timcharper-declarative_authorization 0.4.1.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (42) hide show
  1. data/CHANGELOG +135 -0
  2. data/MIT-LICENSE +20 -0
  3. data/README.rdoc +503 -0
  4. data/Rakefile +43 -0
  5. data/app/controllers/authorization_rules_controller.rb +259 -0
  6. data/app/controllers/authorization_usages_controller.rb +23 -0
  7. data/app/helpers/authorization_rules_helper.rb +218 -0
  8. data/app/views/authorization_rules/_change.erb +58 -0
  9. data/app/views/authorization_rules/_show_graph.erb +37 -0
  10. data/app/views/authorization_rules/_suggestions.erb +48 -0
  11. data/app/views/authorization_rules/change.html.erb +169 -0
  12. data/app/views/authorization_rules/graph.dot.erb +68 -0
  13. data/app/views/authorization_rules/graph.html.erb +40 -0
  14. data/app/views/authorization_rules/index.html.erb +17 -0
  15. data/app/views/authorization_usages/index.html.erb +36 -0
  16. data/authorization_rules.dist.rb +20 -0
  17. data/config/routes.rb +7 -0
  18. data/garlic_example.rb +20 -0
  19. data/init.rb +5 -0
  20. data/lib/declarative_authorization.rb +15 -0
  21. data/lib/declarative_authorization/authorization.rb +683 -0
  22. data/lib/declarative_authorization/development_support/analyzer.rb +252 -0
  23. data/lib/declarative_authorization/development_support/change_analyzer.rb +253 -0
  24. data/lib/declarative_authorization/development_support/change_supporter.rb +620 -0
  25. data/lib/declarative_authorization/development_support/development_support.rb +243 -0
  26. data/lib/declarative_authorization/helper.rb +60 -0
  27. data/lib/declarative_authorization/in_controller.rb +623 -0
  28. data/lib/declarative_authorization/in_model.rb +162 -0
  29. data/lib/declarative_authorization/maintenance.rb +198 -0
  30. data/lib/declarative_authorization/obligation_scope.rb +345 -0
  31. data/lib/declarative_authorization/rails_legacy.rb +14 -0
  32. data/lib/declarative_authorization/reader.rb +472 -0
  33. data/test/authorization_test.rb +971 -0
  34. data/test/controller_filter_resource_access_test.rb +511 -0
  35. data/test/controller_test.rb +465 -0
  36. data/test/dsl_reader_test.rb +157 -0
  37. data/test/helper_test.rb +171 -0
  38. data/test/maintenance_test.rb +46 -0
  39. data/test/model_test.rb +1694 -0
  40. data/test/schema.sql +54 -0
  41. data/test/test_helper.rb +134 -0
  42. metadata +119 -0
@@ -0,0 +1,511 @@
1
+ require File.join(File.dirname(__FILE__), 'test_helper.rb')
2
+
3
+ class BasicResource < MockDataObject
4
+ def self.name
5
+ "BasicResource"
6
+ end
7
+ end
8
+ class BasicResourcesController < MocksController
9
+ filter_resource_access
10
+ define_resource_actions
11
+ end
12
+ class BasicResourcesControllerTest < ActionController::TestCase
13
+ def test_basic_filter_index
14
+ reader = Authorization::Reader::DSLReader.new
15
+ reader.parse %{
16
+ authorization do
17
+ role :allowed_role do
18
+ has_permission_on :basic_resources, :to => :index do
19
+ if_attribute :id => is {"1"}
20
+ end
21
+ end
22
+ end
23
+ }
24
+
25
+ allowed_user = MockUser.new(:allowed_role)
26
+ request!(MockUser.new(:another_role), :index, reader)
27
+ assert !@controller.authorized?
28
+ request!(allowed_user, :index, reader)
29
+ assert @controller.authorized?
30
+ end
31
+
32
+ def test_basic_filter_show_with_id
33
+ reader = Authorization::Reader::DSLReader.new
34
+ reader.parse %{
35
+ authorization do
36
+ role :allowed_role do
37
+ has_permission_on :basic_resources, :to => :show do
38
+ if_attribute :id => is {"1"}
39
+ end
40
+ end
41
+ end
42
+ }
43
+
44
+ allowed_user = MockUser.new(:allowed_role)
45
+ request!(allowed_user, :show, reader, :id => "2")
46
+ assert !@controller.authorized?
47
+ request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
48
+ assert @controller.authorized?
49
+ end
50
+
51
+ def test_basic_filter_new_with_params
52
+ reader = Authorization::Reader::DSLReader.new
53
+ reader.parse %{
54
+ authorization do
55
+ role :allowed_role do
56
+ has_permission_on :basic_resources, :to => :new do
57
+ if_attribute :id => is {"1"}
58
+ end
59
+ end
60
+ end
61
+ }
62
+
63
+ allowed_user = MockUser.new(:allowed_role)
64
+ request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
65
+ assert !@controller.authorized?
66
+ request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
67
+ :clear => [:@basic_resource])
68
+ assert @controller.authorized?
69
+ end
70
+ end
71
+
72
+
73
+ class NestedResource < MockDataObject
74
+ def initialize (attributes = {})
75
+ if attributes[:id]
76
+ attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
77
+ end
78
+ super(attributes)
79
+ end
80
+ def self.name
81
+ "NestedResource"
82
+ end
83
+ end
84
+
85
+ class ShallowNestedResource < MockDataObject
86
+ def initialize (attributes = {})
87
+ if attributes[:id]
88
+ attributes[:parent_mock] ||= ParentMock.new(:id => attributes[:id])
89
+ end
90
+ super(attributes)
91
+ end
92
+ def self.name
93
+ "ShallowNestedResource"
94
+ end
95
+ end
96
+
97
+ class ParentMock < MockDataObject
98
+ def nested_resources
99
+ Class.new do
100
+ def initialize (parent_mock)
101
+ @parent_mock = parent_mock
102
+ end
103
+ def new (attributes = {})
104
+ NestedResource.new(attributes.merge(:parent_mock => @parent_mock))
105
+ end
106
+ end.new(self)
107
+ end
108
+
109
+ alias :shallow_nested_resources :nested_resources
110
+
111
+ def == (other)
112
+ id == other.id
113
+ end
114
+ def self.name
115
+ "ParentMock"
116
+ end
117
+ end
118
+
119
+ class NestedResourcesController < MocksController
120
+ filter_resource_access :nested_in => :parent_mocks
121
+ define_resource_actions
122
+ end
123
+ class NestedResourcesControllerTest < ActionController::TestCase
124
+ def test_nested_filter_index
125
+ reader = Authorization::Reader::DSLReader.new
126
+ reader.parse %{
127
+ authorization do
128
+ role :allowed_role do
129
+ has_permission_on :nested_resources, :to => :index do
130
+ if_attribute :parent_mock => is {ParentMock.find("1")}
131
+ end
132
+ end
133
+ end
134
+ }
135
+
136
+ allowed_user = MockUser.new(:allowed_role)
137
+ request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
138
+ assert !@controller.authorized?
139
+ request!(allowed_user, :index, reader, :parent_mock_id => "2",
140
+ :clear => [:@nested_resource, :@parent_mock])
141
+ assert !@controller.authorized?
142
+ request!(allowed_user, :index, reader, :parent_mock_id => "1",
143
+ :clear => [:@nested_resource, :@parent_mock])
144
+ assert @controller.authorized?
145
+ end
146
+
147
+ def test_nested_filter_show_with_id
148
+ reader = Authorization::Reader::DSLReader.new
149
+ reader.parse %{
150
+ authorization do
151
+ role :allowed_role do
152
+ has_permission_on :nested_resources, :to => :show do
153
+ if_attribute :parent_mock => is {ParentMock.find("1")}
154
+ end
155
+ end
156
+ end
157
+ }
158
+
159
+ allowed_user = MockUser.new(:allowed_role)
160
+ request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
161
+ assert !@controller.authorized?
162
+ request!(allowed_user, :show, reader, :id => "1", :parent_mock_id => "1",
163
+ :clear => [:@nested_resource, :@parent_mock])
164
+ assert @controller.authorized?
165
+ end
166
+
167
+ def test_nested_filter_new_with_params
168
+ reader = Authorization::Reader::DSLReader.new
169
+ reader.parse %{
170
+ authorization do
171
+ role :allowed_role do
172
+ has_permission_on :nested_resources, :to => :new do
173
+ if_attribute :parent_mock => is {ParentMock.find("1")}
174
+ end
175
+ end
176
+ end
177
+ }
178
+
179
+ allowed_user = MockUser.new(:allowed_role)
180
+ request!(allowed_user, :new, reader, :parent_mock_id => "2",
181
+ :nested_resource => {:id => "2"})
182
+ assert !@controller.authorized?
