diff --git a/.gitignore b/.gitignore index 6505972..fab6ac5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ node_modules -todo \ No newline at end of file +todo +.tmp \ No newline at end of file diff --git a/example_functions_test.go b/example_functions_test.go new file mode 100644 index 0000000..875077e --- /dev/null +++ b/example_functions_test.go @@ -0,0 +1,58 @@ +package fastac_test + +import ( + "github.com/abichinger/fastac" + "github.com/abichinger/fastac/model" + "github.com/abichinger/fastac/model/fm" +) + +//the model uses a custom MatchingFunc named customPathMatch +var example_functions_model = ` +[request_definition] +r = sub, obj, act + +[policy_definition] +p = sub, obj, act + +[policy_effect] +e = some(where (p.eft == allow)) + +[matchers] +m = r.sub == p.sub && customPathMatch(r.obj, p.obj) && r.act == p.act` + +var example_functions_policy = [][]string{ + {"p", "alice", "*", "GET"}, + {"p", "alice", "/user/alice", "PATCH"}, +} + +// ExampleFunctions shows how to use a custom util.MatchingFunc +func Example_functions() { + + //customPathMatch needs to be registered before loading the model + fm.SetFunction("customPathMatch", func(arguments ...interface{}) (interface{}, error) { + rObj := arguments[0].(string) + rSub := arguments[1].(string) + + if rSub == "*" { + return true, nil + } + return rObj == rSub, nil + }) + + //create enforcer and add rules + m := model.NewModel() + _ = m.LoadModelFromText(example_functions_model) + e, _ := fastac.NewEnforcer(m, nil) + _ = e.AddRules(example_functions_policy) + + //perform some requests + printReq(e, "alice", "/user/alice/entry/1", "GET") + printReq(e, "bob", "/user/alice/entry/1", "GET") + printReq(e, "alice", "/user/alice", "PATCH") + printReq(e, "bob", "/user/alice", "PATCH") + + // Output: alice, /user/alice/entry/1, GET => allow + // bob, /user/alice/entry/1, GET => deny + // alice, /user/alice, PATCH => allow + // bob, /user/alice, PATCH => deny +} diff --git a/example_matcher_test.go b/example_matcher_test.go new file mode 100644 index 0000000..b3845ae --- /dev/null +++ b/example_matcher_test.go @@ -0,0 +1,80 @@ +package fastac_test + +import ( + "fmt" + "strings" + + "github.com/abichinger/fastac" + "github.com/abichinger/fastac/model" + "github.com/abichinger/fastac/rbac" + "github.com/abichinger/fastac/util" +) + +//the model uses the built-in MatchingFunc pathMatch +var example_matcher_model = ` +[request_definition] +r = sub, obj, act + +[policy_definition] +p = sub, obj, act + +[role_definition] +g = _, _ + +[policy_effect] +e = some(where (p.eft == allow)) + +[matchers] +m = g(r.sub, p.sub) && pathMatch(r.obj, p.obj) && r.act == p.act` + +var example_matcher_policy = [][]string{ + {"p", "role:user", "/user/:uid/entry/:eid", "GET"}, + {"p", "user:alice", "/user/alice/*", "POST"}, + {"p", "role:admin", "/user/:uid/entry/:eid", "DELETE"}, + {"g", "reg:user:.*", "role:user"}, + {"g", "user:alice", "role:admin"}, +} + +func printReq(e *fastac.Enforcer, params ...interface{}) { + b, _ := e.Enforce(params...) + var rule []string + for _, param := range params { + rule = append(rule, param.(string)) + } + if b { + fmt.Printf("%s => allow\n", strings.Join(rule, ", ")) + } else { + fmt.Printf("%s => deny\n", strings.Join(rule, ", ")) + } +} + +// ExampleMatchers shows the usage of util.MatchingFunc and util.IMatcher +func Example_matchers() { + + //create enforcer and add rules + m := model.NewModel() + _ = m.LoadModelFromText(example_matcher_model) + e, _ := fastac.NewEnforcer(m, nil) + _ = e.AddRules(example_matcher_policy) + + //get the default rolemanager + rm, _ := e.GetModel().GetRoleManager("g") + + // set a role matcher. + // create a PrefixMatcher. PrefixMatcher implements the interface util.IMatcher + // each regex pattern needs to be marked with the prefix "reg:" + roleMatcher := util.NewPrefixMatcher("reg:", util.RegexMatch) + rm.