Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ABAC with rules in policy: online editor gives different results to pyCasbin Enforcer.enforce #164

Closed
lukemsmyth opened this issue Nov 15, 2024 · 3 comments · Fixed by #168
Assignees
Labels
bug Something isn't working released

Comments

@lukemsmyth
Copy link

I am trying to implement ABAC with rules in the policies (per these instructions).

Online Editor set up

I have set up my model, policy and request in the online editor like so:

model.conf

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub_rule, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = eval(p.sub_rule) && r.obj == p.obj && r.act == p.act

policy.csv

p, "r.sub.rank == 5 && keyMatch(""IT"", r.sub.org)", "data", "GET"

request

{rank: 5, org: "IT"}, data, GET

Online editor results

I am getting a result of true Reason: ["r.sub.rank == 5 && keyMatch(\"IT\", r.sub.org)","data","GET"] from the online editor - this is expected. See screenshot below:

Screenshot 2024-11-15 at 13 33 30

Local python environment set up

  • Running Python 3.12 on MacOS
  • Set up a new project in PyCharm
    • including default venv
  • Installed casbin using pip install casbin
  • Set up model.conf and policy.csv exactly the same as in the online editor.
  • Create a main.py file to run my request

main.py

import casbin

if __name__ == '__main__':
    enforcer = casbin.Enforcer("model.conf", "policy.csv")
    request_vals = ['{rank: 5, org: "IT"}', 'data', 'GET']
    print(enforcer.enforce(*request_vals)) # prints False

This code is printing False which is the opposite of the online editor and the unexpected result.

See screenshot below:
Screenshot 2024-11-15 at 13 37 43

I'm not sure if I'm missing something or if this is a bug

@hsluoyz
Copy link
Member

hsluoyz commented Nov 16, 2024

@lukemsmyth you need to use Python object instead of string, like:

import casbin

if __name__ == '__main__':
    enforcer = casbin.Enforcer("model.conf", "policy.csv")
    request_vals = [{'rank': 5, 'org': "IT"}, 'data', 'GET']  
    print(enforcer.enforce(*request_vals))

@hsluoyz hsluoyz self-assigned this Nov 16, 2024
@hsluoyz hsluoyz added the question Further information is requested label Nov 16, 2024
@lukemsmyth
Copy link
Author

@hsluoyz thanks for your response.

I changed my main.py code to your suggestion and was still getting the same problem. Then I changed the policy in policy.csv by removing the double quotes around the sub, obj and act like so (note, no longer escaping the double quotes around the value "IT"):

p, r.sub.rank == 5 && keyMatch("IT", r.sub.org), data2, GET

This gave the expected result of True.

I also verified that the problem was coming from escaping the string in the policy by testing with escaped and unescaped strings:
Screenshot 2024-11-18 at 09 14 24

However when I made the same change to the policy in the online editor, I get this InvalidOpeningQuote error, see below:
Screenshot 2024-11-18 at 09 18 07

So, from the Python side, I able to get the expected result which is the important thing. But it seems like there's a mismatch with the behaviour of the online editor.

@hsluoyz hsluoyz reopened this Nov 18, 2024
@hsluoyz hsluoyz transferred this issue from casbin/pycasbin Nov 18, 2024
@hsluoyz hsluoyz added bug Something isn't working and removed question Further information is requested labels Nov 22, 2024
@hsluoyz
Copy link
Member

hsluoyz commented Nov 22, 2024

🎉 This issue has been resolved in version 1.23.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working released
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants