casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0

Not validating with jCasbin #92

Closed brunodomenici closed 4 years ago

brunodomenici commented 4 years ago

Hi,

I'm not able to enforce a policy that is working on Casbin Editor with jCasbin.

I have this conf:

[request_definition]
r = sub, obj, act, artifact

[policy_definition]
p = sub, obj, act, artifact

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.act, p.act) && regexMatch(r.artifact, p.artifact)

This policy file:

p, group_app1_manager, schema, promote, .*APP1
p, group_app1_manager, schema, get, .*APP1
p, group_app1_manager, schema, create, .*APP1
p, group_app1_manager, schema, get, .*APP1
p, group_app1_manager, topic, create, .*APP1

p, group_app1_viewer, topic, list, .*APP1
p, group_app1_viewer, topic, get, .*APP1
p, group_app1_viewer, schema, get, .*APP1
p, group_app1_viewer, schema, list, .*APP1

p, group_dsp_admin, *, *, .*

g, admin, group_dsp_admin
g, viewer, group_app1_viewer
g, manager, group_app1_manager

My code:

    @Test
    public void givenViewerUser_ThenList_MustAllow() {
        assertTrue(enforcer.enforce("viewer", "schema", "list", "europe-west1-APP1-SALES-BY-LOCATION-value"));
    }

My application log:

16:28:36.360 [main] INFO  org.casbin.jcasbin - Model:
16:28:36.361 [main] INFO  org.casbin.jcasbin - p.p: sub, obj, act, artifact
16:28:36.361 [main] INFO  org.casbin.jcasbin - r.r: sub, obj, act, artifact
16:28:36.361 [main] INFO  org.casbin.jcasbin - e.e: some(where (p_eft == allow))
16:28:36.361 [main] INFO  org.casbin.jcasbin - g.g: _, _
16:28:36.361 [main] INFO  org.casbin.jcasbin - m.m: g(r_sub, p_sub) && keyMatch(r_act, p_act) && regexMatch(r_artifact, p_artifact)
16:28:36.370 [main] INFO  org.casbin.jcasbin - Policy:
16:28:36.370 [main] INFO  org.casbin.jcasbin - p: sub, obj, act, artifact: [[group_app1_manager, schema, promote, .*APP1], [group_app1_manager, schema, get, .*APP1], [group_app1_manager, schema, create, .*APP1], [group_app1_manager, schema, get, .*APP1], [group_app1_manager, topic, create, .*APP1], [group_app1_viewer, topic, list, .*APP1], [group_app1_viewer, topic, get, .*APP1], [group_app1_viewer, schema, get, .*APP1], [group_app1_viewer, schema, list, .*APP1], [group_dsp_admin, *, *, .*]]
16:28:36.370 [main] INFO  org.casbin.jcasbin - g: _, _: [[admin, group_dsp_admin], [viewer, group_app1_viewer], [manager, group_app1_manager]]
16:28:36.371 [main] INFO  org.casbin.jcasbin - Role links for: g
16:28:36.371 [main] INFO  org.casbin.jcasbin - viewer < group_app1_viewer
16:28:36.371 [main] INFO  org.casbin.jcasbin - group_app1_viewer < 
16:28:36.371 [main] INFO  org.casbin.jcasbin - manager < group_app1_manager
16:28:36.371 [main] INFO  org.casbin.jcasbin - group_dsp_admin < 
16:28:36.371 [main] INFO  org.casbin.jcasbin - group_app1_manager < 
16:28:36.371 [main] INFO  org.casbin.jcasbin - admin < group_dsp_admin
16:28:36.454 [main] INFO  org.casbin.jcasbin - Request: viewer, schema, list, europe-west1-APP1-SALES-BY-LOCATION-value ---> false

Any ideas?

Thanks a lot!

hsluoyz commented 4 years ago

Hi @brunodomenici, I didn't see "viewer" being granted permission anywhere..

brunodomenici commented 4 years ago

@hsluoyz ooops, my bad on copy & paste, sorry... I corrected issue description... Thanks

hsluoyz commented 4 years ago

@tldyl please test this issue.

hsluoyz commented 4 years ago

@brunodomenici your code looks OK.

Can you troubleshoot it by removing a part from the matcher? Like changing:

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.act, p.act) && regexMatch(r.artifact, p.artifact)

into:

[matchers]
m = keyMatch(r.act, p.act) && regexMatch(r.artifact, p.artifact)

So we can know which part doesn't work as expected.

brunodomenici commented 4 years ago

@hsluoyz I did the test and it is definitely && regexMatch(r.artifact, p.artifact) which does not validate. Without that, the enforce returns true.

brunodomenici commented 4 years ago

Well, I got it. The problem was my regular expression. To achieve what I want, it should be .*APP1.* instead of .*APP1. This works in Casbin Editor because, I supposed, it's implemented in Go. In jCasbin you use Java's flavor of regex (of course). That makes sense, but I need to pay attention because I'm planning to use Casbin in several microservices implemented on several platforms (Java, Go, NodeJS); this could be an issue if I reuse policies with regex on those platforms.

Thanks a lot!

hsluoyz commented 4 years ago

@brunodomenici one thing to clarify is that Casbin Editor is based on Node-Casbin instead of Golang Casbin, see: https://github.com/casbin/casbin-editor . It is actually calculated totally in your own browser (Node-Casbin can run on both browser and Node.js environment). There's no backend for it.

About regex, yes, we usually use the built-in or std regex for that language. Maybe it is an issue for cross-language applications. We are open to all suggestions, like using a unified regex dialect by replacing the regex lib for some languages.
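The difference found in this thread (.*APP1 failing in jCasbin but passing in Casbin Editor) comes down to full-string versus substring regex semantics, and the same difference matters when one policy file is shared across Java, Go and Node services. The following is an added example, not code from the jCasbin project. It assumes that jCasbin's regexMatch delegates to java.util.regex.Pattern.matches (which requires the whole artifact to match the pattern), while unanchored matching in other engines accepts a hit anywhere in the string. It runs the issue's artifact and policy patterns through both semantics, plus a constructed artifact and a constructed delimited pattern, so the reader can see where the two disagree and where an under-specified pattern would grant more than intended.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RegexMatchSemantics {

    // Full-string semantics. Assumption: this is what jCasbin's regexMatch
    // does via Pattern.matches, so ".*APP1" only matches if the artifact
    // ends right after "APP1".
    static boolean fullMatch(String artifact, String policyPattern) {
        return Pattern.matches(policyPattern, artifact);
    }

    // Substring semantics: a match anywhere in the artifact counts. This is
    // the behaviour of unanchored regex tests in most other engines, which is
    // why the same pattern can pass in one runtime and fail in another.
    static boolean findMatch(String artifact, String policyPattern) {
        Matcher m = Pattern.compile(policyPattern).matcher(artifact);
        return m.find();
    }

    // Evaluates one (artifact, pattern) pair under both semantics and reports
    // whether a policy reusing that pattern would behave consistently.
    static String evaluate(String artifact, String policyPattern) {
        boolean full = fullMatch(artifact, policyPattern);
        boolean find = findMatch(artifact, policyPattern);
        String verdict = (full == find) ? "consistent" : "DIVERGES across engines";
        return String.format("%-45s %-16s full=%-5b find=%-5b %s",
                artifact, policyPattern, full, find, verdict);
    }

    public static void main(String[] args) {
        String[] artifacts = {
            // The request artifact from the issue.
            "europe-west1-APP1-SALES-BY-LOCATION-value",
            // Constructed: a different application whose name merely starts
            // with "APP1". A pattern that is not delimited will match it too.
            "europe-west1-APP10-SALES-value",
        };
        String[] patterns = {
            ".*APP1",        // the original policy pattern from the issue
            ".*APP1.*",      // the corrected pattern from the issue
            "^.*-APP1-.*$",  // constructed: anchored and delimited on both sides
        };

        for (String artifact : artifacts) {
            for (String pattern : patterns) {
                System.out.println(evaluate(artifact, pattern));
            }
        }
    }
}
```

Two things to take from the output. First, only the patterns that match the whole artifact under Pattern.matches behave the same under find(); writing every artifact pattern as if it must match the full string (or anchoring it explicitly with ^ and $) is the portable choice for policies reused across jCasbin, Casbin and Node-Casbin. Second, a loose pattern such as .*APP1.* also accepts the constructed APP10 artifact, so a policy meant to scope a role to one application silently widens; delimiting the application name with its separators, as the last pattern does, keeps the grant narrow. Treat policy regexes as security-relevant input and test them against near-miss names like this before deployment.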