 
+  defaults: 
+  -  group
+  destroy:
+  - admin 
+  show: [manager, guest]

data/spec/guards/defaults_guard.yml

@@ -0,0 +1,6 @@
+defaults:
+  defaults: [_master]
+  edit: [_admin, _master]
+  index: [*]
+  show: [_admin]
+  destroy: 

data/spec/guards/no_defaults_guard.yml

@@ -0,0 +1,5 @@
+no_defaults:
+  edit: [no_admin, no_master]
+  index: [*]
+  show: [no_admin]
+  destroy: 

data/spec/guards/person_guard.yml

@@ -0,0 +1,7 @@
+person: 
+  defaults: 
+  -  group1
+  -  group2  
+  destroy:
+  -  admin
+  index: [admin, manager, guest]

data/spec/guards/users1_guard.yml

@@ -0,0 +1,2 @@
+users:
+  defaults: [users]

data/spec/guards/users2_guard.yml

@@ -0,0 +1,3 @@
+users:
+  defaults: [users]
+  index: [admin]

data/spec/guards/users_guard.yml

@@ -0,0 +1,3 @@
+users:
+  defaults: [users]
+  index: [*]

metadata

@@ -2,7 +2,7 @@
 name: ixtlan-guard
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors: 
   - mkristian
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-08-06 00:00:00 +05:30
+date: 2011-09-05 00:00:00 +05:30
 default_executable: 
 dependencies: 
   - !ruby/object:Gem::Dependency 
@@ -19,9 +19,12 @@ dependencies:
     requirement: &id001 !ruby/object:Gem::Requirement 
       none: false
       requirements: 
-        - - "="
+        - - ">="
+          - !ruby/object:Gem::Version 
+            version: 0.6.0
+        - - <
           - !ruby/object:Gem::Version 
-            version: 0.5.0
+            version: 0.6.99999
     type: :runtime
     version_requirements: *id001
   - !ruby/object:Gem::Dependency 
@@ -96,8 +99,7 @@ files:
   - lib/generators/guard/controller/controller_generator.rb
   - lib/generators/guard/scaffold/USAGE
   - lib/generators/guard/scaffold/scaffold_generator.rb
-  - lib/generators/guard/scaffold/templates/guard.rb
-  - lib/generators/guard/templates/guard.rb
+  - lib/generators/guard/templates/guard.yml
   - lib/generators/ixtlan/user_management_scaffold/user_management_scaffold_generator.rb
   - lib/generators/ixtlan/user_management_controller/USAGE
   - lib/generators/ixtlan/user_management_controller/user_management_controller_generator.rb
@@ -114,26 +116,34 @@ files:
   - lib/generators/active_record/templates/group_user_migration.rb
   - lib/generators/active_record/templates/flavor_model.rb
   - lib/ixtlan/guard.rb
-  - lib/ixtlan/guard/rails_integration.rb
-  - lib/ixtlan/guard/guard.rb
+  - lib/ixtlan/guard/guard_ng.rb
+  - lib/ixtlan/guard/guard_config.rb
+  - lib/ixtlan/guard/guard_rails.rb
   - lib/ixtlan/guard/railtie.rb
   - lib/ixtlan/guard/controllers/maintenance_controller.rb
   - lib/ixtlan/guard/controllers/permissions_controller.rb
   - lib/ixtlan/guard/spec/user_management_models_spec.rb
   - lib/ixtlan/guard/models/maintenance.rb
   - lib/ixtlan/guard/models/user_update_manager.rb
+  - spec/guard_export_spec.rb
   - spec/spec_helper.rb
+  - spec/guard_cache_spec.rb
   - spec/guard_spec.rb
   - spec/railtie_spec.rb
-  - spec/guards/users_guard.rb
+  - spec/guards/users_guard.yml
+  - spec/guards/users2_guard.yml
+  - spec/guards/no_defaults_guard.yml
+  - spec/guards/defaults_guard.yml
+  - spec/guards/users1_guard.yml
+  - spec/guards/person_guard.yml
+  - spec/guards/accounts_guard.yml
 has_rdoc: true
 homepage: http://github.com/mkristian/ixtlan-guard
 licenses: 
   - MIT-LICENSE
 post_install_message: 
-rdoc_options: 
-  - --main
-  - README.textile
+rdoc_options: []
+
 require_paths: 
   - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
@@ -156,5 +166,7 @@ signing_key:
 specification_version: 3
 summary: guard your controller actions
 test_files: 
+  - spec/guard_export_spec.rb
+  - spec/guard_cache_spec.rb
   - spec/guard_spec.rb
   - spec/railtie_spec.rb

