ya_acl 0.0.6

data/.gitignore

@@ -0,0 +1,8 @@
+pkg/*
+*.gem
+.bundle
+nbproject
+.idea
+Gemfile.lock
+*.swo
+*.swp

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in ya_acl.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2010 Kirill Mokevnin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,84 @@
+== ya_acl
+
+Ya_Acl - реализация списка прав доступа (ACL).
+
+Ya_Acl представляет собой самостоятельный объект посредством которого производятся все проверки.
+Это значит что он не привязан к фреймворкам и это руководство предлагает только один из возможных путей использования этого компонента.
+
+=== Установка
+
+    gem install ya_acl
+
+=== Основные понятия
+
+Ресурс - объект, доступ к которому контролируется.
+Привилегия - действие совершаемое над ресурсом.
+Роль - объект, который может запрашивать доступ к ресурсу.
+
+Роль(роли) запрашивает доступ к привилегии ресурса.
+Например ресурс "пользователь" может иметь привилегию "создать".
+
+=== Начальные условия
+
+- По умолчанию все запрещено. И по ходу можно только выставлять разрешения, но не запреты.
+- Все ресурсы должны быть добавлены в acl (в противном случае получите исключение).
+
+=== Основные возможности
+
+Assert - динамические проверки, например, является ли залогиненый пользователь владельцем этого объекта.
+Проверки могут ставиться на конкретные роли для текущей привилегии, а не просто "на привилегию".
+Владение несколькими ролями. Если хотя бы одной из ролей пользователя разрешен доступ к привилегии ресурса, то доступ открыт.
+Роль с глобальным доступом ко всем ресурсам. Передается аргументом в метод билдера "resources".
+Наследование ролей для ресурсов. То есть мы можем определить роли которым автоматически станут доступны все привилегии ресурса.
+
+=== Порядок выполнения проверок на доступность к привилегии ресурса
+
+1. Если ни одна из переданных ролей не имеет доступа к привилегии ресурса, то доступ запрещается.
+2. Для каждой роли, имеющий доступ к привилегии, проверяются проверки предназначенные для этой роли. Если хотя бы для одной роли прошли все проверки, то доступ разрешается.
+
+=== Workflow
+
+В начале необходимо проинициализировать объект acl.
+Для этого необходимо создать файл (структура ниже) который будет загружаться при старте приложения. Хотя в development среде вы можете захотеть подгружать его при каждом запросе для удобства разработки.
+
+    YaAcl::Builder.build do
+      roles do # Роли
+        role :admin
+        role :editor
+        role :operator
+      end
+
+      asserts do # Проверки
+        assert :assert_name, [:current_user_id, :another_user_id] do
+          current_user_id == another_user_id
+        end
+
+        assert :another_assert_name, [:current_user_id, :another_user_id] do
+          current_user_id != another_user_id
+        end
+      end
+
+      resources :admin do # Ресурсы и роль которой доступно все
+        resource 'UserController', [:editor] do # Ресурс и роли которым доступны все привилегии данного ресурса
+          privilege :index, [:operator] # доступно для :admin, :editor, :operator
+          privilege :edit # доступно для :admin, :editor
+          privilege :new do
+            assert :assert_name, [:editor] # Эта проверка будет вызвана только для роли :editor
+            assert :another_assert_name # Эта проверка будет вызвана для ролей :admin, :editor
+          end
+        end
+      end
+    end
+
+После этого будет доступен объект acl через YaAcl::Acl.instance.
+
+    acl = YaAcl::Acl.instance
+
+    acl.allow?('UserController', :index, [:editor, :opeartor]) # true
+    acl.allow?('UserController', :edit, [:editor, :opeartor]) # true
+    acl.allow?('UserController', :edit, [:opeartor]) # false
+    acl.allow?('UserController', :new, [:admin], :current_user_id => 1, :another_user_id => 1) # true
+    acl.allow?('UserController', :new, [:editor], :current_user_id => 1, :another_user_id => 2) # false
+
+    acl#check - возвращает объект результата YaAcl::Result
+    acl#check! - возвращает true или бросает исключение

