RubyGems - rabarber - Versions diffs - 1.4.0 → 2.0.0 - Mend

rabarber 1.4.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +44 -18
data/README.md +140 -76
data/lib/generators/rabarber/roles_generator.rb +2 -0
data/lib/generators/rabarber/templates/create_rabarber_roles.rb.erb +3 -3
data/lib/rabarber/audit/events/base.rb +64 -0
data/lib/rabarber/audit/events/roles_assigned.rb +35 -0
data/lib/rabarber/audit/events/roles_revoked.rb +35 -0
data/lib/rabarber/audit/events/unauthorized_attempt.rb +31 -0
data/lib/rabarber/audit/logger.rb +23 -0
data/lib/rabarber/configuration.rb +3 -47
data/lib/rabarber/controllers/concerns/authorization.rb +9 -11
data/lib/rabarber/core/access.rb +5 -9
data/lib/rabarber/core/cache.rb +42 -0
data/lib/rabarber/core/permissions.rb +2 -0
data/lib/rabarber/core/permissions_integrity_checker.rb +39 -0
data/lib/rabarber/core/roleable.rb +15 -0
data/lib/rabarber/core/rule.rb +5 -9
data/lib/rabarber/helpers/helpers.rb +4 -2
data/lib/rabarber/models/concerns/has_roles.rb +6 -14
data/lib/rabarber/models/role.rb +5 -12
data/lib/rabarber/railtie.rb +1 -7
data/lib/rabarber/version.rb +1 -1
data/lib/rabarber.rb +9 -9
data/rabarber.gemspec +2 -2
metadata +19 -7
data/lib/rabarber/cache.rb +0 -29
data/lib/rabarber/logger.rb +0 -40
data/lib/rabarber/missing/actions.rb +0 -24
data/lib/rabarber/missing/base.rb +0 -61
data/lib/rabarber/missing/roles.rb +0 -35

data/lib/rabarber/audit/events/roles_assigned.rb ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module Rabarber
+  module Audit
+    module Events
+      class RolesAssigned < Base
+        private
+        def nil_roleable_allowed?
+          false
+        end
+        def log_level
+          :info
+        end
+        def message
+          "[Role Assignment] #{identity} has been assigned the following roles: #{roles_to_assign}, current roles: #{current_roles}"
+        end
+        def identity_with_roles?
+          false
+        end
+        def roles_to_assign
+          specifics.fetch(:roles_to_assign)
+        end
+        def current_roles
+          specifics.fetch(:current_roles)
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/audit/events/roles_revoked.rb ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module Rabarber
+  module Audit
+    module Events
+      class RolesRevoked < Base
+        private
+        def nil_roleable_allowed?
+          false
+        end
+        def log_level
+          :info
+        end
+        def message
+          "[Role Revocation] #{identity} has been revoked from the following roles: #{roles_to_revoke}, current roles: #{current_roles}"
+        end
+        def identity_with_roles?
+          false
+        end
+        def roles_to_revoke
+          specifics.fetch(:roles_to_revoke)
+        end
+        def current_roles
+          specifics.fetch(:current_roles)
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/audit/events/unauthorized_attempt.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module Rabarber
+  module Audit
+    module Events
+      class UnauthorizedAttempt < Base
+        private
+        def nil_roleable_allowed?
+          true
+        end
+        def log_level
+          :warn
+        end
+        def message
+          "[Unauthorized Attempt] #{identity} attempted to access '#{path}'"
+        end
+        def identity_with_roles?
+          true
+        end
+        def path
+          specifics.fetch(:path)
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/audit/logger.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+require "singleton"
+module Rabarber
+  module Audit
+    class Logger
+      include Singleton
+      attr_reader :logger
+      def initialize
+        @logger = ::Logger.new(Rails.root.join("log/rabarber_audit.log"))
+      end
+      def self.log(log_level, message)
+        return unless Rabarber::Configuration.instance.audit_trail_enabled
+        instance.logger.public_send(log_level, message)
+      end
+    end
+  end
+end

data/lib/rabarber/configuration.rb CHANGED Viewed

@@ -1,20 +1,18 @@
 # frozen_string_literal: true
+require "singleton"
 module Rabarber
   class Configuration
     include Singleton
-    attr_reader :audit_trail_enabled, :cache_enabled, :current_user_method, :must_have_roles,
-                :when_actions_missing, :when_roles_missing, :when_unauthorized
+    attr_reader :audit_trail_enabled, :cache_enabled, :current_user_method, :must_have_roles
     def initialize
       @audit_trail_enabled = default_audit_trail_enabled
       @cache_enabled = default_cache_enabled
       @current_user_method = default_current_user_method
       @must_have_roles = default_must_have_roles
-      @when_actions_missing = default_when_actions_missing
-      @when_roles_missing = default_when_roles_missing
-      @when_unauthorized = default_when_unauthorized
     end
     def audit_trail_enabled=(value)
@@ -41,24 +39,6 @@ module Rabarber
       ).process
     end
-    def when_actions_missing=(callable)
-      @when_actions_missing = Rabarber::Input::Types::Proc.new(
-        callable, Rabarber::ConfigurationError, "Configuration 'when_actions_missing' must be a Proc"
-      ).process
-    end
-    def when_roles_missing=(callable)
-      @when_roles_missing = Rabarber::Input::Types::Proc.new(
-        callable, Rabarber::ConfigurationError, "Configuration 'when_roles_missing' must be a Proc"
-      ).process
-    end
-    def when_unauthorized=(callable)
-      @when_unauthorized = Rabarber::Input::Types::Proc.new(
-        callable, Rabarber::ConfigurationError, "Configuration 'when_unauthorized' must be a Proc"
-      ).process
-    end
     private
     def default_audit_trail_enabled
@@ -76,29 +56,5 @@ module Rabarber
     def default_must_have_roles
       false
     end
-    def default_when_actions_missing
-      -> (missing_actions, context) {
-        raise(Rabarber::Error, "'grant_access' method called with non-existent actions: #{missing_actions}, context: '#{context[:controller]}'")
-      }
-    end
-    def default_when_roles_missing
-      -> (missing_roles, context) {
-        delimiter = context[:action] ? "#" : ""
-        message = "'grant_access' method called with non-existent roles: #{missing_roles}, context: '#{context[:controller]}#{delimiter}#{context[:action]}'"
-        Rabarber::Logger.log(:warn, message)
-      }
-    end
-    def default_when_unauthorized
-      -> (controller) do
-        if controller.request.format.html?
-          controller.redirect_back fallback_location: controller.main_app.root_path
-        else
-          controller.head(:unauthorized)
-        end
-      end
-    end
   end
 end

data/lib/rabarber/controllers/concerns/authorization.rb CHANGED Viewed

@@ -4,6 +4,8 @@ module Rabarber
   module Authorization
     extend ActiveSupport::Concern
+    include Rabarber::Core::Roleable
     included do
       before_action :verify_access
     end
@@ -25,21 +27,17 @@ module Rabarber
     private
     def verify_access
-      Rabarber::Missing::Actions.new(self.class).handle
-      Rabarber::Missing::Roles.new(self.class).handle
+      Rabarber::Core::PermissionsIntegrityChecker.new(self.class).run! unless Rails.configuration.eager_load
-      roleable = send(Rabarber::Configuration.instance.current_user_method)
+      return if Rabarber::Core::Permissions.access_granted?(roleable_roles, self.class, action_name.to_sym, self)
-      return if Rabarber::Core::Permissions.access_granted?(
-        roleable ? roleable.roles : [], self.class, action_name.to_sym, self
-      )
+      Rabarber::Audit::Events::UnauthorizedAttempt.trigger(roleable, path: request.path)
-      Rabarber::Logger.audit(
-        :warn,
-        "[Unauthorized Attempt] #{Rabarber::Logger.roleable_identity(roleable, with_roles: true)} attempted to access '#{request.path}'"
-      )
+      when_unauthorized
+    end
-      Rabarber::Configuration.instance.when_unauthorized.call(self)
+    def when_unauthorized
+      request.format.html? ? redirect_back(fallback_location: root_path) : head(:unauthorized)
     end
   end
 end

