request_refinery 0.0.1

data/db/migrate/20141003181010_devise_create_request_refinery_users.rb

@@ -0,0 +1,76 @@
+class DeviseCreateRequestRefineryUsers < ActiveRecord::Migration
+  def change
+    create_table(:request_refinery_users) do |t|
+      ## Database authenticatable
+      t.string :email,              null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, default: 0, null: false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      t.string :first_name
+      t.string :last_name
+      t.string :username, null: false, default: ""
+
+      t.timestamps
+    end
+
+    add_index :request_refinery_users, :email,                unique: true
+    add_index :request_refinery_users, :username,             unique: true
+    add_index :request_refinery_users, :reset_password_token, unique: true
+    # add_index :request_refinery_users, :confirmation_token,   unique: true
+    # add_index :request_refinery_users, :unlock_token,         unique: true
+
+    create_table :request_refinery_permissions_users, id:false do |t|
+      t.belongs_to :permission
+      t.belongs_to :user
+
+      t.timestamps
+    end
+
+    create_table :request_refinery_roles_users, id:false do |t|
+      t.belongs_to :role
+      t.belongs_to :user
+
+      t.timestamps
+    end
+
+    create_table :request_refinery_customers_users, id:false do |t|
+      t.belongs_to :customer
+      t.belongs_to :user
+
+      t.timestamps
+    end
+
+    create_table :request_refinery_inverse_users_restrictions, id:false do |t|
+      t.belongs_to :permission
+      t.belongs_to :user
+
+      t.timestamps
+    end
+
+
+  end
+end

data/db/migrate/20141003190734_create_request_refinery_controller_filters.rb

@@ -0,0 +1,18 @@
+class CreateRequestRefineryControllerFilters < ActiveRecord::Migration
+  def change
+    create_table :request_refinery_controller_filters do |t|
+      t.string :http_method
+      t.string :controller
+      t.string :action_name
+
+      t.timestamps
+    end
+
+    create_table :request_refinery_controller_filters_permissions do |t|
+      t.belongs_to :controller_filter
+      t.belongs_to :permission
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20141003190741_create_request_refinery_permissions.rb

@@ -0,0 +1,31 @@
+class CreateRequestRefineryPermissions < ActiveRecord::Migration
+  def change
+    create_table :request_refinery_roles do |t|
+      t.string :group
+
+      t.timestamps
+    end
+    add_index :request_refinery_roles, :group, unique: true
+
+    create_table :request_refinery_permissions do |t|
+      t.string :name
+
+      t.timestamps
+    end
+    add_index :request_refinery_permissions, :name, unique: true
+
+    create_table :request_refinery_permissions_roles, id:false do |t|
+      t.belongs_to :role
+      t.belongs_to :permission
+
+      t.timestamps
+    end
+
+    create_table :request_refinery_restrictions_inverse_roles, id:false do |t|
+      t.belongs_to :role
+      t.belongs_to :permission
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20141003194717_create_request_refinery_customers.rb

@@ -0,0 +1,12 @@
+class CreateRequestRefineryCustomers < ActiveRecord::Migration
+  def change
+    create_table :request_refinery_customers do |t|
+      t.string :cust_id
+      t.string :prefix
+      t.string :folder_name
+      t.string :error_email_recipients
+
+      t.timestamps
+    end
+  end
+end

data/lib/generators/request_refinery/install_generator.rb

@@ -0,0 +1,79 @@
+require 'rails/generators/base'
+
+module RequestRefinery
+	module Generators
+		class InstallGenerator < Rails::Generators::Base
+			# include Rails::Generators::Actions::CreateMigration
+			# Mount the engine in routes.rb of the host app
+			# route "mount RequestRefinery::Engine, at:'/'"
+
+			############################################################
+			# Seed data ################################################
+			############################################################
+
+			# Create an initial set of Permissions
+			puts "Creating default permission set\n\tview\n\tedit\n\tcreate\n\tdelete\n\tall"
+			perms = []
+			perms << view = Permission.new(name:"view")
+			perms << edit = Permission.new(name:"edit")
+			perms << create = Permission.new(name:"create")
+			perms << delete = Permission.new(name:"delete")
+			perms << all = Permission.new(name:"all")
+			perms.each{|x| x.save}
+
+			# Create an initial admin role
+			puts "Creating admin role with permission 'all'"
+			admin = Role.new(group: "admin")
+			admin.permissions = [all]
+			admin.save
+
+			# Create an initial admin user
+			puts "Creating user 'temporary admin' with 'admin' role"
+			email = "admin@admin.fake"
+			password = "password"
+			puts "\tUsername: #{email}\n\tPassword: #{password}"
+			admin_user = User.new(email:email,password:password,first_name:"temporary",last_name:"admin")
+			admin_user.roles << admin
+			admin_user.save
+
+			# Create default set of controller filters
+			puts "Creating default http_method permissions
+			\n\tGET    permissions: view
+			\n\tPOST   permissions: create
+			\n\tPUT    permissions: edit
+			\n\tPATCH  permissions: edit
+			\n\tDELETE permissions: delete"
+			ControllerFilter.new(http_method:"get",permissions:[view]).save
+			ControllerFilter.new(http_method:"post",permissions:[create]).save
+			ControllerFilter.new(http_method:"put",permissions:[edit]).save
+			ControllerFilter.new(http_method:"patch",permissions:[edit]).save
+			ControllerFilter.new(http_method:"delete",permissions:[delete]).save
+
+
+
+
+
+
+			# source_root File.expand_path("../../templates", __FILE__)
+
+			# desc "Creates a Devise initializer and copy locale files to your application."
+			# # class_option :orm
+
+			# def copy_initializer
+			# template "devise.rb", "config/initializers/devise.rb"
+			# end
+
+			# def copy_locale
+			# copy_file "../../../config/locales/en.yml", "config/locales/devise.en.yml"
+			# end
+
+			# def show_readme
+			# readme "README" if behavior == :invoke
+			# end
+
+			# def rails_4?
+			# Rails::VERSION::MAJOR == 4
+			# end
+		end
+	end
+end

