thelinuxlich-aegis 1.1.7

data/lib/aegis/normalization.rb

@@ -0,0 +1,26 @@
+module Aegis
+  class Normalization
+    
+    VERB_NORMALIZATIONS = {
+      "edit"   => "update",
+      "show"   => "read",
+      "list"   => "read",
+      "view"   => "read",
+      "delete" => "destroy",
+      "remove" => "destroy"
+    }
+    
+    def self.normalize_verb(verb)
+      VERB_NORMALIZATIONS[verb] || verb
+    end
+    
+    def self.normalize_permission(permission)
+      if permission =~ /^([^_]+?)_(.+?)$/
+        verb, target = $1, $2
+        permission = normalize_verb(verb) + "_" + target
+      end
+      permission
+    end
+    
+  end
+end

data/lib/aegis/permission_error.rb

@@ -0,0 +1,5 @@
+module Aegis
+  class PermissionError < StandardError
+
+  end
+end

data/lib/aegis/permission_evaluator.rb

@@ -0,0 +1,34 @@
+module Aegis
+  class PermissionEvaluator
+
+	def initialize(role)
+	  @role = role
+	end
+
+	def evaluate(permissions, rule_args)
+	  @result = @role.allow_by_default?
+	  permissions.each do |permission|
+		instance_exec(*rule_args, &permission)
+	  end
+	  @result
+	end
+
+	def allow(*role_name_or_names, &block)
+	  rule_encountered(role_name_or_names, true, &block)
+	end
+
+	def deny(*role_name_or_names, &block)
+	  rule_encountered(role_name_or_names, false, &block)
+	end
+
+	def rule_encountered(role_name_or_names, is_allow, &block)
+	  role_names = Array(role_name_or_names)
+	  if role_names.include?(@role.name) || role_names.include?(Aegis::Constants::EVERYONE_ROLE_NAME)
+		@result = (block ? block.call : true) 
+		@result = !@result unless is_allow
+	  end
+	end
+
+  end
+end
+

data/lib/aegis/permissions.rb

@@ -0,0 +1,107 @@
+module Aegis
+  class Permissions
+  
+    def self.inherited(base)
+      base.class_eval do
+        @roles_by_name = {}
+        @permission_blocks = Hash.new { |hash, key| hash[key] = [] }
+        extend ClassMethods
+      end
+    end    
+
+    module ClassMethods
+ 
+      def role(role_name, options = {})
+        role_name = role_name.to_sym
+        role_name != Aegis::Constants::EVERYONE_ROLE_NAME or raise "Cannot define a role named: #{Aegis::Constants::EVERYONE_ROLE_NAME}"
+        @roles_by_name[role_name] = Aegis::Role.new(role_name, self, options)
+      end
+      
+      def find_all_role_names
+        @roles_by_name.keys
+      end
+      
+      def find_all_roles
+        @roles_by_name.values.sort
+      end
+      
+      def find_role_by_name(name)
+        # cannot call :to_sym on nil or an empty string
+        if name.blank?
+          nil
+        else
+          @roles_by_name[name.to_sym]
+        end
+      end
+      
+      def find_role_by_name!(name)
+        find_role_by_name(name) or raise "Undefined role: #{name}"
+      end
+      
+      def permission(*permission_name_or_names, &block)
+        permission_names = Array(permission_name_or_names).map(&:to_s)
+        permission_names.each do |permission_name|
+          add_split_crud_permission(permission_name, &block)
+        end
+      end
+      
+      define_method "#{Aegis::Constants::PERMISSION_PREFIX}?" do |role_or_role_name, permission, *args|
+        role = role_or_role_name.is_a?(Aegis::Role) ? role_or_role_name : find_role_by_name(role_or_role_name)
+        blocks = @permission_blocks[permission.to_sym]
+        evaluate_permission_blocks(role, blocks, *args)
+      end
+      
+      def evaluate_permission_blocks(role, blocks, *args)
+        evaluator = Aegis::PermissionEvaluator.new(role)
+        evaluator.evaluate(blocks, args)
+      end
+      
+      def denied?(*args)
+        !allowed?(*args)
+      end
+      
+      private
+
+      def add_split_crud_permission(permission_name, &block)
+        if permission_name =~ /^crud_(.+?)$/
+          target = $1
+          Aegis::Constants::CRUD_VERBS.each do |verb|
+            add_normalized_permission("#{verb}_#{target}", &block)
+          end
+        else
+          add_normalized_permission(permission_name, &block)
+        end
+      end
+
+      def add_normalized_permission(permission_name, &block)
+        normalized_permission_name = Aegis::Normalization.normalize_permission(permission_name)
+        add_singularized_permission(normalized_permission_name, &block)
+      end
+      
+      def add_singularized_permission(permission_name, &block)
+        if permission_name =~ /^([^_]+?)_(.+?)$/
+          verb = $1
+          target = $2
+          singular_target = target.singularize
+          if singular_target.length < target.length
+            singular_block = lambda do |*args|
+        args.delete_at 1
+        instance_exec(*args, &block)
+            end
+            singular_permission_name = "#{verb}_#{singular_target}"
+            add_permission(singular_permission_name, &singular_block)
+          end
+        end
+        add_permission(permission_name, &block)
+      end
+      
+      def add_permission(permission_name, &block)
+        permission_name = permission_name.to_sym
+        @permission_blocks[permission_name] << block
+      end
+ 
+    end # module ClassMethods
+    
+  end # class Permissions
+end # module Aegis
+

