2018-12-13 13:39:08 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
require_dependency 'declarative_policy/cache'
|
|
|
|
require_dependency 'declarative_policy/condition'
|
2018-05-09 12:01:36 +05:30
|
|
|
require_dependency 'declarative_policy/delegate_dsl'
|
|
|
|
require_dependency 'declarative_policy/policy_dsl'
|
|
|
|
require_dependency 'declarative_policy/rule_dsl'
|
2017-09-10 17:25:29 +05:30
|
|
|
require_dependency 'declarative_policy/preferred_scope'
|
|
|
|
require_dependency 'declarative_policy/rule'
|
|
|
|
require_dependency 'declarative_policy/runner'
|
|
|
|
require_dependency 'declarative_policy/step'
|
|
|
|
|
|
|
|
require_dependency 'declarative_policy/base'
|
|
|
|
|
|
|
|
module DeclarativePolicy
|
2020-04-08 14:13:33 +05:30
|
|
|
extend PreferredScope
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
CLASS_CACHE_MUTEX = Mutex.new
|
|
|
|
CLASS_CACHE_IVAR = :@__DeclarativePolicy_CLASS_CACHE
|
|
|
|
|
|
|
|
class << self
|
|
|
|
def policy_for(user, subject, opts = {})
|
|
|
|
cache = opts[:cache] || {}
|
|
|
|
key = Cache.policy_key(user, subject)
|
|
|
|
|
2018-11-18 11:00:15 +05:30
|
|
|
cache[key] ||=
|
2019-02-15 15:39:39 +05:30
|
|
|
# to avoid deadlocks in multi-threaded environment when
|
|
|
|
# autoloading is enabled, we allow concurrent loads,
|
2019-12-04 20:38:33 +05:30
|
|
|
# https://gitlab.com/gitlab-org/gitlab-foss/issues/48263
|
2019-02-15 15:39:39 +05:30
|
|
|
ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
|
2018-11-18 11:00:15 +05:30
|
|
|
class_for(subject).new(user, subject, opts)
|
|
|
|
end
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
def class_for(subject)
|
|
|
|
return GlobalPolicy if subject == :global
|
|
|
|
return NilPolicy if subject.nil?
|
|
|
|
|
|
|
|
subject = find_delegate(subject)
|
|
|
|
|
|
|
|
policy_class = class_for_class(subject.class)
|
|
|
|
raise "no policy for #{subject.class.name}" if policy_class.nil?
|
2018-03-17 18:26:18 +05:30
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
policy_class
|
|
|
|
end
|
|
|
|
|
|
|
|
def has_policy?(subject)
|
|
|
|
!class_for_class(subject.class).nil?
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
# This method is heavily cached because there are a lot of anonymous
|
|
|
|
# modules in play in a typical rails app, and #name performs quite
|
|
|
|
# slowly for anonymous classes and modules.
|
|
|
|
#
|
|
|
|
# See https://bugs.ruby-lang.org/issues/11119
|
|
|
|
#
|
|
|
|
# if the above bug is resolved, this caching could likely be removed.
|
|
|
|
def class_for_class(subject_class)
|
|
|
|
unless subject_class.instance_variable_defined?(CLASS_CACHE_IVAR)
|
|
|
|
CLASS_CACHE_MUTEX.synchronize do
|
|
|
|
# re-check in case of a race
|
|
|
|
break if subject_class.instance_variable_defined?(CLASS_CACHE_IVAR)
|
|
|
|
|
|
|
|
policy_class = compute_class_for_class(subject_class)
|
|
|
|
subject_class.instance_variable_set(CLASS_CACHE_IVAR, policy_class)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
subject_class.instance_variable_get(CLASS_CACHE_IVAR)
|
|
|
|
end
|
|
|
|
|
|
|
|
def compute_class_for_class(subject_class)
|
|
|
|
subject_class.ancestors.each do |klass|
|
|
|
|
next unless klass.name
|
|
|
|
|
|
|
|
begin
|
2019-12-26 22:10:19 +05:30
|
|
|
klass_name =
|
|
|
|
if subject_class.respond_to?(:declarative_policy_class)
|
|
|
|
subject_class.declarative_policy_class
|
|
|
|
else
|
|
|
|
"#{klass.name}Policy"
|
|
|
|
end
|
|
|
|
|
|
|
|
policy_class = klass_name.constantize
|
2017-09-10 17:25:29 +05:30
|
|
|
|
|
|
|
# NOTE: the < operator here tests whether policy_class
|
|
|
|
# inherits from Base. We can't use #is_a? because that
|
|
|
|
# tests for *instances*, not *subclasses*.
|
|
|
|
return policy_class if policy_class < Base
|
|
|
|
rescue NameError
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def find_delegate(subject)
|
|
|
|
seen = Set.new
|
|
|
|
|
|
|
|
while subject.respond_to?(:declarative_policy_delegate)
|
|
|
|
raise ArgumentError, "circular delegations" if seen.include?(subject.object_id)
|
2018-03-17 18:26:18 +05:30
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
seen << subject.object_id
|
|
|
|
subject = subject.declarative_policy_delegate
|
|
|
|
end
|
|
|
|
|
|
|
|
subject
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|