logical_authz 0.1.6

data/lib/logical_authz/generators/specs/templates/spec/helpers/logical_authz_helper_spec.rb

@@ -0,0 +1,90 @@
+require 'spec/spec_helper'
+
+class FooController < AuthzController
+end
+
+class BarController < AuthzController
+end
+
+class WireController < AuthzController
+end
+
+describe LogicalAuthz::Helper do
+  include LogicalAuthz::MockAuth
+
+  before do
+    @group = Factory(:group)
+    Factory(:permission, :group => @group, :controller => "foo")
+    Factory(:permission, :group => @group, :controller => "bar", :action => "baz")
+    Factory(:permission, :group => @group, :controller => "wire", :action => "vinyl", :subject_id => 1)
+  end
+
+  it "should refuse authorization to guests" do
+    logout
+
+    helper.authorized?(:controller => "foo").should == false
+    helper.authorized?(:controller => "bar", :action => "baz").should == false
+    helper.authorized?(:controller => "wire", :action => "vinyl", :id => 1).should == false
+  end
+
+  describe "should recognize authorized users" do
+    before do
+      user = Factory(:authz_account, :groups => [@group])
+      login_as(user)
+    end
+
+    it "on a controller level" do
+      helper.authorized?(:controller => "foo",
+                        :action => "nerf",
+                        :id => 7).should == true
+    end
+
+    it "on an action level" do
+      helper.authorized?(:controller => "bar",
+                        :action => "baz",
+                        :id => 23).should == true
+    end
+
+    it "not on the wrong action level" do
+      helper.authorized?(:controller => "bar",
+                        :action => "bat",
+                        :id => 23).should == false
+    end
+
+    it "on a record level" do
+      helper.authorized?(:controller => "wire",
+                        :action => "vinyl",
+                        :id => 1).should == true
+    end
+
+    it "not on the wrong record level" do
+      helper.authorized?(:controller => "wire",
+                        :action => "vinyl",
+                        :id => 2).should == false
+    end
+  end
+
+  describe "should refuse unauthorized users" do
+    before do
+      login_as(:authz_account)
+    end
+
+    it "on a controller level" do
+      helper.authorized?(:controller => "foo",
+                        :action => "nerf",
+                        :id => 7).should == false
+    end
+
+    it "on an action level" do
+      helper.authorized?(:controller => "bar",
+                        :action => "baz",
+                        :id => 23).should == false
+    end
+
+    it "on a record level" do
+      helper.authorized?(:controller => "wire",
+                        :action => "vinyl",
+                        :id => 1).should == false
+    end
+  end
+end

data/lib/logical_authz/generators/specs/templates/spec/support/logical_authz.rb

@@ -0,0 +1 @@
+require 'logical_authz/spec_helper'

data/lib/logical_authz/generators/specs/templates/spec/support/mock_auth.rb

@@ -0,0 +1,30 @@
+module LogicalAuthz
+  if defined?(:AuthnFacade)
+    remove_const(:AuthnFacade)
+  end
+  module AuthnFacade
+    @@current_user = nil
+
+    def self.current_user(controller)
+      @@current_user
+    end
+
+    def self.current_user=(user)
+      @@current_user = user
+    end
+  end
+
+  module MockAuth
+    def logout
+      AuthnFacade.current_user = nil
+    end
+
+    def login_as(user)
+      if <%= user_class %> === user
+        AuthnFacade.current_user = user
+      else
+        AuthnFacade.current_user = Factory(user)
+      end
+    end
+  end
+end

