zuul 0.2.7 → 0.2.8

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: b98d35feba741249f26d2700e815d15f0f87c969
4
- data.tar.gz: ea24b63238871dfd1ea1f2382dc9d1df48a97449
3
+ metadata.gz: be4dff9ba47f1212b70961cc4b5b8aa4489cf135
4
+ data.tar.gz: ba748634f6d3697ee427900df7561ef6c559e26b
5
5
  SHA512:
6
- metadata.gz: dea4199f801fa7a2463af0872d4b2367c5bd4491ff2b379b7127f785b58b2c1844c966d1d1e52520c3b7f626a6e1bf56b51f61ccbd013187086057ae53d1be18
7
- data.tar.gz: 60b3ef6d9d0b7444af7f6cae06401e280904d77c38cd7683476713ad370b0e619afc57d164645997aadb9810da0f1be289c485ad54a142db545480d65504a779
6
+ metadata.gz: 2c8ab1b4d39eeee721c0d5cfafc64d2208e2ea04a2e1d0ffe5f460cc4f821f5223c26fe42c9675cddbe398ec424fe8a275643f2164b2dbed22348486c2bd7e2a
7
+ data.tar.gz: 13ff795a005b763026daf8205dc9dd3212c394ad08aafc0b0465c5750de40881d764b776e0439400b631e2ea07e22a5879cbf4ad1fa9fa2b653678a46158eaeb
@@ -71,11 +71,11 @@ module Zuul
71
71
  raise Exceptions::AccessDenied if !controller.acl_dsl.authorized? && controller.acl_dsl.mode != :quiet
72
72
  end
73
73
  end
74
- append_before_filter "#{callback_method.to_s}(self)".to_sym, filter_args
74
+ append_before_filter "#{callback_method.to_s}(self)", filter_args
75
75
  end
76
76
 
77
77
  def acl_filters
78
- _process_action_callbacks.select { |f| f.kind == :before && f.filter.match(/\A_zuul_callback_before_.*/) }
78
+ _process_action_callbacks.select { |f| f.kind == :before && f.instance_variable_get(:@filter).match(/\A_zuul_callback_before_.*/) }
79
79
  end
80
80
 
81
81
  # TODO maybe implement these to be used as simple wrappers for access_control
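Review bot: The new `acl_filters` calls `.match` on whatever each callback's `@filter` holds, and that raises NoMethodError as soon as any other before callback on the controller was registered with a block or lambda (a Proc does not respond to `match`), so the filter list breaks for every app that mixes zuul with such callbacks; `f.instance_variable_get(:@filter).to_s.match(/\A_zuul_callback_before_/)` keeps the intended matches and tolerates the rest. Reading `@filter` directly also couples the gem to ActiveSupport::Callbacks internals, so a comment naming the ActiveSupport versions this was checked against would help the next upgrade. On the `append_before_filter` line the filter is now a String, which ActiveSupport compiles and evaluates as Ruby source, so `callback_method` must remain an internally generated name (the `_zuul_callback_before_` prefix suggests it is) and never carry request-derived text; the `.to_s` inside the interpolation is redundant. The method containing the `append_before_filter` call starts outside the hunk.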
@@ -98,10 +98,14 @@ module Zuul
98
98
  def parse_access_control_args(*args)
99
99
  args = args[0] if args.is_a?(Array)
100
100
  args = {} if args.nil?
101
- filter_args = args.select { |k,v| [:except, :only].include?(k) }
102
- [:except, :only].each { |k| args.delete(k) }
101
+ filter_args = args.select { |k,v| filter_keys.include?(k) }
102
+ args.reject! { |k| filter_keys.include?(k) }
103
103
  return [args, filter_args]
104
104
  end
105
+
106
+ def filter_keys
107
+ [:except, :only]
108
+ end
105
109
  end
106
110
  end
107
111
  end
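Review bot: `filter_keys` on the added lines allocates a fresh `[:except, :only]` array on every call and is called once per key inside both the `select` and the `reject!` block, and it also becomes a new method on whatever this module is mixed into (its visibility is not visible in the hunk); a frozen constant, `FILTER_KEYS = [:except, :only].freeze`, used as `args.select { |k, _v| FILTER_KEYS.include?(k) }` and `args.reject! { |k, _v| FILTER_KEYS.include?(k) }`, avoids both. The unused `v` in the `select` block should be `_v`, and the single-parameter `reject! { |k| ... }` only works because `Hash#reject!` yields key and value as separate arguments, which reads as a bug to anyone expecting the `each`-style pair. `reject!` mutates the hash the caller passed in, as the previous `delete` loop did; if that is intentional it deserves a one-line comment.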
@@ -1,384 +1,12 @@
1
+ require 'zuul/action_controller/dsl/base'
2
+ require 'zuul/action_controller/dsl/actions'
3
+ require 'zuul/action_controller/dsl/actionable'
4
+ require 'zuul/action_controller/dsl/roles'
5
+ require 'zuul/action_controller/dsl/permissions'
6
+
1
7
  module Zuul
2
8
  module ActionController
3
9
  module DSL
4
- class Base
5
- attr_reader :default, :context, :force_context, :mode, :default_block_allow_rules, :default_block_deny_rules, :actions, :roles, :permissions, :results, :subject_method, :scope
6
-
7
- def actions(*actions, &block)
8
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
9
- opts = options
10
- opts[:actions].concat(actions)
11
- return unless opts[:actions].map(&:to_sym).include?(@controller.params[:action].to_sym)
12
- dsl = Actions.new(@controller, opts)
13
- dsl.instance_eval(&block) if block_given?
14
-
15
- @results.concat dsl.results
16
- end
17
-
18
- def context(ctxt, &block)
19
- opts = options.merge(:context => ctxt)
20
- dsl = self.class.new(@controller, opts)
21
- dsl.instance_eval(&block) if block_given?
22
-
23
- @results.concat dsl.results
24
- end
25
-
26
- def force_context(flag=true, &block)
27
- opts = options.merge(:force_context => flag)
28
- dsl = self.class.new(@controller, opts)
29
- dsl.instance_eval(&block) if block_given?
30
-
31
- @results.concat dsl.results
32
- end
33
-
34
- def roles(*allowed, &block)
35
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
36
- opts = options
37
- opts[:roles].concat(allowed)
38
- dsl = Roles.new(@controller, opts)
39
- dsl.instance_eval(&block) if block_given?
40
-
41
- @results.concat dsl.results
42
- end
43
-
44
- def permissions(*allowed, &block)
45
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
46
- opts = options
47
- opts[:permissions].concat(allowed)
48
- dsl = Permissions.new(@controller, opts)
49
- dsl.instance_eval(&block) if block_given?
50
-
51
- @results.concat dsl.results
52
- end
53
-
54
- def scope(scope, &block)
55
- opts = options.merge(:scope => scope)
56
- dsl = self.class.new(@controller, opts)
57
- dsl.instance_eval(&block) if block_given?
58
-
59
- @results.concat dsl.results
60
- end
61
-
62
- def allow_roles(*allowed)
63
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
64
- roles *allowed do
65
- allow *@actions
66
- end
67
- end
68
- alias_method :allow_role, :allow_roles
69
- alias_method :allow, :allow_roles
70
-
71
- def allow_permissions(*allowed)
72
- allowed = allowed[0] if allowed.length == 1 && allowed[0].is_a?(Array)
73
- permissions *allowed do
74
- allow *@actions
75
- end
76
- end
77
- alias_method :allow_permission, :allow_permissions
78
-
79
- def deny_roles(*denied)
80
- denied = denied[0] if denied.length == 1 && denied[0].is_a?(Array)
81
- roles *denied do
82
- deny *@actions
83
- end
84
- end
85
- alias_method :deny_role, :deny_roles
86
- alias_method :deny, :deny_roles
87
-
88
- def deny_permissions(*denied)
89
- denied = denied[0] if denied.length == 1 && denied[0].is_a?(Array)
90
- permissions *denied do
91
- deny *@actions
92
- end
93
- end
94
- alias_method :deny_permission, :deny_permissions
95
-
96
- def all_actions
97
- @controller.class.action_methods.select { |act| !act.match(/^_callback_before_[\d]*$/) }.map(&:to_sym)
98
- end
99
-
100
- def subject
101
- @controller.send(@subject_method)
102
- end
103
-
104
- def logged_out
105
- :_zuul_logged_out
106
- end
107
- alias_method :anonymous, :logged_out
108
-
109
- def logged_in
110
- :_zuul_logged_in
111
- end
112
-
113
- def anyone
114
- [logged_in, logged_out]
115
- end
116
-
117
- def all_roles(context=false)
118
- return [] if subject.nil?
119
- context = (context == false) ? @context : parse_context(context)
120
- found_roles = subject.auth_scope(@scope).role_class.where(:context_type => context.type, :context_id => context.id).to_a
121
- found_roles.concat(subject.auth_scope(@scope).role_class.where(:context_type => context.type, :context_id => nil).to_a) unless context.id.nil?
122
- found_roles.concat(subject.auth_scope(@scope).role_class.where(:context_type => nil, :context_id => nil).to_a) unless context.type.nil?
123
- found_roles
124
- end
125
-
126
- def all_permissions(context=false)
127
- return [] if subject.nil?
128
- context = (context == false) ? @context : parse_context(context)
129
- found_permissions = subject.auth_scope(@scope).permission_class.where(:context_type => context.type, :context_id => context.id).to_a
130
- found_permissions.concat(subject.auth_scope(@scope).permission_class.where(:context_type => context.type, :context_id => nil).to_a) unless context.id.nil?
131
- found_permissions.concat(subject.auth_scope(@scope).permission_class.where(:context_type => nil, :context_id => nil).to_a) unless context.type.nil?
132
- found_permissions
133
- end
134
-
135
- def contextual_role(slug, context=false)
136
- return nil if subject.nil?
137
- context = (context == false) ? @context : parse_context(context)
138
- return subject.auth_scope(@scope) { target_role(slug, context.to_context) }
139
- end
140
- alias_method :role, :contextual_role
141
-
142
- def contextual_permission(slug, context=false)
143
- return nil if subject.nil?
144
- context = (context == false) ? @context : parse_context(context)
145
- return subject.auth_scope(@scope) { target_permission(slug, context.to_context) }
146
- end
147
- alias_method :permission, :contextual_permission
148
-
149
- def options
150
- {
151
- :default => @default,
152
- :actions => @actions.clone,
153
- :roles => @roles.clone,
154
- :permissions => @permissions.clone,
155
- :context => @context.clone,
156
- :force_context => @force_context,
157
- :subject_method => @subject_method,
158
- :scope => @scope,
159
- :mode => @mode,
160
- :collect_results => @collect_results,
161
- :allow => (@default_block_allow_rules.nil? ? @default_block_allow_rules : @default_block_allow_rules.clone),
162
- :deny => (@default_block_deny_rules.nil? ? @default_block_deny_rules : @default_block_deny_rules.clone),
163
- }
164
- end
165
-
166
- def set_options(opts)
167
- [:default, :actions, :roles, :permissions, :force_context, :mode, :collect_results, :subject_method, :scope].each do |key|
168
- instance_variable_set "@#{key.to_s}", opts[key] if opts.has_key?(key)
169
- end
170
- [:allow, :deny].each do |key|
171
- instance_variable_set "@default_block_#{key.to_s}_rules", opts[key] if opts.has_key?(key)
172
- end
173
- @context = parse_context(opts[:context]) if opts.has_key?(:context)
174
- self
175
- end
176
- alias_method :configure, :set_options
177
-
178
- def parse_context(context=nil)
179
- if context.is_a?(String) || context.is_a?(Symbol)
180
- if context.to_s.match(/^@.*$/)
181
- context = @controller.send(:instance_variable_get, context)
182
- elsif @controller.respond_to?(context.to_sym)
183
- context = @controller.send(context)
184
- end
185
- end
186
-
187
- Zuul::Context.parse(context)
188
- end
189
-
190
- def execute(&block)
191
- log_timer_start = Time.now.to_f
192
- if block_given?
193
- instance_eval(&block)
194
- else
195
- instance_eval do
196
- [:allow, :deny].each do |auth_type|
197
- auth_opts = instance_variable_get("@default_block_#{auth_type.to_s}_rules")
198
- next if auth_opts.nil?
199
-
200
- auth_actions = @actions
201
- auth_opts[:actions] = [auth_opts[:actions]] if auth_opts.has_key?(:actions) && !auth_opts[:actions].is_a?(Array)
202
- if !auth_opts.has_key?(:actions) || auth_opts[:actions].empty?
203
- auth_actions << @controller.params[:action].to_sym if auth_actions.empty?
204
- else
205
- auth_actions.concat(auth_opts[:actions])
206
- end
207
-
208
- actions auth_actions do
209
- [:roles, :permissions].each do |allowable_type|
210
- if auth_opts.has_key?(allowable_type)
211
- send "#{auth_type.to_s}_#{allowable_type.to_s}", auth_opts[allowable_type]
212
- end
213
- end
214
- end
215
- end
216
- end
217
- end
218
- # only collect results if configured & there are more filters in the chain
219
- logger.debug " \e[1;34mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m #{(authorized? ? "\e[1;32mALLOWED\e[0m" : "\e[1;31mDENIED\e[0m")} using \e[1m#{@default.to_s.upcase}\e[0m [#{results.map { |r| "\e[#{(r ? "32mallow" : "31mdeny")}\e[0m" }.join(",")}]"
220
- collect_results if @collect_results && @controller.class.acl_filters.length > 0
221
- end
222
-
223
- def authorized?
224
- if @default == :deny
225
- !(@results.empty? || @results.any? { |result| result == false })
226
- else
227
- (@results.empty? || !@results.all? { |result| result == false })
228
- end
229
- end
230
-
231
- def collect_results
232
- @results = [authorized?]
233
- end
234
-
235
- protected
236
-
237
- def initialize(controller, opts={})
238
- @controller = controller
239
- # TODO catch 22: need config for subject_method, but need subject_method to check if subject
240
- opts = {:subject_method => Zuul.configuration.subject_method, :scope => :default}.merge(opts)
241
- config = @controller.send(opts[:subject_method]).nil? ? Zuul.configuration : @controller.send(opts[:subject_method]).auth_scope(opts[:scope]).config
242
- opts = {:default => config.acl_default, :force_context => config.force_context, :context => nil, :mode => config.acl_mode, :collect_results => config.acl_collect_results, :allow => nil, :deny => nil, :actions => [], :roles => [], :permissions => []}.merge(opts)
243
- set_options opts
244
- @results = []
245
- end
246
-
247
- def logger
248
- @controller.logger
249
- end
250
- end
251
-
252
- class Actions < Base
253
- end
254
-
255
- class Actionable < Base
256
- def all
257
- all_actions
258
- end
259
-
260
- def allow?(role_or_perm)
261
- match? role_or_perm
262
- end
263
-
264
- def deny?(role_or_perm)
265
- match? role_or_perm
266
- end
267
- end
268
-
269
- class Roles < Actionable
270
-
271
- def match?(role)
272
- (@or_higher && subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_role_or_higher?(role, context.to_context, force_context) }) || (!@or_higher && subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_role?(role, context.to_context, force_context) })
273
- end
274
-
275
- def allow(*actions)
276
- log_timer_start = Time.now.to_f
277
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
278
- actions.concat(@actions)
279
- return if @roles.empty? || actions.empty?
280
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
281
- @roles.each do |role|
282
- if (role == logged_out && subject.nil?) ||
283
- (role == logged_in && !subject.nil?)
284
- @results << true
285
- return
286
- end
287
-
288
- next if subject.nil? # keep going in case :_zuul_logged_out is specified
289
-
290
- if allow?(role)
291
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[32mallow\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
292
- @results << true
293
- return
294
- end
295
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[32mallow\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
296
- end
297
- end
298
- end
299
-
300
- def deny(*actions)
301
- log_timer_start = Time.now.to_f
302
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
303
- actions.concat(@actions)
304
- return if @roles.empty? || actions.empty?
305
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
306
- @roles.each do |role|
307
- if (role == logged_out && subject.nil?) ||
308
- (role == logged_in && !subject.nil?)
309
- @results << false
310
- return
311
- end
312
-
313
- next if subject.nil? # keep going in case :_zuul_logged_out is specified
314
-
315
- if deny?(role)
316
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[31mdeny\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
317
- @results << false
318
- return
319
- end
320
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[31mdeny\e[0m role \e[1m#{role.is_a?(subject.auth_scope(@scope).role_class) ? "#{role.slug}[#{role.context.to_s}]" : role}\e[0m"
321
- end
322
- end
323
- end
324
-
325
- def or_higher(&block)
326
- opts = options.merge(:or_higher => true)
327
- dsl = self.class.new(@controller, opts)
328
- dsl.instance_eval(&block) if block_given?
329
-
330
- @results.concat dsl.results
331
- end
332
-
333
- protected
334
-
335
- def initialize(controller, opts={})
336
- super
337
- opts = {:or_higher => false}.merge(opts)
338
- @or_higher = opts[:or_higher]
339
- end
340
- end
341
-
342
- class Permissions < Actionable
343
-
344
- def match?(permission)
345
- subject.auth_scope(@scope, @context, @force_context) { |context, force_context| has_permission?(permission, context.to_context, force_context) }
346
- end
347
-
348
- def allow(*actions)
349
- log_timer_start = Time.now.to_f
350
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
351
- actions.concat(@actions)
352
- return if subject.nil? || @permissions.empty? || actions.empty?
353
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
354
- @permissions.each do |permission|
355
- if allow?(permission)
356
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[32mallow\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
357
- @results << true
358
- return
359
- end
360
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[32mallow\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
361
- end
362
- end
363
- end
364
-
365
- def deny(*actions)
366
- log_timer_start = Time.now.to_f
367
- actions = actions[0] if actions.length == 1 && actions[0].is_a?(Array)
368
- actions.concat(@actions)
369
- return if subject.nil? || @permissions.empty? || actions.empty?
370
- if actions.map(&:to_sym).include?(@controller.params[:action].to_sym)
371
- @permissions.each do |permission|
372
- if deny?(permission)
373
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mMATCH\e[0m for \e[31mdeny\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
374
- @results << false
375
- return
376
- end
377
- logger.debug " \e[1;33mACL (#{((Time.now.to_f - log_timer_start) * 1000.0).round(1)}ms)\e[0m \e[1mNO MATCH\e[0m for \e[31mdeny\e[0m permission \e[1m#{permission.is_a?(subject.auth_scope(@scope).role_class) ? "#{permission.slug}[#{permission.context.to_s}]" : permission}\e[0m"
378
- end
379
- end
380
- end
381
- end
382
10
  end
383
11
  end
384
12
  end
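Review bot: The new `require` lines load the split DSL files in an order that satisfies the subclass chain (`Actionable < Base`, then `Roles` and `Permissions`), but the new `actionable.rb` in the hunk below starts directly with `module Zuul` and references `Base` unqualified, so loading a split file on its own (a focused test, an autoloader) fails with an uninitialized constant; each split file should begin with `require 'zuul/action_controller/dsl/base'` (and `require 'zuul/action_controller/dsl/actionable'` for `roles` and `permissions`). The empty `module Zuul; module ActionController; module DSL` skeleton left in this file is harmless but now reads as dead code; a comment such as `# Loader for the DSL classes; the implementation lives in the required files.` would tell the reader why it remains.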
@@ -0,0 +1,19 @@
1
+ module Zuul
2
+ module ActionController
3
+ module DSL
4
+ class Actionable < Base
5
+ def all
6
+ all_actions
7
+ end
8
+
9
+ def allow?(role_or_perm)
10
+ match? role_or_perm
11
+ end
12
+
13
+ def deny?(role_or_perm)
14
+ match? role_or_perm
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
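Review bot: `Actionable` calls `match?` from both `allow?` and `deny?` without defining it, so it is an abstract base whose contract lives only in the subclasses, and a direct use fails with an unhelpful NoMethodError; an explicit `def match?(_role_or_perm)` / `raise NotImplementedError, "#{self.class} must implement match?"` / `end` (or at least a comment `# Abstract: subclasses must implement match?(role_or_perm)`) makes the contract visible. `allow?` and `deny?` are identical delegations, so a comment explaining why both exist (presumably so a subclass can make them diverge) would help the reader. The file carries no `require` and references `Base` unqualified, so it depends on being loaded after `base.rb`.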