rushiro 1.0.0

data/Gemfile

@@ -0,0 +1,2 @@
+source :rubygems
+gemspec

data/Rakefile

@@ -0,0 +1,161 @@
+require 'date'
+require 'rspec/core/rake_task'
+
+#############################################################################
+#
+# Helper functions
+#
+#############################################################################
+
+def name
+  @name ||= Dir['*.gemspec'].first.split('.').first
+end
+
+def version
+  line = File.read("lib/#{name}/version.rb")[/^\s*VERSION\s*=\s*.*/]
+  line.match(/.*VERSION\s*=\s*['"](.*)['"]/)[1]
+end
+
+def date
+  Date.today.to_s
+end
+
+def rubyforge_project
+  name
+end
+
+def gemspec_file
+  "#{name}.gemspec"
+end
+
+def gem_file
+  "#{name}-#{version}.gem"
+end
+
+def replace_header(head, header_name, provider = nil)
+  if provider
+    value = send(provider)
+  else
+    value = "'#{send(header_name)}'"
+  end
+
+  provider ||= header_name
+  head.sub!(/(\.#{header_name}\s*= ).*/) { "#{$1}#{value}"}
+end
+
+def platform
+  jruby? ? '-java' : ''
+end
+
+def platform_dependant_gem_file
+  "#{name}-#{version}#{platform}.gem"
+end
+
+def platform_dependent_version
+  "'#{version}#{platform}'"
+end
+
+def jruby?
+  RUBY_PLATFORM.to_s == 'java'
+end
+
+def trim_array_ends array
+  array.shift
+  array.pop
+  array
+end
+
+#############################################################################
+#
+# Custom tasks
+#
+#############################################################################
+
+default_rspec_opts = %w[--colour --format Fuubar]
+
+desc "Run all examples"
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.rspec_opts = default_rspec_opts
+end
+
+#############################################################################
+#
+# Packaging tasks
+#
+#############################################################################
+
+def built_gem
+  @built_gem ||= Dir["#{name}*.gem"].first
+end
+
+desc "Create tag v#{platform_dependent_version} and build and push #{platform_dependant_gem_file} to Rubygems"
+task :release => :build do
+  unless `git branch` =~ /^\* master$/
+    puts "You must be on the master branch to release!"
+    exit!
+  end
+
+  sh "git commit --allow-empty -a -m 'Release #{platform_dependent_version}'"
+  sh "git tag v#{platform_dependent_version}"
+  sh "git push origin master"
+  sh "git push origin v#{platform_dependent_version}"
+
+  command = "gem push pkg/#{platform_dependant_gem_file}"
+
+  if jruby?
+    puts "--------------------------------------------------------------------------------------"
+    puts "can't push to rubygems using jruby at the moment, so switch to mri and run: #{command}"
+    puts "--------------------------------------------------------------------------------------"
+  else
+    sh command
+  end
+end
+
+desc "Build #{platform_dependant_gem_file} into the pkg directory"
+task :build => :gemspec do
+  sh "mkdir -p pkg"
+  sh "gem build #{gemspec_file}"
+  sh "mv #{built_gem} pkg"
+end
+
+desc "Generate #{gemspec_file}"
+task :gemspec => :validate do
+  # read spec file and split out manifest section
+  spec = File.read(gemspec_file)
+  head, manifest, tail = spec.split("  # = MANIFEST =\n")
+
+  # replace name version and date
+  replace_header(head, :name)
+  replace_header(head, :version)
+  replace_header(head, :date)
+  #comment this out if your rubyforge_project has a different name
+  #replace_header(head, :rubyforge_project)
+
+  # determine file list from git ls-files
+  files = `git ls-files`.
+    split("\n").
+    sort.
+    reject { |file| file =~ /^\./ }.
+    reject { |file| file =~ /^(rdoc|pkg)/ }.
+    map { |file| "    #{file}" }.
+    join("\n")
+
+  # piece file back together and write
+  manifest = "  s.files = %w[\n#{files}\n  ]\n"
+  spec = [head, manifest, tail].join("  # = MANIFEST =\n")
+  File.open(gemspec_file, 'w') { |io| io.write(spec) }
+  puts "Updated #{gemspec_file}"
+end
+
+desc "Validate #{gemspec_file}"
+task :validate do
+  libfiles = Dir['lib/*'] - ["lib/#{name}.rb", "lib/#{name}"]
+  unless libfiles.empty?
+    puts "Directory `lib` should only contain a `#{name}.rb` file and `#{name}` dir."
+    exit!
+  end
+  unless Dir['VERSION*'].empty?
+    puts "A `VERSION` file at root level violates Gem best practices."
+    exit!
+  end
+end

data/lib/rushiro.rb

@@ -0,0 +1,4 @@
+%w[permission permissions access_levels access_control_hash deny_based_control allow_based_control].each do |file|
+  require "rushiro/#{file}"
+end
+

