wallaby-core 0.1.0

data/lib/authorizers/wallaby/cancancan_authorization_provider.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Wallaby
+  # Cancancan base authorization provider
+  class CancancanAuthorizationProvider < ModelAuthorizationProvider
+    # Detect and see if Cancancan is in use.
+    # @param context [ActionController::Base]
+    # @return [true] if Cancancan is in use.
+    # @return [false] if Cancancan is not in use.
+    def self.available?(context)
+      defined?(CanCanCan) && defined?(Ability) && context.respond_to?(:current_ability)
+    end
+
+    # This will pull out the args required for contruction from context
+    # @param context [ActionController::Base]
+    # @return [Hash] args for initialize
+    def self.args_from(context)
+      { ability: context.current_ability, user: ModuleUtils.try_to(context, :current_user) }
+    end
+
+    # @!attribute [r] ability
+    # @return [Ability]
+    attr_reader :ability
+
+    def initialize(ability:, user: nil)
+      @ability = ability
+      @user = user
+    end
+
+    # Check user's permission for an action on given subject.
+    # This method will be used in controller.
+    # @param action [Symbol, String]
+    # @param subject [Object, Class]
+    # @raise [Wallaby::Forbidden] when user is not authorized to perform the action.
+    def authorize(action, subject)
+      ability.authorize! action, subject
+    rescue ::CanCan::AccessDenied
+      Rails.logger.info I18n.t('errors.unauthorized', user: user, action: action, subject: subject)
+      raise Forbidden
+    end
+
+    # Check and see if user is allowed to perform an action on given subject.
+    # @param action [Symbol, String]
+    # @param subject [Object, Class]
+    # @return [Boolean]
+    def authorized?(action, subject)
+      ability.can? action, subject
+    end
+
+    # Restrict user to access certain scope.
+    # @param action [Symbol, String]
+    # @param scope [Object]
+    # @return [Object]
+    def accessible_for(action, scope)
+      ModuleUtils.try_to(scope, :accessible_by, ability, action) || scope
+    end
+
+    # Restrict user to assign certain values.
+    # @param action [Symbol, String]
+    # @param subject [Object]
+    # @return nil
+    delegate :attributes_for, to: :ability
+
+    # Just return nil
+    # @param action [Symbol, String]
+    # @param subject [Object]
+    # @return [nil]
+    def permit_params(action, subject)
+      # Do nothing
+    end
+  end
+end

data/lib/authorizers/wallaby/default_authorization_provider.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Wallaby
+  # Default authorization provider
+  class DefaultAuthorizationProvider < ModelAuthorizationProvider
+    # Always available.
+    # @param _context [ActionController::Base]
+    # @return [true]
+    def self.available?(_context)
+      true
+    end
+
+    # This will pull out the args required for contruction from context
+    # @param _context [ActionController::Base]
+    # @return [Hash] args for initialize
+    def self.args_from(_context)
+      {}
+    end
+
+    # Do nothing
+    # @param _action [Symbol, String]
+    # @param subject [Object, Class]
+    def authorize(_action, subject)
+      subject
+    end
+
+    # Always return true
+    # @param _action [Symbol, String]
+    # @param _subject [Object, Class]
+    # @return [true]
+    def authorized?(_action, _subject)
+      true
+    end
+
+    # Do nothing
+    # @param _action [Symbol, String]
+    # @param scope [Object]
+    def accessible_for(_action, scope)
+      scope
+    end
+
+    # Return empty attributes
+    # @param _action [Symbol, String]
+    # @param _subject [Object]
+    # @return [Hash] empty hash
+    def attributes_for(_action, _subject)
+      {}
+    end
+
+    # @note Please make sure to return nil when the authorization doesn't support this feature.