data/lib/rabarber/core/access.rb CHANGED Viewed

@@ -9,19 +9,15 @@ module Rabarber
       end
       def controller_accessible?(roles, controller, dynamic_rule_receiver)
-        accessible_controllers(roles, dynamic_rule_receiver).any? do |accessible_controller|
-          controller <= accessible_controller
+        controller_rules.any? do |rule_controller, rule|
+          controller <= rule_controller && rule.verify_access(roles, dynamic_rule_receiver)
         end
       end
       def action_accessible?(roles, controller, action, dynamic_rule_receiver)
-        action_rules[controller].any? { |rule| rule.verify_access(roles, dynamic_rule_receiver, action) }
-      end
-      private
-      def accessible_controllers(roles, dynamic_rule_receiver)
-        controller_rules.select { |_, rule| rule.verify_access(roles, dynamic_rule_receiver) }.keys
+        action_rules[controller].any? do |rule|
+          rule.action == action && rule.verify_access(roles, dynamic_rule_receiver)
+        end
       end
     end
   end

data/lib/rabarber/core/cache.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module Rabarber
+  module Core
+    module Cache
+      extend self
+      CACHE_PREFIX = "rabarber"
+      private_constant :CACHE_PREFIX
+      def fetch(roleable_id, options = { expires_in: 1.hour, race_condition_ttl: 5.seconds }, &block)
+        enabled? ? Rails.cache.fetch(key_for(roleable_id), **options, &block) : yield
+      end
+      def delete(*roleable_ids)
+        keys = roleable_ids.map { |roleable_id| key_for(roleable_id) }
+        Rails.cache.delete_multi(keys) if enabled? && keys.any?
+      end
+      def enabled?
+        Rabarber::Configuration.instance.cache_enabled
+      end
+      def clear
+        Rails.cache.delete_matched(/^#{CACHE_PREFIX}/o)
+      end
+      private
+      def key_for(id)
+        "#{CACHE_PREFIX}:roles_#{id}"
+      end
+    end
+  end
+  module Cache
+    def clear
+      Rabarber::Core::Cache.clear
+    end
+    module_function :clear
+  end
+end

data/lib/rabarber/core/permissions.rb CHANGED Viewed

@@ -3,6 +3,8 @@
 require_relative "access"
 require_relative "rule"
+require "singleton"
 module Rabarber
   module Core
     class Permissions

data/lib/rabarber/core/permissions_integrity_checker.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+module Rabarber
+  module Core
+    class PermissionsIntegrityChecker
+      attr_reader :controller
+      def initialize(controller = nil)
+        @controller = controller
+      end
+      def run!
+        return if missing_list.empty?
+        raise(
+          Rabarber::Error,
+          "Following actions were passed to 'grant_access' method but are not defined in the controller: #{missing_list}"
+        )
+      end
+      private
+      def missing_list
+        @missing_list ||= action_rules.each_with_object([]) do |(controller, rules), arr|
+          missing_actions = rules.map(&:action) - controller.action_methods.map(&:to_sym)
+          arr << { controller => missing_actions } if missing_actions.any?
+        end
+      end
+      def action_rules
+        if controller
+          Rabarber::Core::Permissions.action_rules.slice(controller)
+        else
+          Rabarber::Core::Permissions.action_rules
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/core/roleable.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module Rabarber
+  module Core
+    module Roleable
+      def roleable
+        send(Rabarber::Configuration.instance.current_user_method)
+      end
+      def roleable_roles
+        roleable&.roles.to_a
+      end
+    end
+  end
+end

data/lib/rabarber/core/rule.rb CHANGED Viewed

@@ -12,18 +12,14 @@ module Rabarber
         @negated_dynamic_rule = negated_dynamic_rule
       end
-      def verify_access(user_roles, dynamic_rule_receiver, action_name = nil)
-        action_accessible?(action_name) && roles_permitted?(user_roles) && dynamic_rule_followed?(dynamic_rule_receiver)
+      def verify_access(roleable_roles, dynamic_rule_receiver)
+        roles_permitted?(roleable_roles) && dynamic_rule_followed?(dynamic_rule_receiver)
       end
-      def action_accessible?(action_name)
-        action_name.nil? || action_name == action
-      end
-      def roles_permitted?(user_roles)
-        return false if Rabarber::Configuration.instance.must_have_roles && user_roles.empty?
+      def roles_permitted?(roleable_roles)
+        return false if Rabarber::Configuration.instance.must_have_roles && roleable_roles.empty?
-        roles.empty? || (roles & user_roles).any?
+        roles.empty? || roles.intersection(roleable_roles).any?
       end
       def dynamic_rule_followed?(dynamic_rule_receiver)

