zero_authorization 1.0.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c71ff5e0e8ab8e104e78ba8c1c3c86528a552a5c
-  data.tar.gz: 9d960e3adbe023f1bbcf1321642cbc2a5d1a54aa
+  metadata.gz: e1890303102d3d41dea0c99df76d07cc731bfc1c
+  data.tar.gz: 337d2c4103dc0a5c099c642394296b9b86ae5c70
 SHA512:
-  metadata.gz: 6b88ea53e319c66c3d04c116563df6af81375217d4934f135668fca7839dccba1467fb9450c6177e5e52fd969f752ac8cf6fb0c79a0fc6bba82f7af4643b0aad
-  data.tar.gz: a8d2a23fab3871be610f7296c2b3fae38a6e027d6c63caf667d4bfbfe957aa73b77371c76e5c7421aab4734f853603fd264c643262196a6b825cbe09d61ae9a3
+  metadata.gz: 6adf012cb827cb91b5da8e96d52e375d2c8b14b1ebaf7ec8ba77c39ca1dd66d14c0b6fd45f596b9df0ef4cb61a668b0ace078b22f0e6799e6519c5575f49af86
+  data.tar.gz: a1463d0d766c3597b6e7724a37926c048c069eea052bd680a35927582ffc66939f8436c39df2d65fbf30ecd53a0952ef33e1e20d7f592873cfda9dcfa3d605c5

data/README.md

@@ -22,40 +22,37 @@ Or install it yourself as:
 
         :role_role_name_one:
           :can_do:
-            :Account:
-            - :create
-            - :save
-            - :update
+            :account:
+              - create
+              - save
+              - update
             :User:
-            - :create
-            - :save
-            - :update
-            :ModelCrudHistory: :anything
+              - :create
+              - :save
+              - :update
+            :model_crud_history: :nothing
             :Permission: :anything
           :cant_do:
             :Project:
             - :destroy
+            :model_crud_history: :anything
         :role_role_name_two:
           :can_do:
             :Project:
-            - :create
-            - :save:
-                :if:
-                  :authorize?
-            - :update:
-                :if:
-                  :authorize?
-            - :destroy:
-                :if:
-                  :authorize?
+              - create
+              - save: is_authorized?
+              - :update: is_authorized?
+              - :destroy: is_authorized?
+            :user:
+              create: :create_authorized?
+              save: :update_authorized?
+              update: :update_authorized?
         :role_role_name_three:
           :can_do:
-            :Plant:
-            - :create
-            - :save
-            - :update
-            - :destroy
-          :cant_do: :anything
+            - :Project
+            - :Organization
+          :cant_do:
+            - :User
 
 2. Restrict models for activity and let rule-set(s) via zero-authorization take control of activity
 
@@ -75,6 +72,18 @@ Or install it yourself as:
 
 4. (Re-)boot application.
 
+## Rules for rule-sets execution (Precedence: from top to bottom)
+
+    1. Rule 00: If no rule-sets are available for 'can do' and 'cant do' then is authorized true '(with warning message)'.
+    2. Rule 01: If role can't do 'anything' or can do 'nothing' then is authorized false.
+    3. Rule 02: If role can't do 'nothing' or can do 'anything' then is authorized true.
+    4. Rule 03: If role can't do 'specified' method and given 'evaluate' method returns true then is authorized false.
+    5. Rule 04: If role can't do 'specified' method and given 'evaluate' method returns false then is authorized true.
+    6. Rule 05: If role can   do 'specified' method and given 'evaluate' method returns true then is authorized true.
+    7. Rule 06: If role can   do 'specified' method and given 'evaluate' method returns false then is authorized false.
+    8. Rule 07: If role can't do 'specified' method then is authorized false.
+    9. Rule 08: If role can   do 'specified' method then is authorized true.
+
 ## Contributing
 
