zeiv-declarative_authorization 1.0.0.pre

data/lib/generators/authorization/install/install_generator.rb

@@ -0,0 +1,77 @@
+require 'rails/generators'
+module Authorization
+  class InstallGenerator < Rails::Generators::Base
+    
+    include Rails::Generators::Migration
+    source_root File.expand_path('../templates', __FILE__)
+
+    argument :name, type: :string, default: "User"
+    argument :attributes, type: :array, default: ['name:string'], banner: "field[:type] field[:type]"
+    class_option :create_user, type: :boolean, default: false, desc: "Creates the defined User model with attributes given."
+    class_option :commit, type: :boolean, default: false, desc: "Performs rake tasks such as migrate and seed."
+    class_option :user_belongs_to_role, type: :boolean, default: false, desc: "Users have only one role, which can inherit others roles."
+
+    def self.next_migration_number dirname
+      if ActiveRecord::Base.timestamped_migrations
+        Time.now.utc.strftime("%Y%m%d%H%M%S")
+      else
+        "%.3d" % (current_migration_number(dirname) + 1)
+      end
+    end
+
+    def install_decl_auth
+      habtm_table_name  = "#{name.pluralize}" <= "Roles" ? "#{name.pluralize}Roles" : "Roles#{name.pluralize}" unless options[:user_belongs_to_role]
+      habtm_file_glob  = "#{name.pluralize}" <= "Roles" ? 'db/migrate/*create_*_roles*' : 'db/migrate/*create_roles_*' unless options[:user_belongs_to_role]
+
+      generate 'model', "#{name} #{attributes.join(' ')}" if options[:create_user]
+      generate 'model', 'Role title:string'
+
+      if options[:user_belongs_to_role]
+        inject_into_file "app/models/#{name.singularize.downcase}.rb", "  belongs_to :role\n", after: "ActiveRecord::Base\n"
+        generate 'migration', "AddRoleIdTo#{name.camelcase} role_id:integer"
+      else
+        generate 'migration', "Create#{habtm_table_name} #{name.downcase}:integer role:integer"
+        gsub_file Dir.glob(habtm_file_glob).last, 'integer', 'references'
+        inject_into_file Dir.glob(habtm_file_glob).last, ", id: false", before: ' do |t|'
+        inject_into_file "app/models/role.rb", "  has_and_belongs_to_many :#{name.downcase.pluralize}\n", after: "ActiveRecord::Base\n"
+        inject_into_file "app/models/#{name.singularize.downcase}.rb", "  has_and_belongs_to_many :roles\n", after: "ActiveRecord::Base\n"
+      end
+
+      rake 'db:migrate' if options[:commit]
+
+      if options[:user_belongs_to_role]
+        inject_into_file "app/models/#{name.singularize.downcase}.rb", before: "\nend" do <<-'RUBY'
+
+
+  def role_symbols
+    [role.title.to_sym]
+  end
+        RUBY
+        end
+      else
+        inject_into_file "app/models/#{name.singularize.downcase}.rb", before: "\nend" do <<-'RUBY'
+
+
+  def role_symbols
+    (roles || []).map {|r| r.title.to_sym}
+  end
+        RUBY
+        end
+      end
+
+      inject_into_file 'db/seeds.rb', after: ".first)\n" do <<-'RUBY'
+
+roles = Role.create([
+  {title: 'admin'},
+  {title: 'user'}
+]) if Role.count == 0
+RUBY
+      end
+
+      rake 'db:seed' if options[:commit]
+
+      generate 'authorization:rules'
+      puts "Please run `rake db:migrate` and `rake db:seed` to finish installing." unless options[:commit]
+    end
+  end
+end

data/lib/generators/authorization/rules/rules_generator.rb

@@ -0,0 +1,14 @@
+require 'rails/generators'
+module Authorization
+  class RulesGenerator < Rails::Generators::Base
+
+    source_root File.expand_path('../templates', __FILE__)
+
+    def copy_auth_rules
+      
+      puts "WARNING - Copying authorization_rules template.  Make sure to back up any existing rules before overwriting."