data/lib/logical_authz/spec_helper.rb

@@ -0,0 +1,75 @@
+module LogicalAuthz
+  module Matcher
+    class Authorized
+      def initialize
+        @controller = nil
+      end
+
+      def match_state
+        "authorized"
+      end
+
+      def check_authorization_flag
+        return false unless @flash.has_key? :logical_authz_record
+        return true if @flash[:logical_authz_record][:result] == true
+        return false
+      end
+
+      def matches?(controller)
+        @controller = controller
+        @flash = controller.__send__(:flash)
+        #controller should be a controller
+        return check_authorization_flag
+      end
+
+      def failure_message(match_text)
+        if @flash.has_key? :logical_authz_record
+          laz_rec = @flash[:logical_authz_record]
+          "Expected #{@controller.class.name}(#{@controller.params.inspect})" + 
+            " #{match_text} #{match_state}, but flash[:logical_authz_record][:result] " + 
+              "is <#{laz_rec[:result].inspect}> (reason: #{laz_rec[:reason].inspect}, " +
+            "rule: #{laz_rec[:determining_rule].try(:name)})"
+        else
+          "Expected #{@controller.class.name}(#{@controller.params.inspect}) #{match_text} #{match_state}, but flash did not have key :logical_authz_record"
+        end
+      end
+
+      def failure_message_for_should
+        failure_message("to be")
+      end
+
+      def failure_message_for_should_not
+        failure_message("not to be")
+      end
+    end
+
+    class Forbidden < Authorized
+      def match_state
+        "forbidden"
+      end
+
+      def check_authorization_flag
+        return false unless @flash.has_key? :logical_authz_record
+        return true if @flash[:logical_authz_record][:result] == false
+        return false
+      end
+    end
+  end
+
+
+  module ControllerExampleGroupMixin
+    def be_authorized
+      return Matcher::Authorized.new
+    end
+
+    def be_forbidden
+      return Matcher::Forbidden.new
+    end
+  end
+end
+
+module RSpec::Rails
+  module ControllerExampleGroup
+    include LogicalAuthz::ControllerExampleGroupMixin
+  end
+end

data/lib/logical_authz.rb

@@ -0,0 +1,110 @@
+require 'logical_authz/access_control'
+require 'logical_authz/application'
+require 'logical_authz/configuration'
+
+module LogicalAuthz
+  PermissionSelect = "controller = :controller AND " +
+    "group_id IN (:group_ids) AND " +
+    "((action IS NULL AND subject_id IS NULL) OR " +
+    "(action IN (:action_names) AND " +
+    "(subject_id IS NULL OR subject_id = :subject_id)))"
+
+  class << self
+    def inspect_criteria(criteria)
+      criteria.inject({}) do |hash, name_value|
+        name, value = *name_value
+        case value
+        when ActiveRecord::Base
+          hash[name] = {value.class.name => value.id}
+        when ActionController::Base
+          hash[name] = value.class
+        else
+          hash[name] = value
+        end
+
+        hash
+      end.inspect
+    end
+
+    def find_controller(reference)
+      klass = nil
+
+      case reference
+      when Class
+        if LogicalAuthz::Application > reference
+          klass = reference
+        end
+      when LogicalAuthz::Application
+        klass = reference.class
+      when String, Symbol
+        klass_name = reference.to_s.camelize + "Controller"
+        begin 
+          klass = klass_name.constantize
+        rescue NameError
+        end
+      end
+
+      return klass
+    end
+
+    def check_controller(klass, from_criteria)
+      if klass.nil?
+        raise "Could not determine controller class - criteria[:controller] => #{from_criteria}"
+      end
+    end
+
+    def check_permitted(criteria)
+      select_on = {
+        :group_ids => criteria[:group].map {|grp| grp.id},
+        :controller => criteria[:controller_path],
+        :action_names => criteria[:action_aliases].map {|a| a.to_s},
+        :subject_id => criteria[:id] 
+      }
+
+      laz_debug{ "LogicalAuthz: checking permissions: #{select_on.inspect}" }
+      allowed = LogicalAuthz::Configuration::permission_model.exists?([PermissionSelect, select_on])
+      unless allowed
+        laz_debug{ "Denied: #{select_on.inspect}"}
+      else
+        laz_debug{ "Allowed: #{select_on.inspect}"}
+      end
+      return allowed
+    end
+
+
+    def is_authorized?(criteria=nil, authz_record=nil)
+      criteria ||= {}
+      authz_record ||= {}
+      authz_record.merge! :criteria => criteria, :result => nil, :reason => nil
+
+      laz_debug{"LogicalAuthz: asked to authorize #{inspect_criteria(criteria)}"}
+
+      controller_class = find_controller(criteria[:controller])
+      
+      laz_debug{"LogicalAuthz: determined controller: #{controller_class.name}"}
+
+      check_controller(controller_class, criteria[:controller])
+
+      unless controller_class.authorization_needed?(criteria[:action])
+        laz_debug{"LogicalAuthz: controller says no authz needed."}
+        authz_record.merge! :reason => :no_authorization_needed, :result => true
+      else
+        laz_debug{"LogicalAuthz: checking authorization"}
+
+        controller_class.normalize_criteria(criteria)
+
+        #TODO Fail if group unspecified and user unspecified?
+
+        unless (acl_result = controller_class.check_acls(criteria, authz_record)).nil?
+          authz_record[:result] = acl_result
+        else
+          authz_record.merge! :reason => :default, :result => controller_class.default_authorization
+        end
+      end
+
+      laz_debug{authz_record}
+
+      return authz_record[:result]
+    end
+  end
+end