 1. Fork it

data/lib/zero_authorization/engine.rb

@@ -26,13 +26,12 @@ module ZeroAuthorization
       # Authorization for authorization mode :strict
       def authorize_strictly(action)
         role = ZeroAuthorization::Role.role
-        raise 'ZeroAuthorizationRoleNotAvailable' if role.nil?
+        raise ZeroAuthorization::Exceptions::RoleNotAvailable, 'Executing authorize_strictly but role not available' if role.nil?
 
         if zero_authorized_core(role, action)
           return true
         else
-          logger.debug 'ZeroAuthorization: Not authorized to perform activity.'
-          raise 'NotAuthorized'
+          raise ZeroAuthorization::Exceptions::NotAuthorized.new(role), "Not authorized to execute #{action} on #{self.class.name}."
         end
 
         false
@@ -41,7 +40,7 @@ module ZeroAuthorization
       # Authorization for authorization mode :warning
       def authorize_with_warning(action)
         role = ZeroAuthorization::Role.role
-        raise 'ZeroAuthorizationRoleNotAvailable' if role.nil?
+        raise ZeroAuthorization::Exceptions::RoleNotAvailable, 'Executing authorize_with_warning but role not available' if role.nil?
 
         if zero_authorized_core(role, action)
           return true
@@ -68,48 +67,41 @@ module ZeroAuthorization
         elsif self.class.authorization_mode == :superficial
           return authorize_superficially(action)
         else
-          raise 'InvalidAuthorizationMode'
+          raise ZeroAuthorization::Exceptions::InvalidAuthorizationMode
         end
       end
 
       # Core of authorization after reading/parsing rule set for current role
+      # Rules for rule-sets execution (Precedence: from top to bottom)
+      # Rule 00: If no rule-sets are available for 'can do' and 'cant do' then is authorized true '(with warning message)'.
+      # Rule 01: If role can't do 'anything' or can do 'nothing' then is authorized false.
+      # Rule 02: If role can't do 'nothing' or can do 'anything' then is authorized true.
+      # Rule 03: If role can't do 'specified' method and given 'evaluate' method returns true then is authorized false.
+      # Rule 04: If role can't do 'specified' method and given 'evaluate' method returns false then is authorized true.
+      # Rule 05: If role can   do 'specified' method and given 'evaluate' method returns true then is authorized true.
+      # Rule 06: If role can   do 'specified' method and given 'evaluate' method returns false then is authorized false.
+      # Rule 07: If role can't do 'specified' method then is authorized false.
+      # Rule 08: If role can   do 'specified' method then is authorized true.
       def zero_authorized_core(role, action)
-        _auth_flag = false
-        unless role.rule_set[:can_do].nil?
-          if role.rule_set[:can_do] == :anything
-            _auth_flag = true
-
-          elsif role.rule_set[:can_do].is_a?(Hash)
-
-            if role.rule_set[:can_do][self.class.name.to_sym] == :anything
-              _auth_flag = true
-            else
-              logger.debug "----------- self.class.name.to_sym: #{self.class.name.to_sym}"
-              symbolized_actions = role.rule_set[:can_do][self.class.name.to_sym].collect { |x| x if x.is_a?(Symbol) }.compact
-              _auth_flag = if symbolized_actions.include?(action)
-                             true
-                           else
-                             conditional_check =nil
-                             (role.rule_set[:can_do][self.class.name.to_sym]- symbolized_actions).each do |action_rule_hash|
-                               conditional_check = action_rule_hash[action] if action_rule_hash.keys.include? action
-                             end
-                             conditional_check ||= {}
-                             conditional_check= conditional_check[:if]
-                             return self.send(conditional_check) unless conditional_check.nil?
-                             false
-                           end
-              #_auth_flag = true if (role.rule_set[:can_do][self.class.name.to_sym] || []).include?(action)
-            end
-          end
-        end
-        unless role.rule_set[:cant_do].nil?
-          if role.rule_set[:cant_do] == :anything
-            _auth_flag = false
-          elsif role.rule_set[:cant_do].is_a?(Hash)
-            _auth_flag = false if (role.rule_set[:cant_do][self.class.name.to_sym] || []).include?(action)
-          end
+        can_rights = role.can_do_rights(self.class.name)
+        can_rights_names = can_rights.keys
+        cant_rights = role.cant_do_rights(self.class.name)
+        cant_rights_names = cant_rights.keys
+
+        if can_rights.empty? and cant_rights.empty? #Rule 00
+          _temp_i = "#{self.class.name} is exempted from ZeroAuthorization. To enable back, try adding rule-set(s) in role_n_privileges.yml"
+          puts _temp_i
+          Rails.logger.info _temp_i
+          return true
         end
-        _auth_flag
+        return false if cant_rights_names.include?(:anything) or can_rights_names.include?(:nothing) #Rule 01
+        return true if cant_rights_names.include?(:nothing) or can_rights_names.include?(:anything) #Rule 02
+        return (self.send(cant_rights[action.to_sym]) ? false : true) unless cant_rights[action.to_sym].nil? # Rule 03 and Rule 04
+        return (self.send(can_rights[action.to_sym]) ? true : false) unless can_rights[action.to_sym].nil? # Rule 05 and Rule 06
+        return false if cant_rights_names.include?(action.to_sym) # Rule 07
+        return true if can_rights_names.include?(action.to_sym) # Rule 08
+
+        raise ZeroAuthorization::Exceptions::ExecutingUnreachableCode
       end
 