data/lib/generators/guard/scaffold/templates/guard.rb

@@ -1,20 +0,0 @@
-class <%= guard_class_name %>Guard
-  def initialize(guard)
-    #guard.name = "<%= plural_file_name %>"
-<% if aliases -%>
-    guard.aliases = <%= aliases.inspect %>
-<% end -%>
-    guard.action_map= {
-<% case actions
-   when Array
-     for action in actions -%>
-       :<%= action %> => [],
-<%   end 
-   when Hash
-     actions.each do |action, groups| -%>
-      :<%= action %> => <%= groups.inspect %>,
-<%   end
-   end -%>
-    }
-  end
-end

data/lib/generators/guard/templates/guard.rb

@@ -1,20 +0,0 @@
-class <%= guard_class_name %>Guard
-  def initialize(guard)
-    #guard.name = "<%= plural_file_name %>"
-<% if aliases -%>
-    guard.aliases = <%= aliases.inspect %>
-<% end -%>
-    guard.action_map= {
-<% case actions
-   when Array
-     for action in actions -%>
-       :<%= action %> => [],
-<%   end 
-   when Hash
-     actions.each do |action, groups| -%>
-      :<%= action %> => <%= groups.inspect %>,
-<%   end
-   end -%>
-    }
-  end
-end

data/lib/ixtlan/guard/guard.rb

@@ -1,247 +0,0 @@
-module Ixtlan
-  module Guard
-    class ControllerGuard
-      
-      attr_accessor :name, :action_map, :aliases, :flavor
-
-      def initialize(name)
-        @name = name.sub(/_guard$/, '').to_sym
-        class_name = name.split(/\//).collect { |part| part.split("_").each { |pp| pp.capitalize! }.join }.join("::")
-        Object.const_get(class_name).new(self)
-      end
-
-      def flavor=(flavor)
-        @flavor = flavor.to_sym
-      end
-
-      def name=(name)
-        @name = name.to_sym
-      end
-
-      def aliases=(map)
-        @aliases = symbolize(map)
-      end
-
-      def action_map=(map)
-        @action_map = symbolize(map)
-      end
-
-      private
-
-      def symbolize(h)
-        result = {}
-        
-        h.each do |k, v|
-          if v.is_a?(Hash)
-            result[k.to_sym] = symbolize_keys(v) unless v.size == 0
-          elsif v.is_a?(Array)
-            val = []
-            v.each {|vv| val << vv.to_sym }
-            result[k.to_sym] = val
-          else
-            result[k.to_sym] = v.to_sym
-          end
-        end
-        
-        result
-      end
-
-    end
-
-    class Guard 
-
-      attr_accessor :logger, :guard_dir, :superuser, :groups_of_current_user
-
-      def initialize(options, &block)
-        @superuser = (options[:superuser] || :root).to_sym
-        @guard_dir = options[:guard_dir] || File.join("app", "guards")
-        @user_groups = (options[:user_groups] || :groups).to_sym
-        @user_groups_name = (options[:user_groups_name] || :name).to_sym
-        
-        @map = {}
-        @aliases = {}
-        @flavor_map = {}
-
-        @groups_of_current_user =
-          if block
-            block
-          else
-            Proc.new do |controller|
-              # get the groups of the current_user
-              user = controller.send(:current_user) if controller.respond_to?(:current_user)
-              if user
-                (user.send(@user_groups) || []).collect do |group|
-                  name = group.send(@user_groups_name)
-                  name.to_sym if name
-                end
-              end
-            end
-          end
-      end
-
-      def logger
-        @logger ||= if defined?(Slf4r::LoggerFactory)
-                      Slf4r::LoggerFactory.new(Ixtlan::Guard)
-                    else
-                      require 'logger'
-                      Logger.new(STDOUT)
-                    end
-      end
-
-      def setup
-        if File.exists?(@guard_dir)
-          Dir.new(guard_dir).to_a.each do |f|
-            if f.match(".rb$")
-              require(File.join(guard_dir, f))
-              controller_guard = ControllerGuard.new(f.sub(/.rb$/, ''))
-              register(controller_guard)
-            end
-          end
-          logger.debug("initialized guard . . .")
-        else
-          raise GuardException.new("guard directory #{guard_dir} not found, skip loading")
-        end
-      end
-
-      private
-
-      def register(controller_guard)
-        msg = (controller_guard.aliases || {}).collect {|k,v| "\n\t#{k} == #{v}"} + controller_guard.action_map.collect{ |k,v| "\n\t#{k} => [#{v.join(',')}]"}
-        logger.debug("#{controller_guard.name} guard: #{msg}")
-        @map[controller_guard.name] = controller_guard.action_map
-        @aliases[controller_guard.name] = controller_guard.aliases || {}
-        @flavor_map[controller_guard.name] = controller_guard.flavor if controller_guard.flavor
-      end
-
-      public
-
-      def flavor(controller)
-        @flavor_map[controller.params[:controller].to_sym]
-      end
-
-      def block_groups(groups)
