RubyGems - rails-acu - Versions diffs - 1.2.1 - Mend

rails-acu 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (117) hide show

checksums.yaml +7 -0
data/.gitignore +8 -0
data/.project +18 -0
data/.rspec +3 -0
data/.travis.yml +30 -0
data/Gemfile +30 -0
data/Gemfile.lock +169 -0
data/MIT-LICENSE +20 -0
data/README.md +221 -0
data/Rakefile +26 -0
data/bin/rails +13 -0
data/lib/acu/configs.rb +30 -0
data/lib/acu/engine.rb +9 -0
data/lib/acu/errors.rb +37 -0
data/lib/acu/helpers/helpers.rb +9 -0
data/lib/acu/injectors.rb +15 -0
data/lib/acu/listeners.rb +18 -0
data/lib/acu/monitor.rb +201 -0
data/lib/acu/rules.rb +134 -0
data/lib/acu/utilities.rb +14 -0
data/lib/acu/version.rb +3 -0
data/lib/generators/acu/install_generator.rb +20 -0
data/lib/generators/templates/rules.rb +34 -0
data/lib/generators/templates/setup.rb +30 -0
data/lib/rails-acu.rb +26 -0
data/rails-acu-1.2.0.gem +0 -0
data/rails-acu.gemspec +23 -0
data/spec/dummy/Rakefile +6 -0
data/spec/dummy/app/assets/config/manifest.js +5 -0
data/spec/dummy/app/assets/javascripts/admin/manage.js +2 -0
data/spec/dummy/app/assets/javascripts/application.js +15 -0
data/spec/dummy/app/assets/javascripts/books.js +2 -0
data/spec/dummy/app/assets/javascripts/cable.js +12 -0
data/spec/dummy/app/assets/javascripts/comments.js +2 -0
data/spec/dummy/app/assets/javascripts/home.js +2 -0
data/spec/dummy/app/assets/stylesheets/admin/manage.css +4 -0
data/spec/dummy/app/assets/stylesheets/application.css +15 -0
data/spec/dummy/app/assets/stylesheets/books.css +4 -0
data/spec/dummy/app/assets/stylesheets/comments.css +4 -0
data/spec/dummy/app/assets/stylesheets/home.css +4 -0
data/spec/dummy/app/assets/stylesheets/scaffold.css +84 -0
data/spec/dummy/app/channels/application_cable/channel.rb +4 -0
data/spec/dummy/app/channels/application_cable/connection.rb +4 -0
data/spec/dummy/app/controllers/admin/manage_controller.rb +19 -0
data/spec/dummy/app/controllers/application_controller.rb +4 -0
data/spec/dummy/app/controllers/home_controller.rb +7 -0
data/spec/dummy/app/helpers/admin/manage_helper.rb +2 -0
data/spec/dummy/app/helpers/application_helper.rb +2 -0
data/spec/dummy/app/helpers/home_helper.rb +2 -0
data/spec/dummy/app/jobs/application_job.rb +2 -0
data/spec/dummy/app/mailers/application_mailer.rb +4 -0
data/spec/dummy/app/models/application_record.rb +3 -0
data/spec/dummy/app/models/user.rb +8 -0
data/spec/dummy/app/models/user_type.rb +3 -0
data/spec/dummy/app/views/admin/manage/add.html.erb +2 -0
data/spec/dummy/app/views/admin/manage/delete.html.erb +2 -0
data/spec/dummy/app/views/admin/manage/index.html.erb +2 -0
data/spec/dummy/app/views/admin/manage/list.html.erb +2 -0
data/spec/dummy/app/views/admin/manage/prove.html.erb +2 -0
data/spec/dummy/app/views/admin/manage/show.html.erb +2 -0
data/spec/dummy/app/views/home/contact.html.erb +2 -0
data/spec/dummy/app/views/home/index.html.erb +21 -0
data/spec/dummy/app/views/layouts/application.html.erb +14 -0
data/spec/dummy/app/views/layouts/mailer.html.erb +13 -0
data/spec/dummy/app/views/layouts/mailer.text.erb +1 -0
data/spec/dummy/bin/bundle +3 -0
data/spec/dummy/bin/rails +4 -0
data/spec/dummy/bin/rake +4 -0
data/spec/dummy/bin/setup +34 -0
data/spec/dummy/bin/update +29 -0
data/spec/dummy/config.ru +5 -0
data/spec/dummy/config/application.rb +23 -0
data/spec/dummy/config/boot.rb +5 -0
data/spec/dummy/config/cable.yml +9 -0
data/spec/dummy/config/database.yml +25 -0
data/spec/dummy/config/environment.rb +5 -0
data/spec/dummy/config/environments/development.rb +54 -0
data/spec/dummy/config/environments/production.rb +86 -0
data/spec/dummy/config/environments/test.rb +42 -0
data/spec/dummy/config/initializers/acu_rules.rb +31 -0
data/spec/dummy/config/initializers/acu_setup.rb +14 -0
data/spec/dummy/config/initializers/application_controller_renderer.rb +6 -0
data/spec/dummy/config/initializers/assets.rb +11 -0
data/spec/dummy/config/initializers/backtrace_silencers.rb +7 -0
data/spec/dummy/config/initializers/cookies_serializer.rb +5 -0
data/spec/dummy/config/initializers/devise.rb +277 -0
data/spec/dummy/config/initializers/filter_parameter_logging.rb +4 -0
data/spec/dummy/config/initializers/inflections.rb +16 -0
data/spec/dummy/config/initializers/mime_types.rb +4 -0
data/spec/dummy/config/initializers/new_framework_defaults.rb +24 -0
data/spec/dummy/config/initializers/session_store.rb +3 -0
data/spec/dummy/config/initializers/wrap_parameters.rb +14 -0
data/spec/dummy/config/locales/devise.en.yml +64 -0
data/spec/dummy/config/locales/en.yml +23 -0
data/spec/dummy/config/puma.rb +47 -0
data/spec/dummy/config/routes.rb +19 -0
data/spec/dummy/config/secrets.yml +22 -0
data/spec/dummy/config/spring.rb +6 -0
data/spec/dummy/db/migrate/20170329111257_create_books.rb +9 -0
data/spec/dummy/db/migrate/20170329111323_create_comments.rb +10 -0
data/spec/dummy/db/migrate/20170329114943_devise_create_users.rb +42 -0
data/spec/dummy/db/migrate/20170329120950_create_admin_user_types.rb +15 -0
data/spec/dummy/db/migrate/20170329121612_add_user_type_id_to_users.rb +5 -0
data/spec/dummy/db/schema.rb +59 -0
data/spec/dummy/db/seeds.rb +39 -0
data/spec/dummy/public/404.html +67 -0
data/spec/dummy/public/422.html +67 -0
data/spec/dummy/public/500.html +66 -0
data/spec/dummy/public/apple-touch-icon-precomposed.png +0 -0
data/spec/dummy/public/apple-touch-icon.png +0 -0
data/spec/dummy/public/favicon.ico +0 -0
data/spec/dummy/spec/controllers/admin/manage_controller_spec.rb +72 -0
data/spec/dummy/spec/controllers/application_controller_spec.rb +14 -0
data/spec/dummy/spec/controllers/home_controller_spec.rb +560 -0
data/spec/rails_helper.rb +59 -0
data/spec/spec_helper.rb +104 -0
metadata +268 -0

