RubyGems - rabarber - Versions diffs - 1.4.0 → 2.0.0 - Mend

rabarber 1.4.0 → 2.0.0

Files changed (31) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +44 -18
data/README.md +140 -76
data/lib/generators/rabarber/roles_generator.rb +2 -0
data/lib/generators/rabarber/templates/create_rabarber_roles.rb.erb +3 -3
data/lib/rabarber/audit/events/base.rb +64 -0
data/lib/rabarber/audit/events/roles_assigned.rb +35 -0
data/lib/rabarber/audit/events/roles_revoked.rb +35 -0
data/lib/rabarber/audit/events/unauthorized_attempt.rb +31 -0
data/lib/rabarber/audit/logger.rb +23 -0
data/lib/rabarber/configuration.rb +3 -47
data/lib/rabarber/controllers/concerns/authorization.rb +9 -11
data/lib/rabarber/core/access.rb +5 -9
data/lib/rabarber/core/cache.rb +42 -0
data/lib/rabarber/core/permissions.rb +2 -0
data/lib/rabarber/core/permissions_integrity_checker.rb +39 -0
data/lib/rabarber/core/roleable.rb +15 -0
data/lib/rabarber/core/rule.rb +5 -9
data/lib/rabarber/helpers/helpers.rb +4 -2
data/lib/rabarber/models/concerns/has_roles.rb +6 -14
data/lib/rabarber/models/role.rb +5 -12
data/lib/rabarber/railtie.rb +1 -7
data/lib/rabarber/version.rb +1 -1
data/lib/rabarber.rb +9 -9
data/rabarber.gemspec +2 -2
metadata +19 -7
data/lib/rabarber/cache.rb +0 -29
data/lib/rabarber/logger.rb +0 -40
data/lib/rabarber/missing/actions.rb +0 -24
data/lib/rabarber/missing/base.rb +0 -61
data/lib/rabarber/missing/roles.rb +0 -35

data/lib/rabarber/audit/events/roles_assigned.rb ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module Rabarber
+  module Audit
+    module Events
+      class RolesAssigned < Base
+        private
+        def nil_roleable_allowed?
+          false
+        end
+        def log_level
+          :info
+        end
+        def message
+          "[Role Assignment] #{identity} has been assigned the following roles: #{roles_to_assign}, current roles: #{current_roles}"
+        end
+        def identity_with_roles?
+          false
+        end
+        def roles_to_assign
+          specifics.fetch(:roles_to_assign)
+        end
+        def current_roles
+          specifics.fetch(:current_roles)
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/audit/events/roles_revoked.rb ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module Rabarber
+  module Audit
+    module Events
+      class RolesRevoked < Base
+        private
+        def nil_roleable_allowed?
+          false
+        end
+        def log_level
+          :info
+        end
+        def message
+          "[Role Revocation] #{identity} has been revoked from the following roles: #{roles_to_revoke}, current roles: #{current_roles}"
+        end
+        def identity_with_roles?
+          false
+        end
+        def roles_to_revoke
+          specifics.fetch(:roles_to_revoke)
+        end
+        def current_roles
+          specifics.fetch(:current_roles)
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/audit/events/unauthorized_attempt.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module Rabarber
+  module Audit
+    module Events
+      class UnauthorizedAttempt < Base
+        private
+        def nil_roleable_allowed?
+          true
+        end
+        def log_level
+          :warn
+        end
+        def message
+          "[Unauthorized Attempt] #{identity} attempted to access '#{path}'"
+        end
+        def identity_with_roles?
+          true
+        end
+        def path
+          specifics.fetch(:path)
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/audit/logger.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+require "singleton"
+module Rabarber
+  module Audit
+    class Logger
+      include Singleton
+      attr_reader :logger
+      def initialize
+        @logger = ::Logger.new(Rails.root.join("log/rabarber_audit.log"))
+      end
+      def self.log(log_level, message)
+        return unless Rabarber::Configuration.instance.audit_trail_enabled
+        instance.logger.public_send(log_level, message)
+      end
+    end
+  end
+end

