uhees-declarative_authorization 0.3.1

data/test/controller_test.rb

@@ -0,0 +1,418 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+
+class LoadMockObject < MockDataObject
+  def self.find(*args)
+    new :id => args[0]
+  end
+end
+
+
+##################
+class SpecificMocksController < MocksController
+  filter_access_to :test_action, :require => :test, :context => :permissions
+  filter_access_to :test_action_2, :require => :test, :context => :permissions_2
+  filter_access_to :show
+  filter_access_to :edit, :create, :require => :test, :context => :permissions
+  filter_access_to :edit_2, :require => :test, :context => :permissions,
+    :attribute_check => true, :model => LoadMockObject
+  filter_access_to :new, :require => :test, :context => :permissions
+  
+  filter_access_to [:action_group_action_1, :action_group_action_2]
+  define_action_methods :test_action, :test_action_2, :show, :edit, :create,
+    :edit_2, :new, :unprotected_action, :action_group_action_1, :action_group_action_2
+end
+
+class BasicControllerTest < ActionController::TestCase
+  tests SpecificMocksController
+  
+  
+  def test_filter_access_to_receiving_an_explicit_array
+    reader = Authorization::Reader::DSLReader.new
+
+    reader.parse %{
+      authorization do
+        role :test_action_group_2 do
+          has_permission_on :specific_mocks, :to => :action_group_action_2
+        end
+      end
+    }
+
+    request!(MockUser.new(:test_action_group_2), "action_group_action_2", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:test_action_group_2), "action_group_action_1", reader)
+    assert !@controller.authorized?
+    request!(nil, "action_group_action_2", reader)
+    assert !@controller.authorized?
+  end
+  
+  def test_filter_access
+    assert !@controller.class.before_filters.empty?
+    
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+          has_permission_on :specific_mocks, :to => :show
+        end
+      end
+    }
+    
+    request!(MockUser.new(:test_role), "test_action", reader)
+    assert @controller.authorized?
+    
+    request!(MockUser.new(:test_role), "test_action_2", reader)
+    assert !@controller.authorized?
+    
+    request!(MockUser.new(:test_role_2), "test_action", reader)
+    assert_response :forbidden
+    assert !@controller.authorized?
+    
+    request!(MockUser.new(:test_role), "show", reader)
+    assert @controller.authorized?
+  end
+  
+  def test_filter_access_multi_actions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    } 
+    request!(MockUser.new(:test_role), "create", reader)
+    assert @controller.authorized?
+  end
+  
+  def test_filter_access_unprotected_actions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+        end
+      end
+    }
+    request!(MockUser.new(:test_role), "unprotected_action", reader)
+    assert @controller.authorized?
+  end
+
+  def test_filter_access_priv_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :read do
+          includes :list, :show
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :specific_mocks, :to => :read
+        end
+      end
+    }
+    request!(MockUser.new(:test_role), "show", reader)
+    assert @controller.authorized?
+  end
+  
+  def test_filter_access_skip_attribute_test
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :id => is { user }
+          end
+        end
+      end
+    }
+    request!(MockUser.new(:test_role), "new", reader)
+    assert @controller.authorized?
+    
+    request!(MockUser.new(:test_role), "edit_2", reader)
+    assert !@controller.authorized?
+  end
+  
+  def test_existing_instance_var_remains_unchanged
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :id => is { 5 }
+          end
+        end
+      end
+    }
+    mock_object = MockDataObject.new(:id => 5)
+    @controller.send(:instance_variable_set, :"@load_mock_object",
+        mock_object)
+    request!(MockUser.new(:test_role), "edit_2", reader)
+    assert_equal mock_object, 
+      @controller.send(:instance_variable_get, :"@load_mock_object")
+    assert @controller.authorized?
+  end
+
+  def test_permitted_to_without_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :specific_mocks, :to => :test
+        end
+      end
+    }
+    @controller.current_user = MockUser.new(:test_role)
+    @controller.authorization_engine = Authorization::Engine.new(reader)
+    assert @controller.permitted_to?(:test)
+  end
+end
+
+
+##################
+class AllMocksController < MocksController
+  filter_access_to :all
+  filter_access_to :view, :require => :test, :context => :permissions
+  define_action_methods :show, :view
+end
+class AllActionsControllerTest < ActionController::TestCase
+  tests AllMocksController
+  def test_filter_access_all
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+          has_permission_on :all_mocks, :to => :show
+        end
+      end
+    }
+    
+    request!(MockUser.new(:test_role), "show", reader)
+    assert @controller.authorized?
+    
+    request!(MockUser.new(:test_role), "view", reader)
+    assert @controller.authorized?
+    
+    request!(MockUser.new(:test_role_2), "show", reader)
+    assert !@controller.authorized?
