search

casbin / Casbin.NET

An authorization library that supports access control models like ACL, RBAC, ABAC in .NET (C#)
https://casbin.org
Apache License 2.0
1.18k stars 112 forks source link

Casbin.net Breaking changes while migrating from V1.13.0 to V2.9.1 - GetModel and GetPolicy #367

Open shrey-shah opened 2 months ago

shrey-shah commented 2 months ago

I am trying to migrate Casbin.net package from V1.13.0 to V2.9.1. I was validating my permission setup with this function in the earlier version.

private bool IsValidPermissionPolicySetup(string model, string policy)
        {
            CustomEnforcer enforcer = new CustomEnforcer(model, policy);
            int model_count = enforcer.GetModel().Model.Count;
            if (enforcer.GetPolicy().Any(x => x.Count != model_count))
            {
                return false;
            }
            if (enforcer.GetPolicy().Any(x => x[model_count - 1] != "allow" && x[model_count - 1] != "deny"))
            {
                return false;
            }
            return true;
        }

in the wiki, it says that enforcer.GetModel() is now replaced by enforcer.Model. but I couldn't find a way to get this count as the IModel interface doesn't explicitly have any property. Also, the wiki doesn't mention the alternative of enforcer.GetPolicy() so not sure how to convert the above function to the latest version. Can someone help here?

casbin-bot commented 2 months ago

@sagilio @sociometry @AsakusaRinne

sagilio commented 2 months ago

Would you like to provide a valid model and policy text sample?

  1. This piece of code may not be the correct implementation. enforcer.GetModel().Model.Count is the section count of the model, It may want to get the tokens count of policy.

For example:

[policy_definition] p = sub, obj, act

[policy_effect] e = some(where (p.eft == allow))

[matchers] m = r.sub == r.obj.Owner


You can get the **tokens count** like this:
```csharp
var assertion = e.Model.Sections.GetPolicyAssertion(PermConstants.DefaultPolicyType);
var tokensCount =  assertion.Tokens.Count;
  1. The check of enforcer.GetPolicy().Any(x => x.Count != model_count) is unnecessary now.
  2. enforcer.GetPolicy() exist in the latest version yet, it is here: https://github.com/casbin/Casbin.NET/blob/fe66cd4c4b290997bec6ea4184424702db36f42b/Casbin/Extensions/Enforcer/ManagementEnforcerExtension.cs#L111-L116
shrey-shah commented 2 months ago

permission model:

[request_definition]
        r = role, resource, action
        [policy_definition]
        p = role, resource, action, eft
        [policy_effect]
        # There must be atleast one rule to allow and no rule to deny
        e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
        [matchers]
        m = keyMatch(r.role, p.role) && (keyMatch(r.resource, p.resource) || keyMatch2(r.resource, p.resource)) && regexMatch(r.action, p.action)

permission policy sample:

p, SecurityAdmin, *, GET, allow
p, SecurityAdmin, /api/preferences, GET, deny
p, SecurityAdmin, /api/calendar_sync, GET, deny
p, SecurityAdmin, /api//bulk_download, POST, deny
p, SecurityAdmin, /api/service/*, POST, deny

the above code was used to validate if policy is setup as per the model. can we validate using any other way in the latest version?

shrey-shah commented 1 month ago

any update here?

sagilio commented 1 month ago

Here is the sample:

private bool IsValidPermissionPolicySetup(string model, string policy)
{
    CustomEnforcer enforcer = new CustomEnforcer(model, policy);
    return enforcer.GetPolicy().All(p =>
    {
        string last = p.Last();
        return last is "allow" or "deny";
    });
}