thwart 0.0.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,24 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## RVM
+.rvmrc
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Harry Brundage
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,17 @@
+= thwart
+
+Simple, powerful, and developer friendly authorization plugin.
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Harry Brundage. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,30 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "thwart"
+    gem.summary = %Q{A simple, powerful, and developer friendly authorization plugin. Still WIP.}
+    gem.description = %Q{Implements a robust Role Based Access System where Actors are granted permission to preform Actions by playing any number of Roles. All defined programatically in one place using a super easy DSL.}
+    gem.email = "harry@skylightlabs.ca"
+    gem.homepage = "http://github.com/hornairs/thwart"
+    gem.authors = ["Harry Brundage"]
+    gem.add_development_dependency "rspec", ">= 2.0.0.beta19"
+    gem.add_dependency "activesupport", ">= 3.0.rc1"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "thwart #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.0

data/autotest/discover.rb

@@ -0,0 +1 @@
+Autotest.add_discovery { "rspec2" }

data/examples/a_complete_example.rb

@@ -0,0 +1,56 @@
+require File.expand_path(File.dirname(__FILE__) + '/example_helper')
+
+Thwart.configure do
+  Thwart::Actions.add_crud!
+  default_query_response false
+
+  action_group :manage, [:view, :create, :update, :destroy]
+
+  role :employee do
+    view :all
+    update :this, :that
+  end
+
+  role :manager, :include => :employee do
+    allow do
+      destroy :this
+    end
+    deny do
+      destroy :that
+    end
+  end
+
+  role :administrator do
+    manage :all
+  end
+end
+
+@ed    = User.new('Ed', :employee)
+@mary  = User.new('Mary', :manager)
+@admin = User.new('Admin', :administrator)
+
+@a_this = This.new
+@a_that = That.new
+@a_then = Then.new
+
+puts @ed.can_view?(@a_this)
+puts @ed.can_view?(@a_that)
+puts @ed.can_view?(@a_then)
+puts @ed.can_update?(@a_this)
+puts @ed.can_update?(@a_that)
+puts @ed.can_update?(@a_then)
+
+# Thwart.query(:employee, :this, :view).should == true
+# Thwart.query(:employee, @a_this, :view).should == true
+# Thwart.query(@ed, :this, :view).should == true
+# Thwart.query(@ed, @a_this, :view).should == true
+# 
+# Thwart.query(:employee, :this, :update).should == true
+# Thwart.query(:employee, @a_this, :update).should == true
+# Thwart.query(@ed, :this, :update).should == true
+# Thwart.query(@ed, @a_this, :update).should == true
+# 
+# Thwart.query(:employee, :then, :update).should == true
+# Thwart.query(:employee, @a_then, :update).should == true
+# Thwart.query(@ed, :then, :update).should == true
+# Thwart.query(@ed, @a_then, :update).should == true

data/examples/example_helper.rb

@@ -0,0 +1,45 @@
+require 'active_support'
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'thwart'
+
+# require 'rubygems'
+# require 'ruby-debug'
+
+class User
+  include Thwart::Actor
+  thwart_access do
+    role_method :role
+  end
+  attr_accessor :name, :role
+  def initialize(n, r)
+    self.name = n
+    self.role = r
+  end
+end
+
+class Thing
+  include Thwart::Resource
+  thwart_access do
+    name :thing
+  end
+end
+
+class This < Thing
+  thwart_access do
+    name :this
+  end
+end
+
+class That < Thing
+  thwart_access do
+    name :that
+  end
+end
+
+class Then < Thing
+  thwart_access do
+    name :then
+  end
+end
+

