policier 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4f772e41751bc6c685d9f0eb2bfa2690979e58657cdc81b596f2be976d9610c9
+  data.tar.gz: 2eea37673f5297331a41eacc79ad3279de900a3e359fef5d4f0debcf81e4edbf
+SHA512:
+  metadata.gz: 8e163c80ec8a5a9257b5ca86291a1891c43e1aac5f6ce49eea3aa7264d67eb3e1ab8c33a18a8dab8ce832628bd88241029b6c18bb8c1b4cc23f14663023e54c8
+  data.tar.gz: 747fbf5ae7fe59199397531fafea6a62641bb1307013ae798b72e7d512a2f08a20edd2c0d6162ac9e1c3a14f397d641d8dc3f60a9f74ba83e3158f4f1ff5e6b4

data/.editorconfig

@@ -0,0 +1,5 @@
+[*.{rb,rake}]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2

data/.rubocop.yml

@@ -0,0 +1,27 @@
+AllCops:
+  TargetRubyVersion: 3.0
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes
+
+Layout/FirstArrayElementIndentation:
+  EnforcedStyle: consistent
+
+Layout/FirstHashElementIndentation:
+  EnforcedStyle: consistent
+
+Style/Documentation:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - test/**/*

data/.ruby-version

@@ -0,0 +1 @@
+3.3.0

data/.vscode/settings.json

@@ -0,0 +1,6 @@
+{
+  "[ruby]": {
+    "editor.defaultFormatter": "misogi.ruby-rubocop",
+    "editor.formatOnSave": false
+  },
+}

data/README.md

@@ -0,0 +1,72 @@
+# Policier
+
+A gem to build ACL policies with style. Comparing to Pundit and Cancan, the gem tries to focus on DSL and structure to enforce writing ACLS in the way you can read them afterwards.
+Policier consists of two big sections:
+
+## Conditions
+
+```ruby
+# Activates whe current user is super
+class SuperuserCondition < Policier::Condition
+    self.data = Struct.new(:authorized_at)
+
+    # This is the main check, it's happenuing always when any policy
+    # is applied against the context (from controller or GraphQL)
+    #
+    # If it's veritied, condition is activated and causes extension
+    # of access rights (see below)
+    verify_with do
+        fail! if payload[:user].blank?
+        fail! unless payload[:user].is_superadmin
+
+        # This is not very useful since data is located next to payload
+        # so this is only here as an example
+        data[:authorized_at] = context[:user].authorized_at
+    end
+
+    # Additional check that can be quuickly used on top of verified
+    # condition to make conditions anagement more flexible.
+    # Think of it as of a Trait in FactoryBot
+    also_ensure(:it_wasnt_thursday) do |important_date|
+        fail! if important_date.wday == 3
+    end
+
+    # You can nhave as many as you want
+    also_ensure(:it_was_thursday) do |important_date|
+        fail! unless important_date.wday == 3
+    end
+end
+```
+
+## Policies
+
+```ruby
+# Creates a dynamic scope over Person model that starts withb Person.none
+# and extends when conditions activate
+
+class PersonPolicy < Policier::Policy
+    scope(Person) do
+        # Collector argument allows you to propagate values you had during
+        # condition verification into actual policy
+        allow SuperuserCondition.and_it_wasnt_thursday(2.weeks.ago)
+            scope where(id: 5000)
+            scope where(id: 6000)
+        end
+
+        # This syntax allows you to combine several conditions and it runs
+        # if  any of them activated for eahc of them
+        allow SuperuserCondition | AnotherCnndition
+            scope where('id < 1000')
+        end
+
+        # Thirsdays are the best
+        allow SuperuserCondition.and_it_was_thursday(2.weeks.ago)
+            scope all
+        end
+    end
+end
+```
+
+As the outcome of this policy, if no conditions activate, `Person.count`
+will be 0. And the every activated condition triggers `to` that get merged
+and you get access to all of parts of relational scope.

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[test rubocop]

data/lib/policier/condition.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require "dry/inflector"
+
+require_relative "condition_union"
+
+module Policier
+  module ConditionResolve
+    def resolve
+      Context.current.ensure_condiiton(self)
+    end
+
+    def union
+      resolve.union
+    end
+
+    def |(other)
+      union | other
+    end
+  end
+
+  class Condition
+    class FailedException < StandardError; end
+
+    extend ConditionResolve
+
+    class << self
+      attr_accessor :data_class
+    end
+
+    attr_reader :data
+
+    def initialize
+      @context = Context.current
+      @data = @context.init_data(self.class, self.class.data_class) if self.class.data_class.present?
+      @failed = false
+      @executed = false
+    end
+
+    def depend_on!(condition_klass)
+      condition = condition_klass.resolve
+      return fail! if condition.failed?
+
+      condition.data
+    end
+
+    def fail!
+      raise FailedException
+    end
+
+    def payload
+      @context.payload
+    end
+
+    def failed?
+      @failed
+    end
+
+    def verify
+      return self if @executed
+
+      @failed ||= !instance_exec_with_failures(&self.class.verification_block)
+      @executed = true
+      self
+    end
+
+    def override!(failing: false, data_replacement: {})
+      @failed = failing
+      @executed = true
+      data_replacement.each { |k, v| data[k] = v }
+      self
+    end
+
+    def instance_exec_with_failures(*args, &block)
+      instance_exec(*args, &block)
+      true
+    rescue FailedException
+      false
+    end
+
+    def union
+      ConditionUnion.new(self)
+    end
+
+    class << self
+      attr_reader :verification_block
+      attr_accessor :collector
+
+      def verify_with(&block)
+        @verification_block = block
+      end
+
+      def also_ensure(name, &block)
+        define_method :"and_#{name}" do |data|
+          @failed ||= !instance_exec_with_failures(data, &block)
+          self
+        end
+      end
+
+      def handle
+        Dry::Inflector.new.underscore(name).gsub("/", "_").to_sym
+      end
+    end
+  end
+end