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/lib/ya_acl/acl.rb

@@ -0,0 +1,125 @@
+module YaAcl
+
+  class AccessDeniedError < StandardError ; end
+  class AssertAccessDeniedError < AccessDeniedError ; end
+
+  class Acl
+
+    attr_reader :roles, :resources, :asserts
+
+    class << self
+      def instance
+        @@acl
+      end
+
+      def instance=(v)
+        @@acl = v
+      end
+    end
+
+    def initialize()
+      @acl = {}
+    end
+
+    def add_role(role)
+      @roles ||= {}
+      @roles[role.name] = role
+    end
+
+    def role(role_name)
+      if !defined?(@roles) || !@roles[role_name.to_sym]
+        raise ArgumentError, "#Role '#{role_name}' doesn't exists"
+      end
+      @roles[role_name.to_sym]
+    end
+    
+    def add_resource(resource)
+      @resources ||= {}
+      @resources[resource.name] = resource
+    end
+
+    def resource(resource_name)
+      if !defined?(@resources) || !@resources[resource_name.to_sym]
+        raise ArgumentError, "#Resource '#{resource_name}' doesn't exists"
+      end
+      @resources[resource_name.to_sym]
+    end
+
+    def privilege(resource_name, privilege_name)
+      r = resource(resource_name)
+      p = privilege_name.to_sym
+      unless @acl[r.name][p]
+        raise ArgumentError, "Undefine privilege '#{privilege_name}' for resource '#{resource_name}'"
+      end
+
+      @acl[r.name][p]
+    end
+
+    def add_assert(assert)
+      @asserts ||= {}
+      @asserts[assert.name] = assert
+    end
+
+    def assert(assert_name)
+      if !defined?(@asserts) || !@asserts[assert_name.to_sym]
+        raise ArgumentError, "#Assert '#{assert_name}' doesn't exists"
+      end
+      @asserts[assert_name.to_sym]
+    end
+
+    def allow(resource_name, privilege_name, role_name, assert_name = nil)
+      resource  = resource(resource_name).name
+      privilege = privilege_name.to_sym
+      role      = role(role_name).name
+
+      @acl[resource] ||= {}
+      @acl[resource][privilege] ||= {}
+      @acl[resource][privilege][role] ||= {}
+      if assert_name
+        assert = assert(assert_name)
+        @acl[resource][privilege][role][assert.name] = assert
+      end
+    end
+
+    def check(resource_name, privilege_name, roles = [], params = {})
+      a_l = privilege(resource_name, privilege_name)
+      roles_for_check = a_l.keys & roles.map(&:to_sym)
+      return Result.new(false) if roles_for_check.empty? # return
+
+      role_for_result = nil
+      assert_for_result = nil
+      roles_for_check.each do |role|
+        role_for_result = role
+        asserts = a_l[role]
+        return Result.new if asserts.empty? #return
+        result = true
+        asserts.values.each do |assert|
+          assert_for_result = assert
+          result = assert.allow?(params)
+          break unless result
+        end
+        if result
+          return Result.new # return
+        end
+      end
+
+      Result.new(false, role_for_result, assert_for_result) # return
+    end
+
+    def allow?(resource_name, privilege_name, roles = [], params = {})
+      check(resource_name, privilege_name, roles, params).status
+    end
+
+    def check!(resource_name, privilege_name, roles = [], params = {})
+      result = check(resource_name, privilege_name, roles, params)
+      return true if result.status
+      
+      message = "Access denied for '#{resource_name}', privilege '#{privilege_name}'"
+      if result.assert
+        raise AssertAccessDeniedError, message + ", role '#{result.role}' and assert '#{result.assert.name}'"
+      else
+        raise AccessDeniedError, message + " and roles '#{roles.inspect}'"
+      end
+    end
+  end
+end

data/lib/ya_acl/assert.rb

@@ -0,0 +1,27 @@
+module YaAcl
+  class Assert
+    attr_reader :name
+    
+    def initialize(name, param_names, &block)
+      @name = name.to_sym
+      @param_names = param_names
+      @block = block
+
+      @param_names.each do |name|
+        self.class.send :attr_accessor, name
+      end
+    end
+
+    def allow?(params)
+      if @param_names != (@param_names & params.keys)
+        raise "Params for assert '#{name}': #{@param_names.inspect}"
+      end
+
+      @param_names.each do |name|
+        self.send "#{name}=", params[name]
+      end
+      
+      instance_eval &@block
+    end
+  end
+end

