tuersteher 0.5.2 → 0.6.0

data/.gitignore

@@ -2,3 +2,4 @@ pkg
 .idea
 tuersteher*.gem
 nbproject
+.rvmrc

data/VERSION

@@ -1 +1 @@
-0.5.2
+0.6.0

data/lib/tuersteher.rb

@@ -7,6 +7,7 @@
 #
 
 require 'singleton'
+require 'logger'
 
 module Tuersteher
 
@@ -143,7 +144,10 @@ module Tuersteher
       Tuersteher::TLogger.logger.info "extend_path_rules_with_prefix: #{prefix}"
       @path_prefix = prefix
       path_rules.each do |rule|
-        rule.path = "#{prefix}#{rule.path}" unless rule.path == :all
+        path_spec = rule.path_spezification
+        if path_spec
+          path_spec.path = "#{prefix}#{path_spec.path}"
+        end
       end
     end
 
@@ -302,7 +306,7 @@ module Tuersteher
       url_path = request.send(@@url_path_method)
       unless path_access?(url_path, req_method)
         usr_id = current_user && current_user.respond_to?(:id) ? current_user.id : current_user.object_id
-        msg = "Tuersteher#check_access: access denied for #{request.request_uri} :#{req_method} user.id=#{usr_id}"
+        msg = "Tuersteher#check_access: access denied for #{url_path} :#{req_method} user.id=#{usr_id}"
         Tuersteher::TLogger.logger.warn msg
         logger.warn msg  # log message also for Rails-Default logger
         access_denied  # Methode aus dem authenticated_system, welche ein redirect zum login auslöst
@@ -360,25 +364,148 @@ module Tuersteher
   end # of module ModelExtensions
 
 
+  # The Classes for the separate Rule-Specifications
+  class PathSpecification
+    attr_reader :path
+
+    def initialize path, negation
+      @negation = negation
+      self.path = path
+    end
+
+    def path= url_path
+      @path = url_path
+      # url_path in regex ^#{path} wandeln ausser bei "/",
+      # dies darf keine Regex mit ^/ werden, da diese dann ja immer matchen wuerde
+      if url_path == "/"
+        @path_regex = /^\/$/
+      else
+        @path_regex = /^#{url_path}/
+      end
+    end
+
+    def grant? path_or_model, method, login_ctx
+      rc = @path_regex =~ path_or_model
+      rc = !rc if @negation
+      rc
+    end
+  end
+
+  class ModelSpecification
+    def initialize clazz, negation
+      @clazz, @negation = clazz, negation
+    end
+
+    def grant? path_or_model, method, login_ctx
+      m_class = path_or_model.instance_of?(Class) ? path_or_model : path_or_model.class
+      rc = @clazz == m_class
+      rc = !rc if @negation
+      rc
+    end
+  end
+
+  class RolesSpecification
+    attr_reader :roles, :negation
+
+    def initialize role, negation
+      @negation = negation
+      @roles = [role]
+    end
+
+    def grant? path_or_model, method, login_ctx
+      return false if login_ctx.nil?
+      # roles sind or verknüpft
+      rc = @roles.any?{|role| login_ctx.has_role?(role) }
+      rc = !rc if @negation
+      rc
+    end
+  end
+
+  class MethodSpecification
+    def initialize method, negation
+      @method, @negation = method, negation
+    end
+
+    def grant? path_or_model, method, login_ctx
+      rc = @method==method
+      rc = !rc if @negation
+      rc
+    end
+  end
+
+  class ExtensionSpecification
+    def initialize method_name, negation, expected_value=nil
+      @method, @negation, @expected_value = method_name, negation, expected_value
+    end
+
+    def grant? path_or_model, method, login_ctx
+      rc = false
+      if path_or_model.is_a?(String)
+        # path-variante
+        return false if login_ctx.nil?
+        unless login_ctx.respond_to?(@method)
+          Tuersteher::TLogger.logger.warn("#{to_s}.grant? => false why Login-Context have not method '#{@method}'!")
+          return false
+        end
+        if @expected_value
+          rc = login_ctx.send(@method, @expected_value)
+        else
+          rc = login_ctx.send(@method)
+        end
+      else
+        # model-variante
+        unless path_or_model.respond_to?(@method)
+          m_msg = path_or_model.instance_of?(Class) ? "Class '#{path_or_model.name}'" : "Object '#{path_or_model.class}'"
+          Tuersteher::TLogger.logger.warn("#{to_s}.grant? => false why #{m_msg} have not method '#{@method}'!")
+          return false
+        end
+        if @expected_value
+          rc = path_or_model.send(@method, login_ctx, @expected_value)
+        else
+          rc = path_or_model.send(@method, login_ctx)
+        end
+      end
+      rc = !rc if @negation
+      rc
+    end
+  end
+
+
 