data/lib/request_refinery/engine.rb

@@ -0,0 +1,15 @@
+module RequestRefinery
+  class Engine < ::Rails::Engine
+    isolate_namespace RequestRefinery
+
+    # to avoid the railties migration step
+    initializer :append_migrations do |app|
+      unless app.root.to_s.match root.to_s
+        config.paths["db/migrate"].expanded.each do |expanded_path|
+          app.config.paths["db/migrate"] << expanded_path
+        end
+      end
+    end
+    
+  end
+end

data/lib/request_refinery/version.rb

@@ -0,0 +1,3 @@
+module RequestRefinery
+  VERSION = "0.0.1"
+end

data/lib/request_refinery.rb

@@ -0,0 +1,70 @@
+require 'devise'
+require "request_refinery/engine"
+
+module RequestRefinery
+	module ControllerMethods
+
+		# returns a boolean indicating whether the user has the permission/permissions in omniParam
+		# the intended use is to pass it a symbol or an array of symbols, but there are various other options below:
+		# 	omniParam can be a string representing Permission.name, a symbol representing the same, or the actual Permission object
+		# 	omniParam can also be an array containg any combination of the aforementioned single parameters
+		def authorized_to? omniParam, user:current_user, permissions:nil
+			perms = permissions
+			perms = user.permission_syms if perms === nil or (!perms.is_a? Array or !perms[0].is_a? Symbol)
+
+			return true if perms.include? :all
+
+			if omniParam.is_a? Symbol
+				return perms.include? omniParam
+			elsif omniParam.is_a? String
+				return perms.include? omniParam.to_sym
+			elsif omniParam.is_a? RequestRefinery::Permission
+				return perms.include? omniParam.name.to_sym
+			elsif omniParam.is_a? Array
+				return omniParam.all?{|x| authorized_to? x,user:user, permissions:perms}
+			elsif omniParam.is_a? RequestRefinery::Permission::ActiveRecord_Associations_CollectionProxy
+				return authorized_to? omniParam.to_a, user:user, permissions:perms
+			elsif omniParam.is_a? Role	# not going to handle Role because that would weaken the connection between access to a resource and a specific permission
+			elsif omniParam.is_a? Hash 	# does not make sense
+			elsif omniParam.is_a? User 	# does not make sense
+			else
+				return false
+			end
+			return false
+		end
+
+		def enforce_request_permissions user:current_user
+			# Allow all DeviseController methods
+			return if self.class.superclass.to_s == DeviseController.to_s
+
+			# collect the method, controller, and action
+			# look for a matching controller filter
+			filter = RequestRefinery::ControllerFilter.where(http_method:request.method.downcase,controller:self.class.to_s,action_name:@_action_name).first
+
+			# look for a http_method specific controller-wide filter (ie - the action_name will be blank) if there is not one for the method, and use that filter for the request instead
+			filter = RequestRefinery::ControllerFilter.where(http_method:request.method.downcase,controller:self.class.to_s,action_name:nil).first if filter.blank?
+
+			# look for a controller-wide filter (ie - the action_name and http_method will be blank) if there is not one for the method, and use that filter for the request instead
+			filter = RequestRefinery::ControllerFilter.where(http_method:nil,controller:self.class.to_s,action_name:nil).first if filter.blank?
+
+			# look for an http_method-wide filter (only the http_method will be filled in) if there is not one for the controller (not recommended since this loosens the security)
+			filter = RequestRefinery::ControllerFilter.where(http_method:request.method.downcase,controller:nil,action_name:nil).first if filter.blank?
+
+			# handle unauthorized request with unauthorized_request method if filter.blank?
+			return unauthorized_request if filter.blank?
+
+			# get the required permissions and user permissions
+			# handle unauthorized request with unauthorized_request method unless authorized_to? filter.permissions
+			unauthorized_request(filter:filter) unless authorized_to? filter.permissions
+
+			puts "\n\nConfirmed that #{user.email} is authorized to #{filter.http_method.upcase}::>#{filter.controller}.#{filter.action_name}\n\n" if authorized_to? filter.permissions
+		end
+
+		# can render any page, but a redirect will result in a redirect loop
+		def unauthorized_request user:current_user,filter:nil
+			puts "\n\nNo filter matches the given http method, controller, or controller method, rerouting..." if filter.blank?
+			puts "\n\nUser #{user.email} is not authorized to #{filter.http_method.upcase}::>#{filter.controller || 'all'}.#{filter.action_name || 'all'}, rerouting...\n\n" unless filter.blank?
+			render json: "Unauthorized Request"
+		end
+	end
+end

