feat: Port GetAllowedObjectConditions() from Go Casbin (#493)

Author: Copilot

examples/object_conditions_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, sub_rule, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub) && eval(p.sub_rule) && r.act == p.act

examples/object_conditions_policy.csv

@@ -0,0 +1,5 @@
+p, alice, r.obj.price < 25, read
+p, admin, r.obj.category_id = 2, read
+p, bob, r.obj.author = bob, write
+
+g, alice, admin

src/main/java/org/casbin/jcasbin/exception/CasbinEmptyConditionException.java

@@ -0,0 +1,26 @@
+// Copyright 2018 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.casbin.jcasbin.exception;
+
+public class CasbinEmptyConditionException extends RuntimeException {
+
+    public CasbinEmptyConditionException(String message) {
+        super(message);
+    }
+
+    public CasbinEmptyConditionException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

src/main/java/org/casbin/jcasbin/exception/CasbinObjConditionException.java

@@ -0,0 +1,26 @@
+// Copyright 2018 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.casbin.jcasbin.exception;
+
+public class CasbinObjConditionException extends RuntimeException {
+
+    public CasbinObjConditionException(String message) {
+        super(message);
+    }
+
+    public CasbinObjConditionException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

src/main/java/org/casbin/jcasbin/main/Enforcer.java

@@ -14,7 +14,9 @@
 
 package org.casbin.jcasbin.main;
 
+import org.casbin.jcasbin.exception.CasbinEmptyConditionException;
 import org.casbin.jcasbin.exception.CasbinNameNotExistException;
+import org.casbin.jcasbin.exception.CasbinObjConditionException;
 import org.casbin.jcasbin.model.Assertion;
 import org.casbin.jcasbin.model.FunctionMap;
 import org.casbin.jcasbin.model.Model;
@@ -644,4 +646,50 @@ public List<Boolean> batchEnforceWithMatcher(String matcher, List<List<String>>
         }
         return results;
     }
+
+    /**
+     * getAllowedObjectConditions returns a list of object conditions that the user can access.
+     * For example: conditions = e.getAllowedObjectConditions("alice", "read", "r.obj.")
+     * Note:
+     * <p>
+     * 0. prefix: You can customize the prefix of the object conditions, and "r.obj." is commonly used as a prefix.
+     * After removing the prefix, the remaining part is the condition of the object.
+     * If there is an obj policy that does not meet the prefix requirement, a CasbinObjConditionException will be thrown.
+     * <p>
+     * 1. If the 'objectConditions' list is empty, throw CasbinEmptyConditionException
+     * This exception is thrown because some data adapters' ORM return full table data by default
+     * when they receive an empty condition, which tends to behave contrary to expectations.(e.g. GORM)
+     * If you are using an adapter that does not behave like this, you can choose to ignore this exception.
+     *
+     * @param user   the user.
+     * @param action the action.
+     * @param prefix the prefix of the object conditions.
+     * @return a list of object conditions.
+     * @throws CasbinObjConditionException if there is a policy that doesn't meet the prefix requirement.
+     * @throws CasbinEmptyConditionException if the objectConditions list is empty.
+     */
+    public List<String> getAllowedObjectConditions(String user, String action, String prefix) {
+        if (user == null || action == null || prefix == null) {
+            throw new IllegalArgumentException("user, action, and prefix cannot be null");
+        }
+        
+        List<List<String>> permissions = getImplicitPermissionsForUser(user);
+        
+        List<String> objectConditions = new ArrayList<>();
+        for (List<String> policy : permissions) {
+            // policy {sub, obj, act}
+            if (policy.size() >= 3 && policy.get(2).equals(action)) {
+                if (!policy.get(1).startsWith(prefix)) {
+                    throw new CasbinObjConditionException("need to meet the prefix required by the object condition");
+                }
+                objectConditions.add(policy.get(1).substring(prefix.length()));
+            }
+        }
+        
+        if (objectConditions.isEmpty()) {
+            throw new CasbinEmptyConditionException("GetAllowedObjectConditions has an empty condition");
+        }
+        
+        return objectConditions;
+    }
 }

