ixtlan-user-management 0.1.3 → 0.2.0

data/lib/ixtlan/user_management/{session_plugin.rb → guard.rb}

@@ -18,35 +18,46 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'ixtlan/user_management/authenticator'
-
+require 'ixtlan/user_management/permission_model'
 module Ixtlan
   module UserManagement
-    module SessionPlugin
+    class Guard
+      METHODS = {
+        :post => 'create',
+        :get => 'retrieve',
+        :put => 'update',
+        :delete => 'delete'
+      }
 
-      module ClassMethods
-        def authenticator
-          self[ :authenticator ] ||= Authenticator.new( self[ :rest ] )
-        end
+      def allow?( resource ,method, association = nil )
+        perm = permissions( resource )
+        (perm.associations.empty? || 
+          perm.associations.include?( association.to_s ) ) && 
+          perm.allow?( METHODS[ method ] ) #TODO, associations )
       end
 
-      def log( msg )
-        if self.respond_to? :audit
-          audit( msg, { :username => login } )
-        else
-          warn( "[#{login}] #{msg}" )
+      def associations( resource, method )
+        perm = permissions( resource )
+        unless perm.associations.empty?
+          perm.associations
         end
+        # TODO method 
       end
-  
-      def login_and_password
-        source = parse_request_body
-        source = req if source && source.empty?
-        auth = source[ 'authentication' ] || source
-        [ auth[ 'login' ] || auth[ 'email' ], auth[ 'password' ] ]
+      
+      def all_permissions
+        @permissions.values
+      end
+
+      def permissions( resource )
+        @permissions ||= {}
+        @permissions[ resource ] ||= Permission.new( :resource => resource )
       end
       
-      def login
-        login_and_password[ 0 ]
+      def permission( resource, *associations, &block ) 
+        current = permissions( resource )
+        current.associations = associations unless associations.empty?
+        block.call current if block
+        current
       end
     end
   end

data/lib/ixtlan/user_management/permission_model.rb

@@ -0,0 +1,79 @@
+#
+# Copyright (C) 2013 Christian Meier
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'virtus'
+module Ixtlan
+  module UserManagement
+    class Action   
+      include Virtus
+      
+      attribute :verb, String
+      attribute :name, String
+#      attribute :associations, Array[String]
+    end
+    class Permission   
+      include Virtus
+      
+      METHODS = [ :allow_retrieve, 
+                  :allow_create, 
+                  :allow_update, 
+                  :allow_delete ]
+      
+      attribute :resource, String
+      attribute :actions, Array[Action], :default => []
+      attribute :allow, Boolean, :default => true
+      attribute :associations, Array[String]
+      
+      def allow?( method )#TODO, association = nil )
+        action = self.actions.detect { |a| a.name == method }
+        if self.allow 
+          ! action.nil? #TODO && ( associations.nil || action.associations.include?( association ) )
+        else
+          action.nil? #TODO associations
+        end
+      end
+
+      def allow_all
+        self.allow = false
+        self.actions.clear
+      end
+
+      def deny_all
+        self.allow = true
+        self.actions.clear
+      end
+
+      def allow_mutate( *associations )
+        allow_retrieve( *associations )
+        allow_create( *associations )
+        allow_update( *associations )
+      end
+      
+      def method_missing( method, *args )
+        if METHODS.include?( method )
+          actions << Action.new( :name => method.to_s.sub( /allow_/, '' ),
+                                 :associations => args )
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/ixtlan/user_management/session_cuba.rb

