stffn-declarative_authorization 0.2.4 → 0.2.5

data/CHANGELOG

@@ -1,5 +1,21 @@
+* New option :join_by for has_permission_on to allow AND'ing of statements in one has_permission_on block
+
+* Allow using_access_control to be called directly on ActiveRecord::Base, globally enabling model security
+
+* New operator:  intersects_with, comparing two Enumerables in if_attribute
+
+* Improved if_permitted_to syntax:  if the attribute is left out, permissions are checked on for the current object
+
+* Added #has_role_with_hierarchy? method to retrieve explicit and calculated roles [jeremyf]
+
+* Added a simple rules analyzer to help improve authorization rules [sb]
+
+* Gemified plugin.  Needed to restructure the lib path contents [sb]
+
 * Added handling of Authorization::AuthorizationInController::ClassMethods.filter_access_to parameters that are of the form [:show, :update] instead of just :show, :update. [jeremyf]
 
+* Added authorization usage helper for checking filter_access_to usage in controllers [sb]
+
 * Added a authorization rules browser.  See README for more information [sb]
 
 * Added Model.using_access_control? to check if a model has model security activated [sb]

data/README.rdoc

@@ -31,7 +31,8 @@ Plugin features
 Requirements
 * An authentication mechanism 
   * User object in Controller#current_user
-* User object needs to respond to a method :role_symbols that returns an 
+  * (For model security) Setting Authorization.current_user
+* User objects need to respond to a method :role_symbols that returns an
   array of role symbols
 See below for installation instructions.
 
@@ -362,6 +363,7 @@ The requirements are
 * An authentication mechanism 
 * A user object returned by controller.current_user
 * An array of role symbols returned by user.role_symbols
+* (For model security) Setting Authorization.current_user to the request's user
 
 Of the various ways to provide these requirements, here is one way employing
 restful_authentication.
@@ -467,7 +469,10 @@ sbartsch at tzi.org
 = Contributors
 
 Thanks to
+* Erik Dahlstrand
+* Jeremy Friesen
 * Brian Langenfeld
+* Geoff Longman
 * Mark Mansour
 * Mike Vincent
 

data/app/controllers/authorization_rules_controller.rb

@@ -1,5 +1,7 @@
 if Authorization::activate_authorization_rules_browser?
 
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization authorization_rules_analyzer})
+
 begin
   # for nice auth_rules output:
   require "parse_tree"
@@ -81,7 +83,7 @@ class AuthorizationRulesController < ApplicationController
   end
   
   def dot_to_svg (dot_data)
-    gv = IO.popen("/usr/bin/dot -q -Tsvg", "w+")
+    gv = IO.popen("#{Authorization.dot_path} -q -Tsvg", "w+")
     gv.puts dot_data
     gv.close_write
     gv.read
@@ -100,4 +102,6 @@ class AuthorizationRulesController < ApplicationController
   end
 end
 
+else
+class AuthorizationRulesController < ApplicationController; end
 end # activate_authorization_rules_browser?

data/app/controllers/authorization_usages_controller.rb

@@ -1,6 +1,6 @@
 if Authorization::activate_authorization_rules_browser?
 
-require File.join(File.dirname(__FILE__), %w{.. .. lib maintenance})
+require File.join(File.dirname(__FILE__), %w{.. .. lib declarative_authorization maintenance})
 
 class AuthorizationUsagesController < ApplicationController
   helper :authorization_rules
@@ -16,4 +16,6 @@ class AuthorizationUsagesController < ApplicationController
   end
 end
 
+else
+class AuthorizationUsagesController < ApplicationController; end
 end # activate_authorization_rules_browser?

