proxes 0.3.5 → 0.3.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b75db292ccba3287742672927f228a2bd4300b5c
-  data.tar.gz: 130a8c4cee3f14a79fb52a96e97fd08f00bae383
+  metadata.gz: 8d84d569f0a5650fb34b6bd9aede6d9737540323
+  data.tar.gz: ac93f76be8bf7ccd7fdfac033e2affe8f9442999
 SHA512:
-  metadata.gz: 5af0b16dfa99043350bb6cac773493a21c5d4819d2884fc282164f723c80fbea0ccd037a34851dc343c16d2f3e4cae381e99ee538a7c0ee8fff734f47f0bfe61
-  data.tar.gz: 910c24347f4abee41eda9719537b320f61177d6bbae8207337e3c53975e0a53042f11f8431e43ceed4fd4f6cb930539830714ce2f49c6092249cb26c800b30e3
+  metadata.gz: 725746109ead14f455a36006863ad9bff880d8685b2511d4ddec6cf7c882b85b04e4250f9154e1eb71c12a523c14ef11399430200082fca0bdc85fd6e48565dc
+  data.tar.gz: ab5eb8ba0e65a9adf781cd6f2ff977323ae514388f206d4ef7a5e8a0748bc8c4e1241239dfa1acc5117eefc188fa397c5aea561c7fd9d7a8b7df03f475236a8d

data/Gemfile.dev.lock

@@ -9,7 +9,8 @@ GIT
 PATH
   remote: .
   specs:
-    proxes (0.3.2)
+    proxes (0.3.5)
+      activesupport
       bcrypt
       elasticsearch
       haml
@@ -34,7 +35,7 @@ GEM
       i18n (~> 0.7)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    backports (3.6.8)
+    backports (3.7.0)
     bcrypt (3.1.11)
     bcrypt-ruby (3.1.5)
       bcrypt (>= 3.1.3)
@@ -44,17 +45,17 @@ GEM
     database_cleaner (1.5.3)
     diff-lcs (1.2.5)
     docile (1.1.5)
-    elasticsearch (5.0.3)
-      elasticsearch-api (= 5.0.3)
-      elasticsearch-transport (= 5.0.3)
-    elasticsearch-api (5.0.3)
+    elasticsearch (5.0.4)
+      elasticsearch-api (= 5.0.4)
+      elasticsearch-transport (= 5.0.4)
+    elasticsearch-api (5.0.4)
       multi_json
-    elasticsearch-transport (5.0.3)
+    elasticsearch-transport (5.0.4)
       faraday
       multi_json
     factory_girl (4.8.0)
       activesupport (>= 3.0.0)
-    faraday (0.11.0)
+    faraday (0.12.0.1)
       multipart-post (>= 1.2, < 3)
     ffi (1.9.14)
     git-version-bump (0.15.1)
@@ -116,7 +117,7 @@ GEM
       rspec-support (~> 3.5.0)
     rspec-support (3.5.0)
     ruby_dep (1.5.0)
-    sequel (4.44.0)
+    sequel (4.45.0)
     simplecov (0.12.0)
       docile (~> 1.1.0)
       json (>= 1.8, < 3)

data/lib/proxes/controllers/audit_logs.rb

@@ -7,6 +7,10 @@ module ProxES
   class AuditLogs < Component
     set model_class: AuditLog
 
+    def list
+      super.order(:created_at).reverse
+    end
+
     get '/new' do
       halt 404
     end

data/lib/proxes/db.rb

@@ -6,7 +6,7 @@ require 'proxes/services/logger'
 # passed to subprocesses.  DATABASE_URL may contain passwords.
 DB = Sequel.connect(ENV['RACK_ENV'] == 'production' ? ENV.delete('DATABASE_URL') : ENV['DATABASE_URL'])
 
-DB.loggers <<  ProxES::Services::Logger.instance
+DB.loggers << ProxES::Services::Logger.instance
 
