jrun-rails_doorman 0.0.1

data/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2008 Michael D. Ivey <ivey@gweezlebur.com>
+Copyright (c) 2009 Jeremy Burks <jeremy.burks@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,88 @@
+== rails_doorman
+
++rails_doorman+ is an authorization plugin for Ruby on Rails
+applications.
+
+This code was orignally written by Michael D. Ivey for Merb.
+
+== Resources
+
+Development
+
+* http://github.com/jrun/rails_doorman
+
+Source
+
+* git://github.com/jrun/rails_doorman.git
+
+Bugs
+
+* http://github.com/jrun/rails_doorman/issues
+
+== Usage
+
+=== Controllers
+
+  class Admin::ArticlesController < AdminController
+    allow :role => :admin
+  end
+
+  allow :role => :admin                         # current_user.has_role?(:admin)
+  deny :role => :troll 
+  allow :role => :admin, :exclude => :show
+  allow :role => :troll, :only => :index
+
++rails_doorman+ supports more than roles.
+
+  allow :user => :nancy                     # current_user.login.to_sym == 'nancy'.to_sym
+  allow :host => 'allowed.example.org'      # request.host =~ Regexp.new('allowed.example.org')
+  deny :host => 'denied.example.org'
+  deny :user_agent => /MSIE/                # request.user_agent =~ Regexp.new(/MSIE/)
+
+=== Views
+
+All rules can be used in views.
+
+  <% allow(:role => :admin) do %>
+    <h1>Allowed</h1>
+  <% end %>
+
+  <% deny(:role => :troll) do %>
+    <h1>Allowed</h1>
+  <% end %>
+
+=== Unauthorized
+
+When a rule fails a Doorman::Unauthorized error is raised. The error
+can be caught in ApplicationController#rescue_action_in_public.
+
+  class ApplicationController < ActionController::Base
+    private
+    def rescue_action_in_public(exception)
+      case exception
+      when Doorman::InvalidRule
+        render :text => 'Invalid Rule', :status => '500 Internal Server Error'
+      when Doorman::Unauthorized
+        render :text => 'Unauthorized', :status => '401 Unauthorized'
+      else
+        super(exception)
+      end
+    end
+  end
+
+== TODO
+
+=== Rule inheritance
+
+Controller subclasses do not inherit its parents rules. This is more
+like a bug than a todo.
+
+===  More configurable
+
++rails_doorman+ should be configurable. For example, the :user rule
+uses +login+ for comparison. Often times +username+ is used instead of
++login+.
+
+This type of configuration is partially implementd but it is half
+baked and not tested.
+

data/Rakefile

@@ -0,0 +1,57 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+require 'spec/rake/spectask'
+
+GEM_NAME = "rails_doorman"
+GEM_VERSION = "0.0.1"
+AUTHOR = "Jeremy Burks"
+EMAIL = "jeremy.burks@gmail.com"
+HOMEPAGE = "http://github.com/jrun/rails_doorman/"
+SUMMARY = "Rails plugin that provides an allow/deny DSL for controlling access"
+
+spec = Gem::Specification.new do |s|
+  s.name = GEM_NAME
+  s.version = GEM_VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = false
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.author = AUTHOR
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+  s.add_dependency('rails', '>= 2.3.2')
+  s.require_path = 'lib'
+  s.files = %w(LICENSE README.rdoc Rakefile) + Dir.glob("{rails,lib,spec,features}/**/*")
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+namespace :gem do
+  desc "Repackage, uninstall and install gem"
+  task :refresh do
+    Rake::Task[:spec].invoke    
+    Rake::Task[:repackage].invoke
+  end
+end
+
+desc "Create a gemspec file"
+task :gemspec do
+  File.open("#{GEM_NAME}.gemspec", "w") do |file|
+    file.puts spec.to_ruby
+  end
+end
+
+desc "Run the examples"
+Spec::Rake::SpecTask.new do |t|
+  t.spec_files = ["spec/**/*_spec.rb"]
+  t.spec_opts = %w[--color --format specdoc --diff]  
+end
+
+require 'cucumber/rake/task'
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "--format pretty"
+end
+
+task :default => [:spec, :features]

data/features/doorman.feature

@@ -0,0 +1,99 @@
+Feature: Manage Access
+  In order to 
+  As a
+  I want to
+
+  Scenario: Allow all by default
+    When I go to /allow_all_by_default
+    Then I should be authorized
+
+  Scenario: Explicitly allow all
+    When I go to /explicitly_allow_all
+    Then I should be authorized
+
+  Scenario: Unauthorized when explicitly denying all
+    When I go to /deny_all
+    Then I should not be authorized
+
+  Scenario: Authorized when the user is allowed
+    Given I am Nancy
+    When I go to /allowed_user
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user is not allowed
+    Given I am Jackie Boy
+    When I go to /allowed_user
+    Then I should not be authorized
+
+  Scenario: Authorized when the user belongs to the allowed rule
+    Given I have the role admin
+    When I go to /allowed_role
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user does not belong to the rule
+    Given I have the role not_admin
+    When I go to /allowed_role
+    Then I should not be authorized
+
+  Scenario: Authorized when the user does not belong to the denied role
+    When I go to /denied_role
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user belongs to the denied role
+    Given I have the role troll
+    When I go to /denied_role
+    Then I should not be authorized
+
+  Scenario: Authorized when the user belongs to an allowed role
+    Given I have the role admin
+    When I go to /allowed_and_denied_roles
+    Then I should be authorized
+
+  Scenario: Unauthorized when the user belongs to the denied role
+    Given I have the role troll
+    When I go to /allowed_and_denied_roles
+    Then I should not be authorized
+
+  Scenario: Unauthorized when the user does not belong to the role
+     Given I have no roles
+     When I go to /allowed_role_with_only/show
+     Then I should not be authorized
+
+  Scenario: Authorized when he user belongs to the role
+    Given I have the role admin
+    When I go to /allowed_role_with_only/show
+    Then I should be authorized
+    Given I have no roles
+    When I go to /allowed_role_with_only
+    Then I should be authorized
+
+  Scenario: Authorized when the rule does not apply to the action
+    Given I have the role admin
+    When I go to /allowed_role_with_only
+    Then I should be authorized
+
+  Scenario: Unauthorized when the host is not explicitly allowed
+    When I go to /access_control_by_host
+    Then I should not be authorized
+
+  Scenario: Unauthorized when authorizing via role and there is not acurrent user
+    When There is no current user
+    And  I go to /allowed_role
+    Then I should not be authorized
+
+
+  Scenario: View Helpers - Allow
+    Given I have the role admin
+    When I go to /view_helpers/allow_via_role
+    Then I should see "Allowed"
+    Given I have no roles
+    When I go to /view_helpers/allow_via_role
+    Then I should not see "Allowed"
+
+  Scenario: View Helpers - Deny
+    Given I have no roles
+    When I go to /view_helpers/deny_via_role
+    Then I should see "Allowed"
+    Given I have the role troll
+    When I go to /view_helpers/deny_via_role
+    Then I should not see "Allowed"

data/features/step_definitions/common_steps.rb

@@ -0,0 +1,25 @@
+Given /^I am (.*)$/ do |name|
+  ApplicationController.reset_current_user
+  ApplicationController.current_user.login = name.downcase
+end
+
+Given /^I have no roles$/ do
+  ApplicationController.reset_current_user
+end
+
+Given /^I have the role (.*)$/ do |role|
+  Given "I have no roles"
+  ApplicationController.current_user.roles << role.to_sym
+end
+
+Then /^I should be authorized$/ do
+  response.should be_authorized
+end
+
+Then /^I should not be authorized$/ do
+  response.should be_unauthorized
+end
+
+When /^There is no current user$/ do
+  ApplicationController.nil_current_user
+end

data/features/step_definitions/webrat_steps.rb

@@ -0,0 +1,115 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "..", "support", "paths"))
+
+# Commonly used webrat steps
+# http://github.com/brynary/webrat
+
+Given /^I am on (.+)$/ do |page_name|
+  visit path_to(page_name)
+end
+
+When /^I go to (.+)$/ do |page_name|
+  visit path_to(page_name)
+end
+
+When /^I press "([^\"]*)"$/ do |button|
+  click_button(button)
+end
+
+When /^I follow "([^\"]*)"$/ do |link|
+  click_link(link)
+end
+
+When /^I fill in "([^\"]*)" with "([^\"]*)"$/ do |field, value|
+  fill_in(field, :with => value) 
+end
+
+When /^I select "([^\"]*)" from "([^\"]*)"$/ do |value, field|
+  select(value, :from => field) 
+end
+
+# Use this step in conjunction with Rail's datetime_select helper. For example:
+# When I select "December 25, 2008 10:00" as the date and time 
+When /^I select "([^\"]*)" as the date and time$/ do |time|
+  select_datetime(time)
+end
+
+# Use this step when using multiple datetime_select helpers on a page or 
+# you want to specify which datetime to select. Given the following view:
+#   <%= f.label :preferred %><br />
+#   <%= f.datetime_select :preferred %>
+#   <%= f.label :alternative %><br />
+#   <%= f.datetime_select :alternative %>
+# The following steps would fill out the form:
+# When I select "November 23, 2004 11:20" as the "Preferred" data and time
+# And I select "November 25, 2004 10:30" as the "Alternative" data and time
+When /^I select "([^\"]*)" as the "([^\"]*)" date and time$/ do |datetime, datetime_label|
+  select_datetime(datetime, :from => datetime_label)
+end
+
+# Use this step in conjunction with Rail's time_select helper. For example:
+# When I select "2:20PM" as the time
+# Note: Rail's default time helper provides 24-hour time-- not 12 hour time. Webrat
+# will convert the 2:20PM to 14:20 and then select it. 
+When /^I select "([^\"]*)" as the time$/ do |time|
+  select_time(time)
+end
+
+# Use this step when using multiple time_select helpers on a page or you want to
+# specify the name of the time on the form.  For example:
+# When I select "7:30AM" as the "Gym" time
+When /^I select "([^\"]*)" as the "([^\"]*)" time$/ do |time, time_label|
+  select_time(time, :from => time_label)
+end
+
+# Use this step in conjunction with Rail's date_select helper.  For example:
+# When I select "February 20, 1981" as the date
+When /^I select "([^\"]*)" as the date$/ do |date|
+  select_date(date)
+end
+
+# Use this step when using multiple date_select helpers on one page or
+# you want to specify the name of the date on the form. For example:
+# When I select "April 26, 1982" as the "Date of Birth" date
+When /^I select "([^\"]*)" as the "([^\"]*)" date$/ do |date, date_label|
+  select_date(date, :from => date_label)
+end
+
+When /^I check "([^\"]*)"$/ do |field|
+  check(field) 
+end
+
+When /^I uncheck "([^\"]*)"$/ do |field|
+  uncheck(field) 
+end
+
+When /^I choose "([^\"]*)"$/ do |field|
+  choose(field)
+end
+
+When /^I attach the file at "([^\"]*)" to "([^\"]*)"$/ do |path, field|
+  attach_file(field, path)
+end
+
+Then /^I should see "([^\"]*)"$/ do |text|
+  response.should contain(text)
+end
+
+Then /^I should not see "([^\"]*)"$/ do |text|
+  response.should_not contain(text)
+end
+
+Then /^the "([^\"]*)" field should contain "([^\"]*)"$/ do |field, value|
+  field_labeled(field).value.should =~ /#{value}/
+end
+
+Then /^the "([^\"]*)" field should not contain "([^\"]*)"$/ do |field, value|
+  field_labeled(field).value.should_not =~ /#{value}/
+end
+    
+Then /^the "([^\"]*)" checkbox should be checked$/ do |label|
+  field_labeled(label).should be_checked
+end
+
+Then /^I should be on (.+)$/ do |page_name|
+  URI.parse(current_url).path.should == path_to(page_name)
+end

data/features/support/authorized_matcher.rb

@@ -0,0 +1,29 @@
+class BeAuthorized
+  def matches?(response)
+    @response = response
+    @response.status == "200 OK" && @response.body == 'Allowed Access'
+  end
+
+  # ==== Returns
+  # String:: The failure message.
+  def failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+to have the status 200 OK and body 'Allowed Access'"
+but the status is #{@response.status} and the body is '#{@response.body}'"
+EOS
+end
+
+  # ==== Returns
+  # String:: The failure message to be displayed in negative matches.
+  def negative_failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+not to have the status 200 Ok and body 'Allowed Access'"
+EOS
+  end
+end
+
+def be_authorized
+  BeAuthorized.new
+end

data/features/support/env.rb

@@ -0,0 +1,13 @@
+ENV["RAILS_ENV"] ||= "test"
+
+require File.expand_path(File.dirname(__FILE__) + '/../../spec/fixtures/app/config/environment')  
+require 'cucumber/rails/world'
+require 'cucumber/rails/rspec'
+require 'cucumber/formatter/unicode'
+
+require 'webrat'
+require 'webrat/core/matchers'
+
+Webrat.configure do |config|
+  config.mode = :rails
+end

data/features/support/paths.rb

@@ -0,0 +1,19 @@
+module NavigationHelpers
+  # Maps a static name to a static route.
+  #
+  # This method is *not* designed to map from a dynamic name to a 
+  # dynamic route like <tt>post_comments_path(post)</tt>. For dynamic 
+  # routes like this you should *not* rely on #path_to, but write 
+  # your own step definitions instead. Example:
+  #
+  #   Given /I am on the comments page for the "(.+)" post/ |name|
+  #     post = Post.find_by_name(name)
+  #     visit post_comments_path(post)
+  #   end
+  #
+  def path_to(page_name)
+    page_name
+  end
+end
+
+World(NavigationHelpers)

data/features/support/unauthorized_matcher.rb

@@ -0,0 +1,29 @@
+class BeUnauthorized
+  def matches?(response)
+    @response = response
+    @response.status == '401 Unauthorized' && @response.body == 'Unauthorized'
+  end
+
+  # ==== Returns
+  # String:: The failure message.
+  def failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+to have the status 401 Unauthorized and body 'Unauthorized'"
+but the status is #{@response.status} and the body is '#{@response.body}'"
+EOS
+  end
+
+  # ==== Returns
+  # String:: The failure message to be displayed in negative matches.
+  def negative_failure_message
+<<-EOS
+expected the response from #{@response.request.url}
+not to have the status 200 Ok and body 'Allowed Access'"
+EOS
+  end
+end
+
+def be_unauthorized
+  BeUnauthorized.new
+end

data/lib/rails_doorman/helpers.rb

@@ -0,0 +1,17 @@
+
+module Doorman
+  module Helpers
+    def allow(*args, &blk)
+      _capture_within_rule_context(:allow, args, &blk)
+    end
+    
+    def deny(*args, &blk)
+      _capture_within_rule_context(:deny, args, &blk)
+    end        
+    
+    def _capture_within_rule_context(type, args, &blk)
+      _check_rule(Doorman::Rule.from_hash(type, args.first)) ? blk.call  : ""
+    end
+    private :_capture_within_rule_context
+  end  
+end

data/lib/rails_doorman/rule.rb

@@ -0,0 +1,59 @@
+
+module Doorman
+  class InvalidRule < StandardError
+    def initialize(*args)
+      super "rails_doorman: invalid rule #{args.inspect}"
+    end
+  end
+      
+  class Rule
+    def self.from_hash(type, opts)
+      rule = new(type)
+      h = opts.except(:only, :exclude)
+      if h.size > 1
+        raise InvalidRule.new(type, opts)
+      end
+      rule.method = h.keys.first.to_sym
+      unless Doorman.supported_method?(rule.method)
+        raise InvalidRule.new(type, opts)
+      end
+      rule.value = h.values.first
+      rule.limits = extract_limits(opts)
+      rule
+    end
+    
+    def self.from_block(type, opts = nil, &block)
+      unless block.arity == 1
+        raise InvalidRule.new(type, opts, block)
+      end
+      opts ||= {}
+      rule = new(type)
+      rule.method = :block
+      rule.value = block
+      rule.limits = extract_limits(opts)
+      rule
+    end
+    
+    def self.extract_limits(h)
+      h.slice(:only, :exclude).inject({}) do |limits, kv| 
+        limits.merge!(kv.first => Array(kv.last).map {|limit| limit.to_sym })
+      end
+    end
+    
+    attr_accessor :type, :method, :value, :limits
+    
+    def initialize(type)
+      @type, @limits = type, {}
+    end
+    
+    def deny?
+      type == :deny
+    end
+    
+    def evaluate?(action_name)
+      (!limits.key?(:only) || limits[:only].include?(action_name.to_sym)) &&
+        (!limits.key?(:exclude) || !limits[:exclude].include?(action_name.to_sym))
+    end
+  end
+  
+end

data/lib/rails_doorman.rb

@@ -0,0 +1,111 @@
+require 'rails_doorman/rule'
+require 'rails_doorman/helpers'
+
+module Doorman
+  class Unauthorized < StandardError; end
+  
+  class << self
+    def options
+      @options ||= {
+        :user_identifier_method => :login,
+        :has_role_method => :has_role?
+      }
+    end
+    
+    SUPPORTED_METHODS = [:block, :host, :role, :user, :user_agent].freeze
+    
+    def supported_method?(method)
+      SUPPORTED_METHODS.include?(method)
+    end
+              
+    def included(base)
+      base.extend(ClassMethods)
+      base.class_eval do
+        include InstanceMethods
+        include SharedMethods
+        helper Doorman::SharedMethods, Doorman::Helpers
+        before_filter :_doorman_check_acl
+      end
+    end
+  end
+      
+  module ClassMethods
+    def _doorman_list
+      @_doorman_list ||= []
+    end
+    
+    def _doorman_default
+      @_doorman_default ||= :allow
+    end
+    
+    def  deny(*args, &block)
+      _add_acl(:deny, args, block)
+    end
+    
+    def allow(*args, &block)
+      _add_acl(:allow, args, block)
+    end
+    
+    def _clear_acl_list
+      @_doorman_list = nil
+    end
+    
+    def _add_acl(type, args, block)
+      opts = args.is_a?(Array) ? args.first : args
+      if opts == :all
+        @_doorman_default = type
+        return true
+      end
+      if block
+        _doorman_list << Rule.from_block(type, opts, &block)
+      else
+        _doorman_list << Rule.from_hash(type, opts)
+      end
+    end
+  end
+  
+  module InstanceMethods
+    private
+    def _doorman_check_acl
+      allowed = false
+      self.class._doorman_list.each do |rule|
+        next unless rule.evaluate?(self.action_name)
+        if _check_rule(rule)
+          allowed = true
+        else
+          raise Unauthorized
+        end
+      end
+      if self.class._doorman_default == :deny && !allowed
+        raise Unauthorized
+      end
+    end
+  end
+
+  module SharedMethods
+    # self can either be in a controller or view context. 
+    private
+    def _check_rule(rule)
+      match = case rule.method
+        when :block
+          rule.value.call(self)            
+        when :host
+          request.host =~ Regexp.new(rule.value)
+        when :role
+          current_user && current_user.send(Doorman.options[:has_role_method], rule.value)
+        when :user
+          current_user && current_user.send(Doorman.options[:user_identifier_method]).to_sym  == rule.value.to_sym
+        when :user_agent 
+          request.user_agent =~ Regexp.new(rule.value)
+        else
+          false
+        end
+      rule.deny? ? !match : match
+    end
+  end
+  
+end
+
+ActionController::Base.class_eval do
+  include Doorman
+end

data/rails/init.rb

@@ -0,0 +1 @@
+require 'rails_doorman'