+    # @param _action [Symbol, String]
+    # @param _subject [Object]
+    # @return [nil]
+    def permit_params(_action, _subject)
+      # Do nothing
+    end
+  end
+end

data/lib/authorizers/wallaby/model_authorizer.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module Wallaby
+  # Model Authorizer to provide authorization functions
+  # @since 5.2.0
+  class ModelAuthorizer
+    extend Baseable::ClassMethods
+
+    class << self
+      # @!attribute [w] model_class
+      attr_writer :model_class
+
+      # @!attribute [r] model_class
+      # Return associated model class, e.g. return **Product** for **ProductAuthorizer**.
+      #
+      # If Wallaby can't recognise the model class for Authorizer, it's required to be configured as below example:
+      # @example To configure model class
+      #   class Admin::ProductAuthorizer < Admin::ApplicationAuthorizer
+      #     self.model_class = Product
+      #   end
+      # @example To configure model class for version below 5.2.0
+      #   class Admin::ProductAuthorizer < Admin::ApplicationAuthorizer
+      #     def self.model_class
+      #       Product
+      #     end
+      #   end
+      # @return [Class] assoicated model class
+      # @return [nil] if current class is marked as base class
+      # @return [nil] if current class is the same as the value of {Wallaby::Configuration::Mapping#model_authorizer}
+      # @return [nil] if current class is {Wallaby::ModelAuthorizer}
+      # @return [nil] if assoicated model class is not found
+      def model_class
+        return unless self < ModelAuthorizer
+        return if base_class? || self == Wallaby.configuration.mapping.model_authorizer
+
+        @model_class ||= Map.model_class_map(name.gsub(/(^#{namespace}::)|(Authorizer$)/, EMPTY_STRING))
+      end
+
+      # @!attribute [w] provider_name
+      attr_writer :provider_name
+
+      # @!attribute [r] provider_name
+      # @return [String, Symbol] provider name of the authorization framework used
+      def provider_name
+        @provider_name ||= ModuleUtils.try_to superclass, :provider_name
+      end
+
+      # Factory method to create the model authorizer
+      # @param context [ActionController::Base]
+      # @param model_class [Class]
+      # @return [Wallaby::ModelAuthorizer]
+      def create(context, model_class)
+        model_class ||= self.model_class
+        provider_class = guess_provider_class context, model_class
+        new model_class, provider_class, provider_class.args_from(context)
+      end
+
+      private
+
+      # @param context [ActionController::Base]
+      # @param model_class [Class]
+      # @return [Class] provider class
+      def guess_provider_class(context, model_class)
+        providers = Map.authorizer_provider_map model_class
+        providers[provider_name] || providers.values.find { |klass| klass.available? context }
+      end
+    end
+
+    delegate(*ModelAuthorizationProvider.instance_methods(false), to: :@provider)
+
+    # @!attribute [r] model_class
+    # @return [Class]
+    attr_reader :model_class
+
+    # @!attribute [r] provider
+    # @return [Wallaby::ModelAuthorizationProvider]
+    # @since 5.2.0
+    attr_reader :provider
+
+    # @param model_class [Class]
+    # @param provider_name_or_class [String, Symbol, Class]
+    # @param options [Hash]
+    def initialize(model_class, provider_name_or_class, options = {})
+      @model_class = model_class || self.class.model_class
+      @provider = init_provider provider_name_or_class, options
+    end
+
+    protected
+
+    # Go through provider list and detect which provider is used.
+    # @param provider_name_or_class [String, Symbol, Class]
+    # @param options [Hash]
+    # @return [Wallaby::Authorizer]
+    def init_provider(provider_name_or_class, options)
+      providers = Map.authorizer_provider_map model_class
+      provider_class = provider_name_or_class.is_a?(Class) ? provider_name_or_class : providers[provider_name_or_class]
+      provider_class.new(**options)
+    end
+  end
+end

data/lib/authorizers/wallaby/pundit_authorization_provider.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Wallaby
+  # Pundit base authorization provider
+  class PunditAuthorizationProvider < ModelAuthorizationProvider
+    # Detect and see if Pundit is in use.
+    # @param context [ActionController::Base]
+    # @return [true] if Pundit is in use.
