[Question] RBAC with conditions and DynamoDB Adapter

[kawtar01]

Want to prioritize this issue? Try:

---

What's your scenario? What do you want to achieve? Context:

• Golang implementation for Casbin enforcer that relies on DynamoDB Adapter

• I'm adding the grouping policies and setting the link function as below: _, err := enforcer.AddGroupingPolicy(policy.User, policy.Group, policy.Dom, startTime, endTime) if err == nil { ok := enforcer.AddNamedDomainLinkConditionFunc(policy.PolicyType, policy.User, policy.Group, policy.Dom, util.TimeMatchFunc) if !ok { return errors.New("AddNamedDomainLinkConditionFunc:Couldn't apply conditional access") } }

• The policies are stored as below in my DynamoDB:

  

Scenario: Given that "some_user@somedomain.com" has a role/group "guests" and that the role/group "guests" has been granted temporary access to some resources in a domain when "some_user@domain" tries to access these resources and the time is not matching the temporary access condition then the access is denied.

Goal: I'm trying to leverage the concept of RBAC with conditions to set temporary access on some resources to some roles that I have defined within a domain.

Questions:

• As I'm not able to achieve my goal, I've tried to debug but with no success as when setting enforcer.EnableLog to true I don't really get the verbosity I was expecting (e.g what happens when the util.TimeMatchFunc is called? Is it even called?) ==> Is there a way to show more logs?
• I have also tried to provide my own TimeMatchFunc and added some print commands to it but I'm not also able to see if it's being invoked or not
• Also when trying to retrieve the users implicit roles or permissions, I'm getting the following error (I don't face these issues, when I get rid of the (,) in the g role definition and go with a simple RBAC with domain implementation): 2023/10/17 17:43:22 http: panic serving 127.0.0.1:54400: runtime error: invalid memory address or nil pointer dereference goroutine 48 [running]: net/http.(*conn).serve.func1() /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:1854 +0xb0 panic({0x100a7f360, 0x100f13320}) /opt/homebrew/Cellar/go/1.20.5/libexec/src/runtime/panic.go:890 +0x258 github.com/casbin/casbin/v2.(*Enforcer).GetNamedImplicitPermissionsForUser(0x14000192c60, {0x100718a09, 0x1}, {0x14000616214, 0x18}, {0x14000108838, 0x1, 0x140000945b8?}) /Users/xxx/go/pkg/mod/github.com/casbin/casbin/v2@v2.77.2/rbac_api.go:312 +0x2c0 github.com/casbin/casbin/v2.(*Enforcer).GetImplicitPermissionsForUser(...) /Users/xxx/go/pkg/mod/github.com/casbin/casbin/v2@v2.77.2/rbac_api.go:286 example.com/casbin-poc/casbin_helper.GetImplicitPermissionsForUserInDomain({0x14000616214?, 0x14000627560?}, {0x1400061622d?, 0x3?}) /Users/xxx/Documents/xxx/access-controls/rbac-serverless-poc-go/casbin_helper/casbin_helper.go:111 +0x60 main.ImplicitPermissionsForUserInDomainHandler({0x100b1e220, 0x140001622a0}, 0x1400013c280?) /Users/xxx/Documents/xxx/access-controls/rbac-serverless-poc-go/main.go:93 +0x98 net/http.HandlerFunc.ServeHTTP(0x1400060a600?, {0x100b1e220?, 0x140001622a0?}, 0x0?) /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:2122 +0x38 github.com/gorilla/mux.(*Router).ServeHTTP(0x140001480c0, {0x100b1e220, 0x140001622a0}, 0x1400060a500) /Users/xxx/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x19c net/http.serverHandler.ServeHTTP({0x14000627470?}, {0x100b1e220, 0x140001622a0}, 0x1400060a500) /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:2936 +0x2d8 net/http.(*conn).serve(0x1400008d950, {0x100b1e568, 0x1400010cbd0}) /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:1995 +0x560 created by net/http.(*Server).Serve /opt/homebrew/Cellar/go/1.20.5/libexec/src/net/http/server.go:3089 +0x520

Your model:

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _, (_, _)
g2 = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && g2(r.obj, p.obj, r.dom) && regexMatch(r.act, p.act)

Your policy:

Json file that I load:
[
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions","act":"read"},
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions","act":"write"},
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions_resources","act":"read"},
    {"policy_type":"p","sub":"admins","dom":"OrgA","obj":"orgA_partitions_resources","act":"write"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_partitions","act":"read"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings","act":"read"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings_b1","act":"read"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings_b1","act":"write"},
    {"policy_type":"p","sub":"guests","dom":"OrgA","obj":"orgA_p1_buildings_b2_floors_f1","act":"read"},

    {"policy_type":"g","user":"super_user@somedomain.com","group":"admins", "dom":"OrgA" , "condition":{"start":"0000-01-01 00:00:00","end":"9999-12-30 00:00:00"}},
    {"policy_type":"g","user":"some_user@somedomain.com","group":"guests","dom":"OrgA" , "condition":{"start":"0000-01-01 00:00:00","end":"0000-01-02 00:00:00"}},
    {"policy_type":"g2","obj":"/partitions/:id","objSet":"orgA_partitions", "dom":"OrgA" },
    {"policy_type":"g2","obj":"/partitions/*","objSet":"orgA_partitions_resources", "dom":"OrgA" },
    {"policy_type":"g2","obj":"/partitions/p1/buildings","objSet":"orgA_p1_buildings", "dom":"OrgA"},
    {"policy_type":"g2","obj":"/partitions/p1/buildings/b1","objSet":"orgA_p1_buildings_b1", "dom":"OrgA"},
    {"policy_type":"g2","obj":"/partitions/p1/buildings/b2/floors/f1","objSet":"orgA_p1_buildings_b2_floors_f1", "dom":"OrgA"}
  ]

Your request(s):

super_user@somedomain, OrgA,  /partitions/*, read ---> false (expected: true)
super_user@somedomain, OrgA,  /partitions/*, write ---> false (expected: true)
some_user@somedomain, OrgA,  /partitions/*, read ---> false (expected: false)
some_user@somedomain, OrgA,  /partitions/*, write ---> false (expected: false)

As am new to Casbin, I'm not really sure if there is something I'm missing, if this is due to the Adapter,...

Thanks a lot for your help and guidance :)

[casbin-bot]

@tangyang9464 @JalinWang

[hsluoyz]

@kawtar01 can you make a PR?