(rbac.IDefaultRoleManager).SetMatcher(roleMatcher) + + printReq(e, "user:alice", "/user/joe/entry/1", "GET") //allow, because user:alice has role:user + printReq(e, "user:alice", "/user/alice/entry/2", "POST") + printReq(e, "user:alice", "/user/bob/entry/3", "POST") + printReq(e, "user:alice", "/user/bob/entry/3", "DELETE") + printReq(e, "user:bob", "/user/alice/entry/2", "DELETE") + + // Output: user:alice, /user/joe/entry/1, GET => allow + // user:alice, /user/alice/entry/2, POST => allow + // user:alice, /user/bob/entry/3, POST => deny + // user:alice, /user/bob/entry/3, DELETE => allow + // user:bob, /user/alice/entry/2, DELETE => deny +} diff --git a/example_rules_test.go b/example_rules_test.go new file mode 100644 index 0000000..e553c62 --- /dev/null +++ b/example_rules_test.go @@ -0,0 +1,63 @@ +package fastac_test + +import ( + "fmt" + "sort" + + "github.com/abichinger/fastac" + "github.com/abichinger/fastac/util" +) + +var example_rules_policy = [][]string{ + {"p", "alice", "data1", "read"}, + {"p", "alice", "data1", "write"}, + {"p", "bob", "data2", "read"}, + {"p", "bob", "data2", "write"}, + {"p", "alice", "data3", "read"}, + {"p", "bob", "data3", "read"}, + {"p", "manager", "data3", "write"}, + {"g", "bob", "manager"}, +} + +// ExampleManagePolicy demonstrates the usage of functions to modify the policy +func Example_managePolicy() { + + //create enforcer with rbac model and empty policy + e, _ := fastac.NewEnforcer("examples/rbac_model.conf", nil) + + //add multiple rules at once + _ = e.AddRules(example_rules_policy) + + //remove all rules of user bob + bobRules, _ := e.Filter(fastac.SetMatcher(`p.sub == "bob"`)) + bobGroupingRules, _ := e.Filter(fastac.SetMatcher(`g.user == "bob"`)) + _ = e.RemoveRules(append(bobRules, bobGroupingRules...)) + + //make alice a manager + alice_manager := []string{"g", "alice", "manager"} + added, _ := e.AddRule(alice_manager) + if added { + fmt.Println("rule added successfully") + } + + //get a list of all rules + var allRules [][]string + e.GetModel().RangeRules(func(rule []string) bool { + allRules = append(allRules, rule) + return true + }) + + //sort and print rules + allRulesStr := util.Join2D(allRules, ", ") + sort.Strings(allRulesStr) + for _, rule := range allRulesStr { + fmt.Println(rule) + } + + // Output: rule added successfully + // g, alice, manager + // p, alice, data1, read + // p, alice, data1, write + // p, alice, data3, read + // p, manager, data3, write +} diff --git a/example_storage_test.go b/example_storage_test.go new file mode 100644 index 0000000..35164e9 --- /dev/null +++ b/example_storage_test.go @@ -0,0 +1,69 @@ +package fastac_test + +import ( + "fmt" + "os" + "sort" + "strings" + + "github.com/abichinger/fastac" + gormadapter "github.com/abichinger/gorm-adapter" + "gorm.io/driver/sqlite" + "gorm.io/gorm" +) + +var example_rules_1 = [][]string{ + {"p", "alice", "data1", "read"}, + {"p", "alice", "data1", "write"}, + {"p", "bob", "data1", "read"}, +} + +func createDB(name string) *gorm.DB { + _ = os.Mkdir(".tmp", 0755) + db, _ := gorm.Open(sqlite.Open(".tmp/"+name+".db"), &gorm.Config{}) + return db +} + +func removeDB(name string) { + os.Remove(".tmp/" + name + ".db") +} + +// ExampleStorageAdapter shows how to store/load policy rules to/from a storage adapter +func Example_storageAdapter() { + + //init adapter + db := createDB("example") + defer removeDB("example") + a, err := gormadapter.NewAdapter(db) + if err != nil { + panic(err) + } + + //create enforcer and store rules using the autosave feature + e, _ := fastac.NewEnforcer("examples/basic_model.conf", a, fastac.OptionAutosave(true)) + err = e.AddRules(example_rules_1) + if err != nil { + panic(err) + } + + //second enforcer to demonstrate LoadPolicy + e2, _ := fastac.NewEnforcer("examples/basic_model.conf", a) + err = e2.LoadPolicy() + if err != nil { + panic(err) + } + + loadedRules := []string{} + e2.GetModel().RangeRules(func(rule []string) bool { + loadedRules = append(loadedRules, strings.Join(rule, ", ")) + return true + }) + + sort.Strings(loadedRules) + for _, rule := range loadedRules { + fmt.Println(rule) + } + // Output: p, alice, data1, read + // p, alice, data1, write + // p, bob, data1, read +} diff --git a/go.mod b/go.mod index 7b41eeb..8bc47cb 100644 --- a/go.mod +++ b/go.mod @@ -3,18 +3,24 @@ module github.com/abichinger/fastac go 1.17 require ( + github.com/abichinger/gorm-adapter v1.0.1 github.com/abichinger/govaluate v1.5.1-0.20220503123756-74b96f998566 github.com/casbin/casbin/v2 v2.44.3 github.com/go-ini/ini v1.66.4 github.com/sirupsen/logrus v1.8.1 github.com/stretchr/testify v1.7.1 github.com/vansante/go-event-emitter v1.0.2 + gorm.io/driver/sqlite v1.3.2 + gorm.io/gorm v1.23.5 ) require ( github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/jinzhu/inflection v1.0.0 // indirect + github.com/jinzhu/now v1.1.5 // indirect + github.com/mattn/go-sqlite3 v1.14.12 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 // indirect - gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect + golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd // indirect + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect ) diff --git a/go.sum b/go.sum index 359eae9..e772195 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,9 @@ github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= +github.com/abichinger/fastac v1.0.1/go.mod h1:HWQYswCOqXnViLAJzBOiRdIIi2rUhzhhKb7Z+TZ6Di4= +github.com/abichinger/gorm-adapter v1.0.1 h1:9MxhILBlN07w3JPUy6DUeQBjjCCODw0aEvcKb8p3YpM= +github.com/abichinger/gorm-adapter v1.0.1/go.mod h1:aQT/0ZwJDx/mo83sPdVfS2YTV3/XzQs+NIXfOVgAmW8= +github.com/abichinger/govaluate v1.5.1-0.20220429195714-1a681aad947c/go.mod h1:kxvs9v5HO4iu/FbZPqhiWJ43Vv7INmjYTlyBbfGq3Xo= github.com/abichinger/govaluate v1.5.1-0.20220503123756-74b96f998566 h1:rKOEJDa0kBdr+pOIZHb6gCzACW8mfI+zkDqjxgMPflY= github.com/abichinger/govaluate v1.5.1-0.20220503123756-74b96f998566/go.mod h1:kxvs9v5HO4iu/FbZPqhiWJ43Vv7INmjYTlyBbfGq3Xo= github.com/casbin/casbin/v2 v2.44.3 h1:tPP1YypfG2fqe7S2zivYuD11yc+/mc0GXJe/sDVbb1U= @@ -11,12 +15,21 @@ github.com/go-ini/ini v1.66.4 h1:dKjMqkcbkzfddhIhyglTPgMoJnkvmG+bSLrU9cTHc5M= github.com/go-ini/ini v1.66.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E= +github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= +github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= +github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ= +github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= +github.com/mattn/go-sqlite3 v1.14.9/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= +github.com/mattn/go-sqlite3 v1.14.12 h1:TJ1bhYJPV44phC+IMu1u2K/i5RriLTPe+yc68XDJ1Z0= +github.com/mattn/go-sqlite3 v1.14.12/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/vansante/go-event-emitter v1.0.2 h1:Qh/B4aM2OKyWWqToiIgS9XCf5sR8/R6vAp/rOpSuwss= @@ -25,11 +38,20 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gorm.io/driver/sqlite v1.3.1/go.mod h1:wJx0hJspfycZ6myN38x1O/AqLtNS6c5o9TndewFbELg= +gorm.io/driver/sqlite v1.3.2 h1:nWTy4cE52K6nnMhv23wLmur9Y3qWbZvOBz+V4PrGAxg= +gorm.io/driver/sqlite v1.3.2/go.mod h1:B+8GyC9K7VgzJAcrcXMRPdnMcck+8FgJynEehEPM16U= +gorm.io/gorm v1.23.1/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk= +gorm.io/gorm v1.23.4/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk= +gorm.io/gorm v1.23.5 h1:TnlF26wScKSvknUC/Rn8t0NLLM22fypYBlvj1+aH6dM= +gorm.io/gorm v1.23.5/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=