proxes 0.3.5 → 0.3.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.dev.lock +10 -9
- data/lib/proxes/controllers/audit_logs.rb +4 -0
- data/lib/proxes/db.rb +1 -1
- data/lib/proxes/listener.rb +1 -0
- data/lib/proxes/models/permission.rb +10 -1
- data/lib/proxes/models/user.rb +4 -0
- data/lib/proxes/policies/audit_log_policy.rb +1 -1
- data/lib/proxes/policies/permission_policy.rb +1 -1
- data/lib/proxes/policies/request/search_policy.rb +1 -1
- data/lib/proxes/policies/request/stats_policy.rb +1 -1
- data/lib/proxes/policies/request_policy.rb +17 -8
- data/lib/proxes/rake_tasks.rb +1 -1
- data/lib/proxes/security.rb +4 -0
- data/lib/proxes/version.rb +1 -1
- data/migrate/20170416_audit_log_details.rb +9 -0
- data/migrate/20170416_user_specific_permissions.rb +9 -0
- data/proxes.gemspec +1 -0
- data/views/audit_logs/index.haml +3 -0
- data/views/permissions/display.haml +4 -1
- data/views/permissions/form.haml +1 -0
- metadata +18 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8d84d569f0a5650fb34b6bd9aede6d9737540323
|
|
4
|
+
data.tar.gz: ac93f76be8bf7ccd7fdfac033e2affe8f9442999
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 725746109ead14f455a36006863ad9bff880d8685b2511d4ddec6cf7c882b85b04e4250f9154e1eb71c12a523c14ef11399430200082fca0bdc85fd6e48565dc
|
|
7
|
+
data.tar.gz: ab5eb8ba0e65a9adf781cd6f2ff977323ae514388f206d4ef7a5e8a0748bc8c4e1241239dfa1acc5117eefc188fa397c5aea561c7fd9d7a8b7df03f475236a8d
|
data/Gemfile.dev.lock
CHANGED
|
@@ -9,7 +9,8 @@ GIT
|
|
|
9
9
|
PATH
|
|
10
10
|
remote: .
|
|
11
11
|
specs:
|
|
12
|
-
proxes (0.3.
|
|
12
|
+
proxes (0.3.5)
|
|
13
|
+
activesupport
|
|
13
14
|
bcrypt
|
|
14
15
|
elasticsearch
|
|
15
16
|
haml
|
|
@@ -34,7 +35,7 @@ GEM
|
|
|
34
35
|
i18n (~> 0.7)
|
|
35
36
|
minitest (~> 5.1)
|
|
36
37
|
tzinfo (~> 1.1)
|
|
37
|
-
backports (3.
|
|
38
|
+
backports (3.7.0)
|
|
38
39
|
bcrypt (3.1.11)
|
|
39
40
|
bcrypt-ruby (3.1.5)
|
|
40
41
|
bcrypt (>= 3.1.3)
|
|
@@ -44,17 +45,17 @@ GEM
|
|
|
44
45
|
database_cleaner (1.5.3)
|
|
45
46
|
diff-lcs (1.2.5)
|
|
46
47
|
docile (1.1.5)
|
|
47
|
-
elasticsearch (5.0.
|
|
48
|
-
elasticsearch-api (= 5.0.
|
|
49
|
-
elasticsearch-transport (= 5.0.
|
|
50
|
-
elasticsearch-api (5.0.
|
|
48
|
+
elasticsearch (5.0.4)
|
|
49
|
+
elasticsearch-api (= 5.0.4)
|
|
50
|
+
elasticsearch-transport (= 5.0.4)
|
|
51
|
+
elasticsearch-api (5.0.4)
|
|
51
52
|
multi_json
|
|
52
|
-
elasticsearch-transport (5.0.
|
|
53
|
+
elasticsearch-transport (5.0.4)
|
|
53
54
|
faraday
|
|
54
55
|
multi_json
|
|
55
56
|
factory_girl (4.8.0)
|
|
56
57
|
activesupport (>= 3.0.0)
|
|
57
|
-
faraday (0.
|
|
58
|
+
faraday (0.12.0.1)
|
|
58
59
|
multipart-post (>= 1.2, < 3)
|
|
59
60
|
ffi (1.9.14)
|
|
60
61
|
git-version-bump (0.15.1)
|
|
@@ -116,7 +117,7 @@ GEM
|
|
|
116
117
|
rspec-support (~> 3.5.0)
|
|
117
118
|
rspec-support (3.5.0)
|
|
118
119
|
ruby_dep (1.5.0)
|
|
119
|
-
sequel (4.
|
|
120
|
+
sequel (4.45.0)
|
|
120
121
|
simplecov (0.12.0)
|
|
121
122
|
docile (~> 1.1.0)
|
|
122
123
|
json (>= 1.8, < 3)
|
data/lib/proxes/db.rb
CHANGED
|
@@ -6,7 +6,7 @@ require 'proxes/services/logger'
|
|
|
6
6
|
# passed to subprocesses. DATABASE_URL may contain passwords.
|
|
7
7
|
DB = Sequel.connect(ENV['RACK_ENV'] == 'production' ? ENV.delete('DATABASE_URL') : ENV['DATABASE_URL'])
|
|
8
8
|
|
|
9
|
-
DB.loggers <<
|
|
9
|
+
DB.loggers << ProxES::Services::Logger.instance
|
|
10
10
|
|
|
11
11
|
DB.extension(:pagination)
|
|
12
12
|
|
data/lib/proxes/listener.rb
CHANGED
|
@@ -5,6 +5,7 @@ module ProxES
|
|
|
5
5
|
def method_missing(method, *args, &block)
|
|
6
6
|
vals = { action: method }
|
|
7
7
|
vals[:user] = args[0][:user] if (args[0] && args[0].has_key?(:user))
|
|
8
|
+
vals[:details] = args[0][:details] if (args[0] && args[0].has_key?(:details))
|
|
8
9
|
AuditLog.create vals
|
|
9
10
|
end
|
|
10
11
|
|
|
@@ -4,9 +4,18 @@ require 'proxes/models/base'
|
|
|
4
4
|
module ProxES
|
|
5
5
|
class Permission < Base
|
|
6
6
|
many_to_one :role
|
|
7
|
+
many_to_one :user
|
|
8
|
+
|
|
9
|
+
dataset_module do
|
|
10
|
+
def for_user(a_user, action)
|
|
11
|
+
where(verb: action).where{Sequel.|({role: a_user.roles}, {user_id: a_user.id})}
|
|
12
|
+
end
|
|
13
|
+
end
|
|
7
14
|
|
|
8
15
|
def validate
|
|
9
|
-
validates_presence [:
|
|
16
|
+
validates_presence [:verb, :pattern]
|
|
17
|
+
validates_presence :role_id unless user_id
|
|
18
|
+
validates_presence :user_id unless role_id
|
|
10
19
|
validates_includes self.class.verbs, :verb
|
|
11
20
|
end
|
|
12
21
|
|
data/lib/proxes/models/user.rb
CHANGED
|
@@ -4,7 +4,7 @@ module ProxES
|
|
|
4
4
|
class SearchPolicy < RequestPolicy
|
|
5
5
|
class Scope < RequestPolicy::Scope
|
|
6
6
|
def resolve
|
|
7
|
-
patterns = Permission.
|
|
7
|
+
patterns = Permission.for_user(user, 'INDEX').map do |permission|
|
|
8
8
|
permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
|
|
9
9
|
end
|
|
10
10
|
filter scope.index, patterns
|
|
@@ -4,7 +4,7 @@ module ProxES
|
|
|
4
4
|
class StatsPolicy < RequestPolicy
|
|
5
5
|
class Scope < RequestPolicy::Scope
|
|
6
6
|
def resolve
|
|
7
|
-
patterns = Permission.
|
|
7
|
+
patterns = Permission.for_user(user, 'INDEX').map do |permission|
|
|
8
8
|
permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
|
|
9
9
|
end
|
|
10
10
|
filter scope.index, patterns
|
|
@@ -20,15 +20,9 @@ module ProxES
|
|
|
20
20
|
return false if user.nil?
|
|
21
21
|
|
|
22
22
|
if record.indices?
|
|
23
|
-
|
|
24
|
-
permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
|
|
25
|
-
end
|
|
26
|
-
return filter(record.index, patterns).count.positive?
|
|
23
|
+
return true if index_allowed?
|
|
27
24
|
else
|
|
28
|
-
|
|
29
|
-
Permission.where(verb: method_sym[0..-2].upcase, role: user.roles).each do |permission|
|
|
30
|
-
return true if record.path =~ %r{#{permission.pattern}}
|
|
31
|
-
end
|
|
25
|
+
return true if action_allowed? method_sym[0..-2].upcase
|
|
32
26
|
end
|
|
33
27
|
false
|
|
34
28
|
else
|
|
@@ -36,6 +30,21 @@ module ProxES
|
|
|
36
30
|
end
|
|
37
31
|
end
|
|
38
32
|
|
|
33
|
+
def index_allowed?
|
|
34
|
+
patterns = Permission.for_user(user, 'INDEX').map do |permission|
|
|
35
|
+
permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
|
|
36
|
+
end
|
|
37
|
+
return filter(record.index, patterns).count.positive?
