tuersteher 0.7.2 → 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/lib/tuersteher.rb +39 -44
- data/tuersteher.gemspec +8 -6
- metadata +23 -35
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 6c9a87b5dd44b07d9d007776268488b17bc54eac69e7b2ca9c34ead5dd9e5ca7
|
|
4
|
+
data.tar.gz: e899723582f2090efd837a7a2d308d40c2cbc43a089ca0b8a6dcd4a6fe1e3de4
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: eb765c3d95fcbd938c675e0396128aead6cfd81f5cfa037cec31e04a188ae8f7e6bbae7f9fa6113066e6e685e5679f37e3b7377e4ff5bad08f33a3f7a3e83a96
|
|
7
|
+
data.tar.gz: 71893a402e3327ecd40c9b2e2d9932da4df596c328ad0ce7d91fe469203e629c0b79b64fde50b3b0ba500befe5e378eaeb0d4f07bb1dccf806239745b58e44a5
|
data/lib/tuersteher.rb
CHANGED
|
@@ -194,13 +194,13 @@ module Tuersteher
|
|
|
194
194
|
class << self
|
|
195
195
|
|
|
196
196
|
# Pruefen Zugriff fuer eine Web-action
|
|
197
|
-
#
|
|
198
|
-
# path
|
|
199
|
-
# method
|
|
197
|
+
# @param login_contex Login-Contex, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
|
|
198
|
+
# @param path Pfad der Webresource (String)
|
|
199
|
+
# @param method http-Methode (:get, :put, :delete, :post), default ist :get
|
|
200
200
|
#
|
|
201
|
-
def path_access?(
|
|
201
|
+
def path_access?(login_contex, path, method = :get)
|
|
202
202
|
rule = AccessRulesStorage.instance.path_rules.detect do |r|
|
|
203
|
-
r.fired?(path, method,
|
|
203
|
+
r.fired?(path, method, login_contex)
|
|
204
204
|
end
|
|
205
205
|
if Tuersteher::TLogger.logger.debug?
|
|
206
206
|
if rule.nil?
|
|
@@ -208,8 +208,8 @@ module Tuersteher
|
|
|
208
208
|
else
|
|
209
209
|
s = "fired with #{rule}"
|
|
210
210
|
end
|
|
211
|
-
|
|
212
|
-
Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(
|
|
211
|
+
lc_id = login_contex && login_contex.respond_to?(:id) ? login_contex.id : login_contex.object_id
|
|
212
|
+
Tuersteher::TLogger.logger.debug("Tuersteher: path_access?(login_contex.id=#{lc_id}, path=#{path}, method=#{method}) => #{s}")
|
|
213
213
|
end
|
|
214
214
|
!(rule.nil? || rule.deny?)
|
|
215
215
|
end
|
|
@@ -217,38 +217,38 @@ module Tuersteher
|
|
|
217
217
|
|
|
218
218
|
# Pruefen Zugriff auf ein Model-Object
|
|
219
219
|
#
|
|
220
|
-
#
|
|
221
|
-
# model
|
|
222
|
-
# permission
|
|
220
|
+
# @param login_contex Login-Contex, für den der Zugriff geprüft werden soll (muss Methode has_role? haben)
|
|
221
|
+
# @param model das Model-Object
|
|
222
|
+
# @param permission das geforderte Zugriffsrecht (:create, :update, :destroy, :get)
|
|
223
223
|
#
|
|
224
224
|
# liefert true/false
|
|
225
|
-
def model_access?
|
|
225
|
+
def model_access? login_contex, model, permission
|
|
226
226
|
raise "Wrong call! Use: model_access(model-instance-or-class, permission)" unless permission.is_a? Symbol
|
|
227
227
|
return false unless model
|
|
228
228
|
|
|
229
229
|
rule = AccessRulesStorage.instance.model_rules.detect do |rule|
|
|
230
|
-
rule.fired? model, permission,
|
|
230
|
+
rule.fired? model, permission, login_contex
|
|
231
231
|
end
|
|
232
232
|
access = rule && !rule.deny?
