resource_policy 1.0.0

data/lib/resource_policy/policy/attributes_policy/attributes_policy_model.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module ResourcePolicy
+  module Policy
+    module AttributesPolicy
+      # Class which isolates methods defined via attributes_policy config
+      class AttributesPolicyModel
+        require 'resource_policy/policy/attributes_policy/attribute_policy'
+
+        def initialize(policy)
+          @policy = policy
+          @policy_item_by_name ||= {}
+        end
+
+        def all
+          @all ||= config.attributes.keys.map do |attribute_name|
+            policy_item(attribute_name)
+          end
+        end
+
+        def all_allowed_to(status)
+          all.select { |attribute| attribute.allowed_to?(status) }
+        end
+
+        def method_missing(method_name)
+          return super unless config.attributes.key?(method_name.to_sym)
+
+          policy_item(method_name.to_sym)
+        end
+
+        def respond_to_missing?(method_name, *args)
+          config.attributes.key?(method_name.to_sym) || super
+        end
+
+        private
+
+        attr_reader :policy
+
+        def config
+          policy.class.policy
+        end
+
+        def policy_item(name)
+          @policy_item_by_name[name] ||= begin
+            attribute = config.attributes.fetch(name)
+            AttributePolicy.new(attribute, policy: policy)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/resource_policy/policy/attributes_policy.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module ResourcePolicy
+  module Policy
+    # Allows to define fields policy using configuration block.
+    #
+    # Usage example:
+    #
+    # class SomeModelPolicy
+    #   include ResourcePolicy::AttributesPolicy
+    #
+    #   policy do |c|
+    #     c.attribute(:some_name)
+    #       .allowed(:read, if: :readable?)
+    #       .allowed(:write, if: :writable?)
+    #
+    #     c.group(:current_user_is_admin?) do |g|
+    #       g.attribute(:password).allowed(:write)
+    #     end
+    #   end
+    #
+    #   def current_user_is_admin?
+    #      current_user.admin?
+    #   end
+    #   ...
+    # end
+    #
+    module AttributesPolicy
+      require 'resource_policy/policy/attributes_policy/attributes_policy_model'
+
+      def protected_resource
+        @protected_resource ||= ProtectedResource.new(self)
+      end
+
+      def action(name)
+        actions_policy.public_send(name) if actions_policy.respond_to?(name)
+      end
+
+      def attribute(name)
+        attributes_policy.public_send(name) if attributes_policy.respond_to?(name)
+      end
+
+      def policy_target
+        send(self.class.policy.policy_target)
+      end
+
+      def attributes_policy
+        @attributes_policy ||= AttributesPolicyModel.new(self)
+      end
+
+      private
+
+      def resource_policy_initialize(*args)
+        @policy_target = args.first
+      end
+    end
+  end
+end

