stffn-declarative_authorization 0.3.0 → 0.3.1

data/app/views/authorization_rules/_show_graph.erb

@@ -0,0 +1,37 @@
+<% javascript_tag do %>
+    function show_graph (privilege, context, user_ids) {
+        var params = {
+          privilege_hierarchy: 1,
+          highlight_privilege: privilege,
+          filter_contexts: context
+        };
+        if (user_ids)
+          params['user_ids[]'] = user_ids;
+        show_graph_with_params('graph', params);
+    }
+
+    var graph_params = {};
+    function show_graph_with_params (graph_id, params) {
+        graph_params[graph_id] = params;
+        base_url = "<%= graph_authorization_rules_path('svg') %>";
+        $(graph_id).data = base_url + '?' + Object.toQueryString(params);
+        $(graph_id).up().show();
+    }
+
+    function update_graph_params (graph_id, params) {
+        show_graph_with_params(graph_id,
+            $H(graph_params[graph_id] || {}).merge(params).toObject());
+    }
+
+    function toggle_graph_params (graph_id) {
+        var opts = {}
+        $A(arguments).slice(1).each(function (param) {
+          opts[param] = graph_params[graph_id][param] ? null : '1';
+        });
+        update_graph_params(graph_id, opts)
+    }
+<% end %>
+<div id="graph-container" style="display:none">
+<%= link_to_function "Hide", "$('graph-container').hide()" %><br/>
+<object id="graph" data="" type="image/svg+xml" style="max-width:100%"/>
+</div>

data/app/views/authorization_rules/_suggestion.erb

@@ -0,0 +1,9 @@
+<ul>
+  <% suggestion.changes.each do |action| %>
+    <% (action.to_a[0].is_a?(Enumerable) ? action.to_a : [action.to_a]).each do |step| %>
+      <li>
+        <%= describe_step(step.to_a, :with_removal => true) %>
+      </li>
+    <% end %>
+  <% end %>
+</ul>

data/app/views/authorization_rules/_suggestions.erb

@@ -0,0 +1,24 @@
+<h2>Suggestions</h2>
+
+<% if @approaches.length > 0 %>
+  <% if @approaches.first.changes.empty? %>
+    <p>No changes necessary.</p>
+  <% else %>
+    <p>Suggested changes (<%= link_to_function "show", "show_suggest_graph('#{serialize_changes(@approaches.first)}', '#{serialize_relevant_roles(@approaches.first)}', '#{@context}', relevant_user_ids())" %>):</p>
+    <%= render "suggestion", :object => @approaches.first %>
+  <% end %>
+<% else %>
+  <p><strong>No approach found.</strong></p>
+<% end %>
+
+<% if @approaches.length > 1 %>
+  <p <%= !params[:show_all] ? '' : 'style="display: none"' %>><a href="#" onclick="$(this).up().hide();$('more-suggestions').show();return false">Show other <%= pluralize(@approaches.length - 1, 'approach') %></a></p>
+  <div id="more-suggestions" <%= params[:show_all] ? '' : 'style="display: none"' %>>
+    <% @approaches[1..-1].each_with_index do |approach, index| %>
+      <p>
+        <%= (index + 2).ordinalize %> best approach (<%= pluralize(approach.changes.length, 'step') %>, <%= link_to_function "show", "show_suggest_graph('#{serialize_changes(approach)}', '#{serialize_relevant_roles(approach)}', '#{@context}', relevant_user_ids())" %>)
+        <%= render "suggestion", :object => approach %>
+      </p>
+    <% end %>
+  </div>
+<% end %>

