objectbouncer 0.0.1

data/README.mdown

@@ -0,0 +1,117 @@
+# ObjectBouncer
+
+ObjectBouncer provides a way to restrict access to an objects properties or
+methods based upon a series of preconditions.
+
+## Usage
+
+Let's say we have a President who is protected by the SecretService:
+
+    class President
+      def shake_hands
+        "shaking hands"
+      end
+
+      def high_five
+        "high five!"
+      end
+    end
+
+And the following people:
+
+    class Nutjob
+      def dictator?
+        true
+      end
+    end
+
+    class VicePresident
+      def democrat?
+        true
+      end
+
+      def friend?(other)
+        other.class == President
+      end
+    end
+
+    class Hippie
+      def democrat?
+        true
+      end
+    end
+
+To protect the President we'd define a SecretService class like so:
+
+    class SecretService
+      include ObjectBouncer::Doorman
+      door_policy do
+        deny :shake_hands, :if => Proc.new{|person| person.dictator? }
+        allow :shake_hands, :if => Proc.new{|person| person.democrat? }
+        deny :high_five, :unless => Proc.new{|person, president|
+                                      person.friend?(president) }
+      end
+    end
+
+And now, to put our security detail in place we run all contact with
+the President through SecretService first:
+
+    @obama       = President.new
+    @gaddafi     = Nutjob.new
+    @joe_biden   = VicePresident.new
+    @tommy_chong = Hippie.new
+
+    SecretService.as(@gaddafi).on(@president).shake_hands # Raises PermissionDenied
+    SecretService.as(@joe_biden).on(@president).shake_hands # Allowed
+    SecretService.as(@tommy_chong).on(@president).shake_hands # Allowed
+    SecretService.as(@joe_biden).on(@president).high_five # Allowed
+    SecretService.as(@tommy_chong).on(@president).high_five # Raises PermissionDenied
+
+## Why would I want to use this?
+
+Most of the existing RBAC and other access based permission systems are
+implemented at a controller or action level within the MVC stack. ObjectBouncer
+allows you to provide more granular control my limiting access to discrete
+methods on an instance of an object, while keeping the permissions logic
+external to the Model itself.
+
+## Compatibility
+
+Test suite has currently only been confirmed on the following platforms:
+
+ * MRI Ruby 1.9.2
+
+## Contributions
+
+Patches gladly accepted. Please fork this repo, add a relevant test, and send
+me a pull request.
+
+## Status
+
+Currently still under active development and considered alpha, the API is
+liable to change without notice.
+
+## License
+
+ObjectBouncer is released under the MIT license.
+
+Copyright (c) 2011 Glenn Gillen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+ObjectBouncer

data/Rakefile

@@ -0,0 +1,22 @@
+require 'rubygems'
+require 'rake'
+require 'rake/gempackagetask'
+require 'rake/rdoctask'
+
+spec_data = File.open('objectbouncer.gemspec').read
+spec = nil
+Thread.new do
+  spec = eval("#{spec_data}")
+end.join
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.need_zip = false
+  pkg.need_tar = false
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = false
+end

data/lib/objectbouncer.rb

@@ -0,0 +1,4 @@
+base_dir = File.join(File.dirname(__FILE__), "objectbouncer")
+["base", "errors"].each do |lib|
+  require File.join(base_dir, lib)
+end

data/lib/objectbouncer/base.rb

@@ -0,0 +1,123 @@
+module ObjectBouncer
+  module Doorman
+
+    def self.included(klass)
+      klass.extend ClassMethods
+    end
+
+    module ClassMethods
+      def door_policy(&block)
+        @lockdown = false
+        @policies = {}
+        yield
+      end
+
+      def lockdown
+        @lockdown = true
+      end
+
+      def lockdown?
+        @lockdown
+      end
+
+      def allow(method, options = {})
+        @policies[method] ||= blank_policy_template
+        if options.has_key?(:if)
+          @policies[method][:allow][:if] << options[:if]
+        elsif options.has_key?(:unless)
+          @policies[method][:allow][:unless] << options[:unless]
+        else
+          @policies[method][:allow][:if].unshift(Proc.new{ true == true })
+        end
+      end
+
+      def deny(method, options = {})
+        @policies[method] ||= blank_policy_template
+        if options.has_key?(:if)
+          @policies[method][:deny][:if] << options[:if]
+        elsif options.has_key?(:unless)
+          @policies[method][:deny][:unless] << options[:unless]
+        else
+          @policies[method][:deny][:if].unshift(Proc.new{ true == true })
+        end
+      end
+
+      def policies
+        @policies
+      end
+
+      def as(person)
+        doorman = new
+        doorman.send(:person=, person)
+        doorman
+      end
+
+      def on(object)
+        doorman = new
+        doorman.send(:object=, object)
+        doorman
+      end
+
+      def blank_policy_template
+        { :allow => { :if => [], :unless => [] },
+          :deny  => { :if => [], :unless => [] }
+        }
+      end
+
+    end
+
+    def on(object)
+      @object = object
+      self
+    end
+
+    def as(person)
+      @person = person
+      self
+    end
+
+    def method_missing(meth, *args, &block)
+      if respond_to?(meth)
+        raise "adada!!!" if self.class.policies.nil? or self.class.policies.empty?
+        if call_allowed?(meth)
+          @object.send(meth, *args, &block)
+        elsif call_denied?(meth)
+          raise ObjectBouncer::PermissionDenied.new
+        end
+      else
+        super
+      end
+    end
+
+    def respond_to?(meth)
+      @object.respond_to?(meth)
+    end
+
+    private
+      def call_allowed?(meth)
+        if policies = self.class.policies[meth]
+          return true if !policies[:allow][:unless].empty? && !policies[:allow][:unless].detect{|policy| policy.call(@person, @object) rescue nil}
+          return true if policies[:allow][:if].detect{|policy| policy.call(@person, @object) rescue nil}
+          return true if policies[:deny][:unless].detect{|policy| policy.call(@person, @object) rescue nil}
+        end
+      end
+
+      def call_denied?(meth)
+        return true if self.class.lockdown?
+        if policies = self.class.policies[meth]
+          return true if policies[:allow][:unless].detect{|policy| policy.call(@person, @object) rescue nil}
+          return true if policies[:deny][:if].detect{|policy| policy.call(@person, @object) rescue nil}
+          return true if !policies[:deny][:unless].empty? && !call_allowed?(meth)
+        end
+      end
+
+      def person=(val)
+        @person = val
+      end
+
+      def object=(val)
+        @object = val
+      end
+
+  end
+end

data/lib/objectbouncer/errors.rb

@@ -0,0 +1,5 @@
+module ObjectBouncer
+  class Error < StandardError; end
+  class PermissionDenied < Error; end
+end
+

data/test/objectbouncer/base_test.rb

@@ -0,0 +1,114 @@
+$:.unshift File.expand_path("..", File.dirname(__FILE__))
+require "test_helper"
+
+class SecretService
+  include ObjectBouncer::Doorman
+  door_policy do
+    deny :shake_hands, :if => Proc.new{|person, president| person != president}
+    allow :shake_hands, :if => Proc.new{|person, president| person.class == MichelleObama}
+    deny :high_five, :unless => Proc.new{|person, president| person.who? == "it's me, Joe!"}
+  end
+end
+
+class CoastGuard
+  include ObjectBouncer::Doorman
+  door_policy do
+    lockdown # Overly protective are we?
+    allow :watch_tv_appearance
+  end
+end
+
+class President
+  def shake_hands
+    "shaking hands"
+  end
+
+  def high_five
+    "high five!"
+  end
+
+  def watch_tv_appearance
+    "I'm on your TV!"
+  end
+end
+
+class MichelleObama
+end
+
+class JoePublic
+end
+
+class JoeBiden
+  def who?
+    "it's me, Joe!"
+  end
+end
+
+class ObjectBouncerTest < Test::Unit::TestCase
+  context "keeping the president safe" do
+
+    setup do
+      @president = President.new
+    end
+
+    should "not let the public shake hands" do
+      joe_public = JoePublic.new
+      assert_raise ObjectBouncer::PermissionDenied do
+        SecretService.as(joe_public).on(@president).shake_hands
+      end
+    end
+
+    should "let the first lady get in close" do
+      first_lady = MichelleObama.new
+      assert_equal "shaking hands", SecretService.as(first_lady).on(@president).shake_hands
+    end
+
+    should "high five Biden" do
+      vice_pres = JoeBiden.new
+      assert_equal "high five!", SecretService.as(vice_pres).on(@president).high_five
+    end
+
+    should "not let the public high five" do
+      joe_public = JoePublic.new
+      assert_raise ObjectBouncer::PermissionDenied do
+        SecretService.as(joe_public).on(@president).high_five
+      end
+    end
+
+  end
+
+  context "going into complete lockdown" do
+
+    setup do
+      @president = President.new
+    end
+
+    should "deny everything by default" do
+      joe_public = JoePublic.new
+      assert_raise ObjectBouncer::PermissionDenied do
+        CoastGuard.as(joe_public).on(@president).high_five
+      end
+      assert_raise ObjectBouncer::PermissionDenied do
+        CoastGuard.as(joe_public).on(@president).shake_hands
+      end
+    end
+
+    should "allow if explictly said it's ok" do
+      joe_public = JoePublic.new
+      assert_equal "I'm on your TV!", CoastGuard.as(joe_public).on(@president).watch_tv_appearance
+    end
+  end
+
+  context "having a forgiving API" do
+
+    setup do
+      @president = President.new
+    end
+
+    should "let people chain methods either order" do
+      joe_public = JoePublic.new
+      assert_equal "I'm on your TV!", CoastGuard.as(joe_public).on(@president).watch_tv_appearance
+      assert_equal "I'm on your TV!", CoastGuard.on(@president).as(joe_public).watch_tv_appearance
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,9 @@
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require "objectbouncer"
+
+class Test::Unit::TestCase
+end

metadata

@@ -0,0 +1,74 @@
+--- !ruby/object:Gem::Specification 
+name: objectbouncer
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Glenn Gillen
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-03-07 00:00:00 +00:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: httparty
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        version: 0.6.1
+  type: :runtime
+  version_requirements: *id001
+description: ""
+email: glenn@rubypond.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- README.mdown
+- Rakefile
+- lib/objectbouncer/base.rb
+- lib/objectbouncer/errors.rb
+- lib/objectbouncer.rb
+- test/objectbouncer/base_test.rb
+- test/test_helper.rb
+has_rdoc: true
+homepage: http://github.com/rubypond/objectbouncer
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- .
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.6.0
+signing_key: 
+specification_version: 2
+summary: ""
+test_files: 
+- test/objectbouncer/base_test.rb
+- test/test_helper.rb