sinatra-bouncer 1.2.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 254ec098fccec946d8f3891767aec06c0b176ba1
-  data.tar.gz: e9289acabf308082675f3176367c3016f3af791b
+SHA256:
+  metadata.gz: f07c9c87e55563ac21610aecc8813d32ee3322d291382bb1bd5cca0ce0d55a12
+  data.tar.gz: fa55400409722c0f0f4ea83c6ee552654d0d8aee128d484f3a42c2c888e9b46b
 SHA512:
-  metadata.gz: b42b9091612bc206cc384f346108eee042de851c8793b09772d8c9fc818df7595c4a9cd2dfe5443b9f61ab045748d49082677e77f0e901abd1c78d4fa8d232a8
-  data.tar.gz: 34231f5cbb55f638c6d6b977c080dd9a77ed5f4a3e561d90221b85c413e3717330d433eb06c2564d6613e5b325dc92b02e0ad34ace65ebbb5502748e15abac3b
+  metadata.gz: 4fc6e73dcb5867a418dea6b555f74fee57f41b58d75ab76657925a71b1b2ff059295135c30646f4de83fe82a00bc816a6d668d54ecd64f035b63f27d68b80ef1
+  data.tar.gz: ca808e79a1f59743c17afc6e7475dd03a9a3186d8ed1ec3c6b4412ec96af2c38c0e454a0fada15c513e83c1070eb7b6f72c2a116be9e2ed7135592ce7f04ce70

data/.gitignore

@@ -0,0 +1,18 @@
+# See http://help.github.com/ignore-files/ for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile ~/.gitignore_global
+
+# Ignore all logfiles and tempfiles.
+*.log
+tmp/*
+
+# Rubymine stuff
+.idea
+
+# Ignore all gem files.
+*.gem
+
+# Ignore simplecov results
+.coverage/

data/.rubocop.yml

@@ -0,0 +1,14 @@
+inherit_from: ~/.config/rubocop/config.yml
+
+AllCops:
+  Exclude:
+    - 'bin/*'
+    - 'benchmarks/*'
+
+Layout/LineLength:
+  Exclude:
+    - 'spec/**/*.rb'
+
+# setting to 6 to match RubyMine autoformat
+Layout/FirstArrayElementIndentation:
+  IndentationWidth: 6

data/.ruby-version

@@ -0,0 +1 @@
+ruby-3.1.4

data/.simplecov

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+SimpleCov.start do
+   coverage_dir '.coverage'
+   enable_coverage :branch
+
+   root __dir__
+
+   add_filter 'tests/'
+   # add_filter 'spec/'
+end

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,49 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at robin@tenjin.ca. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -1,4 +1,20 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
-# Specify your gem's dependencies in dirt_core.gemspec
-gemspec
+# Gem dependencies in dirt_core.gemspec
+gemspec
+
+group :development do
+   gem 'bundler', '~> 2.4'
+   gem 'rake', '~> 13.1'
+   gem 'rubocop', '~> 1.57'
+   gem 'rubocop-performance', '~> 1.19'
+   gem 'yard', '~> 0.9'
+end
+
+group :test do
+   gem 'rack-test', '~> 2.1'
+   gem 'rspec', '~> 3.12'
+   gem 'simplecov', '~> 0.22'
+end