data/lib/tasks/rspec.rake

@@ -0,0 +1,15 @@
+require 'rake'
+begin
+  require 'rspec/core/rake_task'
+
+  namespace :logical_authz do
+    desc 'Run the specs'
+    RSpec::Core::RakeTask.new(:spec) do |t|
+      t.pattern = File::expand_path("../../../spec/**/*_spec.rb", __FILE__)
+    end
+  end
+
+  task :spec => 'logical_authz:spec'
+rescue LoadError
+  warn "Not defining logical_authz:spec"
+end

data/spec/gem_test_suite.rb

@@ -0,0 +1,17 @@
+puts Dir::pwd
+require 'test/unit'
+begin
+  require 'spec'
+rescue LoadError
+  false
+end
+
+class RSpecTest < Test::Unit::TestCase
+  def test_that_rspec_is_available
+    assert_nothing_raised("\n\n *  RSpec isn't available - please run: gem install rspec  *\n\n"){ ::Spec }
+  end
+
+  def test_that_specs_pass
+    assert(system(*%w{spec -f e -p **/*.rb spec}),"\n\n *  Specs failed  *\n\n")
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,43 @@
+ENV["RAILS_ENV"] ||= 'test'
+
+$" << File.expand_path(File.join(File.dirname(__FILE__), '..','..','..','..','app','controllers','authz_controller.rb'))
+
+
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','..','config','environment'))
+require 'spec/rails' 
+require 'logical_authz/spec_helper'
+
+# Requires supporting files with custom matchers and macros, etc,
+# in ./support/ and its subdirectories.
+Dir[File.expand_path(File.join(File.dirname(__FILE__),'support','**','*.rb'))].each {|f| require f}
+
+plugin_spec_dir = File.dirname(__FILE__)
+$: << File::join(plugin_spec_dir, "spec_helper", "models")
+RSpec::Runner.configure do |config|
+  # If you're not using ActiveRecord you should remove these
+  # lines, delete config/database.yml and disable :active_record
+  # in your config/boot.rb
+#  config.use_transactional_fixtures = true
+  config.use_instantiated_fixtures  = true
+  config.fixture_path = File::join(File.dirname(__FILE__), 'fixtures')
+  config.global_fixtures = [
+    :az_accounts, :groups, :permissions
+  ]
+end
+               
+ActiveRecord::Base.logger = Logger.new(plugin_spec_dir + "/debug.log")
+
+databases = YAML::load(IO.read(plugin_spec_dir + "/db/database.yml"))
+ActiveRecord::Base.establish_connection(databases[ENV["DB"] || "sqlite3"])
+load(File.join(plugin_spec_dir, "db", "schema.rb"))
+
+require File::join(plugin_spec_dir, "mock_auth")
+require File::join(plugin_spec_dir, "routes")
+
+Dir.glob(File::join(plugin_spec_dir, "factories", "*.rb")) do |path|
+  require path
+end
+
+
+Group::member_class = AzAccount
+

