feat:add not using policy for model

casbin · Feb 15, 2024 · b2c81d5 · b2c81d5
1 parent 2c363e1
commit b2c81d5
Show file tree

Hide file tree

Showing 8 changed files with 246 additions and 1 deletion.
diff --git a/examples/abac_not_using_policy_model.conf b/examples/abac_not_using_policy_model.conf
@@ -0,0 +1,11 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+m = r.sub == r.obj.Owner
diff --git a/examples/abac_rule_effect_policy.csv b/examples/abac_rule_effect_policy.csv
@@ -0,0 +1,4 @@
+p, alice, /data1, read, deny
+p, alice, /data1, write, allow
+p, bob, /data2, write, deny
+p, bob, /data2, read, allow
diff --git a/examples/comment_model.conf b/examples/comment_model.conf
@@ -0,0 +1,12 @@
+[request_definition]
+r = sub, obj, act ; Request definition
+
+[policy_definition]
+p = sub, obj, act
+
+[policy_effect]
+e = some(where (p.eft == allow)) # This is policy effect.
+
+# Matchers
+[matchers]
+m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
diff --git a/examples/keymatch_custom_model.conf b/examples/keymatch_custom_model.conf
@@ -0,0 +1,11 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = r.sub == p.sub && keyMatchCustom(r.obj, p.obj) && regexMatch(r.act, p.act)
diff --git a/examples/rbac_model_in_multi_line.conf b/examples/rbac_model_in_multi_line.conf
@@ -0,0 +1,15 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj \
+ && r.act == p.act
diff --git a/src/main/java/org/casbin/jcasbin/config/Config.java b/src/main/java/org/casbin/jcasbin/config/Config.java
@@ -120,6 +120,12 @@ private void parseBuffer(BufferedReader buf) throws IOException {
             } else if (line.startsWith("[") && line.endsWith("]")) {
                 section = line.substring(1, line.length() - 1);
             } else {
+                int index1 = line.indexOf(DEFAULT_COMMENT);
+                int index2 = line.indexOf(DEFAULT_COMMENT_SEM);
+                int index = (index1 != -1 && index2 != -1) ? Math.min(index1, index2) : (index1 != -1) ? index1 : (index2 != -1) ? index2 : -1;
+                if (index != -1)
+                    line = line.substring(0, index);
+
                 String[] optionVal = line.split("=", 2);
                 if (optionVal.length != 2) {
                     throw new IllegalArgumentException(String.format("parse the content error : line %d , %s = ? ", lineNum, optionVal[0]));

diff --git a/src/main/java/org/casbin/jcasbin/main/CoreEnforcer.java b/src/main/java/org/casbin/jcasbin/main/CoreEnforcer.java
@@ -571,7 +571,7 @@ private EnforceResult enforce(String matcher, Object... rvals) {
         final int policyLen = policy.size();
         int explainIndex = -1;
 
-        if (policyLen != 0) {
+        if (policyLen != 0 && expString.contains(pType+"_")) {
             policyEffects = new Effect[policyLen];
             matcherResults = new float[policyLen];
 

diff --git a/src/test/java/org/casbin/jcasbin/main/ModelUnitTest.java b/src/test/java/org/casbin/jcasbin/main/ModelUnitTest.java
@@ -14,10 +14,14 @@
 
 package org.casbin.jcasbin.main;
 
+import com.googlecode.aviator.runtime.function.FunctionUtils;
+import com.googlecode.aviator.runtime.type.AviatorBoolean;
+import com.googlecode.aviator.runtime.type.AviatorObject;
 import org.casbin.jcasbin.persist.file_adapter.AdapterMock;
 import org.casbin.jcasbin.rbac.RoleManager;
 import org.casbin.jcasbin.util.BuiltInFunctions;
 import org.casbin.jcasbin.util.Util;
+import org.casbin.jcasbin.util.function.CustomFunction;
 import org.junit.Test;
 
 import java.util.*;
@@ -524,6 +528,64 @@ public void testABACTypes(){
         }
     }
 
+    @Test
+    public void testABACJsonRequest(){
+        Enforcer e1 = new Enforcer("examples/abac_model.conf");
+        e1.enableAcceptJsonRequest(true);
+
+        Map data1Json = new HashMap<String,String>();
+        data1Json.put("Name", "data1");
+        data1Json.put("Owner", "alice");
+        Map data2Json = new HashMap<String,String>();
+        data2Json.put("Name", "data2");
+        data2Json.put("Owner", "bob");
+
+        testEnforce(e1, "alice", data1Json, "read", true);
+        testEnforce(e1, "alice", data1Json, "write", true);
+        testEnforce(e1, "alice", data2Json, "read", false);
+        testEnforce(e1, "alice", data2Json, "write", false);
+        testEnforce(e1, "bob", data1Json, "read", false);
+        testEnforce(e1, "bob", data1Json, "write", false);
+        testEnforce(e1, "bob", data2Json, "read", true);
+        testEnforce(e1, "bob", data2Json, "write", true);
+
+
+        Enforcer e2 = new Enforcer("examples/abac_not_using_policy_model.conf", "examples/abac_rule_effect_policy.csv");
+        e2.enableAcceptJsonRequest(true);
+
+        testEnforce(e2, "alice", data1Json, "read", true);
+        testEnforce(e2, "alice", data1Json, "write", true);
+        testEnforce(e2, "alice", data2Json, "read", false);
+        testEnforce(e2, "alice", data2Json, "write", false);
+
+
+        Enforcer e3 = new Enforcer("examples/abac_rule_model.conf", "examples/abac_rule_policy.csv");
+        e3.enableAcceptJsonRequest(true);
+
+        Map sub1Json = new HashMap<String,Object>();
+        sub1Json.put("Name", "alice");
+        sub1Json.put("Age", 16);
+        Map sub2Json = new HashMap<String,String>();
+        sub2Json.put("Name", "alice");
+        sub2Json.put("Age", 20);
+        Map sub3Json = new HashMap<String,String>();
+        sub3Json.put("Name", "alice");
+        sub3Json.put("Age", 65);
+
+        testEnforce(e3, sub1Json, "/data1", "read", false);
+        testEnforce(e3, sub1Json, "/data2", "read", false);
+        testEnforce(e3, sub1Json, "/data1", "write", false);
+        testEnforce(e3, sub1Json, "/data2", "write", true);
+        testEnforce(e3, sub2Json, "/data1", "read", true);
+        testEnforce(e3, sub2Json, "/data2", "read", false);
+        testEnforce(e3, sub2Json, "/data1", "write", false);
+        testEnforce(e3, sub2Json, "/data2", "write", true);
+        testEnforce(e3, sub3Json, "/data1", "read", true);
+        testEnforce(e3, sub3Json, "/data2", "read", false);
+        testEnforce(e3, sub3Json, "/data1", "write", false);
+        testEnforce(e3, sub3Json, "/data2", "write", false);
+    }
+
     @Test
     public void testKeyMatchModel() {
         Enforcer e = new Enforcer("examples/keymatch_model.conf", "examples/keymatch_policy.csv");
@@ -561,6 +623,41 @@ public void testKeyMatch2Model() {
         testEnforce(e, "alice", "/alice_data2/myid/using/res_id", "GET", true);
     }
 
+    public boolean customFunction(String key1, String key2){
+        if (key1.equals("/alice_data2/myid/using/res_id") && key2.equals("/alice_data/:resource")){
+            return true;
+        } else if (key1.equals("/alice_data2/myid/using/res_id") && key2.equals("/alice_data2/:id/using/:resId")){
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    public class customFunctionWrapper extends CustomFunction{
+        @Override
+        public AviatorObject call(Map<String, Object> env, AviatorObject arg1, AviatorObject arg2) {
+            String key1 = FunctionUtils.getStringValue(arg1, env);
+            String key2 = FunctionUtils.getStringValue(arg2, env);
+
+            return AviatorBoolean.valueOf(customFunction(key1, key2));
+        }
+
+        @Override
+        public String getName() {
+            return "keyMatchCustom";
+        }
+    }
+
+    @Test
+    public void testKeyMatchCustomModel(){
+        Enforcer e = new Enforcer("examples/keymatch_custom_model.conf", "examples/keymatch2_policy.csv");
+
+        e.addFunction("keyMatchCustom", new customFunctionWrapper());
+
+        testEnforce(e, "alice", "/alice_data2/myid", "GET", false);
+        testEnforce(e, "alice", "/alice_data2/myid/using/res_id", "GET", true);
+    }
+
     @Test
     public void testIPMatchModel() {
         Enforcer e = new Enforcer("examples/ipmatch_model.conf", "examples/ipmatch_policy.csv");
@@ -615,6 +712,95 @@ public void testPriorityModelIndeterminate() {
         testEnforce(e, "alice", "data1", "read", false);
     }
 