data/lib/rabarber/configuration.rb CHANGED Viewed

@@ -1,20 +1,18 @@
 # frozen_string_literal: true
+require "singleton"
 module Rabarber
   class Configuration
     include Singleton
-    attr_reader :audit_trail_enabled, :cache_enabled, :current_user_method, :must_have_roles,
-                :when_actions_missing, :when_roles_missing, :when_unauthorized
+    attr_reader :audit_trail_enabled, :cache_enabled, :current_user_method, :must_have_roles
     def initialize
       @audit_trail_enabled = default_audit_trail_enabled
       @cache_enabled = default_cache_enabled
       @current_user_method = default_current_user_method
       @must_have_roles = default_must_have_roles
-      @when_actions_missing = default_when_actions_missing
-      @when_roles_missing = default_when_roles_missing
-      @when_unauthorized = default_when_unauthorized
     end
     def audit_trail_enabled=(value)
@@ -41,24 +39,6 @@ module Rabarber
       ).process
     end
-    def when_actions_missing=(callable)
-      @when_actions_missing = Rabarber::Input::Types::Proc.new(
-        callable, Rabarber::ConfigurationError, "Configuration 'when_actions_missing' must be a Proc"
-      ).process
-    end
-    def when_roles_missing=(callable)
-      @when_roles_missing = Rabarber::Input::Types::Proc.new(
-        callable, Rabarber::ConfigurationError, "Configuration 'when_roles_missing' must be a Proc"
-      ).process
-    end
-    def when_unauthorized=(callable)
-      @when_unauthorized = Rabarber::Input::Types::Proc.new(
-        callable, Rabarber::ConfigurationError, "Configuration 'when_unauthorized' must be a Proc"
-      ).process
-    end
     private
     def default_audit_trail_enabled
@@ -76,29 +56,5 @@ module Rabarber
     def default_must_have_roles
       false
     end
-    def default_when_actions_missing
-      -> (missing_actions, context) {
-        raise(Rabarber::Error, "'grant_access' method called with non-existent actions: #{missing_actions}, context: '#{context[:controller]}'")
-      }
-    end
-    def default_when_roles_missing
-      -> (missing_roles, context) {
-        delimiter = context[:action] ? "#" : ""
-        message = "'grant_access' method called with non-existent roles: #{missing_roles}, context: '#{context[:controller]}#{delimiter}#{context[:action]}'"
-        Rabarber::Logger.log(:warn, message)
-      }
-    end
-    def default_when_unauthorized
-      -> (controller) do
-        if controller.request.format.html?
-          controller.redirect_back fallback_location: controller.main_app.root_path
-        else
-          controller.head(:unauthorized)
-        end
-      end
-    end
   end
 end

data/lib/rabarber/controllers/concerns/authorization.rb CHANGED Viewed

@@ -4,6 +4,8 @@ module Rabarber
   module Authorization
     extend ActiveSupport::Concern
+    include Rabarber::Core::Roleable
     included do
       before_action :verify_access
     end
@@ -25,21 +27,17 @@ module Rabarber
     private
     def verify_access
-      Rabarber::Missing::Actions.new(self.class).handle
-      Rabarber::Missing::Roles.new(self.class).handle
+      Rabarber::Core::PermissionsIntegrityChecker.new(self.class).run! unless Rails.configuration.eager_load
-      roleable = send(Rabarber::Configuration.instance.current_user_method)
+      return if Rabarber::Core::Permissions.access_granted?(roleable_roles, self.class, action_name.to_sym, self)
-      return if Rabarber::Core::Permissions.access_granted?(
-        roleable ? roleable.roles : [], self.class, action_name.to_sym, self
-      )
+      Rabarber::Audit::Events::UnauthorizedAttempt.trigger(roleable, path: request.path)
-      Rabarber::Logger.audit(
-        :warn,
-        "[Unauthorized Attempt] #{Rabarber::Logger.roleable_identity(roleable, with_roles: true)} attempted to access '#{request.path}'"
-      )
+      when_unauthorized
+    end
-      Rabarber::Configuration.instance.when_unauthorized.call(self)
+    def when_unauthorized
+      request.format.html? ? redirect_back(fallback_location: root_path) : head(:unauthorized)
     end
   end
 end

data/lib/rabarber/core/access.rb CHANGED Viewed

@@ -9,19 +9,15 @@ module Rabarber
       end
       def controller_accessible?(roles, controller, dynamic_rule_receiver)
-        accessible_controllers(roles, dynamic_rule_receiver).any? do |accessible_controller|
-          controller <= accessible_controller
+        controller_rules.any? do |rule_controller, rule|
+          controller <= rule_controller && rule.verify_access(roles, dynamic_rule_receiver)
         end
       end
       def action_accessible?(roles, controller, action, dynamic_rule_receiver)
-        action_rules[controller].any? { |rule| rule.verify_access(roles, dynamic_rule_receiver, action) }
-      end
-      private
-      def accessible_controllers(roles, dynamic_rule_receiver)
-        controller_rules.select { |_, rule| rule.verify_access(roles, dynamic_rule_receiver) }.keys
+        action_rules[controller].any? do |rule|
+          rule.action == action && rule.verify_access(roles, dynamic_rule_receiver)
+        end
       end
     end
   end

data/lib/rabarber/core/cache.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module Rabarber
+  module Core
+    module Cache
+      extend self
+      CACHE_PREFIX = "rabarber"
+      private_constant :CACHE_PREFIX
+      def fetch(roleable_id, options = { expires_in: 1.hour, race_condition_ttl: 5.seconds }, &block)
+        enabled? ? Rails.cache.fetch(key_for(roleable_id), **options, &block) : yield
+      end
+      def delete(*roleable_ids)
+        keys = roleable_ids.map { |roleable_id| key_for(roleable_id) }
+        Rails.cache.delete_multi(keys) if enabled? && keys.any?
+      end
+      def enabled?
+        Rabarber::Configuration.instance.cache_enabled
+      end
+      def clear
+        Rails.cache.delete_matched(/^#{CACHE_PREFIX}/o)
+      end
+      private
+      def key_for(id)
+        "#{CACHE_PREFIX}:roles_#{id}"
+      end
+    end
+  end
+  module Cache
+    def clear
+      Rabarber::Core::Cache.clear
+    end
+    module_function :clear
+  end
+end

data/lib/rabarber/core/permissions.rb CHANGED Viewed

@@ -3,6 +3,8 @@
 require_relative "access"
 require_relative "rule"
+require "singleton"
 module Rabarber
   module Core
     class Permissions

data/lib/rabarber/core/permissions_integrity_checker.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+module Rabarber
+  module Core
+    class PermissionsIntegrityChecker
+      attr_reader :controller
+      def initialize(controller = nil)
+        @controller = controller
+      end
+      def run!
+        return if missing_list.empty?
+        raise(
+          Rabarber::Error,
+          "Following actions were passed to 'grant_access' method but are not defined in the controller: #{missing_list}"
+        )
+      end
+      private
+      def missing_list
+        @missing_list ||= action_rules.each_with_object([]) do |(controller, rules), arr|
+          missing_actions = rules.map(&:action) - controller.action_methods.map(&:to_sym)
+          arr << { controller => missing_actions } if missing_actions.any?
+        end
+      end
+      def action_rules
+        if controller
+          Rabarber::Core::Permissions.action_rules.slice(controller)
+        else
+          Rabarber::Core::Permissions.action_rules
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/core/roleable.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module Rabarber
+  module Core
+    module Roleable
+      def roleable
+        send(Rabarber::Configuration.instance.current_user_method)
+      end
+      def roleable_roles
+        roleable&.roles.to_a
+      end
+    end
+  end
+end

data/lib/rabarber/core/rule.rb CHANGED Viewed

@@ -12,18 +12,14 @@ module Rabarber
         @negated_dynamic_rule = negated_dynamic_rule
       end
-      def verify_access(user_roles, dynamic_rule_receiver, action_name = nil)
-        action_accessible?(action_name) && roles_permitted?(user_roles) && dynamic_rule_followed?(dynamic_rule_receiver)
+      def verify_access(roleable_roles, dynamic_rule_receiver)
+        roles_permitted?(roleable_roles) && dynamic_rule_followed?(dynamic_rule_receiver)
       end
-      def action_accessible?(action_name)
-        action_name.nil? || action_name == action
-      end
-      def roles_permitted?(user_roles)
-        return false if Rabarber::Configuration.instance.must_have_roles && user_roles.empty?
+      def roles_permitted?(roleable_roles)
+        return false if Rabarber::Configuration.instance.must_have_roles && roleable_roles.empty?
-        roles.empty? || (roles & user_roles).any?
+        roles.empty? || roles.intersection(roleable_roles).any?
       end
       def dynamic_rule_followed?(dynamic_rule_receiver)

