rbac_rls 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3bc52fa4bdbbc44cf0d4b6ede8d4d142458a169baed9767a30c1f6549a827520
+  data.tar.gz: d289b6293db261f8643b702a70c0f8d9affd094385a898e299f1e7b7d6966c25
+SHA512:
+  metadata.gz: 6a7d8a952d7bbb5af6eedee3338ffd0ff76e71384eb82a2c7e0010f58855519cccb653e6b28e5ec29358b0c4a5f700d9663dfe0a372097d1fb2040ea60a5ff9c
+  data.tar.gz: ae99e701a1bce22e40993385b0f0644a6c49f2aa8e496cf7ed57cd4808133eb8d3ffeb15f70768389728321ddcd741184716a992f35e45dd0cad3aad9fa8528f

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2022 FilipeBeserraMaia
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,53 @@
+# RbacRls
+Short description and motivation.
+
+## Usage
+How to use my plugin.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "rbac_rls"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install rbac_rls
+```
+And then add in your manifest.js:
+```bash 
+//= link rbac_rls/application.css
+//= link rbac_rls/application.js
+```
+And then add in your application_record.rb and application_controller.rb:
+```bash 
+ include ConnectionRls
+ include ConnectionRlsUser
+```
+
+And then run this command:
+```bash
+rake rbac_rls:install:migrations  
+```
+
+And then run this command:
+```bash
+rake db:migrate  
+```
+And then run this command:
+```bash
+yarn  install  
+```
+
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"

data/app/assets/config/rbac_rls_manifest.js

@@ -0,0 +1,2 @@
+// = link rbac_rls/application.js
+//= link rbac_rls/application.css

data/app/assets/javascripts/rbac_rls/application.js

@@ -0,0 +1 @@
+// = require vanilla_nested

data/app/assets/stylesheets/rbac_rls/application.css.scss

@@ -0,0 +1,16 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */
+@import "bootstrap";

data/app/controllers/concerns/connection_rls_user_concern.rb

@@ -0,0 +1,31 @@
+module ConnectionRlsUserConcern
+  extend ActiveSupport::Concern
+
+  included do
+    around_action :with_user_id
+    rescue_from ::PG::InsufficientPrivilege, with: :rls_error
+
+    def with_user_id
+      if current_user.present?
+        ApplicationRecord.with_user_id(current_user.id) do
+          yield
+        end
+      else
+        yield
+      end
+    end
+
+    def rls_error(exception)
+      respond_to do |format|
+        format.json { render json: { error: exception.message }.to_json, status: 500 }
+        format.html { redirect_to request.referrer, notice: exception.message }
+        format.js { render :nothing => true, :status => 404, notice: exception.message }
+      end
+
+    end
+
+  end
+
+  class_methods do
+  end
+end

data/app/controllers/rbac_rls/application_controller.rb

@@ -0,0 +1,3 @@
+class RbacRls::ApplicationController < ActionController::Base
+
+end

data/app/controllers/rbac_rls/groups_controller.rb

@@ -0,0 +1,94 @@
+module RbacRls
+  class GroupsController < ApplicationController
+    include ConnectionRlsUserConcern
+    before_action :set_group, only: %i[ show edit update destroy ]
+
+    # GET /groups
+    def index
+      @groups = Group.all
+    end
+
+    # GET /groups/1
+    def show
+    end
+
+    # GET /groups/new
+    def new
+      @group = Group.new
+      @group.group_permissions.build()
+    end
+
+    # GET /groups/1/edit
+    def edit
+    end
+
+    # POST /groups
+    def create
+      @group = Group.new(group_params)
+
+      if @group.save
+        redirect_to @group, notice: "Group was successfully created."
+      else
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    # PATCH/PUT /groups/1
+    def update
+      if @group.update(group_params)
+        redirect_to @group, notice: "Group was successfully updated."
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    # DELETE /groups/1
+    def destroy
+      @group.destroy
+      redirect_to groups_url, notice: "Group was successfully destroyed."
+    end
+
+    def get_options_select
+      @permission = Permission.find_by(id: params[:permission_object_id])
+
+      if @permission.present?
+        attrs = @permission.table_name.singularize.camelize.constantize.new.attributes.keys
+        if params[:target_select].to_s.to_sym == :table_key_id
+
+          @collection = [attrs, attrs].transpose.to_h if params[:target_select].to_s.to_sym == :table_key_id
+
+        elsif params[:target_select].to_s.to_sym == :table_value_id
+          elements = @permission.table_name.singularize.camelize.constantize.all.map(&params[:permission_id].to_s.to_sym)
+          @collection = [elements, elements].transpose.to_h
+        end
+
+      end
+      render json: @collection.to_h.as_json
+    end
+
+    private
+
+    # Use callbacks to share common setup or constraints between actions.
+    def set_group
+      @group = Group.find(params[:id])
+    end
+
+    # Only allow a list of trusted parameters through.
+    def group_params
+      params.require(:group).permit(:name, :comments, group_permissions_attributes: [:id,
+                                                                                     :group_id,
+                                                                                     :permission_id,
+                                                                                     :table_key,
+                                                                                     :table_value,
+                                                                                     :_destroy],
+                                    group_users_attributes: [
+                                      :id,
+                                      :group_id,
+                                      :user_id,
+                                      :_destroy
+                                    ]
+
+      )
+    end
+  end
+end