data/lib/rushiro/access_control_hash.rb

@@ -0,0 +1,50 @@
+module Rushiro
+  GSEP = '|'
+  FSEP = ','
+  class AccessControlHash
+    attr_reader :allows, :denies, :original, :dirty
+    def initialize(hash)
+      @allows = AccessLevels.new(hash[:allows] || {})
+      @denies = AccessLevels.new(hash[:denies] || {})
+      @dirty = false
+      @original = hash
+    end
+
+    def permitted?(perm)
+      # virtual
+    end
+
+    def add_permission(perm) #as string "allow|individual|domain(|action(|instance))"
+      grant, rest = perm.split(GSEP, 2)
+      case grant
+      when 'allows'
+        @allows.add_permission(rest) and @dirty = true
+      when 'denies'
+        @denies.add_permission(rest) and @dirty = true
+      else
+        raise ArgumentError.new("Could not add permission for type: #{grant} of #{perm}")
+      end
+    end
+
+    def remove_permission(perm) #as string "allow|individual|domain(|action(|instance))"
+      grant, rest = perm.split(GSEP, 2)
+      case grant
+      when 'allows'
+        @allows.remove_permission(rest) and @dirty = true
+      when 'denies'
+        @denies.remove_permission(rest) and @dirty = true
+      else
+        raise ArgumentError.new("Could not remove permission for type: #{grant} of #{perm}")
+      end
+    end
+
+    def serialize
+      unless @dirty
+        @original
+      else
+        Hash[:allows, @allows.serialize, :denies, @denies.serialize]
+      end
+    end
+  end
+
+end

data/lib/rushiro/access_levels.rb

@@ -0,0 +1,45 @@
+module Rushiro
+  class AccessLevels
+    attr_reader :individual, :organization, :musicglue
+    def initialize(hash)
+      @individual = Permissions.new(hash[:individual] || [])
+      @organization = Permissions.new(hash[:organization] || [])
+      @system = Permissions.new(hash[:system] || [])
+    end
+
+    def permitted?(perm)
+      @system.permitted?(perm) || @organization.permitted?(perm) || @individual.permitted?(perm)
+    end
+
+    def add_permission(perm)
+      level, rest = perm.split(GSEP, 2)
+      case level
+      when 'individual'
+        @individual.add_permission(rest)
+      when 'organization'
+        @organization.add_permission(rest)
+      when 'system'
+        @system.add_permission(rest)
+      else
+        raise ArgumentError.new("Could not add permission for level: #{level} of #{level}#{SEP}#{perm}")
+      end
+    end
+
+    def remove_permission(perm)
+      level, rest = perm.split(GSEP, 2)
+      case level
+      when 'individual'
+        @individual.remove_permission(rest)
+      when 'organization'
+        @organization.remove_permission(rest)
+      when 'system'
+        @system.remove_permission(rest)
+      else
+        raise ArgumentError.new("Could not remove permission for level: #{level} of #{level}#{SEP}#{rest}")
+      end
+    end
+    def serialize
+      Hash[:individual, @individual.serialize, :organization, @organization.serialize, :system, @system.serialize]
+    end
+  end
+end

data/lib/rushiro/allow_based_control.rb

@@ -0,0 +1,8 @@
+module Rushiro
+  class AllowBasedControl < AccessControlHash
+    def permitted?(perm)
+      return false if !@dirty && @original.empty?
+      @allows.permitted?(perm)
+    end
+  end
+end

data/lib/rushiro/deny_based_control.rb

@@ -0,0 +1,9 @@
+module Rushiro
+  class DenyBasedControl < AccessControlHash
+    def permitted?(perm)
+      return true if !@dirty && @original.empty?
+      return false if @denies.permitted?(perm)
+      true
+    end
+  end
+end

data/lib/rushiro/permission.rb

@@ -0,0 +1,41 @@
+module Rushiro
+  class Permission
+    attr_reader :parts, :original, :size
+
+    WildCard = :*
+
+    def initialize(permission)
+      raise ArgumentError.new("Invalid permission, empty string") if permission.empty?
+      @original = permission
+      @parts = permission.split(GSEP).map {|part| part.split(FSEP).map(&:to_sym)}
+      @size = @parts.size
+    end
+
+    def implied?(perm)
+      if perm.include?(FSEP)
+        msg = "Field separator: #{FSEP} used in input. Be specific, one of domain, action or instance per section."
+        raise ArgumentError.new(msg)
+      end
+      array = perm.split(GSEP).map(&:to_sym)
+      array.each_with_index do |part_sym, idx|
+        # If the permission has less parts than the permission being tested, everything after the number
+        # of parts contained in this permission is automatically implied, so return true
+        break if @size.pred < idx
+        return false if (@parts[idx] & [WildCard, part_sym]).empty?
+      end
+      true
+    end
+
+    def ==(other)
+      return false unless @size == other.size
+      @parts.each_with_index do |part, idx|
+        return false unless (part - other.parts[idx]).empty?
+      end
+      true
+    end
+
+    def serialize
+      @parts.map { |part| part.map(&:to_s).join(FSEP) }.join(GSEP)
+    end
+  end
+end

data/lib/rushiro/permissions.rb

@@ -0,0 +1,30 @@
+module Rushiro
+  class Permissions
+    attr_reader :permissions
+    def initialize(entries)
+      @permissions = entries.map do |permission|
+        Permission.new(permission)
+      end || []
+    end
+
+    def permitted?(perm)
+      return nil if @permissions.empty?
+      @permissions.any? { |permission| permission.implied?(perm) }
+    end
+
+    def add_permission(perm)
+      to_add = Permission.new(perm)
+      return false if @permissions.any?{|_p| _p == to_add}
+      @permissions << to_add
+      true
+    end
+
+    def remove_permission(perm)
+      !!@permissions.delete(Permission.new(perm))
+    end
+
+    def serialize
+      @permissions.map(&:serialize)
+    end
+  end
+end

data/lib/rushiro/version.rb

@@ -0,0 +1,3 @@
+module Rushiro
+  VERSION = "1.0.0"
+end

data/readme.md

@@ -0,0 +1,108 @@
+# Description
+
+## Summary
+
+Rushiro takes a source hash (of permissions definitions) and gives you an object that
+you use to test for permitted access.
+
+## Strategies
+
+- Deny all allow some, use the AllowBasedControl class
+- Allow all deny some, use the DenyBasedControl class
+
+## Permissions
+
+Manages explicit permissions. It lets you define 'allows' or 'denies' permissions.
+You can define level based permissions i.e. individual, organization or 
+system. Organization or system levels are meant for short term overrides.
+Set long term permissions at the individual level.
+
+For more information on this check out [Apache Shiro permissions][shiro_p].
+
+The permission part has three pipe separated sections, domain, action and instance:
+
+- Domain - aka resources, e.g. webpages, db entities, domain models or services
+- Action - these entries are from the set of actions available for the domain
+- Instance - these entries are 'labels' you have given to instances of the domain,
+  e.g. a particular webpage, a uuid or unique id of a db record
+Note: Multiple comma separated entries are allowed, as is the * wildcard
+
+
+example: this hash is processed into a hierarchy of objects
+``` ruby
+perm = {
+  allows: {
+    individual: [
+      "feature|create,read,update|feat-x",
+      "page|*|posts",
+      "company|read"
+      "company|update|5b90a720-e6b0-012e-dc18-782bcb979e60"
+    ],
+    organization: [],
+    system: []
+  },
+  denies: {}
+}
+
+access_control = AllowBasedControl.new(perm)
+access_control.permitted?("company|read|5b90a720-e6b0-012e-dc18-782bcb979e60") ==> true
+access_control.permitted?("feature|delete|feat-x") ==> false
+```
+
+Read the specs for more usage examples.
+
+## Source Hash
+
+Typically the source hash will be stored in a document database directly as a hash field
+in the User record (see [Subject][shiro_s]). In most cases this would be the current_users db document.
+
+## Authorization
+
+The permitted?(permission) method is called to check authorization. The string you pass
+in is obtained from metadata in your application.  It should be specific, exact domain,
+action and instance.
+
+# Future
+
+## Roles
+
+A chaining mechanism is needed. References to other Rushiro control objects are assigned
+to the current_user's Rushiro control and permission is tested through the chain.
+
+## Mixed Mode
+
+The jury is still out on whether it is practical to have a mixture of allows and denies.
+
+# Development
+
+* Source hosted at [GitHub][repo]
+* Report issues/Questions/Feature requests on [GitHub Issues][issues]
+
+Pull requests are very welcome! Make sure your patches are well tested.
+Ideally create a topic branch for every separate change you make.
+
+# License and Authors
+
+Author:: Guy Boertje (<guyboertje@gmail.com>)
+Author:: Lee Henson (<leemhenson@gmail.com>)
+
+Contributors:: https://github.com/guyboertje/rushiro/contributors
+
+Copyright (c) 2011, Guy Boertje
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+[repo]:         https://github.com/guyboertje/rushiro
+[issues]:       https://github.com/guyboertje/rushiro/issues
+[shiro_p]:      http://shiro.apache.org/permissions.html
+[shiro_s]:      http://shiro.apache.org/subject.html