data/app/helpers/authorization_rules_helper.rb

@@ -21,6 +21,22 @@ module AuthorizationRulesHelper
     end
     rules
   end
+
+  def policy_analysis_hints (marked_up, policy_data)
+    analyzer = Authorization::Analyzer.new(controller.authorization_engine)
+    analyzer.analyze(policy_data)
+    marked_up_by_line = marked_up.split("\n")
+    reports_by_line = analyzer.reports.inject({}) do |memo, report|
+      memo[report.line] ||= []
+      memo[report.line] << report
+      memo
+    end
+    reports_by_line.each do |line, reports|
+      note = %Q{<span class="note" title="#{reports.first.type}: #{reports.first.message}">[i]</span>}
+      marked_up_by_line[line - 1] = note + marked_up_by_line[line - 1]
+    end
+    marked_up_by_line * "\n"
+  end
   
   def link_to_graph (title, options = {})
     type = options[:type] || ''

data/app/views/authorization_rules/index.html.erb

@@ -9,7 +9,8 @@
   pre .proc {color: #0a0;}
   pre .privilege, pre .context {font-weight: bold}
   pre .preproc, pre .comment, pre .comment span {color: grey !important;}
+  pre .note {color: #a00; position:absolute; cursor: help }
 </style>
 <pre>
-<%= syntax_highlight(h(@auth_rules_script)) %>
+<%= policy_analysis_hints(syntax_highlight(h(@auth_rules_script)), @auth_rules_script) %>
 </pre>

data/lib/declarative_authorization/authorization.rb

@@ -42,6 +42,15 @@ module Authorization
   def self.activate_authorization_rules_browser? # :nodoc:
     ::RAILS_ENV == 'development'
   end
+
+  @@dot_path = "dot"
+  def self.dot_path
+    @@dot_path
+  end
+
+  def self.dot_path= (path)
+    @@dot_path = path
+  end
   
   # Authorization::Engine implements the reference monitor.  It may be used
   # for querying the permission and retrieving obligations under which
@@ -147,7 +156,7 @@ module Authorization
         begin
           options[:skip_attribute_test] or
             rule.attributes.empty? or
-            rule.attributes.any? do |attr|
+            rule.attributes.send(rule.join_operator == :and ? :all? : :any?) do |attr|
               begin
                 attr.validate?( attr_validator )
               rescue NilAttributeValueError => e
@@ -192,10 +201,17 @@ module Authorization
     def obligations (privilege, options = {})
       options = {:context => nil}.merge(options)
       user, roles, privileges = user_roles_privleges_from_options(privilege, options)
-      attr_validator = AttributeValidator.new(self, user)
+      attr_validator = AttributeValidator.new(self, user, nil, options[:context])
       matching_auth_rules(roles, privileges, options[:context]).collect do |rule|
-        obligation = rule.attributes.collect {|attr| attr.obligation(attr_validator) }
-        obligation.empty? ? [{}] : obligation
+        obligations = rule.attributes.collect {|attr| attr.obligation(attr_validator) }
+        if rule.join_operator == :and and !obligations.empty?
+          merged_obligation = obligations.first
+          obligations[1..-1].each do |obligation|
+            merged_obligation = merged_obligation.deep_merge(obligation)
+          end
+          obligations = [merged_obligation]
+        end
+        obligations.empty? ? [{}] : obligations
       end.flatten
     end
     
@@ -230,6 +246,11 @@ module Authorization
       (roles.empty? ? [:guest] : roles)
     end
     
+    # Returns the role symbols and inherritted role symbols for the given user
+    def roles_with_hierarchy_for(user)
+      flatten_roles(roles_for(user))
+    end
+    
     # Returns an instance of Engine, which is created if there isn't one
     # yet.  If +dsl_file+ is given, it is passed on to Engine.new and 
     # a new instance is always created.
@@ -242,11 +263,12 @@ module Authorization
     end
     
     class AttributeValidator # :nodoc:
-      attr_reader :user, :object, :engine
-      def initialize (engine, user, object = nil)
+      attr_reader :user, :object, :engine, :context
+      def initialize (engine, user, object = nil, context = nil)
         @engine = engine
         @user = user
         @object = object
+        @context = context
       end
       
       def evaluate (value_block)
@@ -307,12 +329,13 @@ module Authorization
   end
   
   class AuthorizationRule
-    attr_reader :attributes, :contexts, :role, :privileges
+    attr_reader :attributes, :contexts, :role, :privileges, :join_operator
     
-    def initialize (role, privileges = [], contexts = nil)
+    def initialize (role, privileges = [], contexts = nil, join_operator = :or)
       @role = role
       @privileges = Set.new(privileges)
       @contexts = Set.new((contexts && !contexts.is_a?(Array) ? [contexts] : contexts))
+      @join_operator = join_operator
       @attributes = []
     end
     