+  end
+end
+
+
+##################
+class LoadMockObjectsController < MocksController
+  filter_access_to :show, :attribute_check => true, :model => LoadMockObject
+  filter_access_to :edit, :attribute_check => true
+  filter_access_to :update, :delete, :attribute_check => true,
+                   :load_method => lambda {MockDataObject.new(:test => 1)}
+  filter_access_to :create do
+    permitted_to! :edit, :load_mock_objects
+  end
+  filter_access_to :view, :attribute_check => true, :load_method => :load_method
+  def load_method
+    MockDataObject.new(:test => 2)
+  end
+  define_action_methods :show, :edit, :update, :delete, :create, :view
+end
+class LoadObjectControllerTest < ActionController::TestCase
+  tests LoadMockObjectsController
+  
+  def test_filter_access_with_object_load
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :load_mock_objects, :to => [:show, :edit] do
+            if_attribute :id => is {"1"}
+          end
+        end
+      end
+    }
+    
+    request!(MockUser.new(:test_role), "show", reader, :id => 2)
+    assert !@controller.authorized?
+    
+    request!(MockUser.new(:test_role), "show", reader, :id => 1,
+      :clear => [:@load_mock_object])
+    assert @controller.authorized?
+    
+    request!(MockUser.new(:test_role), "edit", reader, :id => 1,
+      :clear => [:@load_mock_object])
+    assert @controller.authorized?
+    assert @controller.instance_variable_defined?(:@load_mock_object)
+  end
+  
+  def test_filter_access_with_object_load_custom
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :load_mock_objects, :to => :view do
+            if_attribute :test => is {2}
+          end
+          has_permission_on :load_mock_objects, :to => :update do
+            if_attribute :test => is {1}
+          end
+          has_permission_on :load_mock_objects, :to => :delete do
+            if_attribute :test => is {2}
+          end
+        end
+      end
+    }
+    
+    request!(MockUser.new(:test_role), "delete", reader)
+    assert !@controller.authorized?
+    
+    request!(MockUser.new(:test_role), "view", reader)
+    assert @controller.authorized?
+    
+    request!(MockUser.new(:test_role), "update", reader)
+    assert @controller.authorized?
+  end
+  
+  def test_filter_access_custom
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :load_mock_objects, :to => :edit
+        end
+        role :test_role_2 do
+          has_permission_on :load_mock_objects, :to => :create
+        end
+      end
+    }
+    
+    request!(MockUser.new(:test_role), "create", reader)
+    assert @controller.authorized?
+    
+    request!(MockUser.new(:test_role_2), "create", reader)
+    assert !@controller.authorized?
+  end
+end
+
+
+##################
+class AccessOverwritesController < MocksController
+  filter_access_to :test_action, :test_action_2, 
+    :require => :test, :context => :permissions_2
+  filter_access_to :test_action, :require => :test, :context => :permissions
+  define_action_methods :test_action, :test_action_2
+end
+class AccessOverwritesControllerTest < ActionController::TestCase
+  def test_filter_access_overwrite
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    request!(MockUser.new(:test_role), "test_action_2", reader)
+    assert !@controller.authorized?
+    
+    request!(MockUser.new(:test_role), "test_action", reader)
+    assert @controller.authorized?
+  end
+end
+
+
+##################
+class PeopleController < MocksController
+  filter_access_to :all
+  define_action_methods :show
+end
+class PluralizationControllerTest < ActionController::TestCase
+  tests PeopleController
+  
+  def test_filter_access_people_controller
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :people, :to => :show
+        end
+      end
+    }
+    request!(MockUser.new(:test_role), "show", reader)
+    assert @controller.authorized?
+  end
+end
+
+
+##################
+class CommonController < MocksController
+  filter_access_to :delete, :context => :common
+  filter_access_to :all
+end
+class CommonChild1Controller < CommonController
+  filter_access_to :all, :context => :context_1
+end
+class CommonChild2Controller < CommonController
+  filter_access_to :delete
+  define_action_methods :show
+end
+class HierachicalControllerTest < ActionController::TestCase
+  tests CommonChild2Controller
+  def test_controller_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :mocks, :to => [:delete, :show]
+        end
+      end
+    }
+    request!(MockUser.new(:test_role), "show", reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:test_role), "delete", reader)
+    assert !@controller.authorized?
+  end
+end
+
+##################
+module Foo
+  class CommonController < MocksController
+    filter_access_to :all
+    filter_access_to :new
+    filter_access_to :show, :namespace => :bar
+    filter_access_to :delete, :namespace => true
+  
+    define_action_methods :new, :show, :delete
+  end
+end
+class NamespacedControllerTest < ActionController::TestCase
+  tests Foo::CommonController
+  def test_namespaced_controller
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role1 do
+          has_permission_on :common, :to => [:new, :show, :delete]
+        end
+        role :test_role2 do
+          has_permission_on :common, :to => [:new]
+          has_permission_on :bar_common, :to => [:show]
+          has_permission_on :foo_common, :to => [:delete]
+        end
+      end
+    }
+    request!(MockUser.new(:test_role1), "new", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:test_role1), "show", reader)
+    assert !@controller.authorized?