metadata

@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification 
+name: logical_authz
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 6
+  version: 0.1.6
+platform: ruby
+authors: 
+- Judson Lester
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-11-30 00:00:00 -08:00
+default_executable: 
+dependencies: []
+
+description: "  LogicalAuthorization allows authorization in a finely grained framework, including\n  ACLs and database based permissions, designed to slide into your project seamlessly.\n\n  You should be able to add logical_authz to your Gemfile and add needs_authorization to\n  your base controller class and be done.\n"
+email: judson@lrdesign.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/tasks/rspec.rake
+- lib/logical_authz.rb
+- lib/logical_authz/configuration.rb
+- lib/logical_authz/spec_helper.rb
+- lib/logical_authz/generator.rb
+- lib/logical_authz/authn_facade/authlogic.rb
+- lib/logical_authz/generators/specs/generator.rb
+- lib/logical_authz/generators/specs/templates/spec/factories/az_groups.rb
+- lib/logical_authz/generators/specs/templates/spec/factories/az_accounts.rb
+- lib/logical_authz/generators/specs/templates/spec/factories/permissions.rb
+- lib/logical_authz/generators/specs/templates/spec/support/logical_authz.rb
+- lib/logical_authz/generators/specs/templates/spec/support/mock_auth.rb
+- lib/logical_authz/generators/specs/templates/spec/controllers/permissions_controller_spec.rb
+- lib/logical_authz/generators/specs/templates/spec/controllers/groups_controller_spec.rb
+- lib/logical_authz/generators/specs/templates/spec/controllers/groups_users_controller_spec.rb
+- lib/logical_authz/generators/specs/templates/spec/helpers/logical_authz_helper_spec.rb
+- lib/logical_authz/generators/controllers/generator.rb
+- lib/logical_authz/generators/controllers/templates/app/controllers/authz_controller.rb
+- lib/logical_authz/generators/models/generator.rb
+- lib/logical_authz/generators/models/templates/db/seeds_logical_authz.rb
+- lib/logical_authz/generators/models/templates/app/models/group.rb
+- lib/logical_authz/generators/models/templates/app/models/permission.rb
+- lib/logical_authz/generators/models/templates/config/initializers/logical_authz.rb
+- lib/logical_authz/generators/models/templates/migrations/create_users_groups.rb
+- lib/logical_authz/generators/models/templates/migrations/create_groups.rb
+- lib/logical_authz/generators/models/templates/migrations/create_permissions.rb
+- lib/logical_authz/generators/routes/generator.rb
+- lib/logical_authz/engine.rb
+- lib/logical_authz/access_control.rb
+- lib/logical_authz/application.rb
+- app/views/permissions/index.html.haml
+- app/views/permissions/create.rjs
+- app/views/permissions/new.html.haml
+- app/views/permissions/_controls.html.haml
+- app/views/permissions/_form.html.haml
+- app/views/permissions/edit.html.haml
+- app/views/groups/index.html.haml
+- app/views/groups/create.rjs
+- app/views/groups/new.html.haml
+- app/views/groups/_controls.html.haml
+- app/views/groups/_form.html.haml
+- app/views/groups/edit.html.haml
+- app/views/groups/show.html.haml
+- app/controllers/groups_controller.rb
+- app/controllers/permissions_controller.rb
+- app/controllers/groups_users_controller.rb
+- app/helpers/logical_authz_helper.rb
+- config/initializers/activate.rb
+- generators/logical_authz_specs/logical_authz_specs_generator.rb
+- generators/logical_authz/logical_authz_generator.rb
+- generators/logical_authz/templates/app/views/layouts/_explain_authz.html.haml.erb
+- generators/logical_authz/templates/app/controllers/authz_controller.rb.erb
+- generators/logical_authz/templates/README
+- generators/logical_authz_models/logical_authz_models_generator.rb
+- generators/logical_authz_routes/logical_authz_routes_generator.rb
+- spec/spec_helper.rb
+- spec/gem_test_suite.rb
+has_rdoc: true
+homepage: http://lrdesign.com/tools
+licenses: []
+
+post_install_message: Another tidy package brought to you by Logical Reality Design
+rdoc_options: 
+- --inline-source
+- --main
+- doc/README
+- --title
+- logical_authz-0.1.6 RDoc
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: logical_authz
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Full fledged authorization, starting from one line
+test_files: 
+- spec/gem_test_suite.rb