@@ -370,13 +393,45 @@ module Authorization
           when :is_not
             attr_value != evaluated
           when :contains
-            attr_value.include?(evaluated)
+            begin
+              attr_value.include?(evaluated)
+            rescue NoMethodError => e
+              raise AuthorizationUsageError, "Operator contains requires a " +
+                  "subclass of Enumerable as attribute value, got: #{attr_value.inspect} " +
+                  "contains #{evaluated.inspect}: #{e}"
+            end
           when :does_not_contain
-            !attr_value.include?(evaluated)
+            begin
+              !attr_value.include?(evaluated)
+            rescue NoMethodError => e
+              raise AuthorizationUsageError, "Operator does_not_contain requires a " +
+                  "subclass of Enumerable as attribute value, got: #{attr_value.inspect} " +
+                  "does_not_contain #{evaluated.inspect}: #{e}"
+            end
+          when :intersects_with
+            begin
+              !(evaluated.to_set & attr_value.to_set).empty?
+            rescue NoMethodError => e
+              raise AuthorizationUsageError, "Operator intersects_with requires " +
+                  "subclasses of Enumerable, got: #{attr_value.inspect} " +
+                  "intersects_with #{evaluated.inspect}: #{e}"
+            end
           when :is_in
-            evaluated.include?(attr_value)
+            begin
+              evaluated.include?(attr_value)
+            rescue NoMethodError => e
+              raise AuthorizationUsageError, "Operator is_in requires a " +
+                  "subclass of Enumerable as value, got: #{attr_value.inspect} " +
+                  "is_in #{evaluated.inspect}: #{e}"
+            end
           when :is_not_in
-            !evaluated.include?(attr_value)
+            begin
+              !evaluated.include?(attr_value)
+            rescue NoMethodError => e
+              raise AuthorizationUsageError, "Operator is_not_in requires a " +
+                  "subclass of Enumerable as value, got: #{attr_value.inspect} " +
+                  "is_not_in #{evaluated.inspect}: #{e}"
+            end
           else
             raise AuthorizationError, "Unknown operator #{value[0]}"
           end
@@ -446,15 +501,20 @@ module Authorization
       case hash_or_attr
       when Symbol
         attr_value = object_attribute_value(object, hash_or_attr)
+        if attr_value.nil?
+          raise NilAttributeValueError, "Attribute #{hash_or_attr.inspect} is nil in #{object.inspect}."
+        end
         attr_validator.engine.permit? @privilege, :object => attr_value, :user => attr_validator.user
       when Hash
         hash_or_attr.all? do |attr, sub_hash|
           attr_value = object_attribute_value(object, attr)
           if attr_value.nil?
-            raise AuthorizationError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
+            raise NilAttributeValueError, "Attribute #{attr.inspect} is nil in #{object.inspect}."
           end
           validate?(attr_validator, attr_value, sub_hash)
         end
+      when NilClass
+        attr_validator.engine.permit? @privilege, :object => object, :user => attr_validator.user
       else
         raise AuthorizationError, "Wrong conditions hash format: #{hash_or_attr.inspect}"
       end
@@ -494,6 +554,10 @@ module Authorization
           end.flatten
         end
         obligations
+      when NilClass
+        attr_validator.engine.obligations(@privilege,
+            :context => attr_validator.context,
+            :user    => attr_validator.user)
       else
         raise AuthorizationError, "Wrong conditions hash format: #{hash_or_attr.inspect}"
       end

