zuul 0.2.7 → 0.2.8

data/lib/zuul/action_controller/dsl/actions.rb

@@ -0,0 +1,8 @@
+module Zuul
+  module ActionController
+    module DSL
+      class Actions < Base
+      end
+    end
+  end
+end

data/lib/zuul/action_controller/dsl/base.rb

@@ -0,0 +1,254 @@
+module Zuul
+  module ActionController
+    module DSL
+      class Base
+        attr_reader :default, :context, :force_context, :mode, :default_block_allow_rules, :default_block_deny_rules, :actions, :roles, :permissions, :results, :subject_method, :scope
+
+        def actions(*actions, &block)
+          actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
+          opts = options
+          opts[:actions].concat(actions)
+          return unless opts[:actions].map(&:to_sym).include?(@controller.params[:action].to_sym)
+          dsl = Actions.new(@controller, opts)
+          dsl.instance_eval(&block) if block_given?
+          
+          @results.concat dsl.results
+        end
+
+        def context(ctxt, &block)
+          opts = options.merge(:context => ctxt)
+          dsl = self.class.new(@controller, opts)
+          dsl.instance_eval(&block) if block_given?
+          
+          @results.concat dsl.results
+        end
+
+        def force_context(flag=true, &block)
+          opts = options.merge(:force_context => flag)
+          dsl = self.class.new(@controller, opts)
+          dsl.instance_eval(&block) if block_given?
+          
+          @results.concat dsl.results
+        end
+
+        def roles(*allowed, &block)
+          allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
+          opts = options
+          opts[:roles].concat(allowed)
+          dsl = Roles.new(@controller, opts)
+          dsl.instance_eval(&block) if block_given?
+          
+          @results.concat dsl.results
+        end
+
+        def permissions(*allowed, &block)
+          allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
+          opts = options
+          opts[:permissions].concat(allowed)
+          dsl = Permissions.new(@controller, opts)
+          dsl.instance_eval(&block) if block_given?
+          
+          @results.concat dsl.results
+        end
+
+        def scope(scope, &block)
+          opts = options.merge(:scope => scope)
+          dsl = self.class.new(@controller, opts)
+          dsl.instance_eval(&block) if block_given?
+          
+          @results.concat dsl.results
+        end
+
+        def allow_roles(*allowed)
+          allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
+          roles *allowed do
+            allow *@actions
+          end
+        end
+        alias_method :allow_role, :allow_roles
+        alias_method :allow, :allow_roles
+
+        def allow_permissions(*allowed)
+          allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
+          permissions *allowed do
+            allow *@actions
+          end
+        end
+        alias_method :allow_permission, :allow_permissions
+
+        def deny_roles(*denied)
+          denied = denied[0] if denied.length == 1 && denied[0].is_a?(Array)
+          roles *denied do
+            deny *@actions
+          end
+        end
+        alias_method :deny_role, :deny_roles
+        alias_method :deny, :deny_roles
+
+        def deny_permissions(*denied)
+          denied = denied[0] if denied.length == 1 && denied[0].is_a?(Array)
+          permissions *denied do
+            deny *@actions
+          end
+        end
+        alias_method :deny_permission, :deny_permissions
+
+        def all_actions
+          @controller.class.action_methods.select { |act| !act.match(/^_callback_before_[\d]*$/) }.map(&:to_sym)
+        end
+
+        def subject
+          @controller.send(@subject_method)
+        end
+
+        def logged_out
+          :_zuul_logged_out
+        end
+        alias_method :anonymous, :logged_out
+
+        def logged_in
+          :_zuul_logged_in
+        end
+
+        def anyone
+          [logged_in, logged_out]
+        end
+
+        def all_roles(context=false)
+          return [] if subject.nil?
+          context = (context == false) ? @context : parse_context(context)
+          found_roles = subject.auth_scope(@scope).role_class.where(:context_type => context.type, :context_id => context.id).to_a
+          found_roles.concat(subject.auth_scope(@scope).role_class.where(:context_type => context.type, :context_id => nil).to_a) unless context.id.nil?
+          found_roles.concat(subject.auth_scope(@scope).role_class.where(:context_type => nil, :context_id => nil).to_a) unless context.type.nil?
+          found_roles
+        end
+
+        def all_permissions(context=false)
+          return [] if subject.nil?
+          context = (context == false) ? @context : parse_context(context)
+          found_permissions = subject.auth_scope(@scope).permission_class.where(:context_type => context.type, :context_id => context.id).to_a
+          found_permissions.concat(subject.auth_scope(@scope).permission_class.where(:context_type => context.type, :context_id => nil).to_a) unless context.id.nil?
+          found_permissions.concat(subject.auth_scope(@scope).permission_class.where(:context_type => nil, :context_id => nil).to_a) unless context.type.nil?
+          found_permissions
+        end
+
