sanction 0.0.1 → 2.1.0

data/lib/sanction/whitelist/list.rb

@@ -0,0 +1,34 @@
+module Sanction
+  module Whitelist
+    class List < Sanction::AttachedList
+
+      def allowed_ids
+        (wildcard_resource? || resources.include?(@key)) ? entries.map {|x| x.id} : []
+      end
+
+      def permitted?
+        return true  if wildcard_resource?
+        return false if ids_blank?
+        return true  if resources.include?(@key)
+        false
+      end
+
+      def blacklist?
+        false
+      end
+
+      def whitelist?
+        true
+      end
+
+      def denied_ids
+        []
+      end
+
+      def null_node_class
+        Sanction::Whitelist::NullNode
+      end
+
+    end
+  end
+end

data/lib/sanction/whitelist/node.rb

@@ -0,0 +1,43 @@
+module Sanction
+  module Whitelist
+    class Node < Sanction::Node
+
+      def permitted?
+        super
+        root? ? true : (@parent[type].permitted? && @parent[type].allowed_ids.include?(id))
+      end
+
+      def allow!
+        false
+      end
+
+      def deny!
+        @parent.resources << type
+        @parent.resources.uniq!
+        unlink
+        true
+      end
+
+      def whitelist?
+        true
+      end
+
+      def blacklist?
+        false
+      end
+
+      def mode
+        'whitelist'
+      end
+
+      def array_class
+        Sanction::Whitelist::List
+      end
+
+      def null_array_class
+        Sanction::Whitelist::NullList
+      end
+
+    end
+  end
+end

data/lib/sanction/whitelist/null_list.rb

@@ -0,0 +1,21 @@
+module Sanction
+  module Whitelist
+    class NullList < Sanction::Whitelist::List
+
+      def permitted?
+        return true  if wildcard_resource?
+        return true  if resources.include?(@key) && !ids_blank?
+        return false if ids_blank?
+      end
+
+      def persisted?
+        false
+      end
+
+      def null_node_class
+        Sanction::Whitelist::NullNode
+      end
+
+    end
+  end
+end

data/lib/sanction/whitelist/null_node.rb

@@ -0,0 +1,37 @@
+module Sanction
+  module Whitelist
+    class NullNode < Sanction::Whitelist::Node
+
+      def permitted?
+        a = ancestors.reject(&:root?).map(&:permitted?)
+        a << false 
+        a.all?
+      end
+
+      def allow!
+        ancestors.reject(&:persisted?).each(&:allow!)
+        @parent.resources << type
+        @parent.resources.uniq!
+        @parent.add_subject({
+          id:   id,
+          type: type
+        })
+      end
+
+      def deny!
+        false
+      end
+
+      def persisted?
+        false
+      end
+
+      def array_class
+        Sanction::Whitelist::NullList
+      end
+
+      alias :null_array_class :array_class
+
+    end
+  end
+end

data/lib/sanction.rb

@@ -1,5 +1,36 @@
+require "active_support"
+require "active_support/core_ext"
 require "sanction/version"
 
 module Sanction
-  # Your code goes here...
+
+  autoload :AttachedList,    'sanction/attached_list'
+  autoload :Tree,            'sanction/tree'
+  autoload :Node,            'sanction/node'
+  autoload :Permission,      'sanction/permission'
+
+  module Whitelist
+    autoload :List,      'sanction/whitelist/list'
+    autoload :Node,      'sanction/whitelist/node'
+    autoload :NullList,  'sanction/whitelist/null_list'
+    autoload :NullNode,  'sanction/whitelist/null_node'
+  end
+
+  module Blacklist
+    autoload :List,      'sanction/blacklist/list'
+    autoload :Node,      'sanction/blacklist/node'
+    autoload :NullList,  'sanction/blacklist/null_list'
+    autoload :NullNode,  'sanction/blacklist/null_node'
+  end
+
+  extend self
+
+  def build(hash)
+    "sanction/#{hash[:mode]}/node".classify.constantize.new(hash)
+  end
+
+  def permission(permission, *predicates)
+    Sanction::Permission.new(permission, *predicates)
+  end
+
 end

data/sanction.gemspec

@@ -6,11 +6,11 @@ require 'sanction/version'
 Gem::Specification.new do |spec|
   spec.name          = "sanction"
   spec.version       = Sanction::VERSION
-  spec.authors       = ["JGW Maxwell"]
-  spec.email         = ["john.maxwell@boardintelligence.co.uk", "adam.carlile@boardintelligence.co.uk"]
-  spec.summary       = %q{Sanction.}
-  spec.description   = %q{Sanction.}
-  spec.homepage      = "http://www.boardintelligence.co.uk"
+  spec.authors       = ["Adam Carlile", "John Maxwell"]
+  spec.email         = ["adam.carlile@boardintelligence.co.uk", "john.maxwell@boardintelligence.co.uk"]
+  spec.summary       = "A permissions gem for people who love JSON"
+  spec.description   = "Provides a JSON format for describing complex nested permission sets"
+  spec.homepage      = "http://github.com/boardiq/sanction"
   spec.license       = "MIT"
 
   spec.files         = `git ls-files -z`.split("\x0")
@@ -18,6 +18,11 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.add_dependency "activesupport"
+
+  spec.add_development_dependency "minitest"
   spec.add_development_dependency "bundler", "~> 1.6"
-  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "awesome_print"
 end

data/spec/application_spec.rb

@@ -0,0 +1,91 @@
+require 'spec_helper'
+
+# Issues lifted from the web app
+
+describe 'application issues' do
+
+  let(:permissions_hash)  { {} }
+  let(:permissions)       { Sanction.build(permissions_hash) }
+  let(:predicates)        { [] }
+  let(:permission)        { Sanction::Permission.new(permissions, *predicates)}
+
+  describe 'regular user with one allowed bookcase, but no allowed shelves' do
+    let(:permissions_hash) do
+      {
+        mode: "whitelist",
+        scope: [:read],
+        subjects: [
+          {
+            id: "948b9ace-784f-4326-aeb9-a2a0587d75b9", 
+            type: 'bookcase', 
+            mode: "whitelist", 
+            scope: [:read, :manage],
+            resources: []
+          }
+        ],
+        resources: [:bookcase]
+       }
+    end
+    let(:predicates) { [Bookcase.new('948b9ace-784f-4326-aeb9-a2a0587d75b9')] }
+
+    it 'should not allow access to any shelves' do
+      permission.path[:shelf].permitted?.must_equal false
+    end
+
+    describe "allowing a new shelf" do
+      before do
+        permission.path[:shelf][1234].allow!
+      end
+
+      it 'should allow access to the shelf' do
+        permission.path[:shelf][1234].permitted?.must_equal true
+      end
+    end
+  end
+
+  describe 'admin user with one banned bookcase' do
+
+    let(:permissions_hash) do
+      {
+        mode: 'blacklist',
+        scope: [:read, :manage],
+        subjects: [
+          {
+            id:   'f23175aa-014b-4796-aaef-878df597e7f1',
+            type: 'bookcase', 
+            mode: 'whitelist'
+          }
+        ]
+      }
+    end
+
+    let(:predicates) { [User.new(32)] }
+
+    it 'should allow access for a user and a random id' do
+      permission.permitted?.must_equal true
+    end
+
+    describe 'disalowing neseted objects' do
+      before do
+        permission.path.root[:bookcase][12][:shelf][10][:pack][14].deny!
+      end
+
+      it 'should not be viewable' do
+        permission.path.root[:bookcase][12][:shelf][10][:pack][14].permitted?.must_equal false
+      end
+    end
+
+    describe 'disalowing a user' do
+      before do
+        permission.path.root[:user][12].deny!
+      end
+
+      it 'should prevent access to user 12' do
+        permission.path.root[:user][12].permitted?.must_equal false
+      end
+    end
+
+  end
+
+
+end

data/spec/node_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe Sanction::Node do
+
+  let(:permissions_hash) do
+    {
+      mode: 'whitelist',
+      scope: ['manage', 'read'],
+      subjects: [
+        {
+          id: 6,
+          type: 'bookcase',
+          scope: []
+        }
+      ]
+    }
+  end
+  let(:permissions) { Sanction.build(permissions_hash) }
+
+  it 'should let me find id: 6' do
+    permissions.find('bookcase', 6).id.must_equal 6
+  end
+
+  describe 'changing root node type' do
+
+    it 'should return the root node as being a blacklist' do
+      perm = permissions.root.change_type!(:blacklist)
+      perm.mode.must_equal 'blacklist'
+    end
+  end
+
+  describe 'with complex permissons' do
+    let(:permissions_hash) { PERMISSIONS }
+
+    describe 'changing a node type' do
+
+      it 'should return the node as being changed' do
+        perm = permissions.find('bookcase', 2).change_type!(:blacklist)
+        perm.find('bookcase', 2).mode.must_equal 'blacklist'
+      end
+
+    end
+
+    it 'should return root for a missing id and type' do
+      permissions.find('test', 5).root?.must_equal true
+    end
+  end
+
+end

data/spec/permission_spec.rb

@@ -0,0 +1,218 @@
+require 'spec_helper'
+
+describe Sanction::Permission do
+
+  let(:permissions) { Sanction.build(permissions_hash) }
+  let(:predicates)  { [] }
+  let(:permission)  { Sanction::Permission.new(permissions, *predicates)}
+
+  let(:bookcase)    { Bookcase.new(6) }
+  let(:shelf)       { Shelf.new(4) }
+  let(:pack)        { Pack.new(5) }
+
+  describe "With simple whitelist permissions" do
+
+    let(:permissions_hash) do
+      {
+        mode: 'whitelist',
+        scope: ['manage', 'read'],
+        resources: ['bookcase'],
+        subjects: [
+          {
+            id: 6,
+            type: 'bookcase',
+            scope: []
+          }
+        ]
+      }
+    end
+    let(:predicates)  { [bookcase] }
+
+    it 'should be permitted' do
+      permission.permitted?.must_equal true
+    end
+
+    it 'should have scope manage' do
+      permission.permitted_with_scope?(:manage).must_equal true
+    end
+
+    it 'should have scope read' do
+      permission.permitted_with_scope?(:read).must_equal true
+    end
+
+    describe 'With a class predicate' do
+      let(:predicates) { [Shelf] }
+
+      it 'should not be permitted' do
+        permission.permitted?.must_equal false
+      end
+
+    end
+
+  end
+
+  describe "With simple blacklist permissions" do
+    let(:permissions_hash) do
+      {
+        mode: 'blacklist',
+        scope: ['manage', 'read'],
+        subjects: [
+          {
+            id: 6,
+            type: 'bookcase',
+            scope: []
+          }
+        ]
+      }
+    end
+    let(:predicates)  { [bookcase] }
+
+    it 'should not be permitted' do
+      permission.permitted?.must_equal false
+    end
+
+    it 'should not be permitted for a scope of manage' do
+      permission.permitted_with_scope?(:manage).must_equal false
+    end
+
+    describe 'With a class predicate not blacklisted' do
+      let(:predicates) { [Shelf] }
+
+      it 'should be permitted' do
+        permission.permitted?.must_equal true
+      end
+
+      it 'should be permitted with a scope of manage' do
+        permission.permitted_with_scope?(:manage).must_equal true
+      end
+
+    end
+
+  end
+
+  describe "With complex whitelist permissions" do
+    let(:permissions_hash) { PERMISSIONS }
+    let(:bookcase)   { Bookcase.new(2) }
+    let(:predicates) { [bookcase, shelf] }
+
+    describe "with a blacklisted mode shelf" do
+      let(:shelf)    { Shelf.new(7) }
+
+      describe "with a pack on the blacklist" do
+        let(:pack)        { Pack.new(8) }
+        let(:predicates)  { [bookcase, shelf, pack] }
+
+        it 'should not be permitted' do
+          permission.permitted?.must_equal false
+        end
+
+      end
+
+      describe "with a pack not on the blacklist" do
+        let(:pack)       { Pack.new(100) }
+        let(:predicates) { [bookcase, shelf, pack] }
+
+        it 'should be permitted' do
+          permission.permitted?.must_equal true
+        end
+
+        it 'should have its parents scopes' do
+          permission.permitted_with_scope?(:manage).must_equal true
+          permission.permitted_with_scope?(:read).must_equal true
+        end
+
+      end
+
+    end
+
+    describe "with a whitelisted shelf" do
+      let(:shelf)    { Shelf.new(4) }
+
+      it 'should be permitted' do
+        permission.permitted?.must_equal true
+      end
+
+      describe "with a whitelisted pack" do
+        let(:pack)   { Pack.new(5) }
+        let(:predicates) { [bookcase, shelf, pack] }
+
+        it 'should be permitted' do
+          permission.permitted?.must_equal true
+        end
+
+        it 'should have a read and manage scope' do
+          permission.permitted_with_scope?(:manage).must_equal true
+          permission.permitted_with_scope?(:read).must_equal true
+        end
+
+      end
+
+    end
+
+  end
+
+  describe "with an incorrect object graph with a whitelisted incorrect parent" do
+    let(:permissions_hash)  { PERMISSIONS }
+    let(:bookcase)          { Bookcase.new(2) }
+    let(:shelf)             { Shelf.new(6) }
+    let(:predicates)        { [bookcase, shelf] }
+
+    it 'should not allow the shelf to be permitted' do
+      permission.permitted?.must_equal false
+    end
+
+  end
+
+  describe "With missing blacklist permissions" do
+    let(:permissions_hash) { PERMISSIONS }
+    let(:bookcase)    { Bookcase.new(1) }
+    let(:predicates)  { [bookcase, shelf] }
+
+    describe "with a blacklisted shelf" do
+      let(:shelf)     { Shelf.new(6) }
+
+      it 'should not be permitted' do
+        permission.permitted?.must_equal false
+      end
+
+      describe "with a pack within a blacklisted shelf" do
+        let(:pack)        { Pack.new(98) }
+        let(:predicates)  { [bookcase, shelf, pack] }
+
+        it 'should not be permitted' do
+          permission.permitted?.must_equal false
+        end
+
+        it 'should not have a read scope' do
+          permission.permitted_with_scope?(:read).must_equal false
+        end
+
+      end
+
+    end
+
+    describe 'with a non blacklisted shelf' do
+      let(:shelf)     { Shelf.new(31) }
+
+      it 'should be permitted' do
+        permission.permitted?.must_equal true
+      end
+
+      describe 'with a non blacklisted pack' do
+        let(:pack)        { Pack.new(10) }
+        let(:predicates)  { [bookcase, shelf, pack] }
+
+        it 'should be permitted' do
+          permission.permitted?.must_equal true
+        end
+
+        it 'should have a read scope' do
+          permission.permitted_with_scope?(:read).must_equal true
+        end
+
+      end
+
+    end
+  end
+
+end