tarsolya-declarative_authorization 0.4.1

data/lib/declarative_authorization/development_support/analyzer.rb

@@ -0,0 +1,252 @@
+require File.join(File.dirname(__FILE__), %w{development_support})
+
+begin
+  require "ruby_parser"
+  #require "parse_tree"
+  #require "parse_tree_extensions"
+  require "sexp_processor"
+rescue LoadError
+  raise "Authorization::DevelopmentSupport::Analyzer requires ruby_parser gem"
+end
+
+module Authorization
+
+  module DevelopmentSupport
+
+    # Ideas for improvement
+    # * moving rules up in the role hierarchy
+    # * merging roles
+    # * role hierarchy
+    #
+    # Mergeable Rules:  respect if_permitted_to hash
+    #
+    class Analyzer < AbstractAnalyzer
+      def analyze (rules)
+        sexp_array = RubyParser.new.parse(rules)
+        #sexp_array = ParseTree.translate(rules)
+        @reports = []
+        [MergeableRulesProcessor].each do |parser|
+          parser.new(self).analyze(sexp_array)
+        end
+        [
+          RoleExplosionAnalyzer, InheritingPrivilegesAnalyzer,
+          ProposedPrivilegeHierarchyAnalyzer
+        ].each do |parser|
+          parser.new(self).analyze
+        end
+      end
+
+      def reports
+        @reports or raise "No rules analyzed!"
+      end
+
+      class GeneralRulesAnalyzer
+        def initialize(analyzer)
+          @analyzer = analyzer
+        end
+
+        def analyze
+          mark(:policy, nil) if analyze_policy
+          roles.select {|role| analyze_role(role) }.
+              each { |role| mark(:role, role) }
+          rules.select {|rule| analyze_rule(rule) }.
+              each { |rule| mark(:rule, rule) }
+          privileges.select {|privilege| !!analyze_privilege(privilege) }.
+              each { |privilege| mark(:privilege, privilege) }
+        end
+
+        protected
+        def roles
+          @analyzer.roles
+        end
+
+        def rules
+          @analyzer.rules
+        end
+
+        def privileges
+          @privileges ||= rules.collect {|rule| rule.privileges.to_a}.flatten.uniq
+        end
+
+        # to be implemented by specific processor
+        def analyze_policy; end
+        def analyze_role (a_role); end
+        def analyze_rule (a_rule); end
+        def analyze_privilege (a_privilege); end
+        def message (object); end
+
+        private
+        def source_line (object)
+          object.source_line if object.respond_to?(:source_line)
+        end
+
+        def source_file (object)
+          object.source_file if object.respond_to?(:source_file)
+        end
+
+        def mark (type, object)
+          @analyzer.reports << Report.new(report_type,
+              source_file(object), source_line(object), message(object))
+        end
+
+        # analyzer class name stripped of last word
+        def report_type
+          (self.class.name.demodulize.underscore.split('_')[0...-1] * '_').to_sym
+        end
+      end
+
+      class RoleExplosionAnalyzer < GeneralRulesAnalyzer
+        SMALL_ROLE_RULES_COUNT = 3
+        SMALL_ROLES_RATIO = 0.2
+
+        def analyze_policy
+          small_roles.length > 1 and small_roles.length.to_f / roles.length.to_f > SMALL_ROLES_RATIO
+        end
+
+        def message (object)
+          "The ratio of small roles is quite high (> %.0f%%).  Consider refactoring." % (SMALL_ROLES_RATIO * 100)
+        end
+
+        private
+        def small_roles
+          roles.select {|role| role.rules.length < SMALL_ROLE_RULES_COUNT }
+        end
+      end
+
+      class InheritingPrivilegesAnalyzer < GeneralRulesAnalyzer
+        def analyze_rule (rule)
+          rule.privileges.any? {|privilege| rule.privileges.intersects?(privilege.ancestors) }
+        end
+
+        def message (object)
+          "At least one privilege inherits from another in this rule."
+        end
+      end
+
+      class ProposedPrivilegeHierarchyAnalyzer < GeneralRulesAnalyzer
+        # TODO respect, consider contexts
+        def analyze_privilege (privilege)
+          privileges.find do |other_privilege|
+            other_privilege != privilege and
+                other_privilege.rules.all? {|rule| rule.privileges.include?(privilege)}
+          end
+        end
+
+        def message (privilege)
+          other_privilege = analyze_privilege(privilege)
+          "Privilege #{other_privilege.to_sym} is always used together with #{privilege.to_sym}. " +
+              "Consider to include #{other_privilege.to_sym} in #{privilege.to_sym}."
