Closed rachnaaggarwal closed 3 years ago
@shy1st @shink
Do you mind providing entity class code related to it? This may be more convenient to debug for me. @rachnaaggarwal
@shy1st I think @rachnaaggarwal means:
\"test\".equals(r.sub) && java.util.regex.Pattern.compile(\"/*/url1/url2/*\", java.util.regex.Pattern.CASE_INSENSITIVE).matcher(r.obj).find()
will be processed into:
"test1".getEquals(r_sub)() && java.getUtil().getRegex().getgetPattern()().getCompile("/*/approve/expense/*",() java.getUtil().getRegex().getgetPattern()().getCASE_INSENSITIVE)().getMatcher(r_obj)().find()
in latest jCasbin. You can see a lot of getXxx() there. I guess some of our escaping rules are functioning wrongly, so abc() is changed to getAbc(). Can you check this bug?
@shy1st
Please find attached the zip file "abacPOCWithCasbin.zip" for the Spring Boot POC using jcasbin. The build.gradle in the zip includes the jcasbin 1.6.4 library since it defaults to the one included by casbin-spring-boot-starter. When you will run the application and will access the following "GET" URL:
http://localhost:8080/test/approve/expense/2?subject=test1
You would see the result as "Authorized".
If you will now replace the build.gradle in the zip with the attached "build.gradle" file from the "build.gradle.zip" which includes the jcasbin 1.8.1 version, and will run the application and access the above URL, you will get the error and "Not Authorized".
abacPOCWithCasbin.zip build.gradle.zip
Please let me know if any further information is required.
Regards, Rachna
@shy1st plz take a look.
I wanted to add here that I have created another issue (#184) for the original issue that I was facing with CSV parsing since I thought they are separate ones.
@shink
@shink
I'll do it.
@hsluoyz @shy1st @rachnaaggarwal
I think this problem is caused by the pattern. Through this pattern, equals
, util
, regex
etc. are recognized as attributes and changed to getXXX()
.
For example, we need convert user.age
to user.getAge()
instead of converting java.util
to java.getUtil()
, so we need distinguish between user
and java
. But it is impossible to exhaust all situations like java.util
. Do you have any good suggestions?
@shink it's not hard to solve I think. You can first check if it's starting with with policy or request definition. For example, r.sub.age
should be converted to r.sub.getAge()
, because you know we have the following in model:
[request_definition]
r = sub, obj, act
Similar for p.sub.xxx()
.
If it's not the case, then it's Java's package path.
@hsluoyz Got it! I will do it.
We introduced eval()
in PR: https://github.com/casbin/jcasbin/pull/85 , but it used bsh. But then we switched to janino. Now we decided to use aviator, just like how matcher is evaluated.
We fixed this bug and implemented the eval
function using aviator. However, aviator is powerful but does not support executing non-static Java methods.
System.out.println(AviatorEvaluator.execute("Integer.toString(10)")); // 10
// an exception (com.googlecode.aviator.exception.ExpressionSyntaxErrorException) will be thrown because the matches and find functions are not static
System.out.println(AviatorEvaluator.execute("Pattern.compile(\"/*/url1/url2/*\", Pattern.CASE_INSENSITIVE).matcher(\"/test/url1/url2/2\").find()"));
So, I think we can add support for custom function, then the complex policy can be handled by function customed by user. What do you think? @hsluoyz @rachnaaggarwal
@shink To clarify, have you added the support for executing a custom function (including java functions) from within a policy, or have you added the support for executing java functions from within eval?
So, for example, can we now do the following from either eval or within policy?
java.util.regex.Pattern.compile(\"//url1/url2/\", java.util.regex.Pattern.CASE_INSENSITIVE).matcher(r.obj).find()
@rachnaaggarwal
Now, I have added support for custom function. You can take a look at this PR.
Unfortunately, in this PR, the java code in policies will no longer be supported. Because I don't think there should be verbose java code in policies.
However, you can create a custom function in this way and use it in the policy, which is more powerful and recommended. But in this way, you need to modify your previous policy. Looking forward to any your suggestions.
@rachnaaggarwal actually java.util.regex.Pattern.compile("//url1/url2/", java.util.regex.Pattern.CASE_INSENSITIVE).matcher(r.obj).find()
this code is so tedious and it is not supposed to be Casbin grammar. And it will not be supported by other Casbin implementations. If we can support it, that's fine. But it's totally fine I think if we don't support it.
Got it, thank you!
Hello, I am trying to do a POC on using ABAC via "jcasbin" and I am facing an issue related to the "eval" function. The eval function in the jcasbin library prior to the 1.7.1 version allowed using java expressions whereas a change was added in version 1.7.1 (https://github.com/casbin/jcasbin/compare/v1.7.0...v1.7.1) which broke this functionality. When I used "casbin-spring-boot-starter" dependency, the jcasbin library included was of version 1.6.4 and I was able to evaluate the following policy definition:
"\"test\".equals(r.sub) && java.util.regex.Pattern.compile(\"/*/url1/url2/*\", java.util.regex.Pattern.CASE_INSENSITIVE).matcher(r.obj).find()","r.obj","PUT"
with the below model definition:
Please note that I had to use the enforcer.addPolicy() method for adding the above policy definition because the csv parser with the file adapter was splitting the definition with comma. Then I found that the comma issue was fixed in version 1.8.1 (https://github.com/casbin/jcasbin/issues/158). So, I upgraded the jcasbin library to 1.8.1 but then the above stopped working because the eval function is changing the above expression to:
"test1".getEquals(r_sub)() && java.getUtil().getRegex().getgetPattern()().getCompile("/*/approve/expense/*",() java.getUtil().getRegex().getgetPattern()().getCASE_INSENSITIVE)().getMatcher(r_obj)().find()
i.e., its appending get for all the attributes and is not working as java expression.
I know that we can use functions (and even write our own customized function) in the model definition. But my requirement is to define a function in the policy definition. The reason being, I don't want to use the function for all the use cases and so the use case for which I need, I can define that in the policy definition.
Could you please suggest how can we achieve that?