casbin / Casbin.NET

An authorization library that supports access control models like ACL, RBAC, ABAC in .NET (C#)
https://casbin.org
Apache License 2.0

How to evaluate a single grouping policy. #217

Closed thoraj closed 2 years ago

thoraj commented 2 years ago

I have the need to check if a value is part of a named grouping hierarchy.

Let's say I have:

g2, l1_child1, root1, domain1
g2, l2_child1, l1_child1, domain1

g2, l1_child2, root1, domain2
g2, l2_child2, l1_child2, domain2

What I would like to evaluate is:

IsInGrouping("g2", root1, root1, domain1) => true
IsInGrouping("g2", root1, root1, domain2) => true

IsInGrouping("g2", l1_child1, root1, domain1) => true
IsInGrouping("g2", l2_child1, root1, domain1) => true

IsInGrouping("g2", l1_child1, root1, domain2) => false
IsInGrouping("g2", l2_child1, root1, domain2) => false

IsInGrouping("g2", l1_child2, root1, domain2) => true
IsInGrouping("g2", l2_child2, root1, domain2) => true

Is there anything equivalent to IsInGrouping() in Casbin?

My initial thought was to use a second matcher.

[request_definition]
r = sub, dom, res, op

[policy_definition]
p = sub, dom, res, op

[role_definition]
...
g2 = _, _, _    # module/resource hierarchy
...

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = ...
m2 = g2(r.res, p.res, r.dom)

And use:

bool IsInGrouping = enforcer.EnforceWithMatcher("m2", "", domain, resource, "")

so

enforcer.EnforceWithMatcher("m2", "", domain1, root1, "")   => true
enforcer.EnforceWithMatcher("m2", "", domain2, root1, "")   => true

enforcer.EnforceWithMatcher("m2", "", domain1, root1, "")   => true
enforcer.EnforceWithMatcher("m2", "", domain2, root1, "")   => true

The idea is that this will work since the value provided for the p.res argument when evaluating m2 would always come from a "p" policy. Unfortunately I ran into issues (#216) when testing this, hence the question of whether there is a more direct way to compute IsInGrouping().

casbin-bot commented 2 years ago

@sagilio @xcaptain @huazhikui

sagilio commented 2 years ago

You can try

enforcer.EnforceWithMatcher("g2(r.res, p.res, r.dom)", "", domain1, root1, "")

Any type of r/p/m/e is only supported on the v2.x/preview branch; here is the sample: https://github.com/casbin/Casbin.NET/blob/b1f3b0bc7ba1f159ffe7d31542642080a191853a/NetCasbin.UnitTest/ModelTests/ModelTest.cs#L565-L605

thoraj commented 2 years ago

Thanks for responding.

I was able to work around the issue, but will certainly try using the suggested ..enforce("matcher_expression").
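
What the question's IsInGrouping() table asks for is a reflexive, transitive lookup that never follows a link from another domain. The following is an added stand-alone C# example, not code from the thread or from Casbin.NET; the DomainGrouping class and its methods are hypothetical names, and nothing in it calls the library:

```csharp
// Added illustration: stand-alone, does not use the Casbin.NET API.
using System;
using System.Collections.Generic;

public sealed class DomainGrouping
{
    // (domain, child) -> direct parents; a link added in one domain is invisible in another.
    private readonly Dictionary<(string Domain, string Child), HashSet<string>> _parents = new();
    public void AddLink(string child, string parent, string domain)
    {
        if (!_parents.TryGetValue((domain, child), out var direct))
            _parents[(domain, child)] = direct = new HashSet<string>();
        direct.Add(parent);
    }

    // True when name equals ancestor, or reaches it through links of this domain only.
    public bool IsInGrouping(string name, string ancestor, string domain)
    {
        var seen = new HashSet<string> { name };   // guards against cyclic policies
        var queue = new Queue<string>();
        queue.Enqueue(name);
        while (queue.Count > 0)
        {
            var current = queue.Dequeue();
            if (current == ancestor) return true;
            if (!_parents.TryGetValue((domain, current), out var parents)) continue;
            foreach (var parent in parents)
                if (seen.Add(parent)) queue.Enqueue(parent);
        }
        return false;
    }
}

public static class Program
{
    public static void Main()
    {
        var g2 = new DomainGrouping();
        // The question's g2 rules (l2_child1's parent is l1_child1, as the expected results require).
        g2.AddLink("l1_child1", "root1", "domain1");
        g2.AddLink("l2_child1", "l1_child1", "domain1");
        g2.AddLink("l1_child2", "root1", "domain2");
        g2.AddLink("l2_child2", "l1_child2", "domain2");
        Console.WriteLine(g2.IsInGrouping("root1", "root1", "domain2"));     // reflexive case
        Console.WriteLine(g2.IsInGrouping("l2_child1", "root1", "domain1")); // two hops, same domain
        Console.WriteLine(g2.IsInGrouping("l2_child1", "root1", "domain2")); // link exists only in domain1
    }
}
```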