casbin · hsluoyz · Mar 23, 2021 · Mar 17, 2021 · Mar 20, 2021 · Mar 20, 2021
diff --git a/examples/priority_model_explicit.conf b/examples/priority_model_explicit.conf
@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = priority, sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = priority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
diff --git a/examples/priority_policy_explicit.csv b/examples/priority_policy_explicit.csv
@@ -0,0 +1,12 @@
+p, 10, data1_deny_group, data1, read, deny
+p, 10, data1_deny_group, data1, write, deny
+p, 10, data2_allow_group, data2, read, allow
+p, 10, data2_allow_group, data2, write, allow
+
+
+p, 1, alice, data1, write, allow
+p, 1, alice, data1, read, allow
+p, 1, bob, data2, read, deny
+
+g, bob, data2_allow_group
+g, alice, data1_deny_group
diff --git a/examples/priority_policy_explicit_update.csv b/examples/priority_policy_explicit_update.csv
@@ -0,0 +1,13 @@
+p, 10, data1_deny_group, data1, read, deny
+p, 10, data1_deny_group, data1, write, deny
+p, 10, data2_allow_group, data2, read, allow
+p, 10, data2_allow_group, data2, write, allow
+
+
+p, 1, alice, data1, write, allow
+p, 1, alice, data1, read, allow
+p, 1, bob, data2, read, deny
+p, 1, bob, data2, write, allow
+
+g, bob, data2_allow_group
+g, alice, data1_deny_group
diff --git a/src/coreEnforcer.ts b/src/coreEnforcer.ts
@@ -153,13 +153,29 @@ export class CoreEnforcer {
     }
   }
 
+  public sortPolicies(): void {
+    const policy = this.model.model.get('p')?.get('p')?.policy;
+    const tokens = this.model.model.get('p')?.get('p')?.tokens;
+
+    if (policy && tokens) {
+      const priorityIndex = tokens.indexOf('p_priority');
+      if (priorityIndex !== -1) {
+        policy.sort((a, b) => {
+          return parseInt(a[priorityIndex], 10) - parseInt(b[priorityIndex], 10);
+        });
+      }
+    }
+  }
+
   /**
    * loadPolicy reloads the policy from file/database.
    */
   public async loadPolicy(): Promise<void> {
     this.model.clearPolicy();
     await this.adapter.loadPolicy(this.model);
 
+    this.sortPolicies();
+
     this.initRmMap();
 
     if (this.autoBuildRoleLinks) {
@@ -182,6 +198,8 @@ export class CoreEnforcer {
       throw new Error('filtered policies are not supported by this adapter');
     }
 
+    this.sortPolicies();
+
     this.initRmMap();
 
     if (this.autoBuildRoleLinks) {

diff --git a/src/internalEnforcer.ts b/src/internalEnforcer.ts
@@ -45,6 +45,7 @@ export class InternalEnforcer extends CoreEnforcer {
     }
 
     const ok = this.model.addPolicy(sec, ptype, rule);
+
     if (sec === 'g' && ok) {
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyAdd, ptype, [rule]);
     }

diff --git a/src/model/model.ts b/src/model/model.ts
@@ -220,7 +220,24 @@ export class Model {
       if (!ast) {
         return false;
       }
-      ast.policy.push(rule);
+
+      const policy = ast.policy;
+      const tokens = ast.tokens;
+
+      const priorityIndex = tokens.indexOf('p_priority');
+
+      if (priorityIndex !== -1) {
+        const priorityRule = rule[priorityIndex];
+        const insertIndex = policy.findIndex((oneRule) => oneRule[priorityIndex] >= priorityRule);
+
+        if (priorityIndex === -1) {
+          policy.push(rule);
+        } else {
+          policy.splice(insertIndex, 0, rule);
+        }
+      } else {
+        policy.push(rule);
+      }
       return true;
     }
 
@@ -240,7 +257,15 @@ export class Model {
       }
     }
 
-    ast.policy = ast.policy.concat(rules);
+    const priorityFlag = ast.tokens.indexOf('p_priority') !== -1;
+
+    if (priorityFlag) {
+      rules.forEach((rule) => {
+        this.addPolicy(sec, ptype, rule);
+      });
+    } else {
+      ast.policy = ast.policy.concat(rules);
+    }
 
     return [true, rules];
   }
@@ -252,12 +277,19 @@ export class Model {
       if (!ast) {
         return false;
       }
-      // const index = ast.policy.indexOf(oldRule);
-      const index = ast.policy.findIndex((r) => util.arrayEquals(r, oldRule));
-      if (index !== -1) {
-        ast.policy[index] = newRule;
-        return true;
+
+      const priorityFlag = ast.tokens.indexOf('p_priority') !== -1;
+
+      if (priorityFlag) {
+        this.removePolicy(sec, ptype, oldRule);
+        this.addPolicy(sec, ptype, newRule);
+      } else {
+        const index = ast.policy.findIndex((r) => util.arrayEquals(r, oldRule));
+        if (index !== -1) {
+          ast.policy[index] = newRule;
+        }
       }
+      return true;
     }
     return false;
   }

diff --git a/test/model.test.ts b/test/model.test.ts
@@ -287,6 +287,49 @@ test('TestPriorityModel', async () => {
   await testEnforce(e, 'bob', 'data2', 'write', false);
 });
 
+test('TestExplicitPriorityModel', async () => {
+  const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit.csv');
+
+  await testEnforce(e, 'alice', 'data1', 'write', true);
+  await testEnforce(e, 'alice', 'data1', 'read', true);
+  await testEnforce(e, 'bob', 'data2', 'read', false);
+  await testEnforce(e, 'bob', 'data2', 'write', true);
+  await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
+  await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
+  await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
+  await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);
+});
+
+test('TestExplicitPriorityModelAddPolicy', async () => {
+  const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit.csv');
+
+  await e.addPolicy('1', 'bob', 'data2', 'write', 'deny');
+
+  await testEnforce(e, 'alice', 'data1', 'write', true);
+  await testEnforce(e, 'alice', 'data1', 'read', true);
+  await testEnforce(e, 'bob', 'data2', 'read', false);
+  await testEnforce(e, 'bob', 'data2', 'write', false);
+  await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
+  await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
+  await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
+  await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);
+});
+
+test('TestExplicitPriorityModelUpdatePolicy', async () => {
+  const e = await newEnforcer('examples/priority_model_explicit.conf', 'examples/priority_policy_explicit_update.csv');
+
+  await e.updatePolicy(['1', 'bob', 'data2', 'write', 'allow'], ['1', 'bob', 'data2', 'write', 'deny']);
+
+  await testEnforce(e, 'alice', 'data1', 'write', true);
+  await testEnforce(e, 'alice', 'data1', 'read', true);
+  await testEnforce(e, 'bob', 'data2', 'read', false);
+  await testEnforce(e, 'bob', 'data2', 'write', false);
+  await testEnforce(e, 'data1_deny_group', 'data1', 'read', false);
+  await testEnforce(e, 'data1_deny_group', 'data1', 'write', false);
+  await testEnforce(e, 'data2_allow_group', 'data2', 'read', true);
+  await testEnforce(e, 'data2_allow_group', 'data2', 'write', true);
+});
+
 test('TestPriorityModelIndeterminate', async () => {
   const e = await newEnforcer('examples/priority_model.conf', 'examples/priority_indeterminate_policy.csv');