rails-acu 1.2.1

data/Rakefile

@@ -0,0 +1,26 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Acu'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+load 'rails/tasks/statistics.rake'
+
+
+
+require 'bundler/gem_tasks'
+

data/bin/rails

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails gems
+# installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path('../..', __FILE__)
+ENGINE_PATH = File.expand_path('../../lib/acu/engine', __FILE__)
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+
+require 'rails/all'
+require 'rails/engine/commands'

data/lib/acu/configs.rb

@@ -0,0 +1,30 @@
+module Acu
+  module Configs
+
+    mattr_accessor :base_controller
+    @@base_controller = 'ApplicationController'
+
+    mattr_accessor :allow_by_default
+    @@allow_by_default = false
+
+    mattr_accessor :audit_log_file
+    @@audit_log_file = nil
+
+    mattr_accessor :use_cache
+    @@use_cache = false
+
+    mattr_accessor :cache_namespace
+    @@cache_namespace = 'acu'
+
+    mattr_accessor :cache_expires_in
+    @@cache_expires_in = nil
+
+    mattr_accessor :cache_race_condition_ttl
+    @@cache_race_condition_ttl = nil
+
+    # for getting options
+    def self.get name
+      eval("@@#{name}")
+    end
+  end
+end

data/lib/acu/engine.rb

@@ -0,0 +1,9 @@
+module Acu
+  class Engine < ::Rails::Engine
+    isolate_namespace Acu
+
+    config.generators do |g|
+      g.test_framework :rspec
+    end
+  end
+end

data/lib/acu/errors.rb

@@ -0,0 +1,37 @@
+module Acu
+  module Errors
+
+    class AccessDenied < StandardError
+    end
+
+    class UncheckedPermissions < StandardError
+    end
+
+    class InvalidSyntax < StandardError
+    end
+
+    class AmbiguousRule < StandardError
+    end
+
+    class InvalidData < StandardError
+    end
+
+    class MissingData < InvalidData
+    end
+
+    class MissingEntity < MissingData
+    end
+
+    class MissingUser < MissingData
+    end
+
+    class MissingAction < MissingData
+    end
+
+    class MissingController < MissingData
+    end
+
+    class MissingNamespace < MissingData
+    end
+  end
+end

data/lib/acu/helpers/helpers.rb

@@ -0,0 +1,9 @@
+def acu_is? symbol
+  flag = false
+  [symbol].flatten.each { |s| flag |= Acu::Monitor.valid_for? s }
+  flag
+end
+
+def acu_as symbol
+  yield if acu_is? symbol
+end

data/lib/acu/injectors.rb

@@ -0,0 +1,15 @@
+require_relative 'helpers/helpers'
+
+module Acu
+  module Injectors
+    class << self
+
+      ActiveSupport::Notifications.subscribe "start_processing.action_controller" do |**args|
+        eval((Acu::Configs.get :base_controller).to_s).class_eval do
+          before_action { Monitor::gaurd }
+        end
+      end
+
+    end
+  end
+end

data/lib/acu/listeners.rb

@@ -0,0 +1,18 @@
+module Acu
+  module Listeners
+
+    @@collective_data = { }
+
+    class << self
+
+      attr_reader :collective_data
+
+      ActiveSupport::Notifications.subscribe "start_processing.action_controller" do |**args|
+        # collects the request parameters for the given [controller, action to be used in Monitor]
+        @@collective_data = @@collective_data.merge([:request, :parameters].reverse.inject(args[:params] || { }) { |v, k| {k => v}})
+      end
+      # get access to collected data
+      def data; @@collective_data end
+    end
+  end
+end

data/lib/acu/monitor.rb

@@ -0,0 +1,201 @@
+require_relative 'errors'
+
+module Acu
+
+  class Monitor
+
+    @kwargs = { }
+
+    class << self
+
+      protected :new
+      attr_reader :kwargs
+
+      def by kwargs
+        @kwargs = @kwargs.merge(kwargs)
+      end
+
+      def clear_args
+        @kwargs = { }
+      end
+
+      def gaurd
+        # fetch the request & process it
+        _info = process Acu::Listeners.data[:request]
+
+        # return if we hit the cache
+        return if hit_cache _info
+
+        rules = Rules.rules.select do |cond, _|
+          flag = true;
+
+          # check if this is a global rule!
+          next true if cond.empty?
+
+          {namespace: nil, controller: :namespace, action: :controller}.each do |current, parent|
+            t = -1
+            # either mentioned explicitly
+            if cond[current]
+              t = (cond[current][:name].to_s == eval("_info.#{current}").to_s) ? 1 : 0
+            # or in `only|except` tags
+            elsif parent and cond[parent]
+              # if nothing mentioned in parent, assume for all
+              t = 1 if not(cond[parent][:only] or cond[parent][:except])
+              # flag true if it checked in namespace's only tag
+              {only: {on_true: 1, on_false: 0} , except: {on_true: 0, on_false: 1}}.each do |tag, val|
+                if cond[parent][tag]
+                  case cond[parent][tag].include? eval("_info.#{current}").to_sym
+                  when true
+                    t = val[:on_true]
+                    break
+                  when false
+                    t = val[:on_false]
+                  end
+                end
+              end
+            end
+            flag &= (t == 1) if t.between? 0, 1;
+            break if not flag
+          end
+          flag
+        end
+        # flag so we can process all the related rule and it all passed this should be false
+        # if any failed, and exception will be raised
+        _granted = -1
+        _entitled_entities = [];
+        # for each mached rule
+        rules.each do |_, rule|
+          # for each entity and it's actions in the rule
+          rule.each do |entity, action|
+            # check it the current request can relay to the entity?
+            if valid_for? entity
+              _entitled_entities << entity.to_s
+              # current entity is granted to have the access?
+              if is_allowed? action
+                # grant the access if already not denied
+                _granted = 1 if _granted == -1
+              else
+                # deny it, period!
+                _granted = 0
+              end
+            end
+          end
+        end
+        # if the access is granted? i.e if all the rules are satisfied with the request
+        return if _granted == 1 and access_granted _info, _entitled_entities
+        # if the access is denied? i.e at least one of rules are NOT satisfied with the request
+        return if _granted == 0 and access_denied  _info, _entitled_entities
+        # if we reached here it measn that have found no rule to deny/allow the request and we have to fallback to the defaults
+        access_denied  _info, [:__ACU_BY_DEFAULT__], by_default: true if not Configs.get :allow_by_default
+        access_granted _info, [:__ACU_BY_DEFAULT__], by_default: true
+      end
+
+      def valid_for? entity
+        # check for existance
+        raise Errors::MissingEntity.new("whois :#{entity}?") if not Rules.entities[entity]
+        # fetch the entity's identity
+        e = Rules.entities[entity]
+        # fetch the related args to the entity from the `kwargs`
+        kwargs = @kwargs.reject { |x| !e[:args].include?(x) }
+        # if fetched args and pre-defined arg didn't match?
+        raise Errors::MissingData.new("at least one of arguments for `whois :#{entity}` is not provided!") if kwargs.length != e[:args].length
+        # send varibles in order the have defined
+        e[:callback].call(*e[:args].map { |i| kwargs[i] })
+      end
+
+      def clear_cache
+        return if not Configs.get :use_cache
+        Rails.cache.clear namespace: (Configs.get :cache_namespace)
+      end
+
+      protected
+
+      def hit_cache _info
+        # return [didn't hit] if not allowed to use cache
+        return false if not Configs.get :use_cache
+        # fetch the relative entities to this request
+        _entitled_entities = Rules.entities.select { |name, _| valid_for? name }
+        # fetch the cache-name
+        cname = cache_name _info, _entitled_entities
+        # return [didn't hit] if not found in cache
+        return false if not Rails.cache.exist? cname, cache_options
+        # check if the request is allowed in cache?
+        if is_allowed?(Rails.cache.read(cname, cache_options).to_s.to_sym)
+          # grant the access
+          access_granted _info, _entitled_entities.keys, from_cache: true
+        else
+          # deny the access
+          access_denied _info, _entitled_entities.keys, from_cache: true
+        end
+        # hit the cache
+        return true
+      end
+
+      def cache_name _info, entities
+        "%s-%s" %[_info.to_a.join('::'), (entities.kind_of?(Array) ? entities : entities.keys).join("-")]
+      end
+
+      def is_allowed? action
+        case action
+        when Rules.GRANT_SYMBOL
+          return true
+        when Rules.DENY_SYMBOL
+          return false
+        else
+          log_audit "> access DENIED to undefined action as `:#{action}`"
+          raise Exception.new("action `#{action}` is undefined!")
+        end
+      end
+
+      def cache_options
+        out = { }
+        # fetch cache options from config
+        [:namespace, :expires_in, :race_condition_ttl].each { |k| out[k] = Configs.get "cache_#{k}".to_sym }
+        return out
+      end
+
+      def log_audit log
+        # fetch the log file from configuration
+        file = Configs.get :audit_log_file
+        # log if allowed?
+        Logger.new(Configs.get :audit_log_file).info(log) if file and not file.blank?
+      end
+
+      def access_granted _info, entities, by_default: false, from_cache: false
+        # log the event
+        log_audit ("[-]" + (from_cache ? '[c]' : '') + " access GRANTED to `#{_info}` as `:#{entities.uniq.join(", :")}`" + (by_default ? " [autherized by :allow_by_default]" : ""))
+        # cache the event if not already from cache
+        Rails.cache.write(cache_name(_info, entities), Rules.GRANT_SYMBOL, cache_options) if not from_cache and Configs.get :use_cache
+        # grant the access
+        true
+      end
+
+      def access_denied _info, entities, by_default: false, from_cache: false
+        # log the event
+        log_audit ("[x]" + (from_cache ? '[c]' : '') + " access DENIED to `#{_info}` as `:#{entities.uniq.join(", :")}`" + (by_default ? " [autherized by :allow_by_default]" : ""))
+        # cache the event if not already from cache
+        Rails.cache.write(cache_name(_info, entities), Rules.DENY_SYMBOL, cache_options) if not from_cache and Configs.get :use_cache
+        # deny the access
+        raise Errors::AccessDenied.new("you don't have the enough access for process this request!")
+      end
+
+      def process request
+        # validate the request parameters
+        raise Errors::InvalidData.new("the request object needs to provided!") if not(request and request[:parameters])
+        # fetch the params
+        p = request[:parameters]
+        # try find the namespace/controller set
+        nc = p["controller"].split('/');
+
+        n = nc.length > 1 ? nc.first : nil
+        c = nc.length > 1 ? nc.second : nc.first
+        a = p["action"]
+
+        # return it with structure
+        Struct.new(:namespace, :controller, :action).new(n, c, a)
+      end
+
+    end # /class << self
+  end # /class Monitor
+
+end # /module Acu

data/lib/acu/rules.rb

@@ -0,0 +1,134 @@
+require_relative 'utilities'
+
+module Acu
+  class Rules
+
+    @rules = { }
+    @entities = { }
+
+    @GRANT_SYMBOL = :allow
+    @DENY_SYMBOL  = :deny
+
+    class << self
+
+      protected :new
+      attr_reader :rules
+      attr_reader :entities
+      attr_reader :GRANT_SYMBOL
+      attr_reader :DENY_SYMBOL
+
+      include Utilities
+
+      def initialize
+        reset
+      end
+
+      def reset
+        @rules = { }
+        @entities = { }
+      end
+
+      # only: only the defined `controllers` in the `namespace`
+      # except: except the defined `controllers` in the `namespace`
+      def namespace name = nil, except: nil, only: nil
+        only = nil if only and not (only.kind_of?(Array) or only.length == 0)
+        except = nil if except and not (except.kind_of?(Array) or except.length == 0)
+        raise Errors::AmbiguousRule.new('cannot have both `only` and `except` options at the same time for namespace `%s`' %name) if only and except
+        pass namespace: { name: name ? name.downcase : name, except: except, only: only } do
+          yield
+        end
+      end
+
+      # only: only the defined `actions` in the `controller`
+      # except: except the defined `actions` in the `controller`
+      def controller name, except: nil, only: nil
+        only = nil if only and not (only.kind_of?(Array) or only.length == 0)
+        except = nil if except and not (except.kind_of?(Array) or except.length == 0)
+        raise Errors::AmbiguousRule.new("there is already an `except` or `only` constraints defined in container namespace `#{@_params[:namespace][:name]}`") if @_params[:namespace] and (@_params[:namespace][:except] || @_params[:namespace][:only])
+        raise Errors::AmbiguousRule.new('cannot have both `only` and `except` options at the same time for controller `%s`' %name) if only and except
+        pass controller: { name: name.downcase, except: except, only: only } do
+          yield
+        end
+      end
+
+      def action name
+        raise Errors::AmbiguousRule.new("at least one of the parent `controller` or `namespace` needs to be defined for the this action") if not (@_params[:namespace] || @_params[:controller])
+        raise Errors::AmbiguousRule.new("there is already an `except` or `only` constraints defined in container controller `#{@_params[:controller][:name]}`") if @_params[:controller] and (@_params[:controller][:except] || @_params[:controller][:only])
+        pass action: { name: name.downcase } do
+          yield
+        end
+      end
+
+      def define(&block)
+        helper_initialize
+        self.instance_eval(&block)
+      end
+
+      # locks the rules to be read-only
+      def lock
+        self.freeze
+      end
+
+      def whois(symbol, args: nil, &block)
+        @entities[symbol] = {
+          args: [args || []].flatten,
+          callback: block
+        }
+      end
+
+      #################### the ops ######################
+      # at this point we assign the class varible rules #
+      ###################################################
+
+      def allow symbol, on: []
+        op symbol, @GRANT_SYMBOL, on
+      end
+
+      def deny symbol, on: []
+        op symbol, @DENY_SYMBOL, on
+      end
+
+      ################### end of ops ####################
+
+      protected
+
+      def op symbol, opr, on
+        symbol = [symbol].flatten if symbol
+        raise Errors::InvalidData.new("invalid argument") if not symbol or symbol.to_s.blank? or opr.to_s.blank?
+        raise Errors::AmbiguousRule.new("cannot have `on` argument inside the action `#{@_params[:action][:name]}`") if not on.empty? and @_params[:action]
+        raise Errors::InvalidData.new("the symbol `#{symbol}` is not defined by `whois`") if not symbol.all? { |s| @entities.include? s }
+        return if on.empty? and symbol.each { |s| build_rule({"#{s}": opr}) }
+        # for each action in the `on` create a new rule
+        on.each do |a|
+          action a do
+            symbol.each { |s| build_rule({"#{s}": opr}) }
+          end
+        end
+      end
+
+      def build_rule rule
+        @rules[@_params.clone] ||= {}
+        @rules[@_params.clone] = rules[@_params.clone].merge(rule);
+      end
+
+      def build_rule_entry
+        n = @_params[:namespace]
+        c = @_params[:controller]
+        a = @_params[:action]
+        raise Errors::AmbiguousRule.new('invalid input') if not ( n or c or a )
+        raise Errors::AmbiguousRule.new('cannot have rule for controller `%s` inside the namespace `%s` that `except`ed it!' %[c[:name], n[:name]]) if n and n[:except] and c and n[:except].include? c[:name]
+        raise Errors::AmbiguousRule.new('cannot have rule for action `%s` inside the controler `%s` that `except`ed it!' %[a[:name], c[:name]]) if c and c[:except] and a and c[:except].include? a[:name]
+        raise Errors::AmbiguousRule.new('cannot have rule for controller `%s` inside the namespace `%s` that has bounded to `only` some other controllers!' %[c[:name], n[:name]]) if n and n[:only] and c and not(n[:only].include? c[:name])
+        raise Errors::AmbiguousRule.new('cannot have rule for action `%s` inside the controller `%s` that has bounded to `only` some other actions!' %[a[:name], c[:name]]) if c and c[:only] and a and not(c[:only].include? a[:name])
+
+        entries = [];
+
+        entries << :namespace if n
+        entries << :controller if c
+        entries << :action if a
+
+        return entries
+      end
+    end
+  end
+end