policy_machine 0.0.1

data/lib/policy_machine/association.rb

@@ -0,0 +1,73 @@
+module PM
+  class Association
+    attr_accessor :user_attribute
+    attr_accessor :operation_set
+    attr_accessor :object_attribute
+
+    def initialize(stored_user_attribute, stored_operation_set, stored_object_attribute, pm_storage_adapter)
+      @user_attribute = PM::PolicyElement.convert_stored_pe_to_pe(
+        stored_user_attribute,
+        pm_storage_adapter,
+        PM::UserAttribute
+      )
+
+      @operation_set = Set.new
+      stored_operation_set.each do |stored_op|
+        op = PM::PolicyElement.convert_stored_pe_to_pe(
+          stored_op,
+          pm_storage_adapter,
+          PM::Operation
+        )
+        @operation_set << op
+      end
+
+      @object_attribute = PM::PolicyElement.convert_stored_pe_to_pe(
+        stored_object_attribute,
+        pm_storage_adapter,
+        PM::ObjectAttribute
+      )
+    end
+
+    # Returns true if the operation set of this association includes the given operation.
+    #
+    def includes_operation?(operation)
+      # Note:  operation_set.member? isn't calling PM::PolicyElement ==
+      operation_set.any?{ |op| op == operation }
+    end
+
+    # Create an association given persisted policy elements
+    #
+    def self.create(user_attribute_pe, operation_set, object_attribute_pe, policy_machine_uuid, pm_storage_adapter)
+      # argument errors for user_attribute_pe
+      raise(ArgumentError, "user_attribute_pe must be a UserAttribute.") unless user_attribute_pe.is_a?(PM::UserAttribute)
+      unless user_attribute_pe.policy_machine_uuid == policy_machine_uuid
+        raise(ArgumentError, "user_attribute_pe must be in policy machine with uuid #{policy_machine_uuid}")
+      end
+
+      # argument errors for operation_set
+      raise(ArgumentError, "operation_set must be a Set of Operations") unless operation_set.is_a?(Set)
+      raise(ArgumentError, "operation_set must not be empty") if operation_set.empty?
+      operation_set.each do |op|
+        unless op.is_a?(PM::Operation)
+          raise(ArgumentError, "expected #{op} to be PM::Operation; got #{op.class}")
+        end
+        unless op.policy_machine_uuid == policy_machine_uuid
+          raise(ArgumentError, "expected #{op.unique_identifier} to be in Policy Machine with uuid #{policy_machine_uuid}; got #{op.policy_machine_uuid}")
+        end
+      end
+
+      # argument errors for object_attribute_pe
+      raise(ArgumentError, "object_attribute_pe must be an ObjectAttribute.") unless object_attribute_pe.is_a?(PM::ObjectAttribute)
+      unless object_attribute_pe.policy_machine_uuid == policy_machine_uuid
+        raise(ArgumentError, "object_attribute_pe must be in policy machine with uuid #{policy_machine_uuid}")
+      end
+
+      new_assoc = pm_storage_adapter.add_association(
+        user_attribute_pe.stored_pe,
+        operation_set.map(&:stored_pe),
+        object_attribute_pe.stored_pe,
+        policy_machine_uuid
+      )
+    end
+  end
+end

data/lib/policy_machine/policy_element.rb

@@ -0,0 +1,269 @@
+module PM
+
+  # A generic policy element in a policy machine.
+  # A policy element can be a user, user attribute, object, object attribute
+  # or operation set.
+  # This is an abstract base class and should not itself be instantiated.
+  class PolicyElement
+    attr_accessor   :unique_identifier
+    attr_accessor   :policy_machine_uuid
+    attr_accessor   :stored_pe
+    attr_accessor   :extra_attributes
+
+    ##
+    # Create a new policy element with the given name and type.
+    def initialize(unique_identifier, policy_machine_uuid, pm_storage_adapter, stored_pe = nil, extra_attributes = {})
+      @unique_identifier = unique_identifier.to_s
+      @policy_machine_uuid = policy_machine_uuid.to_s
+      @pm_storage_adapter = pm_storage_adapter
+      @stored_pe = stored_pe
+      @extra_attributes = extra_attributes
+      methodize_extra_attributes!
