strongbolt 0.3.6

data/lib/strongbolt/tenantable.rb

@@ -0,0 +1,304 @@
+module Strongbolt
+  module Tenantable
+    module ClassMethods
+
+      def tenant?() (@tenant.present? && @tenant) || Strongbolt.tenants.include?(name); end
+
+      #
+      # Returns associations potential name
+      #
+      def singular_association_name
+        @singular_association_name ||= self.name.demodulize.underscore.to_sym
+      end
+      def plural_association_name
+        @plural_association_name ||= self.name.demodulize.underscore.pluralize.to_sym
+      end
+
+      private
+
+      #
+      # Specifies that the class can be tenanted
+      # It will traverse all the has_many relationships
+      # and add a has_one :tenant if not specified
+      #
+      def tenant opts = {}
+        # Stops if already configured
+        return if tenant?
+
+        Strongbolt.logger.debug "-------------------------------------------------------------------\n" +
+          "Configuring tenant #{self.name}\n" +
+          "-------------------------------------------------------------------\n\n"
+        #
+        # We're traversing using BFS the relationships
+        #
+        # Keep track of traversed models and their relationship to the tenant
+        @models_traversed = {self.name => self}
+        # File of models/associations to traverse
+        models_to_traverse = reflect_on_all_associations
+        while models_to_traverse.size > 0
+          # BFS search, shiftin first elt of array (older)
+          current_association = models_to_traverse.shift
+          # We don't check has_many :through association,
+          # only first degree relationships. It makes sense as we'll
+          # obviously also be checking the models concerned with the through
+          # relationship, using the intermediate model before.
+
+          # So unless we've already traversed this model, or that's a through relationship
+          # or a polymorphic association
+          # Also we don't go following belongs_to relationship, it becomes crazy
+          if should_visit? current_association
+            # We setup the model using the association given
+            method = setup_model(current_association)
+            # We flag the model, storing the name of the method used to link to tenant
+            @models_traversed[current_association.klass.name] = method
+            # And add its relationships into the array, at the end, if method not nil
+            if method.present?
+              models_to_traverse.concat current_association.klass.reflect_on_all_associations
+            end
+          end
+        end
+
+        # We add models name to Configuration
+        Strongbolt::Configuration.models = @models_traversed.keys
+
+        create_users_tenant_subclass
+        setup_association_on_user
+
+        @tenant = true
+      end
+
+      #
+      # Setup a model and returns the method name in symbol of the
+      # implemented link to the tenant
+      #
+      def setup_model association
+        # Source class
+        original_class = association.active_record
+        # Current class
+        klass = association.klass
+        # Get the link of original class to tenant
+        link = @models_traversed[original_class.name]
+
+        # If the original class is the actual tenant, it should have defined
+        # the reverse association as we cannot guess it
+        if original_class == self
+          # Inverse association
+          inverse = inverse_of(association)
+          # We first check the model doesn't have an association already created to the tenant
+          # We may have one but with a different name, and we don't care
+          if inverse.present?
+            assoc = inverse.name
+          else
+            raise DirectAssociationNotConfigured, "Class #{klass.name} is 1 degree from #{self.name} but the association isn't configured, you should implement it before using tenant method"
+          end
+        
+        # The coming class has a relationship to the tenant
+        else
+          # If already created, we don't need to go further
+          return singular_association_name if klass.new.respond_to?(singular_association_name)
+          return plural_association_name if klass.new.respond_to?(plural_association_name)
+          
+          # Inverse association
+          inverse = inverse_of(association)
+          
+          # If no inverse, we cannot go further
+          if inverse.nil?
+            raise InverseAssociationNotConfigured, "Assocation #{association.name} on #{association.klass.name} could not be configured correctly as no inverse has been found"
+          elsif inverse.options.has_key? :polymorphic
+            return nil
+          end
+            
+
+          # Common options
+          options = {
+            through: inverse.name,
+            autosave: false
+          }
+          
+          # If the target is linked through some sort of has_many
+          if link == plural_association_name || inverse.collection?
