casbin / Casbin.NET

An authorization library that supports access control models like ACL, RBAC, ABAC in .NET (C#)
https://casbin.org
Apache License 2.0

Using RBAC w/ Domain pattern matching can lead to unexpected results #351

Closed imf-code closed 5 months ago

imf-code commented 5 months ago

Building role links when domain matching function is set seems to result in some faulty links being created that can lead to unintended/unexpected privileges being granted.

Model:

# The exact model is not important, as the problem seems to lie in resolving g(r.sub, p.sub, r.dom)
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.obj == p.obj && r.act == p.act && g(r.sub, p.sub, r.dom)

Policy:

p, book-reader, *, book, read
g, bob, car-driver, *
g, alice, book-reader, library

Result:

var enforcer = new Enforcer(@"f:\temp\casbin\model.conf", @"f:\temp\casbin\policy.csv",
            new EnforcerOptions() { AutoBuildRoleLinks = false });
enforcer.AddDomainMatchingFunc(BuiltInFunctions.KeyMatch);
enforcer.BuildRoleLinks();

enforcer.Enforce("alice", "school", "book", "read"); // => true (!?)

For reference, the online editor returns false as would seem logical: https://editor.casbin.org/#6AJX758PB

As far as I understand, the issue lies in the AddLink method of DefaultRoleManager. What happens when the role links are built step-by-step:

  1. '*' is added to the list of domains
  2. 'bob' and 'car-driver' are added as roles in the '*' domain and linked as expected
  3. 'library' is pattern matched to previously added domains and '*' is found
  4. 'alice' and 'book-reader' are added as roles and linked in the '*' domain (!?)
  5. 'alice' and 'book-reader' are added as roles and linked in the 'library' domain as expected
  6. Since 'school' matches '*' and 'alice' now has 'book-reader' in '*' then: alice, school, book, read => true

The current implementation also results in inconsistent linking based on the order roles are assigned:

If we swap the two role assignments:

p, book-reader, *, book, read
g, alice, book-reader, library
g, bob, car-driver, *

What happens:

  1. 'library' is added to domains
  2. 'alice' and 'book-reader' are added and linked in 'library' domain
  3. '*' doesn't match 'library' and therefore 'bob' and 'car-driver' are only added and linked in '*'
  4. Result: alice, school, book, read => false
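Added illustration (not code from this issue or from Casbin.NET): a small Python stand-in for the role manager that reproduces the step-by-step linking described above for both insertion orders, beside a variant that keeps each link under the domain literally written in the grouping policy and applies the domain matching function only when a request is resolved. The policy and model matcher are the ones from the issue; `key_match` follows Casbin's KeyMatch semantics (a trailing `*` matches any suffix); `QueryTimeMatchingRoleManager` is an assumed approach to order-independent linking, not a description of what PR #352 does.

```python
# Stand-ins for DefaultRoleManager, written to illustrate the linking
# behaviour reported in the issue. Not Casbin.NET code.
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple


def key_match(key1: str, key2: str) -> bool:
    """Casbin's KeyMatch: key2 may end in '*', which matches any suffix of key1."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]


def _reachable(graph: Dict[str, Set[str]], start: str, target: str) -> bool:
    """Transitive role lookup inside one domain (g is transitive in Casbin)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


class LinkTimeMatchingRoleManager:
    """Reproduces the issue: when a grouping policy is added, its domain is
    matched against every previously seen domain and the link is copied into
    each match, so the resulting links depend on insertion order."""

    def __init__(self) -> None:
        self.domains: List[str] = []
        self.links: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    def add_link(self, user: str, role: str, domain: str) -> None:
        # step 3: the new domain ('library') is matched against '*' and found
        targets = [d for d in self.domains if key_match(domain, d)]
        if domain not in self.domains:
            self.domains.append(domain)
        if domain not in targets:
            targets.append(domain)
        for d in targets:  # step 4: alice -> book-reader also lands in '*'
            self.links[d][user].add(role)

    def has_link(self, user: str, role: str, domain: str) -> bool:
        # the request domain ('school') is matched against stored domains
        return any(key_match(domain, d) and _reachable(self.links[d], user, role)
                   for d in self.domains)


class QueryTimeMatchingRoleManager:
    """Assumed fix (illustrative, not PR #352): store a link only under the
    domain written in the grouping policy; match domains only at query time."""

    def __init__(self) -> None:
        self.links: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    def add_link(self, user: str, role: str, domain: str) -> None:
        self.links[domain][user].add(role)

    def has_link(self, user: str, role: str, domain: str) -> bool:
        return any(key_match(domain, d) and _reachable(graph, user, role)
                   for d, graph in self.links.items())


# p and g lines from the issue, in both insertion orders it discusses
POLICY = [("book-reader", "*", "book", "read")]
GROUPING_BOB_FIRST = [("bob", "car-driver", "*"), ("alice", "book-reader", "library")]
GROUPING_ALICE_FIRST = list(reversed(GROUPING_BOB_FIRST))


def enforce(rm, sub: str, dom: str, obj: str, act: str) -> bool:
    """Mirrors the issue's matcher: r.obj == p.obj && r.act == p.act && g(r.sub, p.sub, r.dom)."""
    return any(obj == p_obj and act == p_act and rm.has_link(sub, p_sub, dom)
               for p_sub, _p_dom, p_obj, p_act in POLICY)


def run(manager_cls, grouping) -> Tuple[bool, bool]:
    """Returns (alice may read a book in 'library', alice may read a book in 'school')."""
    rm = manager_cls()
    for user, role, domain in grouping:
        rm.add_link(user, role, domain)
    return (enforce(rm, "alice", "library", "book", "read"),
            enforce(rm, "alice", "school", "book", "read"))


if __name__ == "__main__":
    for cls in (LinkTimeMatchingRoleManager, QueryTimeMatchingRoleManager):
        print(cls.__name__, "bob first:", run(cls, GROUPING_BOB_FIRST),
              "alice first:", run(cls, GROUPING_ALICE_FIRST))
```

With the link-time manager, the bob-first order yields `(True, True)` (alice reads in 'school') while the alice-first order yields `(True, False)`; the query-time manager yields `(True, False)` in both orders, which is the result the online editor reports. Keeping a pair of such assertions, one per insertion order, is the regression check to run when the role manager is changed.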

casbin-bot commented 5 months ago

@sagilio @sociometry @AsakusaRinne

imf-code commented 5 months ago

My attempt at tackling the issue #352