       def is_zero_authorized_4_save
@@ -132,25 +124,12 @@ module ZeroAuthorization
     module ClassMethods
       attr_accessor :authorization_mode
 
+      def declared_methods_to_restrict
+        Role.methods_marked_for(self.name).keys
+      end
+
       def list_of_methods_to_guard
-        _model_methods_set = {}
-        Role.roles_n_privileges_hash.each do |role_key, permission_value|
-          unless permission_value[:can_do].nil?
-            _model_methods_set = _model_methods_set.merge(permission_value[:can_do]) { |key, oval, nval| ([oval] << [nval]).flatten.compact.uniq } if permission_value[:can_do].is_a?(Hash)
-          end
-          unless permission_value[:cant_do].nil?
-            _model_methods_set = _model_methods_set.merge(permission_value[:cant_do]) { |key, oval, nval| ([oval] << [nval]).flatten.compact.uniq } if permission_value[:cant_do].is_a?(Hash)
-          end
-        end
-        if _model_methods_set[self.name.to_sym] == :anything
-          _model_methods_set.delete(self.name.to_sym)
-        end
-        (_model_methods_set[self.name.to_sym] || []).clone.delete_if do |x|
-          if x.is_a? Hash
-            x= x.keys.first
-          end
-          [:create, :save, :update, :destroy, :anything].include?(x)
-        end
+        declared_methods_to_restrict - [:create, :save, :update, :destroy, :anything, :nothing]
       end
 
       private
@@ -161,13 +140,18 @@ module ZeroAuthorization
       # applying restriction on methods
       def initialize_methods_restriction
         list_of_methods_to_guard.each do |method_name|
-          if method_name.is_a? Hash
-            method_name = method_name.keys.first
-          end
-          send(:alias_method, "za_#{method_name}", method_name)
-          define_method "#{method_name}" do |*args|
-            puts 'Restricted method call..'
-            send("za_#{method_name}", *args) if zero_authorized_checker(method_name)
+          if self.instance_methods.include?(method_name)
+            send(:alias_method, "za_#{method_name}", method_name)
+            define_method "#{method_name}" do |*args|
+              _temp_i = "Restricted method call to #{self.class.name}#{method_name}.."
+              puts _temp_i
+              Rails.logger.debug(_temp_i)
+              send("za_#{method_name}", *args) if zero_authorized_checker(method_name)
+            end
+          else
+            _temp_i = "[WARNING] ZeroAuthorization: Method '#{method_name}' unavailable in #{self.name} for restriction application."
+            puts _temp_i
+            Rails.logger.debug(_temp_i)
           end
         end
       end

data/lib/zero_authorization/exceptions.rb

@@ -1,6 +1,35 @@
-module Exceptions
+module ZeroAuthorization
+  module Exceptions
+    class ExecutingUnreachableCode < StandardError
+      def initialize(msg = 'It may be a bug. Please report to ZeroAuthorization\'s authors!')
+        super(msg)
+      end
+    end
 