+        end
+      end
+
+      class GeneralAuthorizationProcessor < SexpProcessor
+        def initialize(analyzer)
+          super()
+          self.auto_shift_type = true
+          self.require_empty = false
+          self.strict = false
+          @analyzer = analyzer
+        end
+
+        def analyze (sexp_array)
+          process(sexp_array)
+          analyze_rules
+        end
+
+        def analyze_rules
+          # to be implemented by specific processor
+        end
+
+        def process_iter (exp)
+          s(:iter, process(exp.shift), process(exp.shift), process(exp.shift))
+        end
+
+        def process_arglist (exp)
+          s(exp.collect {|inner_exp| process(inner_exp).shift})
+        end
+
+        def process_hash (exp)
+          s(Hash[*exp.collect {|inner_exp| process(inner_exp).shift}])
+        end
+
+        def process_lit (exp)
+          s(exp.shift)
+        end
+      end
+
+      class MergeableRulesProcessor < GeneralAuthorizationProcessor
+        def analyze_rules
+          if @has_permission
+            #p @has_permission
+            permissions_by_context_and_rules = @has_permission.inject({}) do |memo, permission|
+              key = [permission[:context], permission[:rules]]
+              memo[key] ||= []
+              memo[key] << permission
+              memo
+            end
+
+            permissions_by_context_and_rules.each do |key, rules|
+              if rules.length > 1
+                rule_lines = rules.collect {|rule| rule[:line] }
+                rules.each do |rule|
+                  @analyzer.reports << Report.new(:mergeable_rules, "", rule[:line],
+                    "Similar rules already in line(s) " +
+                        rule_lines.reject {|l| l == rule[:line] } * ", ")
+                end
+              end
+            end
+          end
+        end
+
+        def process_call (exp)
+          klass = exp.shift
+          name = exp.shift
+          case name
+          when :role
+            analyze_rules
+            @has_permission = []
+            s(:call, klass, name)
+          when :has_permission_on
+            arglist_line = exp[0].line
+            arglist = process(exp.shift).shift
+            context = arglist.shift
+            args_hash = arglist.shift
+            @has_permission << {
+              :context => context,
+              :rules => [],
+              :privilege => args_hash && args_hash[:to],
+              # a hack: call exp line seems to be wrong
+              :line => arglist_line
+            }
+            s(:call, klass, name)
+          when :to
+            @has_permission.last[:privilege] = process(exp.shift).shift if @has_permission
+            s(:call, klass, name)
+          when :if_attribute
+            rules = process(exp.shift).shift
+            rules.unshift :if_attribute
+            @has_permission.last[:rules] << rules if @has_permission
+            s(:call, klass, name)
+          when :if_permitted_to
+            rules = process(exp.shift).shift
+            rules.unshift :if_permitted_to
+            @has_permission.last[:rules] << rules if @has_permission
+            s(:call, klass, name)
+          else
+            s(:call, klass, name, process(exp.shift))
+          end
+        end
+      end
+
+      class Report
+        attr_reader :type, :filename, :line, :message
+        def initialize (type, filename, line, msg)
+          @type = type
+          @filename = filename
+          @line = line
+          @message = msg
+        end
+      end
+    end
+  end
+end

data/lib/declarative_authorization/development_support/change_analyzer.rb

@@ -0,0 +1,253 @@
+require File.join(File.dirname(__FILE__), %w{development_support})
+
+module Authorization
+
+  module DevelopmentSupport
+    # Ideas for improvement
+    # * Algorithm
+    #   * Plan by tackling each condition separately
+    #     * e.g. two users have a permission through the same role,
+    #       one should lose that
+    #   * Consider privilege hierarchy
+    #   * Consider merging, splitting roles, role hierarchies
+    #   * Add privilege to existing rules
+    # * Features
+    #   * Show consequences from changes: which users are affected,
+    #     show users in graph
+    #   * restructure GUI layout: more room for analyzing suggestions
+    # * AI: planning: ADL-like, actions with preconditions and effects
+    # * Removing need of intention
+    # * Evaluation of approaches with Analyzer algorithms
+    # * Consider constraints