+            # Has many
+            assoc = plural_association_name
+            # Setup the association
+            # Setup the scope with_name_of_plural_associations
+            # Current tenant table name
+            klass.has_many assoc, options
+            
+            Strongbolt.logger.debug "#{klass.name} has_many #{plural_association_name} through: #{options[:through]}\n\n"
+
+          # Otherwise, it's linked through a has one
+          else
+            # Has one
+            assoc = singular_association_name
+            # Setup the association
+            # Setup the scope with_name_of_plural_associations
+            klass.has_one assoc, options
+            
+            Strongbolt.logger.debug "#{klass.name} has_one #{singular_association_name} through: #{options[:through]}\n\n"
+          end
+        end
+
+        #
+        # Now includes scopes
+        #
+        klass.class_exec(plural_association_name, assoc, table_name) do |plur, assoc, table_name|
+          scope "with_#{plur}", -> { includes assoc }
+
+          scope "where_#{plur}_among", ->(values) do
+              if values.is_a? Array
+                # If objects
+                values = values.map(&:id) if values.first.respond_to? :id
+              else
+                # If object
+                values = values.id if values.respond_to?(:id)
+              end
+
+              includes(assoc).where(table_name => {id: values})
+            end
+        end
+
+        # And return name of association
+        return assoc
+      end #/setup_model
+
+
+      #
+      # The initial idea of using a polymorphic association on UsersTenant
+      # leads to some problems* when the tenant is a subclass of a STI schema
+      # and not the whole schema. Using instead STI for the UsersTenant model
+      # allows to achieve the same results without the edge effects.
+      #
+      # *For instance, let's say we have a Resource STI model, with Client
+      # and User as subclasses. Client is a tenant, User is not.
+      # If using the original idea of polymorphic association on UsersTenant,
+      # Helpers like user.client_ids = [5] wouldn't work.
+      # This comes from the fact that AR use the base_class name of the STI model
+      # and not the actual class name to be stored in the _type column.
+      #
+      #
+      def create_users_tenant_subclass
+        unless Strongbolt.const_defined?("Users#{self.name}")
+          users_tenant_subclass = Class.new(Strongbolt::UsersTenant)
+          users_tenant_subclass.class_eval <<-RUBY
+            # Ensures permissions on UsersTenant are applied here
+            authorize_as "Strongbolt::UsersTenant"
+            # The association to the actual tenant model
+            belongs_to :#{singular_association_name},
+              :foreign_key => :tenant_id,
+              :class_name => "#{self.name}"
+
+            # We have to create this association every time to have
+            # The correct inverse_of
+            belongs_to :user, class_name: Configuration.user_class,
+              :inverse_of => :users_#{plural_association_name}
+
+            validates :#{singular_association_name}, :presence => true
+          RUBY
+          Strongbolt.const_set "Users#{self.name}", users_tenant_subclass
+        end
+      end #/create_users_tenant_subclass
+
+      #
+      # Setups the has_many thru association on the User class
+      #
+      def setup_association_on_user
+        begin
+          user_class = Configuration.user_class.constantize
+
+          # Setup the association
+          # The first one should never be there before
+          user_class.has_many :"users_#{plural_association_name}",
+            :class_name => "Strongbolt::Users#{self.name}",
+            :inverse_of => :user,
+            :dependent => :delete_all,
+            :foreign_key => :user_id
+
+          # This one may have been overriden by the developer
+          unless user_class.respond_to? plural_association_name
+            user_class.has_many plural_association_name,
+              :source => :"#{singular_association_name}",
+              :class_name => self.name,
+              :through => :"users_#{plural_association_name}"
+          end
+
+          # Setup a quick method to get accessible clients directly
+          unless user_class.respond_to? "accessible_#{plural_association_name}"
+            user_class.class_exec(self, plural_association_name) do |klass, plur|
+              define_method "accessible_#{plur}" do
+                # If can find ALL the tenants
+                if can? :find, klass, :any, true
+                  # Then it can access all of them
+                  klass.all
+                else
+                  # Otherwise, only the ones he manages
+                  send plur
+                end
+              end
+            end
+          end
+        rescue NameError => e
+          Strongbolt.logger.error "User #{Configuration.user_class} could not have his association to tenant #{name} created"
+        end
+      end #/setup_association_on_user
+
+      #
+      # Returns the inverse of specified association, using what's given
+      # as inverse_of or trying to guess it
+      #
+      def inverse_of association
+        # If specified in association configuration
+        return association.inverse_of if association.has_inverse?