-  #class ActivatedAlreadyError < StandardError;
-  #end
+    class RoleNotAvailable < StandardError
+    end
 
+    class NotAuthorized < StandardError
+      attr_reader :role
+
+      def initialize(role)
+        @role = role
+      end
+    end
+
+    class InvalidAuthorizationMode < StandardError
+      def initialize(msg = 'Invalid authorization mode in use it should be from :strict, :warning or :superficial')
+        super(msg)
+      end
+    end
+
+    class InvalidRolesNPrivilegesHash < StandardError
+      attr_reader :hash_in_use
+
+      def initialize(hash_in_use)
+        @hash_in_use = hash_in_use
+      end
+    end
+
+  end
 end

data/lib/zero_authorization/role.rb

@@ -22,15 +22,114 @@ module ZeroAuthorization
       roles_n_privileges_hash.keys.collect { |key| key.to_s.gsub(/^role_/, '') }.include?(@@role) ? new(@@role) : nil
     end
 
+    def can_do_rights(for_classname)
+      self.class.methods_marked_for(for_classname, :can_do, rule_set)
+    end
+
+    def cant_do_rights(for_classname)
+      self.class.methods_marked_for(for_classname, :cant_do, rule_set)
+    end
+
+    def self.methods_marked_for(for_classname, specific_can_or_cant = nil, source_class_rule_sets = nil)
+      method_collection = {}
+      if source_class_rule_sets.nil?
+        validate_roles_n_privileges_hash.each do |role, class_rule_sets|
+          method_collection.merge!(extract_rule_hash(class_rule_sets, for_classname, specific_can_or_cant))
+        end
+      else
+        method_collection.merge!(extract_rule_hash(source_class_rule_sets, for_classname, specific_can_or_cant))
+      end
+      method_collection
+    end
+
+    def self.extract_rule_hash(class_rule_sets, for_classname, specific_can_or_cant)
+      method_collection = {}
+      basic_rule = class_rule_sets[for_classname.to_sym]
+      basic_rule.each do |can_or_cant, rule_hash|
+        (method_collection.merge!(rule_hash)) if (specific_can_or_cant.nil? ? true : (can_or_cant == specific_can_or_cant)) and rule_hash.is_a?(Hash)
+      end if basic_rule.is_a?(Hash)
+      method_collection
+    end
+
     # Cache read of config/roles_n_privileges.yml for role_privileges_hash
     def self.roles_n_privileges_hash
-      @roles_n_privileges_hash ||= YAML::load_file(File.join(Rails.root, 'config', 'roles_n_privileges.yml'))
+      @roles_n_privileges_hash ||= validate_roles_n_privileges_hash
       @roles_n_privileges_hash
     end
 
