feat: added enforcer context to enable multiple section type (#317)

* feat: added EnforcerContext + enforce_with_context function * fix: debug cannot derive on DefaultEffectStream on expl which has (feature = 'explain') * fix: fixed wrong macro checking for ctx * fix: pub EnforceContext to be able to import * fix: fixed nightly and beta ubuntu Error: --> src/cached_enforcer.rs:77:1 and Error: --> src/effector.rs:33:9 docs: doc on enforce_with_context * fix: clippy cleaning
casbin · Nov 16, 2023 · 49f090e · 49f090e
1 parent b429e4d
commit 49f090e
Show file tree

Hide file tree

Showing 9 changed files with 342 additions and 12 deletions.
diff --git a/examples/multi_section_model.conf b/examples/multi_section_model.conf
@@ -0,0 +1,19 @@
+[request_definition]
+r = sub, act, obj
+r2 = sub, act
+
+[policy_definition]
+p = sub, act, obj
+p2 = sub, act
+
+[role_definition]
+g = _, _
+g2 = _,_
+
+[policy_effect]
+e = some(where (p.eft == allow))
+e2 = some(where (p.eft == allow))
+
+[matchers]
+m = r.sub == p.sub && g(p.act, r.act) && r.obj == p.obj
+m2 = r2.sub == p2.sub && g(p2.act, r2.act)
diff --git a/examples/multi_section_policy.csv b/examples/multi_section_policy.csv
@@ -0,0 +1,7 @@
+p, alice , admin, project1
+p, bob , user, project2
+p2, james, execute
+
+g, admin, read 
+g, admin, write 
+g, user, read
diff --git a/src/cached_enforcer.rs b/src/cached_enforcer.rs
@@ -6,6 +6,7 @@ use crate::{
     core_api::CoreApi,
     effector::Effector,
     emitter::{clear_cache, Event, EventData, EventEmitter},
+    enforcer::EnforceContext,
     enforcer::Enforcer,
     model::Model,
     rbac::RoleManager,
@@ -71,6 +72,21 @@ impl CachedEnforcer {
             (authorized, false, indices)
         })
     }
+    pub(crate) fn private_enforce_with_context(
+        &self,
+        ctx: EnforceContext,
+        rvals: &[Dynamic],
+        cache_key: u64,
+    ) -> Result<(bool, bool, Option<Vec<usize>>)> {
+        Ok(if let Some(authorized) = self.cache.get(&cache_key) {
+            (authorized, true, None)
+        } else {
+            let (authorized, indices) =
+                self.enforcer.private_enforce_with_context(ctx, &rvals)?;
+            self.cache.set(cache_key, authorized);
+            (authorized, false, indices)
+        })
+    }
 }
 
 #[async_trait]
@@ -226,6 +242,44 @@ impl CoreApi for CachedEnforcer {
         Ok(authorized)
     }
 
+    fn enforce_with_context<ARGS: EnforceArgs>(
+        &self,
+        ctx: EnforceContext,
+        rvals: ARGS,
+    ) -> Result<bool> {
+        let cache_key = rvals.cache_key();
+        let rvals = rvals.try_into_vec()?;
+        #[allow(unused_variables)]
+        let (authorized, cached, indices) =
+            self.private_enforce_with_context(ctx, &rvals, cache_key)?;
+
+        #[cfg(feature = "logging")]
+        {
+            self.enforcer.get_logger().print_enforce_log(
+                rvals.iter().map(|x| x.to_string()).collect(),
+                authorized,
+                cached,
+            );
+
+            #[cfg(feature = "explain")]
+            if let Some(indices) = indices {
+                let all_rules = get_or_err!(self, "p", ModelError::P, "policy")
+                    .get_policy();
+
+                let rules: Vec<String> = indices
+                    .into_iter()
+                    .filter_map(|y| {
+                        all_rules.iter().nth(y).map(|x| x.join(", "))
+                    })
+                    .collect();
+
+                self.enforcer.get_logger().print_explain_log(rules);
+            }
+        }
+
+        Ok(authorized)
+    }
+
     #[inline]
     fn enforce_mut<ARGS: EnforceArgs>(&mut self, rvals: ARGS) -> Result<bool> {
         self.enforce(rvals)

diff --git a/src/config.rs b/src/config.rs
@@ -151,8 +151,7 @@ impl Config {
         if section.is_empty() {
             section = DEFAULT_SECTION.to_owned();
         }
-        let section_value =
-            self.data.entry(section).or_insert_with(HashMap::new);
+        let section_value = self.data.entry(section).or_default();
 
         // if key not exists then insert, else update
         let key_value = section_value.get_mut(&option);

diff --git a/src/core_api.rs b/src/core_api.rs
@@ -1,6 +1,7 @@
 use crate::{
-    Adapter, Effector, EnforceArgs, Event, EventEmitter, Filter, Model, Result,
-    RoleManager, TryIntoAdapter, TryIntoModel,
+    enforcer::EnforceContext, Adapter, Effector, EnforceArgs, Event,
+    EventEmitter, Filter, Model, Result, RoleManager, TryIntoAdapter,
+    TryIntoModel,
 };
 
