casbin / Casbin.NET

An authorization library that supports access control models like ACL, RBAC, ABAC in .NET (C#)
https://casbin.org
Apache License 2.0
1.14k stars 110 forks

Bug in AddNamedDomainMatchingFunc() ? #247

Closed thoraj closed 2 years ago

thoraj commented 2 years ago

I have a need to use a custom key-matcher for my g grouping policy:

[request_definition]
r = sub, dom, res, op, mod

[policy_definition]
p = sub, dom, res, op, mod

[role_definition]
g = _, _, _     # users and groups hierarchies
g2 = _, _, _        # module/resource hierarchy
g3 = _, _       # role/action/permission hierarchies
g4 = _, _       # Superuser group/hierarchy

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m  =   (g4(r.sub, p.sub) && g3(r.op, p.op))    ||     (g(r.sub, p.sub, r.dom) && (r.res == "__BYPASS__" || g2(r.res, p.res, r.dom)) && g3(r.op, p.op))

I noticed there is a way to set matching func for domain as shown in the test:

    [Fact]
    public void CanEnforceWithGroupsInParentService()
    {
        var enforcer = new Enforcer("../../../Casbin/verji-access-control-model.conf", "../../../Casbin/rules-with-microservices.csv");
        enforcer.AddNamedMatchingFunc("g3", BuiltInFunctions.KeyMatch4);
        enforcer.AddNamedDomainMatchingFunc("g", (reqDom, polDom) =>
        {
            return reqDom == polDom;
        });

        enforcer.Enforce("user1", "lob::domain1", "link1", "REST url1 GET", "link").Should().BeTrue();
    }

But I cannot make this work, as it seems to operate on the x.sub values and not the x.dom values?

When digging into the source, it seems to not set the function properly? And I think maybe this is a bug (?).

https://github.com/casbin/Casbin.NET/blob/a5122e846ce02463ad84bc4ff966b9efe343406c/NetCasbin/Extensions/EnforcerExtension.cs#L28

Shouldn't this code call AddDomainMatchingFunc() instead of the AddMatchingFunc()?
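The symptom reported above, reproduced as an added example that is not part of the original issue and is not Casbin.NET code: a toy role manager (`ToyRoleManager`, `NameMatch`, `DomainMatch` and the sample rule are all hypothetical) with separate name and domain matcher slots. A recording callback shows which values it is handed when it is registered in the domain slot and when it is registered in the name slot by mistake, and how the access decision changes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Toy role manager for illustration only; it is not Casbin.NET's implementation.
class ToyRoleManager
{
    // Grouping rules shaped like "g = _, _, _": (user, role, domain).
    private readonly List<(string User, string Role, string Domain)> _links =
        new List<(string User, string Role, string Domain)>();
    public Func<string, string, bool> NameMatch = (a, b) => a == b;
    public Func<string, string, bool> DomainMatch = (a, b) => a == b;

    public void AddLink(string user, string role, string domain) =>
        _links.Add((user, role, domain));

    // Direct links only, which is enough to show which slot each callback fills.
    public bool HasLink(string user, string role, string domain) =>
        _links.Any(l => l.Role == role
                        && NameMatch(user, l.User)
                        && DomainMatch(domain, l.Domain));
}

static class Program
{
    static void Main()
    {
        foreach (bool miswired in new[] { false, true })
        {
            var seen = new List<string>();   // every argument the callback receives
            Func<string, string, bool> domainFunc = (req, pol) =>
            {
                seen.Add(req); seen.Add(pol);
                // Constructed pattern rule: policy domain "lob::*" covers any "lob::" domain.
                return pol == "lob::*"
                    ? req.StartsWith("lob::", StringComparison.Ordinal)
                    : req == pol;
            };

            var rm = new ToyRoleManager();
            if (miswired) rm.NameMatch = domainFunc;   // registered in the name slot
            else rm.DomainMatch = domainFunc;          // registered in the domain slot
            rm.AddLink("user1", "group1", "lob::*");   // constructed sample rule

            bool allowed = rm.HasLink("user1", "group1", "lob::domain1");
            bool onlyDomains = seen.All(s => s.StartsWith("lob::", StringComparison.Ordinal));
            Console.WriteLine($"miswired={miswired} allowed={allowed} " +
                              $"callbackSawOnlyDomains={onlyDomains}");
        }
    }
}
```

The same recording-callback check works as a regression test against a real enforcer: register the domain matcher, run one `Enforce` call, and assert that every value the callback received was a domain.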

casbin-bot commented 2 years ago

@sagilio @xcaptain @huazhikui

hsluoyz commented 2 years ago

@sagilio

thoraj commented 2 years ago

I have forked the project and "fixed" the bug in master. I have verified the fix by setting up a pipeline to build a nuget, and consumed the forked nuget in our solution.

I would strongly prefer to not have a private fork of Casbin in production, and would like to know how to get the fix into the released Casbin.Net package?

If this is not possible, could you say which branch/tag we should use in our private package? The idea is to have something as close to the released Casbin as possible.

hsluoyz commented 2 years ago

@thoraj why not make a PR? Contributions are welcome!

github-actions[bot] commented 2 years ago

:tada: This issue has been resolved in version 1.12.2 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: