protector 0.0.2 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 098c77da509ed0a347c0a22df9dd6c6a8d34289a
-  data.tar.gz: b9ae1d35809445399fda713c3f0276ac91114659
+  metadata.gz: 5196d6460c7c9550f4be2cef9135916d900dcdc0
+  data.tar.gz: 08886a665e9f57db43dd49d064c23b569e01106b
 SHA512:
-  metadata.gz: d0cc601d414b036f8eb6db9381c9f30a93bc1bdb5bd92a946165f32ea97f9229be9fa76210a7b98ec878da9b0476f6dacffb6bf7e24200c496bf8e6106a6b4bf
-  data.tar.gz: 9994bc1d0e0a3a93f81f4ee07fabf7cf1faf7c02c958952ec8cd80a6452349c20cd8fc7a79bf51665da2cbccdef179ce85963cc4ab0528b039b6b21a735b85bc
+  metadata.gz: 87cd3b93a9b8b3ca0b86d034234385111cd8aa9c793e6440908fc6362a6160e21a7d6010b6c89018a4245a44e1cb043c0086a023cf88ce50e501be7a21cece95
+  data.tar.gz: 2fffcf64bc2669bfb3292e432e52408d1a9207263085a6cac74dde4200882dc645523c93320449ffe9320f76aa94389caf3ce2c7c993ddfc56333e2426d1d5c8

data/.travis.yml

@@ -0,0 +1,6 @@
+before_install:
+  - gem install bundler
+rvm:
+  - 1.9.3
+  - jruby-19mode
+  - 2.0.0

data/Appraisals

@@ -0,0 +1,9 @@
+appraise "AR_3.2" do
+  gem "activerecord", "3.2", require: "active_record"
+  gem "activerecord-jdbcsqlite3-adapter", platform: :jruby, github: "jruby/activerecord-jdbc-adapter"
+end
+
+appraise "AR_4" do
+  gem "activerecord", "4.0.0.rc1", require: "active_record"
+  gem "activerecord-jdbcsqlite3-adapter", platform: :jruby, github: "jruby/activerecord-jdbc-adapter"
+end

data/Gemfile

@@ -7,4 +7,7 @@ gem 'rspec'
 gem 'guard'
 gem 'guard-rspec'
 
-gem 'activerecord', '>= 3.0'
+gem 'appraisal'
+
+gem 'sqlite3', platform: :ruby
+gem 'jdbc-sqlite3', platform: :jruby

data/README.md

@@ -1,6 +1,125 @@
 # Protector
 
-TODO: Write a gem description
+[![Build Status](https://travis-ci.org/inossidabile/protector.png?branch=master)](https://travis-ci.org/inossidabile/protector)
+[![Code Climate](https://codeclimate.com/github/inossidabile/protector.png)](https://codeclimate.com/github/inossidabile/protector)
+
+Protector is a Ruby ORM extension for managing security restrictions on a field level. The gem favors white-listing over black-listing (everything is disallowed by default), convention over configuration and is duck-type compatible with most of existing code.
+
+Currently Protector supports the following ORM adapters:
+
+  * [ActiveRecord](http://guides.rubyonrails.org/active_record_querying.html) (>= 3.2)
+
+We are working hard to extend the list with:
+
+  * [Sequel](http://sequel.rubyforge.org/)
+  * [DataMapper](http://datamapper.org/)
+  * [Mongoid](http://mongoid.org/en/mongoid/index.html)
+
+## Basics
+
+DSL of Protector is a Ruby block (or several) describing ACL separated into contexts (authorized user is a very typical example of a context). Each time the context of model changes, DSL blocks reevaluate internally to get an actual ACL that is then utilized internally to cut restricted actions.
+
+Protector follows nondestructive blocking strategy. It returns `nil` when the forbidden field is requested and only checks creation (modification) capability during persisting. Even more: the latter is implemented as a model validation so it will seamlessly integrate into your typical workflow.
+
+This example is based on ActiveRecord but the code is mostly identical for any supported adapter.
+
+```ruby
+class Article < ActiveRecord::Base          # Fields: title, text, user_id, hidden
+  protect do |user|                         # `user` is a context of security
+
+    unless user.admin?
+      scope { where(hidden: false) }        # Non-admins can only read insecure data
+
+      can :view                             # Allow to read any field
+      if user.nil?                          # User is unknown and therefore not authenticated
+        cannot :view, :text                 # Guests can't read the text
+      end
+
+      can :create, %w(title text)           # Non-admins can't set `hidden` flag
+      can :create, user_id: lamda{|x|       # ... and should correctly fill 
+        x == user.id                        # ... the `user_id` association
+      }
+
+      # In this setup non-admins can not destroy or update existing records.
+    else
+      scope { all }                         # Admins can retrieve anything
+
+      can :view                             # ... and view anything
+      can :create                           # ... and create anything
+      can :update                           # ... and update anything
+      can :destroy                          # ... and they can delete
+    end
+  end
+end
+```
+
+Now that we have ACL described we can enable it as easy as:
+
+```ruby
+article.restrict!(current_user)    # Assuming article is an instance of Article
+```
+
+To make model unsafe again call:
+
+```ruby
+article.unrestrict!
+```
+
+**Both methods are chainable!**
+
+## Scopes
+
+Besides the `can` and `cannot` directives Protector also handles relations visibility. In the previous sample the following block is responsible to make hidden articles actually hide:
+
+```ruby
+scope { where(hidden: false) }        # Non-admins can only read unsecure data
+````
+
+Make sure to write the block content of the `scope` directive in the notation of your ORM library.
+
+To finally utilize this function use the same `restrict!` method on a level of Class or Relation. Like this:
+
+```ruby
+Article.restrict!(current_user).where(...)
+# OR
+Article.where(...).restrict!(current_user)
+```
+
+Note that you don't need to explicitly restrict models you get from a restricted scope – they born restricted.
+
+## Self-aware conditions
+
+Sometimes an access decision depends on the object we restrict. `protect` block accepts second argument to fulfill these cases. Keep in mind however that it's not always accessible: we don't have any instance for the restriction of relation and therefore `nil` is passed.
+
+The following example extends Article to allow users edit their own posts:
+
+```ruby
+class Article < ActiveRecord::Base          # Fields: title, text, user_id, hidden
+  protect do |user, article|
+    if user
+      if article.try(:user_id) == user.id   # Checks belonging keeping possible nil in mind
+        can :update, %w(title text)         # Allow authors to modify posts
+      end
+    end
+  end
+end
+```
+
+## Associations
+
+Protector is aware of associations. All the associations retrieved from restricted instance will automatically be restricted to the same context. Therefore you don't have to do anything special – it will respect proper scopes out of the box.
+
+The access to `belongs_to` kind of association depends on corresponding foreign key readability.
+
+## Ideology
+
+Protector is a successor to [Heimdallr](https://github.com/inossidabile/heimdallr). The latter being a proof-of-concept appeared to be way too paranoid and incompatible with the rest of the world. Protector re-implements same idea keeping the Ruby way:
+
+  * it works inside of the model instead of wrapping it into a proxy: that's why it's compatible with every other extension you use
+  * it secures persistence and not object properties: you can modify any properties you want but it's not going to let you save what you can not save
+  * it respects the differentiation between business-logic layer and SQL layer: protection is validation so any method that skips validation will also avoid the security check
+
+**The last thing is really important to understand. No matter if you can read a field or not, methods like `.pluck` are still capable of reading any of your fields and if you tell your model to skip validation it will also skip an ACL check.**
 
 ## Installation
 
@@ -16,9 +135,13 @@ Or install it yourself as:
 
     $ gem install protector
 
-## Usage
+As long as you load Protector after an ORM library it is supposed to activate itself automatically. Otherwise you can enable required adapter manually:
+
+```ruby
+Protector::Adapters::ActiveRecord.activate!
+```
 
-TODO: Write usage instructions here
+Where "ActiveRecord" is the adapter you are about to use. It can be "Sequel", "DataMapper", "Mongoid".
 
 ## Contributing
 

data/Rakefile

@@ -1,8 +1,13 @@
 require 'bundler/setup'
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'appraisal'
 
 RSpec::Core::RakeTask.new(:spec)
 
-desc "Default: run the unit tests."
-task :default => :spec
+task :default => :all
+
+desc 'Test the plugin under all supported Rails versions.'
+task :all => ["appraisal:install"] do |t|
+  exec('rake appraisal spec')
+end

data/gemfiles/AR_3.2.gemfile

@@ -0,0 +1,16 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rake"
+gem "pry"
+gem "rspec"
+gem "guard"
+gem "guard-rspec"
+gem "appraisal"
+gem "sqlite3", :platform=>:ruby
+gem "jdbc-sqlite3", :platform=>:jruby
+gem "activerecord", "3.2", :require=>"active_record"
+gem "activerecord-jdbcsqlite3-adapter", :platform=>:jruby, :github=>"jruby/activerecord-jdbc-adapter"
+
+gemspec :path=>"../"

data/gemfiles/AR_3.2.gemfile.lock

@@ -0,0 +1,104 @@
+GIT
+  remote: git://github.com/jruby/activerecord-jdbc-adapter.git
+  revision: b1cb2cb59496a7c3ae22799f88c8c4789e6a8cce
+  specs:
+    activerecord-jdbcsqlite3-adapter (1.3.0.DEV)
+      activerecord-jdbc-adapter (~> 1.3.0.DEV)
+      jdbc-sqlite3 (~> 3.7.2)
+
+PATH
+  remote: /Users/inossidabile/Repos/protector
+  specs:
+    protector (0.0.3)
+      activesupport
+      i18n
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (3.2.0)
+      activesupport (= 3.2.0)
+      builder (~> 3.0.0)
+    activerecord (3.2.0)
+      activemodel (= 3.2.0)
+      activesupport (= 3.2.0)
+      arel (~> 3.0.0)
+      tzinfo (~> 0.3.29)
+    activerecord-jdbc-adapter (1.3.0.beta1)
+    activesupport (3.2.0)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    appraisal (0.5.2)
+      bundler
+      rake
+    arel (3.0.2)
+    builder (3.0.4)
+    coderay (1.0.9)
+    diff-lcs (1.2.4)
+    ffi (1.8.1)
+    ffi (1.8.1-java)
+    formatador (0.2.4)
+    guard (1.8.0)
+      formatador (>= 0.2.4)
+      listen (>= 1.0.0)
+      lumberjack (>= 1.0.2)
+      pry (>= 0.9.10)
+      thor (>= 0.14.6)
+    guard-rspec (3.0.0)
+      guard (>= 1.8)
+      rspec (~> 2.13)
+    i18n (0.6.4)
+    jdbc-sqlite3 (3.7.2)
+    listen (1.1.3)
+      rb-fsevent (>= 0.9.3)
+      rb-inotify (>= 0.9)
+      rb-kqueue (>= 0.2)
+    lumberjack (1.0.3)
+    method_source (0.8.1)
+    multi_json (1.7.3)
+    pry (0.9.12.2)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    pry (0.9.12.2-java)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+      spoon (~> 0.0)
+    rake (10.0.4)
+    rb-fsevent (0.9.3)
+    rb-inotify (0.9.0)
+      ffi (>= 0.5.0)
+    rb-kqueue (0.2.0)
+      ffi (>= 0.5.0)
+    rspec (2.13.0)
+      rspec-core (~> 2.13.0)
+      rspec-expectations (~> 2.13.0)
+      rspec-mocks (~> 2.13.0)
+    rspec-core (2.13.1)
+    rspec-expectations (2.13.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.13.1)
+    slop (3.4.5)
+    spoon (0.0.4)
+      ffi
+    sqlite3 (1.3.7)
+    thor (0.18.1)
+    tzinfo (0.3.37)
+
+PLATFORMS
+  java
+  ruby
+
+DEPENDENCIES
+  activerecord (= 3.2)
+  activerecord-jdbcsqlite3-adapter!
+  appraisal
+  guard
+  guard-rspec
+  jdbc-sqlite3
+  protector!
+  pry
+  rake
+  rspec
+  sqlite3

data/gemfiles/AR_4.gemfile

@@ -0,0 +1,16 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rake"
+gem "pry"
+gem "rspec"
+gem "guard"
+gem "guard-rspec"
+gem "appraisal"
+gem "sqlite3", :platform=>:ruby
+gem "jdbc-sqlite3", :platform=>:jruby
+gem "activerecord", "4.0.0.rc1", :require=>"active_record"
+gem "activerecord-jdbcsqlite3-adapter", :platform=>:jruby, :github=>"jruby/activerecord-jdbc-adapter"
+
+gemspec :path=>"../"

data/gemfiles/AR_4.gemfile.lock

@@ -0,0 +1,113 @@
+GIT
+  remote: git://github.com/jruby/activerecord-jdbc-adapter.git
+  revision: b1cb2cb59496a7c3ae22799f88c8c4789e6a8cce
+  specs:
+    activerecord-jdbcsqlite3-adapter (1.3.0.DEV)
+      activerecord-jdbc-adapter (~> 1.3.0.DEV)
+      jdbc-sqlite3 (~> 3.7.2)
+
+PATH
+  remote: /Users/inossidabile/Repos/protector
+  specs:
+    protector (0.0.3)
+      activesupport
+      i18n
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
+      builder (~> 3.1.0)
+    activerecord (4.0.0.rc1)
+      activemodel (= 4.0.0.rc1)
+      activerecord-deprecated_finders (~> 1.0.2)
+      activesupport (= 4.0.0.rc1)
+      arel (~> 4.0.0)
+    activerecord-deprecated_finders (1.0.2)
+    activerecord-jdbc-adapter (1.3.0.beta1)
+    activesupport (4.0.0.rc1)
+      i18n (~> 0.6, >= 0.6.4)
+      minitest (~> 4.2)
+      multi_json (~> 1.3)
+      thread_safe (~> 0.1)
+      tzinfo (~> 0.3.37)
+    appraisal (0.5.2)
+      bundler
+      rake
+    arel (4.0.0)
+    atomic (1.1.9)
+    atomic (1.1.9-java)
+    builder (3.1.4)
+    coderay (1.0.9)
+    diff-lcs (1.2.4)
+    ffi (1.8.1)
+    ffi (1.8.1-java)
+    formatador (0.2.4)
+    guard (1.8.0)
+      formatador (>= 0.2.4)
+      listen (>= 1.0.0)
+      lumberjack (>= 1.0.2)
+      pry (>= 0.9.10)
+      thor (>= 0.14.6)
+    guard-rspec (3.0.0)
+      guard (>= 1.8)
+      rspec (~> 2.13)
+    i18n (0.6.4)
+    jdbc-sqlite3 (3.7.2)
+    listen (1.1.3)
+      rb-fsevent (>= 0.9.3)
+      rb-inotify (>= 0.9)
+      rb-kqueue (>= 0.2)
+    lumberjack (1.0.3)
+    method_source (0.8.1)
+    minitest (4.7.4)
+    multi_json (1.7.3)
+    pry (0.9.12.2)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    pry (0.9.12.2-java)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+      spoon (~> 0.0)
+    rake (10.0.4)
+    rb-fsevent (0.9.3)
+    rb-inotify (0.9.0)
+      ffi (>= 0.5.0)
+    rb-kqueue (0.2.0)
+      ffi (>= 0.5.0)
+    rspec (2.13.0)
+      rspec-core (~> 2.13.0)
+      rspec-expectations (~> 2.13.0)
+      rspec-mocks (~> 2.13.0)
+    rspec-core (2.13.1)
+    rspec-expectations (2.13.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.13.1)
+    slop (3.4.5)
+    spoon (0.0.4)
+      ffi
+    sqlite3 (1.3.7)
+    thor (0.18.1)
+    thread_safe (0.1.0)
+      atomic
+    tzinfo (0.3.37)
+
+PLATFORMS
+  java
+  ruby
+
+DEPENDENCIES
+  activerecord (= 4.0.0.rc1)
+  activerecord-jdbcsqlite3-adapter!
+  appraisal
+  guard
+  guard-rspec
+  jdbc-sqlite3
+  protector!
+  pry
+  rake
+  rspec
+  sqlite3

data/lib/protector/adapters/active_record/association.rb

@@ -0,0 +1,29 @@
+module Protector
+  module Adapters
+    module ActiveRecord
+      module Association
+        extend ActiveSupport::Concern
+
+        included do
+          alias_method_chain :scope, :protector
+        end
+
+        def scope_with_protector(*args)
+          scope_without_protector(*args).restrict!(owner.protector_subject)
+        end
+      end
+
+      module PreloaderAssociation
+        extend ActiveSupport::Concern
+
+        included do
+          alias_method_chain :scope, :protector
+        end
+
+        def scope_with_protector
+          scope_without_protector
+        end
+      end
+    end
+  end
+end

data/lib/protector/adapters/active_record/base.rb

@@ -0,0 +1,100 @@
+module Protector
+  module Adapters
+    module ActiveRecord
+      module Base
+        extend ActiveSupport::Concern
+
+        included do
+          include Protector::DSL::Base
+          include Protector::DSL::Entry
+
+          validate(on: :create) do
+            return unless @protector_subject
+            errors[:base] << I18n.t('protector.invalid') unless creatable?
+          end
+
+          validate(on: :update) do
+            return unless @protector_subject
+            errors[:base] << I18n.t('protector.invalid') unless updatable?
+          end
+
+          before_destroy do
+            return true unless @protector_subject
+            destroyable?
+          end
+
+          if Gem::Version.new(::ActiveRecord::VERSION::STRING) < Gem::Version.new('4.0.0.rc1')
+            def self.restrict!(subject)
+              scoped.restrict!(subject)
+            end
+          else
+            def self.restrict!(subject)
+              all.restrict!(subject)
+            end
+          end
+
+          def [](name)
+            if !@protector_subject || name == self.class.primary_key || protector_meta.readable?(name)
+              read_attribute(name)
+            else
+              nil
+            end
+          end
+        end
+
+        module ClassMethods
+          def define_method_attribute(name)
+            super
+
+            unless (primary_key == name || (primary_key.is_a?(Array) && primary_key.include?(name)))
+              generated_attribute_methods.module_eval <<-STR, __FILE__, __LINE__ + 1
+                alias_method #{"#{name}_unprotected".inspect}, #{name.inspect}
+
+                def #{name}
+                  if !@protector_subject || protector_meta.readable?(#{name.inspect})
+                    #{name}_unprotected
+                  else
+                    nil
+                  end
+                end
+              STR
+            end
+          end
+        end
+
+        def protector_meta
+          unless @protector_subject
+            raise "Unprotected entity detected: use `restrict` method to protect it."
+          end
+
+          self.class.protector_meta.evaluate(
+            self.class,
+            self.class.column_names,
+            @protector_subject,
+            self
+          )
+        end
+
+        def visible?
+          protector_meta.relation.where(
+            self.class.primary_key => id
+          ).any?
+        end
+
+        def creatable?
+          fields = HashWithIndifferentAccess[changed.map{|x| [x, read_attribute(x)]}]
+          protector_meta.creatable?(fields)
+        end
+
+        def updatable?
+          fields = HashWithIndifferentAccess[changed.map{|x| [x, read_attribute(x)]}]
+          protector_meta.updatable?(fields)
+        end
+
+        def destroyable?
+          protector_meta.destroyable?
+        end
+      end
+    end
+  end
+end

data/lib/protector/adapters/active_record/relation.rb

@@ -0,0 +1,49 @@
+module Protector
+  module Adapters
+    module ActiveRecord
+      module Relation
+        extend ActiveSupport::Concern
+
+        included do
+          include Protector::DSL::Base
+
+          alias_method_chain :exec_queries, :protector
+        end
+
+        def protector_meta
+          @klass.protector_meta.evaluate(@klass, @klass.column_names, @protector_subject)
+        end
+
+        def unscoped
+          super.restrict!(@protector_subject)
+        end
+
+        def count(*args)
+          super || 0
+        end
+
+        def sum(*args)
+          super || 0
+        end
+
+        def calculate(*args)
+          return super unless @protector_subject
+          merge(protector_meta.relation).unrestrict!.calculate *args
+        end
+
+        def exists?(*args)
+          return super unless @protector_subject
+          merge(protector_meta.relation).unrestrict!.exists? *args
+        end
+
+        def exec_queries_with_protector(*args)
+          return exec_queries_without_protector unless @protector_subject
+
+          subject  = @protector_subject
+          relation = merge(protector_meta.relation).unrestrict!
+          @records = relation.send(:exec_queries).each{|r| r.restrict!(subject)}
+        end
+      end
+    end
+  end
+end