-        @blocked_groups = (groups || []).collect { |g| g.to_sym}
-        @blocked_groups.delete(@superuser)
-        @blocked_groups
-      end
-
-      def blocked_groups
-        @blocked_groups ||= []
-      end
-
-      def current_user_restricted?(controller)
-        groups =  @groups_of_current_user.call(controller)
-        if groups
-          #        groups.select { |g| !blocked_groups.member?(g.to_sym) }.size < groups.size
-          (groups - blocked_groups).size < groups.size
-        else
-          nil
-        end
-      end
-      
-      def permissions(controller)
-        groups = (@groups_of_current_user.call(controller) || []).collect do
-          |g| g.to_sym
-        end
-        map = {}
-        @map.each do |resource, action_map|
-          action_map.each do |action, allowed|
-            if allowed.member? :*
-              allowed = groups.dup
-            end
-            allowed << @superuser unless allowed.member? @superuser
-            
-            # intersection of allowed and groups empty ?
-            if (allowed - groups).size < allowed.size
-              permission = (map[resource] ||= {})
-              permission[:resource] = resource
-              actions = (permission[:actions] ||= [])
-              action_node = {:name => action}
-              flavors.each do |flavor, block|
-                flavor_list = []
-                (allowed - (allowed - groups)).each do |group|
-                  list = block.call(controller, group) 
-                  # union - no duplicates
-                  flavor_list = flavor_list - list + list
-                end
-                action_node[flavor.to_s.sub(/s$/, '') + "s"] = flavor_list if flavor_list.size > 0
-              end
-              actions << { :action => action_node }
-              actions << @aliases[resource][action] if @aliases[resource][action]
-            end
-          end
-        end
-
-        result = map.values.collect do |perm|
-          { :permission => perm }
-        end
-        result.class_eval "alias :to_x :to_xml" unless map.respond_to? :to_x
-        def result.to_xml(options = {}, &block)
-          options[:root] = :permissions unless options[:root]
-          to_x(options, &block)
-        end
-
-        def result.to_json(options = {}, &block)
-          {:permissions => self}.to_json(options, &block)
-        end
-        result
-      end
-
-      def flavors
-        @flavors ||= {}
-      end
-
-      def register_flavor(flavor, &block)
-        flavors[flavor.to_sym] = block
-      end
-
-      def check(controller, resource, action, flavor_selector = nil, &block)
-        resource = resource.to_sym
-        action = action.to_sym
-        groups =  @groups_of_current_user.call(controller)
-        if groups.nil?
-          logger.debug("check #{resource}##{action}: not authenticated")
-          return false 
-        end
-        if (@map.key? resource)
-          action = @aliases[resource][action] || action
-          allowed = @map[resource][action]
-          if (allowed.nil?)
-            logger.warn("unknown action '#{action}' for controller '#{resource}'")
-            raise ::Ixtlan::Guard::GuardException.new("unknown action '#{action}' for controller '#{resource}'")
-          else
-            allowed << @superuser unless allowed.member? @superuser
-            allow_all_groups = allowed.member?(:*) 
-            if(allow_all_groups && block.nil?)
-              logger.debug("check #{resource}##{action}: allowed for all")
-              return true
-            else
-              groups.each do |group|
-                if (allow_all_groups || allowed.member?(group.to_sym)) && !blocked_groups.member?(group.to_sym)
-                  flavor_for_resource = flavors[@flavor_map[resource]]
-                  if block.nil?
-                    if(flavor_for_resource && flavor_for_resource.call(controller, group).member?(flavor_selector.to_s) || flavor_for_resource.nil?)
-                      logger.debug("check #{resource}##{action}: true")
-                      return true
-                    end
-                  elsif block.call(group)
-                    logger.debug("check #{resource}##{action}: true")
-                    return true
-                  end
-                end
-              end
-            end
-            logger.debug("check #{resource}##{action}: false")
-            return false
-          end
-        else
-          logger.warn("unknown controller for '#{resource}'")
-          raise ::Ixtlan::Guard::GuardException.new("unknown controller for '#{resource}'")
-        end
-      end
-    end
-
-    class GuardException < Exception; end
-    class PermissionDenied < GuardException; end
-  end
-end

