tuersteher 0.7.2 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/lib/tuersteher.rb +39 -44
- data/tuersteher.gemspec +8 -6
- metadata +23 -35
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 6c9a87b5dd44b07d9d007776268488b17bc54eac69e7b2ca9c34ead5dd9e5ca7
|
|
4
|
+
data.tar.gz: e899723582f2090efd837a7a2d308d40c2cbc43a089ca0b8a6dcd4a6fe1e3de4
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: eb765c3d95fcbd938c675e0396128aead6cfd81f5cfa037cec31e04a188ae8f7e6bbae7f9fa6113066e6e685e5679f37e3b7377e4ff5bad08f33a3f7a3e83a96
|
|
7
|
+
data.tar.gz: 71893a402e3327ecd40c9b2e2d9932da4df596c328ad0ce7d91fe469203e629c0b79b64fde50b3b0ba500befe5e378eaeb0d4f07bb1dccf806239745b58e44a5
|
data/lib/tuersteher.rb
CHANGED
|
@@ -194,13 +194,13 @@ module Tuersteher
|
|
|
194
194
|
class << self
|
|
195
195
|
|
|
196
196
|
# Pruefen Zugriff fuer eine Web-action
|
|
197
|
-
#
|
|
198
|
-
# path
|
|
199
|
-
# method
|
|
197
|
+
# @param login_contex Login-Contex, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
|
|
198
|
+
# @param path Pfad der Webresource (String)
|
|
199
|
+
# @param method http-Methode (:get, :put, :delete, :post), default ist :get
|
|
200
200
|
#
|
|
201
|
-
def path_access?(
|
|
201
|
+
def path_access?(login_contex, path, method = :get)
|
|
202
202
|
rule = AccessRulesStorage.instance.path_rules.detect do |r|
|
|
203
|
-
r.fired?(path, method,
|
|
203
|
+
r.fired?(path, method, login_contex)
|
|
204
204
|
end
|
|
205
205
|
if Tuersteher::TLogger.logger.debug?
|
|
206
206
|
if rule.nil?
|
|
@@ -208,8 +208,8 @@ module Tuersteher
|
|
|
208
208
|
else
|
|
209
209
|
s = "fired with #{rule}"
|
|
210
210
|
end
|
|
211
|
-
|
|
212
|
-
Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(
|
|
211
|
+
lc_id = login_contex && login_contex.respond_to?(:id) ? login_contex.id : login_contex.object_id
|
|
212
|
+
Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(login_contex.id=#{lc_id}, path=#{path}, method=#{method}) => #{s}")
|
|
213
213
|
end
|
|
214
214
|
!(rule.nil? || rule.deny?)
|
|
215
215
|
end
|
|
@@ -217,38 +217,38 @@ module Tuersteher
|
|
|
217
217
|
|
|
218
218
|
# Pruefen Zugriff auf ein Model-Object
|
|
219
219
|
#
|
|
220
|
-
#
|
|
221
|
-
# model
|
|
222
|
-
# permission
|
|
220
|
+
# @param login_contex Login-Contex, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
|
|
221
|
+
# @param model das Model-Object
|
|
222
|
+
# @param permission das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
|
|
223
223
|
#
|
|
224
224
|
# liefert true/false
|
|
225
|
-
def model_access?
|
|
225
|
+
def model_access? login_contex, model, permission
|
|
226
226
|
raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
|
|
227
227
|
return false unless model
|
|
228
228
|
|
|
229
229
|
rule = AccessRulesStorage.instance.model_rules.detect do |rule|
|
|
230
|
-
rule.fired? model, permission,
|
|
230
|
+
rule.fired? model, permission, login_contex
|
|
231
231
|
end
|
|
232
232
|
access = rule && !rule.deny?
|
|
233
233
|
if Tuersteher::TLogger.logger.debug?