+    end
+
+    ##
+    # Determine if self is connected to other node
+    def connected?(other_pe)
+      @pm_storage_adapter.connected?(self.stored_pe, other_pe.stored_pe)
+    end
+
+    ##
+    # Assign self to destination policy element
+    # This method is sensitive to the type of self and dst_policy_element
+    #
+    def assign_to(dst_policy_element)
+      unless allowed_assignee_classes.any?{|aac| dst_policy_element.is_a?(aac)}
+        raise(ArgumentError, "expected dst_policy_element to be one of #{allowed_assignee_classes.to_s}; got #{dst_policy_element.class} instead.")
+      end
+      @pm_storage_adapter.assign(self.stored_pe, dst_policy_element.stored_pe)
+    end
+
+    ##
+    # Remove assignment from self to destination policy element
+    # Returns boolean indicating whether assignment was successfully removed.
+    #
+    def unassign(dst_policy_element)
+      @pm_storage_adapter.unassign(self.stored_pe, dst_policy_element.stored_pe)
+    end
+
+    ##
+    # Remove self, and any assignments to or from self. Does not remove any other elements.
+    # Returns true if persisted object was successfully removed.
+    #
+    def delete
+      if self.stored_pe && self.stored_pe.persisted
+        @pm_storage_adapter.delete(stored_pe)
+        self.stored_pe = nil
+        true
+      end
+    end
+
+    ##
+    # Updates extra attributes with the passed-in values. Will not remove other
+    # attributes not in the hash. Returns true if no errors occurred.
+    #
+    def update(attr_hash)
+      @extra_attributes.merge!(attr_hash)
+      methodize_extra_attributes!
+      if self.stored_pe && self.stored_pe.persisted
+        @pm_storage_adapter.update(self.stored_pe, attr_hash)
+        true
+      end
+    end
+
+    ##
+    # Convert a stored_pe to an instantiated pe
+    def self.convert_stored_pe_to_pe(stored_pe, pm_storage_adapter, pe_class)
+      pe_class.new(
+        stored_pe.unique_identifier,
+        stored_pe.policy_machine_uuid,
+        pm_storage_adapter,
+        stored_pe
+      )
+    end
+
+    ##
+    # Returns true if self is identical to other and false otherwise.
+    #
+    def ==(other_pe)
+      self.class == other_pe.class &&
+      self.unique_identifier == other_pe.unique_identifier &&
+      self.policy_machine_uuid == other_pe.policy_machine_uuid
+    end
+
+    ##
+    # Delegate extra attribute reads to stored_pe
+    #
+    def method_missing(meth, *args)
+      if args.none? && stored_pe.respond_to?(meth)
+        stored_pe.send(meth)
+      else
+        super
+      end
+    end
+
+    def respond_to_missing?(meth, include_private = false)
+      stored_pe.respond_to?(meth, include_private) || super
+    end
+
+    protected
+      def allowed_assignee_classes
+        raise "Must override this method in a subclass"
+      end
+
+      ##
+      # Allow magic attribute methods like in ActiveRecord
+      #
+      def methodize_extra_attributes!
+        @extra_attributes.keys.each do |attr|
+          define_singleton_method attr, lambda {@extra_attributes[attr]} unless respond_to?(attr)
+        end
+      end
+
+  end
+
+  # TODO:  there is repeated code in the following subclasses which I will DRY in the
+  # next PR.
+  # A user in a policy machine.
+  class User < PolicyElement
+    def self.create(unique_identifier, policy_machine_uuid, pm_storage_adapter, extra_attributes = {})
+      new_pe = new(unique_identifier, policy_machine_uuid, pm_storage_adapter, nil, extra_attributes)
+      new_pe.stored_pe = pm_storage_adapter.add_user(unique_identifier, policy_machine_uuid, extra_attributes)
+      new_pe
+    end
+
+    def user_attributes(pm_storage_adapter)
+      pm_storage_adapter.user_attributes_for_user(stored_pe).map do |stored_ua|
+        self.class.convert_stored_pe_to_pe(stored_ua, pm_storage_adapter, PM::UserAttribute)
+      end
+    end
+
+    # Return all policy elements of a particular type (e.g. all users)
+    def self.all(pm_storage_adapter, options = {})
+      pm_storage_adapter.find_all_of_type_user(options).map do |stored_pe|
+        convert_stored_pe_to_pe(stored_pe, pm_storage_adapter, PM::User)
+      end
+    end
+
+    protected
+    def allowed_assignee_classes
+      [UserAttribute]
+    end
+  end
+
+  # A user attribute in a policy machine.