+
+      copy_file "authorization_rules.rb", "config/authorization_rules.rb"
+    end
+  end
+end

data/lib/generators/authorization/rules/templates/authorization_rules.rb

@@ -0,0 +1,27 @@
+authorization do
+  role :guest do
+    # add permissions for guests here, e.g.
+    # has_permission_on :conferences, :to => :read
+  end
+  
+  # permissions on other roles, such as
+  # role :admin do
+  #   has_permission_on :conferences, :to => :manage
+  # end
+  # role :user do
+  #   has_permission_on :conferences, :to => [:read, :create]
+  #   has_permission_on :conferences, :to => [:update, :delete] do
+  #     if_attribute :user_id => is {user.id}
+  #   end
+  # end
+  # See the readme or GitHub for more examples
+end
+
+privileges do
+  # default privilege hierarchies to facilitate RESTful Rails apps
+  privilege :manage, :includes => [:create, :read, :update, :delete]
+  privilege :read, :includes => [:index, :show]
+  privilege :create, :includes => :new
+  privilege :update, :includes => :edit
+  privilege :delete, :includes => :destroy
+end

data/lib/tasks/authorization_tasks.rake

@@ -0,0 +1,89 @@
+namespace :auth do
+  desc "Lists all privileges used in controllers, views, models"
+  task :used_privileges do
+    # TODO note where privileges are used
+    require File.join(Rails.root, 'config', 'boot.rb')
+    require File.join(Rails.root, 'config', 'environment.rb')
+    controllers = [ApplicationController]
+    Dir.new("#{Rails.root}/app/controllers").entries.each do |controller_file|
+      if controller_file =~ /_controller/ 
+        controllers << controller_file.gsub(".rb","").camelize.constantize
+      end
+    end 
+    perms = controllers.select {|c| c.send(:class_variable_defined?, :@@permissions)}.
+                        inject([]) do |all, c|
+      contr_context = c.name.sub("Controller", "").tableize.to_sym
+      contr_perms = c.send(:class_variable_get, :@@permissions).collect do |cp|
+        [cp.privilege, cp.context || contr_context, cp]
+      end
+      if contr_perms.any? {|cp| cp[0].nil?}
+        contr_perms += c.send(:action_methods).collect {|am| am.to_sym}.
+                         reject {|am| contr_perms.any? {|cp| cp[2].actions.include?(am)}}.
+                         collect {|am| [am, contr_context]}
+      end
+      all += contr_perms.reject {|cp| cp[0].nil?}.collect {|cp| cp[0..1]}
+    end
+
+    model_all = `grep -l "Base\.using_access_control" #{Rails.root}/config/*.rb #{Rails.root}/config/initializers/*.rb`.split("\n")
+    if model_all.count > 0
+      model_files = Dir.glob( "#{Rails.root}/app/models/*.rb").reject do |item|
+        item.match(/_observer\.rb/)
+      end
+    else
+      model_files = `grep -l "^[[:space:]]*using_access_control" #{Rails.root}/app/models/*.rb`.split("\n")
+    end
+    models_with_ac = model_files.collect {|mf| mf.sub(/^.*\//, "").sub(".rb", "").tableize.to_sym}
+    model_security_privs = [:create, :read, :update, :delete]
+    models_with_ac.each {|m| perms += model_security_privs.collect{|msp| [msp, m]}}
+
+    grep_file_pattern = "#{Rails.root}/app/models/*.rb #{Rails.root}/app/views/**/* #{Rails.root}/app/controllers/*.rb"
+    `grep "permitted_to?" #{grep_file_pattern}`.split("\n").each do |ptu|
+      file, grep_match = ptu.split(':', 2)
+      context = privilege = nil
+      if (match = grep_match.match(/permitted_to\?\(?\s*:(\w+),\s*(:?@?\w+)/))
+        privilege = match[1].to_sym
+        if match[2][0..0] == ':'
+          context = match[2][1..-1].to_sym
+        else
+          c = (match[2][0..0] == '@' ? match[2][1..-1] : match[2]).pluralize.to_sym
+          context = c if perms.any? {|p| p[1] == c}
+        end
+      end
+      if privilege.nil? or context.nil?
