verifica 1.0.0 → 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/README.md +17 -13
- data/lib/verifica/acl.rb +1 -2
- data/lib/verifica/authorizer.rb +1 -0
- data/lib/verifica/sid.rb +61 -0
- data/lib/verifica/version.rb +1 -1
- data/lib/verifica.rb +1 -1
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ccea0b2769fa053006c2ec3d0b4cd0d3cc65a3a4b4375ce390dabe3a093f490d
|
|
4
|
+
data.tar.gz: 0bb0dd63b30f08a1df1af771671312182cde2c159613094f9fd0c664201b6e24
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5c3bfab0ce9ccd36cd91baadcc4454e462c9a5d098c6295d3073040d3291030e516d7ae90d200b55b84d4cafd51cd0118c51a1e5a5e0ee075d54e18528033d01
|
|
7
|
+
data.tar.gz: 6f6011eaec5b7f8a1d810233350a8a68cb7fdf7cf86d8bdc069d51478826ce847461c9d53e5c5f7e83922ac956cb3c1546fd957cb973c5dfee1a71cbc7258726
|
data/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [1.0.1] - 2023-04-15
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
|
|
14
|
+
- `Sid#country_sid` and `Sid#group_sid` helper methods
|
|
15
|
+
|
|
10
16
|
## [1.0.0] - 2023-01-19
|
|
11
17
|
|
|
12
18
|
Initial public release
|
data/README.md
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
|
+
[](https://badge.fury.io/rb/verifica)
|
|
1
2
|
[](https://github.com/maximgurin/verifica/actions/workflows/ci.yml)
|
|
3
|
+
[](http://rubydoc.info/github/maximgurin/verifica)
|
|
2
4
|
[](https://www.codacy.com/gh/maximgurin/verifica/dashboard?utm_source=github.com&utm_medium=referral&utm_content=maximgurin/verifica&utm_campaign=Badge_Grade)
|
|
3
5
|
[](https://www.codacy.com/gh/maximgurin/verifica/dashboard?utm_source=github.com&utm_medium=referral&utm_content=maximgurin/verifica&utm_campaign=Badge_Coverage)
|
|
4
6
|
|
|
@@ -22,7 +24,7 @@ But anyway, trust nothing. DYOR.*
|
|
|
22
24
|
|
|
23
25
|
## Why Verifica? Isn't Pundit or CanCanCan enough?
|
|
24
26
|
|
|
25
|
-
Let's say you working on a video platform application:
|
|
27
|
+
Let's say you are working on a video platform application:
|
|
26
28
|
|
|
27
29
|
- You have 10M videos in the database
|
|
28
30
|
- 7 types of user roles
|
|
@@ -70,7 +72,7 @@ authorizer = Verifica.authorizer do |config|
|
|
|
70
72
|
end
|
|
71
73
|
|
|
72
74
|
public_video = Video.new(id: 1, author_id: 1000, public: true)
|
|
73
|
-
private_video = Video.new(id: 2, author_id: 1000, public:
|
|
75
|
+
private_video = Video.new(id: 2, author_id: 1000, public: false)
|
|
74
76
|
|
|
75
77
|
superuser = User.new(id: 777, role: "root")
|
|
76
78
|
video_author = User.new(id: 1000, role: "user")
|
|
@@ -184,9 +186,9 @@ end
|
|
|
184
186
|
|
|
185
187
|
video_acl.to_a
|
|
186
188
|
# =>
|
|
187
|
-
# [#<Verifica::Ace:0x00007fab1955dd60 @action=:
|
|
188
|
-
# #<Verifica::Ace:0x00007fab1955dd10 @action=:comment, @allow=true, @sid="authenticated">,
|
|
189
|
-
# #<Verifica::Ace:0x00007fab1955dc48 @action=:
|
|
189
|
+
# [#<Verifica::Ace:0x00007fab1955dd60 @action=:read, @allow=true, @sid="authenticated">,
|
|
190
|
+
# #<Verifica::Ace:0x00007fab1955dd10 @action=:comment, @allow=true, @sid="authenticated">,
|
|
191
|
+
# #<Verifica::Ace:0x00007fab1955dc48 @action=:read, @allow=false, @sid="country:US">]
|
|
190
192
|
```
|
|
191
193
|
|
|
192
194
|
### AclProvider
|
|
@@ -210,8 +212,8 @@ end
|
|
|
210
212
|
### Authorizer
|
|
211
213
|
|
|
212
214
|
And finally, Authorizer, the heart of Verifica. It couples all concepts above into an isolated container with no global state.
|
|
213
|
-
Each Authorizer has a list of resource types registered with their companion AclProviders
|
|
214
|
-
|
|
215
|
+
Each Authorizer has a list of resource types registered with their companion AclProviders and
|
|
216
|
+
several methods to check the Subject's rights to perform a specific action on a given resource.