data/lib/rabarber/helpers/helpers.rb CHANGED Viewed

@@ -2,14 +2,16 @@
 module Rabarber
   module Helpers
+    include Rabarber::Core::Roleable
     def visible_to(*roles, &block)
-      return unless send(Rabarber::Configuration.instance.current_user_method).has_role?(*roles)
+      return unless roleable_roles.intersection(Rabarber::Input::Roles.new(roles).process).any?
       capture(&block)
     end
     def hidden_from(*roles, &block)
-      return if send(Rabarber::Configuration.instance.current_user_method).has_role?(*roles)
+      return if roleable_roles.intersection(Rabarber::Input::Roles.new(roles).process).any?
       capture(&block)
     end

data/lib/rabarber/models/concerns/has_roles.rb CHANGED Viewed

@@ -15,13 +15,11 @@ module Rabarber
     end
     def roles
-      Rabarber::Cache.fetch(Rabarber::Cache.key_for(roleable_id), expires_in: 1.hour, race_condition_ttl: 5.seconds) do
-        rabarber_roles.names
-      end
+      Rabarber::Core::Cache.fetch(roleable_id) { rabarber_roles.names }
     end
     def has_role?(*role_names)
-      (roles & process_role_names(role_names)).any?
+      roles.intersection(process_role_names(role_names)).any?
     end
     def assign_roles(*role_names, create_new: true)
@@ -29,16 +27,13 @@ module Rabarber
       create_new_roles(processed_role_names) if create_new
-      roles_to_assign = Rabarber::Role.where(name: processed_role_names) - rabarber_roles
+      roles_to_assign = Rabarber::Role.where(name: processed_role_names - rabarber_roles.names)
       if roles_to_assign.any?
         delete_roleable_cache
         rabarber_roles << roles_to_assign
-        Rabarber::Logger.audit(
-          :info,
-          "[Role Assignment] #{Rabarber::Logger.roleable_identity(self, with_roles: false)} has been assigned the following roles: #{roles_to_assign.pluck(:name).map(&:to_sym)}, current roles: #{roles}"
-        )
+        Rabarber::Audit::Events::RolesAssigned.trigger(self, roles_to_assign: roles_to_assign.names, current_roles: roles)
       end
       roles
@@ -52,10 +47,7 @@ module Rabarber
         delete_roleable_cache
         self.rabarber_roles -= roles_to_revoke
-        Rabarber::Logger.audit(
-          :info,
-          "[Role Revocation] #{Rabarber::Logger.roleable_identity(self, with_roles: false)} has been revoked from the following roles: #{roles_to_revoke.pluck(:name).map(&:to_sym)}, current roles: #{roles}"
-        )
+        Rabarber::Audit::Events::RolesRevoked.trigger(self, roles_to_revoke: roles_to_revoke.names, current_roles: roles)
       end
       roles
@@ -78,7 +70,7 @@ module Rabarber
     end
     def delete_roleable_cache
-      Rabarber::Cache.delete(Rabarber::Cache.key_for(roleable_id))
+      Rabarber::Core::Cache.delete(roleable_id)
     end
     def roleable_id