+        puts "Could not handle: #{ptu}"
+      else
+        perms << [privilege, context]
+      end
+    end
+    
+    `grep ".with_permissions_to" #{grep_file_pattern}`.split("\n").each do |wpt|
+      file, grep_match = wpt.split(':', 2)
+      context = privilege = nil
+      if match = grep_match.match(/(\w+\.)?with_permissions_to(\(:\w+)?/)
+        c = match[1][0..-2].tableize.to_sym if match[1]
+        c ||= File.basename(file, '.rb').tableize.to_sym
+        context = c if perms.any? {|p| p[1] == c}
+        privilege = match[2] && match[2][(match[2][0..0]=='(' ? 2 : 1)..-1].to_sym
+        privilege ||= :read
+      end
+      if privilege.nil? or context.nil?
+        puts "Could not handle: #{wpt}"
+      else
+        perms << [privilege, context]
+      end
+    end
+    
+    perms.uniq!
+    perm_hash = {}
+    perms.each do |cp| 
+      perm_hash[cp[1]] ||= []
+      perm_hash[cp[1]] << cp[0]
+    end
+
+    puts "Privileges currently in use:"
+    perm_hash.each do |context, privileges|
+      puts "  #{context.inspect}:\t#{privileges.collect {|p| p.inspect}.sort * ', '}"
+      #privileges.collect {|p| p.inspect}.sort.each {|p| puts "  #{p}"}
+    end
+  end
+end

data/test/authorization_test.rb

@@ -0,0 +1,1124 @@
+require 'test_helper'
+
+class AuthorizationTest < Test::Unit::TestCase
+  
+  def test_permit
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions, 
+      :user => MockUser.new(:test_role, :test_role_2))
+    assert !engine.permit?(:test_2, :context => :permissions_2, 
+      :user => MockUser.new(:test_role))
+    assert !engine.permit?(:test, :context => :permissions, 
+      :user => MockUser.new(:test_role_2))
+  end
+  
+  def test_permit_context_people
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :people, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :people, 
+      :user => MockUser.new(:test_role))
+  end
+
+  def test_permit_with_has_omnipotence
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :admin do
+          has_omnipotence
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :people,
+      :user => MockUser.new(:admin))
+  end
+
+  def test_permit_multiple_contexts
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on [:permissions, :permissions_2], :to => :test
+          has_permission_on :permissions_4, :permissions_5, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions, 
+      :user => MockUser.new(:test_role))
+    assert engine.permit?(:test, :context => :permissions_2, 
+      :user => MockUser.new(:test_role))
+    assert !engine.permit?(:test, :context => :permissions_3, 
+      :user => MockUser.new(:test_role))
+      
+    assert  engine.permit?(:test, :context => :permissions_4, :user => MockUser.new(:test_role))
+    assert  engine.permit?(:test, :context => :permissions_5, :user => MockUser.new(:test_role))
+  end
+
+  def test_permit_with_frozen_roles
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :other_role do
+          includes :test_role
+        end
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    roles = [:other_role].freeze
+    assert_nothing_raised do
+      assert engine.permit?(:test, :context => :permissions,
+        :user => MockUser.new(:role_symbols => roles))
+    end
+  end
+  
+  def test_obligations_without_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{}], engine.obligations(:test, :context => :permissions, 
+      :user => MockUser.new(:test_role))
+  end
+  
+  def test_obligations_with_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => [:is, 1]}], 
+      engine.obligations(:test, :context => :permissions, 
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+
+  def test_obligations_with_omnipotence
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :admin do
+          has_omnipotence
+        end
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :admin, :attr => 1))
+  end
+
+  def test_obligations_with_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :attr => is { user.attr }
+            if_attribute :attr_2 => is { user.attr_2 }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => [:is, 1], :attr_2 => [:is, 2]}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :attr => 1, :attr_2 => 2))
+  end
+
+  def test_obligations_with_deep_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :attr => { :deeper_attr => is { user.deeper_attr }}
+            if_attribute :attr => { :deeper_attr_2 => is { user.deeper_attr_2 }}
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attr => { :deeper_attr => [:is, 1], :deeper_attr_2 => [:is, 2] } }],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :deeper_attr => 1, :deeper_attr_2 => 2))
+  end
+
+  def test_obligations_with_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attrs => { :deeper_attr => is { user.deeper_attr } }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:attrs => {:deeper_attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permissions,
+          :user => MockUser.new(:test_role, :deeper_attr => 1))
+  end
+  
+  def test_obligations_with_conditions_and_empty
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{}, {:attr => [:is, 1]}], 
+      engine.obligations(:test, :context => :permissions, 
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+
+  def test_obligations_with_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permission, :context => :permissions
+          end
+          has_permission_on :permission_children_2, :to => :test do
+            if_permitted_to :test, :permission
+          end
+          has_permission_on :permission_children_children, :to => :test do
+            if_permitted_to :test, :permission_child => :permission,
