Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add priority_policy_explicit support #250

Merged
merged 10 commits into from Mar 23, 2021
Merged

feat: add priority_policy_explicit support #250

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
368db62
test: add unit tests for explicit priority model
Zxilly Mar 17, 2021
4c254d9
feat: add priority_policy_explicit support
Zxilly Mar 20, 2021
69576e7
perf: enhance batch action performance
Zxilly Mar 20, 2021
9c5c54e
style: small fix
Zxilly Mar 21, 2021
c851497
fix: change function argument
Zxilly Mar 21, 2021
604316e
fix: fix incorrect implement
Zxilly Mar 21, 2021
c9b33e3
refactor: refactor priority index
Zxilly Mar 21, 2021
e4f38c3
feat: add update priority unittest
Zxilly Mar 21, 2021
88d2ada
perf: priority performance enhanced
Zxilly Mar 22, 2021
c4eda9c
refactor: refactor updatePolicy()
Zxilly Mar 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
14 changes: 14 additions & 0 deletions examples/priority_model_explicit.conf
View file
Open in desktop
@@ -0,0 +1,14 @@
[request_definition]
r = sub, obj, act

[policy_definition]
p = priority, sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = priority(p.eft) || deny

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
12 changes: 12 additions & 0 deletions examples/priority_policy_explicit.csv
View file
Open in desktop
@@ -0,0 +1,12 @@
p, 10, data1_deny_group, data1, read, deny
p, 10, data1_deny_group, data1, write, deny
p, 10, data2_allow_group, data2, read, allow
p, 10, data2_allow_group, data2, write, allow


p, 1, alice, data1, write, allow
p, 1, alice, data1, read, allow
p, 1, bob, data2, read, deny

g, bob, data2_allow_group
g, alice, data1_deny_group
31 changes: 30 additions & 1 deletion src/coreEnforcer.ts
View file
Open in desktop
Expand Up @@ -18,7 +18,16 @@ import { DefaultEffector, Effect, Effector } from './effect';
import { FunctionMap, Model, newModel, PolicyOp } from './model';
import { Adapter, FilteredAdapter, Watcher, BatchAdapter, UpdatableAdapter } from './persist';
import { DefaultRoleManager, RoleManager } from './rbac';
import { escapeAssertion, generateGFunction, getEvalValue, hasEval, replaceEval, generatorRunSync, generatorRunAsync } from './util';
import {
escapeAssertion,
generateGFunction,
getEvalValue,
hasEval,
replaceEval,
generatorRunSync,
generatorRunAsync,
policySortByPriority,
} from './util';
import { getLogger, logPrint } from './log';
import { MatchingFunc } from './rbac';

Expand Down Expand Up @@ -160,6 +169,16 @@ export class CoreEnforcer {
this.model.clearPolicy();
await this.adapter.loadPolicy(this.model);

const policy = this.model.model.get('p')?.get('p')?.policy;
const tokens = this.model.model.get('p')?.get('p')?.tokens;

if (policy && tokens) {
const priorityIndex = tokens.indexOf('p_priority');
if (priorityIndex !== -1) {
policySortByPriority(priorityIndex, policy);
}
}

this.initRmMap();

if (this.autoBuildRoleLinks) {
Expand All @@ -182,6 +201,16 @@ export class CoreEnforcer {
throw new Error('filtered policies are not supported by this adapter');
}

const policy = this.model.model.get('p')?.get('p')?.policy;
const tokens = this.model.model.get('p')?.get('p')?.tokens;

if (policy && tokens) {
const priorityIndex = tokens.indexOf('p_priority');
if (priorityIndex !== -1) {
policySortByPriority(priorityIndex, policy);
}
}

this.initRmMap();

if (this.autoBuildRoleLinks) {
Expand Down
1 change: 1 addition & 0 deletions src/internalEnforcer.ts
View file
Open in desktop
Expand Up @@ -45,6 +45,7 @@ export class InternalEnforcer extends CoreEnforcer {
}

const ok = this.model.addPolicy(sec, ptype, rule);

if (sec === 'g' && ok) {
await this.buildIncrementalRoleLinks(PolicyOp.PolicyAdd, ptype, [rule]);
}
Expand Down
31 changes: 29 additions & 2 deletions src/model/model.ts
View file
Open in desktop
Expand Up @@ -220,7 +220,19 @@ export class Model {
if (!ast) {
return false;
}
ast.policy.push(rule);

const policy = ast.policy;
const tokens = ast.tokens;

if (tokens.find((str) => str === 'p_priority')) {
Zxilly marked this conversation as resolved.
Show resolved Hide resolved
const targetPriorityIndex = tokens.indexOf('p_priority');
const rulePriority = rule[targetPriorityIndex];
const targetInsertIndex = policy.findIndex((oneRule) => oneRule[targetPriorityIndex] >= rulePriority);
// If targetInsertIndex returns -1, next line will still work as expected.
Zxilly marked this conversation as resolved.
Show resolved Hide resolved
policy.splice(targetInsertIndex, 0, rule);
} else {
policy.push(rule);
}
return true;
}

Expand All @@ -240,7 +252,22 @@ export class Model {
}
}

ast.policy = ast.policy.concat(rules);
let priorityFlag = false;

if (rules.length > 0) {
const tmpRule = rules[0];
if (tmpRule.find((value) => value === 'p_priority')) {
priorityFlag = true;
Zxilly marked this conversation as resolved.
Show resolved Hide resolved
}
}

if (priorityFlag) {
rules.forEach((rule) => {
this.addPolicy(sec, ptype, rule);
});
} else {
ast.policy = ast.policy.concat(rules);
}

return [true, rules];
}
Expand Down
7 changes: 7 additions & 0 deletions src/util/util.ts
View file
Open in desktop
Expand Up @@ -159,6 +159,12 @@ async function generatorRunAsync(iterator: Generator<any>): Promise<any> {
}
}

function policySortByPriority(priorityIndex: number, policy: Array<Array<string>>): void {
Zxilly marked this conversation as resolved.
Show resolved Hide resolved
policy.sort((a, b) => {
return parseInt(a[priorityIndex], 10) - parseInt(b[priorityIndex], 10);
});
}

export {
escapeAssertion,
removeComments,
Expand All @@ -175,4 +181,5 @@ export {
getEvalValue,
generatorRunSync,
generatorRunAsync,
policySortByPriority,
};
28 changes: 28 additions & 0 deletions test/model.test.ts
View file
Open in desktop
Expand Up @@ -287,6 +287,34 @@ test('TestPriorityModel', async () => {
await testEnforce(e, 'bob', 'data2', 'write', false);
});

test('TestExplicitPriorityModel', async () => {
const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit.csv');

await testEnforce(e, 'alice', 'data1', 'write', true);
await testEnforce(e, 'alice', 'data1', 'read', true);
await testEnforce(e, 'bob', 'data2', 'read', false);
await testEnforce(e, 'bob', 'data2', 'write', true);
await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);
});

test('TestExplicitPriorityModelAdd', async () => {
const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit.csv');

await e.addPolicy('1', 'bob', 'data2', 'write', 'deny');

await testEnforce(e, 'alice', 'data1', 'write', true);
await testEnforce(e, 'alice', 'data1', 'read', true);
await testEnforce(e, 'bob', 'data2', 'read', false);
await testEnforce(e, 'bob', 'data2', 'write', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);
});

test('TestPriorityModelIndeterminate', async () => {
const e = await newEnforcer('examples/priority_model.conf', 'examples/priority_indeterminate_policy.csv');

Expand Down