data/lib/declarative_authorization/authorization_rules_analyzer.rb

@@ -0,0 +1,138 @@
+begin
+  require "ruby_parser"
+  #require "parse_tree"
+  #require "parse_tree_extensions"
+  require "sexp_processor"
+rescue LoadError
+  raise "Authorization::Analyzer requires ruby_parser gem"
+end
+
+module Authorization
+
+  class Analyzer
+    attr_reader :engine
+
+    def initialize (engine)
+      @engine = engine
+    end
+
+    def analyze (rules)
+      sexp_array = RubyParser.new.parse(rules)
+      #sexp_array = ParseTree.translate(rules)
+      @reports = []
+      [MergeableRulesProcessor].each do |parser|
+        parser.new(self).analyze(sexp_array)
+      end
+      #p @reports
+    end
+
+    def reports
+      @reports or raise "No rules analyzed!"
+    end
+
+    class GeneralAuthorizationProcessor < SexpProcessor
+      def initialize(analyzer)
+        super()
+        self.auto_shift_type = true
+        self.require_empty = false
+        self.strict = false
+        @analyzer = analyzer
+      end
+
+      def analyze (sexp_array)
+        process(sexp_array)
+        analyze_rules
+      end
+
+      def analyze_rules
+        # to be implemented by specific processor
+      end
+
+      def process_iter (exp)
+        s(:iter, process(exp.shift), process(exp.shift), process(exp.shift))
+      end
+
+      def process_arglist (exp)
+        s(exp.collect {|inner_exp| process(inner_exp).shift})
+      end
+
+      def process_hash (exp)
+        s(Hash[*exp.collect {|inner_exp| process(inner_exp).shift}])
+      end
+
+      def process_lit (exp)
+        s(exp.shift)
+      end
+    end
+
+    class MergeableRulesProcessor < GeneralAuthorizationProcessor
+      def analyze_rules
+        if @has_permission
+          #p @has_permission
+          permissions_by_context_and_rules = @has_permission.inject({}) do |memo, permission|
+            key = [permission[:context], permission[:rules]]
+            memo[key] ||= []
+            memo[key] << permission
+            memo
+          end
+
+          permissions_by_context_and_rules.each do |key, rules|
+            if rules.length > 1
+              rule_lines = rules.collect {|rule| rule[:line] }
+              rules.each do |rule|
+                @analyzer.reports << Report.new(:mergeable_rules, "", rule[:line],
+                  "Similar rules already in line(s) " +
+                      rule_lines.reject {|l| l == rule[:line] } * ", ")
+              end
+            end
+          end
+        end
+      end
+
+      def process_call (exp)
+        klass = exp.shift
+        name = exp.shift
+        case name
+        when :role
+          analyze_rules
+          @has_permission = []
+          s(:call, klass, name)
+        when :has_permission_on
+          arglist_line = exp[0].line
+          arglist = process(exp.shift).shift
+          context = arglist.shift
+          args_hash = arglist.shift
+          @has_permission << {
+            :context => context,
+            :rules => [],
+            :privilege => args_hash && args_hash[:to],
+            # a hack: call exp line seems to be wrong
+            :line => arglist_line
+          }
+          s(:call, klass, name)
+        when :to
+          @has_permission.last[:privilege] = process(exp.shift).shift if @has_permission
+          s(:call, klass, name)
+        when :if_attribute
+          @in_if_attribute = true
+          rules = process(exp.shift).shift
+          @has_permission.last[:rules] << rules if @has_permission
+          @in_if_attribute = false
+          s(:call, klass, name)
+        else
+          s(:call, klass, name, process(exp.shift))
+        end
+      end
+    end
+
+    class Report
+      attr_reader :type, :filename, :line, :message
+      def initialize (type, filename, line, msg)
+        @type = type
+        @filename = filename
+        @line = line
+        @message = msg
+      end
+    end
+  end
+end

data/lib/declarative_authorization/helper.rb

@@ -47,5 +47,10 @@ module Authorization
     def has_role? (*roles, &block)
       controller.has_role?(*roles, &block)
     end
+    
+    # As has_role? except checks all roles included in the role hierarchy
+    def has_role_with_hierarchy?(*roles, &block)
+      controller.has_role_with_hierarchy?(*roles, &block)
+    end
   end
 end

data/lib/declarative_authorization/in_controller.rb

@@ -69,6 +69,17 @@ module Authorization
       result
     end
     
+    # As has_role? except checks all roles included in the role hierarchy
+    def has_role_with_hierarchy?(*roles, &block)
+      user_roles = authorization_engine.roles_with_hierarchy_for(current_user)
+      result = roles.all? do |role|
+        user_roles.include?(role)
+      end
+      yield if result and block_given?
+      result
+    end
+    
+    
     protected
     def filter_access_filter # :nodoc:
       permissions = self.class.all_filter_access_permissions