+                            :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:permission => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permission => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children_2,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}}],
+      engine.obligations(:test, :context => :permission_children_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+
+  def test_obligations_with_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { user.attr }
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permissions, :context => :permissions
+          end
+          has_permission_on :permission_children_2, :to => :test do
+            if_permitted_to :test, :permissions
+          end
+          has_permission_on :permission_children_children, :to => :test do
+            if_permitted_to :test, :permission_child => :permissions,
+                            :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:permissions => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permissions => {:attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children_2,
+          :user => MockUser.new(:test_role, :attr => 1))
+    assert_equal [{:permission_child => {:permissions => {:attr => [:is, 1]}}}],
+      engine.obligations(:test, :context => :permission_children_children,
+          :user => MockUser.new(:test_role, :attr => 1))
+  end
+
+  def test_obligations_with_permissions_multiple
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => is { 1 }
+            if_attribute :attr => is { 2 }
+          end
+          has_permission_on :permission_children_children, :to => :test do
+            if_permitted_to :test, :permission_child => :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_equal [{:permission_child => {:permission => {:attr => [:is, 1]}}},
+        {:permission_child => {:permission => {:attr => [:is, 2]}}}],
+      engine.obligations(:test, :context => :permission_children_children,
+          :user => MockUser.new(:test_role))
+  end
+
+  def test_obligations_with_permissions_and_anded_conditions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permission_children, :to => :test, :join_by => :and do
+            if_permitted_to :test, :permission
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    assert_equal [{:test_attr => [:is, 1], :permission => {:test_attr => [:is, 1]}}],
+      engine.obligations(:test, :context => :permission_children,
+          :user => MockUser.new(:test_role))
+  end
+  
+  def test_guest_user
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :guest do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions)
+    assert !engine.permit?(:test, :context => :permissions_2)
+  end
+  
+  def test_default_role
+    previous_default_role = Authorization.default_role
+    Authorization.default_role = :anonymous
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :anonymous do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions)
+    assert !engine.permit?(:test, :context => :permissions, 
+      :user => MockUser.new(:guest))
+    # reset the default role, so that it does not mess up other tests
+    Authorization.default_role = previous_default_role
+  end
+  
+  def test_invalid_user_model
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :guest do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_raise(Authorization::AuthorizationUsageError) do
+      engine.permit?(:test, :context => :permissions, :user => MockUser.new(1, 2))
+    end
+    assert_raise(Authorization::AuthorizationUsageError) do
+      engine.permit?(:test, :context => :permissions, :user => MockDataObject.new)
+    end
+  end
+  
+  def test_role_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          includes :lower_role
+          has_permission_on :permissions, :to => :test
+        end
+        role :lower_role do
+          has_permission_on :permissions, :to => :lower
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:lower, :context => :permissions, 
+      :user => MockUser.new(:test_role))
+  end
+    
+  def test_role_hierarchy_infinity
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          includes :lower_role
+          has_permission_on :permissions, :to => :test
+        end
+        role :lower_role do
+          includes :higher_role
+          has_permission_on :permissions, :to => :lower
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:lower, :context => :permissions, 
+      :user => MockUser.new(:test_role))
+  end
+  
+  def test_privilege_hierarchy
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :test, :permissions do
+          includes :lower
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:lower, :context => :permissions, 
+      :user => MockUser.new(:test_role))
+  end
+  
+  def test_privilege_hierarchy_without_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      privileges do
+        privilege :read do
+          includes :list, :show
+        end
+      end
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :read
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:list, :context => :permissions, 
+      :user => MockUser.new(:test_role))
+  end
+  
+  def test_attribute_is
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 3))
+    assert((not(engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+
+  def test_attribute_is_not
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is_not { user.test_attr }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1))
+  end
+  
+  def test_attribute_contains