data/lib/ixtlan/guard/rails_integration.rb

@@ -1,88 +0,0 @@
-require 'ixtlan/guard'
-module Ixtlan
-  module ActionController #:nodoc:
-    module Guard #:nodoc:
-      def self.included(base)
-        base.send(:include, InstanceMethods)
-      end
-      module InstanceMethods #:nodoc:
-
-        protected
-
-        def guard
-          Rails.application.config.guard
-        end
-
-        def authorization(flavor = nil, &block)
-          if flavor.nil?
-            flavor = guard.flavor(self)
-            if flavor 
-              method = "#{flavor}_authorization".to_sym
-              if self.respond_to?(method)
-                return send "#{flavor}_authorization".to_sym, &block
-              else
-                logger.warn "flavor #{flavor} configured in guard, but there is not method '#{method}'"
-                flavor = nil
-              end
-            end
-          end
-          resource_authorization(params[:controller], params[:action], flavor, &block)
-        end
-
-        def resource_authorization(resource, action, flavor = nil, &block)
-          unless guard.check(self, 
-                             resource, 
-                             action, 
-                             &flavored_block(flavor, &block))
-            raise ::Ixtlan::Guard::PermissionDenied.new("permission denied for '#{resource}##{action}'")
-          end
-          true
-        end
-
-        def flavored_block(flavor = nil, &block)
-          if block
-            if flavor
-              Proc.new do |group|
-                allowed_flavors = guard.flavors[flavor.to_sym].call(self, group)
-                block.call(allowed_flavors)
-              end
-            else
-              block
-            end
-          end
-        end
-
-        private :flavored_block
-
-        def allowed?(action, flavor = nil, &block)
-          guard.check(self, 
-                      params[:controller], 
-                      action, 
-                      &flavored_block(flavor, &block))
-        end
-      end
-    end
-  end
-
-  module Allowed #:nodoc:
-    # Inclusion hook to make #allowed available as method
-    def self.included(base)
-      base.send(:include, InstanceMethods)
-    end
-
-    module InstanceMethods #:nodoc:
-      def allowed?(resource, action, flavor_selector = nil, &block)
-        controller.send(:guard).check(controller, resource, action, flavor_selector, &block)
-      end
-    end
-  end
-end
-
-ActionController::Base.send(:include, Ixtlan::ActionController::Guard)
-ActionController::Base.send(:before_filter, :authorization)
-ActionView::Base.send(:include, Ixtlan::Allowed)
-module Erector
-  class Widget
-    include Ixtlan::Allowed
-  end
-end

data/spec/guards/users_guard.rb

@@ -1,13 +0,0 @@
-class UsersGuard
-  def initialize(guard)
-    guard.name = "users"
-    guard.aliases= {:edit => :update}
-    guard.action_map= {
-      :index => [:*],
-      :show => [:users],
-      :create => [:users],
-      :update => [:users],
-      :destroy => [:users]
-    }
-  end
-end