data/lib/ya_acl/builder.rb

@@ -0,0 +1,92 @@
+module YaAcl
+  class Builder
+    attr_accessor :acl
+
+    def self.build &block
+      builder = new
+      builder.instance_eval &block
+      builder.acl.freeze
+      Acl.instance = builder.acl
+    end
+
+    def initialize
+      self.acl = Acl.new
+    end
+
+    def roles(&block)
+      instance_eval &block
+    end
+
+    def role(name, options = {})
+      acl.add_role Role.new(name, options)
+    end
+
+    def asserts(&block)
+      instance_eval &block
+    end
+
+    def assert(name, param_names, &block)
+      acl.add_assert Assert.new(name, param_names, &block)
+    end
+
+    def resources(allow, &block)
+      @global_allow_role = allow
+      instance_eval &block
+    end
+
+    def resource(name, allow_roles = [], &block)
+      raise ArgumentError, 'Options "allow_roles" must be Array' unless allow_roles.is_a? Array
+      resource_allow_roles = allow_roles << @global_allow_role
+      resource = Resource.new(name)
+      acl.add_resource resource
+      PrivilegeProxy.new(resource.name, resource_allow_roles, acl, block)
+    end
+
+    class PrivilegeProxy
+      def initialize(name, allow_roles, acl, block)
+        @resource_name = name
+        @allow_roles = allow_roles
+        @acl = acl
+        instance_eval &block
+      end
+
+      def privilege(privilege_name, roles = [], &asserts_block)
+        all_allow_roles = roles | @allow_roles
+
+        asserts = {}
+        if block_given?
+          proxy = PrivilegeAssertProxy.new(asserts_block, all_allow_roles)
+          asserts = proxy.asserts
+        end
+        
+        all_allow_roles.each do |role|
+          if asserts[role]
+            asserts[role].each do |assert|
+              @acl.allow(@resource_name, privilege_name, role, assert)
+            end
+          else
+            @acl.allow(@resource_name, privilege_name, role, nil)
+          end
+        end
+      end
+    end
+
+    class PrivilegeAssertProxy
+      attr_reader :asserts
+      
+      def initialize(block, all_allow_roles)
+        @all_allow_roles = all_allow_roles
+        @asserts = {}
+        instance_eval &block
+      end
+
+      def assert(name, roles = [])
+        roles = @all_allow_roles unless roles.any?
+        roles.each do |role|
+          @asserts[role] ||= []
+          @asserts[role] << name
+        end
+      end
+    end
+  end
+end

data/lib/ya_acl/resource.rb

@@ -0,0 +1,9 @@
+module YaAcl
+  class Resource
+    attr_reader :name
+    
+    def initialize(name)
+      @name = name.to_sym
+    end
+  end
+end

data/lib/ya_acl/result.rb

@@ -0,0 +1,11 @@
+module YaAcl
+  class Result
+    attr_reader :status, :assert, :role
+
+    def initialize(status = true, role = nil, assert = nil)
+      @status = status
+      @assert = assert
+      @role   = role
+    end
+  end
+end

data/lib/ya_acl/role.rb

@@ -0,0 +1,13 @@
+module YaAcl
+  class Role
+    attr_reader :name, :options
+    def initialize(name, options = {})
+      @name = name.to_sym
+      @options = options
+    end
+
+    def to_s
+      self.name
+    end
+  end
+end

data/lib/ya_acl/version.rb

@@ -0,0 +1,3 @@
+module YaAcl
+  VERSION = "0.0.6"
+end

data/lib/ya_acl.rb

@@ -0,0 +1,6 @@
+require 'ya_acl/acl'
+require 'ya_acl/builder'
+require 'ya_acl/role'
+require 'ya_acl/resource'
+require 'ya_acl/assert'
+require 'ya_acl/result'

data/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'ya_acl'