data/app/views/authorization_rules/change.html.erb

@@ -0,0 +1,124 @@
+<h1>Suggestions on Authorization Rules Change</h1>
+<p><%= navigation %></p>
+<div style="display:none" id="suggest-graph-container">
+<%= link_to_function "Hide", "$(this).up().hide()", :class => 'important' %>
+<%= link_to_function "Toggle stacked roles", "toggle_graph_params('suggest-graph', 'stacked_roles');" %>
+<%= link_to_function "Toggle only users' roles", "toggle_graph_params('suggest-graph', 'only_relevant_roles');" %><br/>
+<object id="suggest-graph" data="" type="image/svg+xml" style="max-width: 98%;max-height: 95%"/>
+</div>
+<%= render 'show_graph' %>
+
+<style type="text/css">
+  .action-options label { display: block; float: left; width: 7em; padding-bottom: 0.5em }
+  .action-options select { float: left; }
+  .action-options br { clear: both; }
+  .action-options { margin-bottom: 2em }
+  .change-options { margin-bottom: 1em }
+  .change-options td.user_id { display: none }
+  .change-options td { padding-right: 1em; padding-left: 0.5em }
+  .change-options thead td { border-bottom: 1px solid lightgrey }
+  .change-options thead td.choose { text-align: center; font-weight: bold }
+  .change-options tr.permitted td.yes,
+  .change-options tr.not-permitted td.no { background: #FFE599 }
+  .submit { margin-top: 0 }
+  .submit input { font-weight: bold; font-size: 120% }
+  #suggest-result { 
+    position: absolute; left: 60%; right: 10px;
+    border-left: 2px solid grey;
+    padding-left: 1em;
+    z-index: 10;
+  }
+  #suggest-graph-container {
+    background: white; border:1px solid #ccc;
+    position:fixed; z-index: 20;
+    left:10%; bottom: 10%; right: 10%; top: 10%
+  }
+  #graph-container {
+    background: white; margin: 1em; border:1px solid #ccc;
+    max-width:50%; position:fixed; z-index: 20; right:0;
+  }
+  .unimportant, .remove { color: grey }
+  .remove { cursor: pointer }
+</style>
+<% javascript_tag do %>
+    function suggest_changes (refresh) {
+        if (!refresh)
+          $("suggest-result").innerHTML = "Searching...";
+        $("suggest-result").show();
+        new Ajax.Updater({success: 'suggest-result'}, '<%= suggest_change_authorization_rules_path %>', {
+            method: 'get',
+            onFailure: function(request) {
+                $("suggest-result").innerHTML = "Error while searching."
+            },
+            parameters: $H($('change').down('form').serialize(true)).merge(refresh ? {show_all: "true"} : {}).toQueryString()
+        });
+        if (!refresh)
+          location.hash = 'suggest-result';
+    }
+
+    function show_suggest_graph (changes, filter_roles_params, filter_context, user_ids) {
+        var params = {changes: changes, highlight_privilege: $F('privilege')};
+        if (filter_context)
+          params['filter_contexts'] = filter_context;
+        if (user_ids)
+          params['user_ids[]'] = user_ids;
+        show_graph_with_params('suggest-graph', params);
+    }
+
+    document.observe('dom:loaded', function() {
+      install_change_observers();
+    });
+
+    function install_change_observers () {
+        $$('#change select').each(function (el) {
+            el.observe('change', function (event) {
+                new Ajax.Updater({success: 'change'}, '<%= url_for %>', {
+                  parameters: { context: $F('context'), privilege: $F('privilege') },
+                  method: 'get',
+                  onComplete: function () {
+                      install_change_observers();
+                      if ($('graph-container').visible())
+                        show_current_permissions();
+                  }
+                });
+            });
+        });
+        $('prohibited_actions').observe('click', function (event) {
+          var target = event.findElement();
+          if (target.hasClassName('remove')) {
+            target.up().remove();
+            if ($('prohibited_actions').childElements().length == 0)
+              $('prohibited_actions').previous().hide();
+            suggest_changes();
+          }
+        });
+    }
+
+    function show_current_permissions () {
+        show_graph($F('privilege'), $F('context')/*, relevant_user_ids()*/);
+    }
+
+    function relevant_user_ids () {
+      return $$('#change .user_id').collect(function (el) {
+        return el.innerHTML;
+      }).reject(function (id) {
+        return $('user_' + id + '_permission_undetermined').checked;
+      });
+    }
+
+    var prohibited_action_template =
+        new Template('<li>#{description} <span class="remove">[x]</span><input type="hidden" name="prohibited_action[]" value="#{action}"></li>');
+    function prohibit_action (action, description) {
+      $('prohibited_actions').previous().show();
+      $('prohibited_actions').insert(
+          {bottom: prohibited_action_template.evaluate({action: action, description: description}) }
+      );
+      suggest_changes(true);
+    }
+<% end %>
+
+<div id="suggest-result" style="display:none"></div>
+
+<div id="change">
+  <%= render 'change' %>
+</div>

data/app/views/authorization_rules/graph.dot.erb

@@ -7,20 +7,39 @@ digraph rules {
   ranksep = "0.3"
   //concentrate = true
   rankdir = TB
+  
+  <% unless @users.blank? %>
+  {
+    rank = source
+    node [shape=polygon,style=filled,fillcolor="#eeeeee"]
+    <% @users.each do |user| %>
+    "<%= user.login %>"
+    <% end %>
+  }
+  <% end %>
+
   {
     node [shape=ellipse,style=filled]
-    //rank = source
+    <%= @stacked_roles ? '' : "rank = same" %>
     <% @roles.each do |role| %>
     "<%= role.inspect %>" [fillcolor="<%= role_fill_color(role) %>"]
     // ,URL="javascript:set_filter({roles: '<%= role %>'})"
     <% end %>
     <% @roles.each do |role| %>
-        <% (@role_hierarchy[role] || []).each do |lower_role| %>
-            "<%= role.inspect %>" -> "<%= lower_role.inspect %>" [constraint=false,arrowhead=empty]
+        <% (@role_hierarchy[role] || []).select {|lower_role| @roles.include?(lower_role)}.each do |lower_role| %>
+            "<%= role.inspect %>" -> "<%= lower_role.inspect %>" [arrowhead=empty]
         <% end %>
     <% end %>
   }
 
+  <% unless @users.blank? %>
+    <% @users.each do |user| %>
+      <% user.role_symbols.select {|role| @roles.include?(role)}.each do |role| %>
+    "<%= user.login %>" -> "<%= role.inspect %>" [color="<%= has_changed(:assign_role_to_user, role, user.login) ? '#00dd00' : (has_changed(:remove_role_from_user, role, user.login) ? '#dd0000' : '#000000') %>"]
+      <% end %>
+    <% end %>
+  <% end %>
+
   <% @contexts.each do |context| %>
     subgraph cluster_<%= context %>  {
       label = "<%= context.inspect %>"
@@ -43,7 +62,7 @@ digraph rules {
 
   <% @roles.each do |role| %>
     <% (@role_privs[role] || []).each do |context, privilege, unconditionally, attribute_string| %>
-  "<%= role.inspect %>" -> <%=  privilege %>_<%= context %> [color="<%= role_color(role) %>", minlen=3<%= ", arrowhead=opendot, URL=\"javascript:\", edgetooltip=\"#{attribute_string.gsub('"','')}\"" unless unconditionally %>]
+  "<%= role.inspect %>" -> <%=  privilege %>_<%= context %> [color="<%= privilege_color(privilege, context, role) %>", minlen=3<%= ", arrowhead=opendot, URL=\"javascript:\", edgetooltip=\"#{attribute_string.gsub('"','')}\"" unless unconditionally %>]
     <% end %>
   <% end %>
 }

data/app/views/authorization_rules/graph.html.erb

@@ -30,6 +30,7 @@
   <%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq.map(&:to_s).sort), :onchange => 'update_graph(this.form)' %>
   <%= check_box_tag "effective_role_privs", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "effective_role_privs", "Effective privileges"  %>
   <%= check_box_tag "privilege_hierarchy", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "privilege_hierarchy", "Show full privilege hierarchy"  %>
+  <%= check_box_tag "stacked_roles", "1", false, :onclick => 'update_graph(this.form)'  %> <%= label_tag "stacked_roles", "Stacked roles"  %>
   <% end %>
 </p>
 <div style="margin: 1em;border:1px solid #ccc;max-width:95%">

data/app/views/authorization_rules/index.html.erb

@@ -9,8 +9,9 @@
   pre .proc {color: #0a0;}
   pre .privilege, pre .context {font-weight: bold}
   pre .preproc, pre .comment, pre .comment span {color: grey !important;}
-  pre .note {color: #a00; position:absolute; cursor: help }
+  pre .note {color: #a00; position:absolute; cursor: help; left: 15px }
+  pre.with-notes {padding-left: 35px}
 </style>
-<pre>
+<pre class="with-notes">
 <%= policy_analysis_hints(syntax_highlight(h(@auth_rules_script)), @auth_rules_script) %>
 </pre>

data/app/views/authorization_usages/index.html.erb

@@ -1,7 +1,5 @@
 <h1>Authorization Usage</h1>
-<div style="margin: 1em;border:1px solid #ccc;max-width:50%;position:fixed;right:0;display:none">
-<object id="graph" data="<%= url_for :format => 'svg' %>" type="image/svg+xml" style="max-width:100%"/>
-</div>
+<%= render 'authorization_rules/show_graph' %>
 <p>Filter rules in actions by controller:</p>
 <p><%= navigation %></p>
 <style type="text/css">
@@ -13,15 +11,8 @@
   /*.auth-usages tr.catch-all td.privilege,*/
   .auth-usages tr.default-privilege td.privilege,
   .auth-usages tr.default-context td.context { color: #888888 }
+  #graph-container {margin: 1em; border:1px solid #ccc; max-width:50%; position:fixed; right:0;}
 </style>
-<% javascript_tag do %>
-    function show_graph (privilege, context) {
-        base_url = "<%= graph_authorization_rules_path('svg') %>";
-        $('graph').data = base_url + '?privilege_hierarchy=1&highlight_privilege=' +
-            privilege + '&filter_contexts=' + context;
-        $('graph').up().show();
-    }
-<% end %>
 <table class="auth-usages">
   <% @auth_usages_by_controller.keys.sort {|c1, c2| c1.name <=> c2.name}.each do |controller| %>
     <% default_context = controller.controller_name.to_sym rescue nil %>

