zuul 0.2.7 → 0.2.8

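--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b98d35feba741249f26d2700e815d15f0f87c969
-  data.tar.gz: ea24b63238871dfd1ea1f2382dc9d1df48a97449
+  metadata.gz: be4dff9ba47f1212b70961cc4b5b8aa4489cf135
+  data.tar.gz: ba748634f6d3697ee427900df7561ef6c559e26b
 SHA512:
-  metadata.gz: dea4199f801fa7a2463af0872d4b2367c5bd4491ff2b379b7127f785b58b2c1844c966d1d1e52520c3b7f626a6e1bf56b51f61ccbd013187086057ae53d1be18
-  data.tar.gz: 60b3ef6d9d0b7444af7f6cae06401e280904d77c38cd7683476713ad370b0e619afc57d164645997aadb9810da0f1be289c485ad54a142db545480d65504a779
+  metadata.gz: 2c8ab1b4d39eeee721c0d5cfafc64d2208e2ea04a2e1d0ffe5f460cc4f821f5223c26fe42c9675cddbe398ec424fe8a275643f2164b2dbed22348486c2bd7e2a
+  data.tar.gz: 13ff795a005b763026daf8205dc9dd3212c394ad08aafc0b0465c5750de40881d764b776e0439400b631e2ea07e22a5879cbf4ad1fa9fa2b653678a46158eaeb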
@@ -71,11 +71,11 @@ module Zuul
71
71
  raise Exceptions::AccessDenied if !controller.acl_dsl.authorized? && controller.acl_dsl.mode != :quiet
72
72
  end
73
73
  end
74
- append_before_filter "#{callback_method.to_s}(self)".to_sym, filter_args
74
+ append_before_filter "#{callback_method.to_s}(self)", filter_args
75
75
  end
76
76
 
77
77
  def acl_filters
78
- _process_action_callbacks.select { |f| f.kind == :before && f.filter.match(/\A_zuul_callback_before_.*/) }
78
+ _process_action_callbacks.select { |f| f.kind == :before && f.instance_variable_get(:@filter).match(/\A_zuul_callback_before_.*/) }
79
79
  end
80
80
 
81
81
  # TODO maybe implement these to be used as simple wrappers for access_control
@@ -98,10 +98,14 @@ module Zuul
98
98
  def parse_access_control_args(*args)
99
99
  args = args[0] if args.is_a?(Array)
100
100
  args = {} if args.nil?
101
- filter_args = args.select { |k,v| [:except, :only].include?(k) }
102
- [:except, :only].each { |k| args.delete(k) }
101
+ filter_args = args.select { |k,v| filter_keys.include?(k) }
102
+ args.reject! { |k| filter_keys.include?(k) }
103
103
  return [args, filter_args]
104
104
  end
105
+
106
+ def filter_keys
107
+ [:except, :only]
108
+ end
105
109
  end
106
110
  end
107
111
  end
@@ -1,384 +1,12 @@
1
+ require 'zuul/action_controller/dsl/base'
2
+ require 'zuul/action_controller/dsl/actions'
3
+ require 'zuul/action_controller/dsl/actionable'
4
+ require 'zuul/action_controller/dsl/roles'
5
+ require 'zuul/action_controller/dsl/permissions'
6
+
1
7
  module Zuul
2
8
  module ActionController
3
9
  module DSL
4
- class Base
5
- attr_reader :default, :context, :force_context, :mode, :default_block_allow_rules, :default_block_deny_rules, :actions, :roles, :permissions, :results, :subject_method, :scope
6
-
7
- def actions(*actions, &block)
8
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
9
- opts = options
10
- opts[:actions].concat(actions)
11
- return unless opts[:actions].map(&:to_sym).include?(@controller.params[:action].to_sym)
12
- dsl = Actions.new(@controller, opts)
13
- dsl.instance_eval(&block) if block_given?
14
-
15
- @results.concat dsl.results
16
- end
17
-
18
- def context(ctxt, &block)
19
- opts = options.merge(:context => ctxt)
20
- dsl = self.class.new(@controller, opts)
21
- dsl.instance_eval(&block) if block_given?
22
-
23
- @results.concat dsl.results
24
- end
25
-
26
- def force_context(flag=true, &block)
27
- opts = options.merge(:force_context => flag)
28
- dsl = self.class.new(@controller, opts)
29
- dsl.instance_eval(&block) if block_given?
30
-
31
- @results.concat dsl.results
32
- end
33
-
34
- def roles(*allowed, &block)
35
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
36
- opts = options
37
- opts[:roles].concat(allowed)
38
- dsl = Roles.new(@controller, opts)
39
- dsl.instance_eval(&block) if block_given?
40
-
41
- @results.concat dsl.results
42
- end
43
-
44
- def permissions(*allowed, &block)
45
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
46
- opts = options
47
- opts[:permissions].concat(allowed)
48
- dsl = Permissions.new(@controller, opts)
49
- dsl.instance_eval(&block) if block_given?
50
-
51
- @results.concat dsl.results
52
- end
53
-
54
- def scope(scope, &block)
55
- opts = options.merge(:scope => scope)
56
- dsl = self.class.new(@controller, opts)
57
- dsl.instance_eval(&block) if block_given?
58
-
59
- @results.concat dsl.results
60
- end
61
-
62
- def allow_roles(*allowed)
63
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
64
- roles *allowed do
65
- allow *@actions
66
- end
67
- end
68
- alias_method :allow_role, :allow_roles
69
- alias_method :allow, :allow_roles
70
-
71
- def allow_permissions(*allowed)
72
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
73
- permissions *allowed do
74
- allow *@actions
75
- end
76
- end
77
- alias_method :allow_permission, :allow_permissions
78
-
79
- def deny_roles(*denied)
80
- denied = denied[0] if denied.length == 1 && denied[0].is_a?(Array)
81
- roles *denied do
82
- deny *@actions
83
- end
84
- end
85
- alias_method :deny_role, :deny_roles
86
- alias_method :deny, :deny_roles
87
-
88
- def deny_permissions(*denied)
89
- denied = denied[0] if denied.length == 1 && denied[0].is_a?(Array)
90
- permissions *denied do
91
- deny *@actions
92
- end
93
- end
94
- alias_method :deny_permission, :deny_permissions
95
-
96
- def all_actions
97
- @controller.class.action_methods.select { |act| !act.match(/^_callback_before_[\d]*$/) }.map(&:to_sym)
98
- end
99
-
100
- def subject
101
- @controller.send(@subject_method)
102
- end
103
-
104
- def logged_out
105
- :_zuul_logged_out
106
- end
107
- alias_method :anonymous, :logged_out
108
-
109
- def logged_in
110
- :_zuul_logged_in
111
- end
112
-
113
- def anyone
114
- [logged_in, logged_out]
115
- end
116
-
117
- def all_roles(context=false)
118
- return [] if subject.nil?
119
- context = (context == false) ? @context : parse_context(context)
120
- found_roles = subject.auth_scope(@scope).role_class.where(:context_type => context.type, :context_id => context.id).to_a
121
- found_roles.concat(subject.auth_scope(@scope).role_class.where(:context_type => context.type, :context_id => nil).to_a) unless context.id.nil?
122
- found_roles.concat(subject.auth_scope(@scope).role_class.where(:context_type => nil, :context_id => nil).to_a) unless context.type.nil?
123
- found_roles
124
- end
125
-
126
- def all_permissions(context=false)
127
- return [] if subject.nil?
128
- context = (context == false) ? @context : parse_context(context)
129
- found_permissions = subject.auth_scope(@scope).permission_class.where(:context_type => context.type, :context_id => context.id).to_a
130
- found_permissions.concat(subject.auth_scope(@scope).permission_class.where(:context_type => context.type, :context_id => nil).to_a) unless context.id.nil?
131
- found_permissions.concat(subject.auth_scope(@scope).permission_class.where(:context_type => nil, :context_id => nil).to_a) unless context.type.nil?
132
- found_permissions
133
- end
134
-
135
- def contextual_role(slug, context=false)
136
- return nil if subject.nil?
137
- context = (context == false) ? @context : parse_context(context)
138
- return subject.auth_scope(@scope) { target_role(slug, context.to_context) }
139
- end
140
- alias_method :role, :contextual_role
141
-
142
- def contextual_permission(slug, context=false)
143
- return nil if subject.nil?
144
- context = (context == false) ? @context : parse_context(context)
145
- return subject.auth_scope(@scope) { target_permission(slug, context.to_context) }
146
- end
147
- alias_method :permission, :contextual_permission
148
-
149
- def options
150
- {
151
- :default => @default,
152
- :actions => @actions.clone,
153
- :roles => @roles.clone,
154
- :permissions => @permissions.clone,
155
- :context => @context.clone,
156
- :force_context => @force_context,
157
- :subject_method => @subject_method,
158
- :scope => @scope,
159
- :mode => @mode,
160
- :collect_results => @collect_results,
161
- :allow => (@default_block_allow_rules.nil? ? @default_block_allow_rules : @default_block_allow_rules.clone),
162
- :deny => (@default_block_deny_rules.nil? ? @default_block_deny_rules : @default_block_deny_rules.clone),
163
- }
164
- end
165
-
166
- def set_options(opts)
167
- [:default, :actions, :roles, :permissions, :force_context, :mode, :collect_results, :subject_method, :scope].each do |key|
168
- instance_variable_set "@#{key.to_s}", opts[key] if opts.has_key?(key)
169
- end
170
- [:allow, :deny].each do |key|
171
- instance_variable_set "@default_block_#{key.to_s}_rules", opts[key] if opts.has_key?(key)
172
- end
173
- @context = parse_context(opts[:context]) if opts.has_key?(:context)
174
- self
175
- end
176
- alias_method :configure, :set_options
177
-
178
- def parse_context(context=nil)
179
- if context.is_a?(String) || context.is_a?(Symbol)
180
- if context.to_s.match(/^@.*$/)
181
- context = @controller.send(:instance_variable_get, context)
182
- elsif @controller.respond_to?(context.to_sym)
183
- context = @controller.send(context)
184
- end
185
- end
186
-
187
- Zuul::Context.parse(context)
188
- end
189
-
190
- def execute(&block)
191
- log_timer_start = Time.now.to_f
192
- if block_given?
193
- instance_eval(&block)
194
- else
195
- instance_eval do
196
- [:allow, :deny].each do |auth_type|
197
- auth_opts = instance_variable_get("@default_block_#{auth_type.to_s}_rules")
198
- next if auth_opts.nil?
199
-
200
- auth_actions = @actions
201
- auth_opts[:actions] = [auth_opts[:actions]] if auth_opts.has_key?(:actions) && !auth_opts[:actions].is_a?(Array)
202
- if !auth_opts.has_key?(:actions) || auth_opts[:actions].empty?
203
- auth_actions << @controller.params[:action].to_sym if auth_actions.empty?
204
- else
205
- auth_actions.concat(auth_opts[:actions])
206
- end
207
-
208
- actions auth_actions do
209
- [:roles, :permissions].each do |allowable_type|
210
- if auth_opts.has_key?(allowable_type)
211
- send "#{auth_type.to_s}_#{allowable_type.to_s}", auth_opts[allowable_type]
212
- end
213
- end
214
- end
215
- end
216
- end
217
- end
218
- # only collect results if configured & there are more filters in the chain
219
- logger.debug " \e[1;34mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m #{(authorized? ? "\e[1;32mALLOWED\e[0m" : "\e[1;31mDENIED\e[0m")} using \e[1m#{@default.to_s.upcase}\e[0m [#{results.map { |r| "\e[#{(r ? "32mallow" : "31mdeny")}\e[0m" }.join(",")}]"
220
- collect_results if @collect_results && @controller.class.acl_filters.length > 0
221
- end
222
-
223
- def authorized?
224
- if @default == :deny
225
- !(@results.empty? || @results.any? { |result| result == false })
226
- else
227
- (@results.empty? || !@results.all? { |result| result == false })
228
- end
229
- end
230
-
231
- def collect_results
232
- @results = [authorized?]
233
- end
234
-
235
- protected
236
-
237
- def initialize(controller, opts={})
238
- @controller = controller
239
- # TODO catch 22: need config for subject_method, but need subject_method to check if subject
240
- opts = {:subject_method => Zuul.configuration.subject_method, :scope => :default}.merge(opts)
241
- config = @controller.send(opts[:subject_method]).nil? ? Zuul.configuration : @controller.send(opts[:subject_method]).auth_scope(opts[:scope]).config
242
- opts = {:default => config.acl_default, :force_context => config.force_context, :context => nil, :mode => config.acl_mode, :collect_results => config.acl_collect_results, :allow => nil, :deny => nil, :actions => [], :roles => [], :permissions => []}.merge(opts)
243
- set_options opts
244
- @results = []
245
- end
246
-
247
- def logger
248
- @controller.logger
249
- end
250
- end
251
-
252
- class Actions < Base
253
- end
254
-
255
- class Actionable < Base
256
- def all
257
- all_actions
258
- end
259
-
260
- def allow?(role_or_perm)
261
- match? role_or_perm
262
- end
263
-
264
- def deny?(role_or_perm)
265
- match? role_or_perm
266
- end
267
- end
268
-
269
- class Roles < Actionable
270
-
271
- def match?(role)
272
- (@or_higher && subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_role_or_higher?(role, context.to_context, force_context) }) || (!@or_higher && subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_role?(role, context.to_context, force_context) })
273
- end
274
-
275
- def allow(*actions)
276
- log_timer_start = Time.now.to_f
277
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
278
- actions.concat(@actions)
279
- return if @roles.empty? || actions.empty?
280
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
281
- @roles.each do |role|
282
- if (role == logged_out && subject.nil?) ||
283
- (role == logged_in && !subject.nil?)
284
- @results << true
285
- return
286
- end
287
-
288
- next if subject.nil? # keep going in case :_zuul_logged_out is specified
289
-
290
- if allow?(role)
291
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[32mallow\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
292
- @results << true
293
- return
294
- end
295
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[32mallow\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
296
- end
297
- end
298
- end
299
-
300
- def deny(*actions)
301
- log_timer_start = Time.now.to_f
302
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
303
- actions.concat(@actions)
304
- return if @roles.empty? || actions.empty?
305
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
306
- @roles.each do |role|
307
- if (role == logged_out && subject.nil?) ||
308
- (role == logged_in && !subject.nil?)
309
- @results << false
310
- return
311
- end
312
-
313
- next if subject.nil? # keep going in case :_zuul_logged_out is specified
314
-
315
- if deny?(role)
316
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[31mdeny\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
317
- @results << false
318
- return
319
- end
320
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[31mdeny\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
321
- end
322
- end
323
- end
324
-
325
- def or_higher(&block)
326
- opts = options.merge(:or_higher => true)
327
- dsl = self.class.new(@controller, opts)
328
- dsl.instance_eval(&block) if block_given?
329
-
330
- @results.concat dsl.results
331
- end
332
-
333
- protected
334
-
335
- def initialize(controller, opts={})
336
- super
337
- opts = {:or_higher => false}.merge(opts)
338
- @or_higher = opts[:or_higher]
339
- end
340
- end
341
-
342
- class Permissions < Actionable
343
-
344
- def match?(permission)
345
- subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_permission?(permission, context.to_context, force_context) }
346
- end
347
-
348
- def allow(*actions)
349
- log_timer_start = Time.now.to_f
350
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
351
- actions.concat(@actions)
352
- return if subject.nil? || @permissions.empty? || actions.empty?
353
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
354
- @permissions.each do |permission|
355
- if allow?(permission)
356
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[32mallow\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
357
- @results << true
358
- return
359
- end
360
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[32mallow\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
361
- end
362
- end
363
- end
364
-
365
- def deny(*actions)
366
- log_timer_start = Time.now.to_f
367
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
368
- actions.concat(@actions)
369
- return if subject.nil? || @permissions.empty? || actions.empty?
370
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
371
- @permissions.each do |permission|
372
- if deny?(permission)
373
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[31mdeny\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
374
- @results << false
375
- return
376
- end
377
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[31mdeny\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
378
- end
379
- end
380
- end
381
- end
382
10
  end
383
11
  end
384
12
  end
@@ -0,0 +1,19 @@
1
+ module Zuul
2
+ module ActionController
3
+ module DSL
4
+ class Actionable < Base
5
+ def all
6
+ all_actions
7
+ end
8
+
9
+ def allow?(role_or_perm)
10
+ match? role_or_perm
11
+ end
12
+
13
+ def deny?(role_or_perm)
14
+ match? role_or_perm
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end