@@ -64,10 +64,11 @@ module Ixtlan
             # be compliant with rack-protection and rack-csrf
             csrf = session[ :csrf ] || session[ "csrf.token" ]
             res[ 'X-CSRF-TOKEN' ] = csrf if csrf
+            # self.class.sessions is from CubaApi::CurrentUser
             write self.class.sessions.create( user )
           else
             log "access denied"
-            head :forbidden # 403
+            no_body :forbidden # 403
           end
         end
         

data/lib/ixtlan/user_management/session_model.rb

@@ -19,6 +19,7 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'virtus'
+require 'ixtlan/user_management/permission_model'
 module Ixtlan
   module UserManagement
     class Session
@@ -26,7 +27,7 @@ module Ixtlan
 
       attribute :idle_session_timeout, Integer, :default => 30
       attribute :user, User
-      attribute :permissions, Array[Object]
+      attribute :permissions, Array[Permission]
 
       def to_s
         "Session( #{user.name}<#{user.login}> groups:[ #{user.groups.collect { |g| g.name }.join ',' } ] idle_timeout:#{idle_session_timeout} )"

data/lib/ixtlan/user_management/session_serializer.rb

@@ -26,10 +26,12 @@ module Ixtlan
       root 'session'
 
       add_context( :single,
-                   :only => [ :idle_session_timeout ],
+                   :only => [],
+                   :methods => [:idle_session_timeout ],
                    :include => { 
                      :user => {
-                       :only => [ :id, :login, :name ]
+                       :only => [],
+                       :methods => [ :id, :login, :name ]
                      },
                      :permissions => {
                        :include => [ :actions, :associations ]

data/lib/ixtlan/user_management/user_serializer.rb

@@ -24,12 +24,14 @@ module Ixtlan
     class UserSerializer < Ixtlan::Babel::Serializer
 
       add_context(:session,
-                  :only => [:login, :name],
+                  :only => [],
+                  :methods => [:login, :name],
                   :include=> { 
                     :groups => {
-                      :only => [:name]
+                      :only => [],
+                      :methods => [:name]
                     }
                   })
     end
   end
-end
+end

data/spec/guard_spec.rb

@@ -0,0 +1,110 @@
+# -*- coding: utf-8 -*-
+require File.expand_path( File.join( File.dirname( __FILE__ ),
+                                     'spec_helper.rb' ) )
+
+require 'ixtlan/user_management/guard'
+
+describe Ixtlan::UserManagement::Guard do
+
+  subject { Ixtlan::UserManagement::Guard.new }
+
+  let( :root ) do
+    unless u = Ixtlan::UserManagement::User.first
+      u = Ixtlan::UserManagement::User.create( :login => 'root',
+                                               :name => 'Root',
+                                               :updated_at => DateTime.now )
+      u.groups << Ixtlan::UserManagement::Group.create( :name => 'root' )
+    end
+    u
+  end
+
+  let( :resources ) { %w( audits errors configuration ) }
+
+  before do
+    %w( audits errors configuration ).each do |resource|
+      subject.permission( resource ).deny_all
+    end
+  end
+
+  it 'allows all' do
+    subject.all_permissions.each { |p| p.allow_all }
+    
+    [ :get, :post, :put, :delete ].each do |m|
+      %w( audits errors configuration ).each do |resource|
+        [ 'domain1', nil ].each do |asso|
+          subject.allow?( resource, m, asso ).must_equal true
+        end
+      end
+    end
+  end
+
+  it 'allows all with associations' do
+    subject.all_permissions.each do |p| 
+      p.allow_all
+      p.associations = [ 'domain', 'nodomain' ]
+    end
+    
+    [ :get, :post, :put, :delete ].each do |m|
+      %w( audits errors configuration ).each do |resource|
+        [ 'something', nil ].each do |asso|
+          subject.allow?( resource, m, asso ).must_equal false
+        end
+      end
+    end
+    [ :get, :post, :put, :delete ].each do |m|
+      %w( audits errors configuration ).each do |resource|
+        subject.allow?( resource, m, 'domain' ).must_equal true
+      end
+    end
+  end
+
+  it 'denies all' do    
+    [ :get, :post, :put, :delete ].each do |m|
+      %w( audits errors configuration ).each do |resource|
+        [ 'domain', nil ].each do |asso|
+          subject.allow?( resource, m, asso ).must_equal false
+        end
+      end
+    end
+  end
+
+  Ixtlan::UserManagement::Permission::METHODS.each do |method|
+
+    it "#{method.to_s.sub( /_/, 's ')}" do
+      subject.all_permissions.each { |p| p.send method }
+    
+      #subject.all_permissions.each { |p| puts p.attributes.to_yaml }
+      meth = method.to_s.sub( /allow_/, '' )
+      [ :get, :post, :put, :delete ].each do |m|
+        %w( audits errors configuration ).each do |resource|
+          [ 'domain', nil ].each do |asso|
+            expected = Ixtlan::UserManagement::Guard::METHODS[ m ] 
+            subject.allow?( resource, m, asso ).must_equal (expected == meth)
+          end
+        end
+      end
+    end
+
+    it "#{method.to_s.sub( /_/, 's ')} with associations" do
+      subject.all_permissions.each do |p| 
+        p.send method
+        p.associations = [ 'domain', 'nodomain' ]
+      end
+    
+      meth = method.to_s.sub( /allow_/, '' )
+      [ :get, :post, :put, :delete ].each do |m|
+        %w( audits errors configuration ).each do |resource|
+          [ 'something', nil ].each do |asso|
+            subject.allow?( resource, m, asso ).must_equal false
+          end
+        end
+      end
+      [ :get, :post, :put, :delete ].each do |m|
+        %w( audits errors configuration ).each do |resource|
+          expected = Ixtlan::UserManagement::Guard::METHODS[ m ] 
+          subject.allow?( resource, m, 'domain' ).must_equal (expected == meth)
+        end
+      end
+    end
+  end
+end