+    # @return [false] if Pundit is not in use.
+    def self.available?(context)
+      defined?(Pundit) && context.respond_to?(:pundit_user)
+    end
+
+    # This will pull out the args required for contruction from context
+    # @param context [ActionController::Base]
+    # @return [Hash] args for initialize
+    def self.args_from(context)
+      { user: context.pundit_user }
+    end
+
+    # @param user [Object]
+    def initialize(user:)
+      @user = user
+    end
+
+    # Check user's permission for an action on given subject.
+    #
+    # This method will be used in controller.
+    # @param action [Symbol, String]
+    # @param subject [Object, Class]
+    # @raise [Wallaby::Forbidden] when user is not authorized to perform the action.
+    def authorize(action, subject)
+      Pundit.authorize(user, subject, normalize(action)) && subject
+    rescue ::Pundit::NotAuthorizedError
+      Rails.logger.info I18n.t('errors.unauthorized', user: user, action: action, subject: subject)
+      raise Forbidden
+    end
+
+    # Check and see if user is allowed to perform an action on given subject
+    # @param action [Symbol, String]
+    # @param subject [Object, Class]
+    # @return [Boolean]
+    def authorized?(action, subject)
+      policy = Pundit.policy! user, subject
+      ModuleUtils.try_to policy, normalize(action)
+    end
+
+    # Restrict user to assign certain values.
+    #
+    # It will do a lookup in policy's methods and pick the first available method:
+    #
+    # - attributes\_for\_#\{ action \}
+    # - attributes\_for
+    # @param action [Symbol, String]
+    # @param subject [Object]
+    # @return [Hash] field value paired hash that user's allowed to assign
+    def attributes_for(action, subject)
+      policy = Pundit.policy! user, subject
+      value = ModuleUtils.try_to(policy, "attributes_for_#{action}") || ModuleUtils.try_to(policy, 'attributes_for')
+      Rails.logger.warn I18n.t('error.pundit.not_found.attributes_for', subject: subject) unless value
+      value || {}
+    end
+
+    # Restrict user for mass assignment.
+    #
+    # It will do a lookup in policy's methods and pick the first available method:
+    #
+    # - permitted\_attributes\_for\_#\{ action \}
+    # - permitted\_attributes
+    # @param action [Symbol, String]
+    # @param subject [Object]
+    # @return [Array] field list that user's allowed to change.
+    def permit_params(action, subject)
+      policy = Pundit.policy! user, subject
+      # @see https://github.com/varvet/pundit/blob/master/lib/pundit.rb#L258
+      ModuleUtils.try_to(policy, "permitted_attributes_for_#{action}") \
+        || ModuleUtils.try_to(policy, 'permitted_attributes')
+    end
+
+    private
+
+    # Convert action to pundit method name
+    # @param action [Symbol, String]
+    # @return [String] e.g. `create?`
+    def normalize(action)
+      "#{action}?".tr('??', '?')
+    end
+  end
+end

data/lib/concerns/wallaby/authorizable.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+module Wallaby
+  # Authorizer related attributes
+  module Authorizable
+    # Configurable attribute for authorizer related
+    module ClassMethods
+      # @!attribute [w] model_authorizer
+      def model_authorizer=(model_authorizer)
+        ModuleUtils.inheritance_check model_authorizer, application_authorizer
+        @model_authorizer = model_authorizer
+      end
+
+      # @!attribute [r] model_authorizer
+      # If Wallaby doesn't get it right, please specify the **model_authorizer**.
+      # @example To set model authorizer
+      #   class Admin::ProductionsController < Admin::ApplicationController
+      #     self.model_authorizer = ProductAuthorizer
+      #   end
+      # @return [Class] model authorizer
+      # @raise [ArgumentError] when **model_authorizer** doesn't inherit from **application_authorizer**
+      # @see Wallaby::ModelAuthorizer
+      # @since 5.2.0
+      attr_reader :model_authorizer
+
+      # @!attribute [w] application_authorizer
+      def application_authorizer=(application_authorizer)
+        ModuleUtils.inheritance_check model_authorizer, application_authorizer
+        @application_authorizer = application_authorizer
+      end
+
+      # @!attribute [r] application_authorizer
+      # The **application_authorizer** is as the base class of {#model_authorizer}.