183
+ request!(allowed_user, :new, reader, :parent_mock_id => "1",
184
+ :nested_resource => {:id => "1"},
185
+ :clear => [:@nested_resource, :@parent_mock])
186
+ assert @controller.authorized?
187
+ end
188
+ end
189
+
190
+ class ShallowNestedResourcesController < MocksController
191
+ filter_resource_access :nested_in => :parent_mocks,
192
+ :shallow => true,
193
+ :additional_member => :additional_member_action
194
+ define_resource_actions
195
+ define_action_methods :additional_member_action
196
+ end
197
+ class ShallowNestedResourcesControllerTest < ActionController::TestCase
198
+ def test_nested_filter_index
199
+ reader = Authorization::Reader::DSLReader.new
200
+ reader.parse %{
201
+ authorization do
202
+ role :allowed_role do
203
+ has_permission_on :shallow_nested_resources, :to => :index do
204
+ if_attribute :parent_mock => is {ParentMock.find("1")}
205
+ end
206
+ end
207
+ end
208
+ }
209
+
210
+ allowed_user = MockUser.new(:allowed_role)
211
+ request!(MockUser.new(:another_role), :index, reader, :parent_mock_id => "2")
212
+ assert !@controller.authorized?
213
+ request!(allowed_user, :index, reader, :parent_mock_id => "2",
214
+ :clear => [:@shallow_nested_resource, :@parent_mock])
215
+ assert !@controller.authorized?
216
+ request!(allowed_user, :index, reader, :parent_mock_id => "1",
217
+ :clear => [:@shallow_nested_resource, :@parent_mock])
218
+ assert assigns(:parent_mock)
219
+ assert @controller.authorized?
220
+ end
221
+
222
+ def test_nested_filter_show_with_id
223
+ reader = Authorization::Reader::DSLReader.new
224
+ reader.parse %{
225
+ authorization do
226
+ role :allowed_role do
227
+ has_permission_on :shallow_nested_resources, :to => :show do
228
+ if_attribute :parent_mock => is {ParentMock.find("1")}
229
+ end
230
+ end
231
+ end
232
+ }
233
+
234
+ allowed_user = MockUser.new(:allowed_role)
235
+ request!(allowed_user, :show, reader, :id => "2", :parent_mock_id => "2")
236
+ assert !@controller.authorized?
237
+ request!(allowed_user, :show, reader, :id => "1",
238
+ :clear => [:@shallow_nested_resource, :@parent_mock])
239
+ assert !assigns(:parent_mock)
240
+ assert assigns(:shallow_nested_resource)
241
+ assert @controller.authorized?
242
+ end
243
+
244
+ def test_nested_filter_new_with_params
245
+ reader = Authorization::Reader::DSLReader.new
246
+ reader.parse %{
247
+ authorization do
248
+ role :allowed_role do
249
+ has_permission_on :shallow_nested_resources, :to => :new do
250
+ if_attribute :parent_mock => is {ParentMock.find("1")}
251
+ end
252
+ end
253
+ end
254
+ }
255
+
256
+ allowed_user = MockUser.new(:allowed_role)
257
+ request!(allowed_user, :new, reader, :parent_mock_id => "2",
258
+ :shallow_nested_resource => {:id => "2"})
259
+ assert !@controller.authorized?
260
+ request!(allowed_user, :new, reader, :parent_mock_id => "1",
261
+ :shallow_nested_resource => {:id => "1"},
262
+ :clear => [:@shallow_nested_resource, :@parent_mock])
263
+ assert assigns(:parent_mock)
264
+ assert assigns(:shallow_nested_resource)
265
+ assert @controller.authorized?
266
+ end
267
+
268
+ def test_nested_filter_additional_member_action_with_id
269
+ reader = Authorization::Reader::DSLReader.new
270
+ reader.parse %{
271
+ authorization do
272
+ role :allowed_role do
273
+ has_permission_on :shallow_nested_resources, :to => :additional_member_action do
274
+ if_attribute :parent_mock => is {ParentMock.find("1")}
275
+ end
276
+ end
277
+ end
278
+ }
279
+
280
+ allowed_user = MockUser.new(:allowed_role)
281
+ request!(allowed_user, :additional_member_action, reader, :id => "2", :parent_mock_id => "2")
282
+ assert !@controller.authorized?
