/Koosa

Declarative Swift framework for Attributed Role-based Access Control management

Primary LanguageSwiftMIT LicenseMIT

Koosa   Build Status Coverage Status

Declarative Swift framework for Attributed Role-based Access Control management

Check out this blog post for full explanation and more details: Access Control Management with Swift

Example

Code In Action 
// Anyone can browse group, if it is public
Visitor.shouldBeAbleTo(BrowseGroup.action).when {
    guard let browseAction = $1 as? BrowseGroup else { return false }
    return browseAction.group.isPublicGroup
}

// Member can browse his groups + public groups
GroupMemberUser.shouldBeAbleTo(BrowseGroup.action).when {
    guard let groupMember = $0 as? GroupMember,
        let browseAction = $1 as? BrowseGroup else { return false }
    return groupMember.groupNumber == browseAction.group.groupNumber
}

// Member can post his groups 
GroupMemberUser.shouldBeAbleTo(PostToGroup.action).when {
    guard let groupMember = $0 as? GroupMember,
        let postAction = $1 as? PostToGroup else { return false }
    return groupMember.groupNumber == postAction.group.groupNumber
}

// Admin class extends Member + ability to delete
GroupAdminUser.shouldBeAbleTo(DeleteGroup.action).when {
    guard let groupAdmin = $0 as? GroupAdmin,
        let deleteAction = $1 as? DeleteGroup else { return false }
    return groupAdmin.groupNumber == deleteAction.group.groupNumber
}

// SuperAdmin can do everything
_ = SuperAdminUser.shouldBeAbleTo(BrowseGroup.action)
_ = SuperAdminUser.shouldBeAbleTo(DeleteGroup.action)
_ = SuperAdminUser.shouldBeAbleTo(PostToGroup.action)

Usage:

  1. Start by mapping each role in your requirements to a protocl that extends to prtocol Role or a protocl that extends it. Note that you can model role heirarchy using protocl inheritance.
protocol GroupMember: Role {
    var groupNumber: Int {set get}
}
protocol GroupAdmin: GroupMember { }
  1. Model your actions into classes/strcut that conforms to protocl Action.
struct BrowseGroup: Action {
    let group: Group
    
    init() {  // required default initializer
        group = Group(groupNumber: -1, isPublicGroup: false) // default froup
    }
    
    init(group: Group) {
        self.group = group
    }
}
  1. Use role protocls to create concrete role classes.
class GroupAdminUser: User, GroupAdmin {
    var groupNumber: Int
    init(name: String, age: Int, groupNumber: Int) {
        self.groupNumber = groupNumber
        super.init(name: name, age: age)
    }
    
    override required init() {
        self.groupNumber = -1
        super.init()
    }
}
  1. Add the policies.
GroupMemberUser.shouldBeAbleTo(BrowseGroup.action).when {
    guard let groupMember = $0 as? GroupMember,
        let browseAction = $1 as? BrowseGroup else { return false }
    return groupMember.groupNumber == browseAction.group.groupNumber
}
GroupAdminUser.shouldBeAbleTo(DeleteGroup.action).when {
    guard let groupAdmin = $0 as? GroupAdminUser,
        let deleteAction = $1 as? DeleteGroup else {
            return false
    }
    return groupAdmin.groupNumber == deleteAction.group.groupNumber
}
_ = SuperAdminUser.shouldBeAbleTo(BrowseGroup.action)
  1. Now you can validate if any user can do any action.
let member1 = GroupMemberUser(name: "member1", age: 18, groupNumber: 1)
let admin2 = GroupAdminUser(name: "admin2", age: 22, groupNumber: 2)
let group1 = Group(groupNumber: 1, isPublicGroup: false)
let group2 = Group(groupNumber: 2, isPublicGroup: false)
member1.can(BrowseGroup(group: group1) // true
member1.can(BrowseGroup(group: group2) // false
admin2.can(BrowseGroup(group: group1) // true: GroupAdmin inherits BrowseGroup permission from GroupMember
admin2.can(DeleteGroup(group: group2) // true
admin2.can(DeleteGroup(group: group1) // false

Installation

Koosa can be installed using CocoaPods

use_frameworks!
pod 'Koosa'

License

MIT