+    @Test
+    public void testRBACModelInMultiLines(){
+        Enforcer e = new Enforcer("examples/rbac_model_in_multi_line.conf", "examples/rbac_policy.csv");
+
+        testEnforce(e, "alice", "data1", "read", true);
+        testEnforce(e, "alice", "data1", "write", false);
+        testEnforce(e, "alice", "data2", "read", true);
+        testEnforce(e, "alice", "data2", "write", true);
+        testEnforce(e, "bob", "data1", "read", false);
+        testEnforce(e, "bob", "data1", "write", false);
+        testEnforce(e, "bob", "data2", "read", false);
+        testEnforce(e, "bob", "data2", "write", true);
+    }
+
+    @Test
+    public void testABACNotUsingPolicy(){
+        Enforcer e = new Enforcer("examples/abac_not_using_policy_model.conf", "examples/abac_rule_effect_policy.csv");
+
+        TestResource data1 = new TestResource("data1", "alice");
+        TestResource data2 = new TestResource("data2", "bob");
+
+        testEnforce(e, "alice", data1, "read", true);
+        testEnforce(e, "alice", data1, "write", true);
+        testEnforce(e, "alice", data2, "read", false);
+        testEnforce(e, "alice", data2, "write", false);
+    }
+
+    public class TestSubject{
+        private String name;
+        private int age;
+
+        public TestSubject(String name, int age){
+            this.name = name;
+            this.age = age;
+        }
+
+        public String getName() {
+            return name;
+        }
+
+        public void setName(String name) {
+            this.name = name;
+        }
+
+        public int getAge() {
+            return age;
+        }
+
+        public void setAge(int age) {
+            this.age = age;
+        }
+    }
+
+    @Test
+    public void testABACPolicy(){
+        Enforcer e = new Enforcer("examples/abac_rule_model.conf", "examples/abac_rule_policy.csv");
+
+        TestSubject sub1 = new TestSubject("alice", 16);
+        TestSubject sub2 = new TestSubject("alice", 20);
+        TestSubject sub3 = new TestSubject("alice", 65);
+
+        testEnforce(e, sub1, "/data1", "read", false);
+        testEnforce(e, sub1, "/data2", "read", false);
+        testEnforce(e, sub1, "/data1", "write", false);
+        testEnforce(e, sub1, "/data2", "write", true);
+        testEnforce(e, sub2, "/data1", "read", true);
+        testEnforce(e, sub2, "/data2", "read", false);
+        testEnforce(e, sub2, "/data1", "write", false);
+        testEnforce(e, sub2, "/data2", "write", true);
+        testEnforce(e, sub3, "/data1", "read", true);
+        testEnforce(e, sub3, "/data2", "read", false);
+        testEnforce(e, sub3, "/data1", "write", false);
+        testEnforce(e, sub3, "/data2", "write", false);
+    }
+
+    @Test
+    public void testCommentModel(){
+        Enforcer e = new Enforcer("examples/comment_model.conf", "examples/basic_policy.csv");
+
+        testEnforce(e, "alice", "data1", "read", true);
+        testEnforce(e, "alice", "data1", "write", false);
+        testEnforce(e, "alice", "data2", "read", false);
+        testEnforce(e, "alice", "data2", "write", false);
+        testEnforce(e, "bob", "data1", "read", false);
+        testEnforce(e, "bob", "data1", "write", false);
+        testEnforce(e, "bob", "data2", "read", false);
+        testEnforce(e, "bob", "data2", "write", true);
+    }
+
     @Test
     public void testSubjectPriorityWithDomain() {
         Enforcer e = new Enforcer("examples/subject_priority_model_with_domain.conf", "examples/subject_priority_policy_with_domain.csv");