data/spec/session_manager_spec.rb

@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+require File.expand_path( File.join( File.dirname( __FILE__ ),
+                                     'spec_helper.rb' ) )
+
+require 'ixtlan/user_management/session_manager'
+require 'ixtlan/user_management/user_resource'
+require 'ixtlan/user_management/group_model'
+
+describe Ixtlan::UserManagement::SessionManager do
+
+  subject { Ixtlan::UserManagement::SessionManager.new }
+
+  let( :user ) do
+    unless u = Ixtlan::UserManagement::User.first
+      u = Ixtlan::UserManagement::User.create( :login => 'root',
+                                               :name => 'Root',
+                                               :updated_at => DateTime.now )
+    end
+    u.groups = [ Ixtlan::UserManagement::Group.new( :name => 'root' ),
+                 Ixtlan::UserManagement::Group.new( :name => 'admin' )]
+    u
+  end
+
+  it 'roundtrip convert the session' do
+    expected = {
+      "login"=>"root",
+      "name"=>"Root",
+      "groups"=>[{"name"=>"root"},
+                 {"name"=>"admin"}]
+    }
+
+    data = subject.to_session( user )
+    data.must_equal expected
+
+    roundtrip = subject.from_session( data )
+    user.must_equal roundtrip
+  end
+
+end