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def action_allowed?(action)
|
|
41
|
+
# Give me all the user's permissions that match the verb
|
|
42
|
+
Permission.for_user(user, action).each do |permission|
|
|
43
|
+
return true if record.path =~ %r{#{permission.pattern}}
|
|
44
|
+
end
|
|
45
|
+
false
|
|
46
|
+
end
|
|
47
|
+
|
|
39
48
|
def respond_to_missing?(name, _include_private = false)
|
|
40
49
|
name[-1] == '?'
|
|
41
50
|
end
|
data/lib/proxes/rake_tasks.rb
CHANGED
data/lib/proxes/security.rb
CHANGED
|
@@ -4,6 +4,7 @@ require 'proxes/request'
|
|
|
4
4
|
require 'proxes/policies/request_policy'
|
|
5
5
|
require 'proxes/helpers/pundit'
|
|
6
6
|
require 'proxes/helpers/authentication'
|
|
7
|
+
require 'proxes/helpers/wisper'
|
|
7
8
|
require 'proxes/services/logger'
|
|
8
9
|
|
|
9
10
|
module ProxES
|
|
@@ -12,6 +13,8 @@ module ProxES
|
|
|
12
13
|
|
|
13
14
|
include Helpers::Authentication
|
|
14
15
|
include Helpers::Pundit
|
|
16
|
+
include Helpers::Wisper
|
|
17
|
+
include Wisper::Publisher
|
|
15
18
|
|
|
16
19
|
def initialize(app, logger = nil)
|
|
17
20
|
@app = app
|
|
@@ -36,6 +39,7 @@ module ProxES
|
|
|
36
39
|
check_basic
|
|
37
40
|
authorize request
|
|
38
41
|
rescue StandardError => e
|
|
42
|
+
log_action(:es_request_denied, details: "#{request.request_method.upcase} #{request.fullpath} (#{request.class.name})")
|
|
39
43
|
logger.debug "Access denied by security layer: #{e.message}"
|
|
40
44
|
return error 'Forbidden', 403
|
|
41
45
|
end
|
data/lib/proxes/version.rb
CHANGED
data/proxes.gemspec
CHANGED
|
@@ -27,6 +27,7 @@ Gem::Specification.new do |spec|
|
|
|
27
27
|
spec.add_development_dependency 'database_cleaner'
|
|
28
28
|
spec.add_development_dependency 'factory_girl'
|
|
29
29
|
|
|
30
|
+
spec.add_dependency 'activesupport'
|
|
30
31
|
spec.add_dependency 'rake', '~> 10.0'
|
|
31
32
|
spec.add_dependency 'rack-contrib'
|
|
32
33
|
spec.add_dependency 'sinatra'
|
data/views/audit_logs/index.haml
CHANGED
data/views/permissions/form.haml
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
1
|
= form_control(:role_id, entity, type: 'select', options: ProxES::Role.to_hash(:id, :name))
|
|
2
|
+
= form_control(:user_id, entity, type: 'select', options: ProxES::User.to_hash(:id, :email))
|
|
2
3
|
= form_control(:verb, entity, type: 'select', options: ProxES::Permission.verbs)
|
|
3
4
|
= form_control(:pattern, entity)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: proxes
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jurgens du Toit
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-04-
|
|
11
|
+
date: 2017-04-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -94,6 +94,20 @@ dependencies:
|
|
|
94
94
|
- - ">="
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '0'
|
|
97
|
+
- !ruby/object:Gem::Dependency
|
|
98
|
+
name: activesupport
|
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
|
100
|
+
requirements:
|
|
101
|
+
- - ">="
|
|
102
|
+
- !ruby/object:Gem::Version
|
|
103
|
+
version: '0'
|
|
104
|
+
type: :runtime
|
|
105
|
+
prerelease: false
|
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
+
requirements:
|
|
108
|
+
- - ">="
|
|
109
|
+
- !ruby/object:Gem::Version
|
|
110
|
+
version: '0'
|
|
97
111
|
- !ruby/object:Gem::Dependency
|
|
98
112
|
name: rake
|
|
99
113
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -384,6 +398,8 @@ files:
|
|
|
384
398
|
- lib/proxes/version.rb
|
|
385
399
|
- migrate/20170207_01_base_tables.rb
|
|
386
400
|
- migrate/20170207_02_audit_log.rb
|
|
401
|
+
- migrate/20170416_audit_log_details.rb
|
|
402
|
+
- migrate/20170416_user_specific_permissions.rb
|
|
387
403
|
- package.json
|
|
388
404
|
- proxes.gemspec
|
|
389
405
|
- public/js/bundle.js
|