|
|
233
233
|
if Tuersteher::TLogger.logger.debug?
|
|
234
|
-
|
|
234
|
+
lc_id = login_contex && login_contex.respond_to?(:id) ? login_contex.id : login_contex.object_id
|
|
235
235
|
if model.instance_of?(Class)
|
|
236
236
|
Tuersteher::TLogger.logger.debug(
|
|
237
|
-
"Tuersteher: model_access?(
|
|
237
|
+
"Tuersteher: model_access?(login_contex.id=#{lc_id}, model=#{model}, permission=#{permission}) => #{access || 'denied'} #{rule}")
|
|
238
238
|
else
|
|
239
239
|
Tuersteher::TLogger.logger.debug(
|
|
240
|
-
"Tuersteher: model_access?(
|
|
240
|
+
"Tuersteher: model_access?(login_contex.id=#{lc_id}, model=#{model.class}(#{model.respond_to?(:id) ? model.id : model.object_id }), permission=#{permission}) => #{access || 'denied'} #{rule}")
|
|
241
241
|
end
|
|
242
242
|
end
|
|
243
243
|
access
|
|
244
244
|
end
|
|
245
245
|
|
|
246
246
|
# Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
|
|
247
|
-
# wo der angegebene
|
|
247
|
+
# wo der angegebene login_contex nicht das angegebene Recht hat
|
|
248
248
|
#
|
|
249
249
|
# liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
|
|
250
|
-
def purge_collection
|
|
251
|
-
collection.select{|model| model_access?(
|
|
250
|
+
def purge_collection login_contex, collection, permission
|
|
251
|
+
collection.select{|model| model_access?(login_contex, model, permission)}
|
|
252
252
|
end
|
|
253
253
|
end # of Class-Methods
|
|
254
254
|
end # of AccessRules
|
|
@@ -258,10 +258,10 @@ module Tuersteher
|
|
|
258
258
|
# Module zum Include in Controllers
|
|
259
259
|
# Dieser muss die folgenden Methoden bereitstellen:
|
|
260
260
|
#
|
|
261
|
-
#
|
|
261
|
+
# login_contex : akt. Login-Contex
|
|
262
262
|
# access_denied : Methode aus dem authenticated_system, welche ein redirect zum login auslöst
|
|
263
263
|
#
|
|
264
|
-
# Der
|
|
264
|
+
# Der Loginlogin_contex muss fuer die hier benoetigte Funktionalitaet
|
|
265
265
|
# die Methode:
|
|
266
266
|
# has_role?(role) # role the Name of the Role as Symbol
|
|
267
267
|
# besitzen.
|
|
@@ -272,15 +272,13 @@ module Tuersteher
|
|
|
272
272
|
#
|
|
273
273
|
module ControllerExtensions
|
|
274
274
|
|
|
275
|
-
@@url_path_method = nil
|
|
276
|
-
|
|
277
275
|
# Pruefen Zugriff fuer eine Web-action
|
|
278
276
|
#
|
|
279
277
|
# path Pfad der Webresource (String)
|
|
280
278
|
# method http-Methode (:get, :put, :delete, :post), default ist :get
|
|
281
279
|
#
|
|
282
280
|
def path_access?(path, method = :get)
|
|
283
|
-
AccessRules.path_access?
|
|
281
|
+
AccessRules.path_access? login_contex, path, method
|
|
284
282
|
end
|
|
285
283
|
|
|
286
284
|
# Pruefen Zugriff auf ein Model-Object
|
|
@@ -290,15 +288,15 @@ module Tuersteher
|
|
|
290
288
|
#
|
|
291
289
|
# liefert true/false
|
|
292
290
|
def model_access? model, permission
|
|
293
|
-
AccessRules.model_access?