data/Gemfile.lock

@@ -0,0 +1,92 @@
+PATH
+  remote: .
+  specs:
+    sinatra-bouncer (2.0.0)
+      sinatra (>= 2.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+    diff-lcs (1.5.0)
+    docile (1.4.0)
+    json (2.6.3)
+    language_server-protocol (3.17.0.3)
+    mustermann (3.0.0)
+      ruby2_keywords (~> 0.0.1)
+    parallel (1.23.0)
+    parser (3.2.2.4)
+      ast (~> 2.4.1)
+      racc
+    racc (1.7.3)
+    rack (2.2.8)
+    rack-protection (3.1.0)
+      rack (~> 2.2, >= 2.2.4)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rainbow (3.1.1)
+    rake (13.1.0)
+    regexp_parser (2.8.2)
+    rexml (3.2.6)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.2)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.6)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-support (3.12.1)
+    rubocop (1.57.2)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
+      parallel (~> 1.10)
+      parser (>= 3.2.2.4)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.30.0)
+      parser (>= 3.2.1.0)
+    rubocop-performance (1.19.1)
+      rubocop (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    ruby-progressbar (1.13.0)
+    ruby2_keywords (0.0.5)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.4)
+    sinatra (3.1.0)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.1.0)
+      tilt (~> 2.0)
+    tilt (2.2.0)
+    unicode-display_width (2.5.0)
+    yard (0.9.34)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  bundler (~> 2.4)
+  rack-test (~> 2.1)
+  rake (~> 13.1)
+  rspec (~> 3.12)
+  rubocop (~> 1.57)
+  rubocop-performance (~> 1.19)
+  simplecov (~> 0.22)
+  sinatra-bouncer!
+  yard (~> 0.9)
+
+BUNDLED WITH
+   2.4.19

data/README.md

@@ -1,108 +1,268 @@
-#Sinatra-Bouncer
-Simple authorization permissions extension for [Sinatra](http://www.sinatrarb.com/). Require the gem, then declare which routes are permitted based on your own logic. 
+# Sinatra-Bouncer
+
+Simple permissions extension for [Sinatra](http://www.sinatrarb.com/). Require the gem, then declare which
+routes are permitted based on your own logic.
+
+## Big Picture
+
+Bouncer rules look like:
 
-**Gemfile**
 ```ruby
-gem 'sinatra-bouncer'
-```
+rules do
+   # Routes match based on one or more strings. 
+   can get:  '/',
+       post: %w[/user/sign-in
+                /user/sign-out]
+
+   # Wildcards match anything directly under that path 
+   can get: '/lib/js/*'
+
+   # Use a conditional rule block for additional logic
+   can_sometimes get:  '/admin/*',
+                 post: '/admin/actions/*' do
+      current_user.admin?
+   end
+
+   # ... etc ...
+end
 
-**Terminal**
-```sh
-gem install sinatra-bouncer
 ```
 
-##Quickstart
-###Step 1: Require/Register Bouncer
+## Features
 
-After registration, Bouncer will reject any request that either:
-* has no rule associated with it, or
-* has no associated rule that returns `true`
+Here's what this Gem provides:
+
+* **Block-by-default**
+    * Any route must be explicitly allowed
+* **Declarative Syntax**
+    * Straightforward syntax reduces complexity of layered permissions
+    * Keeps permissions together for clarity
+* **Conditional Logic Via Blocks**
+    * Often additional checks must be performed to know if a route is allowed.
+* **Grouping**
+    * Routes can be matched by wildcard
+* **Forced Boolean Affirmation**
+    * Condition blocks must explicitly return `true`, avoiding accidental truthy values
+
+## Anti-Features
+
+Bouncer intentionally does not support some concepts.
+
+* **No User Identification** *(aka Authentication)*
+    * Bouncer is not a user identification gem. It assumes you already have an existing solution
+      like [Warden](https://github.com/wardencommunity/warden). Knowing *who* someone is is already a complex enough
+      problem and should be separate from what they may do.
+* **No Rails Integration**
+    * Bouncer is not intended to work with Rails. Use one of the Rails-based permissions gems for these situations.
+* **No Negation**
+    * There is intentionally no negation (eg. `cannot`) to preserve the default-deny frame of mind
+
+## Installation
+
+Add this to your gemfile:
 
-**Sinatra Classic**
 ```ruby
-require 'sinatra'
-require 'sinatra/bouncer'
+gem 'sinatra-bouncer'
+```
 
-   # ... routes and other config
+Then run:
+
+```shell
+bundle install
 ```
 
-**Modular**
+**Sinatra Modular Style**
+
 ```ruby
 require 'sinatra/base'
 require 'sinatra/bouncer'
 
 class MyApp < Sinatra::Base
-  register Sinatra::Bouncer
-  
-  # ... routes and other config
+   register Sinatra::Bouncer
+
+   rules do
+      # ... can statements ...
+   end
+
+   # ... routes and other config
 end
 ```
 