+
+        polymorphic_associations = []
+
+        # Else we need to find it, using the class as reference
+        association.klass.reflect_on_all_associations.each do |assoc|
+          # If the association is polymorphic
+          if assoc.options.has_key? :polymorphic
+            polymorphic_associations << assoc
+
+          # If same class than the original source of the association
+          elsif assoc.klass == association.active_record
+
+            Strongbolt.logger.debug "Selected inverse of #{association.name} between #{association.active_record} " +
+              "and #{association.klass} is #{assoc.name}.\n " +
+              "If not, please configure manually the inverse of #{association.name}\n"
+
+            return assoc
+          end
+        end
+
+        if polymorphic_associations.size == 1
+          return polymorphic_associations.first
+        end
+
+        return nil
+      end
+
+      #
+      # Returns true if should visit the association
+      #
+      # The BFS should visit the next model if the model hasn't been visited yet
+      # or was already visited but through a polymorphic association (hence no inverse)
+      # if the model is a HasMany, HasManyAndBelongsTo or HasOne association (ie no BelongsTo)
+      # and not HasManyThrough, unless it's AR v >= 4.1.0 && < 4.2.0 where
+      # they define a HasManyAndBelongsTo as a HasManyThrough in the reflections
+      #
+      def should_visit? association
+        ! (association.is_a?(ActiveRecord::Reflection::ThroughReflection) ||
+            association.macro == :belongs_to ||
+            (@models_traversed.has_key?(association.klass.name) &&
+              @models_traversed[association.klass.name].present?) )
+      end
+
+    end
+    
+    module InstanceMethods
+    end
+    
+    def self.included(receiver)
+      receiver.extend         ClassMethods
+      receiver.send :include, InstanceMethods
+    end
+  end
+end

data/lib/strongbolt/user_abilities.rb

@@ -0,0 +1,292 @@
+module Strongbolt
+  module UserAbilities
+    module ClassMethods
+      
+    end
+    
+    module InstanceMethods
+      #----------------------------------------------------------#
+      #                                                          #
+      #  Returns all the user's capabilities plus inherited ones #
+      #                                                          #
+      #----------------------------------------------------------#
+      def capabilities
+        @capabilities_cache ||= Strongbolt::Capability.unscoped.joins(:roles)
+          .joins('INNER JOIN strongbolt_roles as children_roles ON strongbolt_roles.lft <= children_roles.lft AND children_roles.rgt <= strongbolt_roles.rgt')
+          .joins('INNER JOIN strongbolt_roles_user_groups rug ON rug.role_id = children_roles.id')
+          .joins('INNER JOIN strongbolt_user_groups_users ugu ON ugu.user_group_id = rug.user_group_id')
+          .where('ugu.user_id = ?', self.id).distinct.to_a.concat(Strongbolt.default_capabilities)
+      end
+
+      #
+      # Adds a managed tenant to the user
+      #
+      def add_tenant tenant
+        sing_tenant_name = tenant.class.name.demodulize.underscore
+        send("users_#{sing_tenant_name.pluralize}").create! sing_tenant_name => tenant
+        # users_tenants.create! tenant: tenant
+      end
+
+      #
+      # Main method for user, used to check whether the user
+      # is authorized to perform a certain action on an instance/class
+      #
+      def can? action, instance, attrs = :any, all_instance = false
+        without_grant do
+      
+          # Get the actual instance if we were given AR
+          instance = instance.try(:first) if instance.is_a?(ActiveRecord::Relation)
+          return false if instance.nil?
+          
+          # We require this to be an *existing* user, that the action and attribute be symbols
+          # and that the instance is a class or a String
+          raise ArgumentError, "Action must be a symbol and instance must be Class, String, Symbol or AR" unless self.id.present? && action.is_a?(Symbol) && 
+             (instance.is_a?(ActiveRecord::Base) || instance.is_a?(Class) || instance.is_a?(String)) && attrs.is_a?(Symbol)
+        
+          # Pre-populate all the capabilities into a results cache for quick lookup. Permissions for all "non-owned" objects are
+          # immediately available; additional lookups are required for owned objects (e.g. User, CheckoutBag, etc.).
+          # The results cache key is formatted as "action model attribute" (attribute can be any, all or an actual attribute)
+          # -any, all, an ID, or "owned" (if the ID will be verified later) is appended to the key based on which instances
+          # a user has access to
+          populate_capabilities_cache unless @results_cache.present?
+          # Determine the model name and the actual model (if we need to traverse the hierarchy)
+          if instance.is_a?(ActiveRecord::Base)
+            model = instance.class
+            model_name = model.name_for_authorization
+          elsif instance.is_a?(Class)
+            model = instance
+            model_name = model.name_for_authorization
+          else
+            model = nil # We could do model_name.constantize, but there's a big cost to doing this
+                        # if we don't need it, so just defer until we determine there's an actual need
+            model_name = instance
+          end
+          
+          # Look up the various possible valid entries in the cache that would allow us to see this
+          return capability_in_cache?(action, instance, model_name, attrs, all_instance)
+
+        end #end w/o grant   
+      end
+
+      #
+      # Convenient method
+      #
+      def cannot? *args
+        !can? *args
+      end
+
+      #
+      # Checks if the user owns the instance given
+      #
+      def owns? instance
+        raise ArgumentError unless instance.is_a?(Object) && !instance.is_a?(Class)
+        # If the user id is set, does this (a) user id match the user_id field of the instance
+        # or (b) if this is a User instance, does the user id match the instance id?