data/lib/thwart/action_group_builder.rb

@@ -0,0 +1,62 @@
+module Thwart
+  class ActionGroupBuilder
+    # Holds all the different action groups in actionables[:name] => [array of resolved actions]
+    attr_accessor :actionables 
+    def actionables
+      @actionables ||= {}
+      @actionables
+    end
+    
+    # Adds an actionable to the list of actionable things.
+    # @param name [symbol] The name of the action
+    # @param actions [symbol|array|nil] The actions this actionable resolves to. If nil, this is set to the name argument.
+    def add_actionable(name, actions = nil)
+      if actions.nil?
+        actions = Array.wrap(name)
+      else
+        actions = Array.wrap(actions)
+      end 
+      self.actionables[name] = actions
+    end
+    
+    # Creates an action group from an array of actionables.
+    # @param name [symbol] The name of the new action group
+    # @param others [symbol|array] One or an array symbols reffering to action or action groups
+    def create_action_group(name, others)
+      self.add_actionable(name, resolve_action_group(others))
+    end
+    
+    # Resolves some actionables recursively down to the raw actions it corresponds to.
+    # @params name [symbol|array] the symbol (array) referring to the existing actionables
+    def resolve_action_group(name)
+      # - if name is an array => resolve it recursively
+      # - if name is in the action groups, pull out its existing resolution
+      # - otherwise, raise an error because we don't know what this is.
+      # Simple action groups (an action itself) must be added to the actions before they
+      # are referenced, which is accomplished using the :save callback on Actions
+      
+      return name.map{|n| resolve_action_group(n)}.flatten.uniq if name.respond_to?(:map)
+      return self.actionables[name].flatten.uniq if self.actionables.include?(name)
+      puts self.actionables
+      raise Thwart::ActionOrGroupNotFoundError, "Action or group #{name} could not be found!"
+    end
+    
+    # Adds the :create, :read, :update, and :destroy actionables
+    def add_crud_group!
+      @actions_store.add_crud! if @actions_store.respond_to?(:add_crud!)
+      if @crud.nil? || @crud == false    
+        self.create_action_group(:crud, Thwart::CrudActions.keys)
+        @crud = true
+      end
+    end
+    
+    def initialize(actions_store = Thwart::Actions)
+      builder = self
+      @actions_store = actions_store
+      @actions_store.class.set_callback :add, :after do |object|
+        builder.add_actionable(actions_store.last_action)
+      end
+      builder
+    end
+  end
+end

data/lib/thwart/actions_store.rb

@@ -0,0 +1,89 @@
+module Thwart
+  class ActionsStore
+    include ActiveSupport::Callbacks
+    attr_accessor :last_action
+    attr_reader :actions
+    define_callbacks :add
+  
+    def initialize
+      @actions = {}
+    end
+  
+    # Returns true if Thwart is providing methods for the [action-able]_by? style action
+    # identifier, false otherwise. 
+    #
+    #   @param [Symbol] able_method The name of the [action-able]_by? method to check for.  
+    def has_able?(able)
+      self.actions.has_value?(able)
+    end
+
+    # Returns true if Thwart is providing methods for the can_[action]? style action 
+    # identifer, false otherwise. 
+    #
+    #   @param [Symbol] able_method The name of the can_[action]? method to check for.  
+    def has_can?(can)
+      self.actions.has_key?(can)
+    end
+
+    # Finds the corresponding can from an able. 
+    #
+    #   @param [Symbol] able_method The name of the [action-able]_by? method.  
+    def can_from_able(able)
+      self.actions.key(able)
+    end
+
+    # Adds an action to actions and the correct methods to can and able modules.
+    #
+    #   @param [Symbol] can_method The name of the can_[action]? method.
+    #   @param [Symbol] resource_method The name of the [action-able]_by? method.
+    def create_action(can, able = nil)
+      if able.nil?
+        if can.respond_to?(:each) 
+          can.each {|c,a| self.create_action(c,a)} 
+        else
+          raise ArgumentError, "able can't be nil"
+        end
+      else
+        run_callbacks :add do
+          @actions[can] = able
+          @last_action = can
+        end
+      end
+    end
+
+    # Finds the able name of the action from a [action-able]_by? style method.
+    #
+    #   @param [Symbol] resource_method The name of the [action-able]_by? method.
+    # Adds an action to actions and the correct methods to can and able modules.
+    def find_able(name)
+      md = name.to_s.match(/(.+)_by\?/)
+      if md != nil && self.has_able?(md[1].intern)
+        md[1].intern
+      else
+        false
+      end
+    end
+
+    # Finds the can name of the action from a can_[action]? style method.
+    #
+    #   @param [Symbol] can_method The name of the can_[action]? method.
+    def find_can(name)
+      md = name.to_s.match(/can_(.+)\?/)
+      if md != nil && self.has_can?(md[1].intern)
+        md[1].intern
+      else
+        false
+      end
+    end
+
+    # Add the CRUD methods to the Thwart actions (create, read, update, destroy)
+    def add_crud!
+      if @crud.nil? || @crud == false      
+        Thwart::CrudActions.each do |(k,v)|
+          self.create_action(k, v)
+        end
+        @crud = true  
+      end
+    end
+  end
+end

data/lib/thwart/actor.rb

@@ -0,0 +1,36 @@
+module Thwart
+  module Actor
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+    
+    module ClassMethods
+      attr_accessor :default_role, :role_from
+      # Thwart enabling hook on actors
+      def thwart_access(&block)
+        self.instance_eval do
+          include Thwart::Cans
+          include Thwart::Actor::InstanceMethods
+        end
+        # Set up DSL using dsl helper
+        if block_given?
+          dsl = Thwart::Dsl.new(:role_method => :role_from=, :role_proc => :role_from=, :role => :default_role=)
+          dsl.evaluate(self, &block)
+        end
+      end
+    end
+    
+    module InstanceMethods
+      # The role of this particular actor instance
+      # If the class level @role_from is a symbol, it is the name of the instance method to get the role
+      # If the class level @role_from is a proc, call it
+      # If the above are unsuccessful, use the default if it exists
+      def thwart_role
+        r = self.send(self.class.role_from) if self.class.role_from.is_a?(Symbol) && self.respond_to?(self.class.role_from)
+        r ||= self.class.role_from.call(self) if self.class.role_from.respond_to?(:call)
+        r ||= self.class.default_role unless self.class.default_role.nil?
+        r
+      end
+    end
+  end
+end

data/lib/thwart/canable.rb

@@ -0,0 +1,30 @@
+module Thwart
+  # Module in which the can_[action]? methods hang out
+  module Cans   
+  
+    def respond_to?(name)
+      return true if Thwart::Actions.find_can(name) != false
+      super
+    end
+  
+    def method_missing(name, *args)
+      can = Thwart::Actions.find_can(name)
+      return Thwart.query(self, args.first, can) if args.length == 1 && !!can
+      super
+    end
+  end
+
+  # Module in which the [action]able_by? methods hang out
+  module Ables
+    def respond_to?(name)
+      return true if Thwart::Actions.find_able(name) != false
+      super
+    end
+  
+    def method_missing(name, *args)
+      able = Thwart::Actions.find_able(name)
+      return Thwart.query(args.first, self, Thwart::Actions.can_from_able(able)) if args.length == 1 && !!able
+      super
+    end
+  end
+end

data/lib/thwart/dsl.rb

@@ -0,0 +1,43 @@
+module Thwart
+  class DslError < NoMethodError; end
+  class Dsl
+    attr_accessor :extra_methods, # Hash of the extra method mappings of this DSL => target
+                  :method_map,    # Holds the whole method map hash
+                  :target,         # What object the DSL maps methods on to
+                  :all            # Wheather or not to allow all methods (including dynamic ones like method missing) to be mapped
+    
+    def initialize(map = {})
+      self.extra_methods = map
+    end
+    
+    def evaluate(a_target, &block)
+      self.target = a_target
+      self.method_map = target.public_methods.inject({}) do |acc, m| 
+        key = m.to_s.gsub("=", "").intern
+        acc[key] = m if acc[key].nil? || m != key
+        acc 
+      end.merge(self.extra_methods)
+      
+      self.instance_eval(&block)
+      self.target
+    end
+    
+    def respond_to?(name)
+      if @all
+        return target.respond_to?(name)
+      else
+        return true if self.method_map.has_key?(name) && !!self.method_map[name]
+        super
+      end
+    end
+    
+    def method_missing(name, *args, &block)
+      if self.respond_to?(name)
+        return self.target.send(self.method_map[name], *args, &block) if self.method_map.has_key?(name)
+        return self.target.send(name, *args, &block) if @all
+      end
+      super
+    end
+  end
+  
+end

data/lib/thwart/enforcer.rb

@@ -0,0 +1,15 @@
+module Thwart
+  module Enforcer
+    def thwart_access(resource)
+      raise ArgumentError, "Thwart needs a current_user method to enforce permissions." unless self.respond_to?(:current_user)
+      raise ArgumentError, "Thwart needs the params hash to have an [:action] to enforce." if params.nil? || params[:action].nil?
+      raise ArgumentError, "Unknown action #{params[:action]} to enforce" unless Thwart::Actions.has_can?(params[:action])
+
+      unless Thwart.query(current_user, resource, params[:action])
+        raise Thwart::NoPermissionError, "User #{current_user} doesn't have permission to #{params[:action]} #{resource}."
+      else
+        true
+      end
+    end
+  end
+end

data/lib/thwart/resource.rb

@@ -0,0 +1,27 @@
+require 'active_support/inflector'
+module Thwart::Resource
+  include Thwart::Ables
+  # Included hooks
+  def self.included(base) 
+    base.extend ClassMethods
+  end
+  
+  module ClassMethods
+    attr_accessor :thwart_name
+    
+    def thwart_access(&block) 
+      self.thwart_name = ActiveSupport::Inflector.singularize(self.table_name) if self.respond_to?(:table_name)
+      
+      # Set up DSL using dsl helper
+      if block_given? 
+        dsl = Thwart::Dsl.new(:name => :thwart_name=)
+        dsl.evaluate(self, &block)
+      end
+      self.ensure_attributes_set!
+    end
+    
+    def ensure_attributes_set!
+      raise Thwart::MissingAttributeError if self.thwart_name == nil
+    end
+  end
+end

data/lib/thwart/role.rb

@@ -0,0 +1,81 @@
+module Thwart
+  
+  module Role
+    attr_accessor :name, :default_response, :responses
+
+    def responses
+      @responses ||= {}
+      @responses
+    end
+    
+    def parents
+      @parents ||= []
+      @parents
+    end
+    
+    def parents=(p)
+      @parents = p.uniq
+      @parents
+    end    
+    
+    def query(actor, resource, action) 
+      @query_result_found = false
+      resp = nil
+
+      if self.responses.has_key?(action)
+        # Find the resource scope response if it exists {:view => {:foo => bool}}
+        resp = self.resource_response(self.responses[action], resource) if !found? 
+        # Find the action scope response if it exists {:view => bool}
+        resp = self.action_response(action) if !found?
+      end
+      
+      # Return the default if it exists
+      resp = found!(self.default_response) if !found? && !self.default_response.nil?
+      # Call it if it is a proc
+      resp = resp.call(actor, resource, action) if resp.respond_to?(:call) 
+
+      return resp
+    end
+    
+    def resource_response(resources, resource)
+      # Return the resource scoped response if it exists
+      if resources.respond_to?(:[]) && resources.respond_to?(:include?) 
+        if resources.include?(resource)
+          return found!(resources[resource])
+        elsif resources.include?(:_other)
+          return found!(resources[:_other])
+        end
+      end
+      nil
+    end
+    
+    def action_response(action)
+      # Return the action level boolean, proc, or nil if it exists is the responses array
+      response = self.responses[action]
+      if self.responses.has_key?(action) && (response.is_a?(TrueClass) || response.is_a?(FalseClass) || response.nil? || response.respond_to?(:call))
+        return found!(response)
+      end
+      nil
+    end
+    
+    private
+    
+    def found!(response)
+      @query_result_found = true
+      response
+    end
+    
+    def found?
+      @query_result_found ||= false
+      @query_result_found == true
+    end
+  end
+  
+  class DefaultRole
+    include Thwart::Role
+    def query(*args)
+      return Thwart.default_query_response
+    end
+  end
+  
+end