 DB.extension(:pagination)
 

data/lib/proxes/listener.rb

@@ -5,6 +5,7 @@ module ProxES
     def method_missing(method, *args, &block)
       vals = { action: method }
       vals[:user] = args[0][:user] if (args[0] && args[0].has_key?(:user))
+      vals[:details] = args[0][:details] if (args[0] && args[0].has_key?(:details))
       AuditLog.create vals
     end
 

data/lib/proxes/models/permission.rb

@@ -4,9 +4,18 @@ require 'proxes/models/base'
 module ProxES
   class Permission < Base
     many_to_one :role
+    many_to_one :user
+
+    dataset_module do
+      def for_user(a_user, action)
+        where(verb: action).where{Sequel.|({role: a_user.roles}, {user_id: a_user.id})}
+      end
+    end
 
     def validate
-      validates_presence [:role_id, :verb, :pattern]
+      validates_presence [:verb, :pattern]
+      validates_presence :role_id unless user_id
+      validates_presence :user_id unless role_id
       validates_includes self.class.verbs, :verb
     end
 

data/lib/proxes/models/user.rb

@@ -53,5 +53,9 @@ module ProxES
     def index_prefix
       email
     end
+
+    def username
+      identity_dataset.first.username
+    end
   end
 end

data/lib/proxes/policies/audit_log_policy.rb

@@ -24,7 +24,7 @@ module ProxES
     end
 
     def permitted_attributes
-      [:action]
+      [:action, :details]
     end
 
     class Scope < ApplicationPolicy::Scope

data/lib/proxes/policies/permission_policy.rb

@@ -24,7 +24,7 @@ module ProxES
     end
 
     def permitted_attributes
-      [:verb, :pattern, :role_id]
+      [:verb, :pattern, :role_id, :user_id]
     end
 
     class Scope < ApplicationPolicy::Scope

data/lib/proxes/policies/request/search_policy.rb

@@ -4,7 +4,7 @@ module ProxES
     class SearchPolicy < RequestPolicy
       class Scope < RequestPolicy::Scope
         def resolve
-          patterns = Permission.where(verb: 'INDEX', role: user.roles).map do |permission|
+          patterns = Permission.for_user(user, 'INDEX').map do |permission|
             permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
           end
           filter scope.index, patterns

data/lib/proxes/policies/request/stats_policy.rb

@@ -4,7 +4,7 @@ module ProxES
     class StatsPolicy < RequestPolicy
       class Scope < RequestPolicy::Scope
         def resolve
-          patterns = Permission.where(verb: 'INDEX', role: user.roles).map do |permission|
+          patterns = Permission.for_user(user, 'INDEX').map do |permission|
             permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
           end
           filter scope.index, patterns

data/lib/proxes/policies/request_policy.rb

@@ -20,15 +20,9 @@ module ProxES
         return false if user.nil?
 
         if record.indices?
-          patterns = Permission.where(verb: 'INDEX', role: user.roles).map do |permission|
-            permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
-          end
-          return filter(record.index, patterns).count.positive?
+          return true if index_allowed?
         else
-          # Give me all the user's permissions that match the verb
-          Permission.where(verb: method_sym[0..-2].upcase, role: user.roles).each do |permission|
-            return true if record.path =~ %r{#{permission.pattern}}
-          end
+          return true if action_allowed? method_sym[0..-2].upcase
         end
         false
       else
@@ -36,6 +30,21 @@ module ProxES
       end
     end
 
