
Factored out authorization rules browser

1 parent 395303e commit 663de5628d4da8ca8bfc1b7401e3c86f883c6ab6 @stffn committed Feb 12, 2009
99 app/controllers/authorization_rules_controller.rb
@@ -1,99 +0,0 @@
-class AuthorizationRulesController < ApplicationController
- filter_access_to :all, :require => :read
- def index
- respond_to do |format|
- format.html do
- @auth_rules_script = File.read("#{RAILS_ROOT}/config/authorization_rules.rb")
- end
- format.graph do
- render :layout => 'layout.html.erb'
- end
- format.dot do
- render :text => auth_to_dot(graph_options)
- end
- # image/svg+xml
- format.svg do
- render :text => dot_to_svg(auth_to_dot(graph_options))
- end
- # application/xacml+xml?
- #format.xacml do
- # render :text => File.read("#{RAILS_ROOT}/generated.xml")
- #end
- end
- end
-
- #def graph
- #end
-
- private
- def auth_to_dot (options = {})
- options = {
- :effective_role_privs => true,
- :privilege_hierarchy => false,
- :filter_roles => nil,
- :filter_contexts => nil
- }.merge(options)
-
- @roles = authorization_engine.roles
- @roles = @roles.select {|r| r == options[:filter_roles] } if options[:filter_roles]
- @role_hierarchy = authorization_engine.role_hierarchy
- @privilege_hierarchy = authorization_engine.privilege_hierarchy
-
- @contexts = authorization_engine.auth_rules.
- collect {|ar| ar.contexts.to_a}.flatten.uniq
- @contexts = @contexts.select {|c| c == options[:filter_contexts] } if options[:filter_contexts]
- @context_privs = {}
- @role_privs = {}
- authorization_engine.auth_rules.each do |auth_rule|
- @role_privs[auth_rule.role] ||= []
- auth_rule.contexts.
- select {|c| options[:filter_contexts].nil? or c == options[:filter_contexts]}.
- each do |context|
- @context_privs[context] ||= []
- @context_privs[context] += auth_rule.privileges.to_a
- @context_privs[context].uniq!
- @role_privs[auth_rule.role] += auth_rule.privileges.collect {|p| [context, p, auth_rule.attributes.empty?]}
- end
- end
-
- if options[:effective_role_privs]
- @roles.each do |role|
- @role_privs[role] ||= []
- (@role_hierarchy[role] || []).each do |lower_role|
- @role_privs[role].concat(@role_privs[lower_role]).uniq!
- end
- end
- end
-
- if options[:privilege_hierarchy]
- @context_privs.each do |context, privs|
- privs.each do |priv|
- context_lower_privs = (@privilege_hierarchy[priv] || []).
- select {|p,c| c.nil? or c == context}.
- collect {|p,c| p}
- privs.concat(context_lower_privs).uniq!
- end
- end
- end
-
- render_to_string :template => 'authorization_rules/index.dot.erb', :layout => false
- end
-
- def dot_to_svg (dot_data)
- gv = IO.popen("/usr/bin/dot -q -Tsvg", "w+")
- gv.puts dot_data
- gv.close_write
- gv.read
- rescue IOError, Errno::EPIPE => e
- raise Exception, "Error in call to graphviz: #{e}"
- end
-
- def graph_options
- {
- :effective_role_privs => !params[:effective_role_privs].blank?,
- :privilege_hierarchy => !params[:privilege_hierarchy].blank?,
- :filter_roles => params[:filter_roles].blank? ? nil : params[:filter_roles].to_sym,
- :filter_contexts => params[:filter_contexts].blank? ? nil : params[:filter_contexts].to_sym
- }
- end
-end
51 app/helpers/authorization_rules_helper.rb
@@ -1,51 +0,0 @@
-module AuthorizationRulesHelper
- def syntax_highlight (rules)
- regexps = {
- :constant => [/(:)(\w+)/],
- :proc => ['role', 'authorization', 'privileges'],
- :statement => ['has_permission_on', 'if_attribute', 'includes', 'privilege', 'to'],
- :operator => ['is', 'contains'],
- :special => ['user', 'true', 'false'],
- :preproc => ['do', 'end', /()(=&gt;)/, /()(\{)/, /()(\})/, /()(\[)/, /()(\])/],
- :comment => [/()(#.*$)/]#,
- #:privilege => [:read],
- #:context => [:conferences]
- }
- regexps.each do |name, res|
- res.each do |re|
- rules.gsub!(
- re.is_a?(String) ? Regexp.new("(^|[^:])\\b(#{Regexp.escape(re)})\\b") :
- (re.is_a?(Symbol) ? Regexp.new("()(:#{Regexp.escape(re.to_s)})\\b") : re),
- "\\1<span class=\"#{name}\">\\2</span>")
- end
- end
- rules
- end
-
- def link_to_graph (title, options = {})
- type = options[:type] || ''
- link_to_function title, "$$('object')[0].data = '#{url_for :action => 'index', :format => 'svg', :type => type}'"
- end
-
- def navigation
- link_to("Rules", :format => 'html') << ' | ' <<
- link_to("Graphical view", :format => 'graph') #<< ' | ' <<
- # 'Edit | ' <<
- # link_to("XACML export", :action => 'index', :format => 'xacml')
- end
-
- def role_color (role, fill = false)
- fill_colors = %w{#ffdddd #ddffdd #ddddff #ffffdd #ffddff #ddffff}
- colors = %w{#dd0000 #00dd00 #0000dd #dddd00 #dd00dd #00dddd}
- @@role_colors ||= {}
- @@role_colors[role] ||= begin
- idx = @@role_colors.length % colors.length
- [colors[idx], fill_colors[idx]]
- end
- @@role_colors[role][fill ? 1 : 0]
- end
-
- def role_fill_color (role)
- role_color(role, true)
- end
-end
48 app/views/authorization_rules/index.dot.erb
@@ -1,48 +0,0 @@
-
-digraph rules {
- compound = true
- edge [arrowhead=open]
- node [shape=box,fontname="sans-serif",fontsize="16"]
- fontname="sans-serif";fontsize="16"
- ranksep = "0.3"
- //concentrate = true
- rankdir = TB
- {
- node [shape=ellipse,style=filled]
- //rank = source
- <% @roles.each do |role| %>
- "<%= role.inspect %>" [fillcolor="<%= role_fill_color(role) %>"]
- <% end %>
- <% @roles.each do |role| %>
- <% (@role_hierarchy[role] || []).each do |lower_role| %>
- "<%= role.inspect %>" -> "<%= lower_role.inspect %>" [constraint=false,arrowhead=empty]
- <% end %>
- <% end %>
- }
-
- <% @contexts.each do |context| %>
- subgraph cluster_<%= context %> {
- label = "<%= context.inspect %>"
- style=filled; fillcolor="#eeeeee"
- node[fillcolor=white,style=filled]
- <% (@context_privs[context] || []).each do |priv| %>
- <%= priv %>_<%= context %> [label="<%= priv.inspect %>"]
- <% end %>
- <% (@context_privs[context] || []).each do |priv| %>
- <% (@privilege_hierarchy[priv] || []).
- select {|p,c| (c.nil? or c == context) and @context_privs[context].include?(p)}.
- each do |lower_priv, c| %>
- <%= priv %>_<%= context %> -> <%= lower_priv %>_<%= context %> [arrowhead=empty]
- <% end %>
- <% end %>
- //read_conferences -> update_conferences [style=invis]
- //create_conferences -> delete_conferences [style=invis]
- }
- <% end %>
-
- <% @roles.each do |role| %>
- <% (@role_privs[role] || []).each do |context, privilege, unconditionally| %>
- "<%= role.inspect %>" -> <%= privilege %>_<%= context %> [color="<%= role_color(role) %>", minlen=3<%= ", arrowhead=opendot" unless unconditionally %>]
- <% end %>
- <% end %>
-}
26 app/views/authorization_rules/index.graph.erb
@@ -1,26 +0,0 @@
-<h1>Authorization Rules Graph</h1>
-<p>Currently active rules in this application.</p>
-<p><%= navigation %></p>
-
-<% javascript_tag do %>
- function update_graph (form) {
- base_url = "<%= url_for :format => 'svg' %>";
- $('graph').data = base_url + '?' + form.serialize();
- }
-<% end %>
-<p>
- <% form_tag do %>
- <%#= link_to_graph "Rules" %>
- <%#= link_to_graph "Privilege hierarchy", :type => 'priv_hierarchy' %>
-
- <%= select_tag "filter_roles", options_for_select([["All roles",'']] + controller.authorization_engine.roles), :onchange => 'update_graph(this.form)' %>
- <%= select_tag "filter_contexts", options_for_select([["All contexts",'']] + controller.authorization_engine.auth_rules.collect {|ar| ar.contexts.to_a}.flatten.uniq), :onchange => 'update_graph(this.form)' %>
- <%= check_box_tag "effective_role_privs", "1", false, :onclick => 'update_graph(this.form)' %> <%= label_tag "effective_role_privs", "Effective privileges" %>
- <%= check_box_tag "privilege_hierarchy", "1", false, :onclick => 'update_graph(this.form)' %> <%= label_tag "privilege_hierarchy", "Show full privilege hierarchy" %>
- <% end %>
-</p>
-<div style="margin: 1em;border:1px solid #ccc;max-width:95%">
-<object id="graph" data="<%= url_for :format => 'svg' %>" type="image/svg+xml" style="max-width:100%"/>
-</div>
-<%= button_to_function "Zoom in", '$("graph").style.maxWidth = "";$(this).toggle();$(this).next().toggle()' %>
-<%= button_to_function "Zoom out", '$("graph").style.maxWidth = "100%";$(this).toggle();$(this).previous().toggle()', :style => 'display:none' %>
15 app/views/authorization_rules/index.html.erb
@@ -1,15 +0,0 @@
-<h1>Authorization Rules</h1>
-<p>Currently active rules in this application.</p>
-<p><%= navigation %></p>
-<style type="text/css">
- pre .constant {color: #a00;}
- pre .special {color: red;}
- pre .operator {color: red;}
- pre .statement {color: #00a;}
- pre .proc {color: #0a0;}
- pre .privilege, pre .context {font-weight: bold}
- pre .preproc, pre .comment, pre .comment span {color: grey !important;}
-</style>
-<pre>
-<%= syntax_highlight(h(@auth_rules_script)) %>
-</pre>
1 config/authorization_rules.rb
@@ -7,6 +7,7 @@
if_attribute :conference => {:published => true}
end
has_permission_on :users, :to => :create
+ has_permission_on :authorization_rules, :to => :read
end
role :user do
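Review bot: The added `has_permission_on :authorization_rules, :to => :read` grants access to the rules browser, which — per the controller removed in this same commit — reads and renders the full text of `config/authorization_rules.rb` and shells out to `/usr/bin/dot` with options derived from request parameters, so it belongs in an administrative role only. The `role … do` line enclosing this hunk is outside it, so I cannot confirm which role receives the grant; the following block is `role :user do`, which suggests this is a different, presumably more privileged role, but please verify. I would make the intent explicit with a comment above the line: `# exposes the raw authorization rules source and rule graph; keep this admin-only`. Note also that this commit removes the controller's routes and MIME type registrations from the app, so the grant only has effect if the updated declarative_authorization submodule supplies them.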
5 config/initializers/mime_types.rb
@@ -3,8 +3,3 @@
# Add new mime types for use in respond_to blocks:
# Mime::Type.register "text/richtext", :rtf
# Mime::Type.register_alias "text/html", :iphone
-
-Mime::Type.register("image/svg+xml", :svg)
-Mime::Type.register_alias("text/xml", :xacml)
-Mime::Type.register_alias("text/html", :graph)
-Mime::Type.register("text/plain", :dot)
35 config/routes.rb
@@ -1,6 +1,4 @@
ActionController::Routing::Routes.draw do |map|
- map.resources :authorization_rules
-
map.resources :conferences do |conference|
conference.resources :talks do |talk|
@@ -16,35 +14,6 @@
map.resources :users
map.resource :session
-
- map.connect 'authorization_rules/:action.:format', :controller => 'authorization_rules'
-
- #map.connect 'authorization_rules', :controller => 'authorization_rules', :action => 'index'
-
- # The priority is based upon order of creation: first created -> highest priority.
-
- # Sample of regular route:
- # map.connect 'products/:id', :controller => 'catalog', :action => 'view'
- # Keep in mind you can assign values other than :controller and :action
-
- # Sample of named route:
- # map.purchase 'products/:id/purchase', :controller => 'catalog', :action => 'purchase'
- # This route can be invoked with purchase_url(:id => product.id)
-
- # Sample resource route (maps HTTP verbs to controller actions automatically):
- # map.resources :products
-
- # Sample resource route with options:
- # map.resources :products, :member => { :short => :get, :toggle => :post }, :collection => { :sold => :get }
-
- # Sample resource route with sub-resources:
- # map.resources :products, :has_many => [ :comments, :sales ], :has_one => :seller
-
- # Sample resource route with more complex sub-resources
- # map.resources :products do |products|
- # products.resources :comments
- # products.resources :sales, :collection => { :recent => :get }
- # end
# Sample resource route within a namespace:
# map.namespace :admin do |admin|
@@ -58,6 +27,6 @@
# See how all your routes lay out with "rake routes"
# Install the default routes as the lowest priority.
- map.connect ':controller/:action/:id'
- map.connect ':controller/:action/:id.:format'
+ #map.connect ':controller/:action/:id'
+ #map.connect ':controller/:action/:id.:format'
end
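Review bot: The two default catch-all routes in the last hunk are commented out rather than deleted, which leaves the app one uncomment away from re-exposing every public controller action by URL; I would remove the lines and record the decision instead, e.g. `# Default ':controller/:action/:id' routes intentionally omitted: every action must be routed explicitly.` Disabling them is the right direction for an application that relies on per-action authorization, since a catch-all makes any public method on any controller reachable — that consequence is standard Rails routing behaviour, not something this diff shows. The first hunk also drops `map.resources :authorization_rules` and the `authorization_rules/:action.:format` route while `config/authorization_rules.rb` in this commit still grants `:read` on `:authorization_rules`, so the browser presumably now depends on the bumped `declarative_authorization` submodule to provide its own routes; worth confirming with `rake routes` that it is reachable and nothing else became reachable.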
2 vendor/plugins/declarative_authorization
@@ -1 +1 @@
-Subproject commit feb0d3f49e85a645c597c505ddefd3b1d99e6138
+Subproject commit ef1c21a88fc8031bed75ca38b6f44fe7fc45dd42