data/spec/dummy/public/500.html ADDED

@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <div>
+      <h1>We're sorry, but something went wrong.</h1>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/spec/dummy/public/apple-touch-icon-precomposed.png ADDED

File without changes

data/spec/dummy/public/apple-touch-icon.png ADDED

File without changes

data/spec/dummy/public/favicon.ico ADDED

File without changes

data/spec/dummy/spec/controllers/admin/manage_controller_spec.rb ADDED

@@ -0,0 +1,72 @@
+require 'rails_helper'
+RSpec.describe Admin::ManageController, type: :controller do
+  before(:each) {
+    # reset rules
+    Acu::Rules.reset
+    # reset configs
+    Acu.setup do |config|
+      config.base_controller  = :ApplicationController
+      config.allow_by_default = false
+      config.audit_log_file   = '/tmp/acu-rspec.log'
+    end
+  }
+  it "should work with namespaces" do
+    Acu::Rules.define do
+      whois :everyone { true }
+      allow :everyone
+    end
+    get :index
+    Acu::Rules.define do
+      namespace do
+        controller :home do
+          deny :everyone, on: [:index, :contact]
+        end
+      end
+    end
+    # we filtered the default namespace not this
+    get :index
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+    Acu::Rules.define do
+      namespace :admin, except: [:posts] do
+        deny :everyone, on: [:show, :list]
+      end
+      namespace :admin, only: [:manage] do
+        deny :everyone, on: [:index]
+      end
+    end
+    expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+    expect {get :show}.to raise_error(Acu::Errors::AccessDenied)
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="show".*as `:everyone`/
+    expect {get :list}.to raise_error(Acu::Errors::AccessDenied)
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="list".*as `:everyone`/
+  end
+  it '[local-global & args]' do
+    Acu::Rules.define do
+      whois :admin, args: [:c] { |c| c == :admin }
+      whois :client, args: [:c] { |c| c == :client }
+      namespace :admin do
+        allow :admin
+        controller :manage, only: [:show] do
+          allow :client
+        end
+      end
+    end
+    Acu::Monitor.by c: :admin
+    get :index
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:admin`/
+    Acu::Monitor.by c: :client
+    expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+    expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+    [:client, :admin].each do |cc|
+      Acu::Monitor.by c: cc
+      get :show
+    end
+  end
+end

data/spec/dummy/spec/controllers/application_controller_spec.rb ADDED

@@ -0,0 +1,14 @@
+require 'rails_helper'
+RSpec.describe ApplicationController, type: :controller do
+  context 'database' do
+    it 'validate database' do
+      expect(User.count).to be 10
+      expect(UserType.count).to be 10
+      User.all.each do |u|
+        expect(u.user_type).not_to be_nil
+        expect(u.user_type.id == u.id).to be true
+      end
+    end
+  end
+end

