feat: Add function sortPoliciesBySubjectHierarchy (#110)

Signed-off-by: Edmond <edomondja@gmail.com>

Author: Edmond-J-A

examples/subject_priority_model.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = subjectPriority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

examples/subject_priority_model_with_domain.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, dom, act
+
+[policy_definition]
+p = sub, obj, dom, act, eft
+
+[role_definition]
+g = _, _, _
+
+[policy_effect]
+e = subjectPriority(p.eft) || deny
+
+[matchers]
+m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

examples/subject_priority_policy.csv

@@ -0,0 +1,16 @@
+p, root, data1, read, deny
+p, admin, data1, read, deny
+
+p, editor, data1, read, deny
+p, subscriber, data1, read, deny
+
+p, jane, data1, read, allow
+p, alice, data1, read, allow
+
+g, admin, root
+
+g, editor, admin
+g, subscriber, admin
+
+g, jane, editor
+g, alice, subscriber

examples/subject_priority_policy_with_domain.csv

@@ -0,0 +1,8 @@
+p, admin, data1, domain1, write, deny
+p, alice, data1, domain1, write, allow
+p, admin, data2, domain2, write, deny
+p, bob, data2, domain2, write, allow
+
+
+g, alice, admin, domain1
+g, bob, admin, domain2

src/effect/DefaultEffector.lua

@@ -64,7 +64,7 @@ function DefaultEffector:mergeEffects(expr, effects)
                 break
             end
         end
-    elseif expr == "priority(p_eft) || deny" then
+    elseif expr == "priority(p_eft) || deny" or expr == "subjectPriority(p_eft) || deny" then
         result = false
         for i, eft in pairs(effects) do
             if eft ~= self.Effect.INDETERMINATE then

src/model/Model.lua

@@ -210,6 +210,93 @@ function Model:printModel()
     end
 end
 
+local function getSubjectHierarchyMap(policies)
+    local subjectHierarchyMap = { }
+    --Tree structure of role
+    local policyMap = { }
+    for _, policy in pairs(policies) do
+        if #policy < 2 then
+            return nil, error("policy g expect 2 more params")
+        end
+        local domain=""
+        if #policy~=2 then
+            domain  = policy[3]
+        end
+        local child = domain.."::"..policy[1]
+        local parent = domain.."::"..policy[2]
+        if policyMap[parent]==nil then
+            policyMap[parent]={}
+        end
+        table.insert(policyMap[parent], child)
+        if subjectHierarchyMap[child]==nil then
+            subjectHierarchyMap[child] = 0
+        end
+        if subjectHierarchyMap[parent]==nil then
+            subjectHierarchyMap[parent] = 0
+        end
+        subjectHierarchyMap[child] = 1
+    end
+    local queue = {  }
+    for k, v in pairs(subjectHierarchyMap) do
+        if v == 0 then
+            local root = k
+            local lv = 0
+            table.insert(queue,root)
+            while #queue~=0 do
+                local sz=#queue
+                for i=1,sz do
+                    local node=queue[1]
+                    table.remove(queue,1)
+                    subjectHierarchyMap[node] = lv
+                    if policyMap[node]~=nil then
+                        for _,child in pairs(policyMap[node]) do
+                            table.insert(queue,child)
+                        end
+                    end
+                end
+                lv=lv+1
+            end
+        end
+    end
+
+    return subjectHierarchyMap, nil
+end
+
+function Model:sortPoliciesBySubjectHierarchy()
+    if self.model["e"]["e"].value ~= "subjectPriority(p_eft) || deny" then
+        return nil
+    end
+    local subIndex = 1
+    local domainIndex = -1
+    for ptype, assertion in pairs(self.model["p"]) do
+        for index, token in pairs(assertion.tokens)  do
+            if token == ptype.."_dom" then
+            domainIndex = index
+            break
+            end
+        end
+        local subjectHierarchyMap, err = getSubjectHierarchyMap(self.model["g"]["g"].policy)
+        if err ~= nil then
+            return err
+        end
+        table.sort(assertion.policy, function(i, j)
+            local domain1, domain2 = "", ""
+            if domainIndex ~= -1 then
+                domain1 = i[domainIndex]
+                domain2 = j[domainIndex]
+            end
+            local name1, name2 =domain1.."::"..i[subIndex], domain2.."::".. j[subIndex]
+            local p1 = subjectHierarchyMap[name1]
+            local p2 = subjectHierarchyMap[name2]
+            return p1 > p2
+        end)
+        for i, policy in pairs(assertion.policy) do
+            assertion.policyMap[table.concat(policy, ",")] = i
+        end
+    end
+    return nil
+end
+
 -- sortPoliciesByPriority sorts policies by their priorities if 'priority' token exists
 function Model:sortPoliciesByPriority()
     if not self.model["p"] then return end

tests/main/enforcer_spec.lua

@@ -390,6 +390,20 @@ describe("Enforcer tests", function ()
         assert.is.True(e:enforce("data2_allow_group", "data2", "write"))
     end)
 
+    it("explicit subject priority test", function ()
+        local model  = path .. "/examples/subject_priority_model_with_domain.conf"
+        local policy  = path .. "/examples/subject_priority_policy_with_domain.csv"
+        local e = Enforcer:new(model, policy)
+        assert.is.False(e:enforce("alice", "data1","domain1", "write"))
+        assert.is.False(e:enforce("bob", "data2","domain2", "write"))
+        e.model:printPolicy()
+        e.model:sortPoliciesBySubjectHierarchy()
+        e.model:printPolicy()
+        assert.is.True(e:enforce("alice", "data1","domain1", "write"))
+        assert.is.True(e:enforce("bob", "data2","domain2", "write"))
+    end)
+
+
     it("Batch Enforce test", function ()
         local model  = path .. "/examples/basic_model.conf"
         local policy  = path .. "/examples/basic_policy.csv"