data/lib/tasks/request_refinery_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :request_refinery do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,172 @@
+--- !ruby/object:Gem::Specification
+name: request_refinery
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Nathan Hanna
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-10-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.1.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.1.6
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |-
+  Creates the following tables:
+                        Users
+                        Roles
+                        Permissions
+                        ControllerFilters
+                      Implements a devise authentication strategy already configured.
+                      Makes available an 'authorized_to? method in application controller that returns true if the users permissions match the given permissions/list of permissions.
+                      Implements whitelisting of all requests.  Every http request needs to have an associated ControllerFilter.  If the filter exists, then the current_user's permissions must satisfy the permissions required by the filter.
+email:
+- jnathanhdev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.rdoc
+- Rakefile
+- app/assets/javascripts/request_refinery/application.js
+- app/assets/javascripts/request_refinery/controller_filters.js
+- app/assets/javascripts/request_refinery/customers.js
+- app/assets/javascripts/request_refinery/permissions.js
+- app/assets/javascripts/request_refinery/roles.js
+- app/assets/stylesheets/request_refinery/application.css
+- app/assets/stylesheets/request_refinery/controller_filters.css
+- app/assets/stylesheets/request_refinery/customers.css
+- app/assets/stylesheets/request_refinery/permissions.css
+- app/assets/stylesheets/request_refinery/roles.css
+- app/assets/stylesheets/scaffold.css
+- app/controllers/request_refinery/application_controller.rb
+- app/controllers/request_refinery/controller_filters_controller.rb
+- app/controllers/request_refinery/customers_controller.rb
+- app/controllers/request_refinery/permissions_controller.rb
+- app/controllers/request_refinery/roles_controller.rb
+- app/helpers/request_refinery/application_helper.rb
+- app/helpers/request_refinery/controller_filters_helper.rb
+- app/helpers/request_refinery/customers_helper.rb
+- app/helpers/request_refinery/permissions_helper.rb
+- app/helpers/request_refinery/roles_helper.rb
+- app/models/request_refinery/controller_filter.rb
+- app/models/request_refinery/customer.rb
+- app/models/request_refinery/permission.rb
+- app/models/request_refinery/role.rb
+- app/models/request_refinery/user.rb
+- app/views/layouts/request_refinery/application.html.erb
+- app/views/request_refinery/controller_filters/_form.html.erb
+- app/views/request_refinery/controller_filters/edit.html.erb
+- app/views/request_refinery/controller_filters/index.html.erb
+- app/views/request_refinery/controller_filters/new.html.erb
+- app/views/request_refinery/controller_filters/show.html.erb
+- app/views/request_refinery/customers/_form.html.erb
+- app/views/request_refinery/customers/edit.html.erb
+- app/views/request_refinery/customers/index.html.erb
+- app/views/request_refinery/customers/new.html.erb
+- app/views/request_refinery/customers/show.html.erb
+- app/views/request_refinery/permissions/_form.html.erb
+- app/views/request_refinery/permissions/edit.html.erb
+- app/views/request_refinery/permissions/index.html.erb
+- app/views/request_refinery/permissions/new.html.erb
+- app/views/request_refinery/permissions/show.html.erb
+- app/views/request_refinery/roles/_form.html.erb
+- app/views/request_refinery/roles/edit.html.erb
+- app/views/request_refinery/roles/index.html.erb
+- app/views/request_refinery/roles/new.html.erb
+- app/views/request_refinery/roles/show.html.erb
+- config/initializers/application_controller.rb
+- config/initializers/devise.rb
+- config/locales/devise.en.yml
+- config/routes.rb
+- db/migrate/20141003181010_devise_create_request_refinery_users.rb
+- db/migrate/20141003190734_create_request_refinery_controller_filters.rb
+- db/migrate/20141003190741_create_request_refinery_permissions.rb
+- db/migrate/20141003194717_create_request_refinery_customers.rb
+- db/seeds.rb
+- lib/generators/request_refinery/install_generator.rb
+- lib/request_refinery.rb
+- lib/request_refinery/engine.rb
+- lib/request_refinery/version.rb
+- lib/tasks/request_refinery_tasks.rake
+homepage: https://github.com/jnathanh/request_refinery
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Implements a permissions system for Rails api endpoints and devise users
+test_files: []