 #[cfg(feature = "watcher")]
@@ -64,6 +65,13 @@ pub trait CoreApi: Send + Sync {
         Self: Sized;
     fn set_effector(&mut self, e: Box<dyn Effector>);
     fn enforce<ARGS: EnforceArgs>(&self, rvals: ARGS) -> Result<bool>
+    where
+        Self: Sized;
+    fn enforce_with_context<ARGS: EnforceArgs>(
+        &self,
+        ctx: EnforceContext,
+        rvals: ARGS,
+    ) -> Result<bool>
     where
         Self: Sized;
     fn enforce_mut<ARGS: EnforceArgs>(&mut self, rvals: ARGS) -> Result<bool>

diff --git a/src/enforcer.rs b/src/enforcer.rs
@@ -5,7 +5,7 @@ use crate::{
     effector::{DefaultEffector, EffectKind, Effector},
     emitter::{Event, EventData, EventEmitter},
     error::{ModelError, PolicyError, RequestError},
-    get_or_err,
+    get_or_err, get_or_err_with_context,
     management_api::MgmtApi,
     model::{FunctionMap, Model},
     rbac::{DefaultRoleManager, RoleManager},
@@ -74,9 +74,33 @@ pub struct Enforcer {
     logger: Box<dyn Logger>,
 }
 
+pub struct EnforceContext {
+    pub r_type: String,
+    pub p_type: String,
+    pub e_type: String,
+    pub m_type: String,
+}
+
+impl EnforceContext {
+    pub fn new(suffix: &str) -> Self {
+        Self {
+            r_type: format!("r{}", suffix),
+            p_type: format!("p{}", suffix),
+            e_type: format!("e{}", suffix),
+            m_type: format!("m{}", suffix),
+        }
+    }
+    pub fn get_cache_key(&self) -> String {
+        format!(
+            "EnforceContext{{{}-{}-{}-{}}}",
+            &self.r_type, &self.p_type, &self.e_type, &self.m_type,
+        )
+    }
+}
+
 impl EventEmitter<Event> for Enforcer {
     fn on(&mut self, e: Event, f: fn(&mut Self, EventData)) {
-        self.events.entry(e).or_insert_with(Vec::new).push(f)
+        self.events.entry(e).or_default().push(f)
     }
 
     fn off(&mut self, e: Event) {
@@ -127,7 +151,136 @@ impl Enforcer {
             self.eft.new_stream(&e_ast.value, max(policy_len, 1));
         let m_ast_compiled = self
             .engine
-            .compile_expression(&escape_eval(&m_ast.value))
+            .compile_expression(escape_eval(&m_ast.value))
+            .map_err(Into::<Box<EvalAltResult>>::into)?;
+
+        if policy_len == 0 {
+            for token in p_ast.tokens.iter() {
+                scope.push_constant(token, String::new());
+            }
+
+            let eval_result = self
+                .engine
+                .eval_ast_with_scope::<bool>(&mut scope, &m_ast_compiled)?;
+            let eft = if eval_result {
+                EffectKind::Allow
+            } else {
+                EffectKind::Indeterminate
+            };
+
+            eft_stream.push_effect(eft);
+
+            return Ok((eft_stream.next(), None));
+        }
+
+        for pvals in policies {
+            scope.rewind(scope_len);
+
+            if p_ast.tokens.len() != pvals.len() {
+                return Err(PolicyError::UnmatchPolicyDefinition(
+                    p_ast.tokens.len(),
+                    pvals.len(),
+                )
+                .into());
+            }
+            for (ptoken, pval) in p_ast.tokens.iter().zip(pvals.iter()) {
+                scope.push_constant(ptoken, pval.to_owned());
+            }
+
+            let eval_result = self
+                .engine
+                .eval_ast_with_scope::<bool>(&mut scope, &m_ast_compiled)?;
+            let eft = match p_ast.tokens.iter().position(|x| x == "p_eft") {
+                Some(j) if eval_result => {
+                    let p_eft = &pvals[j];
+                    if p_eft == "deny" {
+                        EffectKind::Deny
+                    } else if p_eft == "allow" {
+                        EffectKind::Allow
+                    } else {
+                        EffectKind::Indeterminate
+                    }
+                }
+                None if eval_result => EffectKind::Allow,
+                _ => EffectKind::Indeterminate,
+            };
+
+            if eft_stream.push_effect(eft) {
+                break;
+            }
+        }
+
+        Ok((eft_stream.next(), {
+            #[cfg(feature = "explain")]
+            {
+                eft_stream.explain()
+            }
+            #[cfg(not(feature = "explain"))]
+            {
+                None
+            }
+        }))
+    }
+
+    pub(crate) fn private_enforce_with_context(
+        &self,
+        ctx: EnforceContext,
+        rvals: &[Dynamic],
+    ) -> Result<(bool, Option<Vec<usize>>)> {
+        if !self.enabled {
+            return Ok((true, None));
+        }
+
+        let mut scope: Scope = Scope::new();
+        let r_ast = get_or_err_with_context!(
+            self,
+            "r",
+            &ctx.r_type,
+            ModelError::R,
+            "request"
+        );
+        let p_ast = get_or_err_with_context!(
+            self,
+            "p",
+            &ctx.p_type,
+            ModelError::P,
+            "policy"
+        );
+        let m_ast = get_or_err_with_context!(
+            self,
+            "m",
+            &ctx.m_type,
+            ModelError::M,
+            "matcher"
+        );
+        let e_ast = get_or_err_with_context!(
+            self,
+            "e",
+            &ctx.e_type,
+            ModelError::E,
+            "effector"
+        );
+
+        if r_ast.tokens.len() != rvals.len() {
+            return Err(RequestError::UnmatchRequestDefinition(
+                r_ast.tokens.len(),
+                rvals.len(),
+            )
+            .into());
+        }
+
+        for (rtoken, rval) in r_ast.tokens.iter().zip(rvals.iter()) {
+            scope.push_constant_dynamic(rtoken, rval.to_owned());
+        }
+
+        let policies = p_ast.get_policy();
+        let (policy_len, scope_len) = (policies.len(), scope.len());
+
+        let mut eft_stream =
+            self.eft.new_stream(&e_ast.value, max(policy_len, 1));
+        let m_ast_compiled = self
+            .engine
+            .compile_expression(escape_eval(&m_ast.value))
             .map_err(Into::<Box<EvalAltResult>>::into)?;
 