data/app/controllers/rbac_rls/home_controller.rb

@@ -0,0 +1,5 @@
+class RbacRls::HomeController < RbacRls::ApplicationController
+  def index
+
+  end
+end

data/app/controllers/rbac_rls/permissions_controller.rb

@@ -0,0 +1,69 @@
+module RbacRls
+  class PermissionsController < RbacRls::ApplicationController
+    before_action :set_permission, only: %i[ show edit update destroy ]
+
+    # GET /permissions
+    def index
+      @permissions = Permission.all
+    end
+
+    # GET /permissions/1
+    def show
+    end
+
+    # GET /permissions/new
+    def new
+      @permission = Permission.new
+    end
+
+    # GET /permissions/1/edit
+    def edit
+    end
+
+    # POST /permissions
+    def create
+      @permission = Permission.new(permission_params)
+
+      if @permission.save
+
+        redirect_to @permission, notice: "Permission was successfully created."
+      else
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    # PATCH/PUT /permissions/1
+    def update
+      if @permission.update(permission_params)
+        redirect_to @permission, notice: "Permission was successfully updated."
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    # DELETE /permissions/1
+    def destroy
+      @permission.destroy
+      redirect_to permissions_url, notice: "Permission was successfully destroyed."
+    end
+
+    private
+
+    # Use callbacks to share common setup or constraints between actions.
+    def set_permission
+      @permission = Permission.find(params[:id])
+    end
+
+    # Only allow a list of trusted parameters through.
+    def permission_params
+      params.require(:permission).permit(:name, :table_name, :read, :write, :change, :remove, :permission_id,
+                                         :owner_read, :owner_change, :owner_remove,
+                                         role_permissions_attributes: [:id,
+                                                                       :role_id,
+                                                                       :permission_id,
+                                                                       :_destroy]
+      )
+    end
+  end
+end
+

data/app/controllers/rbac_rls/roles_controller.rb

@@ -0,0 +1,61 @@
+module RbacRls
+  class RolesController < RbacRls::ApplicationController
+    before_action :set_role, only: %i[ show edit update destroy ]
+
+    # GET /roles
+    def index
+      @roles = Role.all
+    end
+
+    # GET /roles/1
+    def show
+    end
+
+    # GET /roles/new
+    def new
+      @role = RbacRls::Role.new
+    end
+
+    # GET /roles/1/edit
+    def edit
+    end
+
+    # POST /roles
+    def create
+      @role = Role.new(role_params)
+
+      if @role.save
+        redirect_to @role, notice: "Role was successfully created."
+      else
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    # PATCH/PUT /roles/1
+    def update
+      if @role.update(role_params)
+        redirect_to @role, notice: "Role was successfully updated."
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    # DELETE /roles/1
+    def destroy
+      @role.destroy
+      redirect_to roles_url, notice: "Role was successfully destroyed."
+    end
+
+    private
+
+    # Use callbacks to share common setup or constraints between actions.
+    def set_role
+      @role = Role.find(params[:id])
+    end
+
+    # Only allow a list of trusted parameters through.
+    def role_params
+      params.require(:role).permit(:name, :comments, user_roles_attributes: [:id, :_destroy, :user_id])
+    end
+  end
+end