data/spec/ya_acl/acl_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe YaAcl::Acl do
+
+  before do
+    @acl = YaAcl::Acl.new
+    @acl.add_resource(YaAcl::Resource.new(:name))
+
+    @acl.add_role YaAcl::Role.new(:admin)
+    @acl.add_role YaAcl::Role.new(:moderator)
+    @acl.add_role YaAcl::Role.new(:editor)
+    @acl.add_role YaAcl::Role.new(:member)
+    @acl.add_role YaAcl::Role.new(:guest)
+
+    assert = YaAcl::Assert.new :assert, [:object_user_id, :user_id] do
+      object_user_id == user_id
+    end
+    
+    @acl.add_assert assert
+  end
+
+  it 'should be work allow?' do
+    @acl.allow :name, :index, :admin
+    @acl.allow :name, :index, :member
+    @acl.allow :name, :update, :admin
+
+    @acl.allow?(:name, :index, [:admin]).should be_true
+    @acl.allow?(:name, :index, [:nobody, :admin]).should be_true
+    @acl.allow?(:name, :index, [:nobody, :another_nobody]).should be_false
+    @acl.allow?(:name, 'index', ['nobody']).should be_false
+    @acl.allow?(:name, :index, [:guest]).should be_false
+  end
+
+  it 'should be work allow? with assert' do
+    @acl.allow :name, :index, :admin
+    @acl.allow :name, :index, :guest, :assert
+    @acl.allow :name, :index, :member, :assert
+
+
+    @acl.allow?(:name, :index, [:guest], :object_user_id => 3, :user_id => 4).should be_false
+    @acl.allow?(:name, :index, [:guest], :object_user_id => 3, :user_id => 3).should be_true
+  end
+
+  it 'should be work with roles' do
+    assert = YaAcl::Assert.new :another_assert, [:var] do
+      var
+    end
+    @acl.add_assert assert
+    @acl.allow :name, :index, :admin
+    @acl.allow :name, :empty, :admin
+    @acl.allow :name, :index, :guest, :another_assert
+
+    @acl.allow?(:name, :empty, [:guest, :admin]).should be_true
+    @acl.allow?(:name, :index, [:guest, :admin], :var => false).should be_true
+  end
+end