data/lib/policier/condition_union.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Policier
+  class ConditionUnion
+    attr_reader :conditions, :context
+
+    def initialize(*conditions)
+      @context = Context.current
+      @conditions = []
+      conditions.each { |c| self | c }
+    end
+
+    def |(other)
+      other = other.resolve if other.is_a?(Class)
+      @conditions << other
+      self
+    end
+
+    def union
+      self
+    end
+
+    def payload
+      @context.payload
+    end
+  end
+end

data/lib/policier/context.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "dry/inflector"
+
+require_relative "condition_union"
+
+module Policier
+  class Context
+    class NotInScopeException < StandardError; end
+    class ScopeStartedEvaluation < StandardError; end
+    class DuplicatePayloadKey < StandardError; end
+
+    THREAD_CURRENT_KEY = :policier_context_current
+
+    class << self
+      def current
+        raise NotInScopeException unless Thread.current[THREAD_CURRENT_KEY]
+
+        Thread.current[THREAD_CURRENT_KEY]
+      end
+
+      def scope(payload = {})
+        if Thread.current[THREAD_CURRENT_KEY].present? && Context.current.evaluation_started?
+          raise ScopeStartedEvaluation
+        end
+
+        if Thread.current[THREAD_CURRENT_KEY].blank?
+          Thread.current[THREAD_CURRENT_KEY] = new(payload)
+        else
+          raise ScopeStartedEvaluation if Context.current.evaluation_started? && payload.any?
+
+          Context.current.payload.merge!(payload)
+        end
+
+        yield
+      ensure
+        Thread.current[THREAD_CURRENT_KEY] = nil
+      end
+    end
+
+    attr_reader :payload
+
+    def initialize(payload)
+      @payload = payload
+      @conditions = {}
+      @data = {}
+    end
+
+    def init_data(condition_class, data_class)
+      @data[condition_class] = data_class.new
+    end
+
+    def mock_condition(*condtion_classes, failed: false, data_replacement: {})
+      condtion_classes.each do |condition_class|
+        @condition[condition_class] ||= condition_class.new.iverride!(
+          failed: failed,
+          data_replacement: data_replacement
+        )
+      end
+    end
+
+    def evaluation_started?
+      @conditions.present?
+    end
+
+    def ensure_condiiton(condition_class)
+      @conditions[condition_class] ||= condition_class.new.verify
+    end
+  end
+end

data/lib/policier/policy.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require_relative "runner"
+
+module Policier
+  class Policy
+    extend Runner::DSL
+  end
+end

data/lib/policier/runner.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "dry/inflector"
+
+require_relative "condition_union"
+
+module Policier
+  class Runner
+    module DSL
+      def self.extended(_base)
+        attr_reader :model
+      end
+
+      def scope(model, &block)
+        @model = model
+        @scope = block
+      end
+
+      def run
+        runner = Runner.new(self)
+        runner.instance_eval(&@scope)
+        runner.scope_union
+      end
+    end
+
+    attr_reader :scope_union
+
+    def initialize(policy)
+      @policy = policy
+      @scope_union = ScopeUnion.new(policy.model)
+    end
+
+    def allow(condition_union, &block)
+      condition_union.union.conditions.each do |condition|
+        next if condition.failed?
+
+        @scope_union.instance_exec(condition, &block)
+      end
+    end
+  end
+end

data/lib/policier/scope_union.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Policier
+  class ScopeUnion
+    attr_reader :relation
+
+    def initialize(model = nil)
+      @context = Context.current
+      @model = model
+      @relation = model.none if model.present?
+      @visible = false
+      @allowed_methods = Set.new
+    end
+
+    def can?(method)
+      @allowed_methods.include?(method)
+    end
+
+    def visible?
+      @visible
+    end
+
+    def view
+      @visible = true
+    end
+
+    def scope(update)
+      @relation = @relation.or(update)
+    end
+
+    def exec(method)
+      @allowed_methods.add(method)
+    end
+
+    def payload
+      @context.payload
+    end
+  end
+end

data/lib/policier/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Policier
+  VERSION = "0.1.0"
+end

data/lib/policier.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+# frozen_string_literal: tue
+
+require_relative "policier/version"
+require_relative "policier/context"
+require_relative "policier/policy"
+require_relative "policier/runner"
+require_relative "policier/condition"
+require_relative "policier/condition_union"
+require_relative "policier/scope_union"
+
+module Policier
+  class Error < StandardError; end
+  # Your code goes here...
+end

data/sig/policier.rbs

@@ -0,0 +1,4 @@
+module Policier
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: policier
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Boris Staal
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-04-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-inflector
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+description:
+email:
+- boris@staal.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".editorconfig"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".vscode/settings.json"
+- README.md
+- Rakefile
+- lib/policier.rb
+- lib/policier/condition.rb
+- lib/policier/condition_union.rb
+- lib/policier/context.rb
+- lib/policier/policy.rb
+- lib/policier/runner.rb
+- lib/policier/scope_union.rb
+- lib/policier/version.rb
+- sig/policier.rbs
+homepage: https://github.com/inossidabile/policier
+licenses: []
+metadata:
+  homepage_uri: https://github.com/inossidabile/policier
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.3
+signing_key:
+specification_version: 4
+summary: The policier
+test_files: []