Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add priority_policy_explicit support #250

Merged
merged 10 commits into from
Mar 23, 2021
14 changes: 14 additions & 0 deletions examples/priority_model_explicit.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
[request_definition]
r = sub, obj, act

[policy_definition]
p = priority, sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = priority(p.eft) || deny

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
12 changes: 12 additions & 0 deletions examples/priority_policy_explicit.csv
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
p, 10, data1_deny_group, data1, read, deny
p, 10, data1_deny_group, data1, write, deny
p, 10, data2_allow_group, data2, read, allow
p, 10, data2_allow_group, data2, write, allow


p, 1, alice, data1, write, allow
p, 1, alice, data1, read, allow
p, 1, bob, data2, read, deny

g, bob, data2_allow_group
g, alice, data1_deny_group
13 changes: 13 additions & 0 deletions examples/priority_policy_explicit_update.csv
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
p, 10, data1_deny_group, data1, read, deny
p, 10, data1_deny_group, data1, write, deny
p, 10, data2_allow_group, data2, read, allow
p, 10, data2_allow_group, data2, write, allow


p, 1, alice, data1, write, allow
p, 1, alice, data1, read, allow
p, 1, bob, data2, read, deny
p, 1, bob, data2, write, allow

g, bob, data2_allow_group
g, alice, data1_deny_group
18 changes: 18 additions & 0 deletions src/coreEnforcer.ts
Original file line number Diff line number Diff line change
Expand Up @@ -153,13 +153,29 @@ export class CoreEnforcer {
}
}

public sortPolicies(): void {
const policy = this.model.model.get('p')?.get('p')?.policy;
const tokens = this.model.model.get('p')?.get('p')?.tokens;

if (policy && tokens) {
const priorityIndex = tokens.indexOf('p_priority');
if (priorityIndex !== -1) {
policy.sort((a, b) => {
return parseInt(a[priorityIndex], 10) - parseInt(b[priorityIndex], 10);
});
}
}
}

/**
* loadPolicy reloads the policy from file/database.
*/
public async loadPolicy(): Promise<void> {
this.model.clearPolicy();
await this.adapter.loadPolicy(this.model);

this.sortPolicies();

this.initRmMap();

if (this.autoBuildRoleLinks) {
Expand All @@ -182,6 +198,8 @@ export class CoreEnforcer {
throw new Error('filtered policies are not supported by this adapter');
}

this.sortPolicies();

this.initRmMap();

if (this.autoBuildRoleLinks) {
Expand Down
1 change: 1 addition & 0 deletions src/internalEnforcer.ts
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ export class InternalEnforcer extends CoreEnforcer {
}

const ok = this.model.addPolicy(sec, ptype, rule);

if (sec === 'g' && ok) {
await this.buildIncrementalRoleLinks(PolicyOp.PolicyAdd, ptype, [rule]);
}
Expand Down
61 changes: 49 additions & 12 deletions src/model/model.ts
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,24 @@ export class Model {
if (!ast) {
return false;
}
ast.policy.push(rule);

const policy = ast.policy;
const tokens = ast.tokens;

const priorityIndex = tokens.indexOf('p_priority');

if (priorityIndex !== -1) {
const priorityRule = rule[priorityIndex];
const insertIndex = policy.findIndex((oneRule) => oneRule[priorityIndex] >= priorityRule);

if (priorityIndex === -1) {
policy.push(rule);
} else {
policy.splice(insertIndex, 0, rule);
}
} else {
policy.push(rule);
}
return true;
}

Expand All @@ -240,26 +257,46 @@ export class Model {
}
}

ast.policy = ast.policy.concat(rules);
const priorityFlag = ast.tokens.indexOf('p_priority') !== -1;

if (priorityFlag) {
rules.forEach((rule) => {
this.addPolicy(sec, ptype, rule);
});
} else {
ast.policy = ast.policy.concat(rules);
}

return [true, rules];
}

// updatePolicy updates a policy from the model
public updatePolicy(sec: string, ptype: string, oldRule: string[], newRule: string[]): boolean {
if (this.hasPolicy(sec, ptype, oldRule)) {
const ast = this.model.get(sec)?.get(ptype);
if (!ast) {
return false;
}
// const index = ast.policy.indexOf(oldRule);
const index = ast.policy.findIndex((r) => util.arrayEquals(r, oldRule));
if (index !== -1) {
const ast = this.model.get(sec)?.get(ptype);
if (!ast) {
return false;
}

const index = ast.policy.findIndex((r) => util.arrayEquals(r, oldRule));
if (index === -1) {
return false;
}

const priorityIndex = ast.tokens.indexOf('p_priority');

if (priorityIndex !== -1) {
if (oldRule[priorityIndex] === newRule[priorityIndex]) {
ast.policy[index] = newRule;
return true;
} else {
// this.removePolicy(sec, ptype, oldRule);
// this.addPolicy(sec, ptype, newRule);
throw new Error('new rule should have the same priority with old rule.');
}
} else {
ast.policy[index] = newRule;
}
return false;

return true;
}

// removePolicy removes a policy rule from the model.
Expand Down
45 changes: 45 additions & 0 deletions test/model.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,51 @@ test('TestPriorityModel', async () => {
await testEnforce(e, 'bob', 'data2', 'write', false);
});

test('TestExplicitPriorityModel', async () => {
const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit.csv');

await testEnforce(e, 'alice', 'data1', 'write', true);
await testEnforce(e, 'alice', 'data1', 'read', true);
await testEnforce(e, 'bob', 'data2', 'read', false);
await testEnforce(e, 'bob', 'data2', 'write', true);
await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);
});

test('TestExplicitPriorityModelAddPolicy', async () => {
const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit.csv');

await e.addPolicy('1', 'bob', 'data2', 'write', 'deny');

await testEnforce(e, 'alice', 'data1', 'write', true);
await testEnforce(e, 'alice', 'data1', 'read', true);
await testEnforce(e, 'bob', 'data2', 'read', false);
await testEnforce(e, 'bob', 'data2', 'write', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);
});

test('TestExplicitPriorityModelUpdatePolicy', async () => {
const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit_update.csv');

await e.updatePolicy(['1', 'bob', 'data2', 'write', 'allow'], ['1', 'bob', 'data2', 'write', 'deny']);

await testEnforce(e, 'alice', 'data1', 'write', true);
await testEnforce(e, 'alice', 'data1', 'read', true);
await testEnforce(e, 'bob', 'data2', 'read', false);
await testEnforce(e, 'bob', 'data2', 'write', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);

await expect(e.updatePolicy(['1', 'bob', 'data2', 'write', 'allow'], ['2999', 'bob', 'data2', 'write', 'deny'])).resolves.toBe(false);
});

test('TestPriorityModelIndeterminate', async () => {
const e = await newEnforcer('examples/priority_model.conf', 'examples/priority_indeterminate_policy.csv');

Expand Down