Class: Authorization::DevelopmentSupport::ChangeAnalyzer

Inherits:
AbstractAnalyzer show all
Defined in:
lib/declarative_authorization/development_support/change_analyzer.rb

Overview

Ideas for improvement

  • Algorithm

    • Plan by tackling each condition separately

      • e.g. two users have a permission through the same role, one should lose that

    • Consider privilege hierarchy

    • Consider merging, splitting roles, role hierarchies

    • Add privilege to existing rules

  • Features

    • Show consequences from changes: which users are affected, show users in graph

    • restructure GUI layout: more room for analyzing suggestions

  • AI: planning: ADL-like, actions with preconditions and effects

  • Removing need of intention

  • Evaluation of approaches with Analyzer algorithms

  • Consider constraints

NOTE:

  • user.clone needs to clone role_symbols

  • user.role_symbols needs to respond to <<

  • user.login is needed

Defined Under Namespace

Classes: Approach, ApproachChecker, Step

Instance Attribute Summary

Attributes inherited from AbstractAnalyzer

#engine

Instance Method Summary (collapse)

Methods inherited from AbstractAnalyzer

#initialize, #roles, #rules

Constructor Details

This class inherits a constructor from Authorization::DevelopmentSupport::AbstractAnalyzer

Instance Method Details

- (Object) find_approaches_for(change_action, type, options, &tests)

Raises:

  • (ArgumentError)


30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# File 'lib/declarative_authorization/development_support/change_analyzer.rb', line 30

def find_approaches_for (change_action, type, options, &tests)
  raise ArgumentError, "Missing options" if !options[:on] or !options[:to]

  # * strategy for removing: [remove privilege, add privilege to different role]
  @seen_states = Set.new
  # * heuristic: change of failed tests;  small number of policy items
  strategy = case [change_action, type]
             when [:remove, :permission]
               [:remove_role_from_user, :remove_privilege, :add_privilege,
                 :add_role, :assign_role_to_user]
             when [:add, :permission]
               [:add_role, :add_privilege, :assign_role_to_user]
             else
               raise ArgumentError, "Unknown change action/type: #{[change_action, type].inspect}"
             end

  candidates = []
  viable_approaches = []
  approach_checker = ApproachChecker.new(self, tests)

  starting_candidate = Approach.new(@engine, options[:users], [])
  if starting_candidate.check(approach_checker)
    viable_approaches << starting_candidate
  else
    candidates << starting_candidate
  end

  step_count = 0
  while !candidates.empty? and step_count < 100
    next_step(viable_approaches, candidates, approach_checker, options[:to], 
        options[:on], strategy)
    step_count += 1
  end

  # remove subsets

  viable_approaches.sort!
end