tuersteher 0.3.0 → 0.3.3

data/VERSION

@@ -1 +1 @@
-0.3.0
+0.3.3

data/lib/tuersteher.rb

@@ -37,30 +37,35 @@ module Tuersteher
 
     DEFAULT_RULES_CONFIG_FILE = 'access_rules.rb' # in config-dir
 
+    # private initializer why this class is a singleton
     def initialize
       @path_rules = []
       @model_rules = []
     end
 
+    # get all path_rules as array of PathAccessRule-Instances
     def path_rules
       read_rules unless @was_read
       @path_rules
     end
 
+    # get all model_rules as array of ModelAccessRule-Instances
     def model_rules
       read_rules unless @was_read
       @model_rules
     end
 
 
+    # evaluated rules_definitions and create path-/model-rules
     def eval_rules rules_definitions
       @path_rules = []
       @model_rules = []
       eval rules_definitions
+      @was_read = true
       Tuersteher::TLogger.logger.info "Tuersteher::AccessRulesStorage: #{@path_rules.size} path-rules and #{@model_rules.size} model-rules"
     end
 
-    # Laden der AccesRules aus den Dateien
+    # Load AccesRules from file
     #  config/access_rules.rb
     def read_rules
       @rules_config_file ||= File.join(Rails.root, 'config', DEFAULT_RULES_CONFIG_FILE)
@@ -74,7 +79,6 @@ module Tuersteher
       rules_file.close
       if content
         eval_rules content
-        @was_read = true
       end
     rescue => ex
       Tuersteher::TLogger.logger.error "Tuersteher::AccessRulesStorage - Error in rules: #{ex.message}\n\t"+ex.backtrace.join("\n\t")
@@ -106,12 +110,16 @@ module Tuersteher
       end
     end
 
+    # create new rule as grant-rule
+    # and add this to the model_rules array
     def grant
       rule = ModelAccessRule.new(@current_model_class)
       @model_rules << rule
       rule.grant
     end
 
+    # create new rule as deny-rule
+    # and add this to the model_rules array
     def deny
       rule = ModelAccessRule.new(@current_model_class)
       @model_rules << rule
@@ -122,62 +130,67 @@ module Tuersteher
 
 
   class AccessRules
-
-    # Pruefen Zugriff fuer eine Web-action
-    # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
-    # path        Pfad der Webresource (String)
-    # method      http-Methode (:get, :put, :delete, :post), default ist :get
-    #
-    def self.path_access?(user, path, method = :get)
-      rule = AccessRulesStorage.instance.path_rules.detect do |r|
-        r.fired?(path, method, user)
-      end
-      if Tuersteher::TLogger.logger.debug?
-        if rule.nil?
-          s = 'denied'
-        elsif rule.deny?
-          s = "denied with #{rule}"
-        else
-          s = "granted with #{rule}"
+    class << self
+      # Pruefen Zugriff fuer eine Web-action
+      # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
+      # path        Pfad der Webresource (String)
+      # method      http-Methode (:get, :put, :delete, :post), default ist :get
+      #
+      def path_access?(user, path, method = :get)
+        rule = AccessRulesStorage.instance.path_rules.detect do |r|
+          r.fired?(path, method, user)
         end
-        Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(#{path}, #{method})  =>  #{s}")
+        if Tuersteher::TLogger.logger.debug?
+          if rule.nil?
+            s = 'denied'
+          elsif rule.deny?
+            s = "denied with #{rule}"
+          else
+            s = "granted with #{rule}"
+          end
+          usr_id = user.respond_to?(:id) ? user.id : user.object_id
+          Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(user.id=#{usr_id}, path=#{path}, method=#{method})  =>  #{s}")
+        end
+        !(rule.nil? || rule.deny?)
       end
-      !(rule.nil? || rule.deny?)
-    end
 
