casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0
2.38k stars 461 forks

[Bug] Implicit role doesn't work in Java lib 'jcasbin' but works in casbin editor #339

Closed yuzhenling closed 1 year ago

yuzhenling commented 1 year ago

Describe the bug

This is a similar bug to https://github.com/casbin/casbin/issues/1204, but this one is in Java. We are using RBAC with domain model to do authorization, and using a group policy to extend one role to another.

In the casbin editor below, we can see that can_manage extends the can_use role in all domains, and a user with the can_manage role can also perform can_use actions like attach.

https://editor.casbin.org/#DQV237WAL


But the same logic doesn't work in the casbin Java lib, even in the latest version v1.32.3.

To Reproduce

The model is:
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
#RBAC
m = g(r.sub, p.sub, r.dom) && keyMatch(r.dom, p.dom) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

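public void setDefaultPoliciesForCasbin(DefaultPolicyModel dpm) {
    Enforcer e = CasbinEnforce.getInstance().getEnforcer();

    // p rules: each role's allowed actions on any object in any engines/* domain
    e.addPolicy("can_manage", "engines/*", "*", "(pause)|(resume)");
    e.addPolicy("can_use", "engines/*", "*", "(attach)|(detach)");

    // g rules: can_manage inherits can_use in domain "*"; the user holds can_manage in engines/engine1
    e.addGroupingPolicy("can_manage", "can_use", "*");
    e.addGroupingPolicy("Username==test2", "can_manage", "engines/engine1");

    // Resolve the user's direct and inherited roles in the concrete domain
    List<String> r = e.getImplicitRolesForUser("Username==test2", "engines/engine1");
    System.out.println("r " + r);
    // attach is only granted to can_use, so this depends on the inherited role
    EnforceResult enforceEx = e.enforceEx("Username==test2", "engines/engine1", "*", "attach");
    System.out.println(enforceEx.toString());
}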

Expected behavior

implicitRoles should be can_manage and can_use, and ok should be true.

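The expected result in the report above can be reproduced outside the library with a small stand-alone model of role resolution. This is an added example, not code from the issue or from jCasbin: the class `ImplicitRolesDemo`, its methods, and the simplified `keyMatch` are hypothetical. The page does not state why the library's result differs; the sketch only contrasts comparing the domain field of a `g` rule literally against comparing it as a pattern, using the report's own rules.

```java
import java.util.*;
import java.util.function.BiPredicate;
import java.util.regex.Pattern;
public class ImplicitRolesDemo {
    // g rules from the report: {member, role, domain}
    static final String[][] G = {
        {"can_manage", "can_use", "*"},
        {"Username==test2", "can_manage", "engines/engine1"}};
    // p rules from the report: {sub, dom, obj, act}
    static final String[][] P = {
        {"can_manage", "engines/*", "*", "(pause)|(resume)"},
        {"can_use", "engines/*", "*", "(attach)|(detach)"}};
    // Simplified stand-in for keyMatch (assumption): '*' matches any run of characters.
    static boolean keyMatch(String key, String pattern) {
        return key.matches(Pattern.quote(pattern).replace("*", "\\E.*\\Q"));
    }
    // Transitive closure over g; domMatch decides whether a rule's domain covers dom.
    static List<String> implicitRoles(String user, String dom, BiPredicate<String, String> domMatch) {
        Set<String> roles = new LinkedHashSet<>();
        Deque<String> queue = new ArrayDeque<>(List.of(user));
        while (!queue.isEmpty()) {
            String cur = queue.poll();
            for (String[] g : G) {
                if (g[0].equals(cur) && domMatch.test(dom, g[2]) && roles.add(g[1])) queue.add(g[1]);
            }
        }
        return new ArrayList<>(roles);
    }

    // Mirrors the report's matcher: role link, keyMatch on dom and obj, regex on act.
    static boolean enforce(String sub, String dom, String obj, String act, BiPredicate<String, String> domMatch) {
        List<String> subjects = implicitRoles(sub, dom, domMatch);
        subjects.add(sub);
        for (String[] p : P) {
            if (subjects.contains(p[0]) && keyMatch(dom, p[1]) && keyMatch(obj, p[2])
                    && Pattern.compile(p[3]).matcher(act).find()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, BiPredicate<String, String>> modes = new LinkedHashMap<>();
        modes.put("literal g-domain", String::equals);
        modes.put("pattern g-domain", ImplicitRolesDemo::keyMatch);
        modes.forEach((name, m) -> System.out.println(name
            + ": roles=" + implicitRoles("Username==test2", "engines/engine1", m)
            + " attach=" + enforce("Username==test2", "engines/engine1", "*", "attach", m)));
    }
}
```

A regression test for an authorization model like this one should assert both the implicit role list and the final decision, since a role that silently fails to inherit shows up only as a denied request.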

casbin-bot commented 1 year ago

@tangyang9464 @JalinWang

casbin-bot commented 1 year ago

@tangyang9464 @imp2002