protector 0.1.1 → 0.2.1

data/lib/protector/adapters/active_record/relation.rb

@@ -1,8 +1,7 @@
 module Protector
   module Adapters
     module ActiveRecord
-      
-      # Pathces `ActiveRecord::Relation`
+      # Patches `ActiveRecord::Relation`
       module Relation
         extend ActiveSupport::Concern
 
@@ -10,9 +9,6 @@ module Protector
           include Protector::DSL::Base
 
           alias_method_chain :exec_queries, :protector
-          alias_method_chain :eager_loading?, :protector
-
-          attr_accessor :eager_loadable_when_protected
 
           # AR 3.2 workaround. Come on, guys... SQL parsing :(
           unless method_defined?(:references_values)
@@ -67,86 +63,49 @@ module Protector
         #
         # Patching includes:
         #
-        # * turning `includes` into `preload`
+        # * turning `includes` (that are not referenced for eager loading) into `preload`
         # * delaying built-in preloading to the stage where selection is restricted
-        # * merging current relation with restriction
+        # * merging current relation with restriction (of self and every eager association)
         def exec_queries_with_protector(*args)
+          return @records if loaded?
           return exec_queries_without_protector unless @protector_subject
 
           subject  = @protector_subject
           relation = merge(protector_meta.relation).unrestrict!
-
           relation = protector_substitute_includes(relation)
 
-          # We should explicitly allow/deny eager loading now that we know
-          # if we can use it
-          relation.eager_loadable_when_protected = relation.includes_values.any?
-
           # Preserve associations from internal loading. We are going to handle that
           # ourselves respecting security scopes FTW!
           associations, relation.preload_values = relation.preload_values, []
 
-          @records = relation.send(:exec_queries).each{|r| r.restrict!(subject)}
+          @records = relation.send(:exec_queries).each{|record| record.restrict!(subject)}
 
           # Now we have @records restricted properly so let's preload associations!
-          associations.each do |a|
-            ::ActiveRecord::Associations::Preloader.new(@records, a).run
+          associations.each do |association|
+            ::ActiveRecord::Associations::Preloader.new(@records, association).run
           end
 
           @loaded = true
           @records
         end
 
-        # Swaps `includes` with `preload` and adds JOINs to any table referenced
-        # from `where` (or manually with `reference`)
+        # Swaps `includes` with `preload` whether it's not referenced or merges
+        # security scope of proper class otherwise
         def protector_substitute_includes(relation)
           subject = @protector_subject
 
-          # Note that `includes_values` shares reference across relation diffs so
-          # it can not be modified safely and should be copied instead
-          includes, relation.includes_values = relation.includes_values, []
-
-          # We can not allow join-based eager loading for scoped associations
-          # since actual filtering can differ for host model and joined relation.
-          # Therefore we turn all `includes` into `preloads`.
-          includes.each do |iv|
-            protector_expand_include(iv).each do |ive|
-              # First-level associations can stay JOINed if restriction scope
-              # is absent. Checking deep associations would make us to check
-              # every parent. This should probably be done sometimes :\
-              meta = ive[0].protector_meta.evaluate(ive[0], subject) unless ive[1].is_a?(Hash)
-
-              # We leave unscoped restrictions as `includes`
-              # but turn scoped ones into `preloads`
-              if meta && !meta.scoped?
-                relation.includes!(ive[1])
-              else
-                if relation.references_values.include?(ive[0].table_name)
-                  if relation.respond_to?(:joins!)
-                    relation.joins!(ive[1])
-                  else
-                    relation = relation.joins(ive[1])
-                  end
-                end
-
-                # AR 3.2 Y U NO HAVE BANG RELATION MODIFIERS
-                relation.preload_values << ive[1]
-                false
-              end
+          if eager_loading?
+            protector_expand_inclusion(includes_values + eager_load_values).each do |klass, path|
+              relation = relation.merge(klass.protector_meta.evaluate(klass, subject).relation)
             end
+          else
+            relation.preload_values += includes_values
+            relation.includes_values = []
           end
 
           relation
         end
 
-        # Checks whether current object can be eager loaded respecting
-        # protector flags
-        def eager_loading_with_protector?
-          flag = eager_loading_without_protector?
-          flag &&= !!@eager_loadable_when_protected unless @eager_loadable_when_protected.nil?
-          flag
-        end
-
         # Indexes `includes` format by actual entity class
         #
         # Turns `{foo: :bar}` into `[[Foo, :foo], [Bar, {foo: :bar}]`
@@ -155,13 +114,13 @@ module Protector
         # @param [Array] results                        Resulting set
         # @param [Array] base                           Association path ([:foo, :bar])
         # @param [Class] klass                          Base class
-        def protector_expand_include(inclusion, results=[], base=[], klass=@klass)
+        def protector_expand_inclusion(inclusion, results=[], base=[], klass=@klass)
           if inclusion.is_a?(Hash)
-            protector_expand_include_hash(inclusion, results, base, klass)
+            protector_expand_inclusion_hash(inclusion, results, base, klass)
           else
             Array(inclusion).each do |i|
               if i.is_a?(Hash)
-                protector_expand_include_hash(i, results, base, klass)
+                protector_expand_inclusion_hash(i, results, base, klass)
               else
                 results << [
                   klass.reflect_on_association(i.to_sym).klass,
@@ -176,7 +135,7 @@ module Protector
 
       private
 
-        def protector_expand_include_hash(inclusion, results=[], base=[], klass=@klass)
+        def protector_expand_inclusion_hash(inclusion, results=[], base=[], klass=@klass)
           inclusion.each do |key, value|
             model = klass.reflect_on_association(key.to_sym).klass
             value = [value] unless value.is_a?(Array)
@@ -184,7 +143,7 @@ module Protector
 
             value.each do |v|
               if v.is_a?(Hash)
-                protector_expand_include_hash(v, results, nest)
+                protector_expand_inclusion_hash(v, results, nest)
               else
                 results << [
                   model.reflect_on_association(v.to_sym).klass,

data/lib/protector/adapters/sequel/dataset.rb

@@ -0,0 +1,66 @@
+module Protector
+  module Adapters
+    module Sequel
+      # Patches `Sequel::Dataset`
+      module Dataset extend ActiveSupport::Concern
+
+        # Wrapper for the Dataset `row_proc` adding restriction function
+        class Restrictor
+          attr_accessor :subject
+          attr_accessor :mutator
+
+          def initialize(subject, mutator)
+            @subject = subject
+            @mutator = mutator
+          end
+
+          # Mutate entity through `row_proc` if available and then protect
+          #
+          # @param entity [Object]          Entity coming from Dataset
+          def call(entity)
+            entity = mutator.call(entity) if mutator
+            return entity if !entity.respond_to?(:restrict!)
+            entity.restrict!(@subject)
+          end
+        end
+
+        included do |klass|
+          include Protector::DSL::Base
+
+          alias_method_chain :each, :protector
+        end
+
+        # Gets {Protector::DSL::Meta::Box} of this dataset
+        def protector_meta
+          model.protector_meta.evaluate(model, @protector_subject)
+        end
+
+        # Substitutes `row_proc` with {Protector} and injects protection scope
+        def each_with_protector(*args, &block)
+          return each_without_protector(*args, &block) if !@protector_subject
+
+          relation = protector_defend_graph(clone, @protector_subject)
+          relation = relation.instance_eval(&protector_meta.scope_proc) if protector_meta.scoped?
+
+          relation.row_proc = Restrictor.new(@protector_subject, relation.row_proc)
+          relation.each_without_protector(*args, &block)
+        end
+
+        # Injects protection scope for every joined graph association
+        def protector_defend_graph(relation, subject)
+          return relation unless @opts[:eager_graph]
+
+          @opts[:eager_graph][:reflections].each do |association, reflection|
+            model = reflection[:cache][:class] if reflection[:cache].is_a?(Hash) && reflection[:cache][:class]
+            model = reflection[:class_name].constantize unless model
+            meta  = model.protector_meta.evaluate(model, subject)
+
+            relation = relation.instance_eval(&meta.scope_proc) if meta.scoped?
+          end
+
+          relation
+        end
+      end
+    end
+  end
+end

data/lib/protector/adapters/sequel/eager_graph_loader.rb

@@ -0,0 +1,24 @@
+module Protector
+  module Adapters
+    module Sequel
+      # Patches `Sequel::Model::Associations::EagerGraphLoader`
+      module EagerGraphLoader extend ActiveSupport::Concern
+
+        included do
+          alias_method_chain :initialize, :protector
+        end
+
+        def initialize_with_protector(dataset)
+          initialize_without_protector(dataset)
+
+          if dataset.protector_subject
+            @row_procs.each do |k,v|
+              @row_procs[k] = Dataset::Restrictor.new(dataset.protector_subject, v)
+              @ta_map[k][1] = @row_procs[k] if @ta_map.has_key?(k)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/protector/adapters/sequel/model.rb

@@ -0,0 +1,99 @@
+module Protector
+  module Adapters
+    module Sequel
+      # Patches `Sequel::Model`
+      module Model extend ActiveSupport::Concern
+
+        included do
+          include Protector::DSL::Base
+          include Protector::DSL::Entry
+
+          # Drops {Protector::DSL::Meta::Box} cache when subject changes
+          def restrict!(*args)
+            @protector_meta = nil
+            super
+          end
+        end
+
+        module ClassMethods
+          # Gets default restricted `Dataset`
+          def restrict!(subject)
+            dataset.clone.restrict! subject
+          end
+        end
+
+        # Storage for {Protector::DSL::Meta::Box}
+        def protector_meta
+          @protector_meta ||= self.class.protector_meta.evaluate(
+            self.class,
+            @protector_subject,
+            self.class.columns,
+            self
+          )
+        end
+
+        # Checks if current model can be selected in the context of current subject
+        def visible?
+          protector_meta.relation.where(pk_hash).any?
+        end
+
+        # Checks if current model can be created in the context of current subject
+        def creatable?
+          fields = HashWithIndifferentAccess[keys.map{|x| [x.to_s, @values[x]]}]
+          protector_meta.creatable?(fields)
+        end
+
+        # Checks if current model can be updated in the context of current subject
+        def updatable?
+          fields = HashWithIndifferentAccess[changed_columns.map{|x| [x.to_s, @values[x]]}]
+          protector_meta.updatable?(fields)
+        end
+
+        # Checks if current model can be destroyed in the context of current subject
+        def destroyable?
+          protector_meta.destroyable?
+        end
+
+        # Basic security validations
+        def validate
+          super
+          return unless @protector_subject
+          method = new? ? :creatable? : :updatable?
+          errors.add(:base, I18n.t('protector.invalid')) unless __send__(method)
+        end
+
+        # Destroy availability check
+        def before_destroy
+          return false if @protector_subject && !destroyable?
+          super
+        end
+
+        # Security-checking attributes reader
+        #
+        # @param name [Symbol]          Name of attribute to read
+        def [](name)
+          if (
+            !@protector_subject || 
+            name == self.class.primary_key ||
+            (self.class.primary_key.is_a?(Array) && self.class.primary_key.include?(name)) ||
+            protector_meta.readable?(name.to_s)
+          )
+            @values[name]
+          else
+            nil
+          end
+        end
+
+        # This is used whenever we fetch data
+        def _associated_dataset(*args)
+          super.restrict!(@protector_subject)
+        end
+
+        # This is used whenever we call counters and existance checkers
+        def _dataset(*args)
+          super.restrict!(@protector_subject)
+        end
+      end
+    end
+  end
+end

data/lib/protector/adapters/sequel.rb

@@ -0,0 +1,17 @@
+require 'protector/adapters/sequel/model'
+require 'protector/adapters/sequel/dataset'
+require 'protector/adapters/sequel/eager_graph_loader'
+
+module Protector
+  module Adapters
+    # Sequel adapter
+    module Sequel
+      # YIP YIP! Monkey-Patch the Sequel.
+      def self.activate!
+        ::Sequel::Model.send :include, Protector::Adapters::Sequel::Model
+        ::Sequel::Dataset.send :include, Protector::Adapters::Sequel::Dataset
+        ::Sequel::Model::Associations::EagerGraphLoader.send :include, Protector::Adapters::Sequel::EagerGraphLoader
+      end
+    end
+  end
+end

data/lib/protector/dsl.rb

@@ -5,7 +5,7 @@ module Protector
 
       # Single DSL evaluation result
       class Box
-        attr_accessor :access, :relation, :destroyable
+        attr_accessor :access, :scope_proc, :relation, :destroyable
 
         # @param model [Class]              The class of protected entity
         # @param fields [Array<String>]     All the fields the model has
@@ -50,7 +50,8 @@ module Protector
         #     scope { none }
         #   end
         def scope(&block)
-          @relation = @model.instance_eval(&block)
+          @scope_proc = block
+          @relation   = @model.instance_eval(&block)
         end
 
         # Enables action for given fields.
@@ -198,6 +199,8 @@ module Protector
       # @param fields [Array<String>]     All the fields the model has
       # @param entry [Object]             An instance of the model
       def evaluate(model, subject, fields=[], entry=nil)
+        raise "Unprotected entity detected: use `restrict` method to protect it." unless subject
+
         Box.new(model, fields, subject, entry, blocks)
       end
     end

data/lib/protector/version.rb

@@ -1,4 +1,4 @@
 module Protector
   # Gem version
-  VERSION = "0.1.1"
+  VERSION = "0.2.1"
 end

data/lib/protector.rb

@@ -4,7 +4,9 @@ require "i18n"
 require "protector/version"
 require "protector/dsl"
 require "protector/adapters/active_record"
+require "protector/adapters/sequel"
 
 I18n.load_path << Dir[File.join File.expand_path(File.dirname(__FILE__)), '..', 'locales', '*.yml']
 
-Protector::Adapters::ActiveRecord.activate! if defined?(ActiveRecord)
+Protector::Adapters::ActiveRecord.activate! if defined?(ActiveRecord)
+Protector::Adapters::Sequel.activate! if defined?(Sequel)

data/migrations/active_record.rb

@@ -23,7 +23,6 @@ end
     t.integer     :number
     t.text        :text
     t.belongs_to  :dummy
-    t.timestamps
   end
 end
 

data/migrations/sequel.rb

@@ -0,0 +1,49 @@
+### Connection
+
+DB = if RUBY_PLATFORM == 'java'
+  Jdbc::SQLite3.load_driver
+  Sequel.connect('jdbc:sqlite::memory:')
+else
+  Sequel.sqlite
+end
+
+Sequel::Model.instance_eval do
+  def none
+    where('1 = 0')
+  end
+end
+
+### Tables
+
+[:dummies, :fluffies, :bobbies].each do |m|
+  DB.create_table m do
+    primary_key :id
+    String :string
+    Integer :number
+    Text :text
+    Integer :dummy_id
+  end
+end
+
+DB.create_table :loonies do
+  Integer :fluffy_id
+  String :string
+end
+
+### Classes
+
+class Dummy < Sequel::Model
+  one_to_many :fluffies
+  one_to_many :bobbies
+end
+
+class Fluffy < Sequel::Model
+  many_to_one :dummy
+  one_to_one :loony
+end
+
+class Bobby < Sequel::Model
+end
+
+class Loony < Sequel::Model
+end

data/perf/{active_record.rb → active_record_perf.rb}

@@ -1,3 +1,5 @@
+require 'ruby-prof'
+
 migrate
 
 seed do

data/perf/perf_helpers/boot.rb

@@ -2,7 +2,7 @@ class Perf
   def self.load(adapter)
     perf = Perf.new(adapter.camelize)
     base = Pathname.new(File.expand_path '../..', __FILE__)
-    file = base.join(adapter+'.rb').to_s
+    file = base.join(adapter+'_perf.rb').to_s
     perf.instance_eval File.read(file), file
     perf.run!
   end
@@ -11,6 +11,7 @@ class Perf
     @blocks = {}
     @adapter = adapter
     @activated = false
+    @profiling = {}
   end
 
   def migrate
@@ -32,15 +33,22 @@ class Perf
     @activation = block
   end
 
-  def benchmark(subject, &block)
+  def benchmark(subject, options={}, &block)
     @blocks[subject] = block
   end
 
+  def benchmark!(subject, options={min_percent: 4}, &block)
+    @profiling[subject] = options
+    benchmark(subject, &block)
+  end
+
   def activated?
     @activated
   end
 
   def run!
+    require 'ruby-prof' if @profiling.any?
+
     results = {}
 
     results[:off] = run_state('disabled', :red)
@@ -65,11 +73,21 @@ class Perf
 
   def run_state(state, color)
     data = {}
+    prof = @profiling
 
     print_block "Protector #{state.send color}" do
       @blocks.each do |s, b|
+        RubyProf.start if prof.include?(s)
+
         data[s] = Benchmark.realtime(&b)
         print_result s, data[s].to_s
+
+        if prof.include?(s)
+          result = RubyProf.stop 
+
+          printer = RubyProf::FlatPrinter.new(result)
+          printer.print(STDOUT, prof[s])
+        end
       end
     end
 

data/perf/sequel_perf.rb

@@ -0,0 +1,84 @@
+migrate
+
+seed do
+  500.times do
+    d = Dummy.create string: 'zomgstring', number: [999,777].sample, text: 'zomgtext'
+
+    2.times do
+      f = Fluffy.create string: 'zomgstring', number: [999,777].sample, text: 'zomgtext', dummy_id: d.id
+      b = Bobby.create string: 'zomgstring', number: [999,777].sample, text: 'zomgtext', dummy_id: d.id
+      l = Loony.create string: 'zomgstring', fluffy_id: f.id
+    end
+  end
+end
+
+activate do
+  Dummy.instance_eval do
+    protect do
+      scope { where }
+      can :view, :string
+    end
+  end
+
+  Fluffy.instance_eval do
+    protect do
+      scope { where }
+      can :view
+    end
+  end
+
+  # Define attributes methods
+  Dummy.first
+end
+
+benchmark 'Read from unprotected model (100k)' do
+  d = Dummy.first
+  100_000.times { d.string }
+end
+
+benchmark 'Read open field (100k)' do
+  d = Dummy.first
+  d = d.restrict!('!') if activated?
+  100_000.times { d.string }
+end
+
+benchmark 'Read nil field (100k)' do
+  d = Dummy.first
+  d = d.restrict!('!') if activated?
+  100_000.times { d.text }
+end
+
+benchmark 'Check existance' do
+  scope = activated? ? Dummy.restrict!('!') : Dummy.where
+  1000.times { scope.any? }
+end
+
+benchmark 'Count' do
+  scope = Dummy.limit(1)
+  scope = scope.restrict!('!') if activated?
+  1000.times { scope.count }
+end
+
+benchmark 'Select one' do
+  scope = Dummy.limit(1)
+  scope = scope.restrict!('!') if activated?
+  1000.times { scope.to_a }
+end
+
+benchmark 'Select many' do
+  scope = Dummy.where
+  scope = scope.restrict!('!') if activated?
+  200.times { scope.to_a }
+end
+
+benchmark 'Select with eager loading' do
+  scope = Dummy.eager(:fluffies)
+  scope = scope.restrict!('!') if activated?
+  200.times { scope.to_a }
+end
+
+benchmark 'Select with filtered eager loading' do
+  scope = Dummy.eager_graph(fluffies: :loony)
+  scope = scope.restrict!('!') if activated?
+  200.times { scope.to_a }
+end

data/spec/lib/adapters/active_record_spec.rb

@@ -7,6 +7,19 @@ if defined?(ActiveRecord)
     before(:all) do
       load 'migrations/active_record.rb'
 
+      module ProtectionCase
+        extend ActiveSupport::Concern
+
+        included do |klass|
+          protect do |x|
+            scope{ where('1=0') } if x == '-'
+            scope{ where(klass.table_name => {number: 999}) } if x == '+' 
+
+            can :view, :dummy_id unless x == '-'
+          end
+        end
+      end
+
       [Dummy, Fluffy].each{|c| c.send :include, ProtectionCase}
 
       Dummy.create! string: 'zomgstring', number: 999, text: 'zomgtext'
@@ -127,7 +140,7 @@ if defined?(ActiveRecord)
 
         context "joined to filtered association" do
           it "scopes" do
-            d = Dummy.restrict!('+').includes(:fluffies).where(fluffies: {number: 777})
+            d = Dummy.restrict!('+').includes(:fluffies).where(fluffies: {string: 'zomgstring'})
             d.length.should == 2
             d.first.fluffies.length.should == 1
           end
@@ -136,18 +149,18 @@ if defined?(ActiveRecord)
         context "joined to plain association" do
           it "scopes" do
             d = Dummy.restrict!('+').includes(:bobbies, :fluffies).where(
-              bobbies: {number: 777}, fluffies: {number: 777}
+              bobbies: {string: 'zomgstring'}, fluffies: {string: 'zomgstring'}
             )
             d.length.should == 2
             d.first.fluffies.length.should == 1
-            d.first.bobbies.length.should == 1
+            d.first.bobbies.length.should == 2
           end
         end
 
         context "with complex include" do
           it "scopes" do
             d = Dummy.restrict!('+').includes(fluffies: :loony).where(
-              fluffies: {number: 777},
+              fluffies: {string: 'zomgstring'},
               loonies: {string: 'zomgstring'}
             )
             d.length.should == 2