logical_authz 0.1.6

data/lib/logical_authz/access_control.rb

@@ -0,0 +1,343 @@
+module LogicalAuthz
+  module AccessControl
+    class PolicyDefinitionError < ::Exception; end
+
+    class Builder
+      class << self
+        def register_policy_class(name, klass)
+          define_method(name) { klass.new }
+          define_method("if_#{name}") { klass.new }
+        end
+
+        def register_policy_helper(name, &block)
+          define_method(name, &block)
+        end
+      end
+
+      def initialize(helper_mod = nil)
+        @helper_mod = helper_mod
+        @list = @before = []
+        @after = []
+
+        (class << self; self; end).instance_eval do
+          include(helper_mod) unless helper_mod.nil?
+        end
+      end
+
+      def define(&block)
+        instance_eval(&block)
+      end
+
+      def resolve_rule(rule)
+        case rule
+        when Policy #This is the important case, actually
+        when Symbol, String
+          klass = Policy.names[rule.to_sym]
+          raise "Policy name #{rule} not found in #{Policy.names.keys.inspect}" if klass.nil?
+          Rails.logger.debug { "Using deprecated string/symbol policy naming: #{rule.inspect}" }
+          rule = klass.new
+        when Class
+          rule = rule.new
+          unless rule.responds_to?(:check)
+            raise "Policy classes must respond to #check"
+          end
+        when Proc
+          rule = ProcPolicy.new(&rule)
+        else
+          raise "Authorization Rules have to be Policy objects, a Policy class or a proc"
+        end
+        rule
+      end
+
+      #TODO DSL needs to allow config of rules
+      def add_rule(rule, allows = true, name = nil)
+        rule = resolve_rule(rule)
+
+        rule.decision = allows
+        rule.name = name unless name.nil?
+        @list << rule
+      end
+
+      def allow(rule = nil, name = nil, &block)
+        if rule.nil?
+          if block.nil?
+            raise "Allow needs to have a rule or a block"
+          end
+          rule = block
+        end
+        add_rule(rule, true, name)
+      end
+
+      def deny(rule = nil, name = nil, &block)
+        if rule.nil?
+          if block.nil?
+            raise "Deny needs to have a rule or a block"
+          end
+          rule = block
+        end
+        add_rule(rule, false, name)
+      end
+
+      def if_allowed(&block)
+        IfAllows.new(@helper_mod, &block)
+      end
+
+      def if_denied(&block)
+        IfDenies.new(@helper_mod, &block)
+      end
+
+      def related(&block)
+        raise PolicyDefinitionError, "related called without a block" if block.nil?
+        Owner.new(&block)
+      end
+
+      def except(policy) #This needs a different name
+        policy = resolve_rule(policy)
+        Reversed.new(policy)
+      end
+
+      def with_criteria(policy, &block)
+        raise PolicyDefinitionError, "with_criteria called without a block" if block.nil?
+        policy = resolve_rule(policy)
+        RemappedCriteria.new(policy, &block)
+      end
+
+      def existing_policy
+        @list = @after
+      end
+
+      def list(existing = nil)
+        existing ||= []
+        result = @before + existing + @after
+      end
+    end
+
+    class Policy
+      def initialize
+        @decision = false
+        @name = default_name
+      end
+
+      def laz_debug
+        LogicalAuthz::laz_debug{yield} if block_given?