data/spec/dummy/spec/controllers/home_controller_spec.rb ADDED

@@ -0,0 +1,560 @@
+require 'rails_helper'
+RSpec.describe HomeController, type: :controller do
+  before(:each) {
+    # reset rules
+    Acu::Rules.reset
+    # reset configs
+    Acu.setup do |config|
+      config.base_controller  = :ApplicationController
+      config.allow_by_default = false
+      config.audit_log_file   = '/tmp/acu-rspec.log'
+      config.use_cache = false
+      config.cache_namespace = 'acu'
+      config.cache_expires_in = nil
+      config.cache_race_condition_ttl = nil
+    end
+  }
+  def setup **kwargs
+    kwargs.each do |k, v|
+      Acu.setup { |c| eval("c.#{k} = #{v}") }
+    end
+  end
+  context 'Acu::Config' do
+    it '.base_controller' do
+      setup base_controller: ":FooBarController"
+      expect {get :index}.to raise_error(NameError)
+    end
+    it '.allow_by_default = false' do
+      expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+    end
+    it '.allow_by_default = true' do
+      begin
+        setup allow_by_default: true
+        get :index
+      rescue Acu::Errors::AccessDenied
+        fail "didn't expect to get Acu::Errors::AccessDenied, but got one!"
+      end
+    end
+    it '.audit_log_file' do
+      setup audit_log_file: "'/tmp/acu-rspec.log'"
+      expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+      expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to .* \[autherized by :allow_by_default\]/
+      setup allow_by_default: true
+      get :index
+      expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to .* \[autherized by :allow_by_default\]/
+    end
+  end
+  context "Acu::Rules" do
+    context "[globals]" do
+      it "[single rule]" do
+        Acu::Rules.define do
+          whois :everyone { true }
+          allow :everyone
+        end
+        get :index
+      end
+      it "[multiple rules]" do
+        Acu::Rules.define do
+          whois :everyone { true }
+          whois :client { true }
+          allow :everyone
+          allow :client
+        end
+        expect(Acu::Rules.rules.length).to be 1
+        expect(Acu::Rules.rules[{}].length).to be 2
+        get :index
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone, :client`/
+      end
+      it "{ one of rules failed = AccessDenied }" do
+        Acu::Rules.define do
+          whois :everyone { true }
+          whois :client { true }
+          # every request is :everyone
+          allow :everyone
+          # every reqyest is also :client
+          deny :client
+        end
+        expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone, :client`/
+        Acu::Rules.define do
+          whois :client { false }
+          # every reqyest is also :client
+          deny :client
+        end
+        get :index
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+      end
+    end
+    context "[levels]" do
+      context "[namespace]" do
+        it "[default]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            whois :client { false }
+            namespace do
+              allow :everyone
+            end
+          end
+          get :index
+          Acu::Rules.define do
+            namespace do
+              deny :everyone
+            end
+          end
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          Acu::Rules.define do
+            namespace do
+              allow :everyone
+            end
+            namespace :FooBar do
+              deny :everyone
+            end
+          end
+          get :index
+        end
+        it "[default & global]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            whois :client { false }
+            namespace do
+              allow :everyone
+            end
+            deny :everyone
+          end
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+        end
+        it "[with only]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace only: [:home] do
+              allow :everyone
+            end
+          end
+          get :index
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          Acu::Rules.define do
+            whois :everyone { true }
+            # override previous one
+            namespace only: [:home] do
+              deny :everyone
+            end
+            namespace only: [:foobar] do
+              allow :everyone
+            end
+          end
+          # by override
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+        end
+        it "[with except]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace except: [:home] do
+              allow :everyone
+            end
+          end
+          # by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to .* \[autherized by :allow_by_default\]/
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace except: [:foobar] do
+              allow :everyone
+            end
+          end
+          get :index
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+        end
+      end
+      context "[controller]" do
+        it "[solo]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            controller :home do
+            end
+          end
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          Acu::Rules.define do
+            controller :home do
+              allow :everyone
+            end
+          end
+          get :index
+        end
+        it "[with only]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            controller :home, only: [:contact] do
+            end
+          end
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+          Acu::Rules.define do
+            controller :home, only: [:contact] do
+              allow :everyone
+            end
+          end
+          get :contact
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          # the rules won't override with above, this will give us the needed flexibility for multi-dimentional rules
+          Acu::Rules.define do
+            controller :home, only: [:index] do
+              allow :everyone
+            end
+          end
+          get :index
+          get :contact
+          Acu::Rules.define do
+            controller :home, only: [:index] do
+              deny :everyone
+            end
+          end
+          get :contact
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+        end
+        it "[with except]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            controller :home, except: [:contact] do
+            end
+          end
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          Acu::Rules.define do
+            controller :home, except: [:contact] do
+              allow :everyone
+            end
+          end
+          get :index
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          # this will override the previous excepts
+          Acu::Rules.define do
+            controller :home, only: [:index] do
+              deny :everyone
+            end
+          end
+          # we have rule for this
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          # and this is by detailt
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+        end
+      end
+      context "[action]" do
+        it "[parent: namespace]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace do
+              action :index   { allow :everyone }
+              action :contact { allow :everyone }
+            end
+          end
+          get :index
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          get :contact
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone`/
+          Acu::Rules.define do
+            namespace do
+              action :index   { allow :everyone }
+              action :contact { deny :everyone }
+            end
+          end
+          get :index
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*as `:everyone`/
+        end
+        it "[parent: controller]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            controller :home do
+            end
+          end
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          Acu::Rules.define do
+            controller :home do
+              action :contact { allow :everyone }
+            end
+          end
+          get :contact
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          Acu::Rules.define do
+            controller :home do
+              action :index { allow :everyone }
+              action :contact { deny :everyone }
+            end
+          end
+          get :index
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+        end
+        it "[parent: namespace, controller]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace do
+              controller :home do
+              end
+            end
+          end
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          Acu::Rules.define do
+            namespace do
+              controller :home do
+                action :contact { allow :everyone }
+              end
+            end
+          end
+          get :contact
+          # deny by default
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          Acu::Rules.define do
+            namespace do
+              controller :home do
+                action :index { allow :everyone }
+                action :contact { deny :everyone }
+              end
+            end
+          end
+          get :index
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          # reset to change namespace
+          Acu::Rules.reset
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace :foobar do
+              controller :home do
+                action :index { allow :everyone }
+                action :contact { deny :everyone }
+              end
+            end
+          end
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+        end
+        it '[local-global]' do
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace do
+              allow :everyone
+              controller :home, only: [:index] do
+                deny :everyone
+              end
+            end
+          end
+          get :contact
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone`/
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+        end
+      end
+      context "[allow/deny]" do
+        it "[allow]" do
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*\[autherized by :allow_by_default\]/
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*\[autherized by :allow_by_default\]/
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace do
+              controller :home do
+                allow :everyone, on: [:index, :contact]
+              end
+            end
+          end
+          get :index
+          get :contact
+        end
+        it "[deny]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            allow :everyone
+          end
+          get :index
+          get :contact
+          Acu::Rules.define do
+            whois :everyone { true }
+            namespace do
+              controller :home do
+                deny :everyone, on: [:index, :contact]
+              end
+            end
+          end
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone`/
+          expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="contact".*as `:everyone`/
+        end
+        it "[bulk settings]" do
+          Acu::Rules.define do
+            whois :everyone { true }
+            whois :client { false }
+            namespace do
+              controller :home do
+                allow [:everyone, :client], on: [:index, :contact]
+              end
+            end
+          end
+          get :index
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone`/
+          get :contact
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone`/
+          Acu::Rules.define { whois :client { true } }
+          get :index
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="index".*as `:everyone, :client`/
+          get :contact
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone, :client`/
+          Acu::Rules.define do
+            namespace do
+              controller :home do
+                action :index { deny [:everyone, :client] }
+              end
+            end
+          end
+          expect {get :index}.to raise_error(Acu::Errors::AccessDenied)
+          # the first rule that failed is going to mention
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access DENIED to.*action="index".*as `:everyone, :client`/
+          get :contact
+          expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /access GRANTED to.*action="contact".*as `:everyone, :client`/
+        end
+      end
+    end
+  end
+  context "Acu::Helpers" do
+    it "acu_is?" do
+      Acu::Rules.define do
+        whois :everyone { true }
+        whois :client { false }
+      end
+      expect(acu_is? :everyone).to be true
+      expect(acu_is? :client).to be false
+    end
+    it "acu_do" do
+      Acu::Rules.define do
+        whois :everyone { true }
+        whois :client { false }
+      end
+      acu_as :everyone do
+        # a valid syntax
+        expect(false).not_to be true
+      end
+      acu_as :client do
+        # an invalid syntax, this should never run
+        expect(true).to be false
+      end
+      # the :everyone should get true
+      acu_as [:client, :everyone] do
+        expect(acu_is? :everyone).to be true
+      end
+    end
+  end
+  context 'caching' do
+    it '[Rails.cache]' do
+      # make we didn't used the caching until now!
+      expect(Acu::Configs.get :use_cache).to be false
+      Rails.cache.delete :FooBar
+      expect(Rails.cache.exist? :FooBar).to be false
+      Rails.cache.write :FooBar, __FILE__
+      expect(Rails.cache.exist? :FooBar).to be true
+    end
+    it '[caches?]' do
+      Acu::Rules.define do
+        whois :everyone { true }
+        namespace do
+          controller :home do
+            action :index { allow :everyone }
+            action :contact { deny :everyone }
+          end
+        end
+      end
+      # it shouldn't use cache because we haven't told it yet
+      5.times do
+        get :index
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\] access GRANTED to.*action="index".*as `:everyone`/
+        expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\] access DENIED to.*action="contact".*as `:everyone`/
+      end
+      setup use_cache: true
+      Acu::Monitor.clear_cache
+      # make intial accesses, and cache
+      get :index
+      expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+      # both request should be ruled by cache now!
+      5.times do
+        get :index
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\]\[c\] access GRANTED to.*action="index".*as `:everyone`/
+        expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\]\[c\] access DENIED to.*action="contact".*as `:everyone`/
+      end
+    end
+    it '[maintains cache]' do
+      setup use_cache: true
+      Acu::Rules.define do
+        whois :everyone { true }
+        namespace do
+          controller :home do
+            action :index { allow :everyone }
+            action :contact { deny :everyone }
+          end
+        end
+      end
+      5.times do
+        get :index
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[-\]\[c\] access GRANTED to.*action="index".*as `:everyone`/
+        expect {get :contact}.to raise_error(Acu::Errors::AccessDenied)
+        expect(`tail -n 1 #{Acu::Configs.get :audit_log_file}`).to match /\[x\]\[c\] access DENIED to.*action="contact".*as `:everyone`/
+      end
+    end
+  end
+end