data/config/routes.rb

@@ -1,6 +1,7 @@
 ActionController::Routing::Routes.draw do |map|
   if Authorization::activate_authorization_rules_browser?
-    map.resources :authorization_rules, :only => :index, :collection => {:graph => :get}
+    map.resources :authorization_rules, :only => [:index], 
+        :collection => {:graph => :get, :change => :get, :suggest_change => :get}
     map.resources :authorization_usages, :only => :index
   end
 end

data/lib/declarative_authorization/authorization.rb

@@ -58,7 +58,8 @@ module Authorization
   #
   class Engine
     attr_reader :roles, :role_titles, :role_descriptions, :privileges,
-      :privilege_hierarchy, :auth_rules, :role_hierarchy, :rev_priv_hierarchy
+      :privilege_hierarchy, :auth_rules, :role_hierarchy, :rev_priv_hierarchy,
+      :rev_role_hierarchy
     
     # If +reader+ is not given, a new one is created with the default
     # authorization configuration of +AUTH_DSL_FILE+.  If given, may be either
@@ -82,6 +83,7 @@ module Authorization
 
       @role_titles = reader.auth_rules_reader.role_titles
       @role_descriptions = reader.auth_rules_reader.role_descriptions
+      @reader = reader
       
       # {[priv, ctx] => [priv, ...]}
       @rev_priv_hierarchy = {}
@@ -91,6 +93,20 @@ module Authorization
           @rev_priv_hierarchy[val] << key
         end
       end
+      @rev_role_hierarchy = {}
+      @role_hierarchy.each do |higher_role, lower_roles|
+        lower_roles.each do |role|
+          (@rev_role_hierarchy[role] ||= []) << higher_role
+        end
+      end
+    end
+
+    def initialize_copy (from) # :nodoc:
+      [
+        :privileges, :privilege_hierarchy, :roles, :role_hierarchy, :role_titles,
+        :role_descriptions, :rev_priv_hierarchy, :rev_role_hierarchy
+      ].each {|attr| instance_variable_set(:"@#{attr}", from.send(attr).clone) }
+      @auth_rules = from.auth_rules.collect {|rule| rule.clone}
     end
     
     # Returns true if privilege is met by the current user.  Raises
@@ -143,7 +159,7 @@ module Authorization
 
       # find a authorization rule that matches for at least one of the roles and 
       # at least one of the given privileges
-      attr_validator = AttributeValidator.new(self, user, options[:object])
+      attr_validator = AttributeValidator.new(self, user, options[:object], privilege, options[:context])
       rules = matching_auth_rules(roles, privileges, options[:context])
       if rules.empty?
         raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " +
@@ -152,21 +168,8 @@ module Authorization
       end
       
       # Test each rule in turn to see whether any one of them is satisfied.
-      grant_permission = rules.any? do |rule|
-        begin
-          options[:skip_attribute_test] or
-            rule.attributes.empty? or
-            rule.attributes.send(rule.join_operator == :and ? :all? : :any?) do |attr|
-              begin
-                attr.validate?( attr_validator )
-              rescue NilAttributeValueError => e
-                nil # Bumping up against a nil attribute value flunks the rule.
-              end
-            end
-        end
-      end
-      unless grant_permission
-        raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{options[:object].inspect}."
+      unless rules.any? {|rule| rule.validate?(attr_validator, options[:skip_attribute_test])}
+        raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{(options[:object] || options[:context]).inspect}."
       end
       true
     end
@@ -201,17 +204,9 @@ module Authorization
     def obligations (privilege, options = {})
       options = {:context => nil}.merge(options)
       user, roles, privileges = user_roles_privleges_from_options(privilege, options)
-      attr_validator = AttributeValidator.new(self, user, nil, options[:context])
+      attr_validator = AttributeValidator.new(self, user, nil, privilege, options[:context])
       matching_auth_rules(roles, privileges, options[:context]).collect do |rule|
-        obligations = rule.attributes.collect {|attr| attr.obligation(attr_validator) }
-        if rule.join_operator == :and and !obligations.empty?
-          merged_obligation = obligations.first
-          obligations[1..-1].each do |obligation|
-            merged_obligation = merged_obligation.deep_merge(obligation)
-          end
-          obligations = [merged_obligation]
-        end
-        obligations.empty? ? [{}] : obligations
+        rule.obligations(attr_validator)
       end.flatten
     end
     