+      end
+
+      attr_accessor :name, :decision
+
+      def default_name
+        "Unknown Rule"
+      end
+
+      def check(criteria)
+        raise NotImplementedException
+      end
+
+      def evaluate(criteria)
+        laz_debug{"Rule being examined: #{self.inspect}"}
+        if check(criteria) == true
+          laz_debug{"Rule: #@name triggered - authorization allowed: #@decision"}
+          return @decision
+        else
+          return nil
+        end
+      rescue Object => ex
+        Rails.logger.info{ "Exception raised checking rule \"#@name\": #{ex.class.name}: #{ex.message} @ #{ex.backtrace[0..2].inspect}" }
+        return false
+      end
+
+      class << self
+        def names
+          @names ||= {}
+        end
+
+        def register(name)
+          Policy.names[name.to_sym] = self
+          Policy.names["if_#{name}".to_sym] = self
+
+          AccessControl::Builder.register_policy_class(name, self)
+        end
+      end
+    end
+
+    #The policy rule of last resort
+    class ProcPolicy < Policy
+      def initialize(&check)
+        @check = check
+        super()
+      end
+
+      def check(criteria)
+        @check.call(criteria)
+      end
+    end
+
+    class Always < Policy
+      register :always
+
+      def default_name
+        "Always"
+      end
+
+      def check(criteria)
+        true
+      end
+    end
+
+    class Reversed < Policy
+      def initialize(other)
+        @other = other
+        super()
+      end
+
+      def default_name
+        "Unless: #{@other.default_name}"
+      end
+
+      def check(criteria)
+        !@other.check(criteria)
+      end
+    end
+
+    class RemappedCriteria < Policy
+      def initialize(other, &block)
+        @other = other
+        @block = block
+        super()
+      end
+
+      def default_name
+        "Remapped: #{@other.default_name}"
+      end
+
+      def check(criteria)
+        new_criteria = criteria.dup
+        laz_debug{ {:Remapping => new_criteria} }
+        @block.call(new_criteria)
+        laz_debug{ {:Remappped => new_criteria} }
+        @other.check(new_criteria)
+      end
+    end
+
+    class SubPolicy < Policy
+      def initialize(helper_mod, &block)
+        super()
+        builder = Builder.new(helper_mod)
+        builder.define(&block)
+        @criteria_list = builder.list
+      end
+
+      def check(criteria)
+        @criteria_list.each do |control|
+          policy = control.evaluate(criteria)
+          next if policy.nil?
+          return match_policy(policy)
+        end
+        return false
+      end
+    end
+
+    class IfAllows < SubPolicy
+      def default_name
+        "If allowed by..."
+      end
+
+      def match_policy(policy)
+        policy == true
+      end
+    end
+
+    class IfDenies < SubPolicy
+      def default_name
+        "If denied by..."
+      end
+
+      def match_policy(policy)
+        policy == false
+      end
+    end
+
+    class Administrator < Policy
+      register :admin
+
+      def default_name
+        "Admins"
+      end
+
+      def check(criteria)
+        return criteria[:group].include?(Group.admin_group)
+      end
+    end
+
+    class Authenticated < Policy
+      register :authenticated
+
+      def default_name
+        "Authenicated"
+      end
+
+      def check(criteria)
+        criteria[:user] != nil
+      end
+    end
+
+    class Authorized < Policy
+      register :authorized
+
+      def default_name
+        "When Authorized"
+      end
+
+      #This probably needs some assurance that it cannot loop
+      def check(criteria)
+        criteria[:authorization_depth] ||= 0
+        criteria[:authorization_depth] += 1
+
+        if criteria[:authorization_depth] > 10
+          raise "Authorization recursion limit reached" 
+        end
+
+        LogicalAuthz.is_authorized?(criteria)
+      end
+    end
+
+    class Owner < Policy
+      register :owner
+
+      def initialize(&map_owner)
+        @mapper = map_owner
+        super()
+      end
+
+      def default_name
+        "Related"
+      end
+
+      def check(criteria)
+        return false unless criteria.has_key?(:user) and criteria.has_key?(:id)
+        unless @mapper.nil?