-  # Astracte base class for Access-Rules
+  # Abstracte base class for Access-Rules
   class BaseAccessRule
+    attr_reader :rule_spezifications
 
     def initialize
-      @roles = []
-      @access_method = :all
+      @rule_spezifications = []
+      @last_role_specification
     end
 
     # add role
     def role(role_name)
+      return self if role_name==:all  # :all is only syntax sugar
       raise "wrong role '#{role_name}'! Must be a symbol " unless role_name.is_a?(Symbol)
-      @roles << role_name
+      # roles are OR-linked (per default)
+      # => add the role to RolesSpecification, create only new RolesSpecification if not exist
+      if @last_role_specification
+        raise("Mixin of role and not.role are yet not implemented!") if @negation != @last_role_specification.negation
+        @last_role_specification.roles << role_name
+      else
+        @last_role_specification = RolesSpecification.new(role_name, @negation)
+        @rule_spezifications << @last_role_specification
+      end
+      @negation = false if @negation
       self
     end
 
     # add list of roles
     def roles(*role_names)
-      role_names.flatten.each{|role_name| role(role_name)}
+      negation_state = @negation
+      role_names.flatten.each do |role_name|
+        self.role(role_name)
+        @negation = negation_state # keep Negation-State for all roles
+      end
+      @negation = false if @negation
       self
     end
 
@@ -387,11 +514,21 @@ module Tuersteher
     #   method_name:      Symbol with the name of the method to call for addional check
     #   expected_value:   optional expected value for the result of the with metho_name specified method, defalt is true
     def extension method_name, expected_value=nil
-      @check_extensions ||= {}
-      @check_extensions[method_name] = expected_value
+      @rule_spezifications << ExtensionSpecification.new(method_name, @negation, expected_value)
+      @negation = false if @negation
       self
     end
 
+    # set methode for access
+    # access_method        Name of Methode for access as Symbol
+    def method(access_method)
+      return self if access_method==:all  # :all is only syntax sugar
+      @rule_spezifications << MethodSpecification.new(access_method, @negation)
+      @negation = false if @negation
+      self
+    end
+
+
     # mark this rule as grant-rule
     def grant
       self
@@ -408,43 +545,34 @@ module Tuersteher
       @deny
     end
 
-    # set methode for access
-    # access_method        Name of Methode for access as Symbol
-    def method(access_method)
-      @access_method = access_method
-      self
-    end
 
-    # negate role-membership
+    # negate role followed rule specification (role or extension
     def not
-      @not = true
+      @negation = true
       self
     end
 
-    protected
-
-    # check, if this rule granted for specified user
-    def grant_role? user
-      return true if @roles.empty?
-      return false if user.nil?
-      role = @roles.detect{|r| user.has_role?(r)}
-      role = !role if @not
-      return true if role
-      false
+    # check, if this rule fired for specified parameter
+    def fired? path_or_model, method, login_ctx
+      login_ctx = nil if login_ctx==:false # manche Authenticate-System setzen den login_ctx/user auf :false
+      @rule_spezifications.all?{|spec| spec.grant?(path_or_model, method, login_ctx)}
     end
 