|
|
291
|
+
AccessRules.model_access? login_contex, model, permission
|
|
294
292
|
end
|
|
295
293
|
|
|
296
294
|
# Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
|
|
297
|
-
# wo der akt.
|
|
295
|
+
# wo der akt. login_contex nicht das angegebene Recht hat
|
|
298
296
|
#
|
|
299
297
|
# liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
|
|
300
298
|
def purge_collection collection, permission
|
|
301
|
-
AccessRules.purge_collection(
|
|
299
|
+
AccessRules.purge_collection(login_contex, collection, permission)
|
|
302
300
|
end
|
|
303
301
|
|
|
304
302
|
|
|
@@ -311,7 +309,7 @@ module Tuersteher
|
|
|
311
309
|
|
|
312
310
|
protected
|
|
313
311
|
|
|
314
|
-
# Pruefen, ob Zugriff des
|
|
312
|
+
# Pruefen, ob Zugriff des login_contex
|
|
315
313
|
# fuer aktullen Request erlaubt ist
|
|
316
314
|
def check_access
|
|
317
315
|
|
|
@@ -325,21 +323,18 @@ module Tuersteher
|
|
|
325
323
|
ar_storage.read_rules
|
|
326
324
|
end
|
|
327
325
|
|
|
328
|
-
#
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
# bind current_user on the current thread
|
|
332
|
-
Thread.current[:user] = current_user
|
|
326
|
+
# bind login_contex on the current thread
|
|
327
|
+
Thread.current[:login_contex] = login_contex
|
|
333
328
|
|
|
334
329
|
req_method = request.method
|
|
335
330
|
req_method = req_method.downcase.to_sym if req_method.is_a?(String)
|
|
336
|
-
url_path = request.
|
|
331
|
+
url_path = request.fullpath
|
|
337
332
|
unless path_access?(url_path, req_method)
|
|
338
|
-
|
|
339
|
-
msg = "Tuersteher#check_access: access denied for #{url_path} :#{req_method}
|
|
333
|
+
lc_id = login_contex && login_contex.respond_to?(:id) ? login_contex.id : login_contex.object_id
|
|
334
|
+
msg = "Tuersteher#check_access: access denied for #{url_path} :#{req_method} login_contex.id=#{lc_id}"
|
|
340
335
|
Tuersteher::TLogger.logger.warn msg
|
|
341
336
|
logger.warn msg # log message also for Rails-Default logger
|
|
342
|
-
access_denied # Methode aus dem authenticated_system, welche ein redirect zum login auslöst
|
|
337
|
+
access_denied # Methode aus dem authenticated_system, welche z.B. ein redirect zum login auslöst
|
|
343
338
|
end
|
|
344
339
|
end
|
|
345
340
|
|
|
@@ -349,7 +344,7 @@ module Tuersteher
|
|
|
349
344
|
|
|
350
345
|
# Module for include in Model-Object-Classes
|
|
351
346
|
#
|
|
352
|
-
# The module get the
|
|
347
|
+
# The module get the login_contex from Thread.current[:login_contex]
|
|
353
348
|
#
|
|
354
349
|
# Sample for ActiveRecord-Class
|
|
355
350
|
# class Sample < ActiveRecord::Base
|
|
@@ -369,9 +364,9 @@ module Tuersteher
|
|
|
369
364
|
#
|
|
370
365
|
# raise a SecurityError-Exception if access denied
|
|
371
366
|
def check_access permission
|
|
372
|
-
|
|
373
|
-
unless AccessRules.model_access?
|
|
374
|
-
raise SecurityError, "Access denied! Current
|
|
367
|
+
login_contex = Thread.current[:login_contex]
|
|
368
|
+
unless AccessRules.model_access? login_contex, self, permission
|
|
369
|
+
raise SecurityError, "Access denied! Current login_contex have no permission '#{permission}' on Model-Object #{self}."