|
|
234
|
-
|
|
234
|
+
lc_id = login_contex && login_contex.respond_to?(:id) ? login_contex.id : login_contex.object_id
|
|
235
235
|
if model.instance_of?(Class)
|
|
236
236
|
Tuersteher::TLogger.logger.debug(
|
|
237
|
-
"Tuersteher: model_access?(
|
|
237
|
+
"Tuersteher: model_access?(login_contex.id=#{lc_id}, model=#{model}, permission=#{permission}) => #{access || 'denied'} #{rule}")
|
|
238
238
|
else
|
|
239
239
|
Tuersteher::TLogger.logger.debug(
|
|
240
|
-
"Tuersteher: model_access?(
|
|
240
|
+
"Tuersteher: model_access?(login_contex.id=#{lc_id}, model=#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), permission=#{permission}) => #{access || 'denied'} #{rule}")
|
|
241
241
|
end
|
|
242
242
|
end
|
|
243
243
|
access
|
|
244
244
|
end
|
|
245
245
|
|
|
246
246
|
# Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
|
|
247
|
-
# wo der angegebene
|
|
247
|
+
# wo der angegebene login_contex nicht das angegebene Recht hat
|
|
248
248
|
#
|
|
249
249
|
# liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
|
|
250
|
-
def purge_collection
|
|
251
|
-
collection.select{|model| model_access?(
|
|
250
|
+
def purge_collection login_contex, collection, permission
|
|
251
|
+
collection.select{|model| model_access?(login_contex, model, permission)}
|
|
252
252
|
end
|
|
253
253
|
end # of Class-Methods
|
|
254
254
|
end # of AccessRules
|
|
@@ -258,10 +258,10 @@ module Tuersteher
|
|
|
258
258
|
# Module zum Include in Controllers
|
|
259
259
|
# Dieser muss die folgenden Methoden bereitstellen:
|
|
260
260
|
#
|
|
261
|
-
#
|
|
261
|
+
# login_contex : akt. Login-Contex
|
|
262
262
|
# access_denied : Methode aus dem authenticated_system, welche ein redirect zum login auslöst
|
|
263
263
|
#
|
|
264
|
-
# Der
|
|
264
|
+
# Der Loginlogin_contex muss fuer die hier benoetigte Funktionalitaet
|
|
265
265
|
# die Methode:
|
|
266
266
|
# has_role?(role) # role the Name of the Role as Symbol
|
|
267
267
|
# besitzen.
|
|
@@ -272,15 +272,13 @@ module Tuersteher
|
|
|
272
272
|
#
|
|
273
273
|
module ControllerExtensions
|
|
274
274
|
|
|
275
|
-
@@url_path_method = nil
|
|
276
|
-
|
|
277
275
|
# Pruefen Zugriff fuer eine Web-action
|
|
278
276
|
#
|
|
279
277
|
# path Pfad der Webresource (String)
|
|
280
278
|
# method http-Methode (:get, :put, :delete, :post), default ist :get
|
|
281
279
|
#
|
|
282
280
|
def path_access?(path, method = :get)
|
|
283
|
-
AccessRules.path_access?
|
|
281
|
+
AccessRules.path_access? login_contex, path, method
|
|
284
282
|
end
|
|
285
283
|
|
|
286
284
|
# Pruefen Zugriff auf ein Model-Object
|
|
@@ -290,15 +288,15 @@ module Tuersteher
|
|
|
290
288
|
#
|
|
291
289
|
# liefert true/false
|
|
292
290
|
def model_access? model, permission
|
|
293
|
-
AccessRules.model_access?