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => contains { user.test_attr }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+    assert !engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role, :test_attr => 3),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+  end
+
+  def test_attribute_does_not_contain
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => does_not_contain { user.test_attr }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 3),
+              :object => MockDataObject.new(:test_attr => [1,2]))
+  end
+  
+  def test_attribute_in_array
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is_in { [1,2] }
+            if_attribute :test_attr => [2,3]
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 3))
+    assert !engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 4))
+  end
+
+  def test_attribute_not_in_array
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => is_not_in { [1,2] }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 4))
+  end
+
+  def test_attribute_intersects_with
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => intersects_with { [1,2] }
+          end
+        end
+        role :test_role_2 do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => intersects_with { 1 }
+          end
+        end
+      end
+    }
+
+    engine = Authorization::Engine.new(reader)
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => 1 ))
+    end
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role_2),
+              :object => MockDataObject.new(:test_attrs => [1, 2] ))
+    end
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => [1,3] ))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attrs => [3,4] ))
+  end
+  
+  def test_attribute_lte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => lte { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object < user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object > user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object > user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2)))))
+  end
+
+  def test_attribute_gt
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => gt { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object > user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2))
+    # object < user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 4),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1)))))
+    # object < user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+
+  def test_attribute_gte
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => gte { user.test_attr }
+            if_attribute :test_attr => 3
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    # object > user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 2))
+    # object < user && object = control -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 4),
+              :object => MockDataObject.new(:test_attr => 3))
+    # object = user -> pass
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 1),
+              :object => MockDataObject.new(:test_attr => 1))
+    # object < user -> fail
+    assert((not(engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role, :test_attr => 2),
+              :object => MockDataObject.new(:test_attr => 1)))))
+  end
+
+  def test_attribute_deep
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr_1 => {:test_attr_2 => contains { 1 }}
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr_1 =>
+                    MockDataObject.new(:test_attr_2 => [1,2])))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr_1 =>
+                    MockDataObject.new(:test_attr_2 => [3,4])))
+    assert_equal [{:test_attr_1 => {:test_attr_2 => [:contains, 1]}}], 
+      engine.obligations(:test, :context => :permissions, 
+          :user => MockUser.new(:test_role))
+  end
+
+  def test_attribute_has_many
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :companies, :to => :read do
+            if_attribute :branches => {:city => is { user.city } }
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+
+    company = MockDataObject.new(:branches => [
+        MockDataObject.new(:city => 'Barcelona'),
+        MockDataObject.new(:city => 'Paris')
+      ])
+    assert engine.permit!(:read, :context => :companies,
+              :user => MockUser.new(:test_role, :city => 'Paris'),
+              :object => company)
+    assert !engine.permit?(:read, :context => :companies,
+              :user => MockUser.new(:test_role, :city => 'London'),
+              :object => company)
+  end
+  
+  def test_attribute_non_block
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %|
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    |
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert !engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 2))
+  end
+  
+  def test_attribute_multiple
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+            if_attribute :test_attr => 2  # or
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1))
+    assert engine.permit?(:test, :context => :permissions, 
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 2))
+  end
+
+  class PermissionMock < MockDataObject
+    def self.name
+      "Permission"
+    end
+  end
+  def test_attribute_with_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_2))
+  end
+
+  def test_attribute_with_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permissions => [perm_data_attr_1]))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permissions => [perm_data_attr_2]))
+  end
+
+  def test_attribute_with_deep_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :shallow_permission => :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permission =>