data/lib/rabarber/models/role.rb CHANGED Viewed

@@ -18,8 +18,6 @@ module Rabarber
         return false if exists?(name: name)
-        delete_roles_cache
         !!create!(name: name)
       end
@@ -29,7 +27,6 @@ module Rabarber
         return false if !role || exists?(name: name) || assigned_to_roleables(role).any? && !force
-        delete_roles_cache
         delete_roleables_cache(role)
         role.update!(name: name)
@@ -40,13 +37,12 @@ module Rabarber
         return false if !role || assigned_to_roleables(role).any? && !force
-        delete_roles_cache
         delete_roleables_cache(role)
         !!role.destroy!
       end
-      def assignees_for(name)
+      def assignees(name)
         Rabarber::HasRoles.roleable_class.joins(:rabarber_roles).where(
           rabarber_roles: { name: Rabarber::Input::Role.new(name).process }
         )
@@ -54,18 +50,15 @@ module Rabarber
       private
-      def delete_roles_cache
-        Rabarber::Cache.delete(Rabarber::Cache::ALL_ROLES_KEY)
-      end
       def delete_roleables_cache(role)
-        keys = assigned_to_roleables(role).map { |roleable_id| Rabarber::Cache.key_for(roleable_id) }
-        Rabarber::Cache.delete(*keys) if keys.any?
+        Rabarber::Core::Cache.delete(*assigned_to_roleables(role))
       end
       def assigned_to_roleables(role)
         ActiveRecord::Base.connection.select_values(
-          "SELECT roleable_id FROM rabarber_roles_roleables WHERE role_id = #{role.id}"
+          ActiveRecord::Base.sanitize_sql(
+            ["SELECT roleable_id FROM rabarber_roles_roleables WHERE role_id = ?", role.id]
+          )
         )
       end

data/lib/rabarber/railtie.rb CHANGED Viewed

@@ -6,13 +6,7 @@ module Rabarber
   class Railtie < Rails::Railtie
     initializer "rabarber.after_initialize" do |app|
       app.config.after_initialize do
-        Rabarber::Missing::Actions.new.handle
-        Rabarber::Missing::Roles.new.handle if Rabarber::Role.table_exists?
-        Rabarber::Logger.log(
-          :warn,
-          "DEPRECATION WARNING: Configurations 'when_actions_missing' and 'when_roles_missing' are deprecated and will be removed in v2.0.0"
-        )
+        Rabarber::Core::PermissionsIntegrityChecker.new.run! if Rails.configuration.eager_load
       end
     end
   end

data/lib/rabarber/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Rabarber
-  VERSION = "1.4.0"
+  VERSION = "2.0.0"
 end

data/lib/rabarber.rb CHANGED Viewed

@@ -1,9 +1,6 @@
 # frozen_string_literal: true
-require "singleton"
 require_relative "rabarber/version"
-require_relative "rabarber/logger"
 require_relative "rabarber/configuration"
 require "active_record"
@@ -18,11 +15,14 @@ require_relative "rabarber/input/types/boolean"
 require_relative "rabarber/input/types/proc"
 require_relative "rabarber/input/types/symbol"
-require_relative "rabarber/missing/base"
-require_relative "rabarber/missing/actions"
-require_relative "rabarber/missing/roles"
+require_relative "rabarber/core/cache"
+require_relative "rabarber/audit/events/base"
+require_relative "rabarber/audit/events/roles_assigned"
+require_relative "rabarber/audit/events/roles_revoked"
+require_relative "rabarber/audit/events/unauthorized_attempt"
-require_relative "rabarber/cache"
+require_relative "rabarber/core/roleable"
 require_relative "rabarber/controllers/concerns/authorization"
 require_relative "rabarber/helpers/helpers"
@@ -30,12 +30,11 @@ require_relative "rabarber/models/concerns/has_roles"
 require_relative "rabarber/models/role"
 require_relative "rabarber/core/permissions"
+require_relative "rabarber/core/permissions_integrity_checker"
 require_relative "rabarber/railtie"
 module Rabarber
-  module_function
   class Error < StandardError; end
   class ConfigurationError < Rabarber::Error; end
   class InvalidArgumentError < Rabarber::Error; end
@@ -43,4 +42,5 @@ module Rabarber
   def configure
     yield(Rabarber::Configuration.instance)
   end
+  module_function :configure
 end

data/rabarber.gemspec CHANGED Viewed

@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
   spec.summary = "Simple role-based authorization library for Ruby on Rails."
   spec.homepage = "https://github.com/enjaku4/rabarber"
   spec.license = "MIT"
-  spec.required_ruby_version = ">= 3.0"
+  spec.required_ruby_version = ">= 3.0", "< 3.4"
   spec.files = [
     "rabarber.gemspec", "README.md", "CHANGELOG.md", "LICENSE.txt"
@@ -19,5 +19,5 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
-  spec.add_runtime_dependency "rails", ">= 6.1"
+  spec.add_runtime_dependency "rails", ">= 6.1", "< 7.2"
 end