+        key = instance.is_a?(User) ? :id : :user_id
+        return !id.nil? && instance.try(key) == id
+      end
+
+
+
+      #
+      # Populate the capabilities cache
+      #
+      def populate_capabilities_cache
+        beginning = Time.now
+        
+        @results_cache ||= {}
+        @model_ancestor_cache ||= {}
+
+        # User can find itself by default
+        @results_cache["findUserany-any"] = true
+        @results_cache["findUserany-#{id}"] = true
+        
+        #
+        # Store every capability fetched
+        #
+        capabilities.each do |capability|
+
+          k = "#{capability.action}#{capability.model}"
+          attr_k = capability.attr || 'all'
+          
+          @results_cache["#{k}#{attr_k}-any"] = true
+          @results_cache["#{k}any-any"] = true
+
+          if capability.require_ownership
+            user_id = self.try(:id)
+            # We can use the ID of the User object for the key here because
+            # there's only one of them
+            if capability.model == Strongbolt::Configuration.user_class
+              @results_cache["#{k}#{attr_k}-#{user_id}"] = true
+              @results_cache["#{k}any-#{user_id}"] = true
+            else
+            # On the other hand, it doesn't make sense to pre-populate the valid
+            # IDs for the models with a lot of instances when we probably are never
+            # going to need to know this. Instead, adding 'owned' is a hint to actually look
+            # up later if we own a particular geography.
+              @results_cache["#{k}#{attr_k}-owned"] = true
+              @results_cache["#{k}any-owned"] = true
+            end
+          elsif capability.require_tenant_access # If tenant access required
+            @results_cache["#{k}#{attr_k}-tenanted"] = true
+            @results_cache["#{k}any-tenanted"] = true
+          else
+            @results_cache["#{k}#{attr_k}-all"] = true
+            @results_cache["#{k}any-all"] = true
+          end
+        end # End each capability
+
+        Strongbolt.logger.info "Populated capabilities in #{(Time.now - beginning)*1000}ms"
+      
+        @results_cache
+      end # End Populate capabilities Cache
+
+
+
+
+
+      #----------------------------------------------------------#
+      #                                                          #
+      #  Checks if the user can perform 'action' on 'instance'   #
+      #                                                          #
+      #----------------------------------------------------------#
+      
+      def capability_in_cache?(action, instance, model_name, attrs = :any, all_instance = false)
+        action_model = "#{action}#{model_name}"
+        
+        Strongbolt.logger.warn "User has no results cache" if @results_cache.empty?
+        Strongbolt.logger.debug { "Authorizing user to perform #{action} on #{instance.inspect}" }
+
+        # we don't know or care about tenants or if this is a new record
+        if instance.is_a?(ActiveRecord::Base) && !instance.new_record?
+          # First, check if we have a hash/cache hit for User being able to do this action to every instance of the model/class
+          return true if @results_cache["#{action_model}all-all"]  #Access to all attributes on ENTIRE class?
+          return true if @results_cache["#{action_model}#{attrs}-all"]  #Access to this specific attribute on ENTIRE class?
+          
+          # If we're checking on a specific instance of the class, not the general model,
+          # append the id to the key
+          id = instance.try(:id)
+          return true if @results_cache["#{action_model}all-#{id}"] # Access to all this instance's attributes?
+          return true if @results_cache["#{action_model}#{attrs}-#{id}"] #Access to this instance's attribute?
+          
+          # Checking ownership and tenant access
+          # Block access for non tenanted instance
+          valid_tenants = has_access_to_tenants?(instance)
+
+          # Then if the model is owned but isn't preloaded yet
+          if instance.class.owned?
+            # Tests if the owner id of the instance is the same than the user
+            if (own_instance = instance.strongbolt_owner_id == self.id)
+              @results_cache["#{action_model}all-#{id}"] = own_instance && valid_tenants && @results_cache["#{action_model}all-owned"]
+              @results_cache["#{action_model}#{attrs}-#{id}"] = own_instance && valid_tenants && @results_cache["#{action_model}#{attrs}-owned"]
+              return true if @results_cache["#{action_model}all-#{id}"] || @results_cache["#{action_model}#{attrs}-#{id}"]
+            else
+              @results_cache["#{action_model}all-#{id}"] = false
+              @results_cache["#{action_model}#{attrs}-#{id}"] = false
+            end
+          end
+
+          # Finally we check for tenanted instances
+          @results_cache["#{action_model}all-#{id}"] = @results_cache["#{action_model}all-tenanted"] && valid_tenants  #Access to all attributes on tenanted class?