|
|
215
217
|
|
|
216
218
|
Check the [Basic example](#basic-example) above to see how it all plays together.
|
|
217
219
|
|
|
@@ -318,11 +320,11 @@ class User < ApplicationRecord
|
|
|
318
320
|
when "moderator"
|
|
319
321
|
[user_sid(id), role_sid("moderator")]
|
|
320
322
|
when "user"
|
|
321
|
-
sids = [authenticated_sid, user_sid(id),
|
|
323
|
+
sids = [authenticated_sid, user_sid(id), country_sid(country)]
|
|
322
324
|
organization_id.try { |org_id| sids.push(organization_sid(org_id)) }
|
|
323
325
|
sids
|
|
324
326
|
when "organization_admin"
|
|
325
|
-
sids = [authenticated_sid, user_sid(id),
|
|
327
|
+
sids = [authenticated_sid, user_sid(id), country_sid(country)]
|
|
326
328
|
sids.push(organization_sid(organization_id))
|
|
327
329
|
sids.push(role_sid("organization_admin:#{organization_id}"))
|
|
328
330
|
else
|
|
@@ -354,7 +356,7 @@ end
|
|
|
354
356
|
```
|
|
355
357
|
|
|
356
358
|
```ruby
|
|
357
|
-
# app/models/
|
|
359
|
+
# app/models/video.rb
|
|
358
360
|
|
|
359
361
|
class Video < ApplicationRecord
|
|
360
362
|
attr_accessor :allowed_actions
|
|
@@ -383,7 +385,11 @@ end
|
|
|
383
385
|
|
|
384
386
|
class VideosController
|
|
385
387
|
def index
|
|
386
|
-
@videos = Video
|
|
388
|
+
@videos = Video
|
|
389
|
+
.includes(:distribution_setting, author: [:organization])
|
|
390
|
+
.available_for(current_user)
|
|
391
|
+
.order(:name)
|
|
392
|
+
.limit(50)
|
|
387
393
|
end
|
|
388
394
|
|
|
389
395
|
def show
|
|
@@ -415,8 +421,6 @@ run a background job to find all affected videos and update `read_allow_sids`, `
|
|
|
415
421
|
Same applies to Distribution Settings and other dependencies.
|
|
416
422
|
- **Rules change handling.** If implementation of `VideoAclProvider` changed you need to run a background job
|
|
417
423
|
to update `read_allow_sids`, `read_deny_sids` columns for all videos.
|
|
418
|
-
- **Cache, N+1 problem.** `VideoAclProvider` retrieves a chain of records associated with each video which leads to
|
|
419
|
-
N+1 problem in a naive implementation.
|
|
420
424
|
|
|
421
425
|
See also:
|
|
422
426
|
|
data/lib/verifica/acl.rb
CHANGED
|
@@ -54,7 +54,6 @@ module Verifica
|
|
|
54
54
|
|
|
55
55
|
allow_deny[:allowed_sids].freeze
|
|
56
56
|
allow_deny[:denied_sids].freeze
|
|
57
|
-
allow_deny.freeze
|
|
58
57
|
end
|
|
59
58
|
|
|
60
59
|
@allowed_actions.freeze
|
|
@@ -154,7 +153,7 @@ module Verifica
|
|
|
154
153
|
|
|
155
154
|
# @example
|
|
156
155
|
# acl = Verifica::Acl.build { |acl| acl.allow "root", [:read, :write] }
|
|
157
|
-
# acl.to_a.map(
|
|
156
|
+
# acl.to_a.map(&:to_h)
|
|
158
157
|
# # => [{:sid=>"root", :action=>:read, :allow=>true}, {:sid=>"root", :action=>:write, :allow=>true}]
|
|
159
158
|
#
|
|
160
159
|
# @return [Array<Ace>] a new array representing +self+
|
data/lib/verifica/authorizer.rb
CHANGED
|
@@ -141,6 +141,7 @@ module Verifica
|
|
|
141
141
|
def resource_acl(resource, **context)
|
|
142
142
|
config = config_by_resource(resource)
|
|
143
143
|
acl = config.acl_provider.call(resource, **context)
|
|
144
|
+
# trade-off flexibility to increase robustness here by requiring a specific type
|
|
144
145
|
unless acl.is_a?(Verifica::Acl)
|
|
145
146
|
type = resource.resource_type
|
|
146
147
|
raise Error, "'#{type}' resource acl_provider should respond to #call with Acl object but got '#{acl.class}'"
|
data/lib/verifica/sid.rb
CHANGED
|
@@ -211,5 +211,66 @@ module Verifica
|
|
|
211
211
|
|
|
212
212
|
"org:#{organization_id}".freeze
|
|
213
213
|
end
|
|
214
|
+
|
|
215
|
+
# Security Identifier of the subject who is a member of the group with given +group_id+
|
|
216
|
+
#
|
|
217
|
+
# @note (see #user_sid)
|
|
218
|
+
#
|
|
219
|
+
# @example
|
|
220
|
+
# class PostAclProvider
|
|
221
|
+
# include Verifica::Sid
|
|
222
|
+
#
|
|
223
|
+
# def call(post, **)
|
|
224
|
+
# Verifica::Acl.build do |acl|
|
|
225
|
+
# post.editor_groups.each do |group_id|
|
|
226
|
+
# acl.allow group_sid(group_id), [:edit, :delete]
|
|
227
|
+
# end
|
|
228
|
+
#
|
|
229
|
+
# # ...
|
|
230
|
+
# end
|
|
231
|
+
# end
|
|
232
|
+
# end
|
|
233
|
+
#
|
|
234
|
+
# @return [String]
|
|
235
|
+
#
|
|
236
|
+
# @api public
|
|
237
|
+
def group_sid(group_id)
|
|
238
|
+
if group_id.nil?
|
|
239
|
+
raise ArgumentError, "Nil 'group_id' is unsafe. Use empty string if you absolutely need this behavior"
|
|
240
|
+
end
|
|
241
|
+
|
|
242
|
+
"group:#{group_id}".freeze
|
|
243
|
+
end
|
|
244
|
+
|
|
245
|
+
# Security Identifier of the subject whose country is the country with given +country_id+
|
|
246
|
+
#
|
|
247
|
+
# @note (see #user_sid)
|
|
248
|
+
#
|
|
249
|
+
# @example
|
|
250
|
+
# class PostAclProvider
|
|
251
|
+
# include Verifica::Sid
|
|
252
|
+
#
|
|
253
|
+
# def call(post, **)
|
|
254
|
+
# Verifica::Acl.build do |acl|
|
|
255
|
+
# acl.allow authenticated_sid, [:read, :comment]
|
|
256
|
+
# post.banned_countries.each do |country_id|
|
|
257
|
+
# acl.deny country_sid(country_id), [:read, :comment]
|
|
258
|
+
# end
|
|
259
|
+
#
|
|
260
|
+
# # ...
|
|
261
|
+
# end
|
|
262
|
+
# end
|
|
263
|
+
# end
|
|
264
|
+
#
|
|
265
|
+
# @return [String]
|
|
266
|
+
#
|
|
267
|
+
# @api public
|
|
268
|
+
def country_sid(country_id)
|
|
269
|
+
if country_id.nil?
|
|
270
|
+
raise ArgumentError, "Nil 'country_id' is unsafe. Use empty string if you absolutely need this behavior"
|
|
271
|
+
end
|
|
272
|
+
|
|
273
|
+
"country:#{country_id}".freeze
|
|
274
|
+
end
|
|
214
275
|
end
|
|
215
276
|
end
|
data/lib/verifica/version.rb
CHANGED
data/lib/verifica.rb
CHANGED
|
@@ -54,7 +54,7 @@ require_relative "verifica/version"
|
|
|
54
54
|
# end
|
|
55
55
|
#
|
|
56
56
|
# public_video = Video.new(id: 1, author_id: 1000, public: true)
|
|
57
|
-
# private_video = Video.new(id: 2, author_id: 1000, public:
|
|
57
|
+
# private_video = Video.new(id: 2, author_id: 1000, public: false)
|
|
58
58
|
#
|
|
59
59
|
# superuser = User.new(id: 777, role: "root")
|
|
60
60
|
# video_author = User.new(id: 1000, role: "user")
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: verifica
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Maxim Gurin
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-04-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -105,7 +105,7 @@ metadata:
|
|
|
105
105
|
source_code_uri: https://github.com/maximgurin/verifica
|
|
106
106
|
bug_tracker_uri: https://github.com/maximgurin/verifica/issues
|
|
107
107
|
rubygems_mfa_required: 'true'
|
|
108
|
-
post_install_message:
|
|
108
|
+
post_install_message:
|
|
109
109
|
rdoc_options: []
|
|
110
110
|
require_paths:
|
|
111
111
|
- lib
|
|
@@ -120,8 +120,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
120
120
|
- !ruby/object:Gem::Version
|
|
121
121
|
version: '0'
|
|
122
122
|
requirements: []
|
|
123
|
-
rubygems_version: 3.4.
|
|
124
|
-
signing_key:
|
|
123
|
+
rubygems_version: 3.4.12
|
|
124
|
+
signing_key:
|
|
125
125
|
specification_version: 4
|
|
126
126
|
summary: The most scalable authorization solution for Ruby
|
|
127
127
|
test_files: []
|