+        def contextual_role(slug, context=false)
+          return nil if subject.nil?
+          context = (context == false) ? @context : parse_context(context)
+          return subject.auth_scope(@scope) { target_role(slug, context.to_context) }
+        end
+        alias_method :role, :contextual_role
+        
+        def contextual_permission(slug, context=false)
+          return nil if subject.nil?
+          context = (context == false) ? @context : parse_context(context)
+          return subject.auth_scope(@scope) { target_permission(slug, context.to_context) }
+        end
+        alias_method :permission, :contextual_permission
+
+        def options
+          {
+            :default => @default,
+            :actions => @actions.clone,
+            :roles => @roles.clone,
+            :permissions => @permissions.clone,
+            :context => @context.clone,
+            :force_context => @force_context,
+            :subject_method => @subject_method,
+            :scope => @scope,
+            :mode => @mode,
+            :collect_results => @collect_results,
+            :allow => (@default_block_allow_rules.nil? ? @default_block_allow_rules : @default_block_allow_rules.clone),
+            :deny => (@default_block_deny_rules.nil? ? @default_block_deny_rules : @default_block_deny_rules.clone),
+          }
+        end
+
+        def set_options(opts)
+          [:default, :actions, :roles, :permissions, :force_context, :mode, :collect_results, :subject_method, :scope].each do |key|
+            instance_variable_set "@#{key.to_s}", opts[key] if opts.has_key?(key)
+          end
+          [:allow, :deny].each do |key|
+            instance_variable_set "@default_block_#{key.to_s}_rules", opts[key] if opts.has_key?(key)
+          end
+          @context = parse_context(opts[:context]) if opts.has_key?(:context)
+          self
+        end
+        alias_method :configure, :set_options
+
+        def parse_context(context=nil)
+          if context.is_a?(String) || context.is_a?(Symbol)
+            if context.to_s.match(/^@.*$/)
+              context = @controller.send(:instance_variable_get, context)
+            elsif @controller.respond_to?(context.to_sym)
+              context = @controller.send(context)
+            end
+          end
+
+          Zuul::Context.parse(context)
+        end
+
+        def execute(&block)
+          log_timer_start = Time.now.to_f
+          if block_given?
+            instance_eval(&block)
+          else
+            instance_eval do
+              [:allow, :deny].each do |auth_type|
+                auth_opts = instance_variable_get("@default_block_#{auth_type.to_s}_rules")
+                next if auth_opts.nil?
+                
+                auth_actions = @actions
+                auth_opts[:actions] = [auth_opts[:actions]] if auth_opts.has_key?(:actions) && !auth_opts[:actions].is_a?(Array)
+                if !auth_opts.has_key?(:actions) || auth_opts[:actions].empty?
+                  auth_actions << @controller.params[:action].to_sym if auth_actions.empty?
+                else
+                  auth_actions.concat(auth_opts[:actions])
+                end
+                
+                actions auth_actions do
+                  [:roles, :permissions].each do |allowable_type|
+                    if auth_opts.has_key?(allowable_type)
+                      send "#{auth_type.to_s}_#{allowable_type.to_s}", auth_opts[allowable_type]
+                    end
+                  end
+                end
+              end
+            end
+          end
+          # only collect results if configured & there are more filters in the chain
+          logger.debug "  \e[1;34mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  #{(authorized? ? "\e[1;32mALLOWED\e[0m" : "\e[1;31mDENIED\e[0m")} using \e[1m#{@default.to_s.upcase}\e[0m [#{results.map { |r| "\e[#{(r ? "32mallow" : "31mdeny")}\e[0m" }.join(",")}]"
+          collect_results if @collect_results && @controller.class.acl_filters.length > 0
+        end
+
+        def authorized?
+          if @default == :deny
+            !(@results.empty? || @results.any? { |result| result == false })
+          else
+            (@results.empty? || !@results.all? { |result| result == false })
+          end
+        end
+
+        def collect_results
+          @results = [authorized?]
+        end
+
+        protected
+
+        def initialize(controller, opts={})
+          @controller = controller
+          # TODO catch 22: need config for subject_method, but need subject_method to check if subject
+          opts = {:subject_method => Zuul.configuration.subject_method, :scope => :default}.merge(opts)
+          config = @controller.send(opts[:subject_method]).nil? ? Zuul.configuration : @controller.send(opts[:subject_method]).auth_scope(opts[:scope]).config
+          opts = {:default => config.acl_default, :force_context => config.force_context, :context => nil, :mode => config.acl_mode, :collect_results => config.acl_collect_results, :allow => nil, :deny => nil, :actions => [], :roles => [], :permissions => []}.merge(opts)
+          set_options opts
+          @results = []
+        end
+
+        def logger
+          @controller.logger
+        end
+      end
+
+    end
+  end
+end

data/lib/zuul/action_controller/dsl/permissions.rb

@@ -0,0 +1,45 @@
+module Zuul
+  module ActionController
+    module DSL
+      class Permissions < Actionable
+        def match?(permission)
+          subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_permission?(permission, context.to_context, force_context) }
+        end
+        
+        def allow(*actions)
+          log_timer_start = Time.now.to_f
+          actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
+          actions.concat(@actions)
+          return if subject.nil? || @permissions.empty? || actions.empty?
+          if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
+            @permissions.each do |permission|
+              if allow?(permission)
+                logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mMATCH\e[0m for \e[32mallow\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
+                @results << true
+                return
+              end
+              logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mNO MATCH\e[0m for \e[32mallow\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
+            end
+          end
+        end
+        
+        def deny(*actions)
+          log_timer_start = Time.now.to_f
+          actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
+          actions.concat(@actions)
+          return if subject.nil? || @permissions.empty? || actions.empty?
+          if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
+            @permissions.each do |permission|
+              if deny?(permission)
+                logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mMATCH\e[0m for \e[31mdeny\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
+                @results << false
+                return
+              end
+              logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mNO MATCH\e[0m for \e[31mdeny\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/zuul/action_controller/dsl/roles.rb

@@ -0,0 +1,77 @@
+module Zuul
+  module ActionController
+    module DSL
+      class Roles < Actionable
+        def match?(role)
+          (@or_higher && subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_role_or_higher?(role, context.to_context, force_context) }) || (!@or_higher && subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_role?(role, context.to_context, force_context) })
+        end
+        
+        def allow(*actions)
+          log_timer_start = Time.now.to_f
+          actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
+          actions.concat(@actions)
+          return if @roles.empty? || actions.empty?
+          if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
+            @roles.each do |role|
+              if (role == logged_out && subject.nil?) ||
+                 (role == logged_in && !subject.nil?)
+                @results << true
+                return
+              end
+              
+              next if subject.nil? # keep going in case :_zuul_logged_out is specified
+              
+              if allow?(role)
+                logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mMATCH\e[0m for \e[32mallow\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
+                @results << true
+                return
+              end
+              logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mNO MATCH\e[0m for \e[32mallow\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
+            end
+          end
+        end
+        
+        def deny(*actions)
+          log_timer_start = Time.now.to_f
+          actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
+          actions.concat(@actions)
+          return if @roles.empty? || actions.empty?
+          if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
+            @roles.each do |role|
+              if (role == logged_out && subject.nil?) ||
+                 (role == logged_in && !subject.nil?)
+                @results << false
+                return
+              end
+              
+              next if subject.nil? # keep going in case :_zuul_logged_out is specified
+              
+              if deny?(role)
+                logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mMATCH\e[0m for \e[31mdeny\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
+                @results << false
+                return
+              end
+              logger.debug "  \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m  \e[1mNO MATCH\e[0m for \e[31mdeny\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
+            end
+          end
+        end
+
+        def or_higher(&block)
+          opts = options.merge(:or_higher => true)
+          dsl = self.class.new(@controller, opts)
+          dsl.instance_eval(&block) if block_given?
+          
+          @results.concat dsl.results
+        end
+
+        protected
+
+        def initialize(controller, opts={})
+          super
+          opts = {:or_higher => false}.merge(opts)
+          @or_higher = opts[:or_higher]
+        end
+      end
+    end
+  end
+end

data/lib/zuul/active_record.rb

@@ -1,3 +1,4 @@
+require 'zuul/active_record/context_accessors'
 require 'zuul/active_record/scope'
 require 'zuul/active_record/role'
 require 'zuul/active_record/permission'
@@ -96,19 +97,19 @@ module Zuul
       def prepare_join_classes(scope)
         scope_config = auth_scope(scope).config
 
-        unless auth_scope(scope).role_subject_class.ancestors.include?(RoleSubject)
+        unless auth_scope(scope).role_subject_class.acts_as_authorization_role_subject?
           auth_scope(scope).role_subject_class.instance_eval do
             acts_as_authorization_role_subject(scope_config.to_h)
           end
         end
         
         if auth_scope(scope).config.with_permissions
-          unless auth_scope(scope).permission_subject_class.ancestors.include?(PermissionSubject)
+          unless auth_scope(scope).permission_subject_class.acts_as_authorization_permission_subject?
             auth_scope(scope).permission_subject_class.instance_eval do
               acts_as_authorization_permission_subject(scope_config.to_h)
             end
           end
-          unless auth_scope(scope).permission_role_class.ancestors.include?(PermissionRole)
+          unless auth_scope(scope).permission_role_class.acts_as_authorization_permission_role?
             auth_scope(scope).permission_role_class.instance_eval do
               acts_as_authorization_permission_role(scope_config.to_h)
             end
@@ -116,30 +117,50 @@ module Zuul
         end
       end
 
+
+      def acts_as_authorization_model?(type)
+        ancestors.include?("zuul/active_record/#{type}".camelize.constantize)
+      end
+
       # Checks if the model is setup to act as a zuul authorization role
       def acts_as_authorization_role?
-        ancestors.include?(Zuul::ActiveRecord::Role)
+        acts_as_authorization_model? :role
       end
 
       # Checks if the model is setup to act as a zuul authorization permission
       def acts_as_authorization_permission?
-        ancestors.include?(Zuul::ActiveRecord::Permission)
+        acts_as_authorization_model? :permission
       end
 
       # Checks if the model is setup to act as a zuul authorization context/resource
       def acts_as_authorization_context?
-        ancestors.include?(Zuul::ActiveRecord::Context)
+        acts_as_authorization_model? :context
       end
 
       # Checks if the model is setup to act as a zuul authorization subject
       def acts_as_authorization_subject?
-        ancestors.include?(Zuul::ActiveRecord::Subject)
+        acts_as_authorization_model? :subject
+      end
+
+      # Checks if the model is setup to act as a zuul authorization role_subject
+      def acts_as_authorization_role_subject?
+        acts_as_authorization_model? :role_subject
+      end
+
+      # Checks if the model is setup to act as a zuul authorization permission_subject
+      def acts_as_authorization_permission_subject?
+        acts_as_authorization_model? :permission_subject
+      end
+
+      # Checks if the model is setup to act as a zuul authorization permission_role
+      def acts_as_authorization_permission_role?
+        acts_as_authorization_model? :permission_role
       end
     end
 
-    # Defines acts_as_authorization_*? methods to pass through to the class
     module InstanceMethods
-      [:role, :permission, :subject, :context].each do |auth_type|
+      # Defines acts_as_authorization_*? methods to pass through to the class
+      [:role, :permission, :subject, :context, :role_subject, :permission_subject, :permission_role].each do |auth_type|
         method_name = "acts_as_authorization_#{auth_type}?"
         define_method method_name do
           self.class.send method_name
@@ -157,7 +178,7 @@ module Zuul
       end
 
       module ClassMethods
-        # Return the requested scope, call a method within a scope or execute an optional block within that scope
+        # Return the requested scope, call a method within a scope, or execute an optional block within that scope
         #
         # If an optional block is passed, it will be executed within the provided scope. This allows
         # you to call methods on the model or the auth scope without having to specify a scope
@@ -217,7 +238,7 @@ module Zuul
           self.class.auth_scopes
         end
 
-        # Return the requested scope, call a method within a scope or execute an optional block within that scope
+        # Return the requested scope, call a method within a scope, or execute an optional block within that scope
         #
         # If an optional block is passed, it will be executed within the provided scope. This allows
         # you to call methods on the model or the auth scope without having to specify a scope
@@ -321,8 +342,7 @@ module Zuul
           return false if target.nil?
           force_context ||= auth_scope.config.force_context
           context = Zuul::Context.parse(context)
-          return (target.context.class_name == context.class_name && target.context.id == context.id) if force_context
-          (target.context.class_name.nil? && target.context.id.nil?) || (target.context.class_name == context.class_name && (target.context.id.nil? || target.context.id == context.id))
+          force_context ? context == target.context : context <= target.context
         end
 
         # Simple helper for "IS NULL" vs "= 'VALUE'" SQL syntax
@@ -332,28 +352,7 @@ module Zuul
         end
       end
     end
-
-    # These are included in roles & permissions objects and assigned roles & permissions objects
-    # to provide easy access to the context for that object.
-    module ContextMethods
-      def self.included(base)
-        base.send :attr_accessible, :context if ::Zuul
-.should_whitelist?
-      end
-
-      # Return a Zuul::Context object representing the context for the role
-      def context
-        Zuul::Context.new(context_type, context_id)
-      end
-
-      # Parse a context into an Zuul::Context and set the type and id
-      def context=(context)
-        context = Zuul::Context.parse(context)
-        self.context_type = context.class_name
-        self.context_id = context.id
-      end
-    end
-
+  
   end
 end