policy_machine 0.0.1 → 0.0.2

data/CHANGELOG.md

@@ -0,0 +1,9 @@
+# 0.0.2
+
+* Fix: Operation sets now silently remove duplicates
+* Transactional rollback available in active_record and in_memory
+* Can now generate a list of all privileges a user has on an object with `#scoped_privileges`
+
+# 0.0.1
+
+* Initial open source release.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2013 YOURNAME
+Copyright 2013 Medidata Solutions Worldwide
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/lib/policy_machine.rb

@@ -147,6 +147,25 @@ class PolicyMachine
     privileges
   end
 
+  ##
+  # Returns an array of all privileges encoded in this
+  # policy machine for the given user (attribute) on the given
+  # object (attribute).
+  #
+  # TODO:  might make privilege a class of its own
+  def scoped_privileges(user_or_attribute, object_or_attribute)
+    if policy_machine_storage_adapter.respond_to?(:scoped_privileges)
+      policy_machine_storage_adapter.scoped_privileges(user_or_attribute.stored_pe, object_or_attribute.stored_pe).map do |op|
+        operation = PM::Operation.convert_stored_pe_to_pe(op, policy_machine_storage_adapter, PM::Operation)
+        [user_or_attribute, operation, object_or_attribute]
+      end
+    else
+      operations.grep(->operation{is_privilege?(user_or_attribute, operation, object_or_attribute)}) do |op|
+        [user_or_attribute, op, object_or_attribute]
+      end
+    end
+  end
+
   ##
   # Returns an array of all user_attributes a PM::User is assigned to,
   # directly or indirectly.

data/lib/policy_machine/association.rb

@@ -64,7 +64,7 @@ module PM
 
       new_assoc = pm_storage_adapter.add_association(
         user_attribute_pe.stored_pe,
-        operation_set.map(&:stored_pe),
+        Set.new(operation_set.map(&:stored_pe)),
         object_attribute_pe.stored_pe,
         policy_machine_uuid
       )

data/lib/policy_machine/policy_element.rb

@@ -106,6 +106,10 @@ module PM
       stored_pe.respond_to?(meth, include_private) || super
     end
 
+    def inspect
+      "#<#{self.class} #{unique_identifier}>"
+    end
+
     protected
       def allowed_assignee_classes
         raise "Must override this method in a subclass"

data/lib/policy_machine_storage_adapters/active_record.rb

@@ -21,7 +21,9 @@ module PolicyMachineStorageAdapter
       has_many :assignments, foreign_key: :parent_id, dependent: :destroy
       has_many :children, through: :assignments, dependent: :destroy #this doesn't actually destroy the children, just the assignment
       has_many :transitive_closure, foreign_key: :ancestor_id
+      has_many :inverse_transitive_closure, class_name: :"PolicyMachineStorageAdapter::ActiveRecord::TransitiveClosure", foreign_key: :descendant_id
       has_many :descendants, through: :transitive_closure
+      has_many :ancestors, through: :inverse_transitive_closure
       attr_accessible :unique_identifier, :policy_machine_uuid, :extra_attributes
       attr_accessor :extra_attributes_hash
       before_save :serialize_extra_attributes_hash
@@ -294,8 +296,40 @@ module PolicyMachineStorageAdapter
       PolicyElement.transaction(&block)
     end
 
+    ## Optimized version of PolicyMachine#scoped_privileges
+    # Returns all operations the user has on the object
+    def scoped_privileges(user_or_attribute, object_or_attribute)
+      policy_classes_containing_object = policy_classes_for_object_attribute(object_or_attribute)
+      if policy_classes_containing_object.count < 2
+        scoped_privileges_single_policy_class(user_or_attribute, object_or_attribute)
+      else
+        scoped_privileges_multiple_policy_classes(user_or_attribute, object_or_attribute, policy_classes_containing_object)
+      end
+    end
+
     private
 
+    def scoped_privileges_single_policy_class(user_or_attribute, object_or_attribute)
+      associations = class_for_type('policy_element_association').where(
+        object_attribute_id: object_or_attribute.descendants | [object_or_attribute],
+        user_attribute_id: user_or_attribute.descendants | [user_or_attribute]
+        ).includes(:operations)
+
+      associations.flat_map(&:operations).uniq
+    end
+
+    def scoped_privileges_multiple_policy_classes(user_or_attribute, object_or_attribute, policy_classes_containing_object)
+      base_scope = class_for_type('policy_element_association').where(
+        object_attribute_id: object_or_attribute.descendants | [object_or_attribute],
+        user_attribute_id: user_or_attribute.descendants | [user_or_attribute]
+        )
+      operations_for_policy_classes = policy_classes_containing_object.map do |pc|
+        associations = base_scope.where(object_attribute_id: pc.ancestors).includes(:operations)
+        associations.flat_map(&:operations)
+      end
+      operations_for_policy_classes.inject(:&) || []
+    end
+
     def assert_persisted_policy_element(*arguments)
       arguments.each do |argument|
         raise ArgumentError, "expected policy elements, got #{argument}" unless argument.is_a?(PolicyElement)

