package casbins
import (
	"fmt"
	"log"
	"net/http"
	"strconv"
	"sync"

	"github.com/casbin/casbin"
	//"github.com/casbin/xorm-adapter"
	_ "github.com/go-sql-driver/mysql"
	"github.com/kataras/iris/context"

	"go-iris-curd/main/inits/parse"
	"go-iris-curd/main/middleware/jwts"
	"go-iris-curd/main/web/db"
	"go-iris-curd/main/web/supports"
)
var (
	adt *Adapter // process-wide policy adapter, created lazily by singleAdapter
	e   *casbin.Enforcer // process-wide enforcer, created lazily by GetEnforcer
	adtLook sync.Mutex // guards creation of adt
	eLook   sync.Mutex // guards creation of e
	// rbacModel is the Casbin model text produced by SetRbacModel and consumed
	// by GetEnforcer. It is a plain variable with no lock of its own, so it is
	// meant to be set once at startup before the first GetEnforcer call.
	rbacModel string
)
// SetRbacModel builds the Casbin model text that GetEnforcer later compiles.
//
// The model follows the RBAC-with-domains layout documented at
// https://casbin.org/docs/en/rbac-with-domains, extended with a "suf" field on
// both request and policy. rootID is interpolated verbatim into the matcher
// as a double-quoted literal (`|| r.sub == "<rootID>"`), so a request whose
// subject equals rootID is allowed irrespective of policy. Because it is
// inserted as-is, rootID must not contain a double quote; otherwise the
// matcher expression is malformed.
//
// rbacModel is a plain package variable: call this once during startup,
// before the first GetEnforcer call, not concurrently with request handling.
func SetRbacModel(rootID string) {
	const modelTemplate = `
[request_definition]
r = sub, dom, obj, act, suf
[policy_definition]
p = sub, dom, obj, act, suf
[role_definition]
g = _, _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && regexMatch(r.suf, p.suf) && regexMatch(r.act, p.act) || r.sub == "%s"
`
	rbacModel = fmt.Sprintf(modelTemplate, rootID)
}
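// GetEnforcer returns the process-wide Casbin enforcer.
//
// On first use it compiles the model text set by SetRbacModel and pairs it
// with the shared adapter from singleAdapter. On every later call the policy
// is reloaded from the adapter before the enforcer is returned, so policy
// changes in the backing store become visible without a restart.
//
// The whole body runs under eLook. The previous lock-free fast path read e
// before taking the lock while another goroutine could be assigning it under
// the lock, which is a data race under the Go memory model; holding the lock
// for the full call removes that race at the cost of serialising the per-call
// reload.
//
// A failed reload cannot be returned (the signature has no error), so it is
// logged and the enforcer is returned as is. NOTE(review): whether a failed
// LoadPolicy leaves the previous policy in place or an empty one depends on
// the casbin version in use — confirm that the resulting behaviour on a
// store outage is the intended fail-closed one.
func GetEnforcer() *casbin.Enforcer {
	eLook.Lock()
	defer eLook.Unlock()

	if e != nil {
		if err := e.LoadPolicy(); err != nil {
			log.Printf("casbins: reloading policy: %v", err)
		}
		return e
	}

	// Model text comes from SetRbacModel; an empty rbacModel means it was
	// never called, which casbin will reject when compiling the model.
	m := casbin.NewModel(rbacModel)
	// TODO use go-bindata fill
	e = casbin.NewEnforcer(m, singleAdapter())
	// Casbin's own logging; presumably prints request/policy evaluation details.
	e.EnableLog(true)
	return e
}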
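// singleAdapter returns the process-wide Casbin adapter, creating it on first
// use from the master database settings in parse.DBConfig.
//
// The whole body runs under adtLook. The previous unlocked fast-path read of
// adt raced with the assignment below; since singleAdapter is only reached
// from GetEnforcer while the enforcer is being created, taking the lock
// unconditionally costs nothing on the request path.
//
// The connection URL is derived from the configured credentials and handed
// straight to NewAdapter; it is not logged here.
func singleAdapter() *Adapter {
	adtLook.Lock()
	defer adtLook.Unlock()

	if adt != nil {
		return adt
	}

	master := parse.DBConfig.Master
	dsn := db.GetConnURL(&master)
	// NOTE(review): the trailing true flag is passed through unchanged; its
	// meaning is defined by NewAdapter in this package (the xorm-adapter
	// example it was modelled on uses it to auto-create the policy table) —
	// confirm.
	adt = NewAdapter(master.Dialect, dsn, true)
	return adt
}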
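// CheckPermissions enforces the Casbin policy for the current iris request.
//
// It is not itself an iris Handler (it returns a bool), so it is called from a
// handler or middleware, which must stop when it returns false. The subject is
// the user ID taken from the JWT parsed by jwts.ParseToken; the request is
// enforced as (subject, domain, ctx.Path(), ctx.Method(), suffix) against the
// model produced by SetRbacModel.
//
// Returns true when the request is allowed. When the policy denies it, the
// supports.PermissionsLess response is written, the iris handler chain is
// stopped and false is returned. When no valid token is found, false is
// returned and nothing is written here; NOTE(review): confirm jwts.ParseToken
// rejects the request itself in that case, otherwise a caller that ignores the
// result continues unauthenticated.
func CheckPermissions(ctx context.Context) bool {
	// Fixed for every request: a single domain, and the request suffix that
	// the model compares with p.suf via regexMatch.
	const (
		domain = "a"
		suffix = ".*"
	)

	user, ok := jwts.ParseToken(ctx)
	if !ok {
		return false
	}

	subject := strconv.Itoa(int(user.ID))
	// NOTE(review): ctx.Path() is the request path as iris reports it, not the
	// matched route pattern; confirm it is normalised before keyMatch compares
	// it with policy objects, so an unnormalised path cannot sidestep a pattern.
	if !GetEnforcer().Enforce(subject, domain, ctx.Path(), ctx.Method(), suffix) {
		supports.Unauthorized(ctx, supports.PermissionsLess, nil)
		ctx.StopExecution()
		return false
	}
	return true
}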
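// Wrapper returns a router wrapper for iris' app.WrapRouter:
//
//	app.WrapRouter(casbins.Wrapper())
//
// It currently performs NO authorization check: every request is forwarded to
// the wrapped router unchanged. The request-level check that once lived here
// was commented out and never reinstated, so wrapping the router with it does
// not protect any route; enforcement has to come from CheckPermissions in the
// handlers that need it. The earlier doc comment claimed whole-application
// enforcement, which is why this is spelled out.
func Wrapper() func(w http.ResponseWriter, r *http.Request, router http.HandlerFunc) {
	return func(w http.ResponseWriter, r *http.Request, router http.HandlerFunc) {
		// TODO: restore an http.Request-based permission check here; until
		// then this is a pass-through and must not be relied on for access
		// control.
		router(w, r)
	}
}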