+      # @example To set application decorator:
+      #   class Admin::ApplicationController < Wallaby::ResourcesController
+      #     self.application_authorizer = AnotherApplicationAuthorizer
+      #   end
+      # @return [Class] application decorator
+      # @raise [ArgumentError] when **model_authorizer** doesn't inherit from **application_authorizer**
+      # @see Wallaby::ModelAuthorizer
+      # @since 5.2.0
+      def application_authorizer
+        @application_authorizer ||= ModuleUtils.try_to superclass, :application_authorizer
+      end
+    end
+
+    # Model authorizer for current modal class.
+    #
+    #  It can be configured in following class attributes:
+    #
+    # - controller configuration {Wallaby::Authorizable::ClassMethods#model_authorizer .model_authorizer}
+    # - a generic authorizer based on
+    #   {Wallaby::Authorizable::ClassMethods#application_authorizer .application_authorizer}
+    # @return [Wallaby::ModelAuthorizer] model authorizer
+    # @since 5.2.0
+    def current_authorizer
+      @current_authorizer ||=
+        authorizer_of(current_model_class, controller_to_get(:model_authorizer)).tap do |authorizer|
+          Rails.logger.info %(  - Current authorizer: #{authorizer.try(:class)})
+        end
+    end
+
+    # Check if user is allowed to perform action on given subject
+    # @param action [Symbol, String]
+    # @param subject [Object, Class]
+    # @return [true] if allowed
+    # @return [false] if not allowed
+    # @since 5.2.0
+    def authorized?(action, subject)
+      return false unless subject
+
+      klass = subject.is_a?(Class) ? subject : subject.class
+      authorizer_of(klass).authorized? action, subject
+    end
+
+    # Check if user is allowed to perform action on given subject
+    # @param action [Symbol, String]
+    # @param subject [Object, Class]
+    # @return [true] if not allowed
+    # @return [false] if allowed
+    # @since 5.2.0
+    def unauthorized?(action, subject)
+      !authorized? action, subject
+    end
+
+    # @deprecated Use {#current_authorizer} instead. It will be removed from 5.3.*
+    def authorizer
+      Utils.deprecate 'deprecation.authorizer', caller: caller
+      current_authorizer
+    end
+
+    protected
+
+    # @param model_class [Class]
+    # @param authorizer_class [Class, nil]
+    # @return [Wallaby::ModelAuthorizer] model authorizer for given model
+    # @since 5.2.0
+    def authorizer_of(model_class, authorizer_class = nil)
+      authorizer_class ||= Map.authorizer_map(model_class, controller_to_get(:application_authorizer))
+      authorizer_class.try :create, self, model_class
+    end
+  end
+end

data/lib/concerns/wallaby/baseable.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Wallaby
+  # Abstract related class methods
+  module Baseable
+    # Configurable attributes and class methods for marking a class the base class
+    # and skipping {Wallaby::Map Wallaby mapping}
+    module ClassMethods
+      # @return [true] if class is a base class
+      # @return [false] if class is not a base class
+      def base_class?
+        @base_class ||= false
+      end
+
+      # Mark class a base class
+      # @return [true]
+      def base_class!
+        @base_class = true
+      end
+
+      # @!attribute [w] namespace
+      # Used by `model_class`
+      # @since 5.2.0
+      attr_writer :namespace
+
+      # @!attribute [r] namespace
+      # @return [String] namespace
+      # @since 5.2.0
+      def namespace
+        @namespace ||=
+          ModuleUtils.try_to(superclass, :namespace) \
+          || name.deconstantize.gsub(/Wallaby(::)?/, EMPTY_STRING).presence
+      end
+    end
+  end
+end