+          @mapper.call(criteria[:user], criteria[:id].to_i)
+        else
+          criteria[:user].id == criteria[:id].to_i
+        end
+      end
+    end
+
+    class Permitted < Policy
+      register :permitted
+
+      def initialize(specific_criteria = {})
+        @criteria = specific_criteria
+        super()
+      end
+
+      def default_name
+        "Permitted"
+      end
+
+      def check(criteria)
+        crits = criteria.merge(@criteria)
+        return LogicalAuthz::check_permitted(crits)
+      end
+    end
+  end
+end

data/lib/logical_authz/application.rb

@@ -0,0 +1,350 @@
+require 'logical_authz_helper'
+
+module LogicalAuthz
+  module Application
+    def self.included(klass)
+      klass.extend(ClassMethods)
+    end
+    include Helper
+
+    def redirect_to_lobby(message = nil)
+      back = request.headers["Referer"]
+      laz_debug{"Sending user back to: #{back} Authz'd?"}
+      back_criteria = criteria_from_url(back)
+      if back_criteria.nil? 
+        laz_debug{"Back is nil - going to the default_unauthorized_url"}
+        redirect_to default_unauthorized_url
+      elsif LogicalAuthz::is_authorized?(back_criteria)
+        laz_debug{"Back authorized - going to #{back}"}
+        redirect_to back
+      else
+        laz_debug{"Back is unauthorized - going to the default_unauthorized_url"}
+        redirect_to default_unauthorized_url
+      end
+    end
+
+    def strip_record(record)
+      {
+        :rule => record[:determining_rule].try(:name),
+        :logged_in => !record[:user].nil?,
+        :reason => record[:reason],
+        :result => record[:result]
+      }
+    end
+
+    def check_authorized
+      current_user = AuthnFacade.current_user(self)
+
+      criteria = {
+        :user => current_user, 
+        :controller => self.class,
+        :action => action_name, 
+        :id => params[:id],
+        :params => params.dup
+      }
+
+      logical_authz_record = {:authz_path => request.path.dup}
+      LogicalAuthz.is_authorized?(criteria, logical_authz_record)
+      laz_debug{"Logical Authz result: #{logical_authz_record.inspect}"}
+      flash[:logical_authz_record] = strip_record(logical_authz_record)
+      if logical_authz_record[:result]
+        return true
+      else
+        request.session[:unauthzd_path] = request.path
+        redirect_to_lobby("Your account is not authorized to perform this action.")
+        return false
+      end
+    end
+
+    module ClassMethods
+      def laz_debug
+        LogicalAuthz::laz_debug{yield} if block_given?
+      end
+
+      def publicly_allowed(*actions)
+        if actions.empty?
+          authorization_by_default(true)
+          reset_policy
+        else
+          reset_policy(*actions)
+          policy(*actions) do |pol|
+            allow :always
+          end
+        end
+      end
+
+      def policy_helper_module
+        @policy_helper_module ||= 
+          begin
+            mod = Module.new
+            parent_mod = read_inheritable_attribute(:policy_helper_module)
+            unless parent_mod.nil?
+              mod.class_eval {
+                include(parent_mod)
+              }
+            end
+            write_inheritable_attribute(:policy_helper_module, mod)
+            mod
+          end
+      end
+
+      def policy_helper(name, &body)
+        policy_helper_module.module_eval do
+          define_method name, &body
+        end
+      end
+
+      def policy(*actions, &block)
+        before_filter CheckAuthorization
+        builder = AccessControl::Builder.new(policy_helper_module)
+        builder.define(&block)
+        if actions.empty?
+          set_policy(builder.list(get_policy(nil)), nil)
+        else
+          actions = unalias_actions(actions)
+          actions.each do |action|
+            set_policy(builder.list(get_policy(action)), action)
+          end
+        end
+      end
+
+      def reset_policy(*actions)
+        if actions.empty?
+          set_policy([], nil)
+        else
+          unalias_actions(actions).each do |action|
+            set_policy([], action)
+          end
+        end
+      end
+
+      def clear_policies!
+        write_inheritable_attribute(:controller_access_control, [])
+        write_inheritable_attribute(:action_access_control, {})
+      end
+
+      def get_policy(action)
+        if action.nil?
+          read_inheritable_attribute(:controller_access_control) || []
+        else
+          (read_inheritable_attribute(:action_access_control) || {})[action.to_sym]
+        end
+      end
+
+      def set_policy(acl, action)
+        if action.nil?