data/app/helpers/rbac_rls/application_helper.rb

@@ -0,0 +1,4 @@
+module RbacRls
+  module ApplicationHelper
+  end
+end

data/app/helpers/rbac_rls/groups_helper.rb

@@ -0,0 +1,4 @@
+module RbacRls
+  module GroupsHelper
+  end
+end

data/app/helpers/rbac_rls/permissions_helper.rb

@@ -0,0 +1,41 @@
+module RbacRls
+  module PermissionsHelper
+
+    def permission_options_for_select(form)
+      c = RbacRls::Permission.all
+      options_for_select(c.collect { |p| [p.name, p.id] }, form.object.permission_id)
+    end
+
+    def table_selected_key_options_for_select(form)
+      return options_for_select({}, nil) if form.object.permission_id.nil?
+      c = RbacRls::GroupPermission.all
+      options_for_select(c.collect { |p| [p.table_key, p.table_key] }, form.object.table_key)
+    end
+
+    def table_selected_value_options_for_select(form)
+      return options_for_select({}, nil) if form.object.permission_id.nil?
+      c = RbacRls::GroupPermission.all
+      options_for_select(c.collect { |p| [p.table_value, p.table_value] }, form.object.table_value)
+    end
+
+    def role_options_for_select(form)
+      c = RbacRls::Role.all
+      options_for_select(c.collect { |p| [p.name, p.id] }, form.object.role_id)
+    end
+
+    def permission_options_for_select(form)
+      c = RbacRls::Permission.all
+      options_for_select(c.collect { |p| [p.name, p.id] }, form.object.permission_id)
+    end
+
+    def user_options_for_select(form)
+      c = User.all
+      options_for_select(c.collect { |p| [p.email, p.id] }, form.object.user_id)
+    end
+
+    def table_name_options_for_select(form)
+      c = RbacRls::Permission.all_tables
+      options_for_select(c.collect { |t| [t, t] }, form.object.table_name)
+    end
+  end
+end

data/app/helpers/rbac_rls/roles_helper.rb

@@ -0,0 +1,4 @@
+module RbacRls
+  module RolesHelper
+  end
+end

data/app/jobs/rbac_rls/application_job.rb

@@ -0,0 +1,4 @@
+module RbacRls
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/rbac_rls/application_mailer.rb

@@ -0,0 +1,6 @@
+module RbacRls
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/concerns/connection_rls_concern.rb

@@ -0,0 +1,19 @@
+module ConnectionRlsConcern
+  extend ActiveSupport::Concern
+
+  included do
+    SET_USER_ID_SQL = 'SET rls.user_id = %s'.freeze
+    RESET_USER_ID_SQL = 'RESET rls.user_id'.freeze
+  end
+
+  class_methods do
+    def with_user_id(user_id, &block)
+      begin
+        connection.execute format(SET_USER_ID_SQL, connection.quote(user_id))
+        block.call
+      ensure
+        connection.execute RESET_USER_ID_SQL
+      end
+    end
+  end
+end

data/app/models/rbac_rls/application_record.rb

@@ -0,0 +1,3 @@
+class RbacRls::ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end

data/app/models/rbac_rls/group.rb

@@ -0,0 +1,14 @@
+class RbacRls::Group < ApplicationRecord
+
+  self.table_name = :groups
+  has_many :group_permissions, :class_name => 'RbacRls::GroupPermission'
+  has_many :group_users, :class_name => 'RbacRls::GroupUser'
+  accepts_nested_attributes_for :group_permissions, reject_if: :all_blank, allow_destroy: true
+  accepts_nested_attributes_for :group_users, reject_if: :all_blank, allow_destroy: true
+
+
+  private
+
+
+
+end

