RubyGems - tuersteher - Versions diffs - 0.3.0 → 0.3.3 - Mend

tuersteher 0.3.0 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/VERSION +1 -1
data/lib/tuersteher.rb +132 -58
data/spec/model_access_rule_spec.rb +1 -1
data/spec/model_extensions_spec.rb +58 -0
data/spec/spec_helper.rb +1 -0
data/tuersteher.gemspec +8 -6
metadata +8 -6

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.3.0
1	+ 0.3.3

data/lib/tuersteher.rb CHANGED Viewed

@@ -37,30 +37,35 @@ module Tuersteher
     DEFAULT_RULES_CONFIG_FILE = 'access_rules.rb' # in config-dir
+    # private initializer why this class is a singleton
     def initialize
       @path_rules = []
       @model_rules = []
     end
+    # get all path_rules as array of PathAccessRule-Instances
     def path_rules
       read_rules unless @was_read
       @path_rules
     end
+    # get all model_rules as array of ModelAccessRule-Instances
     def model_rules
       read_rules unless @was_read
       @model_rules
     end
+    # evaluated rules_definitions and create path-/model-rules
     def eval_rules rules_definitions
       @path_rules = []
       @model_rules = []
       eval rules_definitions
+      @was_read = true
       Tuersteher::TLogger.logger.info "Tuersteher::AccessRulesStorage: #{@path_rules.size} path-rules and #{@model_rules.size} model-rules"
     end
-    # Laden der AccesRules aus den Dateien
+    # Load AccesRules from file
     #  config/access_rules.rb
     def read_rules
       @rules_config_file ||= File.join(Rails.root, 'config', DEFAULT_RULES_CONFIG_FILE)
@@ -74,7 +79,6 @@ module Tuersteher
       rules_file.close
       if content
         eval_rules content
-        @was_read = true
       end
     rescue => ex
       Tuersteher::TLogger.logger.error "Tuersteher::AccessRulesStorage - Error in rules: #{ex.message}\n\t"+ex.backtrace.join("\n\t")
@@ -106,12 +110,16 @@ module Tuersteher
       end
     end
+    # create new rule as grant-rule
+    # and add this to the model_rules array
     def grant
       rule = ModelAccessRule.new(@current_model_class)
       @model_rules << rule
       rule.grant
     end
+    # create new rule as deny-rule
+    # and add this to the model_rules array
     def deny
       rule = ModelAccessRule.new(@current_model_class)
       @model_rules << rule
@@ -122,62 +130,67 @@ module Tuersteher
   class AccessRules
-    # Pruefen Zugriff fuer eine Web-action
-    # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
-    # path        Pfad der Webresource (String)
-    # method      http-Methode (:get, :put, :delete, :post), default ist :get
-    #
-    def self.path_access?(user, path, method = :get)
-      rule = AccessRulesStorage.instance.path_rules.detect do |r|
-        r.fired?(path, method, user)
-      end
-      if Tuersteher::TLogger.logger.debug?
-        if rule.nil?
-          s = 'denied'
-        elsif rule.deny?
-          s = "denied with #{rule}"
-        else
-          s = "granted with #{rule}"
+    class << self
+      # Pruefen Zugriff fuer eine Web-action
+      # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
+      # path        Pfad der Webresource (String)
+      # method      http-Methode (:get, :put, :delete, :post), default ist :get
+      #
+      def path_access?(user, path, method = :get)
+        rule = AccessRulesStorage.instance.path_rules.detect do |r|
+          r.fired?(path, method, user)
         end
-        Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(#{path}, #{method})  =>  #{s}")
+        if Tuersteher::TLogger.logger.debug?
+          if rule.nil?
+            s = 'denied'
+          elsif rule.deny?
+            s = "denied with #{rule}"
+          else
+            s = "granted with #{rule}"
+          end
+          usr_id = user.respond_to?(:id) ? user.id : user.object_id
+          Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(user.id=#{usr_id}, path=#{path}, method=#{method})  =>  #{s}")
+        end
+        !(rule.nil? || rule.deny?)
       end
-      !(rule.nil? || rule.deny?)
-    end
-    # Pruefen Zugriff auf ein Model-Object
-    #
-    # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
-    # model       das Model-Object
-    # permission  das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
-    #
-    # liefert true/false
-    def self.model_access? user, model, permission
-      raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
-      return false unless model
+      # Pruefen Zugriff auf ein Model-Object
+      #
+      # user        User, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
+      # model       das Model-Object
+      # permission  das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
+      #
+      # liefert true/false
+      def model_access? user, model, permission
+        raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
+        return false unless model
-      rule = AccessRulesStorage.instance.model_rules.detect do |rule|
-        rule.fired? model, permission, user
-      end
-      access = rule && !rule.deny?
-      if Tuersteher::TLogger.logger.debug?
-        if model.instance_of?(Class)
-          Tuersteher::TLogger.logger.debug("Tuersteher: model_access?(#{model}, #{permission}) =>  #{access || 'denied'} #{rule}")
-        else
-          Tuersteher::TLogger.logger.debug("Tuersteher: model_access?(#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), #{permission}) =>  #{access || 'denied'} #{rule}")
+        rule = AccessRulesStorage.instance.model_rules.detect do |rule|
+          rule.fired? model, permission, user
+        end
+        access = rule && !rule.deny?
+        if Tuersteher::TLogger.logger.debug?
+          usr_id = user.respond_to?(:id) ? user.id : user.object_id
+          if model.instance_of?(Class)
+            Tuersteher::TLogger.logger.debug(
+              "Tuersteher: model_access?(user.id=#{usr_id}, model=#{model}, permission=#{permission}) =>  #{access || 'denied'} #{rule}")
+          else
+            Tuersteher::TLogger.logger.debug(
+              "Tuersteher: model_access?(user.id=#{usr_id}, model=#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), permission=#{permission}) =>  #{access || 'denied'} #{rule}")
+          end
         end
+        access
       end
-      access
-    end
-    # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
-    # wo der angegebene User nicht das angegebene Recht hat
-    #
-    # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
-    def self.purge_collection user, collection, permission
-      collection.select{|model| model_access?(user, model, permission)}
-    end
+      # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
+      # wo der angegebene User nicht das angegebene Recht hat
+      #
+      # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
+      def purge_collection user, collection, permission
+        collection.select{|model| model_access?(user, model, permission)}
+      end
+    end # of Class-Methods
   end # of AccessRules
@@ -224,7 +237,7 @@ module Tuersteher
     # wo der akt. User nicht das angegebene Recht hat
     #
     # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
-    def self.purge_collection collection, permission
+    def purge_collection collection, permission
       AccessRules.purge_collection(current_user, collection, permission)
     end
@@ -248,10 +261,14 @@ module Tuersteher
       # Rails3 hat andere url-path-methode
       @@url_path_method ||= Rails.version[0..1]=='3.' ? :fullpath : :request_uri
+      # bind current_user on the current thread
+      Thread.current[:user] = current_user
       req_method = request.method.downcase.to_sym
       url_path = request.send(@@url_path_method)
       unless path_access?(url_path, req_method)
-        msg = "Tuersteher#check_access: access denied for #{request.request_uri} :#{req_method}"
+        usr_id = current_user.respond_to?(:id) ? current_user.id : current_user.object_id
+        msg = "Tuersteher#check_access: access denied for #{request.request_uri} :#{req_method} user.id=#{usr_id}"
         Tuersteher::TLogger.logger.warn msg
         logger.warn msg  # log message also for Rails-Default logger
         access_denied  # Methode aus dem authenticated_system, welche ein redirect zum login auslöst
@@ -261,6 +278,55 @@ module Tuersteher
   end
+  # Module for include in Model-Object-Classes
+  #
+  # The module get the current-user from Thread.current[:user]
+  #
+  # Sample for ActiveRecord-Class
+  #   class Sample < ActiveRecord::Base
+  #    include Tuersteher::ModelExtensions
+  #
+  #     def transfer_to account
+  #       check_model_access :transfer # raise a exception if not allowed
+  #       ....
+  #     end
+  #
+  #
+  module ModelExtensions
+    # Check permission for the Model-Object
+    #
+    # permission  the requested permission (sample :create, :update, :destroy, :get)
+    #
+    # raise a SecurityError-Exception if access denied
+    def check_access permission
+      user = Thread.current[:user]
+      unless AccessRules.model_access? user, self, permission
+        raise SecurityError, "Access denied! Current user have no permission '#{permission}' on Model-Object #{self}."
+      end
+    end
+    def self.included(base)
+      base.extend ClassMethods
+    end
+    module ClassMethods
+      # Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
+      # wo der akt. User nicht das angegebene Recht hat
+      #
+      # liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
+      def purge_collection collection, permission
+        user = Thread.current[:user]
+        AccessRules.purge_collection(user, collection, permission)
+      end
+    end # of ClassMethods
+  end # of module ModelExtensions
   # Astracte base class for Access-Rules
   class BaseAccessRule
@@ -275,26 +341,33 @@ module Tuersteher
       self
     end
-    def extension method_name, methode_parameter=nil
+    # add extension-definition
+    # parmaters:
+    #   method_name:      Symbol with the name of the method to call for addional check
+    #   expected_value:   optional expected value for the result of the with metho_name specified method, defalt is true
+    def extension method_name, expected_value=nil
       @check_extensions ||= {}
-      @check_extensions[method_name] = methode_parameter
+      @check_extensions[method_name] = expected_value
       self
     end
+    # mark this rule as grant-rule
     def grant
       self
     end
+    # mark this rule as deny-rule
     def deny
       @deny = true
       self
     end
+    # is this rule a deny-rule
     def deny?
       @deny
     end
+    # negate role-membership
     def not
       @not = true
       self
@@ -302,6 +375,7 @@ module Tuersteher
     protected
+    # check, if this rule granted for specified user
     def grant_role? user
       return true if @roles.empty?
       return false if user.nil?
@@ -384,6 +458,7 @@ module Tuersteher
     private
+    # check, if this rule grant the defined extension (if exist)
     def grant_extension? user
       return true if @check_extensions.nil?
       return false if user.nil?  # check_extensions need a user
@@ -426,7 +501,7 @@ module Tuersteher
       @clazz = clazz.instance_of?(Symbol) ? clazz : clazz.to_s
     end
+    # set the permission-name
     def permission permission_name
       @permission = permission_name
       self
@@ -445,7 +520,6 @@ module Tuersteher
     #
     def fired? model, perm, user
       user = nil if user==:false # manche Authenticate-System setzen den user auf :false
-      debugger
       m_class = model.instance_of?(Class) ? model : model.class
       if @clazz!=m_class.to_s && @clazz!=:all
         #Tuersteher::TLogger.logger.debug("#{to_s}.has_access? => false why #{@clazz}!=#{model.class.to_s} && #{@clazz}!=:all")
@@ -471,6 +545,7 @@ module Tuersteher
     private
+    # check, if this rule grant the defined extension (if exist)
     def grant_extension? user, model
       return true if @check_extensions.nil?
       return false if model.nil?  # check_extensions need a model
@@ -491,5 +566,4 @@ module Tuersteher
   end
 end

data/spec/model_access_rule_spec.rb CHANGED Viewed

@@ -35,7 +35,7 @@ module Tuersteher
           @user.stub(:has_role?).and_return(false)
         end
-        it "should not be fired for String-Object and access-type :read" do
+        specify do
           @rule.fired?("test", :read, @user).should_not be_true
         end
       end

data/spec/model_extensions_spec.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require "spec_helper"
+module Tuersteher
+  describe ModelExtensions do
+    class SampleModel
+      include ModelExtensions
+      def deactived
+        check_access :deactived
+      end
+    end
+    before do
+      rules = [ModelAccessRule.new(SampleModel).grant.permission(:deactived).role(:admin)]
+      AccessRulesStorage.instance.stub(:model_rules).and_return(rules)
+      @user = stub('user')
+      Thread.current[:user] = @user
+    end
+    context "check_access" do
+      it "should not raise a Error for user with role :admin" do
+        @user.stub(:has_role?){|role| role==:admin}
+        model = SampleModel.new
+        model.deactived
+      end
+      it "should raise a SecurityError for user with not role :admin" do
+        @user.stub(:has_role?){|role| role==:user}
+        model = SampleModel.new
+        expect{ model.deactived }.to raise_error(SecurityError)
+      end
+    end # of context "grant with roles"
+    context "purge_collection" do
+      it "should purge nothing for user with role :admin" do
+        @user.stub(:has_role?){|role| role==:admin}
+        list = [SampleModel.new]
+        SampleModel.purge_collection(list, :deactived).should == list
+      end
+      it "should purge all for user with not role :admin" do
+        @user.stub(:has_role?){|role| role==:user}
+        list = [SampleModel.new]
+        SampleModel.purge_collection(list, :deactived).should == []
+      end
+    end # of  context "purge_collection"
+  end
+end

data/spec/spec_helper.rb CHANGED Viewed

@@ -4,3 +4,4 @@ require File.expand_path(File.dirname(__FILE__) + "/../lib/tuersteher")
 # Logger auf stdout stellen
 Tuersteher::TLogger.logger = Logger.new(STDOUT)
+Tuersteher::TLogger.logger.level = Logger::ERROR

data/tuersteher.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = %q{tuersteher}
-  s.version = "0.3.0"
+  s.version = "0.3.3"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Bernd Ledig"]
-  s.date = %q{2010-08-30}
+  s.date = %q{2010-09-01}
   s.description = %q{Security-Layer for Rails-Application acts like a firewall.}
   s.email = %q{bernd@ledig.info}
   s.extra_rdoc_files = [
@@ -29,6 +29,7 @@ Gem::Specification.new do |s|
      "spec/acces_rules_storage_spec.rb",
      "spec/access_rules_spec.rb",
      "spec/model_access_rule_spec.rb",
+     "spec/model_extensions_spec.rb",
      "spec/path_access_rule_spec.rb",
      "spec/spec.opts",
      "spec/spec_helper.rb",
@@ -40,11 +41,12 @@ Gem::Specification.new do |s|
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Security-Layer for Rails-Application}
   s.test_files = [
-    "spec/acces_rules_storage_spec.rb",
-     "spec/path_access_rule_spec.rb",
+    "spec/path_access_rule_spec.rb",
      "spec/model_access_rule_spec.rb",
-     "spec/access_rules_spec.rb",
-     "spec/spec_helper.rb"
+     "spec/model_extensions_spec.rb",
+     "spec/acces_rules_storage_spec.rb",
+     "spec/spec_helper.rb",
+     "spec/access_rules_spec.rb"
   ]
   if s.respond_to? :specification_version then

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: tuersteher
 version: !ruby/object:Gem::Version
-  hash: 19
+  hash: 21
   prerelease: false
   segments:
   - 0
   - 3
-  - 0
-  version: 0.3.0
+  - 3
+  version: 0.3.3
 platform: ruby
 authors:
 - Bernd Ledig
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-08-30 00:00:00 +02:00
+date: 2010-09-01 00:00:00 +02:00
 default_executable:
 dependencies: []
@@ -41,6 +41,7 @@ files:
 - spec/acces_rules_storage_spec.rb
 - spec/access_rules_spec.rb
 - spec/model_access_rule_spec.rb
+- spec/model_extensions_spec.rb
 - spec/path_access_rule_spec.rb
 - spec/spec.opts
 - spec/spec_helper.rb
@@ -80,8 +81,9 @@ signing_key:
 specification_version: 3
 summary: Security-Layer for Rails-Application
 test_files:
-- spec/acces_rules_storage_spec.rb
 - spec/path_access_rule_spec.rb
 - spec/model_access_rule_spec.rb
-- spec/access_rules_spec.rb
+- spec/model_extensions_spec.rb
+- spec/acces_rules_storage_spec.rb
 - spec/spec_helper.rb
+- spec/access_rules_spec.rb