+          laz_debug{ "Policy set: #{self.name} - all: #{acl.inspect}" }
+          write_inheritable_attribute(:controller_access_control, acl)
+        else
+          laz_debug{ "Policy set: #{self.name}##{action}: #{acl.inspect}" }
+          write_inheritable_hash(:action_access_control, {})
+          policies = read_inheritable_attribute(:action_access_control)
+          policies[action.to_sym] = acl
+        end
+      end
+
+      def authorization_by_default(default_allow)
+        write_inheritable_attribute(:authorization_policy, default_allow)
+      end
+
+      def default_authorization
+        policy = read_inheritable_attribute(:authorization_policy)
+        if policy.nil?
+          true
+        else
+          policy
+        end
+      end
+
+      def authorization_needed?(action)
+        acl = access_controls(action)
+        return true unless acl.empty?
+        return !read_inheritable_attribute(:authorization_policy) || false
+      end
+
+      def move_policies(from, to)
+        policies = read_inheritable_attribute(:action_access_control)
+        if policies.nil?
+          policies = {}
+          write_inheritable_attribute(:action_access_control, policies)
+        end
+
+        if policies.has_key?(from.to_sym)
+          if policies.has_key?(to.to_sym)
+            #Should be raise, at some future point
+            warn "Moving policies defined on #{self.name} for #{from} would clobber policies on #{to}"
+          end
+          policies[to.to_sym] = policies[from.to_sym]
+          policies.delete(from.to_sym)
+        end
+      end
+
+      # grant_aliases :new => :create  # =>
+      # anyone with authorization to :create can also access :new
+      # (Read as: "for 'new' read 'create'")
+      def grant_aliases(hash)
+        aliases = read_inheritable_attribute(:grant_alias_hash) || Hash.new{|h,k| h[k] = []}
+        aliased = read_inheritable_attribute(:aliased_grants) || {}
+        hash.each_pair do |grant, allows|
+          [*allows].each do |allowed|
+            aliases[allowed.to_sym] << grant.to_sym
+            aliased[grant.to_sym] = allowed.to_sym
+            move_policies(grant, allowed)
+          end
+        end
+        write_inheritable_attribute(:grant_alias_hash, aliases)
+        write_inheritable_attribute(:aliased_grants, aliased)
+      end
+      alias grant_alias grant_aliases
+      
+      def standard_grant_aliases
+        grant_aliases :edit => :update
+      end
+
+      def unalias_actions(actions)
+        aliased_actions = read_inheritable_attribute(:aliased_grants) || {}
+        actions.compact.map do |action|
+          aliased_actions[action.to_sym] || action
+        end.compact.uniq
+      end
+
+      def grant_aliases_for(action)
+        grant_aliases = read_inheritable_attribute(:grant_alias_hash)
+        action = action.to_sym
+
+        if not grant_aliases.nil? and grant_aliases.has_key?(action)
+          return grant_aliases[action]
+        else
+          return []
+        end
+      end
+
+      def inspect_criteria(criteria)
+        criteria.inject({}) do |hash, name_value|
+          name, value = *name_value
+          case value
+          when ActiveRecord::Base
+            hash[name] = {value.class.name => value.id}
+          when ActionController::Base
+            hash[name] = value.class
+          else
+            hash[name] = value
+          end
+
+          hash
+        end.inspect
+      end
+
+      def normalize_criteria(criteria)
+        criteria[:group] = criteria[:group].nil? ? [] : [*criteria[:group]]
+        if criteria.has_key?(:user) and not criteria[:user].nil?
+          criteria[:group] += criteria[:user].groups
+        end
+        #if criteria[:group].empty?
+        #  criteria[:group] += LogicalAuthz::unauthorized_groups
+        #end
+        criteria[:group], not_groups = criteria[:group].partition do |group|
+          LogicalAuthz::Configuration::group_model === group
+        end
+        Rails.logger.warn{ "Found in criteria[:groups]: #{not_groups.inspect}"} unless not_groups.empty?
+        actions = [*criteria[:action]].compact
+        criteria[:action_aliases] = actions.map do |action|
+          grant_aliases_for(action)
+        end.flatten + actions.map{|action| action.to_sym}
+
+        criteria[:controller] = self
+        criteria[:controller_path] = controller_path
+
+        laz_debug{"LogicalAuthz: final computed authz criteria: #{inspect_criteria(criteria)}"}
+
+        return criteria
+      end
+
+      def access_controls(action)
+        controller_acl = read_inheritable_attribute(:controller_access_control) || []
+        return controller_acl if action.nil?
+        action = unalias_actions([action]).first
+        action_acl = (read_inheritable_attribute(:action_access_control) || {})[action.to_sym] || []
+        laz_debug{ { :checking_policy_for => action, :policies_exist_for => (read_inheritable_attribute(:action_access_control) || {}).keys, :action_acl => action_acl, :controller_acl => controller_acl } }
+        action_acl + controller_acl
+      end
+
+      def check_acls(criteria, result_hash = nil)
+        result_hash ||= {}
+        policy = nil
+
+        acl = access_controls(criteria[:action])
+        result_hash.merge! :checked_rules => [], :determining_rule => nil, :all_rules => acl
+        acl.each do |control|
+          result_hash[:checked_rules] << control
+          policy = control.evaluate(criteria)
+          unless policy.nil?
+            laz_debug{"Rule triggered - result: #{policy.inspect}"}
+            result_hash.merge! :determining_rule => control, :reason => :rule_triggered, :result => policy
+            break 
+          end
+        end
+        return policy
+      end
+
+      #It was tempting to build this on before_filter directly - however, 
+      #inspecting a controller to see if a particular filter will run for a 
+      #particular action is fragile.
+      def needs_authorization(*actions)
+        policy(*actions) do
+          allow if_allowed {
+            deny :authenticated
+            allow AccessControl::Permitted.new({:group => LogicalAuthz::Configuration.unauthorized_groups})
+          }
+          allow :permitted
+          existing_policy
+        end
+
+        policy do
+          existing_policy
+          deny :always
+        end
+      end
+
+      alias authorized_if_permitted needs_authorization
+
+      #This method exists for backwards compatibility.  It's likely more 
+      #readable to use the policy DSL
+      def dynamic_authorization(&block)
+        policy do |pol|
+          allow(&block)
+          existing_policy
+        end
+      end
+
+      #This method exists for backwards compatibility.  It's likely more 
+      #readable to use the policy DSL
+      def owner_authorized(*actions, &block)
+        policy(*actions) do |pol|
+          allow AccessControl::Owner.new(&block)
+          existing_policy
+        end
+      end
+
+      #This method exists for backwards compatibility.  It's likely more 
+      #readable to use the policy DSL
+      def admin_authorized(*actions)
+        policy(*actions) do |pol|
+          allow :if_admin
+          existing_policy
+        end
+      end
+    end
+
+    class CheckAuthorization
+      def self.filter(controller)
+        if controller.class.authorization_needed?(controller.action_name)
+          return controller.check_authorized
+        else
+          Rails.logger.debug{"Logical Authorization: #{controller} doesn't need authz"}
+          return true
+        end
+      end
+    end
+  end
+end

data/lib/logical_authz/authn_facade/authlogic.rb

@@ -0,0 +1,13 @@
+if defined? LogicalAuthz::AuthnFacade
+  warn "logical_authz authentication facade (LogicalAuthz::AuthnFacade) already defined - not redefining."
+else
+  module LogicalAuthz
+    class AuthnFacade
+      def self.current_user(controller)
+        #This assumes authlogic is implemented as recommended - otherwise 
+        #you'll need to develop your own AuthnFacade
+        return controller.current_user
+      end
+    end
+  end
+end