picky_guard 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: dae068b49826c41bc05bdfcc15ddb02cc31fe69c
+  data.tar.gz: 828592f4204f3cde8748ac1be0e61a56a4466525
+SHA512:
+  metadata.gz: 68bc8fbca4bd9931c65c2dfd5b5c1a08e83450b6f4974bdd5d132c3e57e7b45b3f8088d0ebc0225a507231dcdb278157d931495a036cee65206d29f7d33bb7fb
+  data.tar.gz: 800cba86587b463f310444fe3b15d9ea24bb28ccebc297a57abc1b72dc9c444c7648cf2df97bb3d9da62f032c8bac70eb3e47a87bcdd232cc87c51fe9783ef5b

data/.gitignore

@@ -0,0 +1,87 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/.idea/
+
+
+# Created by https://www.gitignore.io/api/rubymine
+
+### RubyMine ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Ruby plugin and RubyMine
+/.rakeTasks
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### RubyMine Patch ###
+# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
+
+# *.iml
+# modules.xml
+# .idea/misc.xml
+# *.ipr
+
+# Sonarlint plugin
+.idea/sonarlint
+
+
+# End of https://www.gitignore.io/api/rubymine
+
+# Created by https://www.gitignore.io/api/idea
+
+#!! ERROR: idea is undefined. Use list command to see defined gitignore types !!#
+
+
+# End of https://www.gitignore.io/api/idea

data/.rspec

@@ -0,0 +1 @@
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,16 @@
+Documentation:
+  Enabled: false
+Metrics/LineLength:
+  Max: 100
+Metrics/BlockLength:
+  Exclude:
+    - "**/*_spec.rb"
+Metrics/ModuleLength:
+  Exclude:
+    - "**/*_spec.rb"
+Metrics/MethodLength:
+  Max: 5
+  Exclude:
+    - "**/*_spec.rb"
+Metrics/ParameterLists:
+  Max: 4

data/.ruby-version

@@ -0,0 +1 @@
+2.4.1

data/CHANGELOG.md

@@ -0,0 +1,4 @@
+# Changelog
+
+## 0.1.0
+Initial deployment.

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in picky_guard.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,59 @@
+PATH
+  remote: .
+  specs:
+    picky_guard (0.1.0)
+      activerecord
+      cancancan
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (5.2.0)
+      activesupport (= 5.2.0)
+    activerecord (5.2.0)
+      activemodel (= 5.2.0)
+      activesupport (= 5.2.0)
+      arel (>= 9.0)
+    activesupport (5.2.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (9.0.0)
+    cancancan (2.2.0)
+    concurrent-ruby (1.0.5)
+    diff-lcs (1.3)
+    i18n (1.0.0)
+      concurrent-ruby (~> 1.0)
+    minitest (5.11.3)
+    rake (10.5.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.1)
+    sqlite3 (1.3.13)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  picky_guard!
+  rake (~> 10.0)
+  rspec (~> 3.2)
+  sqlite3
+
+BUNDLED WITH
+   1.16.1

data/README.md

@@ -0,0 +1,285 @@
+# PickyGuard
+
+PickyGuard is an opinionated authorization library which wraps [CanCanCan](https://github.com/CanCanCommunity/cancancan).
+
+This library helps to write authorization policies in an opinionated hierarchy.
+
+Briefly,
+* **User** has many **roles**.
+* Each **role** has many **policies**.
+* Each **policy** has many **statements** describing which **actions** has what **effect** on which **resources**.
+
+For example,
+* User `Paul` has a role named `CampaignManager`.
+* The role `CampaignManager` has a policy named `crud_all_campaigns`.
+* The policy `crud_all_campaigns` means,
+  * Actions : `[:read, :update, :create, :delete]` are
+  * Effect : `Allow`ed
+  * Resources : for `All campaigns under user's company`.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'picky_guard'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install picky_guard
+
+## Usage
+
+To generate initial files, execute:
+
+```
+$ rails generate picky_guard:install
+```
+
+This will create the following files:
+
+```
+app/
+  - models/
+    - ability.rb
+  - picky_guard/
+    - role_policies.rb
+    - resource_actions.rb
+    - user_role_checker.rb
+```
+
+## Generated Files
+
+### ability.rb
+
+The generated file is like this:
+
+```ruby
+class Ability < PickyGuard::Loader
+  def initialize(user)
+    adjust(user, UserRoleChecker, ResourceActions, RolePolicies)
+  end
+end
+```
+
+Normally, you don't have to do anything about it.
+
+### user_role_checker.rb
+
+The generated file is like this:
+
+```ruby
+class UserRoleChecker < PickyGuard::UserRoleChecker
+  def self.check(user, role)
+    # ...
+  end
+end
+```
+
+This class defines the way to check if user has specific role. It assumes some roles already have been given to the user somehow.
+
+You can implement this on your own, or if you're using a gem like [rolify](https://github.com/RolifyCommunity/rolify), then it should be like this:
+
+```ruby
+class UserRoleChecker < PickyGuard::UserRoleChecker
+  def self.check(user, role)
+    user.has_role? role
+  end
+end
+```
+
+### resource_actions.rb
+
+The generated file is like this:
+
+```ruby
+class ResourceActions < PickyGuard::ResourceActions
+  def initialize
+    map(Report, [:create, :read, :update, :delete])
+  end
+end
+```
+
+This class defines which resource can have which actions. Actions can be an array of either `String` or `Symbol`.
+
+By defining this, you can explicitly manage list of actions per resource and filter out unexpected and unknown actions.
+
+### role_policies.rb
+
+The generated file is like this:
+
+```ruby
+class RolePolicies < PickyGuard::RolePolicies
+  def initialize
+    map(:role_report_manager, [ManageAllReports])
+    # map(:role_report_reader, [AnotherPolicy])
+  end
+end
+```
+
+This class defines which role has which policies. From the example code above, we could assume there is a role named `:role_report_manager` and it has one policy named `ManageAllReports`.
+
+Then how do we define policy?
+
+## Defining Policies
+
+To generate new policy, execute this:
+
+```
+$ rails generate picky_guard:policy manage_all_reports
+```
+
+From the command line, name should be underscored. Otherwise, it will raise an error.
+
+Once created, you will find the policy file under `app/picky_guard/policies/`.
+
+If you get to have many policies, you can group them into a folder like this:
+
+```
+$ rails generate picky_guard:policy reports/manage_all_reports
+```
+
+Then it will generate `app/picky_guard/policies/reports/manage_all_reports.rb`.
+
+The generated file is like this:
+
+```ruby
+class ManageAllReports < PickyGuard::Policy
+  def initialize(current_user)
+    statement_for Campaign do
+      allow
+      actions [:create]
+      conditions({})
+    end
+
+    statement_for Campaign do
+      allow
+      actions [:create]
+      class_resource
+    end
+  end
+end
+```
+
+`register` method takes a parameter and a block.
+* The parameter is a resource class. It should extend `ActiveRecord::Base`.
+* The block consists of simple DSL, describing the statement.
+
+### Building Statement
+
+There are two types of resources: `instance resource` and `class resource`.
+
+```ruby
+can? :read, Campaign.first    # Checking permission against an instance resource
+
+can? :create, Campaign        # Checking permission against a class resource
+```
+
+### Instance Resource
+
+In case of `instance resource`, we need
+* effect(`allow` or `deny`)
+* actions
+* conditions
+
+```ruby
+statement_for Campaign do  # Instances of `Campaign` are the resources.
+  allow                    # Possibly `deny` instead of `allow`. If omitted, it's `allow` by default.
+  actions [:create]        # Array of `string` or `symbol`.
+  instance_resource        # If omitted, it's an instance resource by default.
+  conditions({})
+end
+```
+
+In a short way,
+
+```ruby
+statement_for Campaign do
+  actions [:create]
+  conditions({})
+end
+```
+
+### Class Resource
+
+In case of `class resource`, we need
+* effect
+* actions
+* class_resource
+
+```ruby
+statement_for Campaign do  # `Campaign` is the resource.
+  allow                    # Possibly `deny` instead of `allow`. If omitted, it's `allow` by default.
+  actions [:create]        # Array of `string` or `symbol`.
+  class_resource           # You need this explicit declaration when it comes to a class resource.
+end
+```
+
+You cannot specify any conditions on class resource.
+
+In a short way,
+
+```ruby
+statement_for Campaign do
+  actions [:create]
+  class_resource
+end
+```
+
+### `conditions` on instance resource
+
+`conditions` is a hash. This is directly used to query database, so it should be real database column names. You can refer to `Hash of Conditions` section from [Defining Abilities - CanCanCan](https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities#hash-of-conditions).
+
+When things are too complicated and it's hard to express it a hash, then there's a little detour.
+
+```ruby
+ids = extract_campaign_ids_somehow
+statement_for Campaign do
+  actions [:create]
+  conditions({ id: ids })
+end
+```
+
+First, you can extract ids or other values through some complicated business logic of yours. Then, pass it to conditions like the above.
+
+However we can make this better by wrapping the conditions with `proc`. This enables lazy-loading.
+
+```ruby
+statement_for Campaign do
+  actions [:create]
+  conditions(proc {
+    ids = extract_campaign_ids_somehow
+
+    { id: ids }
+  })
+end
+```
+
+So basically this `conditions` method takes `a hash` or `a proc returning a hash` as a parameter.
+
+## Using `Ability`
+
+You can use `Ability` class just as you did with `CanCanCan`. The constructor takes one parameter: `user`.
+
+With `PickyGuard`, you can pass optional second parameter which is `resource`.
+
+```ruby
+Ability.new(user, Campaign).can? :read, Campaign.first
+```
+
+This will load only relevant policies.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/eunjae-lee/picky_guard.

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+task default: :spec

data/bin/console

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'picky_guard'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/db/schema.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+ActiveRecord::Schema.define do
+  create_table 'apps', force: true do |t|
+    t.integer 'status1'
+    t.integer 'status2'
+    t.integer 'status3'
+  end
+
+  create_table 'campaigns', force: true do
+  end
+end

data/lib/generators/picky_guard/install_generator.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module PickyGuard
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      # rubocop:disable Metrics/LineLength
+      def generate_install
+        copy_file 'ability.rb', 'app/models/ability.rb'
+        copy_file 'role_policies.rb', 'app/picky_guard/role_policies.rb'
+        copy_file 'resource_actions.rb', 'app/picky_guard/resource_actions.rb'
+        copy_file 'user_role_checker.rb', 'app/picky_guard/user_role_checker.rb'
+      end
+      # rubocop:enable Metrics/LineLength
+    end
+  end
+end

data/lib/generators/picky_guard/policy_generator.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module PickyGuard
+  module Generators
+    class PolicyGenerator < Rails::Generators::NamedBase
+      source_root File.expand_path('../templates', __FILE__)
+
+      desc 'Generates a policy with the given NAME'
+
+      def generate_policy
+        return unless validate_name(name)
+        create_file dest_path(name), content(name)
+      end
+
+      private
+
+      def dest_path(name)
+        "app/picky_guard/policies/#{name}.rb"
+      end
+
+      def content(name)
+        class_name = class_name(name)
+        puts "class_name : #{class_name}"
+        path = File.join(File.expand_path('../templates', __FILE__), 'policy.rb.erb')
+        ERB.new(File.read(path)).result binding
+      end
+
+      def class_name(name)
+        name.split('/').last.camelize
+      end
+
+      def validate_name(name)
+        return true if underscored?(name)
+        puts_name_requirement(name)
+      end
+
+      def puts_name_requirement(name)
+        puts ''
+        puts 'Name should be underscored'
+        puts "Expected : #{name.underscore}"
+        puts "Actual : #{name}"
+      end
+
+      def underscored?(name)
+        name.underscore == name
+      end
+    end
+  end
+end

data/lib/generators/picky_guard/templates/ability.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'picky_guard/loader'
+
+class Ability < PickyGuard::Loader
+  def initialize(user)
+    adjust(user, UserRoleChecker, ResourceActions, RolePolicies)
+  end
+end

data/lib/generators/picky_guard/templates/policy.rb.erb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'picky_guard/policy'
+
+class <%= class_name %> < PickyGuard::Policy
+  def initialize(current_user)
+    # register(App, proc {
+    #   PickyGuard::StatementBuilder.new
+    #       .allow
+    #       .actions(%w[Create Read Update Delete])
+    #       .resource(App)
+    #       .conditions({})
+    #       .build
+    # })
+
+    # register(Campaign, PickyGuard::StatementBuilder.new
+    #                                                .allow
+    #                                                .actions(%w[Create])
+    #                                                .class_resource(Campaign)
+    #                                                .build)
+  end
+end

data/lib/generators/picky_guard/templates/resource_actions.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'picky_guard/resource_actions'
+
+class ResourceActions < PickyGuard::ResourceActions
+  def initialize
+    # map(Report, %w[Create Read Update Delete])
+
+    # [App, Campaign].each do |resource|
+    #   map(resource, %w[Create Read Update])
+    # end
+  end
+end

data/lib/generators/picky_guard/templates/role_policies.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'picky_guard/role_policies'
+
+class RolePolicies < PickyGuard::RolePolicies
+  def initialize
+    map(:role_report_manager, [ManageAllReports])
+    # map(:role_report_reader, [AnotherPolicy])
+  end
+end

data/lib/generators/picky_guard/templates/user_role_checker.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'picky_guard/user_role_checker'
+
+class UserRoleChecker < PickyGuard::UserRoleChecker
+  def self.check(user, role)
+    # ...
+  end
+end

data/lib/picky_guard/loader.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'cancancan'
+
+module PickyGuard
+  class Loader
+    include CanCan::Ability
+
+    def initialize(user, *resources_whitelist)
+      @resources_whitelist = resources_whitelist
+    end
+
+    def adjust(user, user_role_checker_class, resource_actions_class, role_policies_class)
+      validate_parameters(user_role_checker_class, resource_actions_class, role_policies_class)
+      policies = gather_policies(user, user_role_checker_class, role_policies_class.new)
+      statements = gather_statements(user, policies, resource_actions_class.new)
+      adjust_statements(statements)
+    end
+
+    private
+
+    def validate_parameters(user_role_checker_class, resource_actions_class, role_policies_class)
+      raise ArgumentError unless user_role_checker_class < PickyGuard::UserRoleChecker
+      raise ArgumentError unless role_policies_class < PickyGuard::RolePolicies
+      raise ArgumentError unless resource_actions_class < PickyGuard::ResourceActions
+    end
+
+    def adjust_statements(statements)
+      statements.each do |statement|
+        adjust_statement(statement)
+      end
+    end
+
+    def adjust_statement(statement)
+      statement.actions.each do |action|
+        rule = build_rule(action, statement)
+        add_rule(rule)
+      end
+    end
+
+    def build_rule(action, statement)
+      conditions = eval_conditions_if_needed(statement)
+      CanCan::Rule.new(positive?(statement.effect), action, statement.resource, conditions, nil)
+    end
+
+    def eval_conditions_if_needed(statement)
+      if statement.conditions.is_a? Proc
+        statement.conditions.call
+      else
+        statement.conditions
+      end
+    end
+
+    def positive?(effect)
+      effect == Statement::EFFECT_ALLOW
+    end
+
+    def gather_policies(user, user_role_checker_class, role_policies)
+      role_policies.roles
+                   .select { |role| user_role_checker_class.check(user, role) }
+                   .map { |role| role_policies.policies_for(role) }
+                   .flatten
+    end
+
+    def gather_statements(user, policies, resource_actions)
+      policies.map { |policy_class| policy_class.new(user) }
+              .map do |policy|
+                statements = policy.statements(@resources_whitelist)
+                validate_statements!(resource_actions, statements)
+              end.flatten
+    end
+
+    def validate_statements!(resource_actions, statements)
+      statements.each do |statement|
+        validate_statement!(resource_actions, statement)
+      end
+      statements
+    end
+
+    def validate_statement!(resource_actions, statement)
+      statement.actions.each do |action|
+        valid = resource_actions.action_exist?(statement.resource, action)
+        raise 'Unknown action!' unless valid
+      end
+      statement
+    end
+  end
+end

data/lib/picky_guard/path_helper.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module PickyGuard
+  class PathHelper
+    def self.user_project_path
+      Dir.pwd
+    end
+
+    def self.lib_path
+      File.expand_path(File.join(project_root, 'lib'))
+    end
+
+    def self.project_root
+      File.expand_path(File.join(File.dirname(__FILE__), '../..'))
+    end
+  end
+end

data/lib/picky_guard/policy.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'picky_guard/validator'
+require 'picky_guard/statement_proxy'
+
+module PickyGuard
+  class Policy
+    def initialize(current_user)
+      # do nothing here
+    end
+
+    def statements(resource_whitelist)
+      @cached_statements ||= gather_statements(resource_whitelist)
+    end
+
+    def statement_for(resource, &statement_definition)
+      proxy = StatementProxy.new(resource)
+      proxy.instance_eval(&statement_definition)
+      register(resource, proxy.build)
+    end
+
+    private
+
+    def register(resource, statement)
+      safe_array << [resource, statement]
+      @cached_statements = nil
+    end
+
+    def gather_statements(resource_whitelist)
+      filtered_array(resource_whitelist).map do |_resource, statement|
+        Validator.validate_statement!(statement)
+      end
+    end
+
+    def filtered_array(resource_whitelist)
+      return safe_array if resource_whitelist.empty?
+
+      safe_array.select { |item| resource_whitelist.include? item[0] }
+    end
+
+    def safe_array
+      (@statements ||= [])
+    end
+  end
+end

data/lib/picky_guard/resource_actions.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'picky_guard/validator'
+
+module PickyGuard
+  class ResourceActions
+    def map(resource, actions)
+      validate_parameters(actions, resource)
+      safe_hash[resource] = actions
+    end
+
+    def action_exist?(resource, action)
+      raise 'Unknown resource!' if safe_hash[resource].nil?
+      safe_hash[resource].include? action
+    end
+
+    private
+
+    def safe_hash
+      (@map ||= {})
+    end
+
+    def validate_parameters(actions, resource)
+      Validator.validate_resource_class!(resource)
+      Validator.validate_all_actions!(actions)
+    end
+  end
+end

data/lib/picky_guard/role_policies.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'picky_guard/validator'
+
+module PickyGuard
+  class RolePolicies
+    def map(role, policies)
+      validate_parameters(policies, role)
+      safe_map[role] = policies
+    end
+
+    def roles
+      safe_map.keys
+    end
+
+    def policies_for(role)
+      safe_map[role]
+    end
+
+    private
+
+    def safe_map
+      (@map ||= {})
+    end
+
+    def validate_parameters(policies, role)
+      Validator.validate_all_policy_classes!(policies)
+      Validator.validate_role!(role)
+    end
+  end
+end

data/lib/picky_guard/statement.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'picky_guard/validator'
+
+module PickyGuard
+  class Statement
+    attr_reader :effect, :actions, :resource, :conditions
+
+    EFFECT_ALLOW = :allow
+    EFFECT_DENY = :deny
+    EFFECTS = [EFFECT_ALLOW, EFFECT_DENY].freeze
+
+    RESOURCE_TYPE_INSTANCE = :instance
+    RESOURCE_TYPE_CLASS = :class
+
+    def initialize(effect, actions, resource, conditions)
+      @effect = effect
+      @actions = actions
+      @resource = resource
+      @conditions = conditions
+    end
+
+    def allow?
+      @effect == EFFECT_ALLOW
+    end
+
+    def deny?
+      @effect == EFFECT_DENY
+    end
+  end
+end

data/lib/picky_guard/statement_proxy.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'picky_guard/statement'
+
+module PickyGuard
+  class StatementProxy
+    def initialize(resource)
+      @resource = resource
+      allow
+      instance_resource
+    end
+
+    def allow
+      @effect = PickyGuard::Statement::EFFECT_ALLOW
+    end
+
+    def deny
+      @effect = PickyGuard::Statement::EFFECT_DENY
+    end
+
+    def actions(actions)
+      @actions = actions
+    end
+
+    def conditions(conditions)
+      @conditions = conditions
+    end
+
+    def instance_resource
+      @resource_type = PickyGuard::Statement::RESOURCE_TYPE_INSTANCE
+    end
+
+    def class_resource
+      @resource_type = PickyGuard::Statement::RESOURCE_TYPE_CLASS
+    end
+
+    def validate!
+      Validator.validate_effect!(@effect)
+      Validator.validate_all_actions!(@actions)
+      Validator.validate_resource_class!(@resource)
+      Validator.validate_conditions!(@conditions) if instance_resource?
+    end
+
+    def build
+      validate!
+      build_statement
+    end
+
+    private
+
+    def build_statement
+      PickyGuard::Statement.new(@effect, @actions, @resource, conditions_or_nil)
+    end
+
+    def conditions_or_nil
+      @conditions if instance_resource?
+    end
+
+    def instance_resource?
+      @resource_type == PickyGuard::Statement::RESOURCE_TYPE_INSTANCE
+    end
+  end
+end

data/lib/picky_guard/user_role_checker.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module PickyGuard
+  class UserRoleChecker
+    def self.check(user, role)
+      raise 'fill me'
+    end
+  end
+end

