Class: Ixtlan::Guard::Guard

Inherits:
Object
  • Object
show all
Defined in:
lib/ixtlan/guard/guard.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ Guard

Returns a new instance of Guard.



9
10
11
12
13
14
 
# File 'lib/ixtlan/guard/guard.rb', line 9

def initialize(options = {})
  options[:guards_dir] ||= File.expand_path(".")
  @superuser = [(options[:superuser] || "root").to_s]
  @config = Config.new(options)
  @logger = options[:logger]
end

Instance Attribute Details

#superuserObject (readonly)

Returns the value of attribute superuser.



7
8
9
 
# File 'lib/ixtlan/guard/guard.rb', line 7

def superuser
  @superuser
end

Instance Method Details

#allowed?(resource, action, groups, &block) ⇒ Boolean

Returns:

  • (Boolean) 


96
97
98
 
# File 'lib/ixtlan/guard/guard.rb', line 96

def allowed?(resource, action, groups, &block)
  check(resource, action, groups, &block) != nil
end

#allowed_groups(resource_name, action, current_group_names) ⇒ Object 



40
41
42
43
44
45
46
47
48
49
50
51
 
# File 'lib/ixtlan/guard/guard.rb', line 40

def allowed_groups(resource_name, 
                   action, 
                   current_group_names)
  allowed = @config.allowed_groups(resource_name, action)
  allowed = allowed - blocked_groups + @superuser
  if allowed.member?('*')
    # keep superuser in current_groups if in there
    current_group_names - (blocked_groups - @superuser)
  else
    allowed & current_group_names
  end
end

#block_groups(groups) ⇒ Object 



20
21
22
23
24
 
# File 'lib/ixtlan/guard/guard.rb', line 20

def block_groups(groups)
  @blocked_groups = (groups || []).collect { |g| g.to_s}
  @blocked_groups.delete(@superuser)
  @blocked_groups
end

#blocked_groupsObject 



26
27
28
 
# File 'lib/ixtlan/guard/guard.rb', line 26

def blocked_groups
  @blocked_groups ||= []
end

#check(resource_name, action, current_groups, &block) ⇒ Object 



69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
 
# File 'lib/ixtlan/guard/guard.rb', line 69

def check(resource_name, action, current_groups, &block)
  action = action.to_s
  group_map = group_map(current_groups)
  allowed_group_names = allowed_groups(resource_name, action, group_map.keys)

  if allowed_group_names.size > 0
    groups = allowed_group_names.collect { |name| group_map[name] }
    # call block to filter groups unless we are superuser
    if block && !allowed_group_names.member?(superuser_name)
      groups = block.call(groups)
    end
    
    logger.debug { "guard #{resource_name}##{action}: #{groups.size > 0}" }

    # nil means 'access denied', i.e. there are no allowed groups
    groups if groups.size > 0
  else
    unless @config.has_guard?(resource_name)
      raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource_name}'")
    else
      logger.debug { "guard #{resource_name}##{action}: #{allowed_group_names.size > 0}" }
      # nil means 'access denied', i.e. there are no allowed groups
      nil
    end
  end
end

#loggerObject 



30
31
32
33
34
35
36
37
38
 
# File 'lib/ixtlan/guard/guard.rb', line 30

def logger
  @logger ||= 
    if defined?(Slf4r::LoggerFactory)
      Slf4r::LoggerFactory.new(Ixtlan::Guard)
    else
      require 'logger'
      Logger.new(STDOUT)
    end
end

#permissions(current_groups, &block) ⇒ Object 



100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
 
# File 'lib/ixtlan/guard/guard.rb', line 100

def permissions(current_groups, &block)
  group_map = group_map(current_groups)
  perms = []
  m = @config.map_of_all
  m.each do |resource, actions|
    nodes = []
    perm = Node.new(:permission)
    perm[:resource] = resource
    perm[:actions] = nodes

    # setup default_groups
    default_groups = actions.delete('defaults') || []
    default_groups = group_map.keys & (default_groups + @superuser) unless default_groups.member?('*')

    deny = if actions.size == 0
             # no actions
             # deny = false: !default_groups.member?('*')
             # deny = true: default_groups.member?('*') || current_group_names.member?(@superuser[0])
             default_groups.member?('*') || group_map.keys.member?(@superuser[0]) || !group_map.keys.detect {|g| default_groups.member? g }.nil?
           else
             # actions
             # deny = false : default_groups == []
             # deny = true : default_groups.member?('*')
             default_groups.size != 0 || default_groups.member?('*')
           end
    perm[:deny] = deny

    actions.each do |action, groups|
      group_names = groups.collect { |g| g.is_a?(Hash) ? g.keys : g }.flatten if groups
      node = Node.new(:action)
      allowed_groups = 
        if groups && group_names.member?('*')
          group_map.values
        else
          names = group_map.keys & ((group_names || []) + @superuser)
          names.collect { |name| group_map[name] }
        end

      if (deny && allowed_groups.size == 0) || (!deny && allowed_groups.size > 0)
        node[:name] = action
        if block
          if allowed_groups.size > 0
            assos = block.call(resource, allowed_groups)
            node[:associations] = assos if assos && assos.size > 0
          else
            assos = block.call(resource, group_map.values)
            perm[:associations] = assos if assos && assos.size > 0
          end
        end
        nodes << node
      elsif deny && allowed_groups.size > 0 && block
        assos = block.call(resource, group_map.values)
        perm[:associations] = assos if assos && assos.size > 0
      end
    end
    # TODO is that right like this ?
    # only default_groups, i.e. no actions !!!
    if block && actions.size == 0 && deny
      assos = block.call(resource, group_map.values)
      perm[:associations] = assos if assos && assos.size > 0
    end
    perms << perm
  end
  perms
end

#superuser_nameObject 



16
17
18
 
# File 'lib/ixtlan/guard/guard.rb', line 16

def superuser_name
  @superuser[0]
end