= Walruz: Simple yet Powerful Policy Composition Authorization Framework

== Rails Integration

See walruz-rails[http://github.com/noomii/walruz-rails] gem.

== Basic and Terminology

Walruz facilitates the separation between the authorization process on the business logic and the actions executed after the validation of the authorizations. To understand how it works, we will follow the following terminology:

[<b>Subject</b>] Object that is going to be managed (Profile, Posts).
[<b>Actor</b>] Entity that wants to perform an action on a <em>subject</em> (User, Admin).
[<b>Policy</b>] A set of rules that tells if the <em>actor</em> can perform the desired action on the <em>subject</em>.

== Walruz Architecture 

Walruz provides modules and classes that help on the implementation of the concepts given previously, this are:
  
[<b><tt>Walruz::Subject</tt></b>]
  Module that provides the interface to associate policies to an action in the <em>subject</em>.
  
[<b><tt>Walruz::Actor</tt></b>]
  Module that provides the interface to perform queries to validate if an action can be done between the
  <em>actor</em> and the <em>subject</em>.
    
[<b><tt>Walruz::Policy</tt></b>]
  Class that provides the interface to implement authorization logic.

== Subjects specify which policies are related to which actions

Subject classes may specify a set of actions that can be performed to them using the <tt>check_authorization</tt> method

  class User
    include Walruz::Subject
    
    check_authorization :read => UserReadPolicy,
                        :update => UserUpdatePolicy
  end

If there is just one <em>policy</em> to every possible action performed to the <em>subject</em>, you may specify the :default action, or just specify the Policy class.

Example:

  class User
    include Walruz::Subject
  
    check_authorization UserPolicy
  end

or

  class User
    include Walruz::Subject
  
    check_authorization :default => UserPolicy
  end
  
You can also specify other flags with the default flag.

  class User
    include Walruz::Subject

    check_authorization :read => UserReadPolicy,
                        :update => UserUpdatePolicy,
                        :default => UserPolicy
  end

== Actors verify if they are able to perform an action on a subject

Actor classes can use several methods to check if the <em>actor</em> instance can perform the given action on a <em>subject</em>. This are:

[<b><tt>can?(action, subject)</tt></b>] Returns boolean that says if the <em>actor</em> can execute or not the action on the <em>subject</em>.

[<b><tt>authorize(action, subject)</tt></b>] In case the <em>actor</em> can execute the action on the <em>subject</em>, it returns the parameters hash from the <em>policy</em>, otherwise it will return <tt>nil</tt>

[<b><tt>authorize!(action, subject)</tt></b>] In case the <em>actor</em> can execute the action on the <em>subject</em>, it returns the parameters hash from the <em>policy</em>, otherwise it will raise a <tt>Walruz::NotAuthorized</tt> error.

[<b><tt>satisfies?(policy_label, subject)</tt></b>] It behaves just like the <tt>can?</tt> method, but instead of giving an action to be executed to the <em>subject</em>, it receives a <em>policy label</em> (More on <em>policy labels</em> next).

In case the given action is not assigned to any <em>policy</em>, a default Policy will be executed (if given), if no default <em>policy</em> is given then a <tt>Walruz::ActionNotFound</tt> exception will be raised.

Examples:
  
  current_user.can?(:read, friends_profile)      #=> true
  current_user.satisfies?(:actor_is_admin, nil)  #=> false
  current_user.satisfies(:actor_is_admin, nil)  #=> nil
  current_user.authorize(:read, friends_profile) #=> Hash
  current_user.authorize!(:read, other_person_profile) # => raises Walruz::NotAuthorized 

== Implementing Policies

To implement a <em>policy</em>, it is necessary to inherit from the Walruz::Policy class. This class provides a method called <tt>authorized?</tt> that return either a Boolean, or an Array of two items, the first one being a Boolean, and the second being a Hash of parameters returned from the Policy.

Every Policy Class also has a label associated to it, by default the label will be the name of the class in underscore case; if you want to have a custom label for a Policy Class, you can invoke the <tt>set_policy_label</tt> method on the class context and specify the label that you want for it. This label is used on the <tt>satisfies?</tt> method.

Examples:
  
  class ActorIsAdmin < Walruz::Policy
    set_policy_label :is_admin
  
    def authorized?(actor, _)
      actor.is_admin?
    end
  
  end
  
  class UserIsFriend < Walruz::Policy
  
    def authorized?(current_user, friend)
      friendship = Friendship.first(:conditions => { :friend_id => current_user.id, :owner_id => friend.id})
      if !friendship.nil?
        [true, {
          :friendship => friendship
        }]
      else
        false
      end
    end
  
  end
  
  # Examples using this policies with the satisfies method
  
  current_user.satisfies?(:is_admin, nil)
  
  # By default, the policy label is the name of the class in underscore case.
  current_user.satisfies?(:user_is_friend, other_user)


== Composing basic policies to create complex ones

Sometimes policies can turn really messy, specially when you have a complex business model. The good news is that normally this complex policies are a composition of more simple policies (e.g. <tt>ActorCanSeeUserPictures</tt>). Instead of creating this new classes that replicates the same logic of basic policies, we could merge them together in the following way:

  ActorCanSeeUserPictures = Walruz::Utils.all(UserIsFriend, UserAllowsDisclosureOfPictures)

There is also the utility methods <tt>any</tt> and <tt>not</tt>, to create combinations of policies. 

If your <em>policy</em> returns a parameters hash, and you are using the <tt>all</tt> method, the parameters of each <em>policy</em> will be merged together, if you are using the <tt>any</tt> method, the parameters of the first <em>policy</em> that returns true will be returned.

One other thing that the utility methods does for you is that it leaves its track on the returned <em>policy</em> parameters, when you invoke a composite <em>policy</em>, every <em>policy</em> will leave in the parameters hash the policy_label with a question mark at the end, that way you can know which policies were successful or not. 

Example:
  
  class ActorIsAdmin < Walruz::Policy 
    set_policy_label :is_admin

    def authorized?(actor, _)
      actor.is_admin?
    end

  end
  
  class ActorIsSubject < Walruz::Policy
    def authorized?(actor, subject); actor == subject; end
  end
  
  UserReadPolicy = any(ActorIsSubject, ActorIsAdmin)
  
  class User < AbstractORM
    include Walruz::Subject
    
    check_authorizations :read => UserReadPolicy
  end
  
  class UsersController < Framework::Controller
    def show
      policy_params = current_user.authorize(:read, other_user)
      if policy_params[:actor_is_subject?]
        # do logic of the user interacting with herself
      elsif policy_params[:is_admin?]
        # do logic of the admin user interacting with other user
      else
        # do other logic here...
      end
    end
  end

== Dependencies between Policies

Sometimes you would like to have a Policy that strictly depends in other policies, on the previous example <tt>UserAllowsDisclosureOfPictures</tt> could have a dependency that says that only the User allows the disclosure of pictures if and only if there is a friend relationship, so we could re-implement this <em>policy</em> as:

Example:

  class UserAllowsDisclosureOfPictures < Walruz::Policy
    depends_on UserIsFriend
    # ...
  end

Suppose you need the parameters returned by the previous Policy, you can have them with the <tt>params</tt> method.

Example:

  class UserAllowsDisclosureOfPictures < Walruz::Policy
    depends_on UserIsFriend
    
    def authorized?(_, _)
      params[:friendship].allows_disclosure_of_images?
    end
    
  end
  
== Policy combinators

Sometimes you would like to execute policies that are not directly related to a <em>subject</em>, but to the association of a <em>subject</em>. Given the example above of the friendship relationship and the disclosure of pictures, sometimes you would like to check if a user can see a picture directly on the picture model.

Suppose we have the following model in our system:

  class Picture < AbstractORM
    belongs_to :owner
  end

and we would like to check if the <tt>current_user</tt> can see (read) the picture using:

  current_user.can?(:read, picture_instance)
  
If you may recall, we already implemented the logic that checks that authorization in <tt>UserAllowsDisclosureOfPictures</tt>, but that <em>policy</em> only works when the <em>subject</em> is of class User; given that you have a <em>subject</em> of class Picture you can not re-use this <em>policy</em>.

You could solve this issue doing the following:

  class PictureReadPolicy < Walruz::Policy
    
    def authorized?(user, image)
      user.satisfies?(UserAllowsDisclosureOfPictures, image.owner)
    end
    
  end

But as you may see, we are just creating new policies to handle old ones, we are not combining the policies effectively. To avoid this caveat, you can use the <tt>PolicyClass.for_subject</tt> method:

  PictureReadPolicy = UserAllowsDisclosureOfPictures.for_subject(:owner)
  
  class Picture < AbstractORM
    include Walruz::Subject
    belongs_to :owner
    
    check_authorizations :read => PictureReadPolicy
  end
  
The parameter of <tt>for_subject</tt> is the name of the <em>subject's</em> method that will return a new <em>subject</em>, this new <em>subject</em> is then passed through the <em>policy</em>. Pretty neat eh?

== Returning custom errors

Suppose you want to add an error to the authorization failure that is a more descriptive, you can do so on the <tt>authorized?</tt> method passing a hash with a <tt>:error_message</tt> key on the false return. If you use the <tt>authorize!</tt> method on the <em>actor</em> model, this will become the <tt>Walruz::NotAuthorized</tt> error message.

Example:
  
  class SomePolicy < Walruz::Policy
  
    def authorized?(actor, subject)
      # some complex logic here
      return [false, {
        :error_message => 'More descriptive error message'
      }]
    end
  end


== Conventions

You'll notice that once you start implementing policies for your system, you'll be lost soon enough asking yourself which type of <em>subject</em> a Policy receives; to avoid such confusions, we suggest that you apply the following rules of thumb:

- The first name of the <em>policy</em> should be the Subject class (e.g. <tt>UserIsFriend</tt>)
- If the <em>policy</em> only applies to the <em>actor</em>, the <em>policy</em> class name should start with the Actor word (e.g. <tt>ActorIsAdmin</tt>)
- You should always have the compositions of policies in just one place in your library folder (e.g. in <tt>policies.rb</tt> file).
- The result of <em>policy</em> compositions should finish with the word Policy (e.g <tt>UserDeletePolicy = any(ActorIsSubject, ActorIsAdmin)</tt>)
- Use <tt>PolicyClass.for_subject</tt> when you are combining the <em>policy</em> class with other policies, if you are not doing this, consider checking authorizations on parents of the <em>subject</em> instead of the <em>subject</em> (e.g. <tt>current_user.can?(:see_pictures_of, picture.owner)</tt>)

If you follow this rules, it will be much easier for you to merge policies together in an efficient way.

== More examples

You may check the project in the examples/ directory for more info; on the rails project, take a look on the <tt>spec/models/beatle_spec.rb</tt> file, it's really illustrating.

== Copyright

Copyright (c) 2009 Roman Gonzalez <romanandreg@gmail.com>.

Copyright (c) 2009 Noomii inc. <http://www.noomii.com>.

All rights reserved.