data/lib/rabarber/helpers/helpers.rb CHANGED Viewed

@@ -2,14 +2,16 @@
 module Rabarber
   module Helpers
+    include Rabarber::Core::Roleable
     def visible_to(*roles, &block)
-      return unless send(Rabarber::Configuration.instance.current_user_method).has_role?(*roles)
+      return unless roleable_roles.intersection(Rabarber::Input::Roles.new(roles).process).any?
       capture(&block)
     end
     def hidden_from(*roles, &block)
-      return if send(Rabarber::Configuration.instance.current_user_method).has_role?(*roles)
+      return if roleable_roles.intersection(Rabarber::Input::Roles.new(roles).process).any?
       capture(&block)
     end

data/lib/rabarber/models/concerns/has_roles.rb CHANGED Viewed

@@ -15,13 +15,11 @@ module Rabarber
     end
     def roles
-      Rabarber::Cache.fetch(Rabarber::Cache.key_for(roleable_id), expires_in: 1.hour, race_condition_ttl: 5.seconds) do
-        rabarber_roles.names
-      end
+      Rabarber::Core::Cache.fetch(roleable_id) { rabarber_roles.names }
     end
     def has_role?(*role_names)
-      (roles & process_role_names(role_names)).any?
+      roles.intersection(process_role_names(role_names)).any?
     end
     def assign_roles(*role_names, create_new: true)
@@ -29,16 +27,13 @@ module Rabarber
       create_new_roles(processed_role_names) if create_new
-      roles_to_assign = Rabarber::Role.where(name: processed_role_names) - rabarber_roles
+      roles_to_assign = Rabarber::Role.where(name: processed_role_names - rabarber_roles.names)
       if roles_to_assign.any?
         delete_roleable_cache
         rabarber_roles << roles_to_assign
-        Rabarber::Logger.audit(
-          :info,
-          "[Role Assignment] #{Rabarber::Logger.roleable_identity(self, with_roles: false)} has been assigned the following roles: #{roles_to_assign.pluck(:name).map(&:to_sym)}, current roles: #{roles}"
-        )
+        Rabarber::Audit::Events::RolesAssigned.trigger(self, roles_to_assign: roles_to_assign.names, current_roles: roles)
       end
       roles
@@ -52,10 +47,7 @@ module Rabarber
         delete_roleable_cache
         self.rabarber_roles -= roles_to_revoke
-        Rabarber::Logger.audit(
-          :info,
-          "[Role Revocation] #{Rabarber::Logger.roleable_identity(self, with_roles: false)} has been revoked from the following roles: #{roles_to_revoke.pluck(:name).map(&:to_sym)}, current roles: #{roles}"
-        )
+        Rabarber::Audit::Events::RolesRevoked.trigger(self, roles_to_revoke: roles_to_revoke.names, current_roles: roles)
       end
       roles
@@ -78,7 +70,7 @@ module Rabarber
     end
     def delete_roleable_cache
-      Rabarber::Cache.delete(Rabarber::Cache.key_for(roleable_id))
+      Rabarber::Core::Cache.delete(roleable_id)
     end
     def roleable_id