     # Hard read of config/roles_n_privileges.yml for role_privileges_hash
     def self.roles_n_privileges_hash_reload
-      @roles_n_privileges_hash = YAML::load_file(File.join(Rails.root, 'config', 'roles_n_privileges.yml'))
+      @roles_n_privileges_hash = validate_roles_n_privileges_hash
+    end
+
+    def self.validate_roles_n_privileges_hash
+      _result_hash = {}
+      YAML::load_file(File.join(Rails.root, 'config', 'roles_n_privileges.yml')).each do |role_name, role_permissions|
+        _result_hash[role_name.to_sym] ||= {}
+        _rh_with_role = _result_hash[role_name.to_sym]
+
+        role_permissions.symbolize_keys!
+        [:can_do, :cant_do].each do |_can|
+
+          if role_permissions[_can].is_a?(Array)
+
+            role_permissions[_can].each do |class_name|
+              if [Symbol, String].include?(class_name.class)
+                _class_name = class_name.to_s.classify.to_sym
+                ((_rh_with_role[_class_name] ||= {})[_can] ||={}).merge!({:anything => nil})
+              else
+                raise ZeroAuthorization::Exceptions::InvalidRolesNPrivilegesHash.new(class_name), 'It should only be a Symbol or String'
+              end
+            end
+
+          elsif role_permissions[_can].is_a?(Hash)
+
+            role_permissions[_can].each do |class_name, permission_set|
+              _class_name = class_name.to_s.classify.to_sym
+
+              if [Symbol, String].include?(class_name.class)
+                if [Symbol, String].include?(permission_set.class)
+                  if [:anything, :nothing].include?(permission_set.to_sym)
+                    ((_rh_with_role[_class_name] ||= {})[_can] ||={}).merge!({permission_set.to_sym => nil})
+                  else
+                    raise ZeroAuthorization::Exceptions::InvalidRolesNPrivilegesHash.new(permission_set.to_sym), 'It should only have :anything or :nothing'
+                  end
+                elsif permission_set.is_a?(Array)
+                  permission_set.each do |i_permission_set|
+                    if [Symbol, String].include?(i_permission_set.class)
+                      ((_rh_with_role[_class_name] ||= {})[_can] ||={}).merge!({i_permission_set.to_sym => nil})
+                    elsif i_permission_set.is_a?(Hash)
+                      i_permission_set.each do |_key, _value|
+                        if [Symbol, String].include?(_key.class) and [Symbol, String].include?(_value.class)
+                          ((_rh_with_role[_class_name] ||= {})[_can] ||={}).merge!({_key.to_sym => _value.to_sym})
+                        else
+                          raise ZeroAuthorization::Exceptions::InvalidRolesNPrivilegesHash.new({_key => _value}), 'Hash should only have key and value of type Symbol or String'
+                        end
+                      end
+                    else
+                      raise ZeroAuthorization::Exceptions::InvalidRolesNPrivilegesHash.new(i_permission_set), 'It should only be a Symbol, String or Hash'
+                    end
+                  end
+                elsif permission_set.is_a?(Hash)
+                  permission_set.each do |i_permission_key, i_permission_value|
+                    if [Symbol, String].include?(i_permission_key.class) and [Symbol, String].include?(i_permission_value.class)
+                      ((_rh_with_role[_class_name] ||= {})[_can] ||={}).merge!({i_permission_key.to_sym => i_permission_value.to_sym})
+                    else
+                      raise ZeroAuthorization::Exceptions::InvalidRolesNPrivilegesHash.new({i_permission_key => i_permission_value}), 'Hash should only have key and value of type Symbol or String'
+                    end
+                  end
+                else
+                  raise ZeroAuthorization::Exceptions::InvalidRolesNPrivilegesHash.new(permission_set), 'It should only be a Symbol, String, Hash or Array'
+                end
+              else
+                raise ZeroAuthorization::Exceptions::InvalidRolesNPrivilegesHash.new(class_name), 'It should only be a Symbol or String'
+              end
+            end
+
+          end
+        end
+      end
+      _result_hash
     end
 
     # Do any activity with any specific temporary role and then revert back to normal situation.

data/lib/zero_authorization/version.rb

@@ -1,3 +1,3 @@
 module ZeroAuthorization
-  VERSION = "1.0.0"
+  VERSION = "1.4.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zero_authorization
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Rajeev Kannav Sharma
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-04 00:00:00.000000000 Z
+date: 2014-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -95,9 +95,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.11
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: 'How to setup: Specify what any specific role of current root entity(logged_user)
   can do/can''t do in roles_n_privileges.yml and (re-)boot application.'
 test_files: []
+has_rdoc: