rubycs-declarative_authorization 0.3.0

data/CHANGELOG

@@ -0,0 +1,70 @@
+
+** RELEASE 0.3 (April 20, 2009) **
+
+* New option :join_by for has_permission_on to allow AND'ing of statements in one has_permission_on block [sb]
+
+* Allow using_access_control to be called directly on ActiveRecord::Base, globally enabling model security [sb]
+
+* New operator:  intersects_with, comparing two Enumerables in if_attribute [sb]
+
+* Improved if_permitted_to syntax:  if the attribute is left out, permissions are checked on for the current object [sb]
+
+* Added #has_role_with_hierarchy? method to retrieve explicit and calculated roles [jeremyf]
+
+* Added a simple rules analyzer to help improve authorization rules [sb]
+
+* Gemified plugin.  Needed to restructure the lib path contents [sb]
+
+* Added handling of Authorization::AuthorizationInController::ClassMethods.filter_access_to parameters that are of the form [:show, :update] instead of just :show, :update. [jeremyf]
+
+* Added authorization usage helper for checking filter_access_to usage in controllers [sb]
+
+* Added a authorization rules browser.  See README for more information [sb]
+
+* Added Model.using_access_control? to check if a model has model security activated [sb]
+
+* Changed Authorization::ObligationScope#map_table_alias_for [Brian Langenfeld]
+  * Fixed to prevent bad aliases from being produced.
+
+* Changed Authorization::Attribute#validate? [Brian Langenfeld]
+  * Encountering a nil value when evaluating an attribute now raises a NilAttributeValueError, instead of an AuthorizationError.  We leave it to the caller to decide what to do about it.
+
+* Changed Authorization::Engine#permit! [Brian Langenfeld]
+  * We now convert incoming privileges to symbols (e.g. 'read' is made equivalent to :read).  This ensures the privileges will match those defined in the authorization rules file.
+  * The method now properly infers context when checking against an association (e.g. user.posts).  We do this by leveraging ActiveRecord builder method 'new' to instantiate a proper object we can work with.
+  * When testing rules for positive results (via Authorization::Attribute#validate?), we now rescue NilAttributeValueError exceptions, simply causing the rule to return a negative result (instead of barfing).
+
+* Changed Authorization::ObligationScope#rebuild_join_options! [Brian Langenfeld]
+  * If we're dealing with multiple obligations we have to check (i.e. ones that result in OR'd conditions), we now use :include instead of :joins for our generated scope.  This does seem like a kludge, but until ActiveRecord scopes support unions (for checking obligations individually and consolidating the results), we don't have much choice.  Something to revisit later, for sure.
+
+** RELEASE 0.2 (February 2, 2009) **
+
+* added negative operators: is_not, not_in, does_not_contain [sb]
+
+* changed user.roles to user.role_symbols to reduce interferance with associations [sb]
+
+* Ruby 1.9 and Rails 2.3 compatibility [sb]
+
+* if_permitted_to for has_permission_on blocks for DRYer auth rules [sb]
+
+* ObligationScope rewrite of query rewriting [Brian Langenfeld]
+
+* changed exception hierarchy to begin at StandardError [sb]
+
+* :is_in operator [sb]
+
+* added has_role? helper [sb]
+
+* made plugin thread-safe [sb]
+
+* added maintenance and test helpers [sb]
+
+* changed default permission denied response to 403 Forbidden [sb]
+
+* descriptions for titles and roles [sb]
+
+* fixed for PostgreSQL [Mark Mansour]
+
+* improved DSL syntax: allow for array of contexts in has_permission_on [sb]
+
+** RELEASE 0.1 (August 22, 2008) **

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,9 @@
+= Declarative Authorization with I18n support
+
+This is a fork of Steffen Bartsch's declarative_authorization[http://github.com/stffn/declarative_authorization/tree] equipped with localization
+based on Rails default I18n.
+
+
+= Usage
+
+

data/Rakefile

@@ -0,0 +1,43 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the authorization plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the authorization plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Authorization'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.options << '--charset' << 'utf-8'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('CHANGELOG')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+# load up garlic if it's here
+if File.directory?(File.join(File.dirname(__FILE__), 'garlic'))
+  require File.join(File.dirname(__FILE__), 'garlic/lib/garlic_tasks')
+  require File.join(File.dirname(__FILE__), 'garlic')
+end
+
+desc "clone the garlic repo (for running ci tasks)"
+task :get_garlic do
+  sh "git clone git://github.com/ianwhite/garlic.git garlic"
+end
+
+desc "Expand filelist in src gemspec"
+task :build_gemspec do
+  gemspec_data = File.read("declarative_authorization.gemspec.src")
+  gemspec_data.gsub!(/\.files = (.*)/) {|m| ".files = #{eval($1).inspect}"}
+  File.open("declarative_authorization.gemspec", "w") {|f| f.write(gemspec_data)}
+end
+

data/app/controllers/authorization_rules_controller.rb

@@ -0,0 +1,114 @@
+if Authorization::activate_authorization_rules_browser?
+
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization authorization_rules_analyzer})
+
+begin
+  # for nice auth_rules output:
+  require "parse_tree"
+  require "parse_tree_extensions"
+  require "ruby2ruby"
+rescue LoadError; end
+
+class AuthorizationRulesController < ApplicationController
+  unloadable
+  
+  filter_access_to :all, :require => :read
+  def index
+    respond_to do |format|
+      format.html do
+        @auth_rules_script = File.read("#{RAILS_ROOT}/config/authorization_rules.rb")
+      end
+    end
+  end
+
+  def graph
+    if params[:format] == "svg"
+      render :text => dot_to_svg(auth_to_dot(graph_options)),
+          :content_type => "image/svg+xml"
+    end
+  end
+
+  private
+  def auth_to_dot (options = {})
+    options = {
+      :effective_role_privs => true,
+      :privilege_hierarchy => false,
+      :only_relevant_contexts => true,
+      :filter_roles => nil,
+      :filter_contexts => nil,
+      :highlight_privilege => nil
+    }.merge(options)
+
+    @highlight_privilege = options[:highlight_privilege]
+    @roles = authorization_engine.roles
+    @roles = @roles.select {|r| r == options[:filter_roles] } if options[:filter_roles]
+    @role_hierarchy = authorization_engine.role_hierarchy
+    @privilege_hierarchy = authorization_engine.privilege_hierarchy
+    
+    @contexts = authorization_engine.auth_rules.
+                    collect {|ar| ar.contexts.to_a}.flatten.uniq
+    @contexts = @contexts.select {|c| c == options[:filter_contexts] } if options[:filter_contexts]
+    @context_privs = {}
+    @role_privs = {}
+    authorization_engine.auth_rules.each do |auth_rule|
+      @role_privs[auth_rule.role] ||= []
+      auth_rule.contexts.
+            select {|c| options[:filter_contexts].nil? or c == options[:filter_contexts]}.
+            each do |context|
+        @context_privs[context] ||= []
+        @context_privs[context] += auth_rule.privileges.to_a
+        @context_privs[context].uniq!
+        @role_privs[auth_rule.role] += auth_rule.privileges.collect {|p| [context, p, auth_rule.attributes.empty?, auth_rule.to_long_s]}
+      end
+    end
+
+    if options[:effective_role_privs]
+      @roles.each do |role|
+        @role_privs[role] ||= []
+        (@role_hierarchy[role] || []).each do |lower_role|
+          @role_privs[role].concat(@role_privs[lower_role]).uniq!
+        end
+      end
+    end
+
+    if options[:only_relevant_contexts]
+      @contexts.delete_if {|context| @roles.all? {|role| !@role_privs[role] || !@role_privs[role].any? {|info| info[0] == context}}}
+    end
+    
+    if options[:privilege_hierarchy]
+      @context_privs.each do |context, privs|
+        privs.each do |priv|
+          context_lower_privs = (@privilege_hierarchy[priv] || []).
+                                  select {|p,c| c.nil? or c == context}.
+                                  collect {|p,c| p}
+          privs.concat(context_lower_privs).uniq!
+        end
+      end
+    end
+    
+    render_to_string :template => 'authorization_rules/graph.dot.erb', :layout => false
+  end
+  
+  def dot_to_svg (dot_data)
+    gv = IO.popen("#{Authorization.dot_path} -q -Tsvg", "w+")
+    gv.puts dot_data
+    gv.close_write
+    gv.read
+  rescue IOError, Errno::EPIPE => e
+    raise Exception, "#{I18n.t(:error_in_call_to_graphviz, :scope => [:declarative_authorization])}: #{e}"
+  end
+  
+  def graph_options
+    {
+      :effective_role_privs => !params[:effective_role_privs].blank?,
+      :privilege_hierarchy => !params[:privilege_hierarchy].blank?,
+      :filter_roles => params[:filter_roles].blank? ? nil : params[:filter_roles].to_sym,
+      :filter_contexts => params[:filter_contexts].blank? ? nil : params[:filter_contexts].to_sym,
+      :highlight_privilege => params[:highlight_privilege].blank? ? nil : params[:highlight_privilege].to_sym
+    }
+  end
+end
+
+else
+class AuthorizationRulesController < ApplicationController; end
+end # activate_authorization_rules_browser?