data/lib/rabarber/models/role.rb CHANGED Viewed

@@ -18,8 +18,6 @@ module Rabarber
         return false if exists?(name: name)
-        delete_roles_cache
         !!create!(name: name)
       end
@@ -29,7 +27,6 @@ module Rabarber
         return false if !role || exists?(name: name) || assigned_to_roleables(role).any? && !force
-        delete_roles_cache
         delete_roleables_cache(role)
         role.update!(name: name)
@@ -40,13 +37,12 @@ module Rabarber
         return false if !role || assigned_to_roleables(role).any? && !force
-        delete_roles_cache
         delete_roleables_cache(role)
         !!role.destroy!
       end
-      def assignees_for(name)
+      def assignees(name)
         Rabarber::HasRoles.roleable_class.joins(:rabarber_roles).where(
           rabarber_roles: { name: Rabarber::Input::Role.new(name).process }
         )
@@ -54,18 +50,15 @@ module Rabarber
       private
-      def delete_roles_cache
-        Rabarber::Cache.delete(Rabarber::Cache::ALL_ROLES_KEY)
-      end
       def delete_roleables_cache(role)
-        keys = assigned_to_roleables(role).map { |roleable_id| Rabarber::Cache.key_for(roleable_id) }
-        Rabarber::Cache.delete(*keys) if keys.any?
+        Rabarber::Core::Cache.delete(*assigned_to_roleables(role))
       end
       def assigned_to_roleables(role)
         ActiveRecord::Base.connection.select_values(
-          "SELECT roleable_id FROM rabarber_roles_roleables WHERE role_id = #{role.id}"
+          ActiveRecord::Base.sanitize_sql(
+            ["SELECT roleable_id FROM rabarber_roles_roleables WHERE role_id = ?", role.id]
+          )
         )
       end

data/lib/rabarber/railtie.rb CHANGED Viewed

@@ -6,13 +6,7 @@ module Rabarber
   class Railtie < Rails::Railtie
     initializer "rabarber.after_initialize" do |app|
       app.config.after_initialize do
-        Rabarber::Missing::Actions.new.handle
-        Rabarber::Missing::Roles.new.handle if Rabarber::Role.table_exists?
-        Rabarber::Logger.log(
-          :warn,
-          "DEPRECATION WARNING: Configurations 'when_actions_missing' and 'when_roles_missing' are deprecated and will be removed in v2.0.0"
-        )
+        Rabarber::Core::PermissionsIntegrityChecker.new.run! if Rails.configuration.eager_load
       end
     end
   end

data/lib/rabarber/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Rabarber
-  VERSION = "1.4.0"
+  VERSION = "2.0.0"
 end

data/lib/rabarber.rb CHANGED Viewed

@@ -1,9 +1,6 @@
 # frozen_string_literal: true
-require "singleton"
 require_relative "rabarber/version"
-require_relative "rabarber/logger"
 require_relative "rabarber/configuration"
 require "active_record"
@@ -18,11 +15,14 @@ require_relative "rabarber/input/types/boolean"
 require_relative "rabarber/input/types/proc"
 require_relative "rabarber/input/types/symbol"
-require_relative "rabarber/missing/base"
-require_relative "rabarber/missing/actions"
-require_relative "rabarber/missing/roles"
+require_relative "rabarber/core/cache"
+require_relative "rabarber/audit/events/base"
+require_relative "rabarber/audit/events/roles_assigned"
+require_relative "rabarber/audit/events/roles_revoked"
+require_relative "rabarber/audit/events/unauthorized_attempt"
-require_relative "rabarber/cache"
+require_relative "rabarber/core/roleable"
 require_relative "rabarber/controllers/concerns/authorization"
 require_relative "rabarber/helpers/helpers"
@@ -30,12 +30,11 @@ require_relative "rabarber/models/concerns/has_roles"
 require_relative "rabarber/models/role"
 require_relative "rabarber/core/permissions"
+require_relative "rabarber/core/permissions_integrity_checker"
 require_relative "rabarber/railtie"
 module Rabarber
-  module_function
   class Error < StandardError; end
   class ConfigurationError < Rabarber::Error; end
   class InvalidArgumentError < Rabarber::Error; end
@@ -43,4 +42,5 @@ module Rabarber
   def configure
     yield(Rabarber::Configuration.instance)
   end
+  module_function :configure
 end

data/rabarber.gemspec CHANGED Viewed

@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
   spec.summary = "Simple role-based authorization library for Ruby on Rails."
   spec.homepage = "https://github.com/enjaku4/rabarber"
   spec.license = "MIT"
-  spec.required_ruby_version = ">= 3.0"
+  spec.required_ruby_version = ">= 3.0", "< 3.4"
   spec.files = [
     "rabarber.gemspec", "README.md", "CHANGELOG.md", "LICENSE.txt"
@@ -19,5 +19,5 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
-  spec.add_runtime_dependency "rails", ">= 6.1"
+  spec.add_runtime_dependency "rails", ">= 6.1", "< 7.2"
 end