@@ -263,11 +258,12 @@ module Authorization
     end
     
     class AttributeValidator # :nodoc:
-      attr_reader :user, :object, :engine, :context
-      def initialize (engine, user, object = nil, context = nil)
+      attr_reader :user, :object, :engine, :context, :privilege
+      def initialize (engine, user, object = nil, privilege = nil, context = nil)
         @engine = engine
         @user = user
         @object = object
+        @privilege = privilege
         @context = context
       end
       
@@ -281,15 +277,16 @@ module Authorization
     def user_roles_privleges_from_options(privilege, options)
       options = {
         :user => nil,
-        :context => nil
+        :context => nil,
+        :user_roles => nil
       }.merge(options)
       user = options[:user] || Authorization.current_user
       privileges = privilege.is_a?(Array) ? privilege : [privilege]
       
-      raise AuthorizationUsageError, "No user object given (#{user.inspect})" \
-        unless user
+      raise AuthorizationUsageError, "No user object given (#{user.inspect}) or " +
+        "set through Authorization.current_user" unless user
 
-      roles = flatten_roles(roles_for(user))
+      roles = options[:user_roles] || flatten_roles(roles_for(user))
       privileges = flatten_privileges privileges, options[:context]
       [user, roles, privileges]
     end
@@ -329,14 +326,24 @@ module Authorization
   end
   
   class AuthorizationRule
-    attr_reader :attributes, :contexts, :role, :privileges, :join_operator
+    attr_reader :attributes, :contexts, :role, :privileges, :join_operator,
+        :source_file, :source_line
     
-    def initialize (role, privileges = [], contexts = nil, join_operator = :or)
+    def initialize (role, privileges = [], contexts = nil, join_operator = :or,
+          options = {})
       @role = role
       @privileges = Set.new(privileges)
       @contexts = Set.new((contexts && !contexts.is_a?(Array) ? [contexts] : contexts))
       @join_operator = join_operator
       @attributes = []
+      @source_file = options[:source_file]
+      @source_line = options[:source_line]
+    end
+
+    def initialize_copy (from)
+      @privileges = @privileges.clone
+      @contexts = @contexts.clone
+      @attributes = @attributes.collect {|attribute| attribute.clone }
     end
     
     def append_privileges (privs)
@@ -353,6 +360,29 @@ module Authorization
         not (@privileges & privs).empty?
     end
 
+    def validate? (attr_validator, skip_attribute = false)
+      skip_attribute or @attributes.empty? or
+        @attributes.send(@join_operator == :and ? :all? : :any?) do |attr|
+          begin
+            attr.validate?(attr_validator)
+          rescue NilAttributeValueError => e
+            nil # Bumping up against a nil attribute value flunks the rule.
+          end
+        end
+    end
+
+    def obligations (attr_validator)
+      obligations = @attributes.collect {|attr| attr.obligation(attr_validator) }.flatten
+      if @join_operator == :and and !obligations.empty?
+        merged_obligation = obligations.first
+        obligations[1..-1].each do |obligation|
+          merged_obligation = merged_obligation.deep_merge(obligation)
+        end
+        obligations = [merged_obligation]
+      end
+      obligations.empty? ? [{}] : obligations
+    end
+
     def to_long_s
       attributes.collect {|attr| attr.to_long_s } * "; "
     end
@@ -365,6 +395,10 @@ module Authorization
     def initialize (conditions_hash)
       @conditions_hash = conditions_hash
     end
+
+    def initialize_copy (from)
+      @conditions_hash = deep_hash_clone(@conditions_hash)
+    end
     
     def validate? (attr_validator, object = nil, hash = nil)
       object ||= attr_validator.object
@@ -480,6 +514,20 @@ module Authorization
          "#{object.inspect} for validating attribute: #{e}"
       end
     end
+
+    def deep_hash_clone (hash)
+      hash.inject({}) do |memo, (key, val)|
+        memo[key] = case val
+                    when Hash
+                      deep_hash_clone(val)
+                    when NilClass, Symbol
+                      val
+                    else
+                      val.clone
+                    end
+        memo
+      end
+    end
   end
 
   # An attribute condition that uses existing rules to decide validation
@@ -493,6 +541,10 @@ module Authorization
       @attr_hash = attr_or_hash
     end
 
+    def initialize_copy (from)
+      @attr_hash = deep_hash_clone(@attr_hash) if @attr_hash.is_a?(Hash)
+    end
+
     def validate? (attr_validator, object = nil, hash_or_attr = nil)
       object ||= attr_validator.object
       hash_or_attr ||= @attr_hash