+  class UserAttribute < PolicyElement
+    def self.create(unique_identifier, policy_machine_uuid, pm_storage_adapter, extra_attributes = {})
+      new_pe = new(unique_identifier, policy_machine_uuid, pm_storage_adapter, nil, extra_attributes)
+      new_pe.stored_pe = pm_storage_adapter.add_user_attribute(unique_identifier, policy_machine_uuid, extra_attributes)
+      new_pe
+    end
+
+     # Return all policy elements of a particular type (e.g. all users)
+    def self.all(pm_storage_adapter, options = {})
+      pm_storage_adapter.find_all_of_type_user_attribute(options).map do |stored_pe|
+        convert_stored_pe_to_pe(stored_pe, pm_storage_adapter, PM::UserAttribute)
+      end
+    end
+
+    protected
+    def allowed_assignee_classes
+      [UserAttribute, PolicyClass]
+    end
+  end
+
+  # An object attribute in a policy machine.
+  class ObjectAttribute < PolicyElement
+    def self.create(unique_identifier, policy_machine_uuid, pm_storage_adapter, extra_attributes = {})
+      new_pe = new(unique_identifier, policy_machine_uuid, pm_storage_adapter, nil, extra_attributes)
+      new_pe.stored_pe = pm_storage_adapter.add_object_attribute(unique_identifier, policy_machine_uuid, extra_attributes)
+      new_pe
+    end
+
+    # Returns an array of policy classes in which this ObjectAttribute is included.
+    # Returns empty array if this ObjectAttribute is associated with no policy classes.
+    def policy_classes
+      pcs_for_object = @pm_storage_adapter.policy_classes_for_object_attribute(stored_pe)
+      pcs_for_object.map do |stored_pc|
+        self.class.convert_stored_pe_to_pe(stored_pc, @pm_storage_adapter, PM::PolicyClass)
+      end
+    end
+
+    def self.all(pm_storage_adapter, options = {})
+      pm_storage_adapter.find_all_of_type_object_attribute(options).map do |stored_pe|
+        convert_stored_pe_to_pe(stored_pe, pm_storage_adapter, PM::ObjectAttribute)
+      end
+    end
+
+    protected
+    def allowed_assignee_classes
+      [ObjectAttribute, PolicyClass]
+    end
+  end
+
+  # An object in a policy machine.
+  class Object < ObjectAttribute
+    def self.create(unique_identifier, policy_machine_uuid, pm_storage_adapter, extra_attributes = {})
+      new_pe = new(unique_identifier, policy_machine_uuid, pm_storage_adapter, nil, extra_attributes)
+      new_pe.stored_pe = pm_storage_adapter.add_object(unique_identifier, policy_machine_uuid, extra_attributes)
+      new_pe
+    end
+
+    # Return all policy elements of a particular type (e.g. all users)
+    def self.all(pm_storage_adapter, options = {})
+      pm_storage_adapter.find_all_of_type_object(options).map do |stored_pe|
+        convert_stored_pe_to_pe(stored_pe, pm_storage_adapter, PM::Object)
+      end
+    end
+
+    protected
+    def allowed_assignee_classes
+      [Object, ObjectAttribute]
+    end
+  end
+
+  # An operation set in a policy machine.
+  class Operation < PolicyElement
+    def self.create(unique_identifier, policy_machine_uuid, pm_storage_adapter, extra_attributes = {})
+      new_pe = new(unique_identifier, policy_machine_uuid, pm_storage_adapter, nil, extra_attributes)
+      new_pe.stored_pe = pm_storage_adapter.add_operation(unique_identifier, policy_machine_uuid, extra_attributes)
+      new_pe
+    end
+
+    # Return all policy elements of a particular type (e.g. all users)
+    def self.all(pm_storage_adapter, options = {})
+      pm_storage_adapter.find_all_of_type_operation(options).map do |stored_pe|
+        convert_stored_pe_to_pe(stored_pe, pm_storage_adapter, PM::Operation)
+      end
+    end
+
+    # Return all associations in which this Operation is included
+    # Associations are arrays of PM::Attributes.
+    #
+    def associations
+      @pm_storage_adapter.associations_with(self.stored_pe).map do |assoc|
+        PM::Association.new(assoc[0], assoc[1], assoc[2], @pm_storage_adapter)
+      end
+    end
+
+    protected
+    def allowed_assignee_classes
+      []
+    end
+  end
+
+  # A policy class in a policy machine.
+  class PolicyClass < PolicyElement
+    def self.create(unique_identifier, policy_machine_uuid, pm_storage_adapter, extra_attributes = {})
+      new_pe = new(unique_identifier, policy_machine_uuid, pm_storage_adapter, nil, extra_attributes)
+      new_pe.stored_pe = pm_storage_adapter.add_policy_class(unique_identifier, policy_machine_uuid, extra_attributes)
+      new_pe
+    end
+
+    protected
+    def allowed_assignee_classes
+      []
+    end
+  end
+
+end

data/lib/policy_machine/version.rb

@@ -0,0 +1,3 @@
+module PolicyMachine
+  VERSION = "0.0.1"
+end

data/lib/policy_machine_storage_adapters/active_record.rb

@@ -0,0 +1,306 @@
+require 'policy_machine'
+require 'set'
+
+# This class stores policy elements in a SQL database using whatever
+# database configuration and adapters are provided by active_record.
+# Currently only MySQL is supported via this adapter.
+
+begin
+  require 'active_record'
+rescue LoadError
+  active_record_unavailable = true
+end
+
+module PolicyMachineStorageAdapter
+
+  class ActiveRecord
+
+    class PolicyElement < ::ActiveRecord::Base
+      alias :persisted :persisted?
+      # needs unique_identifier, policy_machine_uuid, type, extra_attributes columns
+      has_many :assignments, foreign_key: :parent_id, dependent: :destroy
+      has_many :children, through: :assignments, dependent: :destroy #this doesn't actually destroy the children, just the assignment
+      has_many :transitive_closure, foreign_key: :ancestor_id
+      has_many :descendants, through: :transitive_closure
+      attr_accessible :unique_identifier, :policy_machine_uuid, :extra_attributes
+      attr_accessor :extra_attributes_hash
+      before_save :serialize_extra_attributes_hash
+
+      def method_missing(meth, *args, &block)
+        methodize_extra_attributes_hash
+        if respond_to?(meth)
+          send(meth, *args)
+        elsif meth.to_s[-1] == '='
+          @extra_attributes_hash[meth.to_s] = args.first
+          methodize_extra_attributes_hash
+        else
+          super
+        end
+      end
+
+      def respond_to_missing?(meth, *args)
+        methodize_extra_attributes_hash unless @extra_attributes_hash
+        @extra_attributes_hash[meth.to_s] || super
+      end
+
+      def methodize_extra_attributes_hash
+        @extra_attributes_hash = JSON.parse(self.extra_attributes, quirks_mode: true) if self.extra_attributes
+        @extra_attributes_hash ||= {}
+        @extra_attributes_hash.extract!(*self.class.column_names).each do |key, value|
+          send("#{key}=", value) unless value.nil?
+        end
+        @extra_attributes_hash.each do |key, value|
+          define_singleton_method key, lambda {@extra_attributes_hash[key.to_s]}
+          define_singleton_method "#{key}=", lambda { | value | @extra_attributes_hash[key.to_s] = value }
+        end
+      end
+
+      def serialize_extra_attributes_hash
+        methodize_extra_attributes_hash unless @extra_attributes_hash
+        self.extra_attributes = extra_attributes_hash.to_json
+      end
+
+    end
+
+    class User < PolicyElement
+    end
+
+    class UserAttribute < PolicyElement
+      has_many :policy_element_associations, dependent: :destroy
+    end
+
+    class ObjectAttribute < PolicyElement
+      has_many :policy_element_associations, dependent: :destroy
+    end
+
+    class Object < ObjectAttribute
+    end
+
+    class Operation < PolicyElement
+      has_and_belongs_to_many :policy_element_associations, class_name: :"PolicyMachineStorageAdapter::ActiveRecord::PolicyElementAssociation"
+    end
+
+    class PolicyClass < PolicyElement
+    end
+
+    class PolicyElementAssociation < ::ActiveRecord::Base
+      # requires a join table (should be indexed!)