src/test/java/org/casbin/jcasbin/main/RbacAPIUnitTest.java

@@ -240,4 +240,62 @@ public void testImplicitUsersForRole() {
         testGetImplicitUsersForRole(e, "book_group", asList("/book/*", "/book/:id", "/book2/{id}"));
         testGetImplicitUsersForRole(e, "pen_group", asList("/pen/:id", "/pen2/{id}"));
     }
+
+    @Test
+    public void testGetAllowedObjectConditions() {
+        Enforcer e = new Enforcer("examples/object_conditions_model.conf", "examples/object_conditions_policy.csv");
+        
+        // Test basic cases
+        testGetAllowedObjectConditions(e, "alice", "read", "r.obj.", asList("price < 25", "category_id = 2"));
+        testGetAllowedObjectConditions(e, "admin", "read", "r.obj.", asList("category_id = 2"));
+        testGetAllowedObjectConditions(e, "bob", "write", "r.obj.", asList("author = bob"));
+        
+        // Test null parameter validation
+        testGetAllowedObjectConditionsWithException(e, null, "read", "r.obj.", 
+            IllegalArgumentException.class);
+        testGetAllowedObjectConditionsWithException(e, "alice", null, "r.obj.", 
+            IllegalArgumentException.class);
+        testGetAllowedObjectConditionsWithException(e, "alice", "read", null, 
+            IllegalArgumentException.class);
+        
+        // Test ErrEmptyCondition
+        testGetAllowedObjectConditionsWithException(e, "alice", "write", "r.obj.", 
+            org.casbin.jcasbin.exception.CasbinEmptyConditionException.class);
+        testGetAllowedObjectConditionsWithException(e, "bob", "read", "r.obj.", 
+            org.casbin.jcasbin.exception.CasbinEmptyConditionException.class);
+        
+        // Test ErrObjCondition - policy without proper prefix
+        // should: e.addPolicy("alice", "r.obj.price > 50", "read")
+        boolean ok = e.addPolicy("alice", "price > 50", "read");
+        if (ok) {
+            testGetAllowedObjectConditionsWithException(e, "alice", "read", "r.obj.", 
+                org.casbin.jcasbin.exception.CasbinObjConditionException.class);
+        }
+        
+        // Test with different prefix
+        e.clearPolicy();
+        e.getRoleManager().deleteLink("alice", "admin");
+        e.addPolicies(asList(
+            asList("alice", "r.book.price < 25", "read"),
+            asList("admin", "r.book.category_id = 2", "read"),
+            asList("bob", "r.book.author = bob", "write")
+        ));
+        testGetAllowedObjectConditions(e, "alice", "read", "r.book.", asList("price < 25"));
+        testGetAllowedObjectConditions(e, "admin", "read", "r.book.", asList("category_id = 2"));
+        testGetAllowedObjectConditions(e, "bob", "write", "r.book.", asList("author = bob"));
+    }
+    
+    private void testGetAllowedObjectConditions(Enforcer e, String user, String action, String prefix, List<String> expectedConditions) {
+        List<String> actualConditions = e.getAllowedObjectConditions(user, action, prefix);
+        assertEquals(expectedConditions, actualConditions);
+    }
+    
+    private void testGetAllowedObjectConditionsWithException(Enforcer e, String user, String action, String prefix, Class<? extends RuntimeException> expectedExceptionClass) {
+        try {
+            e.getAllowedObjectConditions(user, action, prefix);
+            fail("Expected exception " + expectedExceptionClass.getName() + " was not thrown");
+        } catch (RuntimeException ex) {
+            assertEquals(expectedExceptionClass, ex.getClass());
+        }
+    }
 }