data/spec/ya_acl/builder_spec.rb

@@ -0,0 +1,146 @@
+require 'spec_helper'
+
+describe YaAcl::Builder do
+  it 'should be add role' do
+    acl = YaAcl::Builder.build do
+      roles do
+        role :admin, :name => 'Administrator'
+      end
+    end
+    
+    acl.role(:admin).should_not be_nil
+  end
+
+  it 'should be add resource' do
+    acl = YaAcl::Builder.build do
+      roles do
+        role :admin
+        role :another_admin
+        role :user
+        role :operator
+      end
+
+      asserts do
+        assert :first_assert, [:param, :param2] do
+          param == param2
+        end
+
+        assert :another_assert, [:param, :param2] do
+          param != param2
+        end
+      end
+
+      resources :admin do
+        resource :name, [:another_admin] do
+          privilege :index, [:operator]
+          privilege :show, [:operator]
+          privilege :edit
+          privilege :with_assert, [:operator] do
+            assert :first_assert
+            assert :another_assert, [:admin]
+          end
+        end
+      end
+    end
+    
+    acl.check!(:name, :index, [:admin]).should be_true
+    acl.check!(:name, :index, [:another_admin]).should be_true
+    acl.check!(:name, :index, [:operator]).should be_true
+
+    acl.allow?(:name, :show, [:admin]).should be_true
+    acl.allow?(:name, :show, [:user]).should be_false
+    acl.allow?(:name, :show, [:operator]).should be_true
+    acl.allow?(:name, :edit, [:operator]).should be_false
+  end
+
+  it 'should be raise exception for unknown role in privilegy' do
+    lambda {
+      YaAcl::Builder.build do
+        roles do
+          role :admin, :name => 'Administrator'
+        end
+        resources :admin do
+          resource 'resource' do
+            privilege :index, [:operator]
+          end
+        end
+      end
+    }.should raise_exception(ArgumentError)
+  end
+
+  it 'should be raise exception for unknown role in resource' do
+    lambda {
+      YaAcl::Builder.build do
+        roles do
+          role :admin, :name => 'Administrator'
+          role :operator
+        end
+
+        resources :admin do
+          resource 'resource', [:another_admin] do
+            privilege :index, [:opeartor]
+          end
+        end
+      end
+    }.should raise_exception(ArgumentError)
+  end
+
+  it 'should be work with asserts' do
+    acl = YaAcl::Builder.build do
+      roles do
+        role :admin
+        role :another_user
+        role :editor
+        role :operator
+      end
+
+      asserts do
+        assert :first, [:var] do
+          var
+        end
+
+        assert :another, [:first] do
+          statuses = [1, 2]
+          statuses.include? first
+        end
+
+        assert :another2, [:first] do
+          !!first
+        end
+
+        assert :another3, [:first] do
+          statuses = [1, 2]
+          statuses.include? first
+        end
+
+        assert :another4, [:first, :second] do
+          first == second
+        end
+      end
+
+      resources :admin do
+        resource :name, [:editor, :operator] do
+          privilege :create do
+            assert :first, [:admin, :another_user]
+          end
+          privilege :update do
+            assert :another, [:editor]
+            assert :another2, [:editor, :operator]
+            assert :another3, [:operator]
+            assert :another4, [:operator]
+          end
+        end
+      end
+    end
+
+    acl.allow?(:name, :update, [:another_user]).should be_false
+    acl.allow?(:name, :update, [:editor], :first => true, :second => false).should be_false
+    acl.allow?(:name, :update, [:editor], :first => false, :second => true).should be_false
+    acl.allow?(:name, :update, [:editor], :first => 1, :second => true).should be_true
+    acl.check!(:name, :create, [:admin], :var => 2).should be_true
+    acl.allow?(:name, :update, [:editor], :first => 3, :second => false).should be_false
+    acl.allow?(:name, :update, [:operator], :first => true, :second => true).should be_false
+    acl.allow?(:name, :update, [:operator], :first => 1, :second => 1).should be_true
+    acl.allow?(:name, :update, [:operator], :first => 3, :second => 3).should be_false
+  end
+end

data/spec/ya_acl/role_spec.rb

@@ -0,0 +1,10 @@
+require 'spec_helper'
+
+describe YaAcl::Role do
+  it 'should be instance' do
+    options = {:name => 'Administrator'}
+    role = YaAcl::Role.new :admin, options
+    role.name.should == :admin
+    role.options.should == options
+  end
+end

data/spec/ya_acl_spec.rb

@@ -0,0 +1,7 @@
+require "ya_acl"
+
+describe YaAcl do
+  before do
+    @acl = YaAcl::Acl.new
+  end
+end

data/ya_acl.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "ya_acl/version"
+
+Gem::Specification.new do |s|
+  s.name        = "ya_acl"
+  s.version     = YaAcl::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Mokevnin Kirill"]
+  s.email       = ["mokevnin@gmail.com"]
+  s.homepage    = "http://github.com/mokevnin/ya_acl"
+  s.summary     = %q{Yet Another ACL}
+  s.description = %q{Yet Another ACL}
+
+#  s.rubyforge_project = "ya_acl"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+end

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification
+name: ya_acl
+version: !ruby/object:Gem::Version
+  version: 0.0.6
+  prerelease: 
+platform: ruby
+authors:
+- Mokevnin Kirill
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-02-21 00:00:00.000000000 Z
+dependencies: []
+description: Yet Another ACL
+email:
+- mokevnin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.rdoc
+- Rakefile
+- lib/ya_acl.rb
+- lib/ya_acl/acl.rb
+- lib/ya_acl/assert.rb
+- lib/ya_acl/builder.rb
+- lib/ya_acl/resource.rb
+- lib/ya_acl/result.rb
+- lib/ya_acl/role.rb
+- lib/ya_acl/version.rb
+- spec/spec_helper.rb
+- spec/ya_acl/acl_spec.rb
+- spec/ya_acl/builder_spec.rb
+- spec/ya_acl/role_spec.rb
+- spec/ya_acl_spec.rb
+- ya_acl.gemspec
+homepage: http://github.com/mokevnin/ya_acl
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: Yet Another ACL
+test_files: []