 
-    # Pruefen Zugriff auf ein Model-Object
-    #
-    # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
-    # model       das Model-Object
-    # permission  das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
-    #
-    # liefert true/false
-    def self.model_access? user, model, permission
-      raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
-      return false unless model
+      # Pruefen Zugriff auf ein Model-Object
+      #
+      # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
+      # model       das Model-Object
+      # permission  das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
+      #
+      # liefert true/false
+      def model_access? user, model, permission
+        raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
+        return false unless model
 
-      rule = AccessRulesStorage.instance.model_rules.detect do |rule|
-        rule.fired? model, permission, user
-      end
-      access = rule && !rule.deny?
-      if Tuersteher::TLogger.logger.debug?
-        if model.instance_of?(Class)
-          Tuersteher::TLogger.logger.debug("Tuersteher: model_access?(#{model}, #{permission}) =>  #{access || 'denied'} #{rule}")
-        else
-          Tuersteher::TLogger.logger.debug("Tuersteher: model_access?(#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), #{permission}) =>  #{access || 'denied'} #{rule}")
+        rule = AccessRulesStorage.instance.model_rules.detect do |rule|
+          rule.fired? model, permission, user
+        end
+        access = rule && !rule.deny?
+        if Tuersteher::TLogger.logger.debug?
+          usr_id = user.respond_to?(:id) ? user.id : user.object_id
+          if model.instance_of?(Class)
+            Tuersteher::TLogger.logger.debug(
+              "Tuersteher: model_access?(user.id=#{usr_id}, model=#{model}, permission=#{permission}) =>  #{access || 'denied'} #{rule}")
+          else
+            Tuersteher::TLogger.logger.debug(
+              "Tuersteher: model_access?(user.id=#{usr_id}, model=#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), permission=#{permission}) =>  #{access || 'denied'} #{rule}")
+          end
         end
+        access
       end
-      access
-    end
 
-    # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
-    # wo der angegebene User nicht das angegebene Recht hat
-    #
-    # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
-    def self.purge_collection user, collection, permission
-      collection.select{|model| model_access?(user, model, permission)}
-    end
+      # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
+      # wo der angegebene User nicht das angegebene Recht hat
+      #
+      # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
+      def purge_collection user, collection, permission
+        collection.select{|model| model_access?(user, model, permission)}
+      end
+    end # of Class-Methods
   end # of AccessRules
 
 
@@ -224,7 +237,7 @@ module Tuersteher
     # wo der akt. User nicht das angegebene Recht hat
     #
     # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
-    def self.purge_collection collection, permission
+    def purge_collection collection, permission
       AccessRules.purge_collection(current_user, collection, permission)
     end
 
@@ -248,10 +261,14 @@ module Tuersteher
       # Rails3 hat andere url-path-methode
       @@url_path_method ||= Rails.version[0..1]=='3.' ? :fullpath : :request_uri
 
+      # bind current_user on the current thread
+      Thread.current[:user] = current_user
+
       req_method = request.method.downcase.to_sym
       url_path = request.send(@@url_path_method)
       unless path_access?(url_path, req_method)
-        msg = "Tuersteher#check_access: access denied for #{request.request_uri} :#{req_method}"
+        usr_id = current_user.respond_to?(:id) ? current_user.id : current_user.object_id
+        msg = "Tuersteher#check_access: access denied for #{request.request_uri} :#{req_method} user.id=#{usr_id}"
         Tuersteher::TLogger.logger.warn msg
         logger.warn msg  # log message also for Rails-Default logger
         access_denied  # Methode aus dem authenticated_system, welche ein redirect zum login auslöst
@@ -261,6 +278,55 @@ module Tuersteher
   end
 