data/rushiro.gemspec

@@ -0,0 +1,37 @@
+Gem::Specification.new do |s|
+  s.name        = 'rushiro'
+  s.version     = '1.0.0'
+  s.date        = '2011-11-03'
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ['Lee Henson', 'Guy Boertje']
+  s.email       = ['lee.m.henson@gmail.com', 'guyboertje@gmail.com']
+  s.homepage    = "http://github.com/guyboertje/rushiro"
+  s.summary     = %q{Explicit permissions inspired by Apache Shiro}
+  s.description = %q{}
+
+  # = MANIFEST =
+  s.files = %w[
+    Gemfile
+    Rakefile
+    lib/rushiro.rb
+    lib/rushiro/access_control_hash.rb
+    lib/rushiro/access_levels.rb
+    lib/rushiro/allow_based_control.rb
+    lib/rushiro/deny_based_control.rb
+    lib/rushiro/permission.rb
+    lib/rushiro/permissions.rb
+    lib/rushiro/version.rb
+    readme.md
+    rushiro.gemspec
+    spec/access_control_spec.rb
+    spec/spec_helper.rb
+  ]
+  # = MANIFEST =
+
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+
+  s.add_development_dependency  'awesome_print',      '~> 0.4.0'
+  s.add_development_dependency  'fuubar',             '~> 0.0.0'
+  s.add_development_dependency  'rspec',              '~> 2.6.0'
+end

data/spec/access_control_spec.rb

@@ -0,0 +1,63 @@
+require "spec_helper"
+
+module Rushiro
+  describe "Allow all deny some Access Control" do
+    let(:access_control) { DenyBasedControl.new(acl)}
+    describe "with no set permissions" do
+      let(:acl) { Hash.new }
+      it "should deny all" do
+        access_control.permitted?("page|view|posts").should be_true
+        access_control.serialize.should == {}
+        access_control.dirty.should be_false
+      end
+    end
+
+    describe "when adding a denies permission" do
+      let(:acl) { Hash.new }
+      it "should add the permission" do
+        access_control.add_permission("denies|individual|company|edit|acme-123")
+        access_control.dirty.should be_true
+        access_control.serialize.should_not == {}
+        access_control.permitted?("page|view|posts").should be_true
+        access_control.permitted?("company|view|acme-125").should be_true
+        access_control.permitted?("company|edit|acme-123").should be_false
+      end
+    end
+
+    describe "when removing a denies permission" do
+      let(:acl) { Hash.new }
+      it "should remove the permission" do
+        access_control.add_permission("denies|individual|company|edit|acme-123")
+        access_control.add_permission("denies|organization|page|edit")
+        access_control.permitted?("page|view|settings").should be_true
+        access_control.permitted?("page|edit|settings").should be_false
+        access_control.permitted?("company|edit|acme-123").should be_false
+        access_control.remove_permission("denies|organization|page|edit")
+        access_control.permitted?("page|view|settings").should be_true
+        access_control.permitted?("page|edit|settings").should be_true
+        access_control.permitted?("company|edit|acme-123").should be_false
+      end
+    end
+  end
+
+  describe "Deny all allow some Access Control" do
+    let(:access_control) { AllowBasedControl.new(acl)}
+    describe "with no set permissions" do
+      let(:acl) { Hash.new }
+      it "should deny all" do
+        access_control.permitted?("page|view|posts").should be_false
+        access_control.serialize.should == {}
+        access_control.dirty.should be_false
+      end
+    end
+
+    describe "when adding an allows permission" do
+      let(:acl) { Hash.new }
+      it "should add the permission" do
+        access_control.add_permission("allows|individual|page")
+        access_control.permitted?("page|view|posts").should be_true
+        access_control.permitted?("company|edit|acme-123").should be_false
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+#$:.unshift File.expand_path("../../lib", __FILE__)
+
+require 'ap'
+#require 'cranky'
+require 'rushiro'
+
+def apr(what, header='')
+  ap "== #{header} =="
+  ap what
+  ap "="*(header.size + 6)
+end

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: rushiro
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Lee Henson
+- Guy Boertje
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-11-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: &9402520 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :development
+  prerelease: false
+  version_requirements: *9402520
+- !ruby/object:Gem::Dependency
+  name: fuubar
+  requirement: &9401920 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.0
+  type: :development
+  prerelease: false
+  version_requirements: *9401920
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &9401440 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.6.0
+  type: :development
+  prerelease: false
+  version_requirements: *9401440
+description: ''
+email:
+- lee.m.henson@gmail.com
+- guyboertje@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Rakefile
+- lib/rushiro.rb
+- lib/rushiro/access_control_hash.rb
+- lib/rushiro/access_levels.rb
+- lib/rushiro/allow_based_control.rb
+- lib/rushiro/deny_based_control.rb
+- lib/rushiro/permission.rb
+- lib/rushiro/permissions.rb
+- lib/rushiro/version.rb
+- readme.md
+- rushiro.gemspec
+- spec/access_control_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/guyboertje/rushiro
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Explicit permissions inspired by Apache Shiro
+test_files: []