|
|
291
|
+
AccessRules.model_access? login_contex, model, permission
|
|
294
292
|
end
|
|
295
293
|
|
|
296
294
|
# Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
|
|
297
|
-
# wo der akt.
|
|
295
|
+
# wo der akt. login_contex nicht das angegebene Recht hat
|
|
298
296
|
#
|
|
299
297
|
# liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
|
|
300
298
|
def purge_collection collection, permission
|
|
301
|
-
AccessRules.purge_collection(
|
|
299
|
+
AccessRules.purge_collection(login_contex, collection, permission)
|
|
302
300
|
end
|
|
303
301
|
|
|
304
302
|
|
|
@@ -311,7 +309,7 @@ module Tuersteher
|
|
|
311
309
|
|
|
312
310
|
protected
|
|
313
311
|
|
|
314
|
-
# Pruefen, ob Zugriff des
|
|
312
|
+
# Pruefen, ob Zugriff des login_contex
|
|
315
313
|
# fuer aktullen Request erlaubt ist
|
|
316
314
|
def check_access
|
|
317
315
|
|
|
@@ -325,21 +323,18 @@ module Tuersteher
|
|
|
325
323
|
ar_storage.read_rules
|
|
326
324
|
end
|
|
327
325
|
|
|
328
|
-
#
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
# bind current_user on the current thread
|
|
332
|
-
Thread.current[:user] = current_user
|
|
326
|
+
# bind login_contex on the current thread
|
|
327
|
+
Thread.current[:login_contex] = login_contex
|
|
333
328
|
|
|
334
329
|
req_method = request.method
|
|
335
330
|
req_method = req_method.downcase.to_sym if req_method.is_a?(String)
|
|
336
|
-
url_path = request.
|
|
331
|
+
url_path = request.fullpath
|
|
337
332
|
unless path_access?(url_path, req_method)
|
|
338
|
-
|
|
339
|
-
msg = "Tuersteher#check_access: access denied for #{url_path} :#{req_method}
|
|
333
|
+
lc_id = login_contex && login_contex.respond_to?(:id) ? login_contex.id : login_contex.object_id
|
|
334
|
+
msg = "Tuersteher#check_access: access denied for #{url_path} :#{req_method} login_contex.id=#{lc_id}"
|
|
340
335
|
Tuersteher::TLogger.logger.warn msg
|
|
341
336
|
logger.warn msg # log message also for Rails-Default logger
|
|
342
|
-
access_denied # Methode aus dem authenticated_system, welche ein redirect zum login auslöst
|
|
337
|
+
access_denied # Methode aus dem authenticated_system, welche z.B. ein redirect zum login auslöst
|
|
343
338
|
end
|
|
344
339
|
end
|
|
345
340
|
|
|
@@ -349,7 +344,7 @@ module Tuersteher
|
|
|
349
344
|
|
|
350
345
|
# Module for include in Model-Object-Classes
|
|
351
346
|
#
|
|
352
|
-
# The module get the
|
|
347
|
+
# The module get the login_contex from Thread.current[:login_contex]
|
|
353
348
|
#
|
|
354
349
|
# Sample for ActiveRecord-Class
|
|
355
350
|
# class Sample < ActiveRecord::Base
|
|
@@ -369,9 +364,9 @@ module Tuersteher
|
|
|
369
364
|
#
|
|
370
365
|
# raise a SecurityError-Exception if access denied
|
|
371
366
|
def check_access permission
|
|
372
|
-
|
|
373
|
-
unless AccessRules.model_access?
|
|
374
|
-
raise SecurityError, "Access denied! Current
|
|
367
|
+
login_contex = Thread.current[:login_contex]
|
|
368
|
+
unless AccessRules.model_access? login_contex, self, permission
|
|
369
|
+
raise SecurityError, "Access denied! Current login_contex have no permission '#{permission}' on Model-Object #{self}."
