stffn-declarative_authorization 0.2.4 → 0.2.5

data/lib/declarative_authorization/in_model.rb

@@ -76,6 +76,10 @@ module Authorization
         #   
         # If an operation is not permitted, a Authorization::AuthorizationError
         # is raised.
+        #
+        # To activate model security on all models, call using_access_control
+        # on ActiveRecord::Base
+        #   ActiveRecord::Base.using_access_control
         # 
         # Available options
         # [:+context+] Specify context different from the models table name.
@@ -86,28 +90,19 @@ module Authorization
             :context => nil,
             :include_read => false
           }.merge(options)
-          context = (options[:context] || self.table_name).to_sym
 
           class_eval do
-            before_create do |object|
-              Authorization::Engine.instance.permit!(:create, :object => object,
-                :context => context)
-            end
-            
-            before_update do |object|
-              Authorization::Engine.instance.permit!(:update, :object => object,
-                :context => context)
+            [:create, :update, [:destroy, :delete]].each do |action, privilege|
+              send(:"before_#{action}") do |object|
+                Authorization::Engine.instance.permit!(privilege || action,
+                  :object => object, :context => options[:context])
+              end
             end
-            
-            before_destroy do |object|
-              Authorization::Engine.instance.permit!(:delete, :object => object,
-                :context => context)
-            end
-            
-            # only called if after_find is implemented
+
+            # after_find is only called if after_find is implemented
             after_find do |object|
               Authorization::Engine.instance.permit!(:read, :object => object,
-                :context => context)
+                :context => options[:context])
             end
             
             if options[:include_read]

data/lib/declarative_authorization/obligation_scope.rb

@@ -48,7 +48,7 @@ module Authorization
       @current_obligation = obligation
       obligation_conditions[@current_obligation] ||= {}
       follow_path( obligation )
-      
+
       rebuild_condition_options!
       rebuild_join_options!
     end
@@ -133,7 +133,7 @@ module Authorization
         parent.reflect_on_association( path.last )
       end
       raise "invalid path #{path.inspect}" if reflection.nil?
-      
+
       reflections[path] = reflection
       map_table_alias_for( path )  # Claim a table alias for the path.
       
@@ -208,17 +208,15 @@ module Authorization
             end
             bindvar = "#{attribute_table_alias}__#{attribute_name}_#{obligation_index}".to_sym
 
-            attribute_value = value.respond_to?( :descends_from_active_record? ) && value.descends_from_active_record? && value.id ||
-                              value.is_a?( Array ) && value[0].respond_to?( :descends_from_active_record? ) && value[0].descends_from_active_record? && value.map( &:id ) ||
-                              value
             attribute_operator = case operator
                                  when :contains, :is             then "= :#{bindvar}"
                                  when :does_not_contain, :is_not then "<> :#{bindvar}"
-                                 when :is_in                     then "IN (:#{bindvar})"
+                                 when :is_in, :intersects_with   then "IN (:#{bindvar})"
                                  when :is_not_in                 then "NOT IN (:#{bindvar})"
+                                 else raise AuthorizationUsageError, "Unknown operator: #{operator}"
                                  end
             obligation_conds << "#{connection.quote_table_name(attribute_table_alias)}.#{connection.quote_table_name(attribute_name)} #{attribute_operator}"
-            binds[bindvar] = attribute_value
+            binds[bindvar] = attribute_value(value)
           end
         end
         obligation_conds << "1=1" if obligation_conds.empty?
@@ -227,36 +225,40 @@ module Authorization
       (delete_paths - used_paths).each {|path| reflections.delete(path)}
       @proxy_options[:conditions] = [ conds.join( " OR " ), binds ]
     end
+
+    def attribute_value (value)
+      value.respond_to?( :descends_from_active_record? ) && value.descends_from_active_record? && value.id ||
+        value.is_a?( Array ) && value[0].respond_to?( :descends_from_active_record? ) && value[0].descends_from_active_record? && value.map( &:id ) ||
+        value
+    end
     
     # Parses all of the defined obligation joins and defines the scope's :joins or :includes option.
     # TODO: Support non-linear association paths.  Right now, we just break down the longest path parsed.
     def rebuild_join_options!
-      joins = @proxy_options[:joins] || []
+      joins = (@proxy_options[:joins] || []) + (@proxy_options[:includes] || [])
 