+          @results_cache["#{action_model}#{attrs}-#{id}"] =  @results_cache["#{action_model}#{attrs}-tenanted"] && valid_tenants #Access to this specific attribute on tenanted class?
+          return true if @results_cache["#{action_model}all-#{id}"] || @results_cache["#{action_model}#{attrs}-#{id}"]
+        elsif instance.is_a?(ActiveRecord::Base) && instance.new_record?
+          return true if @results_cache["#{action_model}all-all"]  #Access to all attributes on ENTIRE class?
+          return true if @results_cache["#{action_model}#{attrs}-all"]  #Access to this specific attribute on ENTIRE class?
+          # Checking if the instance is from valid tenants (if necessary)
+          valid_tenants = has_access_to_tenants?(instance)
+          return true if @results_cache["#{action_model}all-tenanted"] && valid_tenants  #Access to all attributes on tenanted class?
+          return true if @results_cache["#{action_model}#{attrs}-tenanted"] && valid_tenants #Access to this specific attribute on tenanted class?
+
+          # Finally, in the case where it's a non tenanted model (it still need to have valid_tenants == true)
+          return true if @results_cache["#{action_model}all-any"] && valid_tenants
+          return true if @results_cache["#{action_model}#{attrs}-any"] && valid_tenants
+        else
+          # First, check if we have a hash/cache hit for User being able to do this action to every instance of the model/class
+          return true if @results_cache["#{action_model}all-all"]  #Access to all attributes on ENTIRE class?
+          return true if @results_cache["#{action_model}#{attrs}-all"]  #Access to this specific attribute on ENTIRE class?
+          return true if @results_cache["#{action_model}all-any"] && ! all_instance  #Access to all attributes on at least once instance?
+          return true if @results_cache["#{action_model}#{attrs}-any"] && ! all_instance  #Access to this specific attribute on at least once instance?
+        end
+        #logger.info "Cache miss for checking access to #{key}"
+        
+        return false
+      end
+
+      #
+      # Checks if the instance given fulfills tenant management rules
+      #
+      def has_access_to_tenants? instance, tenants = nil        
+        # If no tenants list given, we take all
+        tenants ||= Strongbolt.tenants
+        # Populate the cache if needed
+        populate_tenants_cache
+
+        # Go over each tenants and check if we access to at least one of the tenant
+        # models linked to it
+        tenants.inject(true) do |result, tenant|
+          begin
+            if instance.class == tenant
+              tenant_ids = [instance.id]
+            elsif instance.respond_to?(tenant.singular_association_name)
+              if instance.send(tenant.singular_association_name).present?
+                tenant_ids = [instance.send(tenant.singular_association_name).id]
+              else
+                tenant_ids = []
+              end
+            elsif instance.respond_to?(tenant.plural_association_name)
+              tenant_ids = instance.send("#{tenant.singular_association_name}_ids")
+            else
+              next result
+            end
+          # When we perform a :select on a model, we may omit
+          # the attribute(s) that link(s) to the tenant.
+          # In that case, we have to suppose the user has access
+          rescue ActiveModel::MissingAttributeError
+            tenant_ids = []
+          end
+          result && (tenant_ids.size == 0 || (@tenants_cache[tenant.name] & tenant_ids).present?)
+        end
+      end
+
+      #
+      # Populate a hash of tenants as keys and ids array as values
+      #
+      def populate_tenants_cache
+        return if @tenants_cache.present?
+
+        Strongbolt.logger.debug "Populating tenants cache for user #{self.id}"
+        
+        @tenants_cache = {}
+        # Go over each tenants
+        Strongbolt.tenants.each do |tenant|
+          @tenants_cache[tenant.name] = send("accessible_#{tenant.plural_association_name}").pluck(:id)
+          Strongbolt.logger.debug "#{@tenants_cache[tenant.name].size} #{tenant.name}"
+        end
+      end
+
+
+    end # End InstanceMethods
+    
+    def self.included(receiver)
+      receiver.extend         ClassMethods
+      receiver.send :include, InstanceMethods
+
+      receiver.class_eval do
+        has_many :user_groups_users,
+          :class_name => "Strongbolt::UserGroupsUser",
+          :dependent => :delete_all,
+          :inverse_of => :user,
+          :foreign_key => :user_id
+        has_many :user_groups, :through => :user_groups_users
+        
+        has_many :roles, through: :user_groups
+      end
+
+      # Sets up user association
+      Strongbolt.tenants.each do |tenant|
+        tenant.send :setup_association_on_user
+      end
+    end
+  end
+end