 
+
+  # Module for include in Model-Object-Classes
+  #
+  # The module get the current-user from Thread.current[:user]
+  #
+  # Sample for ActiveRecord-Class
+  #   class Sample < ActiveRecord::Base
+  #    include Tuersteher::ModelExtensions
+  #
+  #     def transfer_to account
+  #       check_model_access :transfer # raise a exception if not allowed
+  #       ....
+  #     end
+  #
+  #
+  module ModelExtensions
+
+    # Check permission for the Model-Object
+    #
+    # permission  the requested permission (sample :create, :update, :destroy, :get)
+    #
+    # raise a SecurityError-Exception if access denied
+    def check_access permission
+      user = Thread.current[:user]
+      unless AccessRules.model_access? user, self, permission
+        raise SecurityError, "Access denied! Current user have no permission '#{permission}' on Model-Object #{self}."
+      end
+    end
+
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    module ClassMethods
+
+      # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
+      # wo der akt. User nicht das angegebene Recht hat
+      #
+      # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
+      def purge_collection collection, permission
+        user = Thread.current[:user]
+        AccessRules.purge_collection(user, collection, permission)
+      end
+    end # of ClassMethods
+
+  end # of module ModelExtensions
+
+
+
   # Astracte base class for Access-Rules
   class BaseAccessRule
 
@@ -275,26 +341,33 @@ module Tuersteher
       self
     end
 
-
-    def extension method_name, methode_parameter=nil
+    # add extension-definition
+    # parmaters:
+    #   method_name:      Symbol with the name of the method to call for addional check
+    #   expected_value:   optional expected value for the result of the with metho_name specified method, defalt is true
+    def extension method_name, expected_value=nil
       @check_extensions ||= {}
-      @check_extensions[method_name] = methode_parameter
+      @check_extensions[method_name] = expected_value
       self
     end
 
+    # mark this rule as grant-rule
     def grant
       self
     end
 
+    # mark this rule as deny-rule
     def deny
       @deny = true
       self
     end
 
+    # is this rule a deny-rule
     def deny?
       @deny
     end
 
+    # negate role-membership
     def not
       @not = true
       self
@@ -302,6 +375,7 @@ module Tuersteher
 
     protected
 
+    # check, if this rule granted for specified user
     def grant_role? user
       return true if @roles.empty?
       return false if user.nil?
@@ -384,6 +458,7 @@ module Tuersteher
 
     private
 
+    # check, if this rule grant the defined extension (if exist)
     def grant_extension? user
       return true if @check_extensions.nil?
       return false if user.nil?  # check_extensions need a user
@@ -426,7 +501,7 @@ module Tuersteher
       @clazz = clazz.instance_of?(Symbol) ? clazz : clazz.to_s
     end
 
-
+    # set the permission-name
     def permission permission_name
       @permission = permission_name
       self
@@ -445,7 +520,6 @@ module Tuersteher
     #
     def fired? model, perm, user
       user = nil if user==:false # manche Authenticate-System setzen den user auf :false
-      debugger
       m_class = model.instance_of?(Class) ? model : model.class
       if @clazz!=m_class.to_s && @clazz!=:all
         #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@clazz}!=#{model.class.to_s} && #{@clazz}!=:all")
@@ -471,6 +545,7 @@ module Tuersteher
 
     private
 
+    # check, if this rule grant the defined extension (if exist)
     def grant_extension? user, model
       return true if @check_extensions.nil?
       return false if model.nil?  # check_extensions need a model
@@ -491,5 +566,4 @@ module Tuersteher
 
   end
 
-
 end

data/spec/model_access_rule_spec.rb

@@ -35,7 +35,7 @@ module Tuersteher
           @user.stub(:has_role?).and_return(false)
         end
 
-        it "should not be fired for String-Object and access-type :read" do
+        specify do
           @rule.fired?("test", :read, @user).should_not be_true
         end
       end