-    def grant_access_method? method
-      return true if @access_method==:all
-      @access_method == method
-    end
 
+    def to_s
+      s = "#{self.class}["
+      s << 'DENY ' if @deny
+      s << @rule_spezifications.map(&:to_s).join(', ')
+      s << ']'
+      s
+    end
   end # of BaseAccessRule
 
 
   class PathAccessRule < BaseAccessRule
 
     METHOD_NAMES = [:get, :edit, :put, :delete, :post, :all].freeze
-    attr_reader :path
+    attr_reader :path_spezification
 
     # Zugriffsregel
     #
@@ -453,23 +581,13 @@ module Tuersteher
     def initialize(path)
       raise "wrong path '#{path}'! Must be a String or :all ." unless path==:all or path.is_a?(String)
       super()
-      self.path = path
-    end
-
-    def path= url_path
-      @path = url_path
-      if url_path != :all
-        # path in regex ^#{path} wandeln ausser bei "/",
-        # dies darf keine Regex mit ^/ werden,
-        # da diese ja immer matchen wuerde
-        if url_path == "/"
-          @path_regex = /^\/$/
-        else
-          @path_regex = /^#{url_path}/
-        end
+      if path != :all # :all is only syntax sugar
+        @path_spezification = PathSpecification.new(path, @negation)
+        @rule_spezifications << @path_spezification
       end
     end
 
+
     # set http-methode
     # http_method        http-Method, allowed is :get, :put, :delete, :post, :all
     def method(http_method)
@@ -478,57 +596,6 @@ module Tuersteher
       self
     end
 
-
-
-    # pruefen, ob Zugriff fuer angegebenen
-    # path / method fuer den current_user erlaubt ist
-    #
-    # user ist ein Object (meist der Loginuser),
-    # welcher die Methode 'has_role?(role)' besitzen muss.
-    # *roles ist dabei eine Array aus Symbolen
-    #
-    def fired?(path, method, user)
-      user = nil if user==:false # manche Authenticate-System setzen den user auf :false
-
-      if @path!=:all && !(@path_regex =~ path)
-        return false
-      end
-
-      return false unless grant_access_method?(method)
-      return false unless grant_role?(user)
-      return false unless grant_extension?(user)
-
-      true
-    end
-
-
-    def to_s
-      s = "PathAccesRule[#{@deny ? 'DENY ' : ''}#{@path}, #{@access_method}, #{@roles.join(' ')}"
-      s << " #{@check_extensions.inspect}" if @check_extensions
-      s << ']'
-      s
-    end
-
-    private
-
-    # check, if this rule grant the defined extension (if exist)
-    def grant_extension? user
-      return true if @check_extensions.nil?
-      return false if user.nil?  # check_extensions need a user
-      @check_extensions.each do |key, value|
-        unless user.respond_to?(key)
-          Tuersteher::TLogger.logger.warn("#{to_s}.fired? => false why user have not check-extension method '#{key}'!")
-          return false
-        end
-        if value
-          return false unless user.send(key,value)
-        else
-          return false unless user.send(key)
-        end
-      end
-      true
-    end
-
   end
 