+    #
+    # NOTE:
+    # * user.clone needs to clone role_symbols
+    # * user.role_symbols needs to respond to <<
+    # * user.login is needed
+    #
+    class ChangeAnalyzer < AbstractAnalyzer
+
+      def find_approaches_for (change_action, type, options, &tests)
+        raise ArgumentError, "Missing options" if !options[:on] or !options[:to]
+
+        # * strategy for removing: [remove privilege, add privilege to different role]
+        @seen_states = Set.new
+        # * heurisic: change of failed tests;  small number of policy items
+        strategy = case [change_action, type]
+                   when [:remove, :permission]
+                     [:remove_role_from_user, :remove_privilege, :add_privilege,
+                       :add_role, :assign_role_to_user]
+                   when [:add, :permission]
+                     [:add_role, :add_privilege, :assign_role_to_user]
+                   else
+                     raise ArgumentError, "Unknown change action/type: #{[change_action, type].inspect}"
+                   end
+
+        candidates = []
+        viable_approaches = []
+        approach_checker = ApproachChecker.new(self, tests)
+
+        starting_candidate = Approach.new(@engine, options[:users], [])
+        if starting_candidate.check(approach_checker)
+          viable_approaches << starting_candidate
+        else
+          candidates << starting_candidate
+        end
+
+        step_count = 0
+        while !candidates.empty? and step_count < 100
+          next_step(viable_approaches, candidates, approach_checker, options[:to], 
+              options[:on], strategy)
+          step_count += 1
+        end
+
+        # remove subsets
+
+        viable_approaches.sort!
+      end
+
+      class ApproachChecker
+        attr_reader :failed_test_count, :users
+
+        def initialize (analyzer, tests)
+          @analyzer, @tests = analyzer, tests
+        end
+
+        def check (engine, users)
+          @current_engine = engine
+          @failed_test_count = 0
+          @users = users
+          @ok = true
+          instance_eval(&@tests)
+          @ok
+        end
+
+        def assert (ok)
+          @failed_test_count += 1 unless ok
+          @ok &&= ok
+        end
+
+        def permit? (*args)
+          @current_engine.permit?(*args)
+        end
+      end
+
+      class Approach
+        attr_reader :steps, :engine, :users
+        def initialize (engine, users, steps)
+          @engine, @users, @steps = engine, users, steps
+        end
+
+        def check (approach_checker)
+          res = approach_checker.check(@engine, @users)
+          @failed_test_count = approach_checker.failed_test_count
+          #puts "CHECKING #{inspect} (#{res}, #{sort_value})"
+          res
+        end
+
+        def clone_for_step (*step_params)
+          self.class.new(@engine.clone, @users.clone, @steps + [Step.new(step_params)])
+        end
+
+        def changes
+          @steps.select {|step| step.length > 1}
+        end
+
+        def subset? (other_approach)
+          other_approach.changes.length >= changes.length &&
+              changes.all? {|step| other_approach.changes.any? {|step_2| step_2.eql?(step)} }
+        end
+
+        def state_hash
+          @engine.auth_rules.inject(0) do |memo, rule|
+            memo + rule.privileges.hash + rule.contexts.hash +
+                rule.attributes.hash + rule.role.hash
+          end +
+              @users.inject(0) {|memo, user| memo + user.role_symbols.hash } +
+              @engine.privileges.hash + @engine.privilege_hierarchy.hash +
+              @engine.roles.hash + @engine.role_hierarchy.hash
+        end
+
+        def sort_value
+          (changes.length + 1) + steps.length / 2 + (@failed_test_count.to_i + 1)
+        end
+
+        def inspect
+          "Approach (#{state_hash}): Steps: #{changes.map(&:inspect) * ', '}"# +
+             # "\n  Roles: #{AnalyzerEngine.roles(@engine).map(&:to_sym).inspect}; " +
+             # "\n  Users: #{@users.map(&:role_symbols).inspect}"
+        end
+
+        def <=> (other)
+          sort_value <=> other.sort_value
+        end
+      end
+
+      class Step < Array
+        def eql? (other)
+          # TODO use approach.users.index(self[idx]) ==
+          #    other.approach.users.index(other[idx])
+          # instead of user.login
+          other.is_a?(Array) && other.length == length &&
+              (0...length).all? {|idx| self[idx].class == other[idx].class &&
+                  ((self[idx].respond_to?(:to_sym) && self[idx].to_sym == other[idx].to_sym) ||
+                   (self[idx].respond_to?(:login) && self[idx].login == other[idx].login) ||
+                   self[idx] == other[idx] ) }
+        end
+
+        def inspect
+          collect {|info| info.respond_to?(:to_sym) ? info.to_sym : (info.respond_to?(:login) ? info.login : info.class.name)}.inspect
+        end
+      end
+
+      protected
+      def next_step (viable_approaches, candidates, approach_checker,
+            privilege, context, strategy)
+        candidate = candidates.shift
+        next_in_strategy = strategy[candidate.steps.length % strategy.length]
+
+        #if @seen_states.include?([candidate.state_hash, next_in_strategy])
+        #  puts "SKIPPING #{next_in_strategy}; #{candidate.inspect}"
+        #end
+        return if @seen_states.include?([candidate.state_hash, next_in_strategy])
+        @seen_states << [candidate.state_hash, next_in_strategy]
+        candidate.steps << [next_in_strategy]
+        candidates << candidate
+
+        new_approaches = []
+
+        #puts "#{next_in_strategy} on #{candidate.inspect}"
+        case next_in_strategy
+        when :add_role
+          # ensure non-existent name
+          approach = candidate.clone_for_step(:add_role, :new_role_for_change_analyzer)
+          if AnalyzerEngine.apply_change(approach.engine, approach.changes.last)
+            #AnalyzerEngine.apply_change(approach.engine, [:add_privilege, privilege, context, :new_role_for_change_analyzer])
+            new_approaches << approach
+          end
+        when :assign_role_to_user
+          candidate.users.each do |user|
+            relevant_roles(candidate).each do |role|
+              next if user.role_symbols.include?(role.to_sym)
+              approach = candidate.clone_for_step(:assign_role_to_user, role, user)
+              # beware of shallow copies!
+              cloned_user = user.clone
+              approach.users[approach.users.index(user)] = cloned_user
+              # possible on real user objects?
+              cloned_user.role_symbols << role.to_sym
+              new_approaches << approach
+            end
+          end
+        when :remove_role_from_user
+          candidate.users.each do |user|
+            user.role_symbols.each do |role_sym|
+              approach = candidate.clone_for_step(:remove_role_from_user, role_sym, user)
+              # beware of shallow copies!
+              cloned_user = user.clone
+              approach.users[approach.users.index(user)] = cloned_user
+              # possible on real user objects?
+              cloned_user.role_symbols.delete(role_sym)
+              new_approaches << approach
+            end
+          end
+        when :add_privilege
+          relevant_roles(candidate).each do |role|
+            approach = candidate.clone_for_step(:add_privilege, privilege, context, role)
+            AnalyzerEngine.apply_change(approach.engine, approach.changes.last)
+            new_approaches << approach
+          end
+        when :remove_privilege
+          relevant_roles(candidate).each do |role|
+            approach = candidate.clone_for_step(:remove_privilege, privilege, context, role)
+            if AnalyzerEngine.apply_change(approach.engine, approach.changes.last)
+              new_approaches << approach
+            end
+          end
+        else
+          raise "Unknown next strategy step #{next_in_strategy}"
+        end
+
+        new_approaches.each do |new_approach|
+          if new_approach.check(approach_checker)
+            unless viable_approaches.any? {|viable_approach| viable_approach.subset?(new_approach) }
+              #puts "New: #{new_approach.changes.inspect}\n  #{viable_approaches.map(&:changes).inspect}"
+              viable_approaches.delete_if {|viable_approach| new_approach.subset?(viable_approach)}
+              viable_approaches << new_approach unless viable_approaches.find {|v_a| v_a.state_hash == new_approach.state_hash}
+            end
+          else
+            candidates << new_approach
+          end
+        end
+
+        candidates.sort!
+      end
+
+      def relevant_roles (approach)
+        #return AnalyzerEngine.roles(approach.engine)
+        (AnalyzerEngine.relevant_roles(approach.engine, approach.users) +
+            (approach.engine.roles.include?(:new_role_for_change_analyzer) ?
+               [AnalyzerEngine::Role.for_sym(:new_role_for_change_analyzer, approach.engine)] : [])).uniq
+      end
+    end
+  end
+end