data/lib/resource_policy/policy/merge_policies.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module ResourcePolicy
+  module Policy
+    # Service object using for merging two policy configurations
+    class MergePolicies
+      class OverlappingActionError < ResourcePolicy::Error; end
+
+      def self.call(*args)
+        new(*args).call
+      end
+
+      def initialize(policy, other_policy)
+        @policy = policy
+        @other_policy = other_policy
+      end
+
+      def call
+        merge_actions
+        merge_attributes
+        policy
+      end
+
+      private
+
+      attr_reader :policy, :other_policy
+
+      def merge_actions
+        other_policy.actions.values.each do |action|
+          policy.action(action.name).allowed(if: action.conditions)
+        end
+      end
+
+      def merge_attributes
+        other_policy.attributes.values.each do |attribute|
+          attribute.defined_actions.each do |action_name|
+            conditions = attribute.conditions_for(action_name)
+            policy.attribute(attribute.name).allowed(action_name, if: conditions)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/resource_policy/policy/policy_configuration.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module ResourcePolicy
+  module Policy
+    # Stores all configuration about policy
+    class PolicyConfiguration
+      require 'resource_policy/policy/action_policy_configuration'
+
+      require 'resource_policy/policy/attributes_policy/attribute_configuration'
+      require 'resource_policy/policy/merge_policies'
+
+      EmptyConfiguration = Class.new do
+        def group_conditions
+          []
+        end
+      end
+
+      EMPTY_CONFIGURATION = EmptyConfiguration.new
+
+      def initialize(parent_configuration: EMPTY_CONFIGURATION, extra_group_conditions: [])
+        @actions = {}
+        @attributes = {}
+        @parent_configuration = parent_configuration
+        @extra_group_conditions = extra_group_conditions
+      end
+
+      def initialize_copy(_other)
+        @actions = @actions.dup.each.with_object({}) { |(key, value), result| result[key] = value.dup }
+        @attributes = @attributes.dup.each.with_object({}) { |(key, value), result| result[key] = value.dup }
+      end
+
+      def policy_target(policy_target_name = nil)
+        @policy_target = policy_target_name if policy_target_name
+        @policy_target
+      end
+
+      def attribute(attribute_name)
+        symbolized_name = attribute_name.to_sym
+
+        @attributes[symbolized_name] ||= AttributesPolicy::AttributeConfiguration.new(
+          symbolized_name, policy_configuration: self
+        )
+      end
+
+      def attributes
+        @attributes.select { |_name, action| action.configured? }
+      end
+
+      def actions
+        @actions.select { |_name, action| action.configured? }
+      end
+
+      def action(attribute_name)
+        symbolized_name = attribute_name.to_sym
+
+        @actions[symbolized_name] ||= ActionPolicyConfiguration.new(
+          symbolized_name, policy_configuration: self
+        )
+      end
+
+      def group(*new_conditions)
+        return @group if new_conditions.empty?
+
+        unique_new_conditions = new_conditions.map(&:to_sym).uniq
+        group_config = self.class.new(
+          parent_configuration: self,
+          extra_group_conditions: unique_new_conditions
+        )
+
+        yield(group_config)
+        tap { |config| config.merge(group_config) }
+      end
+
+      def group_conditions
+        (parent_configuration.group_conditions + extra_group_conditions).uniq
+      end
+
+      def merge(other)
+        MergePolicies.call(self, other)
+      end
+
+      protected
+
+      attr_reader :extra_group_conditions, :parent_configuration
+    end
+  end
+end

data/lib/resource_policy/policy.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module ResourcePolicy
+  # Gives policy configuration methods for any policy class
+  module Policy
+    require 'resource_policy/protected_resource'
+    require 'resource_policy/policy/policy_configuration'
+    require 'resource_policy/policy/attributes_policy'
+    require 'resource_policy/policy/actions_policy'
+
+    # Class methods.
+    module ClassMethods
+      def policy
+        @policy ||= Policy::PolicyConfiguration.new
+        yield(@policy) if block_given?
+        @policy
+      end
+
+      def inherited(subclass)
+        super
+        subclass.instance_variable_set(:@policy, policy.dup)
+      end
+    end
+
+    def self.included(receiver)
+      receiver.send(:extend, ClassMethods)
+      receiver.send(:include, ::ResourcePolicy::Policy::ActionsPolicy)
+      receiver.send(:include, ::ResourcePolicy::Policy::AttributesPolicy)
+    end
+  end
+end

data/lib/resource_policy/protected_resource.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module ResourcePolicy
+  # Generates resource which has same attributes as policy target,
+  # but returns `nil` when attribute in not readable according to policy
+  class ProtectedResource
+    def initialize(policy)
+      @policy = policy
+    end
+
+    def method_missing(method_name, *args)
+      return super unless target_respond_to?(method_name, *args)
+      return nil unless policy.attribute(method_name).readable?
+
+      policy_target.public_send(method_name, *args)
+    end
+
+    def respond_to_missing?(*args)
+      target_respond_to?(*args) || super
+    end
+
+    private
+
+    attr_reader :policy
+
+    def target_respond_to?(method_name, *args)
+      accessible_attributes.include?(method_name.to_sym) &&
+        policy_target.respond_to?(method_name, *args)
+    end
+
+    def accessible_attributes
+      attributes = policy.class.policy.attributes.values.select do |attribute|
+        attribute.defined_action?(:read)
+      end
+
+      attributes.map(&:name)
+    end
+
+    def policy_target
+      policy.policy_target
+    end
+  end
+end

data/lib/resource_policy/rails.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+# Incudes resource policy and rails specific helpers
+require 'resource_policy'
+require 'resource_policy/validators/action_policy_validator'

data/lib/resource_policy/validators/action_policy_validator.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# Available options:
+#
+#   * `:allowed_to` (required) - action type which we need to check.
+#   * `:as` (optional) - key which will be used to display errors.
+#
+# Usage example:
+#
+#   class SomeClass
+#     validates :some_policy, 'resource_policy/action': { allowed_to: :create, as: :some_item }
+#
+#     def some_policy
+#       SomePolicy.new
+#     end
+#   end
+#
+module ResourcePolicy
+  class ActionValidator < ActiveModel::EachValidator
+    def validate_each(record, default_attribute, policy)
+      attribute = options.fetch(:as, default_attribute)
+      action_policy = policy.action(action_name)
+      validate_action_policy(action_policy, record:, attribute:)
+    end
+
+    private
+
+    def validate_action_policy(policy, record:, attribute:)
+      if policy.nil?
+        add_missing_policy_error_for(record, attribute:)
+      elsif !policy.allowed?
+        add_not_permitted_error_for(record, attribute:)
+      end
+    end
+
+    def action_name
+      @action_name ||= options.fetch(:allowed_to)
+    end
+
+    def add_missing_policy_error_for(record, attribute:)
+      record.errors.add(
+        attribute,
+        "does not have #{action_name.to_s.inspect} action policy defined"
+      )
+    end
+
+    def add_not_permitted_error_for(record, attribute:)
+      record.errors.add(
+        attribute,
+        "action #{action_name.to_s.inspect} is not allowed"
+      )
+    end
+  end
+end

data/lib/resource_policy/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ResourcePolicy
+  VERSION = '1.0.0'
+end

data/lib/resource_policy.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'resource_policy/version'
+
+# Root namespace
+module ResourcePolicy
+  class Error < StandardError; end
+
+  require 'resource_policy/policy'
+  # Your code goes here...
+end

data/resource_policy.gemspec

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'resource_policy/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'resource_policy'
+  spec.version       = ResourcePolicy::VERSION
+  spec.authors       = ['Povilas Jurcys']
+  spec.email         = ['po.jurcys@gmail.com']
+
+  spec.summary       = "Access control for single resource and it's methods"
+  spec.homepage      = 'https://github.com/samesystem/resource_policy'
+  spec.license       = 'MIT'
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['homepage_uri'] = spec.homepage
+    spec.metadata['source_code_uri'] = 'https://github.com/samesystem/resource_policy'
+    spec.metadata['changelog_uri'] = \
+      "https://github.com/samesystem/resource_policy/blob/v#{ResourcePolicy::VERSION}/CHANGELOG.md"
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'pry-byebug'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-performance'
+  spec.add_development_dependency 'rubocop-rails'
+  spec.add_development_dependency 'rubocop-rspec'
+  spec.add_development_dependency 'rails', '~> 7.0.0'
+end

metadata

@@ -0,0 +1,212 @@
+--- !ruby/object:Gem::Specification
+name: resource_policy
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Povilas Jurcys
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2023-02-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 7.0.0
+description: 
+email:
+- po.jurcys@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ruby.yml"
+- ".gitignore"
+- ".hound.yml"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- Rakefile
+- bin/console
+- bin/setup
+- docs/.nojekyll
+- docs/README.md
+- docs/_sidebar.md
+- docs/components/action_validator.md
+- docs/components/actions_policy.md
+- docs/components/attributes_policy.md
+- docs/components/policy.md
+- docs/index.html
+- lib/resource_policy.rb
+- lib/resource_policy/policy.rb
+- lib/resource_policy/policy/action_policy_configuration.rb
+- lib/resource_policy/policy/actions_policy.rb
+- lib/resource_policy/policy/actions_policy/action_policy.rb
+- lib/resource_policy/policy/actions_policy/actions_policy_model.rb
+- lib/resource_policy/policy/attributes_policy.rb
+- lib/resource_policy/policy/attributes_policy/attribute_configuration.rb
+- lib/resource_policy/policy/attributes_policy/attribute_policy.rb
+- lib/resource_policy/policy/attributes_policy/attributes_policy_model.rb
+- lib/resource_policy/policy/merge_policies.rb
+- lib/resource_policy/policy/policy_configuration.rb
+- lib/resource_policy/protected_resource.rb
+- lib/resource_policy/rails.rb
+- lib/resource_policy/validators/action_policy_validator.rb
+- lib/resource_policy/version.rb
+- resource_policy.gemspec
+homepage: https://github.com/samesystem/resource_policy
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/samesystem/resource_policy
+  source_code_uri: https://github.com/samesystem/resource_policy
+  changelog_uri: https://github.com/samesystem/resource_policy/blob/v1.0.0/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key: 
+specification_version: 4
+summary: Access control for single resource and it's methods
+test_files: []