data/lib/policy_machine_storage_adapters/template.rb

@@ -163,6 +163,14 @@ module PolicyMachineStorageAdapter
     # all the block's changes to be rolled back. Should raise NotImplementedError if the
     # persistence layer does not support this.
     def transaction
+
+    end
+
+    ## Optimized version of PolicyMachine#scoped_privileges
+    # Return all operations the user has on the object
+    # Optional: only add this method if you can do it better than policy_machine.rb
+    def scoped_privileges(user_or_attribute, object_or_attribute)
+
     end
 
   end

data/policy_machine.gemspec

@@ -1,11 +1,12 @@
 Gem::Specification.new do |s|
   s.name        = "policy_machine"
-  s.version     = "0.0.1"
+  s.version     = "0.0.2"
   s.summary     = "Policy Machine!"
   s.description = "A ruby implementation of the Policy Machine authorization formalism."
   s.authors     = ['Matthew Szenher', 'Aaron Weiner']
   s.email       = s.authors.map{|name|name.sub(/(.).* (.*)/,'\1\2@mdsol.com')}
   s.homepage    = 'https://github.com/mdsol/the_policy_machine'
+  s.license     = 'MIT'
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.require_paths = ["lib"]

data/spec/spec_helper.rb

@@ -1,11 +1,12 @@
-require_relative '../test/test_helper.rb'
-
 require 'simplecov'
 SimpleCov.start do
   add_group 'lib', 'lib'
   add_filter 'spec'
+  add_filter 'test'
 end
 
+require_relative '../test/test_helper.rb'
+
 require 'rspec'
 require 'debugger'
 

data/spec/support/policy_machine_helpers.rb

@@ -19,4 +19,18 @@ def assert_pm_privilege_expectations(actual_privileges, expected_privileges)
   end
 
   actual_privileges.count.should == expected_privileges.size
+  assert_pm_scoped_privilege_expectations
+end
+
+# Make sure all scoped_privileges calls behave as expected
+def assert_pm_scoped_privilege_expectations
+  users_or_attributes = policy_machine.users | policy_machine.user_attributes
+  objects_or_attributes = policy_machine.objects | policy_machine.object_attributes
+  users_or_attributes.product(objects_or_attributes) do |u, o|
+    expected_scoped_privileges = policy_machine.operations.grep(->op{policy_machine.is_privilege?(u, op, o)}) do |op|
+      [u, op, o]
+    end
+    policy_machine.scoped_privileges(u,o).should =~ expected_scoped_privileges
+  end
+
 end

data/spec/support/{shared_examples_policy_machine_spec.rb → shared_examples_policy_machine.rb}

@@ -187,6 +187,12 @@ shared_examples "a policy machine" do
       it 'allows an association to be made between an existing user_attribute, operation set and object attribute (returns true)' do
         policy_machine.add_association(@user_attribute, @operation_set, @object_attribute).should be_true
       end
+
+      it 'handles non-unique operation sets' do
+        @operation_set << @operation1.dup
+        policy_machine.add_association(@user_attribute, @operation_set, @object_attribute).should be_true
+      end
+
     end
   end
 

data/test/test_helper.rb

@@ -2,7 +2,6 @@
 ENV["RAILS_ENV"] = "test"
 
 require File.expand_path("../dummy/config/environment.rb",  __FILE__)
-require "rails/test_help"
 
 Rails.backtrace_cleaner.remove_silencers!
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: policy_machine
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-28 00:00:00.000000000 Z
+date: 2013-11-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -148,6 +148,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
 - MIT-LICENSE
@@ -174,8 +175,8 @@ files:
 - spec/spec_helper.rb
 - spec/support/neography_helpers.rb
 - spec/support/policy_machine_helpers.rb
-- spec/support/shared_examples_policy_machine_spec.rb
-- spec/support/shared_examples_policy_machine_storage_adapter_spec.rb
+- spec/support/shared_examples_policy_machine.rb
+- spec/support/shared_examples_shared_examples_policy_machine_storage_adapter.rb
 - spec/support/shared_examples_storage_adapter_public_methods.rb
 - spec/support/storage_adapter_helpers.rb
 - test/dummy/Rakefile
@@ -204,7 +205,8 @@ files:
 - test/policy_machine_test.rb
 - test/test_helper.rb
 homepage: https://github.com/mdsol/the_policy_machine
-licenses: []
+licenses:
+- MIT
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -238,8 +240,8 @@ test_files:
 - spec/spec_helper.rb
 - spec/support/neography_helpers.rb
 - spec/support/policy_machine_helpers.rb
-- spec/support/shared_examples_policy_machine_spec.rb
-- spec/support/shared_examples_policy_machine_storage_adapter_spec.rb
+- spec/support/shared_examples_policy_machine.rb
+- spec/support/shared_examples_shared_examples_policy_machine_storage_adapter.rb
 - spec/support/shared_examples_storage_adapter_public_methods.rb
 - spec/support/storage_adapter_helpers.rb
 - test/dummy/Rakefile