 
@@ -538,74 +605,13 @@ module Tuersteher
     # erzeugt neue Object-Zugriffsregel
     #
     # clazz         Model-Klassenname oder :all fuer alle
-    # access_type   Zugriffsart (:create, :update, :destroy, :all o.A. selbst definierte Typem)
-    # roles         Aufzählung der erforderliche Rolen (:all für ist egal),
-    #               hier ist auch ein Array von Symbolen möglich
-    # block         optionaler Block, wird mit model und user aufgerufen und muss true oder false liefern
-    #               hier ein Beispiel mit Block:
-    #               <code>
-    #                 # Regel, in der sich jeder User selbst aendern darf
-    #                 ModelAccessRule.new(User, :update, :all){|model,user| model.id==user.id}
-    #               </code>
     #
     def initialize(clazz)
       raise "wrong clazz '#{clazz}'! Must be a Class or :all ." unless clazz==:all or clazz.is_a?(Class)
       super()
-      @clazz = clazz.instance_of?(Symbol) ? clazz : clazz.to_s
-    end
-
-
-    # liefert true, wenn zugriff fuer das angegebene model mit
-    # der Zugriffsart perm für das security_object hat
-    #
-    # model des zupruefende ModelObject
-    # perm gewunschte Zugriffsart (Symbol :create, :update, :destroy)
-    #
-    # user ist ein User-Object (meist der Loginuser),
-    # welcher die Methode 'has_role?(*roles)' besitzen muss.
-    # *roles ist dabei eine Array aus Symbolen
-    #
-    #
-    def fired? model, access_method, user
-      user = nil if user==:false # manche Authenticate-System setzen den user auf :false
-      m_class = model.instance_of?(Class) ? model : model.class
-      if @clazz!=m_class.to_s && @clazz!=:all
-        #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@clazz}!=#{model.class.to_s} && #{@clazz}!=:all")
-        return false
-      end
-
-      return false unless grant_access_method?(access_method)
-      return false unless grant_role?(user)
-      return false unless grant_extension?(user, model)
-      true
-    end
-
-    def to_s
-      s = "ModelAccessRule[#{@deny ? 'DENY ' : ''}#{@clazz}, #{@access_method}, #{@roles.join(' ')}"
-      s << " #{@check_extensions.inspect}" if @check_extensions
-      s << ']'
-      s
-    end
-
-    private
-
-    # check, if this rule grant the defined extension (if exist)
-    def grant_extension? user, model
-      return true if @check_extensions.nil?
-      return false if model.nil?  # check_extensions need a model
-      @check_extensions.each do |key, value|
-        unless model.respond_to?(key)
-          m_msg = model.instance_of?(Class) ? "Class '#{model.name}'" : "Object '#{model.class}'"
-          Tuersteher::TLogger.logger.warn("#{to_s}.fired? => false why #{m_msg} have not check-extension method '#{key}'!")
-          return false
-        end
-        if value
-          return false unless model.send(key,user,value)
-        else
-          return false unless model.send(key,user)
-        end
+      if clazz != :all # :all is only syntax sugar
+        @rule_spezifications << ModelSpecification.new(clazz, @negation)
       end
-      true
     end
 
   end

data/spec/acces_rules_storage_spec.rb

@@ -58,8 +58,8 @@ end
           @path_rules = AccessRulesStorage.instance.path_rules
         end
 
-        specify{ @path_rules.first.path.should == :all }
-        specify{ @path_rules.last.path.should == '/test/special' }
+        specify{ @path_rules.first.path_spezification.should be_nil }
+        specify{ @path_rules.last.path_spezification.path.should == '/test/special' }
 
       end
     end

data/spec/access_rules_spec.rb

@@ -177,7 +177,7 @@ module Tuersteher
     context 'purge_collection' do
 
       class SampleModel
-        def owner? user; false; end
+        def owner?(user); false; end
       end
 
       before do

data/spec/path_access_rule_spec.rb

@@ -150,20 +150,47 @@ module Tuersteher
     end # of context "deny" do
 
 
-    context "with not as role prefix" do
-      before(:all) do
-        @rule = PathAccessRule.new('/admin').deny.not.role(:admin)
-        @user = stub('user')
-      end
+    context "with not" do
+      context "as prefix for role" do
+        before(:all) do
+          @rule = PathAccessRule.new('/admin').deny.not.role(:admin)
+          @user = stub('user')
+        end
 
-      it "should not fired for user with role :admin" do
-        @user.stub(:has_role?){|role| role==:admin}
-        @rule.fired?("/admin", :get, @user).should_not be_true
+        it "should not fired for user with role :admin" do
+          @user.stub(:has_role?){|role| role==:admin}
+          @rule.fired?("/admin", :get, @user).should_not be_true
+        end
+
+        it "should fired for user with role :user" do
+          @user.stub(:has_role?){|role| role==:user}
+          @rule.fired?("/admin", :get, @user).should be_true
+        end
       end
 
-      it "should fired for user with role :user" do
-        @user.stub(:has_role?){|role| role==:user}
-        @rule.fired?("/admin", :get, @user).should be_true
+      context "as prefix for extension" do
+        before(:all) do
+          @rule = PathAccessRule.new('/admin').grant.role(:admin).not.extension(:login_ctx_method)
+          @user = stub('user')
+        end
+
+        it "should fired for user with role :admin and false for extension" do
+          @user.stub(:has_role?){|role| role==:admin}
+          @user.should_receive(:login_ctx_method).and_return(false)
+          @rule.fired?("/admin", :get, @user).should be_true
+        end
+
+        it "should not fired for user with role :admin and true for extension" do
+          @user.stub(:has_role?){|role| role==:admin}
+          @user.should_receive(:login_ctx_method).and_return(true)
+          @rule.fired?("/admin", :get, @user).should_not be_true
+        end
+
+        it "should not fired for user with role :user" do
+          @user.stub(:has_role?){|role| role==:user}
+          @rule.fired?("/admin", :get, @user).should be_false
+        end
+
       end
     end # of context "not" do
 

data/spec/spec_helper.rb

@@ -1,4 +1,4 @@
-require 'spec'
+require 'rspec'
 require 'logger'
 require File.expand_path(File.dirname(__FILE__) + "/../lib/tuersteher")
 

data/tuersteher.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{tuersteher}
-  s.version = "0.5.2"
+  s.version = "0.6.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Bernd Ledig"]
-  s.date = %q{2010-11-07}
+  s.date = %q{2011-02-02}
   s.description = %q{Security-Layer for Rails-Application acts like a firewall.}
   s.email = %q{bernd@ledig.info}
   s.extra_rdoc_files = [
@@ -41,12 +41,12 @@ Gem::Specification.new do |s|
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Security-Layer for Rails-Application}
   s.test_files = [
-    "spec/spec_helper.rb",
-     "spec/model_extensions_spec.rb",
-     "spec/access_rules_spec.rb",
-     "spec/path_access_rule_spec.rb",
+    "spec/model_extensions_spec.rb",
+     "spec/acces_rules_storage_spec.rb",
+     "spec/spec_helper.rb",
      "spec/model_access_rule_spec.rb",
-     "spec/acces_rules_storage_spec.rb"
+     "spec/access_rules_spec.rb",
+     "spec/path_access_rule_spec.rb"
   ]
 
   if s.respond_to? :specification_version then

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: tuersteher
 version: !ruby/object:Gem::Version 
-  hash: 15
+  hash: 7
   prerelease: false
   segments: 
   - 0
-  - 5
-  - 2
-  version: 0.5.2
+  - 6
+  - 0
+  version: 0.6.0
 platform: ruby
 authors: 
 - Bernd Ledig
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-11-07 00:00:00 +01:00
+date: 2011-02-02 00:00:00 +01:00
 default_executable: 
 dependencies: []
 
@@ -81,9 +81,9 @@ signing_key:
 specification_version: 3
 summary: Security-Layer for Rails-Application
 test_files: 
-- spec/spec_helper.rb
 - spec/model_extensions_spec.rb
+- spec/acces_rules_storage_spec.rb
+- spec/spec_helper.rb
+- spec/model_access_rule_spec.rb
 - spec/access_rules_spec.rb
 - spec/path_access_rule_spec.rb
-- spec/model_access_rule_spec.rb
-- spec/acces_rules_storage_spec.rb