|
|
375
370
|
end
|
|
376
371
|
end
|
|
377
372
|
|
|
@@ -382,12 +377,12 @@ module Tuersteher
|
|
|
382
377
|
module ClassMethods
|
|
383
378
|
|
|
384
379
|
# Bereinigen (entfernen) aller Objecte aus der angebenen Collection,
|
|
385
|
-
# wo der akt.
|
|
380
|
+
# wo der akt. login_contex nicht das angegebene Recht hat
|
|
386
381
|
#
|
|
387
382
|
# liefert ein neues Array mit den Objecten, wo der spez. Zugriff arlaubt ist
|
|
388
383
|
def purge_collection collection, permission
|
|
389
|
-
|
|
390
|
-
AccessRules.purge_collection(
|
|
384
|
+
login_contex = Thread.current[:login_contex]
|
|
385
|
+
AccessRules.purge_collection(login_contex, collection, permission)
|
|
391
386
|
end
|
|
392
387
|
end # of ClassMethods
|
|
393
388
|
|
|
@@ -645,7 +640,7 @@ module Tuersteher
|
|
|
645
640
|
|
|
646
641
|
# check, if this rule fired for specified parameter
|
|
647
642
|
def fired? path_or_model, method, login_ctx
|
|
648
|
-
login_ctx = nil if login_ctx==:false # manche Authenticate-System setzen den login_ctx/
|
|
643
|
+
login_ctx = nil if login_ctx==:false # manche Authenticate-System setzen den login_ctx/login_contex auf :false
|
|
649
644
|
@rule_spezifications.all?{|spec| spec.grant?(path_or_model, method, login_ctx)}
|
|
650
645
|
end
|
|
651
646
|
|
data/tuersteher.gemspec
CHANGED
|
@@ -3,14 +3,15 @@ $:.push File.expand_path("../lib", __FILE__)
|
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |s|
|
|
5
5
|
s.name = 'tuersteher'
|
|
6
|
-
s.version = '0.
|
|
6
|
+
s.version = '1.0.1'
|
|
7
7
|
s.authors = ["Bernd Ledig"]
|
|
8
|
-
s.email = ["bernd@ledig.info"]
|
|
9
|
-
s.homepage = "
|
|
10
|
-
s.summary = "
|
|
8
|
+
s.email = ["bernd@ledig.info","bernd.ledig@ottogroup.com"]
|
|
9
|
+
s.homepage = "https://gitlab.com/bledig/tuersteher"
|
|
10
|
+
s.summary = "Access-Handling for Rails-Apps"
|
|
11
11
|
s.description = <<-EOT
|
|
12
12
|
Security-Layer for Rails-Application acts like a firewall.
|
|
13
13
|
EOT
|
|
14
|
+
s.licenses = ["GPL-3.0-or-later"]
|
|
14
15
|
|
|
15
16
|
s.rubyforge_project = "tuersteher"
|
|
16
17
|
|
|
@@ -19,11 +20,12 @@ Gem::Specification.new do |s|
|
|
|
19
20
|
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
|
|
20
21
|
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
|
21
22
|
s.require_paths = ["lib"]
|
|
23
|
+
s.required_ruby_version = '> 2.5'
|
|
22
24
|
|
|
23
25
|
#s.add_runtime_dependency "i18n"
|
|
24
26
|
|
|
25
|
-
s.add_development_dependency "rake"
|
|
26
|
-
s.add_development_dependency "rspec", '
|
|
27
|
+
s.add_development_dependency "rake", '~> 10.5'
|
|
28
|
+
s.add_development_dependency "rspec", '~> 2.14'
|
|
27
29
|
|
|
28
30
|
end
|
|
29
31
|
|
metadata
CHANGED
|
@@ -1,65 +1,53 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: tuersteher
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 1.0.1
|
|
6
5
|
platform: ruby
|
|
7
6
|
authors:
|
|
8
7
|
- Bernd Ledig
|
|
9
8
|
autorequire:
|
|
10
9
|
bindir: bin
|
|
11
10
|
cert_chain: []
|
|
12
|
-
date:
|
|
11
|
+
date: 2020-02-06 00:00:00.000000000 Z
|
|
13
12
|
dependencies:
|
|
14
13
|
- !ruby/object:Gem::Dependency
|
|
15
14
|
name: rake
|
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
-
none: false
|
|
18
16
|
requirements:
|
|
19
|
-
- -
|
|
17
|
+
- - "~>"
|
|
20
18
|
- !ruby/object:Gem::Version
|
|
21
|
-
version: '
|
|
19
|
+
version: '10.5'
|
|
22
20
|
type: :development
|
|
23
21
|
prerelease: false
|
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
-
none: false
|
|
26
23
|
requirements:
|
|
27
|
-
- -
|
|
24
|
+
- - "~>"
|
|
28
25
|
- !ruby/object:Gem::Version
|
|
29
|
-
version: '
|
|
26
|
+
version: '10.5'
|
|
30
27
|
- !ruby/object:Gem::Dependency
|
|
31
28
|
name: rspec
|
|
32
29
|
requirement: !ruby/object:Gem::Requirement
|
|
33
|
-
none: false
|
|
34
30
|
requirements:
|
|
35
|
-
- -
|
|
31
|
+
- - "~>"
|
|
36
32
|
- !ruby/object:Gem::Version
|
|
37
|
-
version: '2.