         if policy_len == 0 {
@@ -426,6 +579,75 @@ impl CoreApi for Enforcer {
 
         Ok(authorized)
     }
+    /// Enforce decides whether a "subject" can access a "object" with the operation "action",
+    /// input parameters are usually: (sub, obj, act).
+    /// this function will add suffix to each model eg. r2, p2, e2, m2, g2,
+    ///
+    /// # Examples
+    /// ```
+    /// use casbin::prelude::*;
+    /// use casbin::EnforceContext;
+    ///
+    /// #[cfg(feature = "runtime-async-std")]
+    /// #[async_std::main]
+    /// async fn main() -> Result<()> {
+    ///     let mut e = Enforcer::new("examples/multi_section_model.conf", "examples/multi_section_policy.csv").await?;
+    ///     assert_eq!(true, e.enforce(("alice", "read", "project1"))?);
+    ///     let ctx = EnforceContext::new("2");
+    ///     assert_eq!(true, e.enforce_with_context(ctx, ("james", "execute"))?);
+    ///     Ok(())
+    /// }
+    ///
+    /// #[cfg(feature = "runtime-tokio")]
+    /// #[tokio::main]
+    /// async fn main() -> Result<()> {
+    ///     let mut e = Enforcer::new("examples/multi_section_model.conf", "examples/multi_section_policy.csv").await?;
+    ///     assert_eq!(true, e.enforce(("alice", "read", "project1"))?);
+    ///     let ctx = EnforceContext::new("2");
+    ///     assert_eq!(true, e.enforce_with_context(ctx, ("james", "execute"))?);
+    ///
+    ///     Ok(())
+    /// }
+    /// #[cfg(all(not(feature = "runtime-async-std"), not(feature = "runtime-tokio")))]
+    /// fn main() {}
+    /// ```
+
+    fn enforce_with_context<ARGS: EnforceArgs>(
+        &self,
+        ctx: EnforceContext,
+        rvals: ARGS,
+    ) -> Result<bool> {
+        let rvals = rvals.try_into_vec()?;
+        #[allow(unused_variables)]
+        let (authorized, indices) =
+            self.private_enforce_with_context(ctx, &rvals)?;
+
+        #[cfg(feature = "logging")]
+        {
+            self.logger.print_enforce_log(
+                rvals.iter().map(|x| x.to_string()).collect(),
+                authorized,
+                false,
+            );
+
+            #[cfg(feature = "explain")]
+            if let Some(indices) = indices {
+                let all_rules = get_or_err!(self, "p", ModelError::P, "policy")
+                    .get_policy();
+
+                let rules: Vec<String> = indices
+                    .into_iter()
+                    .filter_map(|y| {
+                        all_rules.iter().nth(y).map(|x| x.join(", "))
+                    })
+                    .collect();
+
+                self.logger.print_explain_log(rules);
+            }
+        }
+
+        Ok(authorized)
+    }
 
     fn enforce_mut<ARGS: EnforceArgs>(&mut self, rvals: ARGS) -> Result<bool> {
         self.enforce(rvals)