+      has_and_belongs_to_many :operations, class_name: :"PolicyMachineStorageAdapter::ActiveRecord::Operation"
+      belongs_to :user_attribute
+      belongs_to :object_attribute
+    end
+
+    class TransitiveClosure < ::ActiveRecord::Base
+      self.table_name = 'transitive_closure'
+      # needs ancestor_id, descendant_id columns
+      belongs_to :ancestor, class_name: :PolicyElement
+      belongs_to :descendant, class_name: :PolicyElement
+    end
+
+    class Assignment < ::ActiveRecord::Base
+      # needs parent_id, child_id columns
+      after_create :add_to_transitive_closure
+      after_destroy :remove_from_transitive_closure
+      belongs_to :parent, class_name: :PolicyElement
+      belongs_to :child, class_name: :PolicyElement
+
+      def self.transitive_closure?(ancestor, descendant)
+        TransitiveClosure.exists?(ancestor_id: ancestor.id, descendant_id: descendant.id)
+      end
+
+      def add_to_transitive_closure
+        connection.execute("Insert ignore into transitive_closure values (#{parent_id}, #{child_id})")
+        connection.execute("Insert ignore into transitive_closure
+             select parents_ancestors.ancestor_id, childs_descendants.descendant_id from
+              transitive_closure parents_ancestors,
+              transitive_closure childs_descendants
+             where
+              (parents_ancestors.descendant_id = #{parent_id} or parents_ancestors.ancestor_id = #{parent_id})
+              and (childs_descendants.ancestor_id = #{child_id} or childs_descendants.descendant_id = #{child_id})")
+      end
+
+      def remove_from_transitive_closure
+        parents_ancestors = connection.execute("Select ancestor_id from transitive_closure where descendant_id=#{parent_id}")
+        childs_descendants = connection.execute("Select descendant_id from transitive_closure where ancestor_id=#{child_id}")
+        parents_ancestors = parents_ancestors.to_a.<<(parent_id).join(',')
+        childs_descendants = childs_descendants.to_a.<<(child_id).join(',')
+
+        connection.execute("Delete from transitive_closure where
+          ancestor_id in (#{parents_ancestors}) and
+          descendant_id in (#{childs_descendants}) and
+          not exists (Select * from assignments where parent_id=ancestor_id and child_id=descendant_id)
+        ")
+
+        connection.execute("Insert ignore into transitive_closure
+            select ancestors_surviving_relationships.ancestor_id, descendants_surviving_relationships.descendant_id
+            from
+              transitive_closure ancestors_surviving_relationships,
+              transitive_closure descendants_surviving_relationships
+            where
+              (ancestors_surviving_relationships.ancestor_id in (#{parents_ancestors}))
+              and (descendants_surviving_relationships.descendant_id in (#{childs_descendants}))
+              and (ancestors_surviving_relationships.descendant_id = descendants_surviving_relationships.ancestor_id)
+        ")
+      end
+
+    end
+
+    POLICY_ELEMENT_TYPES = %w(user user_attribute object object_attribute operation policy_class)
+
+    POLICY_ELEMENT_TYPES.each do |pe_type|
+      ##
+      # Store a policy element of type pe_type.
+      # The unique_identifier identifies the element within the policy machine.
+      # The policy_machine_uuid is the uuid of the containing policy machine.
+      #
+      define_method("add_#{pe_type}") do |unique_identifier, policy_machine_uuid, extra_attributes = {}|
+        active_record_attributes = extra_attributes.stringify_keys
+        extra_attributes = active_record_attributes.slice!(*PolicyElement.column_names)
+        element_attrs = {
+          :unique_identifier => unique_identifier,
+          :policy_machine_uuid => policy_machine_uuid,
+          :extra_attributes => extra_attributes.to_json
+        }.merge(active_record_attributes)
+        class_for_type(pe_type).create(element_attrs, without_protection: true)
+      end
+
+      define_method("find_all_of_type_#{pe_type}") do |options = {}|
+        conditions = options.stringify_keys
+        extra_attribute_conditions = conditions.slice!(*PolicyElement.column_names)
+        all = class_for_type(pe_type).where(conditions)
+        extra_attribute_conditions.each do |key, value|
+          warn "WARNING: #{self.class} is filtering #{pe_type} on #{key} in memory, which won't scale well. " <<
+            "To move this query to the database, add a '#{key}' column to the policy_elements table " <<
+            "and re-save existing records"
+          all.select!{ |pe| pe.methodize_extra_attributes_hash and pe.extra_attributes_hash[key] == value }
+        end
+        all
+      end
+    end
+
+    def class_for_type(pe_type)
+      @pe_type_class_hash ||= Hash.new { |h,k| h[k] = "PolicyMachineStorageAdapter::ActiveRecord::#{k.camelize}".constantize }
+      @pe_type_class_hash[pe_type]
+    end
+
+    ##
+    # Assign src to dst in policy machine.