data/spec/model_extensions_spec.rb

@@ -0,0 +1,58 @@
+require "spec_helper"
+
+module Tuersteher
+
+  describe ModelExtensions do
+
+    class SampleModel
+      include ModelExtensions
+
+      def deactived
+        check_access :deactived
+      end
+    end
+
+
+    before do
+      rules = [ModelAccessRule.new(SampleModel).grant.permission(:deactived).role(:admin)]
+      AccessRulesStorage.instance.stub(:model_rules).and_return(rules)
+      @user = stub('user')
+      Thread.current[:user] = @user
+    end
+
+
+    context "check_access" do
+
+      it "should not raise a Error for user with role :admin" do
+        @user.stub(:has_role?){|role| role==:admin}
+        model = SampleModel.new
+        model.deactived
+      end
+
+      it "should raise a SecurityError for user with not role :admin" do
+        @user.stub(:has_role?){|role| role==:user}
+        model = SampleModel.new
+        expect{ model.deactived }.to raise_error(SecurityError)
+      end
+
+    end # of context "grant with roles"
+
+
+    context "purge_collection" do
+
+      it "should purge nothing for user with role :admin" do
+        @user.stub(:has_role?){|role| role==:admin}
+        list = [SampleModel.new]
+        SampleModel.purge_collection(list, :deactived).should == list
+      end
+
+      it "should purge all for user with not role :admin" do
+        @user.stub(:has_role?){|role| role==:user}
+        list = [SampleModel.new]
+        SampleModel.purge_collection(list, :deactived).should == []
+      end
+
+    end # of  context "purge_collection"
+  end
+end
+

data/spec/spec_helper.rb

@@ -4,3 +4,4 @@ require File.expand_path(File.dirname(__FILE__) + "/../lib/tuersteher")
 
 # Logger auf stdout stellen
 Tuersteher::TLogger.logger = Logger.new(STDOUT)
+Tuersteher::TLogger.logger.level = Logger::ERROR

data/tuersteher.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{tuersteher}
-  s.version = "0.3.0"
+  s.version = "0.3.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Bernd Ledig"]
-  s.date = %q{2010-08-30}
+  s.date = %q{2010-09-01}
   s.description = %q{Security-Layer for Rails-Application acts like a firewall.}
   s.email = %q{bernd@ledig.info}
   s.extra_rdoc_files = [
@@ -29,6 +29,7 @@ Gem::Specification.new do |s|
      "spec/acces_rules_storage_spec.rb",
      "spec/access_rules_spec.rb",
      "spec/model_access_rule_spec.rb",
+     "spec/model_extensions_spec.rb",
      "spec/path_access_rule_spec.rb",
      "spec/spec.opts",
      "spec/spec_helper.rb",
@@ -40,11 +41,12 @@ Gem::Specification.new do |s|
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Security-Layer for Rails-Application}
   s.test_files = [
-    "spec/acces_rules_storage_spec.rb",
-     "spec/path_access_rule_spec.rb",
+    "spec/path_access_rule_spec.rb",
      "spec/model_access_rule_spec.rb",
-     "spec/access_rules_spec.rb",
-     "spec/spec_helper.rb"
+     "spec/model_extensions_spec.rb",
+     "spec/acces_rules_storage_spec.rb",
+     "spec/spec_helper.rb",
+     "spec/access_rules_spec.rb"
   ]
 
   if s.respond_to? :specification_version then

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: tuersteher
 version: !ruby/object:Gem::Version 
-  hash: 19
+  hash: 21
   prerelease: false
   segments: 
   - 0
   - 3
-  - 0
-  version: 0.3.0
+  - 3
+  version: 0.3.3
 platform: ruby
 authors: 
 - Bernd Ledig
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-08-30 00:00:00 +02:00
+date: 2010-09-01 00:00:00 +02:00
 default_executable: 
 dependencies: []
 
@@ -41,6 +41,7 @@ files:
 - spec/acces_rules_storage_spec.rb
 - spec/access_rules_spec.rb
 - spec/model_access_rule_spec.rb
+- spec/model_extensions_spec.rb
 - spec/path_access_rule_spec.rb
 - spec/spec.opts
 - spec/spec_helper.rb
@@ -80,8 +81,9 @@ signing_key:
 specification_version: 3
 summary: Security-Layer for Rails-Application
 test_files: 
-- spec/acces_rules_storage_spec.rb
 - spec/path_access_rule_spec.rb
 - spec/model_access_rule_spec.rb
-- spec/access_rules_spec.rb
+- spec/model_extensions_spec.rb
+- spec/acces_rules_storage_spec.rb
 - spec/spec_helper.rb
+- spec/access_rules_spec.rb