Merge pull request #30 from GopherJ/filtered-adapter

Filtered adapter

Author: 0x8f701

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "diesel-adapter"
-version = "0.5.0"
+version = "0.6.0"
 authors = ["Cheng JIANG <[email protected]>"]
 edition = "2018"
 license = "Apache-2.0"
@@ -9,7 +9,7 @@ homepage="https://github.com/casbin-rs/diesel-adapter"
 readme="README.md"
 
 [dependencies]
-casbin = { version = "0.5.1" }
+casbin = { version = "0.6.0" }
 diesel = { version = "1.4.4", features = ["r2d2"] }
 async-trait = "0.1.30"
 

examples/rbac_policy.csv

@@ -2,4 +2,4 @@ p, alice, data1, read
 p, bob, data2, write
 p, data2_admin, data2, read
 p, data2_admin, data2, write
-g, alice, data2_admin
+g, alice, data2_admin

examples/rbac_with_domains_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, dom, obj, act
+
+[policy_definition]
+p = sub, dom, obj, act
+
+[role_definition]
+g = _, _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

examples/rbac_with_domains_policy.csv

@@ -0,0 +1,6 @@
+p, admin,domain1,data1,read
+p, admin,domain1,data1,write
+p, admin,domain2,data2,read
+p, admin,domain2,data2,write
+g, alice,admin,domain1
+g, bob,admin,domain2

src/adapter.rs

@@ -1,5 +1,5 @@
 use async_trait::async_trait;
-use casbin::{error::AdapterError, Adapter, Error as CasbinError, Model, Result};
+use casbin::{error::AdapterError, Adapter, Error as CasbinError, Filter, Model, Result};
 use diesel::{
     self,
     r2d2::{ConnectionManager, Pool},
@@ -11,6 +11,7 @@ use std::time::Duration;
 
 pub struct DieselAdapter {
     pool: Pool<ConnectionManager<adapter::Connection>>,
+    is_filtered: bool,
 }
 
 pub const TABLE_NAME: &str = "casbin_rules";
@@ -27,7 +28,10 @@ impl<'a> DieselAdapter {
             .get()
             .map_err(|err| CasbinError::from(AdapterError(Box::new(Error::PoolError(err)))));
 
-        adapter::new(conn).map(|_| Self { pool })
+        adapter::new(conn).map(|_| Self {
+            pool,
+            is_filtered: false,
+        })
     }
 
     pub(crate) fn save_policy_line(
@@ -82,6 +86,39 @@ impl<'a> DieselAdapter {
         None
     }
 
+    pub(crate) fn load_filtered_policy_line(
+        &self,
+        casbin_rule: &CasbinRule,
+        f: &Filter,
+    ) -> Option<Vec<String>> {
+        if let Some(sec) = casbin_rule.ptype.chars().next() {
+            if let Some(policy) = self.normalize_policy(casbin_rule) {
+                let mut is_filtered = false;
+                if sec == 'p' {
+                    for (i, rule) in f.p.iter().enumerate() {
+                        if !rule.is_empty() && rule != &policy[i] {
+                            is_filtered = true
+                        }
+                    }
+                } else if sec == 'g' {
+                    for (i, rule) in f.g.iter().enumerate() {
+                        if !rule.is_empty() && rule != &policy[i] {
+                            is_filtered = true
+                        }
+                    }
+                } else {
+                    return None;
+                }
+
+                if !is_filtered {
+                    return Some(policy);
+                }
+            }
+        }
+
+        None
+    }
+
     fn normalize_policy(&self, casbin_rule: &CasbinRule) -> Option<Vec<String>> {
         let mut result = vec![
             &casbin_rule.v0,
@@ -135,6 +172,33 @@ impl Adapter for DieselAdapter {
         Ok(())
     }
 
+    async fn load_filtered_policy(&mut self, m: &mut dyn Model, f: Filter) -> Result<()> {
+        let conn = self
+            .pool
+            .get()
+            .map_err(|err| CasbinError::from(AdapterError(Box::new(Error::PoolError(err)))))?;
+
+        let rules = adapter::load_policy(conn)?;
+
+        for casbin_rule in &rules {
+            let rule = self.load_filtered_policy_line(casbin_rule, &f);
+
+            if let Some(rule) = rule {
+                if let Some(ref sec) = casbin_rule.ptype.chars().next().map(|x| x.to_string()) {
+                    if let Some(t1) = m.get_mut_model().get_mut(sec) {
+                        if let Some(t2) = t1.get_mut(&casbin_rule.ptype) {
+                            t2.get_mut_policy().insert(rule);
+                        }
+                    }
+                }
+            } else {
+                self.is_filtered = true;
+            }
+        }
+
+        Ok(())
+    }
+
     async fn save_policy(&mut self, m: &mut dyn Model) -> Result<()> {
         let conn = self
             .pool
@@ -241,6 +305,10 @@ impl Adapter for DieselAdapter {
             Ok(false)
         }
     }
+
+    fn is_filtered(&self) -> bool {
+        self.is_filtered
+    }
 }
 
 #[cfg(test)]
@@ -411,5 +479,47 @@ mod tests {
             )
             .await
             .is_ok());
+
+        // shadow the previous enforcer
+        let mut e = Enforcer::new(
+            "examples/rbac_with_domains_model.conf",
+            "examples/rbac_with_domains_policy.csv",
+        )
+        .await
+        .unwrap();
+
+        assert!(adapter.save_policy(e.get_mut_model()).await.is_ok());
+        e.set_adapter(adapter).await.unwrap();
+
+        let filter = Filter {
+            p: vec!["", "domain1"],
+            g: vec!["", "", "domain1"],
+        };
+
+        e.load_filtered_policy(filter).await.unwrap();
+        assert!(e
+            .enforce(&["alice", "domain1", "data1", "read"])
+            .await
+            .unwrap());
+        assert!(e
+            .enforce(&["alice", "domain1", "data1", "write"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["alice", "domain1", "data2", "read"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["alice", "domain1", "data2", "write"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["bob", "domain2", "data2", "read"])
+            .await
+            .unwrap());
+        assert!(!e
+            .enforce(&["bob", "domain2", "data2", "write"])
+            .await
+            .unwrap());
     }
 }