Add Langchain integration for RAG authorization support

[Copilot]

Overview

This PR adds comprehensive authorization support for Langchain applications, particularly focusing on RAG (Retrieval-Augmented Generation) systems. As AI and LLM applications become more prevalent, there's a growing need for robust access control to protect sensitive data and ensure users only access authorized resources.

What's New

LangchainEnforcer Integration

A new LangchainEnforcer class provides Langchain-specific authorization methods wrapped around Casbin's powerful policy engine:

from casbin import Enforcer
from casbin.integrations import LangchainEnforcer

# Initialize with Langchain RAG model
enforcer = Enforcer("langchain_rag_model.conf", "langchain_rag_policy.csv")
lc_enforcer = LangchainEnforcer(enforcer)

# Check document access
can_read = lc_enforcer.can_access_document("alice", "document:public:readme", "read")

# Filter documents for RAG (critical for preventing data leaks)
retrieved_docs = vectorstore.similarity_search(query)
filtered_docs = lc_enforcer.filter_documents_by_permission("user", retrieved_docs)

# Check tool usage
can_use = lc_enforcer.can_use_tool("bob", "search")

# Check agent execution
can_execute = lc_enforcer.can_execute_agent("alice", "chatbot")

Key Features

🔒 Document Access Control for RAG

• Filter retrieved documents before sending to LLM to prevent unauthorized data exposure
• Support for document categories with pattern matching (document:public:*, document:analytics:*)
• Get list of accessible documents for a user

🛠️ Tool Usage Authorization

• Control which Langchain tools users can execute
• Enumerate available tools for a user
• Support for wildcard permissions

🤖 Agent Execution Control

• Manage permissions for running different Langchain agents
• Role-based agent access control

🏢 Multi-Tenant Support

• Isolated authorization per tenant/domain
• Users can have different permissions in different tenants
• Perfect for SaaS applications with multiple organizations

Authorization Models

Two pre-configured models are included:

Basic RAG Model - Single-tenant authorization with RBAC and pattern matching:

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act

Multi-Tenant Model - Domain-aware authorization:

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && r.act == p.act

Example Policies

# Role permissions
p, admin, document:*, read
p, admin, tool:*, use
p, data_analyst, document:public:*, read
p, data_analyst, document:analytics:*, read
p, data_analyst, tool:search, use

# Role assignments
g, alice, admin
g, bob, data_analyst

Use Cases

This integration is ideal for:

• RAG Systems: Filter documents based on user permissions before retrieval or generation
• AI Chatbots: Control which tools and agents users can access
• Multi-tenant AI Applications: Isolate data and capabilities across organizations
• Enterprise LLM Applications: Enforce data governance and compliance requirements
• Document Q&A Systems: Ensure users only query authorized documents

Testing

• ✅ 10 new comprehensive tests covering all functionality
• ✅ All 310 existing tests pass (no regressions)
• ✅ Two working examples demonstrating basic and multi-tenant usage
• ✅ End-to-end validation confirms all features working correctly

Documentation

Complete documentation included:

• Comprehensive README at examples/langchain/README.md
• Working examples with detailed comments
• Integration guide added to main README
• Usage patterns for common scenarios

Files Changed

New:

• casbin/integrations/langchain.py - Core integration module
• casbin/integrations/__init__.py - Integration exports
• examples/langchain_rag_model.conf - Basic RAG authorization model
• examples/langchain_rag_policy.csv - Example policies
• examples/langchain_with_domains_model.conf - Multi-tenant model
• examples/langchain_with_domains_policy.csv - Multi-tenant policies
• examples/langchain/basic_rag_example.py - Basic usage example
• examples/langchain/multi_tenant_example.py - Multi-tenant example
• examples/langchain/README.md - Integration documentation
• tests/test_langchain_integration.py - Test suite

Modified:

• casbin/__init__.py - Export integrations module
• README.md - Add Langchain integration section

Benefits

1. Enhanced Security: Filter documents before LLM processing to prevent data leaks
2. Fine-grained Control: Manage access at document, tool, and agent level
3. Multi-tenancy: Built-in support for multiple organizations
4. Production-Ready: Built on Casbin's battle-tested authorization engine
5. Easy Integration: Simple API with clear examples

Closes #XXX

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[feature] support authorization for Langchain</issue_title>
<issue_description>Casbin already supports a lot of access control models: https://casbin.org/docs/supported-models/. Casbin can also support AI resource authorization like Langchain: https://github.com/langchain-ai/langchain

Need to find a way to support authorization for LLM applications like Langchain RAG.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #401

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}