data/lib/picky_guard/validator.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'picky_guard/statement'
+require 'picky_guard/policy'
+
+module PickyGuard
+  class Validator
+    def self.valid_resource_class?(resource)
+      child_and_parent?(resource, ActiveRecord::Base)
+    end
+
+    def self.valid_role?(role)
+      role.is_a?(Symbol) || role.is_a?(String)
+    end
+
+    def self.valid_statement?(statement)
+      statement.is_a? PickyGuard::Statement
+    end
+
+    def self.valid_action?(action)
+      action.is_a?(Symbol) || action.is_a?(String)
+    end
+
+    def self.all_valid_actions?(actions)
+      return false unless actions.is_a? Array
+      actions.all? do |action|
+        valid_action?(action)
+      end
+    end
+
+    def self.valid_policy?(policy)
+      child_and_parent?(policy, PickyGuard::Policy)
+    end
+
+    def self.all_valid_policy_classes?(policies)
+      return false unless policies.is_a? Array
+      policies.all? do |policy|
+        valid_policy?(policy)
+      end
+    end
+
+    def self.valid_conditions?(conditions)
+      conditions.instance_of?(Hash) || conditions.instance_of?(Proc)
+    end
+
+    def self.child_and_parent?(child_class, parent_class)
+      child_class < parent_class
+    end
+
+    def self.valid_effect?(effect)
+      PickyGuard::Statement::EFFECTS.include? effect
+    end
+
+    def self.validate_statement!(statement)
+      raise ArgumentError, 'Invalid Statement' unless Validator.valid_statement?(statement)
+      statement
+    end
+
+    def self.validate_resource_class!(resource)
+      raise ArgumentError, 'Invalid Resource' unless Validator.valid_resource_class?(resource)
+      resource
+    end
+
+    def self.validate_all_actions!(actions)
+      raise ArgumentError, 'Invalid actions' unless Validator.all_valid_actions?(actions)
+      actions
+    end
+
+    def self.validate_all_policy_classes!(policies)
+      raise ArgumentError, 'Invalid policies' unless Validator.all_valid_policy_classes?(policies)
+      policies
+    end
+
+    def self.validate_role!(role)
+      raise ArgumentError, 'Invalid roles' unless Validator.valid_role?(role)
+      role
+    end
+
+    def self.validate_conditions!(conditions)
+      raise ArgumentError, 'Invalid conditions' unless Validator.valid_conditions?(conditions)
+      conditions
+    end
+
+    def self.validate_effect!(effect)
+      raise ArgumentError, 'Invalid effect' unless Validator.valid_effect?(effect)
+      effect
+    end
+  end
+end

data/lib/picky_guard/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module PickyGuard
+  VERSION = '0.1.0'
+end

data/lib/picky_guard.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'picky_guard/version'
+
+module PickyGuard
+  # Your code goes here...
+end

data/picky_guard.gemspec

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'picky_guard/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'picky_guard'
+  spec.version       = PickyGuard::VERSION
+  spec.authors       = ['Eunjae Lee']
+  spec.email         = ['karis612@gmail.com']
+
+  spec.summary       = 'PickyGuard is an opinionated authorization library.'
+  spec.description   = spec.description
+  spec.homepage      = 'https://github.com/eunjae-lee/picky_guard'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'activerecord'
+  spec.add_dependency 'cancancan'
+
+  spec.add_development_dependency 'bundler', '~> 1.16'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.2'
+  spec.add_development_dependency 'sqlite3'
+end

metadata

@@ -0,0 +1,158 @@
+--- !ruby/object:Gem::Specification
+name: picky_guard
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Eunjae Lee
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-04-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cancancan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ''
+email:
+- karis612@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- db/schema.rb
+- lib/generators/picky_guard/install_generator.rb
+- lib/generators/picky_guard/policy_generator.rb
+- lib/generators/picky_guard/templates/ability.rb
+- lib/generators/picky_guard/templates/policy.rb.erb
+- lib/generators/picky_guard/templates/resource_actions.rb
+- lib/generators/picky_guard/templates/role_policies.rb
+- lib/generators/picky_guard/templates/user_role_checker.rb
+- lib/picky_guard.rb
+- lib/picky_guard/loader.rb
+- lib/picky_guard/path_helper.rb
+- lib/picky_guard/policy.rb
+- lib/picky_guard/resource_actions.rb
+- lib/picky_guard/role_policies.rb
+- lib/picky_guard/statement.rb
+- lib/picky_guard/statement_proxy.rb
+- lib/picky_guard/user_role_checker.rb
+- lib/picky_guard/validator.rb
+- lib/picky_guard/version.rb
+- picky_guard.gemspec
+homepage: https://github.com/eunjae-lee/picky_guard
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: PickyGuard is an opinionated authorization library.
+test_files: []