data/app/controllers/authorization_usages_controller.rb

@@ -0,0 +1,23 @@
+if Authorization::activate_authorization_rules_browser?
+
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization maintenance})
+
+class AuthorizationUsagesController < ApplicationController
+  unloadable
+  
+  helper :authorization_rules
+  filter_access_to :all, :require => :read
+  # TODO set context?
+
+  def index
+    respond_to do |format|
+      format.html do
+        @auth_usages_by_controller = Authorization::Maintenance::Usage.usages_by_controller
+      end
+    end
+  end
+end
+
+else
+class AuthorizationUsagesController < ApplicationController; end
+end # activate_authorization_rules_browser?

data/app/helpers/authorization_rules_helper.rb

@@ -0,0 +1,100 @@
+module AuthorizationRulesHelper
+  def syntax_highlight (rules)
+    regexps = {
+      :constant => [/(:)(\w+)/], 
+      :proc => ['role', 'authorization', 'privileges'],
+      :statement => ['has_permission_on', 'if_attribute', 'includes', 'privilege', 'to'],
+      :operator => ['is', 'contains'],
+      :special => ['user', 'true', 'false'],
+      :preproc => ['do', 'end', /()(=>)/, /()(\{)/, /()(\})/, /()(\[)/, /()(\])/],
+      :comment => [/()(#.*$)/]#,
+      #:privilege => [:read],
+      #:context => [:conferences]
+    }
+    regexps.each do |name, res|
+      res.each do |re|
+        rules.gsub!(
+          re.is_a?(String) ? Regexp.new("(^|[^:])\\b(#{Regexp.escape(re)})\\b") :
+             (re.is_a?(Symbol) ? Regexp.new("()(:#{Regexp.escape(re.to_s)})\\b") : re), 
+          "\\1<span class=\"#{name}\">\\2</span>")
+      end
+    end
+    rules
+  end
+
+  def policy_analysis_hints (marked_up, policy_data)
+    analyzer = Authorization::Analyzer.new(controller.authorization_engine)
+    analyzer.analyze(policy_data)
+    marked_up_by_line = marked_up.split("\n")
+    reports_by_line = analyzer.reports.inject({}) do |memo, report|
+      memo[report.line] ||= []
+      memo[report.line] << report
+      memo
+    end
+    reports_by_line.each do |line, reports|
+      note = %Q{<span class="note" title="#{reports.first.type}: #{reports.first.message}">[i]</span>}
+      marked_up_by_line[line - 1] = note + marked_up_by_line[line - 1]
+    end
+    marked_up_by_line * "\n"
+  end
+  
+  def link_to_graph (title, options = {})
+    type = options[:type] || ''
+    link_to_function title, "$$('object')[0].data = '#{url_for :action => 'index', :format => 'svg', :type => type}'"
+  end
+  
+  def navigation
+    link_to(I18n.t(:rules, :scope => [:declarative_authorization]), authorization_rules_path) << ' | ' <<
+    link_to(I18n.t(:graphical_view, :scope => [:declarative_authorization]), graph_authorization_rules_path) << ' | ' <<
+    link_to(I18n.t(:usages, :scope => [:declarative_authorization]), authorization_usages_path) #<< ' | ' <<
+  #  'Edit | ' <<
+  #  link_to("XACML export", :action => 'index', :format => 'xacml')
+  end
+  
+  def role_color (role, fill = false)
+    fill_colors = %w{#ffdddd #ddffdd #ddddff #ffffdd #ffddff #ddffff}
+    colors = %w{#dd0000 #00dd00 #0000dd #dddd00 #dd00dd #00dddd}
+    @@role_colors ||= {}
+    @@role_colors[role] ||= begin
+      idx = @@role_colors.length % colors.length
+      [colors[idx], fill_colors[idx]]
+    end
+    @@role_colors[role][fill ? 1 : 0]
+  end
+  
+  def role_fill_color (role)
+    role_color(role, true)
+  end
+
+  def auth_usage_info_classes (auth_info)
+    classes = []
+    if auth_info[:controller_permissions]
+      if auth_info[:controller_permissions][0]
+        classes << "catch-all" if auth_info[:controller_permissions][0].actions.include?(:all)
+        classes << "default-privilege" unless auth_info[:controller_permissions][0].privilege
+        classes << "default-context" unless auth_info[:controller_permissions][0].context
+        classes << "no-attribute-check" unless auth_info[:controller_permissions][0].attribute_check
+      end
+    else
+      classes << "unprotected"
+    end
+    classes * " "
+  end
+
+  def auth_usage_info_title (auth_info)
+    titles = []
+    if auth_usage_info_classes(auth_info) =~ /unprotected/
+      titles << I18n.t(:no_filter_access_to_call_protects_this_action, :scope => [:declarative_authorization])
+    end
+    if auth_usage_info_classes(auth_info) =~ /no-attribute-check/
+      titles << I18n.t(:action_is_not_protected_with_attribute_check, :scope => [:declarative_authorization])
+    end
+    if auth_usage_info_classes(auth_info) =~ /default-privilege/
+      titles << I18n.t(:privilege_set_automatically_from_action_name_by_all_rule, :scope => [:declarative_authorization])
+    end
+    if auth_usage_info_classes(auth_info) =~ /default-context/
+      titles << I18n.t(:context_set_automatically_from_controller_name_by_filter_access_to_call_without_context_option, :scope => [:declarative_authorization])
+    end
+    titles * ". "
+  end
+end