|
|
375
370
|
end
|
|
376
371
|
end
|
|
377
372
|
|
|
@@ -382,12 +377,12 @@ module Tuersteher
|
|
|
382
377
|
module ClassMethods
|
|
383
378
|
|
|
384
379
|
# Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
|
|
385
|
-
# wo der akt.
|
|
380
|
+
# wo der akt. login_contex nicht das angegebene Recht hat
|
|
386
381
|
#
|
|
387
382
|
# liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
|
|
388
383
|
def purge_collection collection, permission
|
|
389
|
-
|
|
390
|
-
AccessRules.purge_collection(
|
|
384
|
+
login_contex = Thread.current[:login_contex]
|
|
385
|
+
AccessRules.purge_collection(login_contex, collection, permission)
|
|
391
386
|
end
|
|
392
387
|
end # of ClassMethods
|
|
393
388
|
|
|
@@ -645,7 +640,7 @@ module Tuersteher
|
|
|
645
640
|
|
|
646
641
|
# check, if this rule fired for specified parameter
|
|
647
642
|
def fired? path_or_model, method, login_ctx
|
|
648
|
-
login_ctx = nil if login_ctx==:false # manche Authenticate-System setzen den login_ctx/
|
|
643
|
+
login_ctx = nil if login_ctx==:false # manche Authenticate-System setzen den login_ctx/login_contex auf :false
|
|
649
644
|
@rule_spezifications.all?{|spec| spec.grant?(path_or_model, method, login_ctx)}
|
|
650
645
|
end
|
|
651
646
|
|
data/tuersteher.gemspec
CHANGED
|
@@ -3,14 +3,15 @@ $:.push File.expand_path("../lib", __FILE__)
|
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |s|
|
|
5
5
|
s.name = 'tuersteher'
|
|
6
|
-
s.version = '0.
|
|
6
|
+
s.version = '1.0.1'
|
|
7
7
|
s.authors = ["Bernd Ledig"]
|
|
8
|
-
s.email = ["bernd@ledig.info"]
|
|
9
|
-
s.homepage = "
|
|
10
|
-
s.summary = "
|
|
8
|
+
s.email = ["bernd@ledig.info","bernd.ledig@ottogroup.com"]
|
|
9
|
+
s.homepage = "https://gitlab.com/bledig/tuersteher"
|
|
10
|
+
s.summary = "Access-Handling for Rails-Apps"
|
|
11
11
|
s.description = <<-EOT
|
|
12
12
|
Security-Layer for Rails-Application acts like a firewall.
|
|
13
13
|
EOT
|
|
14
|
+
s.licenses = ["GPL-3.0-or-later"]
|
|
14
15
|
|
|
15
16
|
s.rubyforge_project = "tuersteher"
|
|
16
17
|
|
|
@@ -19,11 +20,12 @@ Gem::Specification.new do |s|
|
|
|
19
20
|
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
|
|
20
21
|
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
|
21
22
|
s.require_paths = ["lib"]
|
|
23
|
+
s.required_ruby_version = '> 2.5'
|
|
22
24
|
|
|
23
25
|
#s.add_runtime_dependency "i18n"
|
|
24
26
|
|
|
25
|
-
s.add_development_dependency "rake"
|
|
26
|
-
s.add_development_dependency "rspec", '
|
|
27
|
+
s.add_development_dependency "rake", '~> 10.5'
|
|
28
|
+
s.add_development_dependency "rspec", '~> 2.14'
|
|
27
29
|
|
|
28
30
|
end
|
|
29
31
|
|
metadata
CHANGED
|
@@ -1,65 +1,53 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: tuersteher
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 1.0.1
|
|
6
5
|
platform: ruby
|
|
7
6
|
authors:
|
|
8
7
|
- Bernd Ledig
|
|
9
8
|
autorequire:
|
|
10
9
|
bindir: bin
|
|
11
10
|
cert_chain: []
|
|
12
|
-
date:
|
|
11
|
+
date: 2020-02-06 00:00:00.000000000 Z
|
|
13
12
|
dependencies:
|
|
14
13
|
- !ruby/object:Gem::Dependency
|
|
15
14
|
name: rake
|
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
-
none: false
|
|
18
16
|
requirements:
|
|
19
|
-
- -
|
|
17
|
+
- - "~>"
|
|
20
18
|
- !ruby/object:Gem::Version
|
|
21
|
-
version: '
|
|
19
|
+
version: '10.5'
|
|
22
20
|
type: :development
|
|
23
21
|
prerelease: false
|
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
-
none: false
|
|
26
23
|
requirements:
|
|
27
|
-
- -
|
|
24
|
+
- - "~>"
|
|
28
25
|
- !ruby/object:Gem::Version
|
|
29
|
-
version: '
|
|
26
|
+
version: '10.5'
|
|
30
27
|
- !ruby/object:Gem::Dependency
|
|
31
28
|
name: rspec
|
|
32
29
|
requirement: !ruby/object:Gem::Requirement
|
|
33
|
-
none: false
|
|
34
30
|
requirements:
|
|
35
|
-
- -
|
|
31
|
+
- - "~>"
|
|
36
32
|
- !ruby/object:Gem::Version
|
|
37
|
-
version: '2.
|
|
38
|
-
- - <
|
|
39
|
-
- !ruby/object:Gem::Version
|
|
40
|
-
version: '3.0'
|
|
33
|
+
version: '2.14'
|
|
41
34
|
type: :development
|
|
42
35
|
prerelease: false
|
|
43
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
44
|
-
none: false
|
|
45
37
|
requirements:
|
|
46
|
-
- -
|
|
47
|
-
- !ruby/object:Gem::Version
|
|
48
|
-
version: '2.7'
|
|
49
|
-
- - <
|
|
38
|
+
- - "~>"
|
|
50
39
|
- !ruby/object:Gem::Version
|
|
51
|
-
version: '
|
|
52
|
-
description:
|
|
53
|
-
|
|
54
|
-
'
|
|
40
|
+
version: '2.14'
|
|
41
|
+
description: " Security-Layer for Rails-Application acts like a firewall.\n"
|
|
55
42
|
email:
|
|
56
43
|
- bernd@ledig.info
|
|
44
|
+
- bernd.ledig@ottogroup.com
|
|
57
45
|
executables: []
|
|
58
46
|
extensions: []
|
|
59
47
|
extra_rdoc_files:
|
|
60
48
|
- README.rdoc
|
|
61
49
|
files:
|
|
62
|
-
- .gitignore
|
|
50
|
+
- ".gitignore"
|
|
63
51
|
- Gemfile
|
|
64
52
|
- README.rdoc
|
|
65
53
|
- Rakefile
|
|
@@ -76,28 +64,28 @@ files:
|
|
|
76
64
|
- spec/spec.opts
|
|
77
65
|
- spec/spec_helper.rb
|
|
78
66
|
- tuersteher.gemspec
|
|
79
|
-
homepage:
|
|
80
|
-
licenses:
|
|
67
|
+
homepage: https://gitlab.com/bledig/tuersteher
|
|
68
|
+
licenses:
|
|
69
|
+
- GPL-3.0-or-later
|
|
70
|
+
metadata: {}
|
|
81
71
|
post_install_message:
|
|
82
72
|
rdoc_options: []
|
|
83
73
|
require_paths:
|
|
84
74
|
- lib
|
|
85
75
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
86
|
-
none: false
|
|
87
76
|
requirements:
|
|
88
|
-
- -
|
|
77
|
+
- - ">"
|
|
89
78
|
- !ruby/object:Gem::Version
|
|
90
|
-
version: '
|
|
79
|
+
version: '2.5'
|
|
91
80
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
92
|
-
none: false
|
|
93
81
|
requirements:
|
|
94
|
-
- -
|
|
82
|
+
- - ">="
|
|
95
83
|
- !ruby/object:Gem::Version
|
|
96
84
|
version: '0'
|
|
97
85
|
requirements: []
|
|
98
86
|
rubyforge_project: tuersteher
|
|
99
|
-
rubygems_version:
|
|
87
|
+
rubygems_version: 2.7.6.2
|
|
100
88
|
signing_key:
|
|
101
|
-
specification_version:
|
|
102
|
-
summary:
|
|
89
|
+
specification_version: 4
|
|
90
|
+
summary: Access-Handling for Rails-Apps
|
|
103
91
|
test_files: []
|