+    def index_allowed?
+      patterns = Permission.for_user(user, 'INDEX').map do |permission|
+        permission.pattern.gsub(/\{user.(.*)\}/) { |match| user.send(Regexp.last_match[1].to_sym) }
+      end
+      return filter(record.index, patterns).count.positive?
+    end
+
+    def action_allowed?(action)
+      # Give me all the user's permissions that match the verb
+      Permission.for_user(user, action).each do |permission|
+        return true if record.path =~ %r{#{permission.pattern}}
+      end
+      false
+    end
+
     def respond_to_missing?(name, _include_private = false)
       name[-1] == '?'
     end

data/lib/proxes/rake_tasks.rb

@@ -36,7 +36,7 @@ module ProxES
         namespace :migrate do
           require_relative './db'
           Sequel.extension :migration
-          folder = File.expand_path(File.dirname(__FILE__) + '/../../migrate')
+          folder = 'migrations'
 
           desc 'Check if the migration is current'
           task :check do

data/lib/proxes/security.rb

@@ -4,6 +4,7 @@ require 'proxes/request'
 require 'proxes/policies/request_policy'
 require 'proxes/helpers/pundit'
 require 'proxes/helpers/authentication'
+require 'proxes/helpers/wisper'
 require 'proxes/services/logger'
 
 module ProxES
@@ -12,6 +13,8 @@ module ProxES
 
     include Helpers::Authentication
     include Helpers::Pundit
+    include Helpers::Wisper
+    include Wisper::Publisher
 
     def initialize(app, logger = nil)
       @app = app
@@ -36,6 +39,7 @@ module ProxES
         check_basic
         authorize request
       rescue StandardError => e
+        log_action(:es_request_denied, details: "#{request.request_method.upcase} #{request.fullpath} (#{request.class.name})")
         logger.debug "Access denied by security layer: #{e.message}"
         return error 'Forbidden', 403
       end

data/lib/proxes/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ProxES
-  VERSION = '0.3.5'
+  VERSION = '0.3.6'
 end

data/migrate/20170416_audit_log_details.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  change do
+    alter_table :audit_logs do
+      add_column :details, String, text: true
+    end
+  end
+end

data/migrate/20170416_user_specific_permissions.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  change do
+    alter_table :permissions do
+      add_foreign_key :user_id, :users
+    end
+  end
+end

data/proxes.gemspec

@@ -27,6 +27,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'database_cleaner'
   spec.add_development_dependency 'factory_girl'
 
+  spec.add_dependency 'activesupport'
   spec.add_dependency 'rake', '~> 10.0'
   spec.add_dependency 'rack-contrib'
   spec.add_dependency 'sinatra'

data/views/audit_logs/index.haml

@@ -6,6 +6,7 @@
           %tr
             %th User email
             %th Action
+            %th Details
             %th Created at
         %tbody
           -list.each do |entity|
@@ -17,5 +18,7 @@
                   None
               %td
                 = entity.action
+              %td
+                = entity.details
               %td
                 = entity.created_at.strftime('%Y-%m-%d %H:%M:%S')

data/views/permissions/display.haml

@@ -5,7 +5,10 @@
       .panel-body
         %p.description
           %label Role:
-          = entity.role.name
+          = entity.role ? entity.role.name : 'None'
+        %p.description
+          %label User:
+          = entity.user ? entity.user.username : 'None'
         %p.description
           %label Verb:
           = entity.verb

data/views/permissions/form.haml

@@ -1,3 +1,4 @@
 = form_control(:role_id, entity, type: 'select', options: ProxES::Role.to_hash(:id, :name))
+= form_control(:user_id, entity, type: 'select', options: ProxES::User.to_hash(:id, :email))
 = form_control(:verb, entity, type: 'select', options: ProxES::Permission.verbs)
 = form_control(:pattern, entity)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: proxes
 version: !ruby/object:Gem::Version
-  version: 0.3.5
+  version: 0.3.6
 platform: ruby
 authors:
 - Jurgens du Toit
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-04-12 00:00:00.000000000 Z
+date: 2017-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -384,6 +398,8 @@ files:
 - lib/proxes/version.rb
 - migrate/20170207_01_base_tables.rb
 - migrate/20170207_02_audit_log.rb
+- migrate/20170416_audit_log_details.rb
+- migrate/20170416_user_specific_permissions.rb
 - package.json
 - proxes.gemspec
 - public/js/bundle.js