data/app/views/authorization_rules/graph.dot.erb

@@ -0,0 +1,49 @@
+
+digraph rules {
+  compound = true
+  edge [arrowhead=open]
+  node [shape=box,fontname="sans-serif",fontsize="16"]
+  fontname="sans-serif";fontsize="16"
+  ranksep = "0.3"
+  //concentrate = true
+  rankdir = TB
+  {
+    node [shape=ellipse,style=filled]
+    //rank = source
+    <% @roles.each do |role| %>
+    "<%= role.inspect %>" [fillcolor="<%= role_fill_color(role) %>"]
+    // ,URL="javascript:set_filter({roles: '<%= role %>'})"
+    <% end %>
+    <% @roles.each do |role| %>
+        <% (@role_hierarchy[role] || []).each do |lower_role| %>
+            "<%= role.inspect %>" -> "<%= lower_role.inspect %>" [constraint=false,arrowhead=empty]
+        <% end %>
+    <% end %>
+  }
+
+  <% @contexts.each do |context| %>
+    subgraph cluster_<%= context %>  {
+      label = "<%= context.inspect %>"
+      style=filled; fillcolor="#eeeeee"
+      node[fillcolor=white,style=filled]
+      <% (@context_privs[context] || []).each do |priv| %>
+      <%= priv %>_<%= context %> [label="<%= priv.inspect %>"<%= ',fontcolor="#ff0000"' if @highlight_privilege == priv %>]
+      <% end %>
+      <% (@context_privs[context] || []).each do |priv| %>
+        <% (@privilege_hierarchy[priv] || []).
+                select {|p,c| (c.nil? or c == context) and @context_privs[context].include?(p)}.
+                each do |lower_priv, c| %>
+      <%= priv %>_<%= context %> -> <%= lower_priv %>_<%= context %> [arrowhead=empty]
+        <% end %>
+      <% end %>
+      //read_conferences -> update_conferences [style=invis]
+      //create_conferences -> delete_conferences [style=invis]
+    }
+  <% end %>
+
+  <% @roles.each do |role| %>
+    <% (@role_privs[role] || []).each do |context, privilege, unconditionally, attribute_string| %>
+  "<%= role.inspect %>" -> <%=  privilege %>_<%= context %> [color="<%= role_color(role) %>", minlen=3<%= ", arrowhead=opendot, URL=\"javascript:\", edgetooltip=\"#{attribute_string.gsub('"','')}\"" unless unconditionally %>]
+    <% end %>
+  <% end %>
+}

data/app/views/authorization_rules/graph.html.erb

@@ -0,0 +1,39 @@
+<h1><%= I18n.t(:authorization_rules_graph, :scope => [:declarative_authorization]) %></h1>
+<p><%= I18n.t(:currently_active_rules_in_this_application, :scope => [:declarative_authorization]) %></p>
+<p><%= navigation %></p>
+
+<% javascript_tag do %>
+    function update_graph (form) {
+        base_url = "<%= url_for :format => 'svg' %>";
+        $('graph').data = base_url + '?' + form.serialize();
+    }
+
+    function set_filter (filter) {
+        for (f in filter) {
+            var select = $("filter_" + f);
+            if (select) {
+                var opt = select.down("option[value='"+ filter[f] + "']");
+                if (opt) {
+                    opt.selected = true;
+                    update_graph(select.form);
+                }
+            }
+        }
+    }
+<% end %>
+<p>
+  <% form_tag do %>
+  <%#= link_to_graph I18n.t(:rules, :scope => [:declarative_authorization]) %>
+  <%#= link_to_graph I18n.t(:privilege_hierarchy, :scope => [:declarative_authorization]), :type => 'priv_hierarchy' %>
+  
+  <%= select_tag "filter_roles", options_for_select([[I18n.t(:all_rules, :scope => [:declarative_authorization]),'']] + controller.authorization_engine.roles.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
+  <%= select_tag "filter_contexts", options_for_select([[I18n.t(:all_contexts, :scope => [:declarative_authorization]),'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
+  <%= check_box_tag "effective_role_privs", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "effective_role_privs", I18n.t(:effective_privileges, :scope => [:declarative_authorization]) %>
+  <%= check_box_tag "privilege_hierarchy", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "privilege_hierarchy", I18n.t(:show_full_privilege_hierarchy, :scope => [:declarative_authorization])  %>
+  <% end %>
+</p>
+<div style="margin: 1em;border:1px solid #ccc;max-width:95%">
+<object id="graph" data="<%= url_for :format => 'svg' %>" type="image/svg+xml" style="max-width:100%"/>
+</div>
+<%= button_to_function I18n.t(:zoom_in, :scope => [:declarative_authorization]), '$("graph").style.maxWidth = "";$(this).toggle();$(this).next().toggle()' %>
+<%= button_to_function I18n.t(:zoom_out, :scope => [:declarative_authorization]), '$("graph").style.maxWidth = "100%";$(this).toggle();$(this).previous().toggle()', :style => 'display:none' %>