casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0

Implementation doesn't match Online Editor Results #108

Closed will7200 closed 4 years ago

will7200 commented 4 years ago

Hello

A user of the casbin plugin for Jetbrains is experiencing some mismatched results compared to the online editor. The following is the policy, model, and test requests, with results from the Java implementation vs. the online implementation. You can refer to the original issue will7200/casbin-idea-plugin#2. Any help would be appreciated.

Casbin policy:

p, alice, domain1, /foo/bar/.+/.+baz.+, GET, allow
p, alice, domain1, /foo/bar/.+/baz$, GET, deny
p, alice, domain1, /foo/bar/.+, GET, allow
p, alice, domain1, /foo/bar.+, GET, deny
p, alice, domain1, /foo/bar$, GET, allow
p, alice, 10.10.10.10, /foo/.+, GET, allow
p, alice, 10.10.10.10, /foo.+, GET, deny
p, alice, domain1, /foo/.+, GET, deny
p, alice, domain1, /foo.+, GET, deny
p, data2_admin, domain1, /foo$, GET, allow
p, alice, domain1, /foo$, GET, deny
p, root, domain1, /foo$, GET, deny
p, alice, domain1, /.+, GET, deny

g, alice, data2_admin, domain1
g, bob, root, domain1

Casbin model:

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e = priority(p.eft) || deny

[matchers]
m = (((r.sub == p.sub) || g(r.sub, p.sub, r.dom)) && r.dom == p.dom && c(r.obj, p.obj) && regexMatch(r.act, p.act)) || (g(r.sub, "root", p.dom) || r.sub == "admin")

Test requests:

alice, domain1, /zed, GET
alice, domain1, /zed, POST

alice, domain-10050, /foo, GET
alice, domain1, /foo, GET
data2_admin, domain1, /foo, GET
alice, domain1, /foo-bar, GET
alice, domain1, /foo/zed, GET
alice, domain1, /foo/bar, GET
alice, domain1, /foo/bar-zed, GET
alice, domain1, /foo/bar/zed, GET

alice, domain1, /foo/bar/*/baz-q, GET
alice, domain1, /foo/bar/zed/baz, GET

alice, domain1, /foo/bar/*/*baz*, GET
alice, domain1, /foo/bar/zed/aaa-baz=val, GET

alice, 10.10.10.10, /foo, GET
alice, 10.10.10.10, /foo/bar, GET

root, *, *, *
root, *, *, GET
root, *, *, POST
root, *, *, PUT
root, *, /foo/bar/zed/baz, *
root, *, /foo/bar/zed/aaa-baz=val, *

bob, domain1, /foo, POST
bob, domain1, /foo$, GET
bob, domain1, /foo/bar/baz, GET
bob, domain2, /foo, PUT
bob, domain2, /foo, GET
bob1, domain1, /foo, GET
admin, domain1, /foo-bar, GET
admin, domain10500, /cert, GET

Results (expected = online editor, actual = Java implementation):

| request | expected | actual |
|---|---|---|
| alice, domain1, /zed, GET | False | False |
| alice, domain1, /zed, POST | False | False |
| alice, domain-10050, /foo, GET | False | False |
| alice, domain1, /foo, GET | False | False |
| data2_admin, domain1, /foo, GET | False | False |
| alice, domain1, /foo-bar, GET | False | False |
| alice, domain1, /foo/zed, GET | False | False |
| alice, domain1, /foo/bar, GET | False | False |
| alice, domain1, /foo/bar-zed, GET | False | False |
| alice, domain1, /foo/bar/zed, GET | False | False |
| alice, domain1, /foo/bar/*/baz-q, GET | False | False |
| alice, domain1, /foo/bar/zed/baz, GET | False | False |
| alice, domain1, /foo/bar/*/*baz*, GET | False | False |
| alice, domain1, /foo/bar/zed/aaa-baz=val, GET | False | False |
| alice, 10.10.10.10, /foo, GET | False | False |
| alice, 10.10.10.10, /foo/bar, GET | False | False |
| root, *, *, * | True | True |
| root, *, *, GET | True | True |
| root, *, *, POST | True | True |
| root, *, *, PUT | True | True |
| root, *, /foo/bar/zed/baz, * | True | True |
| root, *, /foo/bar/zed/aaa-baz=val, * | True | True |
| bob, domain1, /foo, POST | True | False |
| bob, domain1, /foo$, GET | True | False |
| bob, domain1, /foo/bar/baz, GET | True | False |
| bob, domain2, /foo, PUT | True | False |
| bob, domain2, /foo, GET | True | False |
| bob1, domain1, /foo, GET | False | False |
| admin, domain1, /foo-bar, GET | True | True |
| admin, domain10500, /cert, GET | True | True |

hsluoyz commented 4 years ago

@nodece please take a look.

nodece commented 4 years ago

@will7200 I tried cloning with gh repo clone casbin/jcasbin, then used the data you provided for testing; jcasbin works fine.

[main] INFO org.casbin.jcasbin - Model:
[main] INFO org.casbin.jcasbin - p.p: sub, dom, obj, act, eft
[main] INFO org.casbin.jcasbin - r.r: sub, dom, obj, act
[main] INFO org.casbin.jcasbin - e.e: priority(p_eft) || deny
[main] INFO org.casbin.jcasbin - g.g: _, _, _
[main] INFO org.casbin.jcasbin - m.m: (((r_sub == p_sub) || g(r_sub, p_sub, r_dom)) && r_dom == p_dom && c(r_obj, p_obj) && regexMatch(r_act, p_act)) || (g(r_sub, "root", p_dom) || r_sub == "admin")
[main] INFO org.casbin.jcasbin - Policy:
[main] INFO org.casbin.jcasbin - p: sub, dom, obj, act, eft: [[alice, domain1, /foo/bar/.+/.+baz.+, GET, allow], [alice, domain1, /foo/bar/.+/baz$, GET, deny], [alice, domain1, /foo/bar/.+, GET, allow], [alice, domain1, /foo/bar.+, GET, deny], [alice, domain1, /foo/bar$, GET, allow], [alice, 10.10.10.10, /foo/.+, GET, allow], [alice, 10.10.10.10, /foo.+, GET, deny], [alice, domain1, /foo/.+, GET, deny], [alice, domain1, /foo.+, GET, deny], [data2_admin, domain1, /foo$, GET, allow], [alice, domain1, /foo$, GET, deny], [root, domain1, /foo$, GET, deny], [alice, domain1, /.+, GET, deny]]
[main] INFO org.casbin.jcasbin - g: _, _, _: [[alice, data2_admin, domain1], [bob, root, domain1]]
[main] INFO org.casbin.jcasbin - Role links for: g
[main] INFO org.casbin.jcasbin - bob < root
[main] INFO org.casbin.jcasbin - root < 
[main] INFO org.casbin.jcasbin - alice < data2_admin
[main] INFO org.casbin.jcasbin - data2_admin < 
[main] INFO org.casbin.jcasbin - Request: bob, domain1, /foo, POST ---> true
[main] INFO org.casbin.jcasbin - Request: bob, domain1, /foo$, GET ---> true
[main] INFO org.casbin.jcasbin - Request: bob, domain1, /foo/bar/baz, GET ---> true
[main] INFO org.casbin.jcasbin - Request: bob, domain2, /foo, PUT ---> true
[main] INFO org.casbin.jcasbin - Request: bob, domain2, /foo, GET ---> true
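The decisions in the log above can be reproduced with a small stand-alone evaluator of this model. This is an added example, not jcasbin's code: it implements the request/policy/role definitions, the matcher expression and the priority(p.eft) || deny effect from the issue on top of the policy and grouping rows copied from it. Two things are assumptions: jcasbin's built-in regexMatch is modelled as a whole-string regex match, and the function c() in the matcher, which the thread never defines, is taken as a parameter. The requests evaluated are the rows of the reporter's table whose outcome does not depend on c() at all: root, bob, bob1 and admin, plus the two alice rows that fail on domain or action before the object is compared. The evaluator also reports which row and which clause decided, which makes the mechanism in the log visible: every bob request is granted by the right-hand clause g(r.sub, "root", p.dom) firing on the first policy row, and since that clause compares against the policy row's domain rather than the request's, bob, who is root only in domain1, is granted in domain2 as well, which is what the expected column records.

```python
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Policy and grouping rows copied verbatim from the issue (embedded so the example runs offline).
POLICY_CSV = """
p, alice, domain1, /foo/bar/.+/.+baz.+, GET, allow
p, alice, domain1, /foo/bar/.+/baz$, GET, deny
p, alice, domain1, /foo/bar/.+, GET, allow
p, alice, domain1, /foo/bar.+, GET, deny
p, alice, domain1, /foo/bar$, GET, allow
p, alice, 10.10.10.10, /foo/.+, GET, allow
p, alice, 10.10.10.10, /foo.+, GET, deny
p, alice, domain1, /foo/.+, GET, deny
p, alice, domain1, /foo.+, GET, deny
p, data2_admin, domain1, /foo$, GET, allow
p, alice, domain1, /foo$, GET, deny
p, root, domain1, /foo$, GET, deny
p, alice, domain1, /.+, GET, deny
g, alice, data2_admin, domain1
g, bob, root, domain1
"""

Request = Tuple[str, str, str, str]        # r = sub, dom, obj, act
Policy = Tuple[str, ...]                   # p = sub, dom, obj, act, eft
ObjMatcher = Callable[[str, str], bool]    # stand-in for the undefined c()


def load_csv(text: str) -> Tuple[List[Policy], List[Tuple[str, ...]]]:
    """Split the CSV into p rows (policies) and g rows (role links)."""
    policies, links = [], []
    for line in text.strip().splitlines():
        parts = tuple(part.strip() for part in line.split(","))
        (policies if parts[0] == "p" else links).append(parts[1:])
    return policies, links


class DomainRoleManager:
    """Minimal domain-aware role manager for g = _, _, _ (user, role, domain)."""

    def __init__(self, links: List[Tuple[str, ...]]) -> None:
        self.links: Dict[Tuple[str, str], Set[str]] = {}
        for user, role, dom in links:
            self.links.setdefault((user, dom), set()).add(role)

    def has_link(self, name1: str, name2: str, domain: str) -> bool:
        # A name is linked to itself; this is what lets the literal subject "root"
        # satisfy g(r.sub, "root", p.dom) without any g row for it.
        if name1 == name2:
            return True
        seen: Set[str] = set()
        stack = [name1]
        while stack:                      # walk transitive role links within the domain
            for role in self.links.get((stack.pop(), domain), ()):
                if role == name2:
                    return True
                if role not in seen:
                    seen.add(role)
                    stack.append(role)
        return False


def regex_match(key1: str, key2: str) -> bool:
    # Assumption: jcasbin's regexMatch is a whole-string match (java Pattern.matches).
    return re.fullmatch(key2, key1) is not None


def never_match(key1: str, key2: str) -> bool:
    # Stand-in for c(): the issue references c() in the matcher but never defines it.
    return False


def matcher(r: Request, p: Policy, rm: DomainRoleManager, c: ObjMatcher) -> Optional[str]:
    """The [matchers] expression from the issue; returns the clause that held, or None."""
    r_sub, r_dom, r_obj, r_act = r
    p_sub, p_dom, p_obj, p_act, _eft = p
    if ((r_sub == p_sub or rm.has_link(r_sub, p_sub, r_dom))
            and r_dom == p_dom and c(r_obj, p_obj) and regex_match(r_act, p_act)):
        return "subject clause"
    # Right-hand clause: note it checks p.dom (the policy row's domain), not r.dom.
    if rm.has_link(r_sub, "root", p_dom) or r_sub == "admin":
        return "root/admin clause"
    return None


def enforce(r: Request, policies: List[Policy], rm: DomainRoleManager,
            c: ObjMatcher) -> Tuple[bool, Optional[int], Optional[str]]:
    """e = priority(p.eft) || deny: the first row in file order whose matcher holds decides.
    Returns (decision, deciding row index, clause); (False, None, None) when no row matches."""
    for i, p in enumerate(policies):
        clause = matcher(r, p, rm, c)
        if clause:
            return p[4] == "allow", i, clause
    return False, None, None


POLICIES, LINKS = load_csv(POLICY_CSV)
ROLES = DomainRoleManager(LINKS)

# Rows from the reporter's table that are settled without c() (see lead-in).
REQUESTS: List[Request] = [
    ("alice", "domain1", "/zed", "POST"), ("alice", "domain-10050", "/foo", "GET"),
    ("root", "*", "*", "*"), ("root", "*", "/foo/bar/zed/baz", "*"),
    ("bob", "domain1", "/foo", "POST"), ("bob", "domain1", "/foo$", "GET"),
    ("bob", "domain1", "/foo/bar/baz", "GET"), ("bob", "domain2", "/foo", "PUT"),
    ("bob", "domain2", "/foo", "GET"), ("bob1", "domain1", "/foo", "GET"),
    ("admin", "domain1", "/foo-bar", "GET"), ("admin", "domain10500", "/cert", "GET"),
]


def decisions(c: ObjMatcher) -> Dict[Request, bool]:
    return {req: enforce(req, POLICIES, ROLES, c)[0] for req in REQUESTS}


def settled_without_c() -> bool:
    """True when every request in REQUESTS decides identically under a never-matching c and a regex c."""
    return decisions(never_match) == decisions(regex_match)


if __name__ == "__main__":
    for req in REQUESTS:
        allowed, row, clause = enforce(req, POLICIES, ROLES, never_match)
        print(f"Request: {', '.join(req)} ---> {str(allowed).lower()} (row {row}, {clause})")
```

Running it prints the same five bob decisions as nodece's log, each attributed to policy row 0 via the root/admin clause; bob1, who has no g row, gets no match and falls through to deny.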
will7200 commented 4 years ago

@nodece Thanks for looking into this. It seems that I am getting the correct results now. I was able to replicate the issue yesterday, but I can no longer today. Most likely a bug in the plugin then.