data/lib/aegis/role.rb

@@ -0,0 +1,55 @@
+module Aegis
+  class Role
+  
+    attr_reader :name, :default_permission
+          
+    # permissions is a hash like: permissions[:edit_user] = lambda { |user| ... }
+    def initialize(name, permissions, options)
+      @name = name
+      @permissions = permissions
+      @default_permission = options[:default_permission] == :allow ? :allow : :deny
+      freeze
+    end
+    
+    def allow_by_default?
+      @default_permission == :allow
+    end
+    
+    define_method "#{Aegis::Constants::PERMISSION_PREFIX}?" do |permission,*args|
+      # puts "may? #{permission}, #{args}"
+      @permissions.send "#{Aegis::Constants::PERMISSION_PREFIX}?",self, permission, *args
+    end
+    
+    def <=>(other)
+      name.to_s <=> other.name.to_s
+    end
+
+    def to_s
+      name.to_s.humanize
+    end
+    
+    def id
+      name.to_s
+    end
+
+    private
+    
+    def method_missing(symb, *args)
+      method_name = symb.to_s
+      if method_name =~ /^#{Aegis::Constants::PERMISSION_PREFIX}_(.+)(\?|\!)$/
+        permission, severity = $1, $2
+        permission = Aegis::Normalization.normalize_permission(permission)
+        may = send "#{Aegis::Constants::PERMISSION_PREFIX}?", permission, *args
+        if severity == '!' && !may 
+          raise PermissionError, "Access denied: #{permission}" 
+        else
+          may
+        end
+      else
+        super
+      end
+    end
+        
+    
+  end
+end

data/lib/rails/active_record.rb

@@ -0,0 +1,5 @@
+ActiveRecord::Base.class_eval do
+
+  extend Aegis::HasRole
+  
+end

data/test/app_root/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/test/app_root/app/models/old_soldier.rb

@@ -0,0 +1,6 @@
+class VeteranSoldier < ActiveRecord::Base
+
+  # Use legacy parameter :name_accessor instead of :accessor
+  has_role :name_accessor => "rank"
+
+end

data/test/app_root/app/models/permissions.rb

@@ -0,0 +1,49 @@
+
+class Permissions < Aegis::Permissions
+
+  role :guest
+  role :student
+  role :admin, :default_permission => :allow
+  
+  permission :use_empty do
+  end
+  
+  permission :use_simple do
+    allow :student
+    deny :admin
+  end
+
+  permission :update_users do
+    allow :student
+    deny :admin
+  end
+  
+  permission :crud_projects do
+    allow :student
+  end
+  
+  permission :edit_drinks do
+    allow :student
+    deny :admin
+  end
+  
+  permission :hug do
+    allow :everyone
+  end
+  
+  permission :divide do |user, left, right|
+    allow :student do
+      right != 0
+    end
+  end
+  
+  permission :draw do
+    allow :everyone
+  end
+  
+  permission :draw do
+    deny :student
+    deny :admin
+  end
+  
+end

data/test/app_root/app/models/soldier.rb

@@ -0,0 +1,5 @@
+class Soldier < ActiveRecord::Base
+
+  has_role :accessor => "rank"
+
+end

data/test/app_root/app/models/trust_fund_kid.rb

@@ -0,0 +1,5 @@
+class TrustFundKid < ActiveRecord::Base
+
+  has_role :default => :admin
+
+end

data/test/app_root/app/models/user.rb

@@ -0,0 +1,6 @@
+class User < ActiveRecord::Base
+
+  has_role
+  validates_role_name
+
+end

data/test/app_root/app/models/user_subclass.rb

@@ -0,0 +1,2 @@
+class UserSubclass < User
+end

data/test/app_root/app/models/veteran_soldier.rb

@@ -0,0 +1,6 @@
+class VeteranSoldier < ActiveRecord::Base
+
+  # Using legacy parameter names
+  has_role :name_accessor => "rank"
+
+end

data/test/app_root/config/boot.rb

@@ -0,0 +1,114 @@
+# Allow customization of the rails framework path
+RAILS_FRAMEWORK_ROOT = (ENV['RAILS_FRAMEWORK_ROOT'] || "#{File.dirname(__FILE__)}/../../../../../../vendor/rails") unless defined?(RAILS_FRAMEWORK_ROOT) 
+
+# Don't change this file!
+# Configure your app in config/environment.rb and config/environments/*.rb
+
+RAILS_ROOT = "#{File.dirname(__FILE__)}/.." unless defined?(RAILS_ROOT)
+
+module Rails
+  class << self
+    def boot!
+      unless booted?
+        preinitialize
+        pick_boot.run
+      end
+    end
+
+    def booted?
+      defined? Rails::Initializer
+    end
+
+    def pick_boot
+      (vendor_rails? ? VendorBoot : GemBoot).new
+    end
+
+    def vendor_rails?
+      File.exist?(RAILS_FRAMEWORK_ROOT)
+    end
+
+    def preinitialize
+      load(preinitializer_path) if File.exist?(preinitializer_path)
+    end
+
+    def preinitializer_path
+      "#{RAILS_ROOT}/config/preinitializer.rb"
+    end
+  end
+
+  class Boot
+    def run
+      load_initializer
+      Rails::Initializer.run(:set_load_path)
+    end
+  end
+
+  class VendorBoot < Boot
+    def load_initializer
+      require "#{RAILS_FRAMEWORK_ROOT}/railties/lib/initializer"
+      Rails::Initializer.run(:install_gem_spec_stubs)
+    end
+  end
+
+  class GemBoot < Boot
+    def load_initializer
+      self.class.load_rubygems
+      load_rails_gem
+      require 'initializer'
+    end
+
+    def load_rails_gem
+      if version = self.class.gem_version
+        gem 'rails', version
+      else
+        gem 'rails'
+      end
+    rescue Gem::LoadError => load_error
+      $stderr.puts %(Missing the Rails #{version} gem. Please `gem install -v=#{version} rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed.)
+      exit 1
+    end
+
+    class << self
+      def rubygems_version
+        Gem::RubyGemsVersion rescue nil
+      end
+
+      def gem_version
+        if defined? RAILS_GEM_VERSION
+          RAILS_GEM_VERSION
+        elsif ENV.include?('RAILS_GEM_VERSION')
+          ENV['RAILS_GEM_VERSION']
+        else
+          parse_gem_version(read_environment_rb)
+        end
+      end
+
+      def load_rubygems
+        require 'rubygems'
+        min_version = '1.1.1'
+        unless rubygems_version >= min_version
+          $stderr.puts %Q(Rails requires RubyGems >= #{min_version} (you have #{rubygems_version}). Please `gem update --system` and try again.)
+          exit 1
+        end
+ 
+      rescue LoadError
+        $stderr.puts %Q(Rails requires RubyGems >= #{min_version}. Please install RubyGems and try again: http://rubygems.rubyforge.org)
+        exit 1
+      end
+
+      def parse_gem_version(text)
+        $1 if text =~ /^[^#]*RAILS_GEM_VERSION\s*=\s*["']([!~<>=]*\s*[\d.]+)["']/
+      end
+
+      private
+        def read_environment_rb
+          environment_rb = "#{RAILS_ROOT}/config/environment.rb"
+          environment_rb = "#{HELPER_RAILS_ROOT}/config/environment.rb" unless File.exists?(environment_rb)
+          File.read(environment_rb)
+        end
+    end
+  end
+end
+
+# All that for this:
+Rails.boot!