|
|
38
|
-
- - <
|
|
39
|
-
- !ruby/object:Gem::Version
|
|
40
|
-
version: '3.0'
|
|
33
|
+
version: '2.14'
|
|
41
34
|
type: :development
|
|
42
35
|
prerelease: false
|
|
43
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
44
|
-
none: false
|
|
45
37
|
requirements:
|
|
46
|
-
- -
|
|
47
|
-
- !ruby/object:Gem::Version
|
|
48
|
-
version: '2.7'
|
|
49
|
-
- - <
|
|
38
|
+
- - "~>"
|
|
50
39
|
- !ruby/object:Gem::Version
|
|
51
|
-
version: '
|
|
52
|
-
description:
|
|
53
|
-
|
|
54
|
-
'
|
|
40
|
+
version: '2.14'
|
|
41
|
+
description: " Security-Layer for Rails-Application acts like a firewall.\n"
|
|
55
42
|
email:
|
|
56
43
|
- bernd@ledig.info
|
|
44
|
+
- bernd.ledig@ottogroup.com
|
|
57
45
|
executables: []
|
|
58
46
|
extensions: []
|
|
59
47
|
extra_rdoc_files:
|
|
60
48
|
- README.rdoc
|
|
61
49
|
files:
|
|
62
|
-
- .gitignore
|
|
50
|
+
- ".gitignore"
|
|
63
51
|
- Gemfile
|
|
64
52
|
- README.rdoc
|
|
65
53
|
- Rakefile
|
|
@@ -76,28 +64,28 @@ files:
|
|
|
76
64
|
- spec/spec.opts
|
|
77
65
|
- spec/spec_helper.rb
|
|
78
66
|
- tuersteher.gemspec
|
|
79
|
-
homepage:
|
|
80
|
-
licenses:
|
|
67
|
+
homepage: https://gitlab.com/bledig/tuersteher
|
|
68
|
+
licenses:
|
|
69
|
+
- GPL-3.0-or-later
|
|
70
|
+
metadata: {}
|
|
81
71
|
post_install_message:
|
|
82
72
|
rdoc_options: []
|
|
83
73
|
require_paths:
|
|
84
74
|
- lib
|
|
85
75
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
86
|
-
none: false
|
|
87
76
|
requirements:
|
|
88
|
-
- -
|
|
77
|
+
- - ">"
|
|
89
78
|
- !ruby/object:Gem::Version
|
|
90
|
-
version: '
|
|
79
|
+
version: '2.5'
|
|
91
80
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
92
|
-
none: false
|
|
93
81
|
requirements:
|
|
94
|
-
- -
|
|
82
|
+
- - ">="
|
|
95
83
|
- !ruby/object:Gem::Version
|
|
96
84
|
version: '0'
|
|
97
85
|
requirements: []
|
|
98
86
|
rubyforge_project: tuersteher
|
|
99
|
-
rubygems_version:
|
|
87
|
+
rubygems_version: 2.7.6.2
|
|
100
88
|
signing_key:
|
|
101
|
-
specification_version:
|
|
102
|
-
summary:
|
|
89
|
+
specification_version: 4
|
|
90
|
+
summary: Access-Handling for Rails-Apps
|
|
103
91
|
test_files: []
|