+    request!(MockUser.new(:test_role1), "delete", reader)
+    assert !@controller.authorized?
+
+    request!(MockUser.new(:test_role2), "new", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:test_role2), "show", reader)
+    assert @controller.authorized?
+    request!(MockUser.new(:test_role2), "delete", reader)
+    assert @controller.authorized?
+  end
+end
+

data/test/dsl_reader_test.rb

@@ -0,0 +1,157 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+class DSLReaderTest < Test::Unit::TestCase
+  def test_privileges
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :test_priv do
+          includes :lower_priv
+        end
+      end
+    }
+    assert_equal 2, reader.privileges_reader.privileges.length
+    assert_equal [[:lower_priv, nil]], 
+      reader.privileges_reader.privilege_hierarchy[:test_priv]
+  end
+  
+  def test_privileges_with_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :test_priv, :test_context do
+          includes :lower_priv
+        end
+      end
+    }
+    assert_equal [[:lower_priv, :test_context]], 
+      reader.privileges_reader.privilege_hierarchy[:test_priv]
+  end
+  
+  def test_privileges_one_line
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :test_priv, :test_context, :includes => :lower_priv
+        privilege :test_priv_2, :test_context, :includes => [:lower_priv]
+        privilege :test_priv_3, :includes => [:lower_priv]
+      end
+    }
+    assert_equal [[:lower_priv, :test_context]], 
+      reader.privileges_reader.privilege_hierarchy[:test_priv]
+    assert_equal [[:lower_priv, :test_context]], 
+      reader.privileges_reader.privilege_hierarchy[:test_priv_2]
+    assert_equal [[:lower_priv, nil]], 
+      reader.privileges_reader.privilege_hierarchy[:test_priv_3]
+  end
+  
+  def test_auth_role
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          includes :lesser_role
+          has_permission_on :items, :to => :read
+        end
+      end
+    }
+    assert_equal 1, reader.auth_rules_reader.roles.length
+    assert_equal [:lesser_role], reader.auth_rules_reader.role_hierarchy[:test_role]
+    assert_equal 1, reader.auth_rules_reader.auth_rules.length
+  end
+  
+  def test_auth_role_permit_on
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :test_context do
+            to :test_perm, :manage
+            if_attribute :test_attr => is { user.test_attr }
+          end
+        end
+      end
+    |
+    assert_equal 1, reader.auth_rules_reader.roles.length
+    assert_equal 1, reader.auth_rules_reader.auth_rules.length
+    assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test_perm], :test_context)
+    assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:manage], :test_context)
+  end
+  
+  def test_permit_block
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :perms, :to => :test do
+            if_attribute :test_attr   => is { user.test_attr }
+            if_attribute :test_attr_2 => is_not { user.test_attr }
+            if_attribute :test_attr_3 => contains { user.test_attr }
+            if_attribute :test_attr_4 => does_not_contain { user.test_attr }
+            if_attribute :test_attr_5 => is_in { user.test_attr }
+            if_attribute :test_attr_5 => is_not_in { user.test_attr }
+          end
+        end
+      end
+    |
+    assert_equal 1, reader.auth_rules_reader.roles.length
+    assert_equal 1, reader.auth_rules_reader.auth_rules.length
+    assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
+  end
+  
+  def test_has_permission_to_with_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :perms, :to => :test
+        end
+      end
+    |
+    assert_equal 1, reader.auth_rules_reader.roles.length
+    assert_equal 1, reader.auth_rules_reader.auth_rules.length
+    assert reader.auth_rules_reader.auth_rules[0].matches?(:test_role, [:test], :perms)
+  end
+  
+  def test_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      contexts do
+        context :high_level_context do
+          includes :low_level_context_1, :low_level_context_2
+        end
+      end
+    }
+  end
+  
+  def test_dsl_error
+    reader = Authorization::Reader::DSLReader.new
+    assert_raise(Authorization::Reader::DSLError) do
+      reader.parse %{
+        authorization do
+          includes :lesser_role
+        end
+      }
+    end
+  end
+  
+  def test_syntax_error
+    reader = Authorization::Reader::DSLReader.new
+    assert_raise(Authorization::Reader::DSLSyntaxError) do
+      reader.parse %{
+        authorizations do
+        end
+      }
+    end
+  end
+  
+  def test_syntax_error_2
+    reader = Authorization::Reader::DSLReader.new
+    assert_raise(Authorization::Reader::DSLSyntaxError) do
+      reader.parse %{
+        authorizations
+        end
+      }
+    end
+  end
+end