283
+ request!(allowed_user, :additional_member_action, reader, :id => "1",
284
+ :clear => [:@shallow_nested_resource, :@parent_mock])
285
+ assert !assigns(:parent_mock)
286
+ assert assigns(:shallow_nested_resource)
287
+ assert @controller.authorized?
288
+ end
289
+ end
290
+
291
+
292
+ class CustomMembersCollectionsResourceController < MocksController
293
+ def self.controller_name
294
+ "basic_resources"
295
+ end
296
+ filter_resource_access :member => [[:other_show, :read]],
297
+ :collection => {:search => :read}, :new => [:other_new]
298
+ define_action_methods :other_new, :search, :other_show
299
+ end
300
+ class CustomMembersCollectionsResourceControllerTest < ActionController::TestCase
301
+ def test_custom_members_filter_search
302
+ reader = Authorization::Reader::DSLReader.new
303
+ reader.parse %{
304
+ authorization do
305
+ role :allowed_role do
306
+ has_permission_on :basic_resources, :to => :read do
307
+ if_attribute :id => is {"1"}
308
+ end
309
+ end
310
+ end
311
+ }
312
+
313
+ request!(MockUser.new(:another_role), :search, reader)
314
+ assert !@controller.authorized?
315
+ request!(MockUser.new(:allowed_role), :search, reader)
316
+ assert @controller.authorized?
317
+ end
318
+
319
+ def test_custom_members_filter_other_show
320
+ reader = Authorization::Reader::DSLReader.new
321
+ reader.parse %{
322
+ authorization do
323
+ role :allowed_role do
324
+ has_permission_on :basic_resources, :to => :read do
325
+ if_attribute :id => is {"1"}
326
+ end
327
+ end
328
+ end
329
+ }
330
+
331
+ allowed_user = MockUser.new(:allowed_role)
332
+ request!(allowed_user, :other_show, reader, :id => "2")
333
+ assert !@controller.authorized?
334
+ request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
335
+ assert @controller.authorized?
336
+ end
337
+
338
+ def test_custom_members_filter_other_new
339
+ reader = Authorization::Reader::DSLReader.new
340
+ reader.parse %{
341
+ authorization do
342
+ role :allowed_role do
343
+ has_permission_on :basic_resources, :to => :other_new do
344
+ if_attribute :id => is {"1"}
345
+ end
346
+ end
347
+ end
348
+ }
349
+
350
+ allowed_user = MockUser.new(:allowed_role)
351
+ request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
352
+ assert !@controller.authorized?
353
+ request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
354
+ :clear => [:@basic_resource])
355
+ assert @controller.authorized?
356
+ end
357
+ end
358
+
359
+
360
+ class AdditionalMembersCollectionsResourceController < MocksController
361
+ def self.controller_name
362
+ "basic_resources"
363
+ end
364
+ filter_resource_access :additional_member => :other_show,
365
+ :additional_collection => [:search], :additional_new => {:other_new => :new}
366
+ define_resource_actions
367
+ define_action_methods :other_new, :search, :other_show
368
+ end
369
+ class AdditionalMembersCollectionsResourceControllerTest < ActionController::TestCase
370
+ def test_additional_members_filter_search_index
371
+ reader = Authorization::Reader::DSLReader.new
372
+ reader.parse %{
373
+ authorization do
374
+ role :allowed_role do
375
+ has_permission_on :basic_resources, :to => [:search, :index] do
376
+ if_attribute :id => is {"1"}
377
+ end
378
+ end
379
+ end
380
+ }
381
+
382
+ request!(MockUser.new(:another_role), :search, reader)
383
+ assert !@controller.authorized?
384
+ request!(MockUser.new(:another_role), :index, reader)
385
+ assert !@controller.authorized?
386
+ request!(MockUser.new(:allowed_role), :search, reader)
387
+ assert @controller.authorized?
388
+ request!(MockUser.new(:allowed_role), :index, reader)
389
+ assert @controller.authorized?
390
+ end
391
+
392
+ def test_additional_members_filter_other_show
393
+ reader = Authorization::Reader::DSLReader.new
394
+ reader.parse %{
395
+ authorization do
396
+ role :allowed_role do
397
+ has_permission_on :basic_resources, :to => [:show, :other_show] do
398
+ if_attribute :id => is {"1"}
399
+ end
400
+ end
401
+ end
402
+ }
403
+
404
+ allowed_user = MockUser.new(:allowed_role)
405
+ request!(allowed_user, :other_show, reader, :id => "2")
406
+ assert !@controller.authorized?
407
+ request!(allowed_user, :show, reader, :id => "2", :clear => [:@basic_resource])
408
+ assert !@controller.authorized?
409
+ request!(allowed_user, :other_show, reader, :id => "1", :clear => [:@basic_resource])
410
+ assert @controller.authorized?
411
+ request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
412
+ assert @controller.authorized?
413
+ end
414
+
415
+ def test_additional_members_filter_other_new
416
+ reader = Authorization::Reader::DSLReader.new
417
+ reader.parse %{
418
+ authorization do
419
+ role :allowed_role do
420
+ has_permission_on :basic_resources, :to => :new do
421
+ if_attribute :id => is {"1"}
422
+ end
423
+ end
424
+ end
425
+ }
426
+
427
+ allowed_user = MockUser.new(:allowed_role)
428
+ request!(allowed_user, :other_new, reader, :basic_resource => {:id => "2"})
429
+ assert !@controller.authorized?
430
+ request!(allowed_user, :new, reader, :basic_resource => {:id => "2"},
431
+ :clear => [:@basic_resource])
432
+ assert !@controller.authorized?
433
+
434
+ request!(allowed_user, :other_new, reader, :basic_resource => {:id => "1"},
435
+ :clear => [:@basic_resource])
436
+ assert @controller.authorized?
437
+ request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
438
+ :clear => [:@basic_resource])
439
+ assert @controller.authorized?
440
+ end
441
+ end
442
+
443
+
444
+ class CustomMethodsResourceController < MocksController
445
+ # not implemented yet
446
+ end
447
+
448
+
449
+ class ExplicitContextResourceController < MocksController
450
+ filter_resource_access :context => :basic_resources
451
+ define_resource_actions
452
+ end
453
+ class ExplicitContextResourceControllerTest < ActionController::TestCase
454
+ def test_explicit_context_filter_index
455
+ reader = Authorization::Reader::DSLReader.new
456
+ reader.parse %{
457
+ authorization do
458
+ role :allowed_role do
459
+ has_permission_on :basic_resources, :to => :index do
460
+ if_attribute :id => is {"1"}
461
+ end
462
+ end
463
+ end
464
+ }
465
+
466
+ allowed_user = MockUser.new(:allowed_role)
467
+ request!(MockUser.new(:another_role), :index, reader)
468
+ assert !@controller.authorized?
469
+ request!(allowed_user, :index, reader)
470
+ assert @controller.authorized?
471
+ end
472
+
473
+ def test_explicit_context_filter_show_with_id
474
+ reader = Authorization::Reader::DSLReader.new
475
+ reader.parse %{
476
+ authorization do
477
+ role :allowed_role do
478
+ has_permission_on :basic_resources, :to => :show do
479
+ if_attribute :id => is {"1"}
480
+ end
481
+ end
482
+ end
483
+ }
484
+
485
+ allowed_user = MockUser.new(:allowed_role)
486
+ request!(allowed_user, :show, reader, :id => "2")
487
+ assert !@controller.authorized?
488
+ request!(allowed_user, :show, reader, :id => "1", :clear => [:@basic_resource])
489
+ assert @controller.authorized?
490
+ end
491
+
492
+ def test_explicit_context_filter_new_with_params
493
+ reader = Authorization::Reader::DSLReader.new
494
+ reader.parse %{
495
+ authorization do
496
+ role :allowed_role do
497
+ has_permission_on :basic_resources, :to => :new do
498
+ if_attribute :id => is {"1"}
499
+ end
500
+ end
501
+ end
502
+ }
503
+
504
+ allowed_user = MockUser.new(:allowed_role)
505
+ request!(allowed_user, :new, reader, :basic_resource => {:id => "2"})
506
+ assert !@controller.authorized?
507
+ request!(allowed_user, :new, reader, :basic_resource => {:id => "1"},
508
+ :clear => [:@basic_resource])
509
+ assert @controller.authorized?
510
+ end
511
+ end