-      reflections.keys.reverse.each do |path|
+      reflections.keys.each do |path|
         next if path.empty?
-        
+
         existing_join = joins.find do |join|
-          join.is_a?(Symbol) ? (join == path.first) : join.key?(path.first)
+          existing_path = join_to_path(join)
+          min_length = [existing_path.length, path.length].min
+          existing_path.first(min_length) == path.first(min_length)
         end
-        path_join = path_to_join(path)
 
-        case [existing_join.class, path_join.class]
-        when [Symbol, Hash]
-          joins.delete(existing_join)
-          joins << path_join
-        when [Hash, Hash]
-          joins.delete(existing_join)
-          joins << path_join.deep_merge(existing_join)
-        when [NilClass, Hash], [NilClass, Symbol]
-          joins << path_join
+        if existing_join
+          if join_to_path(existing_join).length < path.length
+            joins[joins.index(existing_join)] = path_to_join(path)
+          end
+        else
+          joins << path_to_join(path)
         end
       end
 
       case obligation_conditions.length
-      when 0:
+      when 0 then
         # No obligation conditions means we don't have to mess with joins or includes at all.
-      when 1:
+      when 1 then
         @proxy_options[:joins] = joins
         @proxy_options.delete( :include )
       else
@@ -277,5 +279,14 @@ module Authorization
         hash
       end
     end
+
+    def join_to_path (join)
+      case join
+      when Symbol
+        [join]
+      when Hash
+        [join.keys.first] + join_to_path(join[join.keys.first])
+      end
+    end
   end
 end

data/lib/declarative_authorization/reader.rb

@@ -24,6 +24,7 @@ module Authorization
   # Methods to be used in if_attribute statements
   # * AuthorizationRulesReader#contains,
   # * AuthorizationRulesReader#does_not_contain,
+  # * AuthorizationRulesReader#intersects_with,
   # * AuthorizationRulesReader#is,
   # * AuthorizationRulesReader#is_not,
   # * AuthorizationRulesReader#is_in,
@@ -209,22 +210,27 @@ module Authorization
       # The block form allows to describe restrictions on the permissions
       # using if_attribute.  Multiple has_permission_on statements are
       # OR'ed when evaluating the permissions.  Also, multiple if_attribute
-      # statements in one block are OR'ed.
+      # statements in one block are OR'ed if no :+join_by+ option is given
+      # (see below).  To AND conditions, either set :+join_by+ to :and or place
+      # them in one if_attribute statement.
       # 
       # Available options
       # [:+to+]
       #   A symbol or an array of symbols representing the privileges that
       #   should be granted in this statement.
+      # [:+join_by+]
+      #   Join operator to logically connect the constraint statements inside
+      #   of the has_permission_on block.  May be :+and+ or :+or+.  Defaults to :+or+.
       #
       def has_permission_on (context, options = {}, &block)
         raise DSLError, "has_permission_on only allowed in role blocks" if @current_role.nil?
-        options = {:to => []}.merge(options)
+        options = {:to => [], :join_by => :or}.merge(options)
         
         privs = options[:to] 
         privs = [privs] unless privs.is_a?(Array)
         raise DSLError, "has_permission_on either needs a block or :to option" if !block_given? and privs.empty?
         
-        rule = AuthorizationRule.new(@current_role, privs, context)
+        rule = AuthorizationRule.new(@current_role, privs, context, options[:join_by])
         @auth_rules << rule
         if block_given?
           @current_rule = rule
@@ -292,11 +298,21 @@ module Authorization
       #     end
       #   end
       # 
-      # Multiple if_attribute statements are OR'ed.
+      # Multiple attributes in one :if_attribute statement are AND'ed.
+      # Multiple if_attribute statements are OR'ed if the join operator for the
+      # has_permission_on block isn't explicitly set.  Thus, the following would
+      # require the current user either to be of the same branch AND the employee
+      # to be "changeable_by_coworker".  OR the current user has to be the
+      # employee in question.
+      #   has_permission_on :employees, :to => :manage do
+      #     if_attribute :branch => is {user.branch}, :changeable_by_coworker => true
+      #     if_attribute :id => is {user.id}
+      #   end
       #
       # Arrays and fixed values may be used directly as hash values:
-      #   if_attribute :id => 1
-      #   if_attribute :id => [1,2]
+      #   if_attribute :id   => 1
+      #   if_attribute :type => "special"
+      #   if_attribute :id   => [1,2]
       #
       def if_attribute (attr_conditions_hash)
         raise DSLError, "if_attribute only in has_permission blocks" if @current_rule.nil?
@@ -322,6 +338,18 @@ module Authorization
       # if_permitted_to associations may be nested as well:
       #   if_permitted_to :read, :branch => :company
       #
+      # To check permissions based on the current object, the attribute has to
+      # be left out:
+      #   has_permission_on :branches, :to => :manage do
+      #     if_attribute :employees => includes { user }
+      #   end
+      #   has_permission_on :branches, :to => :paint_green do
+      #     if_permitted_to :update
+      #   end
+      # Normally, one would merge those rules into one.  Deviding makes sense
+      # if additional if_attribute are used in the second rule or those rules
+      # are applied to different roles.
+      #
       # Options:
       # [:+context+]
       #   If the context of the refered object may not be infered from the
@@ -329,9 +357,11 @@ module Authorization
       #     if_permitted_to :read, :home_branch, :context => :branches
       #     if_permitted_to :read, :branch => :main_company, :context => :companies
       #
-      def if_permitted_to (privilege, attr_or_hash, options = {})
+      def if_permitted_to (privilege, attr_or_hash = nil, options = {})
         raise DSLError, "if_permitted_to only in has_permission blocks" if @current_rule.nil?
         options[:context] ||= attr_or_hash.delete(:context) if attr_or_hash.is_a?(Hash)
+        # only :context option in attr_or_hash:
+        attr_or_hash = nil if attr_or_hash.is_a?(Hash) and attr_or_hash.empty?
         @current_rule.append_attribute AttributeWithPermission.new(privilege,
             attr_or_hash, options[:context])
       end
@@ -355,10 +385,19 @@ module Authorization
         [:contains, block]
       end
 
-      # The negation of contains.
+      # The negation of contains.  Currently, query rewriting is disabled
+      # for does_not_contain.
       def does_not_contain (&block)
         [:does_not_contain, block]
       end
+
+      # In an if_attribute statement, intersects_with requires that at least
+      # one of the values has to be part of the collection specified by the
+      # if_attribute attribute.  The value block needs to evaluate to an
+      # Enumerable.  For information on the block argument, see if_attribute.
+      def intersects_with (&block)
+        [:intersects_with, block]
+      end
       
       # In an if_attribute statement, is_in says that the value has to
       # contain the attribute value.
@@ -381,7 +420,7 @@ module Authorization
           elsif !value.is_a?(Array)
             merge_hash[key] = [:is, lambda { value }]
           elsif value.is_a?(Array) and !value[0].is_a?(Symbol)
-            merge_hash[key] = [:is_in, value]
+            merge_hash[key] = [:is_in, lambda { value }]
           end
         end
         hash.merge!(merge_hash)

data/test/authorization_rules_analyzer_test.rb

@@ -0,0 +1,123 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+require File.join(File.dirname(__FILE__), %w{.. lib declarative_authorization authorization_rules_analyzer})
+
+class AuthorizationRulesAnalyzerTest < Test::Unit::TestCase
+
+  def test_analyzing_complex_rules
+    assert_nothing_raised do
+      engine, analyzer = engine_analyzer_for %{
+        authorization do
+          role :guest do
+            has_permission_on :conferences, :to => :read do
+              if_attribute :published => true
+            end
+            has_permission_on :talks, :to => :read do
+              if_permitted_to :read, :conference
+            end
+            has_permission_on :users, :to => :create
+            has_permission_on :authorization_rules, :to => :read
+            has_permission_on :authorization_usages, :to => :read
+          end
+
+          role :user do
+            includes :guest
+            has_permission_on :conference_attendees, :to => :create do
+              if_attribute :user => is {user},
+                :conference => { :published => true }
+            end
+            has_permission_on :conference_attendees, :to => :delete do
+              if_attribute :user => is {user},
+                :conference => { :attendees => contains {user} }
+            end
+            has_permission_on :talk_attendees, :to => :create do
+              if_attribute :talk => { :conference => { :attendees => contains {user} }}
+            end
+            has_permission_on :talk_attendees, :to => :delete do
+              if_attribute :user => is {user}
+            end
+          end
+
+          role :conference_organizer do
+            has_permission_on :conferences do
+              to :manage
+              # if...
+            end
+            has_permission_on [:conference_attendees, :talks, :talk_attendees], :to => :manage
+          end
+
+          role :admin do
+            has_permission_on [:conferences, :users, :talks], :to => :manage
+            has_permission_on :authorization_rules, :to => :read
+            has_permission_on :authorization_usages, :to => :read
+          end
+        end
+
+        privileges do
+          privilege :manage, :includes => [:create, :read, :update, :delete]
+          privilege :read, :includes => [:index, :show]
+          privilege :create, :includes => :new
+          privilege :update, :includes => :edit
+          privilege :delete, :includes => :destroy
+        end
+      }
+    end
+  end
+
+  def test_mergeable_rules_without_constraints
+    engine, analyzer = engine_analyzer_for %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+          has_permission_on :permissions, :to => :test2
+        end
+      end
+    }
+
+    report = analyzer.reports.find {|report| report.type == :mergeable_rules}
+    assert report
+    assert_equal 4, report.line
+  end
+
+  def test_mergeable_rules_with_in_block_to
+    assert_nothing_raised do
+      engine, analyzer = engine_analyzer_for %{
+        authorization do
+          role :test_role do
+            has_permission_on :permissions do
+              to :test
+            end
+          end
+        end
+      }
+    end
+  end
+
+  def test_no_mergeable_rules_with_constraints
+    engine, analyzer = engine_analyzer_for %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :some_attr => is {bla}
+          end
+          has_permission_on :permissions, :to => :test2 do
+            if_attribute :some_attr_2 => is {bla}
+          end
+        end
+      end
+    }
+
+    assert !analyzer.reports.find {|report| report.type == :mergeable_rules}
+  end
+
+  protected
+  def engine_analyzer_for (rules)
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse rules
+    engine = Authorization::Engine.new(reader)
+
+    analyzer = Authorization::Analyzer.new(engine)
+    analyzer.analyze rules
+
+    [engine, analyzer]
+  end
+end

data/test/authorization_test.rb

@@ -82,6 +82,42 @@ class AuthorizationTest < Test::Unit::TestCase
       engine.obligations(:test, :context => :permissions, 
           :user => MockUser.new(:test_role, :attr => 1))
   end
+
+  def test_obligations_with_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :attr => is { user.attr }
+            if_attribute :attr_2 => is { user.attr_2 }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
+  end
+
+  def test_obligations_with_deep_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
+            if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
+  end
   
   def test_obligations_with_conditions_and_empty
     reader = Authorization::Reader::DSLReader.new
@@ -390,6 +426,42 @@ class AuthorizationTest < Test::Unit::TestCase
               :user => MockUser.new(:test_role),
               :object => MockDataObject.new(:test_attr => 4))
   end
+
+  def test_attribute_intersects_with
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => intersects_with { [1,2] }
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => intersects_with { 1 }
+          end
+        end
+      end
+    }
+
+    engine = Authorization::Engine.new(reader)
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => 1 ))
+    end
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role_2),
+              :object => MockDataObject.new(:test_attrs => [1, 2] ))
+    end
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => [1,3] ))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => [3,4] ))
+  end
   
   def test_attribute_deep
     reader = Authorization::Reader::DSLReader.new
@@ -514,6 +586,137 @@ class AuthorizationTest < Test::Unit::TestCase
               :object => MockDataObject.new(:shallow_permission =>
                 MockDataObject.new(:permission => perm_data_attr_2)))
   end
+
+  def test_attribute_with_permissions_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    assert_nothing_raised do
+      engine.permit?(:test, :context => :permission_children,
+                :user => MockUser.new(:test_role),
+                :object => MockDataObject.new(:permission => nil))
+    end
+    
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => nil))
+  end
+
+  def test_attribute_with_permissions_on_self
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :another_test do
+            if_permitted_to :test
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_1)
+    assert !engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_2)
+  end
+
+  def test_attribute_with_permissions_on_self_with_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :another_test do
+            if_permitted_to :test, :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_1)
+    assert !engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_2)
+  end
+
+  def test_attribute_with_permissions_and_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test, :join_by => :and do
+            if_permitted_to :test, :permission
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
+  end
+
+  def test_attribute_with_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :test_attr => 1
+            if_attribute :test_attr_2 => 2
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
+  end
   
   def test_raise_on_if_attribute_hash_on_collection
     reader = Authorization::Reader::DSLReader.new