casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0
2.4k stars 464 forks

Allow the explanation in `enforceEx` and `enforceExWithMatcher` methods in the CoreEnforcer to be accessed externally #304

Closed aryalrabin closed 2 years ago

aryalrabin commented 2 years ago

The current implementation of the CoreEnforcer prints the explanation on the log but does not allow it to be accessed externally.

The methods should allow the explanation to be passed externally. The below two methods should be

```java
public boolean enforceEx(List<String> explain, Object... rvals) {
    return enforce("", explain, rvals);
}

public boolean enforceExWithMatcher(String matcher, List<String> explain, Object... rvals) {
    return enforce(matcher, explain, rvals);
}
```

casbin-bot commented 2 years ago

@tangyang9464 @imp2002

imp2002 commented 2 years ago

Could you give an example that manifests its necessity?

What I understand you mean is to replace `Hit Policy:` or add something around this. But I don't think it's necessary.👀

aryalrabin commented 2 years ago

You don't have to make any changes to `Hit Policy:`. The actual explanation is never returned back in jcasbin. Python or Go versions return multiple values with explanations back:

https://github.com/casbin/pycasbin/blob/6f6b1279cddef182ddce98a8c806130d67666f91/casbin/core_enforcer.py#L459
https://github.com/casbin/casbin/blob/63b2757cc60362d974921cb9065809b617d8b527/enforcer.go#L707

However, jcasbin only logs the `Hit policy:` and does not expose the explanation. If you look at the current implementation below:

```java
public boolean enforceEx(Object... rvals) {
    List<String> explain = new ArrayList<>();
    return enforce("", explain, rvals);
}

public boolean enforceExWithMatcher(String matcher, Object... rvals) {
    List<String> explain = new ArrayList<>();
    return enforce(matcher, explain, rvals);
}
```

Both enforceEx, enforceExWithMatcher print the Hit policy: in the log and never expose an explanation.

The above enforceEx, enforceExWithMatcher methods simply should let an explanation be passed as

```java
public boolean enforceEx(List<String> explain, Object... rvals) {
    return enforce("", explain, rvals);
}

public boolean enforceExWithMatcher(String matcher, List<String> explain, Object... rvals) {
    return enforce(matcher, explain, rvals);
}
```

The business necessity is that the policy is dynamically populated from AD and contains metadata at the end. These metadata are required for compliance and some critical business rules.

The example policy will look like `p, bob, data2, write, sensitivity, pii, mask`
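The pattern requested above, as an added example that is not part of the original thread and is not jCasbin code: a caller-owned `explain` list receives the matched rule, and the trailing metadata drives a compliance decision. `ExplainDemo`, its toy `enforceEx`, the `metadata` helper and the policy rows are hypothetical stand-ins with a fixed sub/obj/act equality matcher.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical stand-in for an enforcer; NOT jCasbin's CoreEnforcer.
public class ExplainDemo {
    // Constructed policy rows: sub, obj, act, then trailing metadata.
    static final List<List<String>> POLICY = Arrays.asList(
        Arrays.asList("alice", "data1", "read"),
        Arrays.asList("bob", "data2", "write", "sensitivity", "pii", "mask"));

    // Mirrors the proposed signature: the caller owns `explain`, and the
    // enforcer fills it with the rule that produced the allow decision.
    static boolean enforceEx(List<String> explain, Object... rvals) {
        explain.clear(); // never carry a rule over from a previous call
        if (rvals.length != 3) {
            return false; // malformed request: deny
        }
        for (List<String> rule : POLICY) {
            boolean hit = true;
            for (int i = 0; i < 3 && hit; i++) {
                hit = rule.get(i).equals(String.valueOf(rvals[i]));
            }
            if (hit) {
                explain.addAll(rule);
                return true;
            }
        }
        return false; // default deny; explain stays empty
    }

    // Everything after sub/obj/act is metadata for compliance handling.
    static List<String> metadata(List<String> explain) {
        return explain.size() > 3
            ? new ArrayList<>(explain.subList(3, explain.size()))
            : new ArrayList<>();
    }

    public static void main(String[] args) {
        List<String> explain = new ArrayList<>();
        boolean ok = enforceEx(explain, "bob", "data2", "write");
        System.out.println(ok + " rule=" + explain + " meta=" + metadata(explain));
        ok = enforceEx(explain, "bob", "data1", "write");
        System.out.println(ok + " rule=" + explain + " meta=" + metadata(explain));
    }
}
```

Clearing the list at the start of each call keeps a stale rule from being attributed to a later deny when the same list is reused.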

imp2002 commented 2 years ago

Looks right, thanks for your advice. I will implement it later.

github-actions[bot] commented 2 years ago

:tada: This issue has been resolved in version 1.31.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket: