feat: add priority support

php-casbin · Sep 11, 2021 · bcc0153 · bcc0153
1 parent 132167b
commit bcc0153
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 5 deletions.
diff --git a/examples/priority_model_explicit.conf b/examples/priority_model_explicit.conf
@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = priority, sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = priority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
diff --git a/examples/priority_policy_explicit.csv b/examples/priority_policy_explicit.csv
@@ -0,0 +1,12 @@
+p, 10, data1_deny_group, data1, read, deny
+p, 10, data1_deny_group, data1, write, deny
+p, 10, data2_allow_group, data2, read, allow
+p, 10, data2_allow_group, data2, write, allow
+
+
+p, 1, alice, data1, write, allow
+p, 1, alice, data1, read, allow
+p, 1, bob, data2, read, deny
+
+g, bob, data2_allow_group
+g, alice, data1_deny_group
diff --git a/src/CoreEnforcer.php b/src/CoreEnforcer.php
@@ -363,6 +363,7 @@ public function loadPolicy(): void
         }
 
         $this->model->printPolicy();
+        $this->model->sortPoliciesByPriority();
         if ($this->autoBuildRoleLinks) {
             $this->buildRoleLinks();
         }
@@ -386,6 +387,7 @@ public function loadFilteredPolicy($filter): void
             throw new CasbinException('filtered policies are not supported by this adapter');
         }
 
+        $this->model->sortPoliciesByPriority();
         $this->initRmMap();
         $this->model->printPolicy();
         if ($this->autoBuildRoleLinks) {

diff --git a/src/Model/Model.php b/src/Model/Model.php
@@ -216,4 +216,23 @@ public static function loadFunctionMap(): FunctionMap
     {
         return FunctionMap::loadFunctionMap();
     }
+
+    public function sortPoliciesByPriority(): void
+    {
+        foreach ($this->items['p'] as $ptype => $assertion) {
+            if ($assertion->tokens[0] != sprintf("%s_priority", $ptype)) {
+                continue;
+            }
+            $policies = &$assertion->policy;
+            usort($policies, function ($i, $j): int {
+                if ($i[0] == $j[0]) {
+                    return 0;
+                }
+                return ($i[0] < $j[0]) ? -1 : 1;
+            });
+            foreach ($assertion->policy as $i => $policy) {
+                $assertion->policyMap[implode(',', $policy)] = $i;
+            }
+        }
+    }
 }
diff --git a/src/Model/Policy.php b/src/Model/Policy.php
@@ -193,8 +193,24 @@ public function hasPolicies(string $sec, string $ptype, array $rules): bool
      */
     public function addPolicy(string $sec, string $ptype, array $rule): void
     {
-        $this->items[$sec][$ptype]->policy[] = $rule;
-        $this->items[$sec][$ptype]->policyMap[implode(self::DEFAULT_SEP, $rule)] = count($this->items[$sec][$ptype]->policy) - 1;
+        $assertion = &$this->items[$sec][$ptype];
+        $assertion->policy[] = $rule;
+        $idxInsert = $rule[0];
+
+        if (isset($assertion->tokens[0]) &&$assertion->tokens[0] == sprintf("%s_priority", $ptype)) {
+            for ($i = count($assertion->policy) - 1; $i > 0; $i--) {
+                $idx = $assertion->policy[$i-1][0];
+                if ($idx > $idxInsert) {
+                    $assertion->policy[$i] = $assertion->policy[$i-1];
+                } else {
+                    break;
+                }
+            }
+            $assertion->policy[$i] = $rule;
+            $assertion->policyMap[implode(self::DEFAULT_SEP, $rule)] = $i;
+        } else {
+            $assertion->policyMap[implode(self::DEFAULT_SEP, $rule)] = count($this->items[$sec][$ptype]->policy) - 1;
+        }
     }
 
     /**
@@ -211,9 +227,7 @@ public function addPolicies(string $sec, string $ptype, array $rules): void
             if (isset($this->items[$sec][$ptype]->policyMap[$hashKey])) {
                 continue;
             }
-
-            $this->items[$sec][$ptype]->policy[] = $rule;
-            $this->items[$sec][$ptype]->policyMap[$hashKey] = count($this->items[$sec][$ptype]->policy) - 1;
+            $this->addPolicy($sec, $ptype, $rule);
         }
     }
 

diff --git a/tests/Unit/CoreEnforcerTest.php b/tests/Unit/CoreEnforcerTest.php
@@ -236,4 +236,28 @@ public function testEnableEnforce()
         $this->assertFalse($e->enforce('bob', 'data2', 'read'));
         $this->assertTrue($e->enforce('bob', 'data2', 'write'));
     }
+
+    public function testPriorityExplicit()
+    {
+        $e = new Enforcer($this->modelAndPolicyPath . '/priority_model_explicit.conf', $this->modelAndPolicyPath . '/priority_policy_explicit.csv');
+        $this->assertTrue($e->enforce('alice', 'data1', 'write'));
+        $this->assertTrue($e->enforce('alice', 'data1', 'read'));
+        $this->assertFalse($e->enforce('bob', 'data2', 'read'));
+        $this->assertTrue($e->enforce('bob', 'data2', 'write'));
+        $this->assertFalse($e->enforce('data1_deny_group', 'data1', 'read'));
+        $this->assertFalse($e->enforce('data1_deny_group', 'data1', 'write'));
+        $this->assertTrue($e->enforce('data2_allow_group', 'data2', 'read'));
+        $this->assertTrue($e->enforce('data2_allow_group', 'data2', 'write'));
+
+        $e->addPolicy('1', 'bob', 'data2', 'write', 'deny');
+
+        $this->assertTrue($e->enforce('alice', 'data1', 'write'));
+        $this->assertTrue($e->enforce('alice', 'data1', 'read'));
+        $this->assertFalse($e->enforce('bob', 'data2', 'read'));
+        $this->assertFalse($e->enforce('bob', 'data2', 'write'));
+        $this->assertFalse($e->enforce('data1_deny_group', 'data1', 'read'));
+        $this->assertFalse($e->enforce('data1_deny_group', 'data1', 'write'));
+        $this->assertTrue($e->enforce('data2_allow_group', 'data2', 'read'));
+        $this->assertTrue($e->enforce('data2_allow_group', 'data2', 'write'));
+    }
 }