-###Step 2: Declare Bouncer Rules
-Call `rules` with a block that uses `can` and `can_sometimes` to declare which paths are legalduring this request.  The rules block is run in the context of the request, which means you will have access to sinatra helpers, 
-the `request` object, and `params`.
+**Sinatra Classic Style**
 
 ```ruby
 require 'sinatra'
 require 'sinatra/bouncer'
 
 rules do
-  # example: allow any GET request
-  can(:get, :all)
-  
-  # example: logged in users can edit their account
-  if(current_user)
-    can(:post, '/user_edits_account')
-  end
+   # ... can statements ...
 end
 
-# ... route declarations as normal below
+# ... routes and other config
 ```
 
-## API
-#### can
-Any route declared with #can will be accepted without further challenge. 
+## Usage
+
+Call `rules` with a block that uses the `#can` and `#can_sometimes` DSL methods to declare rules for paths.
+
+The rules block is run once as part of the configuration phase but the condition blocks are evaluated in the context of
+the
+request, which means you will have access to Sinatra helpers,
+the `request` object, and `params`.
 
 ```ruby
+require 'sinatra'
+require 'sinatra/bouncer'
+
 rules do
-   can(:post, '/user_posts_blog')
+   # example: always allow GET requests to root path or /sign-in
+   can get: %w[/
+               /sign-in]
+
+   # example: logged in users can view (GET) member restricted paths and edit their account (POST)
+   can_sometimes get:  '/members/*',
+                 post: '/members/edit-account' do
+      !current_user.nil?
+   end
+
+   # example: check an arbitrary request header is present
+   can_sometimes get: '/bots/*' do
+      !request.get_header('X-CUSTOM_PROP').nil?
+   end
 end
+
+# ... Sinatra route declarations as normal ... 
 ```
 
-####can_sometimes
-`can_sometimes` is for occasions that you to check further, but want to defer that choice until the path is actually attempted.
-`can_sometimes` takes a block that will be run once the path is attempted. This block **must return an explicit boolean** 
-(ie. `true` or `false`) to avoid any accidental truthy values creating unwanted access.
+### HTTP Method and Route Matching
+
+Both `#can` and `#can_sometimes` accept multiple
+[HTTP methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) as symbols
+and each key is paired with one or more path strings.
+
+```ruby
+# example: single method, single route 
+can get: '/'
+
+# example: multiple methods, single route each 
+can get:  '/',
+    post: '/blog/action/save'
+
+# example: multiple methods, multiple routes (using string array syntax)
+can get:  %w[/
+             /sign-in
+             /blog/editor],
+    post: %w[/blog/action/save 
+             /blog/action/delete]
+```
+
+> **Note** Allowing GET implies allowing HEAD, since HEAD is by spec a GET without a response body. The reverse is not
+> true, however; allowing HEAD will not also allow GET.
+
+#### Wildcards and Special Symbols
+
+> **Warning** Always be cautious when using wildcards and special symbols to not accidentally open up pathways that
+> should remain private.
+
+Provide a wildcard `*` to match any string excluding slash. There is intentionally no syntax for matching wildcards
+recursively, so nested paths will also need to be declared.
+
+```ruby
+# example: match anything directly under the /members/ path
+can get: '/members/*'
+```
+
+There are also 2 special symbols:
+
+1. `:any` will match any HTTP method.
+2. `:all` will match all paths.
+
+```ruby
+# this allows any method type on the / path
+can any: '/'
+
+# this allows GET on all paths
+can get: :all
+```
+
+### Always Allow: `can`
+
+Any route declared with `#can` will be accepted without further challenge.
 
 ```ruby
 rules do
-    can_sometimes('/login') # Anyone can access this path
+   # Anyone can access this path over GET
+   can get: '/login'
 end
 ```
 