data/app/models/rbac_rls/group_permission.rb

@@ -0,0 +1,20 @@
+module RbacRls
+  class GroupPermission < ApplicationRecord
+    self.table_name = :group_permissions
+    belongs_to :permission
+    belongs_to :group
+    after_save :create_group_rls_policy
+
+    #rails generate rbac_rls:group_permission table_name description:table_key 'produto':table_value
+    def create_group_rls_policy
+      cmd = ""
+      if self.permission.table_name.present? and self.table_key.present? and self.table_value.present?
+        cmd = "rails generate rbac_rls:group_permission #{self.permission.table_name} '#{self.table_key}':table_key '#{self.table_value}':table_value"
+      end
+      if cmd.present?
+        system(cmd)
+        system('rake db:migrate RAILS_ENV=migrations')
+      end
+    end
+  end
+end

data/app/models/rbac_rls/group_user.rb

@@ -0,0 +1,7 @@
+module RbacRls
+  class GroupUser < ApplicationRecord
+    self.table_name = :group_users
+    belongs_to :user
+    belongs_to :group
+  end
+end

data/app/models/rbac_rls/permission.rb

@@ -0,0 +1,68 @@
+class RbacRls::Permission < ApplicationRecord
+
+  self.table_name = :permissions
+  belongs_to :permission, :class_name => 'RbacRls::Permission', optional: true
+  has_many :role_permissions, :class_name => 'RbacRls::RolePermission'
+  accepts_nested_attributes_for :role_permissions, reject_if: :all_blank, allow_destroy: true
+
+  #validations
+  validate :validate_self_relationship, if: Proc.new { |obj| obj.permission.present? }
+  validates_uniqueness_of :name, message: "This permission already exists"
+  validates_presence_of :table_name
+  before_validation :set_permission_name
+  after_commit :create_rls_policy
+
+  def self.all_tables(schema = :public)
+
+    sql = "SELECT table_name FROM information_schema.tables #{where_schema(schema)} "
+    result = ActiveRecord::Base.connection.select_all(sql)
+    tables = result.map { |k| k['table_name'] }
+    tables
+  end
+
+  def self.where_schema(schema_name = nil)
+    schema_name.present? ? "WHERE table_schema  = '#{schema_name}'" : ''
+  end
+
+  private
+
+  def validate_self_relationship
+    self.errors.add(:permission, "cannot add self relationship with the same record") if self.id == self.permission_id
+  end
+
+  #@example rails generate rbac_rls:custom_migration transictions insert:role update:role select:all  delete:user
+  def create_rls_policy
+    type_policies = ->() do
+      cmd = ""
+      cmd += " select:role " if read.present?
+      cmd += " insert:role " if write.present?
+      cmd += " update:role " if change.present?
+      cmd += " delete:role " if remove.present?
+      cmd
+    end
+    type_options = -> () do
+      cmd = ""
+      cmd += " --permission_identifier #{self.id} " if self.id.present?
+      cmd
+    end
+
+    if (type_policies.===).present? and (type_options.===).present? &&
+      RbacRls::Permission.all.map(&:table_name).exclude?(table_name)
+
+      cmd = "rails generate rbac_rls:custom_migration  #{table_name}  #{type_policies.===} #{type_options.===}"
+      system(cmd)
+      system('rake db:migrate RAILS_ENV=migrations')
+    end
+  end
+
+  def set_permission_name
+    self.name = self.table_name.to_s if self.table_name.present?
+    self.name += "_rd" if self.read
+    self.name += "_wt" if self.write
+    self.name += "_cg" if self.change
+    self.name += "_rv" if self.remove
+  end
+
+  def has_role_permission?() end
+
+end

data/app/models/rbac_rls/role.rb

@@ -0,0 +1,10 @@
+class RbacRls::Role < ApplicationRecord
+  self.table_name = :roles
+
+  # has_many :permissions, :class_name => 'RbacRls::Permission'
+
+  has_many :user_roles, :class_name => 'RbacRls::UserRole'
+  accepts_nested_attributes_for :user_roles, reject_if: :all_blank, allow_destroy: true
+
+end
+

data/app/models/rbac_rls/role_permission.rb

@@ -0,0 +1,6 @@
+class RbacRls::RolePermission < ApplicationRecord
+  belongs_to :role
+  belongs_to :permission
+
+  self.table_name = :role_permissions
+end

data/app/models/rbac_rls/user_role.rb

@@ -0,0 +1,7 @@
+module RbacRls
+  class UserRole < ApplicationRecord
+    self.table_name = :user_roles
+    belongs_to :user
+    belongs_to :role
+  end
+end