data/spec/session_serializer_spec.rb

@@ -0,0 +1,155 @@
+# -*- coding: utf-8 -*-
+require File.expand_path( File.join( File.dirname( __FILE__ ),
+                                     'spec_helper.rb' ) )
+
+require 'ixtlan/user_management/session_model'
+require 'ixtlan/user_management/session_serializer'
+require 'ixtlan/user_management/guard'
+require 'ixtlan/babel/factory'
+
+describe Ixtlan::UserManagement::Session do
+
+  subject do
+    c = Ixtlan::UserManagement::Session.new
+    c.user = root
+    c
+  end
+
+  let( :root ) do
+    unless u = Ixtlan::UserManagement::User.first
+      u = Ixtlan::UserManagement::User.create( :login => 'root',
+                                               :name => 'Root',
+                                               :updated_at => DateTime.now )
+    end
+    u
+  end
+
+  let( :factory ) { Ixtlan::Babel::Factory.new }
+
+  let( :guard ) { Ixtlan::UserManagement::Guard.new }
+
+  it 'serializes without permissions' do
+    expected = {
+      "session"=>{"idle_session_timeout"=>30,
+        "user"=>{
+          "id"=>1,
+          "login"=>"root",
+          "name"=>"Root"
+        },
+        "permissions"=>[]
+      }
+    }
+    result = factory.new_serializer( subject ).to_hash
+    result.must_equal expected
+  end
+
+  it 'serializes with root permissions' do
+    %w( audits errors configuration ).each do |resource|
+      guard.permission( resource ).allow_all
+    end
+
+    subject.permissions = guard.all_permissions
+
+    expected = {
+      "session"=>{"idle_session_timeout"=>30,
+        "user"=>{
+          "id"=>1,
+          "login"=>"root",
+          "name"=>"Root"
+        },
+        "permissions"=>[{"resource"=>"audits",
+                          "actions"=>[],
+                          "allow"=>false,
+                          "associations"=>[]},
+                        {"resource"=>"errors",
+                          "actions"=>[],
+                          "allow"=>false,
+                          "associations"=>[]},
+                        {"resource"=>"configuration",
+                          "actions"=>[],
+                          "allow"=>false,
+                          "associations"=>[]}
+                       ]
+      }
+    }
+    result = factory.new_serializer( subject ).to_hash
+    result.must_equal expected
+  end
+
+  it 'serializes with some permissions' do
+    guard.permission( 'audits' ).allow_retrieve
+    guard.permission( 'errors' ).allow_create
+    guard.permission( 'configuration' ).allow_update
+    guard.permission( 'users' ).allow_delete
+
+    subject.permissions = guard.all_permissions
+
+    expected = {
+      "session"=>{"idle_session_timeout"=>30,
+        "user"=>{
+          "id"=>1,
+          "login"=>"root",
+          "name"=>"Root"
+        },
+        "permissions"=>[{"resource"=>"audits",
+                          "actions"=>[{"verb"=>nil,
+                                        "name"=>"retrieve"}],
+                          "allow"=>true,
+                          "associations"=>[]},
+                        {"resource"=>"errors",
+                          "actions"=>[{"verb"=>nil,
+                                        "name"=>"create"}],
+                          "allow"=>true,
+                          "associations"=>[]},
+                        {"resource"=>"configuration",
+                          "actions"=>[{"verb"=>nil,
+                                        "name"=>"update"}],
+                          "allow"=>true,
+                          "associations"=>[]},
+                        {"resource"=>"users",
+                          "actions"=>[{"verb"=>nil,
+                                        "name"=>"delete"}],
+                          "allow"=>true,
+                          "associations"=>[]}
+                       ]
+      }
+    }
+    result = factory.new_serializer( subject ).to_hash
+    result.must_equal expected
+  end
+
+  it 'serializes permissions with assoications' do
+    guard.permission( 'audits', 'domain' ).allow_mutate
+    guard.permission( 'users', 'nodomain', 'domain' ).allow_delete
+
+    subject.permissions = guard.all_permissions
+
+    expected = {
+      "session"=>{"idle_session_timeout"=>30,
+        "user"=>{
+          "id"=>1,
+          "login"=>"root",
+          "name"=>"Root"
+        },
+        "permissions"=>[{"resource"=>"audits",
+                          "actions"=>[{"verb"=>nil, 
+                                        "name"=>"retrieve"},
+                                      {"verb"=>nil,
+                                        "name"=>"create"},
+                                      {"verb"=>nil,
+                                        "name"=>"update"}],
+                          "allow"=>true,
+                          "associations"=>["domain"]},
+                        {"resource"=>"users",
+                          "actions"=>[{"verb"=>nil,
+                                        "name"=>"delete"}],
+                          "allow"=>true,
+                          "associations"=>["nodomain", "domain"]}
+                       ]
+      }
+    }
+    result = factory.new_serializer( subject ).to_hash
+    result.must_equal expected
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,40 @@
+# single spec setup
+$LOAD_PATH.unshift File.join( File.dirname( File.expand_path( File.dirname( __FILE__ ) ) ),
+                              'lib' )
+
+begin
+  require 'minitest'
+rescue LoadError
+end
+require 'minitest/autorun'
+
+require 'dm-timestamps'
+require 'dm-migrations'
+require 'dm-validations'
+#DataMapper::Logger.new(STDOUT, :debug)
+
+#require 'ixtlan/session'
+require 'ixtlan/user_management/user_resource'
+require 'ixtlan/audit/resource'
+require 'ixtlan/errors/resource'
+require 'ixtlan/remote'
+require 'ixtlan/gettext'
+
+require 'ixtlan/configuration/resource'
+
+DataMapper.setup :default, 'sqlite3::memory:'
+DataMapper.finalize
+
+# single entry in pool for the memory sqlite3
+# otherwise sqlite3 sometimes does not find certain tables :(
+class DataObjects::Pooling::Pool
+
+  alias :initialize_old :initialize
+
+  def initialize(max_size, resource, args)
+    initialize_old( 1, resource, args)
+  end
+end
+
+DataObjects::Pooling.pools
+DataMapper.auto_migrate!

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ixtlan-user-management
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-01 00:00:00.000000000 Z
+date: 2013-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -27,6 +27,22 @@ dependencies:
     none: false
   prerelease: false
   type: :runtime
+- !ruby/object:Gem::Dependency
+  name: virtus
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.5'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.5'
+    none: false
+  prerelease: false
+  type: :runtime
 - !ruby/object:Gem::Dependency
   name: rake
   version_requirements: !ruby/object:Gem::Requirement
@@ -91,6 +107,118 @@ dependencies:
     none: false
   prerelease: false
   type: :development
+- !ruby/object:Gem::Dependency
+  name: dm-timestamps
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+    none: false
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency
+  name: dm-validations
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+    none: false
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency
+  name: ixtlan-audit
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency
+  name: ixtlan-error-handler
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency
+  name: ixtlan-remote
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency
+  name: ixtlan-gettext
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency
+  name: ixtlan-configuration
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  prerelease: false
+  type: :development
 - !ruby/object:Gem::Dependency
   name: json
   version_requirements: !ruby/object:Gem::Requirement
@@ -143,11 +271,12 @@ files:
 - lib/ixtlan/user_management/session_cuba.rb
 - lib/ixtlan/user_management/session_model.rb
 - lib/ixtlan/user_management/dummy_authentication.rb
-- lib/ixtlan/user_management/session_plugin.rb
 - lib/ixtlan/user_management/authenticator.rb
 - lib/ixtlan/user_management/user_serializer.rb
 - lib/ixtlan/user_management/session_manager.rb
 - lib/ixtlan/user_management/session_serializer.rb
+- lib/ixtlan/user_management/permission_model.rb
+- lib/ixtlan/user_management/guard.rb
 - lib/ixtlan/user_management/authentication_model.rb
 - lib/ixtlan/user_management/application_model.rb
 - lib/ixtlan/user_management/group_model.rb
@@ -155,6 +284,10 @@ files:
 - lib/ixtlan/user_management/user_model.rb
 - lib/ixtlan/user_management/application_resource.rb
 - lib/ixtlan/user_management/user_resource.rb
+- spec/session_serializer_spec.rb
+- spec/guard_spec.rb
+- spec/session_manager_spec.rb
+- spec/spec_helper.rb
 - MIT-LICENSE
 - README.md
 - Gemfile
@@ -183,4 +316,7 @@ rubygems_version: 1.8.24
 signing_key:
 specification_version: 3
 summary: helper for managing users with login/password
-test_files: []
+test_files:
+- spec/session_serializer_spec.rb
+- spec/guard_spec.rb
+- spec/session_manager_spec.rb