diff --git a/examples/multiple_policy_definitions_model.conf b/examples/multiple_policy_definitions_model.conf
new file mode 100644
index 0000000..b619097
--- /dev/null
+++ b/examples/multiple_policy_definitions_model.conf
@@ -0,0 +1,19 @@
+[request_definition]
+r = sub, obj, act
+r2 = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+p2= sub_rule, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+#RABC
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+#ABAC
+m2 = eval(p2.sub_rule) && r2.obj == p2.obj && r2.act == p2.act
diff --git a/examples/multiple_policy_definitions_policy.csv b/examples/multiple_policy_definitions_policy.csv
new file mode 100644
index 0000000..6a18a1d
--- /dev/null
+++ b/examples/multiple_policy_definitions_policy.csv
@@ -0,0 +1,5 @@
+p, data2_admin, data2, read
+p2, r2.sub.Age > 18 && r2.sub.Age < 60, /data1, read, allow
+p2, r2.sub.Age > 60 && r2.sub.Age < 100, /data1, read, deny
+
+g, alice, data2_admin
diff --git a/examples/rbac_with_multiple_policy_model.conf b/examples/rbac_with_multiple_policy_model.conf
new file mode 100644
index 0000000..99755b2
--- /dev/null
+++ b/examples/rbac_with_multiple_policy_model.conf
@@ -0,0 +1,17 @@
+[request_definition]
+r = user, thing, action
+
+[policy_definition]
+p = role, thing, action
+p2 = role, action
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.user, p.role) && r.thing == p.thing && r.action == p.action
+m2 = g(r.user, p2.role) && r.action == p.action
+
+[role_definition]
+g = _,_
+g2 = _,_
diff --git a/examples/rbac_with_multiple_policy_policy.csv b/examples/rbac_with_multiple_policy_policy.csv
new file mode 100644
index 0000000..7abe0ff
--- /dev/null
+++ b/examples/rbac_with_multiple_policy_policy.csv
@@ -0,0 +1,9 @@
+p, user, /data, GET
+p, admin, /data, POST
+
+p2, user, view
+p2, admin, create
+
+g, admin, user
+g, alice, admin
+g2, alice, user
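Review bot: In examples/multiple_policy_definitions_model.conf the `[policy_effect]` line `e = some(where (p.eft == allow))` is allow-override, so the `eft` column declared on `p2` only matters for rows marked allow; a row marked deny, like the one in examples/multiple_policy_definitions_policy.csv, should not change any decision under it, since a request with no matching allow row is refused either way. If deny rows are meant to override, the effect would be `e = some(where (p.eft == allow)) && !some(where (p.eft == deny))`; otherwise drop the deny row so the example does not suggest a control that is not there. Because `m2` calls `eval(p2.sub_rule)`, I would also add a comment above it: `# p2.sub_rule is evaluated as an expression; write access to p2 rows is write access to the matcher`. The `#RABC` comment is presumably meant to read `#RBAC`.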
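Review bot: In examples/rbac_with_multiple_policy_model.conf, `m2` compares `r.action` with `p.action`, but `m2` is the matcher for `p2`, whose fields are `role, action`; this looks like a typo for `m2 = g(r.user, p2.role) && r.action == p2.action`. As written the matcher mixes two policy types, and nothing in this commit evaluates it (the new test in test/rbacAPI.test.ts only reads the stored rows), so the mistake would go unnoticed. `g2` is declared and given a row in the policy file, but neither matcher uses it; either use it in `m2` or remove it from the example.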
diff --git a/src/coreEnforcer.ts b/src/coreEnforcer.ts
index 894fcc9..a18494f 100644
--- a/src/coreEnforcer.ts
+++ b/src/coreEnforcer.ts
@@ -479,7 +479,7 @@ export class CoreEnforcer {
 const effectStream = this.eft.newStream(effectExpr);
- if (policyLen && policyLen !== 0) {
+ if (policyLen && policyLen !== 0 && expString.includes(`${enforceContext.pType}_`)) {
 for (let i = 0; i < policyLen; i++) {
 const parameters: { [key: string]: any } = {};
diff --git a/test/multiplePolicyDefinitions.test.ts b/test/multiplePolicyDefinitions.test.ts
new file mode 100644
index 0000000..b7b1a7e
--- /dev/null
+++ b/test/multiplePolicyDefinitions.test.ts
@@ -0,0 +1,28 @@
+// Copyright 2018 The Casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { newEnforcer, newEnforceContext } from '../src';
+
+test('TestMultiplePolicyDefinitions', async () => {
+ const e = await newEnforcer('examples/multiple_policy_definitions_model.conf', 'examples/multiple_policy_definitions_policy.csv');
+ const enforceContext = newEnforceContext('2');
+ enforceContext.eType = 'e';
+
+ // Test with default context (r, p, e, m)
+ await expect(e.enforce('alice', 'data2', 'read')).resolves.toBe(true);
+
+ // Test with EnforceContext for r2, p2, e, m2
+ await expect(e.enforce(enforceContext, { Age: 70 }, '/data1', 'read')).resolves.toBe(false);
+ await expect(e.enforce(enforceContext, { Age: 30 }, '/data1', 'read')).resolves.toBe(true);
+});
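Review bot: The `expString.includes(...)` test added to the `if (policyLen ...` line in src/coreEnforcer.ts is a substring match, so it is also true when the prefix sits inside a longer identifier: with pType `p`, a matcher that mentions a field named `group_id` (constructed example) contains `p_` without referring to the policy at all. This condition decides whether policy rows are evaluated, so a match on token boundaries would be safer, e.g. `new RegExp('(^|[^A-Za-z0-9_])' + enforceContext.pType + '_').test(expString)`, assuming pType holds only identifier characters. What runs when the test is false is in the branch after this loop, outside the hunk; I would add a comment there stating the intended decision for a matcher that never mentions the policy type, and a test that pins it. The enclosing method starts and ends outside the hunk.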
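Review bot: In test/multiplePolicyDefinitions.test.ts the `Age: 70` assertion would still pass if the deny row were deleted, because no allow row matches that age; the test therefore does not show that the `eft` column or the new pType check in coreEnforcer.ts has any effect. Add the ages the two rules leave uncovered, e.g. `await expect(e.enforce(enforceContext, { Age: 60 }, '/data1', 'read')).resolves.toBe(false);` and the same for `Age: 18`. A request for `/data1` through the default context, expected to be refused, would also show that `p2` rows are not reachable from `m`.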
diff --git a/test/rbacAPI.test.ts b/test/rbacAPI.test.ts
index 32b45a0..9992b25 100644
--- a/test/rbacAPI.test.ts
+++ b/test/rbacAPI.test.ts
@@ -202,3 +202,20 @@ test('test getImplicitUsersForRole', async () => {
 expect(await e.getImplicitUsersForRole('admin')).toEqual(['alice']);
 expect(await e.getImplicitUsersForRole('data1_admin')).toEqual(['admin', 'alice']);
 });
+
+test('test rbac with multiple policy definitions', async () => {
+ const e = await newEnforcer('examples/rbac_with_multiple_policy_model.conf', 'examples/rbac_with_multiple_policy_policy.csv');
+
+ // Test getting named policies for different policy types
+ const pPolicies = await e.getNamedPolicy('p');
+ expect(pPolicies).toEqual([
+ ['user', '/data', 'GET'],
+ ['admin', '/data', 'POST'],
+ ]);
+
+ const p2Policies = await e.getNamedPolicy('p2');
+ expect(p2Policies).toEqual([
+ ['user', 'view'],
+ ['admin', 'create'],
+ ]);
+});
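Review bot: The new test 'test rbac with multiple policy definitions' only asserts on `getNamedPolicy`, so the matchers `m` and `m2` of the new model are never evaluated and no authorization decision is checked. Add at least one `e.enforce(...)` assertion per matcher, the second through an enforce context as test/multiplePolicyDefinitions.test.ts does, including a request that must be refused. The role rows are not covered either; an assertion such as `expect(await e.getNamedGroupingPolicy('g2')).toEqual([['alice', 'user']]);` would pin them.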