+    # The two policy elements must be persisted policy elements
+    # Returns true if the assignment occurred, false otherwise.
+    #
+    def assign(src, dst)
+      assert_persisted_policy_element(src, dst)
+      src.children << dst
+    end
+
+    ##
+    # Determine if there is a path from src to dst in the policy machine.
+    # The two policy elements must be persisted policy elements; otherwise the method should raise
+    # an ArgumentError.
+    # Returns true if there is a such a path and false otherwise.
+    # Should return true if src == dst
+    #
+    def connected?(src, dst)
+      assert_persisted_policy_element(src, dst)
+      src == dst || Assignment.transitive_closure?(src, dst)
+    end
+
+    ##
+    # Disconnect two policy elements in the machine
+    # The two policy elements must be persisted policy elements; otherwise the method should raise
+    # an ArgumentError.
+    # Returns true if unassignment occurred and false otherwise.
+    # Generally, false will be returned if the assignment didn't exist in the PM in the
+    # first place.
+    #
+    def unassign(src, dst)
+      assert_persisted_policy_element(src, dst)
+      if assignment = src.assignments.where(child_id: dst.id).first
+        assignment.destroy
+      end
+    end
+
+    ##
+    # Remove a persisted policy element. This should remove its assignments and
+    # associations but must not cascade to any connected policy elements.
+    # Returns true if the delete succeeded.
+    #
+    def delete(element)
+      element.destroy
+    end
+
+    ##
+    # Update the extra_attributes of a persisted policy element.
+    # This should only affect attributes corresponding to the keys passed in.
+    # Returns true if the update succeeded or was redundant.
+    #
+    def update(element, changes_hash)
+      changes_hash.each { |k,v| element.send("#{k}=",v) }
+      element.save
+    end
+
+    ##
+    # Determine if the given node is in the policy machine or not.
+    # Returns true or false accordingly.
+    # TODO: This seems wrong.
+    #
+    def element_in_machine?(pe)
+      pe.persisted?
+    end
+
+    ##
+    # Add the given association to the policy map.  If an association between user_attribute
+    # and object_attribute already exists, then replace it with that given in the arguments.
+    # Returns true if the association was added and false otherwise.
+    #
+    def add_association(user_attribute, operation_set, object_attribute, policy_machine_uuid)
+      PolicyElementAssociation.where(
+        user_attribute_id: user_attribute.id,
+        object_attribute_id: object_attribute.id
+      ).first_or_create.operations = operation_set.to_a
+    end
+
+    ##
+    # Return an array of all associations in which the given operation is included.
+    # Each element of the array should itself be an array in which the first element
+    # is the user_attribute member of the association, the second element is a
+    # Ruby Set, each element of which is an operation, the third element is the
+    # object_attribute member of the association.
+    # If no associations are found then the empty array should be returned.
+    #
+    def associations_with(operation)
+      assocs = operation.policy_element_associations.all(include: [:user_attribute, :operations, :object_attribute])
+      assocs.map { |assoc| [assoc.user_attribute, Set.new(assoc.operations), assoc.object_attribute] }
+    end
+
+    ##
+    # Return array of all policy classes which contain the given object_attribute (or object).
+    # Return empty array if no such policy classes found.
+    def policy_classes_for_object_attribute(object_attribute)
+      object_attribute.descendants.where(type: class_for_type('policy_class'))
+    end
+
+    ##
+    # Return array of all user attributes which contain the given user.
+    # Return empty array if no such user attributes are found.
+    def user_attributes_for_user(user)
+      user.descendants.where(type: class_for_type('user_attribute'))
+    end
+
+    ##
+    # Execute the passed-in block transactionally: any error raised out of the block causes
+    # all the block's changes to be rolled back.
+    def transaction(&block)
+      PolicyElement.transaction(&block)
+    end
+
+    private
+
+    def assert_persisted_policy_element(*arguments)
+      arguments.each do |argument|
+        raise ArgumentError, "expected policy elements, got #{argument}" unless argument.is_a?(PolicyElement)
+      end
+    end
+
+  end
+end unless active_record_unavailable