-#### :any and :all special parameters
-Passing `can` or `can_sometimes`:
- * `:any` to the first parameter will match any HTTP method. 
- * `:all` to the second parameter will match any path. 
+### Conditionally Allow: `can_sometimes`
+
+`can_sometimes` is for occasions that you to check further, but want to defer that choice until the path is actually
+attempted.
+`can_sometimes` takes a block that will be run once the path is attempted. This block **must return an explicit boolean
+**
+(ie. `true` or `false`) to avoid any accidental truthy values creating unwanted access.
 
 ```ruby
-# this allows get on all paths
-can(:get, :all)
+rules do
+   can_sometimes get: '/login' # Anyone can access this path over GET
 
-# this allows any method type to run on the /login path
-can(:any, '/login')
+   can_sometimes post: '/user/blog/actions/save' do
+      !current_user.nil?
+   end
+end
 ```
 
 ### Custom Bounce Behaviour
-The default bounce action is to `halt 403`. Call `bounce_with` with a block to specify your own behaviour. The block is also run in a sinatra request context, so you can use helpers here as well. 
+
+The default bounce action is to `halt 403`. Call `bounce_with` with a block to specify your own behaviour. The block is
+also run in a sinatra request context, so you can use helpers here as well.
 
 ```ruby
 require 'sinatra'
 require 'sinatra/bouncer'
 
-bounce_with do 
-  redirect '/login'
+bounce_with do
+   redirect '/login'
 end
 
 # bouncer rules, routes, etc...
 ```
+
+## Alternatives
+
+The syntax for Bouncer is largely influenced by the now-deprecated [CanCan](https://github.com/ryanb/cancan) gem.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/TenjinInc/Sinatra-Bouncer.
+
+Valued topics:
+
+* Error messages (clarity, hinting)
+* Documentation
+* API
+* Security correctness
+
+This project is intended to be a friendly space for collaboration, and contributors are expected to adhere to the
+[Contributor Covenant](https://www.contributor-covenant.org/) code of conduct. Play nice.
+
+### Core Developers
+
+After checking out the repo, run `bundle install` to install dependencies. Then, run `rake spec` to run the tests. You
+can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the
+version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version,
+push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+Documentation is produced by Yard. Run `bundle exec rake yard`. The goal is to have 100% documentation coverage and 100%
+test coverage.
+
+Release notes are provided in `RELEASE_NOTES.md`, and should vaguely
+follow [Keep A Changelog](https://keepachangelog.com/en/1.0.0/) recommendations.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/license/mit/).

data/RELEASE_NOTES.md

@@ -0,0 +1,153 @@
+# Release Notes
+
+All notable changes to this project will be documented below.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project loosely follows
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* none
+
+### Bugfixes
+
+* none
+
+## [2.0.0] - 2023-11-13
+
+### Major Changes
+
+* Converted to hash syntax in `can` and `can_sometimes` statements
+
+### Minor Changes
+
+* Converted Cucumber tests to Rspec integration tests for consistency
+* HEAD requests are evaluated like GET requests due to semantic equivalence
+* Falsey values are now acceptable rule block results
+
+### Bugfixes
+
+* none
+
+## [1.3.0] - 2023-09-13
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* Increased minimum Ruby to 3.1
+* Cleaned up development dependencies
+* Rubocop cleanups
+* Installed Simplecov
+* Created Rakefile
+
+### Bugfixes
+
+* none
+
+## [1.2.0] - 2016-10-02
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* Supports wildcard matches in route strings
+
+### Bugfixes
+
+* none
+
+## [1.1.1] - 2015-06-02
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* none
+
+### Bugfixes
+
+* Runs `bounce_with` in context of web request
+
+## [1.1.0] - 2015-05-28
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* none
+
+### Bugfixes
+
+* Correctly forgets rules between routes
+
+## [1.0.2] - 2015-05-24
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* Changed default halt to 403
+* Application available in rule block
+
+### Bugfixes
+
+* Fixed sinatra module registration
+
+## [1.0.1] - 2015-05-21
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* none
+
+### Bugfixes
+
+* none
+
+## [1.0.0] - Unreleased Prototype
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* none
+
+### Bugfixes
+
+* none
+
+## [0.1.0] - Unreleased Prototype
+
+### Major Changes
+
+* Initial prototype
+
+### Minor Changes
+
+* none
+
+### Bugfixes
+
+* none

data/Rakefile

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'yard'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec
+
+YARD::Rake::YardocTask.new do |t|
+   t.files = %w[lib/**/*.rb]
+   # t.options       = %w[--some-option]
+   t.stats_options = ['--list-undoc']
+end

data/cucumber.yml

@@ -0,0 +1 @@
+default: --publish-quiet

data/lib/sinatra/bouncer/basic_bouncer.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require_relative 'rule'
+
+module Sinatra
+   module Bouncer
+      # Core implementation of Bouncer logic
+      class BasicBouncer
+         attr_accessor :bounce_with, :rules_initializer
+
+         # Enumeration of HTTP method strings based on:
+         #    https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
+         # Ignoring CONNECT and TRACE due to rarity
+         HTTP_METHODS = %w[GET HEAD PUT POST DELETE OPTIONS PATCH].freeze
+
+         # Symbol versions of HTTP_METHODS constant
+         #
+         # @see HTTP_METHODS
+         HTTP_METHOD_SYMBOLS = HTTP_METHODS.collect do |http_method|
+            http_method.downcase.to_sym
+         end.freeze
+
+         # Method symbol used to match any method
+         WILDCARD_METHOD = :any
+
+         def initialize
+            @ruleset = Hash.new do
+               []
+            end
+
+            @rules_initializer = proc {}
+         end
+
+         def can(**method_routes)
+            if block_given?
+               hint = 'If you wish to conditionally allow, use #can_sometimes instead.'
+               raise BouncerError, "You cannot provide a block to #can. #{ hint }"
+            end
+
+            can_sometimes(**method_routes) do
+               true
+            end
+         end
+
+         def can_sometimes(**method_routes, &block)
+            unless block
+               hint = 'If you wish to always allow, use #can instead.'
+               raise BouncerError, "You must provide a block to #can_sometimes. #{ hint }"
+            end
+
+            method_routes.each do |method, paths|
+               unless HTTP_METHOD_SYMBOLS.include?(method) || method == WILDCARD_METHOD
+                  hint = "Must be one of: #{ HTTP_METHOD_SYMBOLS } or :#{ WILDCARD_METHOD }"
+                  raise BouncerError, "'#{ method }' is not a known HTTP method key. #{ hint }"
+               end
+
+               paths = [paths] unless paths.respond_to? :collect
+
+               @ruleset[method] += paths.collect { |path| Rule.new(path, &block) }
+            end
+         end
+
+         def can?(method, path, context)
+            rulesets = @ruleset[WILDCARD_METHOD] + @ruleset[method]
+
+            # HEAD requests are equivalent to GET requests without response
+            rulesets += @ruleset[:get] if method == :head
+
+            rules = rulesets.select { |rule| rule.match_path?(path) }
+
+            rules.any? do |rule_block|
+               ruling = rule_block.rule_passes? context
+
+               ruling
+            end
+         end
+
+         def bounce(instance)
+            if bounce_with
+               instance.instance_exec(&bounce_with)
+            else
+               instance.halt 403
+            end
+         end
+      end
+
+      class BouncerError < StandardError
+      end
+   end
+end

data/lib/sinatra/bouncer/rule.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Sinatra
+   module Bouncer
+      # Defines a Rule to be evaluated with each request
+      class Rule
+         def initialize(path, &rule_block)
+            if path == :all
+               @path = :all
+            else
+               path = "/#{ path }" unless path.start_with?('/')
+
+               @path = path.split('/')
+            end
+
+            @rule = rule_block
+         end
+
+         # Determines if the path matches the exact path or wildcard.
+         #
+         # @return `true` if the path matches
+         def match_path?(path)
+            return true if @path == :all
+
+            path = "/#{ path }" unless path.start_with?('/')
+
+            split_path = path.split('/')
+            matches    = @path.length == split_path.length
+
+            @path.each_index do |i|
+               allowed_segment = @path[i]
+               given_segment   = split_path[i]
+
+               matches &= given_segment == allowed_segment || allowed_segment == '*'
+            end
+
+            matches
+         end
+
+         # Evaluates the rule's block. Defensively prevents truthy values from the block from allowing a route.
+         #
+         # @raise BouncerError when the rule block is a truthy value but not exactly `true`
+         # @return Exactly `true` or `false`, depending on the result of the rule block
+         def rule_passes?(context)
+            ruling = context.instance_exec(&@rule)
+
+            unless !ruling || ruling.is_a?(TrueClass)
+               source = @rule.source_location.join(':')
+               msg    = <<~ERR
+                  Rule block at does not return explicit true/false.
+                  Rules must return explicit true or false to prevent accidental truthy values.
+                  Source: #{ source }
+               ERR
+
+               raise BouncerError, msg
+            end
+
+            !!ruling
+         end
+      end
+   end
+end

data/lib/sinatra/bouncer/version.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Sinatra
+   module Bouncer
+      # Current version of the gem
+      VERSION = '2.0.0'
+   end
+end

data/lib/sinatra/bouncer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #--
 # Copyright (c) 2014 Tenjin Inc.
 #
@@ -21,55 +23,32 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #++
 
-require_relative 'basic_bouncer'
+require 'sinatra/base'
+require_relative 'bouncer/basic_bouncer'
 
+# Namespace module
 module Sinatra
+   # Namespace module
    module Bouncer
       def self.registered(base_class)
-         base_class.helpers HelperMethods
-
-         bouncer = BasicBouncer.new
-
-         # TODO: can we instead store it somehow on the actual temp request object?
-         base_class.set :bouncer, bouncer
+         base_class.set :bouncer, BasicBouncer.new
 
          base_class.before do
-            bouncer.reset! # must clear all rules otherwise will leave doors open
-
-            self.instance_exec &bouncer.rules_initializer
-
             http_method = request.request_method.downcase.to_sym
             path        = request.path.downcase
 
-            unless bouncer.can?(http_method, path)
-               bouncer.bounce(self)
-            end
+            settings.bouncer.bounce(self) unless settings.bouncer.can?(http_method, path, self)
          end
       end
 
-      # Start ExtensionMethods
       def bounce_with(&block)
          bouncer.bounce_with = block
       end
 
       def rules(&block)
-         bouncer.rules_initializer = block
-      end
-
-      # End ExtensionMethods
-
-      module HelperMethods
-         def can(*args)
-            settings.bouncer.can(*args)
-         end
-
-         def can_sometimes(*args, &block)
-            settings.bouncer.can_sometimes(*args, &block)
-         end
+         settings.bouncer.instance_exec(&block)
       end
    end
 
-   if defined? register
-      register Bouncer
-   end
-end
+   register Sinatra::Bouncer
+end

data/sinatra_bouncer.gemspec

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'sinatra/bouncer/version'
+
+Gem::Specification.new do |spec|
+   spec.name    = 'sinatra-bouncer'
+   spec.version = Sinatra::Bouncer::VERSION
+   spec.authors = ['Tenjin Inc', 'Robin Miller']
+   spec.email   = %w[contact@tenjin.ca robin@tenjin.ca]
+
+   spec.summary     = 'Sinatra permissions plugin'
+   spec.description = 'Bouncer brings simple authorization to Sinatra.'
+   spec.homepage    = 'https://github.com/TenjinInc/Sinatra-Bouncer'
+   spec.license     = 'MIT'
+   spec.metadata    = {
+         'rubygems_mfa_required' => 'true'
+   }
+
+   spec.files = `git ls-files -z`.split("\x0").reject do |f|
+      f.match(%r{^(test|spec|features|integrations|benchmarks)/})
+   end
+
+   spec.require_paths = ['lib']
+
+   spec.required_ruby_version = '>= 3.1'
+
+   spec.add_dependency 'sinatra', '>= 2.2'
+end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: sinatra-bouncer
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.0.0
 platform: ruby
 authors:
-- Tenjin
+- Tenjin Inc
 - Robin Miller
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-02 00:00:00.000000000 Z
+date: 2023-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -17,113 +17,44 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.14.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.14.1
-- !ruby/object:Gem::Dependency
-  name: cucumber
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.3.19
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.3.19
-- !ruby/object:Gem::Dependency
-  name: capybara
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: launchy
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: parallel_tests
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
 description: Bouncer brings simple authorization to Sinatra.
-email: contact@tenjin.ca
+email:
+- contact@tenjin.ca
+- robin@tenjin.ca
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".simplecov"
+- CODE_OF_CONDUCT.md
 - Gemfile
+- Gemfile.lock
 - MIT-LICENSE
 - README.md
-- lib/sinatra/basic_bouncer.rb
+- RELEASE_NOTES.md
+- Rakefile
+- cucumber.yml
 - lib/sinatra/bouncer.rb
-- lib/sinatra/rule.rb
-homepage: http://www.tenjin.ca
-licenses: []
-metadata: {}
+- lib/sinatra/bouncer/basic_bouncer.rb
+- lib/sinatra/bouncer/rule.rb
+- lib/sinatra/bouncer/version.rb
+- sinatra_bouncer.gemspec
+homepage: https://github.com/TenjinInc/Sinatra-Bouncer
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -132,15 +63,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.9.3
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 3.4.18
 signing_key: 
 specification_version: 4
 summary: Sinatra permissions plugin

data/lib/sinatra/basic_bouncer.rb

@@ -1,69 +0,0 @@
-require_relative 'rule'
-
-module Sinatra
-   module Bouncer
-      class BasicBouncer
-         attr_accessor :bounce_with
-         attr_accessor :rules_initializer
-
-         def initialize
-            # @rules = Hash.new do |method_to_paths, method|
-            #    method_to_paths[method] = Hash.new do |path_to_rules, path|
-            #       path_to_rules[path] = []
-            #    end
-            # end
-
-            @ruleset           = Hash.new do
-               []
-            end
-            @rules_initializer = Proc.new {}
-         end
-
-         def reset!
-            @ruleset.clear
-         end
-
-         def can(method, *paths)
-            if block_given?
-               raise BouncerError.new('You cannot provide a block to #can. If you wish to conditionally allow, use #can_sometimes instead.')
-            end
-
-            can_sometimes(method, *paths) do
-               true
-            end
-         end
-
-         def can_sometimes(method, *paths, &block)
-            unless block_given?
-               raise BouncerError.new('You must provide a block to #can_sometimes. If you wish to always allow, use #can instead.')
-            end
-
-            paths.each do |path|
-               @ruleset[method] += [Rule.new(path, &block)]
-            end
-         end
-
-         def can?(method, path)
-            rules = (@ruleset[:any_method] + @ruleset[method]).select { |rule| rule.match_path?(path) }
-
-            rules.any? do |rule_block|
-               ruling = rule_block.rule_passes?
-
-               ruling
-            end
-         end
-
-         def bounce(instance)
-            if bounce_with
-               instance.instance_exec &bounce_with
-            else
-               instance.halt 403
-            end
-         end
-      end
-
-      class BouncerError < StandardError
-
-      end
-   end
-end

data/lib/sinatra/rule.rb

@@ -1,48 +0,0 @@
-module Sinatra
-   module Bouncer
-      class Rule
-         def initialize(path, &ruleblock)
-            if path == :all
-               @path = :all
-            else
-               path = '/' + path unless path.start_with?('/')
-
-               @path = path.split('/')
-            end
-
-            @rule = ruleblock
-         end
-
-         def match_path?(path)
-            return true if @path == :all
-
-            path = '/' + path unless path.start_with?('/')
-
-            split_path = path.split('/')
-            matches    = @path.length == split_path.length
-
-            @path.each_index do |i|
-               allowed_segment = @path[i]
-               given_segment   = split_path[i]
-
-               matches &= given_segment == allowed_segment || allowed_segment == '*'
-            end
-
-            matches
-         end
-
-         def rule_passes?
-            ruling = @rule.call
-
-            unless ruling.is_a?(TrueClass)|| ruling.is_a?(FalseClass)
-               source = @rule.source_location.join(':')
-               raise BouncerError.new("Rule block at does not return explicit true/false.\n\n"+
-                                            "Rules must return explicit true or false to prevent accidental truthy values.\n\n"+
-                                            "Source: #{source}\n")
-            end
-
-            ruling
-         end
-      end
-   end
-end