+                MockDataObject.new(:permission => perm_data_attr_1)))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permission =>
+                MockDataObject.new(:permission => perm_data_attr_2)))
+  end
+
+  def test_attribute_with_deep_has_many_permissions
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :shallow_permissions => :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permissions =>
+                [MockDataObject.new(:permission => perm_data_attr_1)]))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:shallow_permissions =>
+                [MockDataObject.new(:permission => perm_data_attr_2)]))
+  end
+
+  def test_attribute_with_permissions_nil
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test do
+            if_permitted_to :test, :permission
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    assert_nothing_raised do
+      engine.permit?(:test, :context => :permission_children,
+                :user => MockUser.new(:test_role),
+                :object => MockDataObject.new(:permission => nil))
+    end
+    
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => nil))
+  end
+
+  def test_attribute_with_permissions_on_self
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :another_test do
+            if_permitted_to :test
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_1)
+    assert !engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_2)
+  end
+
+  def test_attribute_with_permissions_on_self_with_context
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permissions, :to => :another_test do
+            if_permitted_to :test, :context => :permissions
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_1)
+    assert !engine.permit?(:another_test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => perm_data_attr_2)
+  end
+
+  def test_attribute_with_permissions_and_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attr => 1
+          end
+          has_permission_on :permission_children, :to => :test, :join_by => :and do
+            if_permitted_to :test, :permission
+            if_attribute :test_attr => 1
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    perm_data_attr_1 = PermissionMock.new({:test_attr => 1})
+    perm_data_attr_2 = PermissionMock.new({:test_attr => 2})
+    assert engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_2, :test_attr => 1))
+    assert !engine.permit?(:test, :context => :permission_children,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:permission => perm_data_attr_1, :test_attr => 2))
+  end
+
+  def test_attribute_with_anded_rules
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test, :join_by => :and do
+            if_attribute :test_attr => 1
+            if_attribute :test_attr_2 => 2
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+
+    assert engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 2))
+    assert !engine.permit?(:test, :context => :permissions,
+              :user => MockUser.new(:test_role),
+              :object => MockDataObject.new(:test_attr => 1, :test_attr_2 => 3))
+  end
+  
+  def test_raise_on_if_attribute_hash_on_collection
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :test_attrs => {:attr => is {1}}
+          end
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert_raise Authorization::AuthorizationUsageError do
+      engine.permit?(:test, :context => :permissions,
+                     :user => MockUser.new(:test_role),
+                     :object => MockDataObject.new(:test_attrs => [1, 2, 3]))
+    end
+  end
+  
+  def test_role_title_description
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role, :title => 'Test Role' do
+          description "Test Role Description"
+        end
+      end
+    }
+    engine = Authorization::Engine.new(reader)
+    assert engine.roles.include?(:test_role)
+    assert_equal "Test Role", engine.role_titles[:test_role]
+    assert_equal "Test Role", engine.title_for(:test_role)
+    assert_nil engine.title_for(:test_role_2)
+    assert_equal "Test Role Description", engine.role_descriptions[:test_role]
+    assert_equal "Test Role Description", engine.description_for(:test_role)
+    assert_nil engine.description_for(:test_role_2)
+  end
+  
+  def test_multithread
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test
+        end
+      end
+    }
+    
+    engine = Authorization::Engine.new(reader)
+    Authorization.current_user = MockUser.new(:test_role)
+    assert engine.permit?(:test, :context => :permissions)
+    Thread.new do
+      Authorization.current_user = MockUser.new(:test_role2)
+      assert !engine.permit?(:test, :context => :permissions)
+    end
+    assert engine.permit?(:test, :context => :permissions)
+    Authorization.current_user = nil
+  end
+
+  def test_clone
+    reader = Authorization::Reader::DSLReader.new
+    reader.parse %{
+      authorization do
+        role :test_role do
+          has_permission_on :permissions, :to => :test do
+            if_attribute :attr => { :sub_attr => is { user } }
+            if_permitted_to :read, :attr_2 => :attr_3
+            if_permitted_to :read, :attr_2
+          end
+        end
+      end
+    }
+
+    engine = Authorization::Engine.new(reader)
+    cloned_engine = engine.clone
+    assert_not_equal engine.auth_rules.first.contexts.object_id,
+        cloned_engine.auth_rules.first.contexts.object_id
+    assert_not_equal engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id,
+        cloned_engine.auth_rules.first.attributes.first.send(:instance_variable_get, :@conditions_hash)[:attr].object_id
+  end
+end
+